On February 14, in the case of tapping of political leader Amar Singh, the Reliance Infocomm, India’s second-largest mobile telephony provider, informed the supreme court that various government agencies had asked it to intercept 1.51 lakh telephone numbers between 2006 and 2010. This figure was extrapolated and it has been thus estimated that the there were about one lakh telephones were being tapped by the agencies every year. This number is huge and this behaviour of the agencies sounds more like peeping-tom behaviour than the need of law enforcement. It has serious privacy implications.

The law being used by the police and intelligence agencies is the Section 5 of Indian Telegraph Act, 1885 read with rule 419 and 419A.
In1997, the supreme court intervened and ordered the government to frame the proper rules, however till the time it is done, the right of privacy has to be safeguarded against the arbitrariness in the exercise of power under the Act.

The government had formed the half-hearted rules under the pressure from the supreme court.

In the meanwhile, the technology has changed dramatically from the yesteryear of 1885 from analogue to digital, where your mobile phone is a computer who communicates through network of computers to another mobile phone computer on behalf of you and your friend. Thus at any point of electronic interception, the communication is between two computer in digital format and not in analogue format over which Telegraph Act applies.  And thus rightly speaking present interception laws are covered under Information Technology Act 2000 rather than under Telegraph Act, 1885.

In fact Section 81 of IT Act make this law having overriding effect over Telegraph Act. Unlike Telegraph Act which is ambiguous about the procedure of interception, IT Act 2000 has much more clearly empowered the Controller Certifying Authority to authorise any interception or getting any information from data stored in computers under Section 69 of IT Act. Though in amendments these powers were dilute and as law in 2008. After amendments, as it stands today, the Central Government is to frame Rules for interception and getting data protected even by a password. Almost three years have passes but the government is yet to frame any rules under this section which is being used and abused extensively.

This was the matter related to the telephone tapping which does have some governing rules (right or wrong or incomplete) but there emerges new facet impacting privacy with increase tele-density. One of them is your Call Detail Records (CDRs). This record can reveal about whom, when, from where, using which handset and how long you were communicating. These records are maintained by the Telephone Service Providers (TSPs) basically for financial reasons.  CDRs are stored in computers of TSPs and are protected/ encrypted by various mechanisms including password. However, presently due to lack of any rules, a police officer claiming to be Investigating Officer can get copy of your CDRs. This is an outright breach of privacy as enshrined under Article 19 and 21 of the Constitution of India.

It has been said by many experts that privacy laws in India are non-existent but this is probably not true at least in matters related to the electronic records (CDRs  are electronic records according to the Section 65B Evidence Act). Section 131 Evidence Act empowers the TSPs to refuse to give information to anyone, of your CDRs, unless you have given the approval or the procedure established under the law is followed. In fact wordings of section 131 Evidence Act has been casted in a similar manner as Section 129 Evidence Act which protects the communication with legal advisor. Hence if any TSP breaches the section 131 Evidence Act, you can take the defaulting TSP to the courts and book them under Sections 406, 407 and even 409 Indian Panel Code, which attracts imprisonment between 3 years to life in addition to fine. (TSPs fulfils the criteria of ‘being in the business of merchant’ as well as ‘carrier’ as envisioned by the law makers in year 1886, when IPC was enacted).

The law makers fully aware of the higher possibilities of breach in networked environment have enacted Section 72 of Information Technology Act, which provides for two years of imprisonment and / or fine up to One Lakh Rupees not only on the defaulting TSP but also against the Police Officer securing the CDRs without the procedure established by law.

It is therefore in the best interest of safety and security of the country and also the privacy of the citizen of this country that the central government frame the rules under section 69 of IT Act. In the meanwhile any citizen whose privacy has been breached with utter disregard to the procedures has all the means and power of law to take necessary legal recourse.

Saini  is a former national coordinator of information security (GoI) and chief information security advisor to Microsoft (India).