Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

III. Privacy issues

Access to information via the Controller of Certifying Authority

In March 2012 a query undertaken by the Software Freedom Law Center shed light on a method by which the Government can subvert the safeguards for access to personal information found in section 43A of the Information Technology Act. By requesting information through the Controller of Certifying Authority under section 28 of the Information Technology Act, the Government can access person information without meeting various thresholds. According to the statute, the body corporate or business are required to give information to the CCA when requested, or be penalized under section 44 (A).1 To find out the extent to which information has been requested by agencies through the CCA, the Software Freedom Law Center sent a right to information (RTI) request to the Controller of Certifying Authority asking for the following information:

  • Number of requests received in the last three years by the CCA from government agencies like the Intelligence Bureau, Ministry Of Home Affairs etc.;
  • Number of notices issued by the CCA under Section 28 of the IT Act in the last 3 years;
  • Names of the recipients of notices under Section 28;
  • Names of body corporates on whom a fine under Section 44 (A) has been imposed; and
  • Information on the methodology of scrutiny of requests from government agencies, and any rules or guidelines regarding the same.

In response to the questions asked the CCA responded that it needed permission from the concerned government agencies to disclose the information with concern to questions 1,2, and 3. In response to question 4, the CCA stated that only Yahoo India had been fined under Section 44 (A) of the IT Act. To question 5 the CCA responded that the matter was confidential and could not be disclosed.2 On 2 March 2012 the Software Freedom Law Center received a follow up reply to the RTI request, in which the CCA stated that 73  notices were issued by the CCA under section 28 of the IT Act in the last three years. The reply further stated that the notices were issued to Yahoo India, Google, AOL, Face book, Orkut and Hotmail.3

Unsolicited Calls

Unsolicited telemarketing calls and text messages, which are sent in bulk, pose a threat to privacy as - besides causing disturbance and irritation - bulk text messaging can be used as a tool for phishing. For many years the Government has been cracking down on unsolicited calls. For example, in 2006 the issue of telemarketing practices was brought before the courts in public interest litigation. The case argued that indiscriminate calls made by companies constituted an invasion of privacy. During the hearing, the bench was clear about the need to regulate and curtail telemarketers' unlimited and free access to mobile numbers. Out of the hearing came the first suggestions for a 'Do Not Disturb' register in India, and the assignment of a prefixed number for telemarketers, enabling easy identification.4 In 2007 the Telecom Unsolicited Commercial Communications Regulations were passed. Among other things, the regulations established a National Do Not Call Register and a Private Do Not Call List and imposed a fine of Rs 1000 for a first violation, and disconnection for a second violation.5  According to data released by TRAI in 2007, 6.7 million subscribers were registered with the 'Do Not Call' Registry,  yet 3,685 of the subscribers still received unsolicited calls.6 Since the passing of the 2007 Regulations, new Regulations were passed in 2010 along with eight subsequent  amendments between 2010 and 2011.
Despite having in place guidelines for the regulation of Unsolicited Commercial Communications, implementation has been a challenge. For example, beginning in 2006 and lasting through 2010, a Supreme Court division bench issued a notice against Cellular Operators Association of India, Bharati Airtel, ICICI Bank, and American Express Bank seeking explanation from them as to whether they should be penalized for unsolicited calls/messages on a petition filed by Nivedita Sharma. The State Consumer Commission (Delhi) imposed a fine amounting to Rs 50 lakh on telecom companies and Rs 25 lakh on private banks along with Rs 50,000 to Sharma on account of mental harassment suffered by her. However, the costs were set aside by the Delhi High Court. Thus, the State Consumer Commission ordered TRAI to put in place a 'Do Not Call' register and bring in a number portability rule.7 Later, in contravention of the fine imposed by State Consumer Commission and the TRAI policy, ICICI bank failed to pay the fine to Nivedita Sharma, whereupon a contempt proceeding was filed before the Commission. On an application proffered by ICICI to the Delhi High Court bench, the High Court refused to stay the contempt proceedings and said, "You think you are above the law? Every day we receive calls at all times of the day from ICICI for loans, credit cards...now you face the music."8

Clearly, implementation has been the weakest aspect of the regulations for unsolicited commercial communications in India.

Phishing, Hacking, and Fraud

According to statistics, India is among the top three countries that are a target of phishing attacks. Commonly, the targets are various banks and government organizations such as the Income Tax Department. It was reported by CERT-In that there were 3 cases of phishing in the year 2004, and 392 cases of phishing in 2007.9 According to additional government data, there were 386 phishing incidents reported to the CERT-In between January and October 2011.10

One of the first cases of phishing was registered with the Cyber Crime Investigation Cell in the year 2005 by a financial institute. It was alleged that the accused was involved in sending e-mails that appeared to be sent by ICICI Bank. The e-mail requested personal and confidential information from clients. Out of 120 customers that were targeted with the fraudulent email, 80 divulged their banking details, under the impression that it was a genuine request. The accused was charged under Section 66 of the Information Technology Act, 2000 and Sections 419, 420, 465, 468, 471 of the Indian Penal Code read with Section 51, 63 and 65 of the Copyright Act, 1957.11 Similarly, in 2007, the website of Bank of India was hacked and malware was planted on the site. The malware installs itself on the computers of the visitors and sends sensitive information to the hacker. In another case, a Malaysian national hosted a website which was a replica of the Axis Bank website, duping the customers into parting with their confidential passwords and other details.12

In 2008, Mr Gulshan Rai, Director General in the Union Ministry of Communication and Information Technology said that the Government had made an effort to define spam and phishing and online frauds. However, it was not defined by the Information Technology (Amendment) Act 2008. Mr. Rai also noted that, "[t]he number of phishing cases is also increasing among the Indian banks. Almost 7-8 cases of phishing are being reported on an average daily and most of them are hosted from outside   hosted in one country, registered in another country."13

The problem of phishing is widely recognized by banks in India, although it appears as though banks do not like to take responsibility for phishing attacks. In 2011, a former top official of the India Overseas Bank conceded that "most of the time banks pass the responsibility of recovering the money to the customers. They also avoid accepting the incidence of such cases as it may result to damage to its reputation and good will." It was also reported that the Reserve Bank of India had laid down certain guidelines banks must follow when they experience fraud, but most of the banks do not follow the guidelines.14

In 2012, six foreign nationals were arrested suspected of defrauding people by using text message and email scams. The victims of the scam were told that they had won lottery.15 "These people have software generating e-mail ids and mobile numbers. They would randomly select them and send thousands of SMSs and e-mails every day," said Joint Commissioner of Police of Mumbai, Himanshu Roy.16 Later in 2012 a press statement from the Ministry of Communications and Technology alleged that the website of Bharat Sanchar Nigam Limited had been hacked in 2011, and from December 2011 to February 2012, 112 Government websites were hacked. The statement also noted that according to the Reserve Bank of India, for the years 2009, 2010, and 2011 5,288 internet frauds took place for amounts ranging between rs. 1 lack and Rd. 787.39 lakh.17

Interception

The Indian Government has a long history of conducting authorized and unauthorized interceptions of communications. For example, during the 'Sikh Terrorism' in 1986, the Government declared nearly half of Punjab as "disturbed" zone. Because of this declaration, the police, under the Terrorist and Disruptive Activities Prevention Act, had the power to open private mail, tap telephones, listen into conversations, and take control of telephones on subjective satisfaction that the said telephone was being used to aid terrorism or communications with people assisting terrorists. The Act empowered the police to take measures without parliamentary approval.18 With the development of technology, the Government has passed laws that legitimize the interception of all forms of communication including e-mails, SMA, mobile phone calls, instant messaging, etc.

Indian Intelligence Agencies

Indian Intelligence today comprises of fourteen central agencies and numerous state agencies. All central agencies can be grouped under three ministries: the Ministry of Defense, Ministry of State for Home Affairs, and the Ministry of Finance. At the top of the Intelligence organizations in India is the Joint Intelligence Committee (JIC). Within the JIC is the National Security Council (NSC), which includes as its members, the Home Minister, Minister of External Affairs, Minister of Defense, and the Finance Minister. After the JIC is the Research and Analysis Wing (RAW) and the Intelligence Bureau (IB).19  These various agencies at the central as well as at the state level are given the power to intercept communications based upon 'well-reasoned' orders. According to a 2011 Government Notification, the Research and Analysis Wing (RAW) became one of the eight agencies empowered to intercept phone calls, emails and voice and data communications 'domestically'. The other agencies are the Intelligence Bureau, Directorate of Revenue Intelligence, Enforcement Directorate, Narcotics Control Bureau, Central Bureau of Investigation, National Technical Research Organization and State police. These agencies are empowered to tap phones for 72 hours even without permission from the Union Home Secretary or the concerned state Home Secretary during emergency situations. The agencies will, however, have to destroy the recorded conversations within 48 hours if they are denied permission from the concerned authorities.20 In addition to these higher level agencies, bodies and organizations like the police conduct wiretaps on a regular basis.21

Interception Infrastructure

Over the years, India has put in place infrastructure that has greatly increased intelligence agencies abilities to monitor individuals. For example, in 2009, the Home Union Minister P. Chidambaram worked to establish the Crime and Criminal Tracking Network System (CCTNS), which is a system that will facilitate the collection, storage, retrieval, analysis, transfer and sharing of information between police stations, the State Headquarters, and the Central Police Organizations.22 In 2010, the National Intelligence Grid (NATGRID) was established as an attached office of the Ministry of Home Affairs, and facilitates monitoring by giving security agencies a license to go through linked information, such as an individual's tax, travel, internet, and Telecom usage information.23 To head the project, Union Home Minister P. Chidambaram appointed Raghu Menon, a private sector security expert, as chief executive officer of NATGRID.24 Implementation of the NATGRID scheme has been envisioned in four phases. The first two phases have been approved by the Cabinet Committee on Security (CCS) and deal with the centralized storage and sharing of data that can be legally accessed by the law enforcement agencies. The CCS has also given assent to the next two phases 'in principle'. However, the next two phases raise grave privacy concerns as they deal with property details, bank transaction records, internet usage etc. The CCS has said that there will most likely be amendments to the existing laws to implement the next two phases.25

Also introduced in 2010 was the Unique Identification Bill. If passed, the Bill will legally recognize the Authority that will provide a Unique Identity Number for every resident in India. This number will possibly be used in the future as identification at cybercafes, during the purchase of SIM cards, for broadband connections, and for NATGRID. The number will serve as a common key in 22 databases and will be shared by 11 intelligence agencies.  The ubiquitous nature of these schemes along with many organizational habits to collect large amounts of information will make it easy for security agencies to build a 360-degree profile of all Indian citizens.26

Authorized Interception

In 2012, in response to an RTI application by The Indian Express, the Home Ministry stated: "On an average, between 7,500 and 9,000 orders for interception of telephones are issued by the central government per month." The Home Ministry did not divulge specific details of the records pertaining to these interceptions. However, it said that once an order for interception is sanctioned it is valid for two months and can be renewed twice. Under any circumstances, the order of interception cannot be in force for more than 180 days.27 Earlier this year, it was reported by an associate editor of Malayalam Weekly that there had been an order by the Kerala State intelligence to tap  268 e-mail accounts.28

Currently, legal interception is carried out by telecom companies at the request of intelligence agencies. According to the ISP Agreement license, telecom companies have to provide a 10 ft x 10 ft room in every city, with computers capable of intercepting simultaneous calls and call details including geographic location, voice data, SIM number, subscriber information etc, provided that the Union or State Home Secretary has approved the interception.29 The Government's heavy reliance on ISPs and telecoms to assist with the interception of communications can be demonstrated by the affidavit filed in 2011 by Reliance Infocomm, which claimed that the company had received orders to intercept 1.51 lakh telephones across India last year.30 Another example of the Government's dependence is the growing number of tenders placed by telecom companies requesting interception equipment.31 Additionally, Bharti Airtel, in their 2010-2011 annual report noted that it had received 422 appreciation letters from law enforcement agencies for assistance in lawful interceptions.32  Another avenue through which security agencies (especially the police) gain authorization for interception is through section 91 of the Criminal Code of Procedure, which gives the magistrates, both executive and judicial, and any commissioner or district superintendent of police the powers to summon any document that is deemed important for the purposes of any investigation.33 Furthermore, a recent sting operation carried out by the Mumbai Mirror revealed that there are detective agencies which provide service such tapping of phones of spouses, business partner, etc.34

Legal Interception Equipment

If intelligence agencies do not want to rely on telecom companies to carry out interceptions, they can use monitoring equipment instead.35 Interception equipment can rely on a variety of sources for the monitoring of data, including satellites to intercept data traveling between cell towers, under sea fiber optic cables, the Internet, and radio transmissions. Presently, the Government is looking to build a Centralized Monitoring System (CMS) to enable comprehensive and legal interception. The CMS will allow Security Agencies to intercept emails, cyber chats, monitor voice calls, SMS, MMS, GPRS and fax communications on landlines, and CDMA and GSM networks - all in real time.36  Supporting this, is the undeniable fact that the market for surveillance technologies is also growing. In 2011 it was highlighted that the two private companies Clear Trail and Shoghi Communications have become key suppliers of surveillance equipment to intelligence agencies and armed forces in India. It is reported that Clear Trail has over 25 shareholders and is an example of how 'surveillance technologies' is a quickly growing business. Clear Trail specializes in developing and marketing software that can be used for the analysis of mobile networks known as "Data Traffic Inspect Engine". Shoghi Communications, on the other hand, sells equipment such as GSM monitoring equipment, encrpyters, satellite monitoring, mobile back haul monitoring, and radio monitoring technology   but the company only provides services to the Government.37

Other technologies, not designed specifically for interception, can still be used to access information and surveillance individuals. For example, technology that allows for the tracking of a mobile phones geographic location can be potentially used for surveillance. In India, geographic location can be determined in many different ways. Firstly, a few operators in India offer "Location Based" services as part of their VAS portfolio. Other options in India include location identification through the cell-id, SIM based tower triangulation trials which can pin point location up to five kilometres, and limited reach technology trials. For example, loc8, an organization based in Bangalore, offers exact location based on cell-tower ID and point-of-interest from location found using cell-tower ID or GPS.38 Assisting with geographic location, Google has opened up the Cell-id information for almost 150,000 towers, which was obtained using the Google maps application.39 Mobile phones can be at risk for interception as well, because of the security default settings they are set to. For example, according to a report released by ETSI on third generation mobile telecommunication systems, security features of the system include user identity confidentiality, entity authentication, confidentiality, data integrity, and mobile equipment identification. Access security features include identification of temporary identities and identification by a permanent identity. Furthermore, according to GSM specifications, users must at all times be informed by mobile device when the communication is not encrypted. In India, despite these safeguards, GSM ciphering indicators are switched "off" by default by Indian mobile service providers.40 This places mobile transactions completed in India at risk of interception.

Unauthorized Interception

Although India does have in place statutes outlining the legal procedure for wiretapping, over the years these guidelines have been consistently been undermined. Today, the strength of technologies, a permeating domestic and international fear of terrorism, and an understanding by the Indian Government that more surveillance equals more national security, has lead to a situation where Indian security agencies have expansive powers, and are thus enabled to easily bypass any safeguards put in place to prevent against unauthorized interception.

Individuals or agencies often carry out unauthorized wiretaps by using technologies such as phone cloning, and off-the-air GSM/CDMA monitoring systems. Phone cloning simply requires the phone you want to tap, and the phone's IMEI number. With this information it is possible to customize software to match the IMEI number, and transfer it onto the phone.  Currently, in India this service is being offered on the street for $400.41 Off-the-air GSM/CDMA systems, also known as "passive interceptors", can be placed in cars and collecting data while roaming different areas.42 Off-the-air monitoring equipment can grab cell phone signals from within a two-kilometer radius for GSM phones, and less for CDMA phones.43 The machines pick up a signal, decrypt it, and then record the conversation on a hard disk.

Off the air monitoring equipment was available for importation into India until 2011, when it was taken off of the Open General License (OGL),44 and recently the Indian Government ordered a recall on all passive interception machines.45 In 2010, it was revealed that the National Technical Research Organisation (NTRO) was in possession of these machines, and had been deploying these passive interceptors on fishing expeditions throughout the country's capital.46 These expeditions were problematic on many levels. Not only was the interception of the communications unauthorized, but the manner in which the interceptions were carried out was unprofessional and not in accordance with protocol.  Although NTRO's unregistered use of this equipment is a well-known case of unauthorized tapping using these machines, many State governments have acquired these systems and use them on a regular basis.47  In addition, high-profile individuals, companies, private detective agencies, even some state-owned firms, have imported 1,174 off the air GSM/CDMA devices over the last three years.48

Intelligence agencies also carry out unauthorized interceptions by requests to service providers. The service provider, more often than not, carries out the intercept despite not having the necessary approval. A striking example of unauthorized interception took place in 2010, when a former employee called a colleague friend asking for the call data of a certain individual. The employee gave the friend the data. The police had tapped the phone, and the employee was fired. It is not uncommon for security agencies to walk into any mobile or Internet service provider and access any information they want. This information is handed over to security agencies through nodal officers, in each telecom circle. The nodal officer provides both meta data, like subscriber details, location of calls, call data records, browsing details, and actual communication data like call content, chatting transcripts, emails, and attachments. Nodal officers are available to security agencies around the clock, attend fortnightly meetings with them and are rewarded with appreciation letters by grateful superintendents of police, and their performance is partly assessed by how effectively they help their companies avoid penalties.49

Redress for interception

When an individual has their phones illegally tapped, mechanisms for redress are limited. An example of redress being sought pertaining to a wiretap conducted by the government is the case of Ratan Tata. In 2008 and 2009 Income Tax officials intercepted conversations between Nira Radia, a professional corporate lobbyist, and many different individuals. The Ministry of Home Affairs approved the interception. The interception was conducted for suspected tax evasion, possible money laundering, and restricted financial practices. The individuals involved in the case included A. Raja, the then Cabinet Minister of the Ministry of Communications and Information Technology; Ratan Tata, a client of Nira Radia and Chairman of the Tata group of companies; and various journalists including Barkha Dutt, NDTV journalist alleged to have lobbied in support of A. Raja's appointment as minister, and Vir Sanghvi, editor of the Hindustan Times alleged to have edited articles reducing the blame in the Nira Radia tapes. Earlier this year, the recorded conversations were leaked to the media by an unknown source. The leak exposed a scam to manipulate the upcoming auctioning off of the 2G spectrum. In response to his leaked conversations with his lobbyist Nira Radia, Ratan Tata has filed a petition in the Supreme Court, claiming that the leaking of the tapes violated his right to privacy.50

Not only is it rare for an individual to seek redress with respect to a wiretap, but it is also rare for individuals to even learn about wiretaps conducted on them, or have access to information regarding the wiretap. An example of this is the case of Shri Omprakash Housilprasad Yadav vs. Appellate Officer & Deputy Secretary, heard by the Maharashtra State Commission. In a query filed April 2007, Mr. Omprakash H. Yadav, a Vile Parle resident, sought information from the principal information officer of the state home department about the suspected tapping of his phones over the preceding three years. Yadav wanted to know if his mobiles were being tapped and, if so, for what reason and under which legal provisions. The Maharashtra State Information Commission denied his request, stating that "it is clear beyond doubt that telephone tapping is a secret affair carried out in the interests of the sovereignty and integrity of the country. The appellate officer has rightly turned down the contention of the appellant and the appeal is dismissed."51

The case of Omprakash Yadav is not unique, as RTI applications filed with respect to the interception of communications are frequently denied. For example, in 2008 S.P. Singh, a former chief excise commissioner, was being investigated by CBI for a six-year old bribery case. The RTI application seeking details of the interception order was rejected because "matters connected with the interception of telephones were governed by the provisions of the Indian Telegraph Act and were distinctly related to the security of India." A similar situation can be seen in the case of Dharambir Khattar, accused of corruption. In his case, the CIC asked the Home Ministry to provide details of the interception, such as names and designations of members of the Review Committee in the Home Ministry, which processes requests for phone taps; the dates on which it met and its conclusions, as some of the information had already been made available to the applicant through the Court. In their request, the CIC was said, "it is not comprehensible as to what objection a public authority can have to the disclosure of the details about a meeting [of a] statutorily mandated review committee, except if the purpose is to prevent the infirmities in the information to be brought out in the open. It shall be impossible for the commission to support such a position." Despite the request from the CIC, the details of the Khattar case were not made available. In yet another case, the application from S.C. Sharma of Janakpuri was denied on the grounds of national security.52

Research in Motion

The negotiations between the Indian government and Reliance in Motion (RIM) bring additional complications to the standard fare of voice and data interception discussed in this chapter thus far. The Indian government cannot listen to Blackberry traffic using their equipment at the ISP or Telecom operators' premises as the PIN messenger, email and web traffic travels in an encrypted tunnel. For BES users it is from device to a corporate server, and for BIS users it is from a device to RIM's Network Operation Centres across the globe. Since most Indian politicians and bureaucrats use BIS services and even free email accounts like Hotmail and Gmail, there is fear about the asymmetric nature of interception, as it would be possible for Canadian and US intelligence to legally intercept what should ideally be domestic traffic. Since March 2008 the Government of India has threatened to place a ban on the RIM Blackberry services in India. The Indian Government has many motives for intercepting Blackberry traffic, including generic reasons such as counter-terrorism and crime, and more unique reasons such as the possibility of foreign intelligences being able to intercept communications taking place in India. The Blackberry controversy began when the Home Ministry asked the Department of Telecommunications to find a legal solution that allowed for the lawful interception of Blackberry traffic. The Home Ministry originally contacted the DOT after the Directorate of Revenue Intelligence expressed its inability to intercept messages between hawala dealers and militant groups that use wireless devices. In total the Indian Government has issued RIM eight deadlines since 2008 to the present day to propose a satisfactory solution. To date RIM has not met any of the deadlines set by the Indian Government, as the Government insists on real time interception of all services.53

Over a span of three years the Indian Government has proposed to RIM the following compromises and strategies: establish a domestic server in India;54 create a mirror image of all e-mails and data sent in India through RIM services and save it for a minimum period of six months,55 lower RIM encryption to 40bit from the current 256 bit,56 share RIM encryption keys with the Indian Government,57 negotiate a "Government to Government" solution, similar to the one RIM has with the Canadian Government; and comply with the requirements of the Central Monitoring System.58 RIM never responded directly to these compromises, but has offered the Indian Government access to different levels of information under varying conditions including sharing data with the Government under the condition that the DOT become the custodians of the private keys, and take responsibility for any data that is lost or damaged;59  sharing the technical codes for its corporate email services, opening up access to all consumer emails,60 voice, SMS and BlackBerry Internet Services;61 the IP address of BlackBerry Enterprise Servers and the PIN and IMEI numbers of BlackBerry mobiles;62  and sharing data on a request by request basis (under this solution a mobile number needed for monitoring would given to the RIM who would provide the information within ten days).63 Additionally RIM has offered a solution using a Cloud Computation Method technology that would create a separate server in India. In the midst of the running dispute between Research in Motion and the Department of Telecom, various software companies have approached the DOT and the Intelligence Bureau (IB) offering BlackBerry interception solutions. For example, Cain Technologies and SS8 Networks demonstrated their interception equipment and solutions on Indian mobile networks to DOT and the Intelligence Bureau.64 This involved software and hardware based lawful interception specifically, data and voice communication analysis. However, the Intelligence Bureau rejected the demonstration by Cain Technologies under the premise that the company fell short on various counts.

Footnotes