The Ministry of Home Affairs has issued an order authorising 10 central agencies to intercept, monitor, and decrypt information stored in any computer anywhere in the country. The Cyber And Information Security Division of the Ministry of Home Affairs has issued this order. The 10 agencies tasked with this are the Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Cabinet Secretariat (RAW), Directorate of Signal Intelligence (For service areas of Jammu & Kashmir, North-East and Assam only) and the Commissioner of Police, Delhi.
Simply put, this means that any of these agencies can demand access to any data that is stored in any computing device anywhere in the country. While the definition of “computer” is vague in this order, it would be safe to consider that PCs, desktops, laptops, tablets, smartphones and even data storage devices will be considered within the purview of this order. These agencies have the power to demand access to any data stored in any computing device at any point of time, decrypt any encrypted data that is stored and also monitor as well as potentially intercept data being transmitted from the computing devices in question. Now, there are two aspects to this. For physical data on a computing device, the agencies can ask an individual for access, basically any one of us. However, for the data transmissions that the agencies would want to intercept or monitor over the internet or between different networks, the agencies will take the help of internet service providers.
The order states that ten Central agencies are authorized to procure “any information generated, transmitted, received or stored in any computer.” The order further goes on to state that this is in exercise of the powers conferred by sub-section (1) of section 69 of the Information Technology Act, 2000 (21 of 2000) read with rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
The order clearly states that the operator of the said computing device, whether it is the owner of simply a user, will be legally bound to provide data access as well as any necessary assistance to the central agencies. According to the section 69 (1) of the Information Technology Act, 2000, failing to provide access to data or any necessary support for decrypting encrypted data can be punished with imprisonment of up to 7 years. The same section clearly states that the need to access the data on any computer becomes a requirement if it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence. For this, the reasons need to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.
At present, the latest order is not specific about what “data” it is referring to, or what data could potentially raise a red flag. However, at no point does the order or the sections it is based on, suggest that the Government or any of the agencies tasked with this, will be intercepting user data to any computing device, without user permission.