II. Legal framework
The Information Technology Act 2000 (Amended 2008)
In India the Information Technology Act 2000 was passed as a law addressing digital contracts, digital property, and digital rights. The Act contains a number of provisions that can be used to safeguard online and computer-related privacy. The Act provides for civil and criminal liability with respect to hacking,1 electronic voyeurism,2 phishing and identity theft,3 and offensive email.4 These offenses are punishable by imprisonment of three years and a fine of up to one lakh rupees. Disclosure by the government of information obtained in the course of intercepting an electronic communication is punishable by imprisonment of up to two years and a fine that may extend to one lakh rupees.5 Disclosure, with the intent of causing wrongful loss or wrongful gain, of 'personal information' obtained through lawful contract by an intermediary is punishable by imprisonment for up to three years or by a fine of INR 500,000.6 Below is an outline of the sections of the ITA that are relevant to privacy.
Data Protection: Currently the strongest legal protection of personal information in India is through section 43A of the Information Technology (Reasonable security practices and procedures and sensitive personal data information) Rules 2011. The provision requires any body corporate7 which 'receives, possesses, stores, deals, or handles' any 'sensitive personal data' to implement and maintain 'reasonable security practices', failing which it is held liable to compensate those affected. Other privacy-relevant provisions include:
Consent: Body corporates must obtain consent in letter, fax, or email from the 'provider of information' before collecting, using or disclosing any sensitive personal information.9 This provision protects privacy and reflects the principle of consent.
Collection of information: Body corporates may only collect sensitive personal information for lawful and necessary purposes.10 While collecting information, body corporates must ensure that the individual is informed of a) the fact that the information is being collected b) the purpose for which the information is being collected; c) the intended recipients of the information; and d) the name and the address of the agency collecting information and the agency that will retain the information.11 This provision protects privacy as it reflects the principle of limited collection and prevents the over-collection of information, while also ensuring that individuals are informed of why, how, and by whom their information is being collected, thus working to place the control of information in the hands of the individual.
Use of information: Body corporates must use information only for stated and agreed-to purposes.12 This provision is a positive protection of privacy as it adheres to the principle of limited and proportional use.
Opt-in and opt-out: Individuals are provided with the option to opt-in or opt-out of services prior to the collection of sensitive personal information. The individual also has the ability to withdraw consent at any point in time.13 This provision protects privacy as it places the control over sensitive personal information in the hands of the individual and allows the individual to determine how the information that they provide may be used.
Access, review, and correction: Individuals are allowed to review, update, and correct any sensitive personal information that they have provided "wherever necessary".14 The ability to review, update, and correct personal information is a positive protection on privacy as it places the control of personal information in the hands of the owner and reflects the principle of accuracy and individual access. This provision could be further strengthened by providing individuals with the option of requesting personal information that is stored by the organization.
Data retention: Body corporates are allowed to retain sensitive personal information only as long as is lawfully necessary.15 Limiting how long body corporates are permitted to retain information protects an individual's information from being stored longer than is necessary or after a contract or transaction has been closed and complete. Though the provision sets a time limit for how long sensitive information may be retained, it is missing a mandatory deletion or anonymisation policy to ensure that information is not retained longer than necessary.
Lawful disclosure: Before a body corporate is allowed to disclose or publish sensitive personal information to a third party, consent must be obtained from the individual to whom the information belongs. The only circumstance under which a body corporate may disclose information is if it is required to do so by a contract with the provider of the information or through the law.16 Any third party receiving sensitive personal information is not allowed to disclose the information further.17 Requiring individual consent before disclosure or publishing information works to protect an individual's personal sensitive information from being sold to a data-mining agency or other third party, and used for purposes beyond those to which they originally consented.
Reactive disclosure: An exception to the above protection is in the case of requests from governmental agencies. Body corporates are required to share financial information that government agencies request in writing. In such cases consent from the individual is not required. Sensitive personal information so obtained may be used by governmental agencies for: verification of identity, prevention, detection, and investigation of cyber incidents, and the prosecution of offences.18 Though government agencies are required to state in writing the reason for collecting information and also clearly state that the information so obtained will not be published or disclosed to any person, the provision is missing important safeguards against the non-specific collection of personal financial information by governmental agencies. Missing safeguards include:
- Court order: requiring governmental agencies to first obtain a court order before requesting information.
- Limited scope for collection: narrowing the grounds on which governmental agencies are allowed to collect information.
- Breach notification: requiring that after an investigation or inquiry is completed, body corporates inform the individual that personal sensitive information was disclosed.
Lawful transfer of information: Body corporates, or anyone acting on their behalf, may only transfer sensitive personal information to international organisations that ensure the same level of protection over the data. The one exception to this protection is if the transfer is required under a lawful contract between the provider of information and an organisation, or if the individuals concerned have consented to the transfer.19 This provision protects privacy by ensuring that third-party transfers only take place when adequate safeguards are established.
Information security: Body corporates must implement security practices and standards which require a) a comprehensively documented information security programme; and b) information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.20
Penalties and remedies: Non-observance of the data protection rules and general negligence with respect to personal data attracts civil liability.21 In addition, Section 45 of the Act provides for compensation or a penalty of up to INR 25,000 to any person affected by non-compliance with the rules framed under this Act (including the data protection rules). Claims for compensation are to be made to the adjudicating officer appointed under Section 46 of the IT Act. In addition, body corporates may be exposed to criminal liability under Section 72A as described above, if they disclose information with the intent of causing wrongful loss or obtaining a wrongful gain.
Grievances: All grievances and discrepancies must be addressed by the body corporate "in a time-bound manner". To achieve this, a Grievance Officer must be appointed and must address grievances within one month from the date of receipt.22
The issuance of digital signatures in India is the responsibility of the certifying authorities, who can either issue digital signatures to end users directly, or through the registration authorities/local registration authority. A few certification agencies in India include: Tata Consultancy Services, National Informatics Centre, Institute for Development & Research in Banking Technology, MTNL, Customs & Central Excise, Code Solutions, SafeScrypt from Sify Communications, and E Mudhra.23 Salient features of digital signatures under the Information Technology (Use of Electronic Records and Digital Signatures) Rules 2004 are:
Privacy of digital signatures: The certifying authority will ensure that the secrecy and privacy of the digital signature is assured.24
Security of digital signatures: A digital signature shall be deemed to be a secure digital signature for the purposes of the Act if the following procedure has been applied to it, namely:
- that the smart card or hardware token is used to create the key pair;
- that the private key used to create the digital signature always remains in the smart card or hardware token;
- that the hash of the content to be signed is taken from the host system to the smart card or hardware token and the private key is used to create the digital signature and the signed hash is returned to the host system;
- that the information contained in the smart card or hardware token is solely under the control of the person who is purported to have created the digital signature;
- that the digital signature can be verified by using the public key listed in the Digital Signature Certificate issued to that person;
- that the standards referred to in rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 have been complied with, in so far as they relate to the creation, storage and transmission of the digital signature; and
- that the digital signature is linked to the electronic record in such a manner that if the electronic record was altered the digital signature would be invalidated.25
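The procedure above (hash computed on the host, private key confined to the token, signature tied to the record so that any alteration invalidates it) can be modelled in a few lines. The following Go program is an added illustration and is not code from the Rules or from any certifying authority; it assumes SHA-256 and ECDSA over P-256 purely as stand-ins for whatever standards rule 6 of the Certifying Authorities Rules prescribes, and it uses a constructed sample record. The token type exposes no method that returns the private key, and it refuses anything that is not a digest, so the host can never hand it a full document or extract the key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hardwareToken models the smart card / hardware token of the Rules: the key
// pair is generated inside it and the private key is never exported. The only
// operation offered to the host is "sign this digest".
type hardwareToken struct {
	priv *ecdsa.PrivateKey // unexported; no method returns it
}

// newHardwareToken generates the key pair inside the token (assumed curve: P-256).
func newHardwareToken() (*hardwareToken, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &hardwareToken{priv: priv}, nil
}

// PublicKey is the value that would be listed in the Digital Signature Certificate.
func (t *hardwareToken) PublicKey() *ecdsa.PublicKey {
	return &t.priv.PublicKey
}

// SignDigest accepts only a SHA-256 digest, mirroring the rule that the host
// passes the hash of the content to the token, never the content or the key.
func (t *hardwareToken) SignDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, errors.New("token accepts only a 32-byte SHA-256 digest")
	}
	return ecdsa.SignASN1(rand.Reader, t.priv, digest)
}

// signRecord is the host side: hash the electronic record on the host and send
// only the hash to the token; the signed hash comes back to the host.
func signRecord(tok *hardwareToken, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return tok.SignDigest(digest[:])
}

// verifyRecord re-hashes the record and checks the signature against the public
// key from the certificate. Any change to the record changes the digest and the
// verification fails, which is the "linked to the electronic record" property.
func verifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	tok, err := newHardwareToken()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the demonstration.
	record := []byte("Constructed electronic record: transfer INR 1,000 to account A")
	sig, err := signRecord(tok, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("original record verifies:", verifyRecord(tok.PublicKey(), record, sig))

	altered := append([]byte{}, record...)
	altered[len(altered)-1] = 'B' // a one-character alteration of the record
	fmt.Println("altered record verifies: ", verifyRecord(tok.PublicKey(), altered, sig))
}
```

The point of the unexported field is the control requirement in the list: the token's private key is usable only by whoever holds the token, and the host never sees it. In a real deployment the `PublicKey` would be distributed inside a certificate issued by the certifying authority rather than read directly from the token.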
Hacking & Offensive Messages
Any person who intentionally causes wrongful loss, damages, destroys, deletes, or alters information in a computer or commits a hacking offence is held criminally liable and is punishable by imprisonment for up to three years, or by a fine which may extend up to one lakh rupees, or both.26 Hacking done with the intent to threaten the unity, integrity, security, or sovereignty of India or strike terror in the people by denying authorised personnel access to computers, attempting to penetrate or access a computer resource without authorisation, or introducing malware to any computer, is considered to be committing an act of cyber terrorism which is punishable by imprisonment for life.27 This provision works to protect the privacy and integrity of entire computer systems belonging to the individual and the state.
The use of electronic resources to send information that is 'grossly offensive', is 'for the purpose of causing annoyance', 'has menacing character', and is known to be false28 is punishable by imprisonment for up to three years and by a fine.29 Though the prevention of sending offensive messages is an important protection for individual privacy, the vague language in the provision may allow misinterpretation and abuse.
Voyeurism: Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person under circumstances violating the privacy of that person, and without consent, is held criminally liable with imprisonment for up to three years and/or with a fine not exceeding two lakh rupees.30 Though it is important that an individual is protected from the transmitting of invasive images without his/her consent, the provision is unclear whether this applies to any other person, or to any person. In other words, it is not clear if an individual can voluntarily transmit an image of his or her genitals.
Child pornography: The publication or transmission of explicit or sexual material pertaining to children in an electronic form is prohibited. Any person who creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges, or distributes material in any electronic form that depicts children in a sexually explicit manner, cultivates, entices or induces children into an online relationship with one or more children for a sexually explicit act, facilitates abusing children online, or records in electronic form sexual abuse of children is punishable by imprisonment for five years and a fine which may extend to ten lakh rupees.31
Intermediary due diligence: The Information Technology (Intermediary Guidelines) Rules 2011 provide regulations for intermediaries to follow concerning the content that passes through their systems. The rules also establish what content is and is not allowed to be posted by individuals, and hold intermediaries responsible for ensuring that websites are in compliance with the provisions. Aspects of the rules that are relevant to privacy include:
Prohibited content: Individuals are not allowed to host, display, upload, modify, publish, transmit, update or share information that:
- does not belong to them,
- is grossly harmful; harassing; blasphemous; defamatory; obscene; pornographic; paedophilic; libellous; invasive of another's privacy; hateful or racially/ethnically objectionable; disparaging; related to money laundering, or harmful to minors;
- infringes a patent or copyright;
- violates any law in force;
- is deceptive or misleading; impersonates another;
- contains software viruses or any other computer code designed to interrupt, destroy, or limit the functionality of a computer resource; or
- threatens the unity, integrity, defence security, or sovereignty of India, friendly relations with foreign states, or public order; or causes incitement to the commission of any offence, or prevents the investigation of any offence, or is insulting to any other nation.34
If a notice is served to an intermediary concerning prohibited information under the Act, the intermediary must disable such information within 36 hours.35 This provision could potentially serve to protect the privacy of individuals, as it prohibits content that is privacy infringing, yet the broad terminology also places the freedom of expression at risk.
Data retention: Any information removed by the intermediary upon notice will be preserved for a period of 90 days for the purposes of investigation.36 This provision violates privacy because of the potentially large amount of sensitive information that could be taken down, stored by the intermediaries, and used by law enforcement.
Grievance mechanism: The intermediary must publish the name and contact details of the grievance officer as well as the mechanism by which users can register their complaints. The grievance officer must address the complaints within one month of the complaint being received.37 Though the provision of a grievance mechanism protects privacy, it is unclear if any remedies will be provided to aggrieved individuals.
Reactive disclosure to law enforcement: Intermediaries are required to provide any authorised governmental agency with information that is requested in writing for the purpose of: verification of identity; the prevention, detection, investigation, and prosecution of cyber security incidents; and punishment for any law currently in force.38 The broad reasons for which law enforcement is permitted to access information, particularly for the purpose of verifying identity, serve to violate privacy and could be used to facilitate tracking.
Security: The intermediary must take all reasonable measures to secure its computer resources and the information contained therein.39 The intermediary must report cyber security incidents and share all related information with the Computer Emergency Response Team.40 The intermediary will not knowingly deploy or install or modify the technical configuration of a computer resource, unless the change is meant to secure the computer resource.41
Missing provisions: Provisions that would provide stronger privacy protection to the individual include those requiring breach notification to the individual, a required notification of the presence of cookies, do-not-track provisions, and clear remedies for aggrieved individuals.
The Information Technology (Guidelines for Cyber Cafe) Rules 2011 provide regulations for the maintenance of user records in cybercafés. Critical information under the Rules includes forms of identification and user browsing information.
Identity: The rule establishes seven acceptable forms of identification that must be presented before an individual is allowed to use the cybercafé's facilities.42 When an individual cannot establish his/her identity, he/she will be photographed. All children must carry a proof of identity or be accompanied by an adult when using a cybercafé.43
Security: Cybercafés must take all precautions necessary to ensure that their computer systems are not used for illegal activities.44 This includes having in place safety/filtering software so as to prevent access to web sites relating to pornography, obscenity, terrorism, and other objectionable materials.45
Transparency: Cybercafés must display a sign clearly prohibiting users from viewing pornographic sites.46
Data Retention: Cybercafés must record, maintain and prepare four types of records:
- Copies of identity documents that have either been scanned or photocopied are to be maintained securely for a period of one year;47
- A log register containing the required information48 must be retained for a period of one year.49 Online copies of the log register are to be maintained and must be authenticated with an electronic or digital signature.50
- Cybercafés must also prepare a monthly report of the log register showing dated details on the usage of their computer systems that is to be submitted to the person or agency as directed by the registration agency;51
- The cybercafé's owner must store and maintain backup register logs for at least six months. These logs must include: history of websites accessed using computer resource at the cybercafé; and logs of proxy servers installed at the cybercafé;52
Powers of inspection: Any officer authorised by the registration agency may check and inspect any cybercafé and the computer resource or established network at any point of time for the purpose of ensuring compliance. The cybercafé owner must provide every related document, register, and necessary information to the inspecting officer on demand.53 This provision dilutes individual privacy, as there are no safeguards, such as a court order, a minimum official rank, or specified circumstances, to protect against undue access to information by law enforcement.
Invasive physical layout: Cybercafés must install partitions that are no higher than four and a half feet, and all screens must be installed to face outward. Additionally, the screens of all computers other than those situated in partitions or cubicles must face outward into the common open space of the cybercafé;54
Proactive Disclosure: The cybercafé must submit hard and soft copies of the monthly report of the log register by the 5th day of every month to the person or agency specified by the licensing agency.55
Missing provisions: The Rules contain no deletion policy, breach notification or provision for complaint and redress mechanisms.
Standards of Encryption
The central government has the power to set the nationally permitted standard for encryption. Currently, this is set at 40-bit.56
Interception of Communications
The interception powers laid out in the Act were amended in 2008. In 2009 the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules 2009 were adopted. Below is an outline of the relevant provisions.
Authorities: According to the 2009 rules, the secretary of the Ministry of Home Affairs has been designated as the "competent authority" to issue directions permitting the interception, monitoring, and decryption of communications. At the state and union territory level, the State Secretaries respectively in charge of the Home Departments are designated as "competent authorities" to issue interception directions.57 In unavoidable circumstances the Joint Secretary to the Government of India, when so authorised by the competent authority, may issue an order. In further cases of emergency the interception, monitoring, or decryption of information may be carried out with approval from the head or the second most senior officer of the security and law enforcement agency at the central level and an authorised officer at or above the rank of Inspector General of Police or equivalent at the state or union territory level.58 According to the 2008 amendment, the Central Government or State Government, or any of its officers specially authorised, may issue directions for interception.59 According to the 2000 statute, the Controller is empowered to give direction for interception.60 Under the Act, the Controller is an individual appointed by the Central Government.61 The authority appointed under the 2009 Rules dilutes the original 2000 statute, as it appoints multiple authorities capable of issuing interception orders at the State level and in unavoidable circumstances;
Permitted surveillance actions: According to the 2009 Rules, any authorised agency or body is permitted to intercept, monitor, or decrypt information that is generated, transmitted, received, or stored in any computer resource for the specified purpose.62 These permitted actions originate from the 2008 amendment,63 but diverge from the 2000 statute, which originally provided for only the interception and decryption of information that was transmitted from any computer resource.64 Thus, the 2009 rules have expanded surveillance in two ways: by additionally allowing for the monitoring of any information, and by allowing for surveillance on information that is generated, transmitted, received, or stored rather than information that is only transmitted;
Circumstances for interception, monitoring, and decryption: Conditions in which interception, monitoring, and decryption is permitted include: in the interest of the sovereignty or integrity of India, the defence of India, the security of the state, friendly relations with foreign states, or public order, or to prevent incitement to the commission of any cognizable offence, or for investigation of any offence.65 Of these, the 2008 amendment added 'or for investigation of any offence', and the competent authority may additionally issue directions to any agency of the government to monitor and collect traffic data for a range of "cyber security" purposes including, inter alia, "identifying or tracking any person who has breached, or is suspected of having breached or being likely to breach, cyber security".66 Thus, the 2008 amendment expanded the circumstances for interception, monitoring, and decryption;
Legal interception: If authorised by the competent authority, any agency of the government may intercept, monitor, or decrypt information transmitted, received, or stored in any computer resource only for the purposes specified in section 69(1) of the ITA.67 The 2009 Rules further provide that the competent authority may give any decryption direction to the decryption key holder;68
Interception procedure: Any approved interception order in the case of an emergency must be communicated to the competent authority within three days of its issue, and approval must be obtained from the authority within seven working days. Failing that, the order lapses.69 If a state wishes to intercept information that is beyond its jurisdiction, it must request permission to issue the direction from the Secretary in the Ministry of Home Affairs.70 Any direction issued by the competent authority must contain the reasons for direction, and must be forwarded to the review committee seven days after being issued.71 In the case of issuing or approving an interception order, in arriving at its decision the competent authority must consider all alternate means of acquiring the information.72 The order must relate to specific information sent or likely to be sent from one or more particular computer resources to another (or many) computer resources.73 The reasons for ordering interceptions must be recorded in writing, and must specify the name and designation of the officer to whom the information obtained is to be disclosed, and also specify the uses to which the information is to be put.74 The directions for interception will remain in force for a period of 60 days, unless renewed. If the orders are renewed they cannot be in force for longer than 180 days.75 These procedures did not exist in the 2000 statute or 2008 amendment, and were formulated under the 2009 rules. These procedures are important safeguards, protecting wire taps from being carried out in an abusive manner;
Provision of facilities: The officer issuing an order for interception is required to issue requests in writing to designated nodal officers of the intermediary.76 Upon receiving an order for interception, intermediaries are required to provide all facilities, cooperation, and assistance for interception, monitoring, and decryption. This includes assisting with: the installation of the authorised agency's equipment, the maintenance, testing, or use of such equipment, the removal of such equipment, and any action required for accessing stored information under the direction.77 Additionally, decryption key holders are required to disclose the decryption key and provide assistance in decrypting information for authorized agencies.78 Though the 2000 statute required that agencies extend facilities and technical assistance to decrypt information,79 the 2009 Rules expanded these orders by requiring the above;
Collection: The 2008 amendment provides that real-time collection of traffic data from any computer resource, either in transit or in storage, is permitted.80 Any direction to decrypt issued to an intermediary must be limited to information encrypted by the intermediary or the decryption key holder.81 This is an expansion of the 2000 statute, which provided only for interception of information in transit;82
Penalties: Under the 2000 statute, intermediaries that do not comply with requests from authorised agencies can be held criminally liable with imprisonment for up to seven years.83 In addition the 2009 Rules provide that intermediaries or any employee of the same who intentionally and without authorisation attempts to intercept, authorise, or assist any person to intercept information in transmission at any place within India will be punished according to the relevant provisions;84
Additional provisions established under the 2009 Rules include:
Sharing: Although authorised agencies are prohibited from using or disclosing contents of intercepted communications for any purpose other than investigation, they are permitted to share the contents with other security agencies for the purpose of investigation or in judicial proceedings. Furthermore, security agencies at the union territory level will share any information obtained by following interception orders with any security agency at the centre;85
Data retention/destruction: All records, including electronic records pertaining to interception are to be destroyed by the government agency "every six months, except in cases where such information is required or likely to be required for functional purposes".86 In addition, all records pertaining to directions for interception and monitoring are to be destroyed by the intermediary within a period of two months following discontinuance of interception or monitoring, unless they are required for any ongoing investigation or legal proceedings;87
Security of data: The intermediary must put in place adequate internal checks to ensure that unauthorised interception does not take place, and to ensure the extreme secrecy of intercepted information is maintained;88
Liability: The intermediary or person in charge of the computer resource will be responsible for the actions of their employees and will be held liable for: maintaining the secrecy and confidentiality of information, and protecting against unauthorized interception, monitoring, or decryption of information from taking place;89
Review Committee: Every two months, the review committee is required to meet and record its findings as to whether the direction is valid. If the review committee is of the opinion that it is not, it can set aside the direction and order the destruction of all information collected.90 A copy of every direction issued by the competent authority must be forwarded to the review committee within a period of seven working days;91
Transparency: Every fifteen days the officers designated by the intermediaries are required to forward to the nodal officer in charge a list of interceptions orders received by them. The list must include the details such as reference and date of orders of the competent authority;92
Confidentiality: The contents of intercepted communications are not allowed to be disclosed or used by any person other than the intended recipient.93 Additionally, the intermediary will put in place internal checks to ensure that unauthorized interception of information does not take place and extreme secrecy is maintained. This includes ensuring that the interception and related information are handled only by the designated officers of the intermediary;94
Unauthorized Disclosure: The contents of intercepted, monitored, or decrypted information will not be used or disclosed by any agency, competent authority, or nodal officer;95
Nodal Officers: The agency authorised by the competent authority will appoint a nodal officer (not below the rank of superintendent of police or equivalent) to authenticate and send directions to intermediaries or decryption key holders;96
The Controller or any officer authorized by him, will have the power to undertake investigation of any contravention of the provisions of the Information Technology Act.97
The Controller or any person authorized by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this Act, rules or regulations made thereunder has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. Furthermore, the Controller or any person authorized by him may, by order, direct any person in charge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.98
Telegraph Act 1885 (2003) (2006)
The Indian Telegraph Act was passed to govern telegraphy, phones, communication, radio, telex and fax in India. The Act allows any authorized public official to intercept communications.99 In 2007 the Telegraph Act (Interception) Rules 2007 were issued. Unauthorized interception of communications is punishable by imprisonment for up to one year and a fine of INR 500.100 The Interception Rules further hold service providers responsible for the actions of their employees, who can be held criminally liable under the Act.101 The following provisions relating to interception exist under the Act:
Lawful Interception: Communications can be intercepted under the Telegraph Act during a public emergency or in the interest of public safety, provided that one of the further grounds also applies, namely the sovereignty and integrity of India, the security of the State, friendly relations with foreign states, public order, or the prevention of incitement to the commission of an offence;102
Authorities: Interception may only be authorised by a Secretary to the Government of India in the Ministry of Home Affairs (in the case of the Central Government) and the Secretary to the State Government in charge of the Home Department (in the case of the State Government), or an officer at or above the rank of a Joint Secretary to the Government of India, who has been authorised by the Union Home Secretary. In the case of remote areas or where for operational reasons obtaining directions for interception is not feasible, interception will take place with authorisation from the head or the most senior officer.103 In this case, the tapping order must be sent to the competent authority for approval within three days. If the order is not approved within seven days, the interception must cease.104 Additionally, all security agencies must designate an authority not below the rank of Superintendent of Police to authenticate and send interception orders to the designated officers of the service providers.105 The service provider must designate two senior officers to receive and handle interception orders;106
Validity of wiretap order: Each order, unless cancelled earlier, is valid for 60 days and may be renewed only up to a maximum total of 180 days;107
Review committee: A review committee is to meet every two months at the central/state level and must validate the legality of the wiretap. A copy of every order issued by the competent authority must be sent to the review committee within seven working days.108 The committee has the authority to revoke orders and destroy copies of the intercepted message or class of message;109
Safeguards for interception orders: While issuing directions for interception the officer must consider whether the information could reasonably be obtained through other means.110 Interception orders must be directed at a specific individual and a specific address.111 The order must specify the name and designation of the officer of the authority to whom the intercepted message will be disclosed, and the use to which the intercepted message will be put;112
Retention of Records: The officer authorized to intercept any message must maintain records including: the intercepted message, the particulars of the person whose message was intercepted, the name and details of the officer who intercepted the message, the number of copies made of the message, the mode and method by which those copies were made, the date of destruction of the copies, and the duration for which the order remained in force;113
Transparency: The nodal officers appointed by the service providers must acknowledge receipt of an interception order within two hours of receiving it.113 Every 15 days the nodal officer of the service provider must forward a list of the interception authorisations received to the nodal officers of the security and law enforcement agencies, who confirm their authenticity. The list must include the date of the orders, the date and time of receiving the orders, and the date and time of implementation;114
Security: Service providers must put in place internal checks to ensure that unauthorized interceptions of messages do not take place and the secrecy of messages is maintained. Additionally, service providers must ensure that intercepted messages are only handled by the appointed nodal officer.115 Service providers are to be held responsible for the actions of their employees, and if a violation of the rules takes place, action will be taken against the service provider;116
Destruction: Records of directions for interception must be destroyed every six months by the relevant competent authority and by the authorized security and law enforcement agencies, unless they are required for 'functional requirements'.117 Service providers must destroy records pertaining to directions for interception within two months of discontinuing the interception.118
A comparison of the interception rules found under the Indian Telegraph Act and the Information Technology Act shows that the interception standards under the Information Technology Act have been expanded in the following ways:
Grounds for interception: The Indian Telegraph Act creates two levels of circumstances that must be met before the interception of communications can take place: a public emergency or the interest of public safety must exist, and interception may then take place only if it is found to be in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of an offence. The ITA expands these powers by removing the threshold condition of a public emergency or the interest of public safety, and by additionally allowing interception for the 'incitement to the commission of any cognizable offence or for the investigation of any offence';
Types of information: The ITA allows for the interception of information that is generated, transmitted, received or stored in a computer resource,121 while the TA allows for interception of any message or class of messages;122
Who can be surveilled: The ITA allows interception, monitoring, or decryption to be directed at any person, any class of persons, or any information relating to a particular subject.123 The TA does not specify any such requirement;
Provision of facilities: The ITA requires that intermediaries must provide all facilities, co-operation, and assistance for the interception, monitoring, or decryption of information.124 Such a requirement is not found in the TA;
Disclosure of decryption key: The ITA requires that decryption key holders, when directed by the nodal officer, disclose decryption keys and provide decryption assistance;125
Intermediary to provide technical assistance: The ITA requires that the intermediary must provide technical assistance and the equipment including hardware, software, firmware, stores, interface, and access to the equipment wherever requested for the purposes of installing interception equipment, maintaining interception equipment, removing interception equipment, or performing any action required for access to stored information;126
Destruction of records by service providers/intermediaries: The ITA requires that the intermediary should destroy records pertaining to an interception within a period of two months of discontinuance unless required for an ongoing investigation, criminal complaint, or legal proceeding.127 Under the TA the service provider is required to destroy records two months after discontinuance of the interception order;128
Interception, monitoring, and decryption additionally allowed: The ITA allows any person authorized by the intermediary to intercept, monitor, or decrypt for the purposes of installing a computer resource, maintaining a computer resource, installing a communication link for the intermediary, accessing stored information relating to the maintenance etc. of the communication link, accessing or analyzing information from a computer resource for the purposes of implementing information security practices, determining any security breaches, or undertaking forensics as part of an investigation or audit; and accessing information for the purpose of tracing a computer resource of someone who has contravened or is suspected of contravening the provisions of the act.129 An equivalent provision is not found in the TA;
Sharing with concerned agencies: Whenever asked by a concerned agency at the central level, the state level agencies will share any information that they have obtained while following directions for interception.130 An equivalent provision is not found in the TA;
Interception, monitoring, or decryption beyond the state jurisdiction: If a State Government requires interception beyond its jurisdiction, the Secretary in charge of the Home Department will request permission from the Secretary of the Ministry of Home Affairs.131
In India interception powers are also given to the government through the Internet Service Provider (ISP) License Agreement and the Unified Access Services License (UASL) Agreement for service providers. In practice, both licenses afford the government expansive access to communication data held by, and accessible to, ISPs.
The following provisions are in place under the ISP Agreement:
Right to inspect: In addition to a number of other facilities, the licensor or its authorized representatives have access to records, files and logbooks.132 Periodic inspections will also be carried out on the premises of Internet leased line customers to check for possible misuse;133
Provision of facilities: The ISPs will provide the necessary facilities for continuous monitoring of the system as required by the licensor or its authorized representatives.134 The ISP will also provide facilities for the tracing of nuisance, obnoxious or malicious calls, messages, or communications. These facilities are to be provided specifically to authorised officers of the Government of India (police, customs, excise, intelligence departments) when the information is required for the investigation or detection of crimes and in the interest of national security.135 ISPs should also provide facilities to the government from time to time to counteract espionage, subversive acts, sabotage or any other unlawful activity.136 The types of facilities and equipment to be used will be specified by the Government of India.137 This includes the installation of the necessary infrastructure in the service area with respect to Internet Telephony Services offered by the ISP, including the processing, routing, directing, managing and authenticating of internet calls and the generation of call detail records (IP address, called numbers, date, duration, time, and charge of the internet telephony calls).138 The ISPs must also provide the government with facilities to carry out surveillance of Mobile Terminal activity within a specified area whenever requested.139 As per the requirements of the security agencies, every international gateway location having a capacity of 2 Mbps or more will be equipped with a monitoring centre capable of monitoring internet telephony traffic.140 Each such monitoring centre must be of a minimum size, have adequate power and air conditioning, and be accessible only to the monitoring agencies. One local exclusive telephone line must be provided, and a central monitoring centre must be provided if the ISP has multiple nodal points;141
Right to Monitor: The designated person of the Central/State government or the licensor or nominee will have the right to monitor telecommunications traffic in every node or any other technically feasible point in the network. To facilitate this, the ISP must make arrangements for the monitoring of simultaneous calls by the Government or its security agencies.142 The Department of Telecom (DOT) will have the ability to monitor customers who generate high traffic value and verify specified user identities on a monthly basis.143 As a safeguard, the ISP is not allowed to use remote access facilities for the monitoring of content.144 Mirror images of the remote access information should be made available online for monitoring purposes;145
Bulk encryption not allowed: The ISP is not permitted to employ bulk encryption equipment in its network;146
Real time maintenance of logs: Each ISP must maintain an up-to-date log of all users connected and the service that they are using (mail, telnet, http, etc). The ISPs must also log every outward login or telnet session through their computers. These logs, as well as copies of all the packets, must be made available in real time to the Telecom Authority.147 A record of each internet leased line customer, together with details of the connectivity and the reasons for taking the link, should be kept and made readily available for inspection.148 The ISP will maintain a record of all commercial communications exchanged on the network. These records must be archived for at least one year for scrutiny by the licensor or the security agencies.149 The ISP will also maintain a complete audit trail of the remote access activities that pertain to the network for at least six months. This information must be available on request to any agency authorized by the licensor;150
Systematic access to user logs: The complete and up-to-date list of subscribers will be made available by the ISP on a password-protected website accessible to authorized intelligence agencies.151 Information held in the logs includes customer name, IP address, bandwidth provided, address of installation, date of installation, contact number and email.152 The licensor or its representatives will also have access to the database relating to the subscribers of the ISP, which is to be available at any instant;153
Prevention of logins: Logins where the identity of the user is not known should be prevented by the ISP;154
Right to take over: The licensor has the right to take over the service equipment and networks of the ISP in the case of the public interest, national emergency, low intensity conflict, or any other reason when ordered to do so by the government;155
Protection of privacy: The ISP has a responsibility to protect the privacy of the communications transferred over its network. This includes securing the information, protecting against unauthorized interception and unauthorized disclosure, ensuring the confidentiality of information, and protecting against excessive disclosure of information, except where consent has been given.156 In order to protect the privacy of voice and data, monitoring shall take place only on the authorisation of the Union Home Secretary or the Home Secretaries of the States/Union Territories;157
Block, filter, and take down material: The ISP must take measures to prevent objectionable, obscene or unauthorized messages, and messages that infringe copyright, intellectual property rights, or international and domestic cyber laws, from being carried across its network. If an ISP is made aware of prohibited material being carried on its website, it must take all steps to prevent and block the material.158 In the interests of national security or the public interest, the ISPs can block internet sites and/or individual subscribers as identified by the licensor from time to time;159
Provision of information: The ISP will provide the login password to the DOT and authorized Government agencies on a monthly basis for access to information stored on any dedicated transmission link from the ISP node to the subscriber premises.160 The ISP will also provide the licensor with location details of the equipment provided by the ISP.161 The ISP must provide the traceable identity and geographic location of its subscribers, and if a subscriber is roaming the ISP should try to obtain the traceable identity of the roaming subscriber from the foreign carrier.162 A safeguard provided for in the license is that remote access to networks is only allowed in areas approved by the DOT in consultation with the security agencies.163
The Unified Access Service License (UASL) differs only slightly from the ISP license. Many of the provisions are the same, but those unique to the UASL include:
Registration requirement: Mobile phone subscribers must register the SIM card that they are using;164
Provision of facilities: The ISP must make arrangements for the monitoring of the telecommunication traffic in every MSC exchange or any other technically feasible point, of 210 calls simultaneously;165
Disclosure of records: When required by security agencies, the ISP must make available records of i) called/calling party mobile/PSTN numbers; ii) time/date and duration of interception; iii) location of target subscribers and, from time to time, their precise location; iv) telephone numbers and, if any call forwarding feature has been invoked, records thereof; v) data records for failed call attempts; and vi) CDRs of roaming subscribers.166 On a monthly basis, and from time to time, information with respect to bulk connections must be provided to the Department of Telecom, the licensor, and the security agencies.167 Calls should be checked and analyzed, and a record maintained of all outgoing calls made by customers, both during the day and at night, that exceed a set threshold of minutes. A list of suspected subscribers should be created by the ISP and provided to the DOT and any officer authorized by the licensor at any point in time.168 Furthermore, a list of calling line identification restriction subscribers, with their complete addresses and details, should be created on a password-protected website that is available to authorized government agencies.169
TRAI Regulations on Unsolicited Marketing Calls
In India, the Telecom Regulatory Authority of India (TRAI) is responsible for establishing Regulations for unsolicited marketing calls. The first Regulations regarding unsolicited commercial marketing calls from telemarketers emerged in 2007, but were repealed and replaced in 2010 by the Telecom Commercial Communications Customer Preference Regulations 2010.170 Since their enactment, the Regulations have been amended eight times.171 They regulate 'unsolicited commercial communications', defined as any message which is transmitted for the purpose of informing, soliciting, or promoting any commercial transaction in relation to goods, investments or services etc. Excluded from this definition are 'transactional messages', which relate to:
- information pertaining to the account of a customer and sent by a licensee, bank, insurance company, credit card company, or depositories registered with Securities and Exchange Board of India, or Direct to Home Operators;172
- any information given by airlines or Indian Railways or its authorized agencies to its passengers regarding travel schedules, ticket booking, and reservations;
- information from registered educational institutions to parents or guardians of its students;
- any other message as may be specified by the Authority from time to time as a "transactional message".173
To facilitate regulation of unsolicited commercial communications, the 2007 Regulations established a National Do Not Call Register and a Private Do Not Call List, which continue to apply under the 2010 Regulations. Additionally, the 2010 Regulations established a Provider Customer Preference Registration Facility, "fully blocked" and "partially blocked" categories, a National Customer Preference Register, a National Telemarketers Register, and a Provider Customer Preference Register. Salient features of the 2010 Regulations include:
Provider Customer Preference Register: Every service provider or agency will set up a toll-free Customer Preference Registration Facility identified by the code 1909. The Provider Customer Preference Register must include the name of each subscriber making a request, the telephone number and area code of each subscriber, the date and time of the request, the details of the option chosen by the subscriber, and the unique registration number.174 A duplicate copy of the Provider Customer Preference Register will be maintained in at least two places for security purposes.175 The Private Do Not Call List, as established under the 2007 Regulations, will be included in this register.176 According to the 2007 Regulations, every service provider, within 15 days of the establishment of the Do Not Call Register, must maintain and operate a private Do Not Call list recording the preferences of its subscribers not to receive unsolicited commercial communications;
National Provider Customer Preference Register: The National Customer Preference Register will be maintained by any agency authorized by the Authority, and will contain a list of subscribers preferring to be fully blocked and partially blocked.177 The Register will contain the telephone number and area code of the subscriber indicating their preference, the details of the preference, and any other information specified by the Authority.178 After receiving a request from a subscriber, the Service Provider must verify the communication and send a unique registration number to the subscriber within 24 hours of the request.179 The National Do Not Call Register, as established under the 2007 guidelines, will be merged into the National Provider Customer Preference Register.180 Subscribers have the option to change their preference after three months of initial registration.181 The National Preference Register should be updated every 24 hours;182
National Telemarketer Register: A National Telemarketer Register should be set up and maintained by an agency authorized by the Authority. The Register should contain i) details of the telemarketers, such as registration date, application number, and registration number; ii) details of the fees deposited by the telemarketer; iii) details of the telecom resources allotted to the telemarketer; iv) the number of notices, along with the dates of such notices, served upon the telemarketer by the Access Providers for sending unsolicited commercial communications; v) the date of blacklisting of the telemarketer; and vi) any other details specified by the Authority.183 For registration, a fee must be paid by the telemarketer, and telecom resources will not be given to a telemarketer unless it is registered. Every telemarketer, after registration, will be identified by the numbers '140' and '70'.184 A telemarketer will be blacklisted if it fails to furnish additional security information, or if it has received and failed to comply with six notices for sending unsolicited commercial communications;185
SMS limit and charge: No service provider will allow more than 100 SMS to be sent per day per SIM, and no more than 3,000 SMS per SIM per month.186 A charge of five paise (INR 0.05) will be levied on each promotional SMS;187
Grievance and complaint mechanism: If an individual still receives unsolicited commercial communications seven days after registering in the Provider Customer Preference Register, he/she may file a complaint using the code 1909. While making the complaint, the subscriber must provide the particulars of the telemarketer, the telephone number from which the unsolicited commercial communication was sent, the date and time, and a brief description of the unsolicited commercial communication. The Terminating Access Provider must acknowledge the complaint with a unique complaint number and, within seventy-two hours, forward the complaint to the Originating Access Provider from whose network the unsolicited commercial communication originated, which must take the needed action;188
Obligations of the Service Provider: It will be the responsibility of the service provider to ensure that no Telecom resource is provided to a telemarketer unless it has registered itself with the Authority. The Service Provider must also ensure that the telemarketer scrubs the telephone number of the subscriber with the database received from the National Customer preference register before sending any SMS to a telecom subscriber. Every Service Provider must ensure that commercial communications including SMSs are sent to the customer only between 9am and 9pm;189
Power of inquiry: The Authority has the right to constitute an inquiry committee to look into the contravention of the Regulations;190
Penalty: If an inquiry is conducted and the service provider is found to have contravened the provisions, they will be liable to pay a fine of one lakh rupees for the first contravention, five lakh rupees for the second, and ten lakh rupees for the third;191
Privacy and Confidentiality: All service providers must put in place appropriate mechanisms to protect the privacy of communications and subscriber information.192
Cases filed under the Information Technology Act 2000:
Radiological and Imaging Association v. Union of India 2011(113)BomLR3107 (Bombay High Court)
Summary: A circular was issued by the District Magistrate of Kolhapur, requiring sonologists and radiologists to install silent observers (SIOB) in all sonography machines and to submit an online form F under the Pre-Conception and Pre-Natal Diagnostic Technique Rules 2003. The circular was challenged under Article 226 of the Constitution on the ground that it violates the right to privacy of the patients.
The Petitioner argued, inter alia, that there would be a violation of Section 72 of the Information Technology Act 2000 if the impugned circular were implemented. The Court did not find any merit in this claim and clarified that Section 72193 of the IT Act was not applicable in the case, as it only deals with 'any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder'.194 In this case the information was not considered to be obtained under the IT Act 2000 but under the Pre-Conception and Pre-Natal Diagnostic Technique Rules 2003. The Court also observed that the allegation of invasion of privacy due to the silent observer is far-fetched, as the images stored in the silent observer are not transmitted online to any server and remain stored in the sonography machine. There are also safeguards in place, including those governing the removal of the silent observer device and those requiring the appropriate authority to enter a user name and password, which are under the control of the Collector.
Relevance: The Court held that right to privacy is not absolute and is subject to restrictions on the grounds of public interest. It also held that there are enough procedural safeguards to protect the privacy of the patients.
Nirav Navin Bhai Shah and Ors. v. State of Gujarat and Another, Criminal Misc. Application No. 10291 of 2006, Decided On: 28.09.2006 (Gujarat High Court)
Summary: The appellants were accused of hacking into the computer system of the complainant and stealing important data. The main issue was whether criminal proceedings can be quashed on the ground that the parties have reached an amicable settlement. The Court decided that if the 'entire' dispute has been amicably settled then the Court shall quash criminal proceeding to that effect.
In this case the appellants were charged under sections 66 and 72 of the Information Technology Act 2000 along with other offences under the Indian Penal Code 1860. The complainant argued before the Court that the criminal proceeding should be quashed as the dispute is civil in nature. The Court rejected this contention, stating that the offences cannot be viewed as a civil dispute because offences under sections 66 and 72 of the Information Technology Act 2000 are offences against society and cannot be condoned. The Court nevertheless quashed the FIR on the reasoning that there had been an amicable settlement of the 'entire dispute'. It also took into consideration that if the criminal proceedings were continued, a miscarriage of justice would result.
Relevance: The Gujarat High Court observed that violation of privacy and hacking are offenses against the society and cannot be condoned or treated as a civil dispute. However, if the parties agree to a settlement of the 'entire' dispute then the Court may allow such settlement in the interest of justice.
Shankara Shekhar Mishra v. Ajay Gupta, 2011VIIIAD(Delhi) 139 (Delhi High Court)
Summary: The plaintiff bought a laptop for the purpose of web design and other functions. He also stored personal data on his laptop, including family photographs and bank details. The defendant, who was also involved in similar business of web design, barged into the premises of the plaintiff and snatched his laptop, which contained confidential and personal information. The plaintiff filed for a permanent injunction for the rendition of accounts, delivery of the infringing material and damages.
Relevance: The Court took into consideration that there was an ample amount of personal information on the laptop, which also contained vital financial data. The Court asserted that the privacy of the plaintiff had already been invaded. The defendant had no right to transfer the information to any other person, and the plaintiff was entitled to an injunction restraining the defendant from further transferring the information. The Court also noted that the plaintiff had gone through mental trauma and would be in constant fear that the data stored by him on the laptop might be misused by the defendant. The Court reiterated the value of privacy and stated that monetary compensation is widely recognized as the remedy for a violation of the right to privacy by the State or by an individual. In its final order, the Court passed a permanent injunction restraining the defendant from infringing the copyright of the plaintiff in the "literary works" authored by the plaintiff, and restrained the defendant from disclosing to any person the information of the plaintiff and his family stored on the snatched laptop. In this case it is interesting to note that the Court also took the invasion of privacy into account, along with the theft of the laptop, when deciding on the quantum of compensation.
Vinod Kaushik and Ors. v. Madhvika Joshi and Ors., Before Sh. Rajesh Aggarwal, Adjudicating Officer, Information Technology Act, 2000, Government of Maharashtra, At Mantralaya, Mumbai- 400032, Complaint No.2 of 2010195
Summary: The main issue in this case is whether accessing a husband's and father-in-law's email account without their permission amounts to 'unauthorized access'. In this case, the first respondent had accessed the email account of her husband and father in law, in order to acquire evidence in a Dowry harassment case. The Adjudicating Officer held that accessing an e-mail account without authorization amounts to contravention of section 43 of the Information Technology Act 2000. There was no compensation awarded to the complainant as the respondent had only submitted the information so obtained to the police and the court. The Adjudicating Officer, however ordered the first respondent to pay a fine of Rs. 100, as she was held to be in contravention of Section 66-C (identity theft and dishonest use of password of any other person) of the IT Act 2000.
Relevance: It is to be noted that there can be no defence of bona fide intention in a case of violation of privacy by accessing an e-mail account without the consent of the user; it will still be construed as 'unauthorized access'. It is also interesting to note that the Adjudicating Officer relied on the reasoning that the information procured by the 'unauthorized access' was only disclosed to the Court and the police, and that the respondent was therefore not liable to pay any compensation to the complainant. However, Section 43 of the IT Act 2000 deals with penalty and compensation for 'unauthorized access' to any computer, computer system or computer network as such. It may be said that there is a lacuna in the reasoning of the Adjudicating Officer. It also gives rise to the question whether a person is not liable to pay compensation under Section 43 if the information obtained by 'unauthorized access' is only disclosed before competent authorities such as the police or a court. The 'unauthorized access' of an e-mail account by dishonest use of the password of another person also amounts to a violation of privacy, and is covered under Section 66C of the IT Act 2000.
Interception of Communication:
State of Maharashtra v. Bharat Shanti Lal Shah and Ors. (2008) 13 SCC 5 (Supreme Court)
Summary: The legislative competence of the State to enact Sections 13-16 of the Maharashtra Control of Organized Crime Act 1999 (MCOCA) was challenged. The Court, while deciding on the constitutional validity of the impugned sections, which deal with the interception of wireless, electronic or oral communication, observed that although the interception of communications is an invasion of an individual's right to privacy, the right to privacy is not absolute; the Court must therefore see that the procedure itself is fair, just and reasonable.196 The Court also observed that MCOCA provides sufficient procedural safeguards to avoid invasion of privacy, and hence the impugned sections are constitutionally valid and do not infringe upon the right to privacy.
Relevance: This case lays down the limits of the right to privacy. It also reiterates that the State has the legislative competence to enact laws that may curtail an individual's right to privacy. However, such laws should lay down a fair, just and reasonable procedure for the issuance and implementation of orders for the interception of conversations or communications.
Amar Singh v. Union of India (2011) 7 SCC 69 (Supreme Court)
Summary: In this case the petitioner was a political leader of the opposition party. At the outset the petitioner filed a writ petition before the Supreme Court under Article 32 of the Constitution, seeking to protect his right to privacy under Article 21. The petitioner alleged that Respondent No. 7 (Indian National Congress) had pressurized the Government of India and the Government of the National Capital Region of Delhi to monitor and record the petitioner's phone conversations. The petitioner also asked the Court to direct the telecom service providers to reveal the details of the order of interception.
The Court dismissed the writ petition on the ground that it was frivolous, because of the change in the facts in the subsequent affidavits filed by the petitioner. In considering the facts of the case, the Supreme Court held that it is the duty of the service provider to assist the law enforcement agencies as and when required; any violation of this condition may lead to the imposition of a heavy penalty on the service provider. However, the Court observed that, "[i]n view of the public nature of the function of a service provider, it is inherent in its duty to act carefully and with a sense of responsibility." It further laid down that a service provider acting on an order of interception should simultaneously verify the authenticity of the order with its author.
Relevance: In order to prevent forged orders of interception of communication, which may lead to gross violations of privacy, the Supreme Court laid down guidelines to be followed by telecom service providers when assisting law enforcement agencies with the interception of communications.197
K.L.D. Nagasree v. Government of India, represented by its Secretary, Ministry of Home Affairs and Ors. AIR 2007 AP 102 (Andhra Pradesh High Court)
Summary: A writ petition was filed in the Andhra Pradesh High Court challenging the order of the respondent under Section 5(2) of the Indian Telegraph Act 1885, by which the respondent ordered the interception of messages from the petitioner's mobile phone. The Court examined the procedural safeguards that apply to an order for the interception of communication. These safeguards are enshrined in Rule 419-A of the Indian Telegraph Rules 1951, framed pursuant to the guidelines laid down by the Supreme Court in PUCL v. Union of India.198 The Court, while considering the impugned order, found that the order did not record the reasons for the interception. The Court also found that the Review Committee constituted under Rule 419-A(8) had delayed the review of the impugned order without any reason. The Court further laid down that such procedural inconsistencies render any recorded evidence inadmissible in Court, observed that the enforcement agencies were not following the correct procedure for the interception of communications under Section 5(2) of the Indian Telegraph Act, and ordered that any such recordings be destroyed.
Relevance: This is one of the few instances where a Court has gone on record to say that the enforcement agencies are not following the procedure established by law when issuing orders for the interception of communication under Section 5(2) of the Indian Telegraph Act 1885.199 Disregard of procedural safeguards by an enforcement agency amounts to a gross violation of the right to privacy envisaged under Article 21 of the Constitution of India.
Rayala M. Bhuvaneswari v. Nagaphanender Rayala, AIR 2008 AP 98 (Andhra Pradesh High Court)
Summary: This case came before the Andhra Pradesh High Court on a revision petition for a voice test of a tape recording. The Court found that the husband had tape-recorded telephone conversations of his wife with her friends and parents without her consent, and had subsequently used the recordings as evidence in the divorce proceedings between the parties. The Court held at the outset that there had been a clear violation of the wife's privacy by her husband. It also cited the compilation of Federal Law on "Covertly Recording Telephone Conversation", under which it is unlawful to record a telephone conversation except in one-party consent cases, that is, cases where a person records their own telephone conversation without the consent or knowledge of the other party. In this case, however, no consent had been given by either party to the telephone conversation.
The Court held that the act of the husband was illegal and unconstitutional and infringed upon the privacy of the wife. Even if the tapes were accurate, they could not be admitted as evidence.
Relevance: This is one of the cases in which the Court has acknowledged that the protection of the right to privacy under Article 21 of the Constitution of India is enforceable not only against the State but also against individuals. The Court also held that any recording which infringes upon the right to privacy of an innocent person cannot be admitted as evidence in a court of law.
NASSCOM v. Ajay Sood, 119 (2005) DLT 596 (Delhi High Court)
Summary: The plaintiff filed a suit seeking a permanent injunction restraining the defendants, or any other person acting under their authority, from sending and circulating fraudulent e-mails that appeared to be sent by the plaintiff through the use of the trademark 'NASSCOM' or any other confusingly similar mark.
Relevance: It is the first judgment in India to recognize phishing. The Court observed that there is no law in India that deals with phishing; however, within the purview of the existing laws, it could be treated as a form of misrepresentation, passing off and defamation.200
- 1. Information Technology Act 2000 ss. 43, 66 and 66F.
- 2. Information Technology Act 2000 s. 66E provides for imprisonment of up to three years with a fine which may extend to one lakh rupees for electronic voyeurism.
- 3. Information Technology Act 2000 s. 66C/66D
- 4. Information Technology Act 2000 s.66A
- 5. Information Technology Act 2000 s.72
- 6. Information Technology Act 2000 s.72A
- 7. Body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.
- 8. Section 43A of the Act and Rule 4 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- 9. Section 43A of the Act and Rule 5(1) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- 10. Section 43A of the Act and Rule 5(2)(a), (b)
- 11. Section 43A of the Act and Rule 5(3)(a)-(d), (i)-(ii)
- 12. Section 43 of the Act and Rule 5(5)
- 13. Section 43A of the Act and Rule 5(7) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
- 14. Section 43A of the Act and Rule 5(6) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- 15. Section 43A of the Act and Rule 5(4) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- 16. Section 43A of the Act and Rule 6(1) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- 17. Section 43A of the Act and Rule 6(4) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- 18. Section 43A of the Act and Proviso to Rule 6(1) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- 19. Section 43A of the Act and Rule 7 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- 20. Section 43A of the Act and Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. In case of an information security breach, such body corporate will be "required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies". The Rule stipulates that by adopting the International Standard IS/ISO/IEC 27001 on "Information Technology Security Techniques Information Security Management System Requirements", a body corporate will be deemed to have complied with reasonable security practices and procedures. The Rule also permits "Industry associations or industry clusters" who are following standards other than IS/ISO/IEC 27001 but which nevertheless correspond to the requirements of Sub-Rule 7(1), to obtain approval for these codes from the government. Once this approval has been sought and obtained, the observance of these standards by a body corporate would deem them to have complied with the reasonable security practice requirements of Section 43A.
- 21. Under Section 43A, any body corporates who fail to observe data protection norms may be liable to pay compensation if : it is negligent in implementing and maintaining reasonable security practices, and thereby causes wrongful loss or wrongful gain to any person. "Wrongful loss" and "wrongful gain" have been defined by Section 23 of the Indian Penal Code. Accordingly, "Wrongful gain" is gain by unlawful means of property which the person gaining is not legally entitled. "Wrongful loss"- "Wrongful loss" is the loss by unlawful means of property to which the person losing it is legally entitled." The section also includes this interesting explanation "Gaining wrongfully, losing wrongfully- A person is said to gain wrongfully when such person retains wrongfully, as well as when such person acquires wrongfully. A person is said to lose wrongfully when such person is wrongfully kept out of any property as well as when such person is wrongfully deprived of property". Following this, it could be possible to argue that the retention of data beyond the period of its use would amount to a "wrongful gain".
- 22. Section 43A of the Act and Rule 5(9) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- 23. Relyon Vision for Tomorrow. Digital Signature: Power Point Presentation. Available at: http://www.saraltds.com/digital-sign/digital-signature.pdf
- 24. Information Technology Act 2008 s. 30. Available at: http://mit.gov.in/content/it-act-notification-no-735
- 25. Notification No. 735 to the Information Technology Act 2000, "Use of Electronic Records and Digital Signatures" Rules 2004.
- 26. Information Technology Act 2008, s. 66(B)
- 27. Information Technology Act 2008 s. 66F(A-B)
- 28. Exact language of the provision: a) any information that is grossly offensive or has menacing character, or b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device, or c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages.
- 29. Information Technology Act 2008 s.66A
- 30. Information Technology Act s.66E.
- 31. Information Technology Act 2008 s. 67B (a-e)
- 32. Information Technology (Intermediary Guidelines) Rules, 2011, Rule 3(1)
- 33. Information Technology (Intermediary Guidelines) Rules, 2011, Rule 3 (5)
- 34. Information Technology (Intermediary Guidelines) Rules, 2011, Rule 3(2) (a-i)
- 35. Information Technology (Intermediary Guidelines) Rules, 2011, Rule 3 (4)
- 36. Information Technology (Intermediary Guidelines) Rules, 2011, Rule 3 (4)
- 37. Information Technology (Intermediary Guidelines) Rules, 2011, Rule 3 (11)
- 38. Information Technology (Intermediary Guidelines) Rules, 2011, Rule 3 (7)
- 39. Information Technology (Intermediary Guidelines) Rules, 2011, Rule 3(8)
- 40. Information Technology (Intermediary Guidelines) Rules, 2011, Rule 3(9)
- 41. Information Technology (Intermediary Guidelines) Rules, 2011, Rule 3(10)
- 42. Acceptable forms of identity include: 1. Identity card issued by any School or College; 2. Photo credit card or debit card issued by a Bank or Post Office; 3. Passport; 4. Voter identity card; 5. Permanent Account Number (PAN), Photo Identity Card issued by the employer or any Government Agency; 6. Driving license issued by the Appropriate Government; 7. UID number issued by UIDAI.
- 43. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 4(1)-(4)
- 44. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 6(6)
- 45. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 5(6)
- 46. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 6(7)
- 47. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 4(2)
- 48. Required information includes: name, address, gender, contact number, type and detail of identification document, date, computer terminal identification, log-in time, log-out time.
- 49. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 5(1)
- 50. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 5(2)
- 51. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 5(3)
- 52. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 5(4)
- 53. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 7(1)
- 54. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 6(1) & (2)
- 55. Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Rule 5(3)
- 56. Section 84A
- 57. ITA Interception Rules 2009 Section 2(d): Secretary in the Ministry of Home Affairs in the case of the Central Government; Secretary in charge of the Home Department in the case of a State Government or Union Territory.
- 58. ITA Interception Rules 2009 s. 3
- 59. Information Technology Act 2008 s. 69(1)
- 60. Information Technology Act 2000 s. 69(1)
- 61. Information Technology Act 2000 s. 17
- 62. Information Technology Act Rules 2009 s.4
- 63. Information Technology Act 2008 s.69(1)
- 64. Information Technology Act 2000 s.69(1)
- 65. Information Technology Act 2000 & 2008 s.69 (1)
- 66. ITA Amendment 2008 Section 69B
- 67. Information Technology Act 2000 & 2008, ITA Interception Rules 2009 Rule 4
- 68. ITA Interception Rules 2009 Rule 5
- 69. ITA Interception Rules 2009 Rule 3
- 70. ITA Interception Rules 2009 Rule 6
- 71. ITA Interception Rules 2009 Rule 7
- 72. ITA Interception Rules 2009 Rule 8
- 73. ITA Interception Rules 2009 Rule 9
- 74. ITA Interception Rules 2009 Rule 10
- 75. ITA Interception Rules 2009 Rule 11
- 76. ITA Interception Rules 2009 Rule 13
- 77. ITA Interception Rules 2009 Rule 19
- 78. ITA Interception Rules 2009 Rule 17
- 79. Information Technology Act 2000 s.69 (2)
- 80. ITA 2008 Section 69(B)(2)
- 81. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 Rule 13(3)
- 82. Information Technology Act 2000 s.69 (1)
- 83. ITA Interception Amendment 2008 69A(3)
- 84. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 Rule 25 (5)
- 85. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 Rule 25(2)&(6)
- 86. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 Rule 23
- 87. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 Rule 23(2)
- 88. ITA Interception Rules 2009 Rule 20& 21
- 89. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 Rule 21
- 90. ITA Interception Rules 2009 Rule 22
- 91. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 Rule 7
- 92. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 Rule 18
- 93. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 Rule 25
- 94. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 Rule 20
- 95. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 Rule 25
- 96. ITA Interception Rules 2009 section 12
- 97. Information Technology Act 2000 s. 28
- 98. Information Technology Act 2000 s. 29
- 99. Indian Telegraph Act, 1951 s.5(2)
- 100. Indian Telegraph Act, 1951 s. 24
- 101. Indian Telegraph Rules 2007 s. 15
- 102. Indian Telegraph Act, 1951 s.5(2)
- 103. Rule 419A(1) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 104. Section 419A(1) of the Indian Telegraph, 1951 as inserted by Section 2 of Interception Rules 2007
- 105. Rule 419A(9) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 106. Rule 419A(10) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 107. Rule 419A(6) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 108. Rule 419A(6) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 109. Rule 419A(18) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 110. Rule 419A(3) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 111. Rule 419A(4) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 112. Rule 419A(5) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 113. Rule 419A(8) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 114. Rule 419A(13) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 115. Rule 419A(14) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 116. Rule 419A(15) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 117. Rule 419A(18) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 118. Rule 419A(19) of the Indian Telegraph Rules, 1951 as inserted by Section 2 of the Interception Rules 2007
- 119. ITA Interception Rules 2009 s.4
- 120. TA Rules 2007 s. 2(1)
- 121. ITA Interception Rules 2009 s.9
- 122. TA Rules s. 2(1)
- 123. ITA Interception Rules 2009 s.9
- 124. ITA Rules 2009 s. 13 (2) &(3)
- 125. ITA Interception Rules 2009 s. 17
- 126. ITA Interception Rules 2009 s. 19
- 127. ITA Interception Rules 2009 s. 23(2)
- 128. TA Interception Rules 2007 s.2(19)
- 129. ITA Interception Rules 2009 s. 24
- 130. ITA Interception Rules 2009 s. 25(6)
- 131. ITA Interception Rules 2009 s.6
- 132. ISP license s.30.1
- 133. ISP license s.34.17
- 134. ISP license s. 30.1
- 135. ISP license s. 33.4
- 136. ISP license s.34.1
- 137. ISP License s. 34.4
- 138. ISP License s.34.6
- 139. ISP License s.34.9
- 140. ISP License s.34.27 (a)(i)
- 141. ISP License s.34.27(a)(ii-vi)
- 142. ISP License 34.7
- 143. ISP License 34.15
- 144. ISP License 34.28 (xiii)
- 145. ISP License 34.28 (xiv)
- 146. ISP license s.32.1
- 147. ISP license s. 34.8
- 148. ISP license s.34.18
- 149. ISP license s.34.23
- 150. ISP license s.34.28 (xv)
- 151. ISP license s. 34.12
- 152. ISP license s. 34.13
- 153. ISP license s.34.22
- 154. ISP license s. 34.8
- 155. ISP license s.34.11
- 156. ISP license s.32.1, 32.2 (i)(ii), 32.3
- 157. ISP license s.34.28 (xix)
- 158. ISP license s. 33.3
- 159. ISP license s.34.24
- 160. ISP license s.34.14
- 161. ISP license s.34.24
- 162. ISP license s.34.28 (ix)&(x)
- 163. ISP license s.34.28 (xi)
- 164. UASL license s. 41.14
- 165. UASL license s.41.10
- 166. UASL license s.41.10
- 167. UASL license s.41.19(ii)
- 168. UASL license s.41.19(ii)
- 169. UASL license s.41.19(iv)
- 170. The Telecom Commercial Communications Customer Preference Regulations 2010. Available at: http://22.214.171.124:8080/jspui
- 171. For list of amendments see: http://www.nccptrai.gov.in/nccpregistry/AmendmentToRegulations.jsp
- 172. Added by the Telecom Commercial Communications Customer Preference (sixth amendment) regulations, September 5th 2011, s. 4
- 173. The Telecom Unsolicited Commercial Communications Regulations 2010. definition ab (i,ii,iii, iv)
- 174. The Telecom Commercial Communications Customer Preference Regulations 2010 s.5
- 175. The Telecom Unsolicited Commercial Communications Regulations 2007 s.5 (1) (2)
- 176. The Telecom Unsolicited Commercial Communications Regulations 2010. s. 4(2)
- 177. The Telecom Commercial Communications Customer Preference Regulations 2010 s.6
- 178. The Telecom Commercial Communications Customer Preference Regulations 2010 s.6 (2)
- 179. The Telecom Commercial Communications Customer Preference Regulations 2010 s. 7 (1) & (2)
- 180. The Telecom Unsolicited Commercial Communications Regulations 2007 s.6(a) (b) (c )
- 181. The Telecom Commercial Communications Customer Preference Regulations 2010 s. 8
- 182. The Telecom Commercial Communications Customer Preference Regulations 2010 s. 10
- 183. The Telecom Commercial Communications Customer Preference Regulations 2010 s. 13(1) (2)
- 184. January 31st 2011. The Telecom Commercial Communications Customer Preference (third amendment) regulations. TRAI amendment s. 3
- 185. The Telecom Commercial Communications Customer Preference Regulations 2010 s 18
- 186. September 5th 2011. The Telecom Commercial Communications Customer Preference (sixth amendment) regulations 2011. s. 8
- 187. The Telecom Commercial Communications Customer Preference (seventh Amendment) Regulations October 2011 s. 6
- 188. The Telecom Commercial Communications Customer Preference Regulations 2010 s.19 (1-11)
- 189. The Telecom Commercial Communications Customer Preference Regulations 2010 s. 20
- 190. The Telecom Commercial Communications Customer Preference Regulations 2010 s. 21
- 191. The Telecom Commercial Communications Customer Preference Regulations 2010 s. 22
- 192. The Telecom Commercial Communications Customer Preference Regulations 2010 Schedule IV agreement between access provider and telemarketer
- 193. Section 72, Information Technology Act, 2000, "Penalty for breach of confidentiality and privacy: Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both."
- 194. Id
- 195. Vinod Kaushik v. Madhvika Joshi (2010). Available at http://docs.google.com/open?id=0B8vVw0jzMxE0Y2EyM2I1ZTQtNmQ3Yy00MDhjLTgz... (last visited on 23/01/2012)
- 196. Para 60, (2008) 13 SCC 5
- 197. "Therefore, while there is urgent necessity on the part of the service provider to act on a communication, at the same time, [it] is equally duty bound to immediately verify the authenticity of such communication if on a reasonable reading of the same, it appears to any person, acting bona fide, that such communication, with innumerable mistakes, falls clearly short of the tenor of a genuine official communication. Therefore, the explanation of the service provider is not acceptable to this Court. If the service provider could have shown, which it has not done in the present case, that it had tried to ascertain from the author of the communication, its genuineness, but had not received any response or that the authority had accepted the communication as genuine, the service provider's duty would have been over. But the mere stand that there is no provision under the rule to do so is a lame excuse, especially having regard to the public element involved in the working of the service provider and the consequential effect it has on the fundamental right of the person concerned." Para. 39, Amar Singh v. Union of India, (2011) 7 SCC 69
- 198. 1997 AIR (SC) 568
- 199. "As a matter of fact, except repeating all the five situations mentioned in Sub-section (2) of Section 5 verbatim, no specific reason which warranted interception of the petitioner's mobile telephone was mentioned. The said fact itself shows that the impugned order was passed mechanically without application of mind to the facts and circumstances of the case on hand. Hence, on the face of it, the impugned order is not in compliance with the mandatory requirement of Sub-section (2) of Section 5. Not only the satisfaction of the authority as to the occurrence of public emergency or the existence of public safety interest is absent, but even the satisfaction expressed with regard to the other situations enumerated under Sub-section (2) of Section 5 of the Act does not stand the legal scrutiny." K.L.D. Nagasree v. Government of India, represented by its Secretary, Ministry of Home Affairs and Ors. AIR 2007 AP 102