Telecom Security Policy Of India 2014 And Unconstitutional E-Surveillance Issues

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIndia literally borrows a majority of Security and Intelligence related ideas from United States (U.S.). This creates many unique problems for India. Firstly, these projects and ideas are meant for western countries and they are not at all suitable for a country like India. Secondly, if something goes wrong with the U.S. model, the “Infirmity and Irregularity” automatically creeps into Indian Projects and Initiatives as well.

In U.S., Civil Liberty Activists have started challenging U.S. Government’s E-Surveillance Projects and Policies. Even U.S. Courts have started taking a strict note of these E-Surveillance Activities of U.S. Agencies. Recently, the Massachusetts Supreme Judicial Court declared that phone users have Legitimate Expectation of Privacy while using their phones. Similarly, the Texas Appeals Court ruled that law enforcement officials do need a warrant to search an arrested person’s cell phone he/she has been jailed.  The U.S. Government is also facing many lawsuits regarding illegal and excessive gathering and retention of phone details and metadata. The White House is also facing limited and difficult options to restructure National Security Agency’s phone surveillance program.

Now let us come to India that “Dedicatedly and Blindly Follows” these U.S. Models. The Cell Site Data Location Laws in India and Privacy Issues are still ignored by Indian Law Makers. The Cell Site Location Based E-Surveillance in India is rampant “without any Regulatory Checks and Judicial Scrutiny”. We have no dedicated Data Protection and Privacy Rights Laws in India.  Even the Fifty-Second Report of Standing Committee on Information Technology (2013-14) titled Cyber Crime, Cyber Security and Right to Privacy (PDF) has slammed Indian Government for poor Privacy Laws in India. The Cyber Law of India and the Indian Telegraph Act, 1885 also deserve an “Urgent Repeal”.

India has also launched E-Surveillance and Privacy Violating Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. Even the essential E-Surveillance Policy of India is missing till now.

Now it has been reported that Indian Government plans to put in place systems and regulations that will allow Law Enforcement Agencies to trace cellular phone users and provide access to targeted communication, text messages, information data and even value added services on a real-time basis, according to the draft guidelines of the country’s Telecom Security Policy.

The Department of Telecommunication (DOT) has proposed comprehensive norms in the draft policy after the Ministry of Home Affairs expressed strong reservations since the department had not created provisions for law enforcement agencies to intercept communication.

In a version of the draft policy that addresses National Security concerns, the DOT has said that the policy would “put in place effective systems, processes and regulations to ensure the traceability of telecom users or devices in terms of identity, permanent address and current location with specified accuracy and resolution in the case of need”. India intends to deal with Telecom Security issues in an in-depth manner as the open telecom environment has made it easier to intrude on networks and cause damage to information they contain. The recent allegation of hacking by Huawei of Indian Telecom Infrastructure proves this point. India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission’s cellular loop’s proposal would strengthen Mobile Based Surveillance in India on National Security Grounds.

Techno Legal Compliances like Privacy Law Compliances, Data Protection Requirements (PDF), Cloud Computing Compliances, Encryption Related Compliances, Cyber Law Due Diligence (PDF), etc are not followed by the Law Enforcement Agencies of India. The Telecom Security Policy of India must address all these issues while keeping in mind the Telecom and National Security of India. Further, India must Reconcile Civil Liberties and National Security Requirements as well.

The proposed policy also envisages providing analysis of information and data including decrypted messages, flowing through the telecom network, stored in systems and devices. Abilities of security agencies to analyse information quicker will be enhanced by making latest technology and systems available which will cut down delays and minimise information leakage.

However, security agencies will uphold privacy rights of Indian citizens, the draft norms said. This is difficult to believe as the proposed Privacy Law of India is already facing Intelligence Agencies Obstacles. Even the National Cyber Security Policy of India has failed to protect Privacy Rights in India.

A Telecom Security Directorate (TSD) has been proposed for implementing and updating the proposed Telecom Policy. Meanwhile, security certification centre for testing telecom equipment, centralised monitoring system for interception and monitoring and emergency response team for detecting and analysing cyber attacks, internet traffic hijacks and telecom sectoral frauds would be created.

DOT is of the opinion that the sector requires a separate security policy since the cybersecurity policy is not sufficient to deal with security issues specific to the telecom industry that has created critical information infrastructure.

The Government will largely depend on mobile phone companies that will implement the security instructions as a key stakeholder and also share the cost with the government. Telecom operators would have to build systems, procedures and methods to make their network resilient so that any damage has a minimum impact on the network and it can be revived quickly.

Telcos would have to share information on attacks on their networks, intrusion and frauds with Government agencies, including telecom sectoral CERT, the national CERT and the National Cyber Coordination Centre, that may monitor all web traffic passing through internet service providers in the country and issue ‘actionable alerts’ to government departments in cases of perceived security threats. Indian Government is also planning a legislation mandating strict Cyber Security Disclosure Norms in India.

These Proposals, Policies and Initiative are not only “Controversial and Unconstitutional” in nature but they are also far from being actually implemented. At the time of their implementation, they must be supported with “Constitutionally Sound Laws” to avoid “Constitutional Attacks”. Otherwise this would only increase unnecessary and unproductive litigations in India.