Privacy, Telecommunications, and Interception: Navigating The Maze

Introduction

Telephonic surveillance and privacy rights are increasingly a part of the mainstream discourse. For instance, the ever-increasing tracking and monitoring mobile apps available in India have led to mounting phone tapping and monitoring concerns. These apps could range from digital lending service providers who access SMS data to assess creditworthiness of borrowers or wealth management apps to keep track of income and expenditure to spam filtering apps that identify spam callers before a call is accepted. Separately, the recent controversy on the alleged use of privately-operated Pegasus spyware products by the Indian government has escalated concerns about its surveillance rights.

As a general rule, the unauthorised interception of messages and calls is prohibited under Indian law. The primary laws and procedures enabling telephonic surveillance arise out of the Telegraph Act, 1885 (“Telegraph Act”) and the Indian Telegraph Rules, 1951 (“Telegraph Rules”) issued under the Telegraph Act. Indian telecom service providers (“TSPs”) are also subject to the licensing conditions prescribed under the “License Agreement for Unified License” (“ULA”) entered into with the Department of Telecommunications, under the Indian Ministry of Communications. The ULA is governed by a set of Indian laws including the Telegraph Act and the Information Technology Act, 2000 (“IT Act”). This note examines the Indian legal framework on undertaking telephonic surveillance in India.

Enabling Telephonic Surveillance

The Telegraph Act sets out the law relating to telegraphs in India and empowers the central and state governments with the ability to order for the interception of messages. The Telegraph Act defines a “telegraph” as an “appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, radio waves or hertzian waves, galvanic, electric or magnetic means”. The definition is broad enough to include wireless communication devices such as mobile phones.

The overarching obligation on all stakeholders within the telecom ecosystem is to ensure the privacy of communications. The Telegraph Act prohibits the interception of the contents of any messages and imposes criminal sanctions for contravention. In addition, the ULA requires TSPs to ensure the protection and privacy of communications, and that unauthorised interception of messages transmitted through their networks does not occur.

However, the Telegraph Act empowers the central and state governments with the power to order the interception or detention of any message under transmission through a telegraph on the occurrence of any public emergency or for public safety. The Telegraph Rules prescribe the procedure, checks, and balances for undertaking such interception. Practically, and much like other telecom mandates[1], the process of authorised interception is undertaken through a co-regulatory regime together with the TSPs. The ULA requires TSPs to provide the designated authorities[2] of central and state governments, with the ability to intercept messages passing through their networks as required by the Telegraph Act and prescribes certain technical and security conditions for enabling such access.

Rule 419A of the Telegraph Rules prescribes the procedure through which interception requests under the Telegraph Act (as well as the IT Act) are processed. The rules prescribe which authorities are competent to issue interception orders under the Telegraph Act, what the orders of interception must contain, how such directions must be conveyed to TSPs for implementation, the responsibilities of TSPs and their officers in implementing these directions, and other obligations regarding record maintenance, destruction, and confidentiality. The rules further establish “review committees” which consist of certain secretaries to the central and state governments. The review committee is required to meet periodically and review the interception orders issued by competent authorities. The committees are empowered to set aside directions for interception if they believe that the directions are not in accordance with the Telegraph Act.

In addition to the Telegraph Act, the Indian government has other draft laws and proposals in place that will augment its interception abilities. For instance: India was recently in the news for its international data sharing proposal to a United Nations panel on cybercrime. If implemented, this proposal will pave the way for countries to request data such as subscriber information (phone numbers and email addresses) and traffic data from signatory nations. The underlying premise appears to be that such access will provide countries with speedier access to data, necessary for cybercrime investigations, as opposed to the time-consuming alternatives such as mutual legal assistance treaties.

A plain reading of the Telegraph Act and the ULA reveals that (a) as a general rule, the interception of communications over telecom networks is prohibited and TSPs are required to institute adequate safeguards against this, (b) the exclusive privilege of intercepting telecommunications over telecom networks lies with government agencies empowered to do so, and (c) by necessary corollary, privatised telephonic interception is prohibited under Indian law.

Even so, there are a number of mobile apps that can read text messages and identify individuals making incoming calls upon installation. These apps carefully navigate through the legal framework around lawful interception to make such access possible. To determine whether such access constitutes unauthorised interception, the definition of “interception” must be analysed.

Defining Interception

Neither the Telegraph Act nor the rules issued under it define “interception”. In the absence of a definition, guidance may be drawn from the IT Act which contains similar interception powers for information processed on computer resources. The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 issued under the IT Act define the term “intercept” (of information stored in computer resources):

“…the aural or other acquisition of the contents of any information through the use of any means, including an interception device, so as to make some or all of the contents of information available to a person other than the sender or recipient or intended recipient of that communication…”

It may be inferred that if an individual or entity other than the sender, recipient, or the intended recipients are privy to contents of a communication, such access constitutes interception under Indian law.  Therefore, the essential elements of “interception” include:

• the actual acquisition of information by a third party. Such acquisition could be through any means (“Element A”); and
• the third-party accessing the information being neither the sender, recipient, nor intended recipient of the information (“Element B”).

By carefully structuring their disclosures and consent practices, the apps accessing information relating to messages and calls ensure that they do not fall afoul of the prohibitions under the Telegraph Act.

Privatised Surveillance 

An analysis of the information access, disclosure, and consent architecture of these apps reveal how they steer clear of satisfying any of the elements identified above.

Element A

Some apps argue that there is no actual access to information by them. Any information relating to messages or calls is analysed locally (on the mobile devices in which the app is installed) and is not shared with or stored in the organisation’s servers. Since there is no actual access to information, there is no interception.

Element B

Some apps make disclosures that the installation of their app will result in them being able to read and analyse the contents of messages and call logs. These apps may also seek consent for being able to do so.

Accordingly, once the parties to a communication are aware that a third-party is accessing their data, and have consented to such access, such apps become “authorised recipients” of the information they have accessed and are no longer third parties (other than the senders and recipients) to the communication[3].

Best Practices for Call and Text Monitoring

Organisations that want to access information contained in texts or calls must ensure that they do not satisfy at least one of Element A or Element B:

• To the extent technically possible, any access to data must be local, that is, limited to the mobile device of the individual, and must not actually hit the servers of the organisation.
• As a good practice, any access must be disclosed to individuals beforehand (such as through privacy policies) and appropriate consents must be obtained and documented for this purpose.

What the Future Holds

Pursuant to the uproar around the Indian government’s alleged use of the Pegasus suite of spyware products, the Supreme Court of India, has established a “technical committee” to make recommendations regarding amendments to existing surveillance laws and securing an improved right to privacy. The findings of this committee have not yet been made public.

Generally, Indian laws on data protection and telecommunications are in a state of flux. The Indian government has published the Digital Personal Data Protection Bill, 2022 (“DPDP”) and the Indian Telecommunication Bill, 2022 (“Telecom Bill”) for public consultation. While both the DPDP and the Telecom Bill have been appreciated for easing compliance for businesses, they have also been subject to the widespread criticism that they do little to curb the Indian government’s powers of surveillance and rising concerns around phone tapping.

The draft bills are in conformance with the status quo of Indian laws. The DPDP gives the central government the broad powers to exempt any government instrumentality from the applicability of the draft bill. The Telecom Bill contains the same provisions on interception of messages as the Telegraph Act. Nevertheless, we expect the legal framework on surveillance to radically transform in the coming few years. The Pegasus spyware fallout, judicial precedents, and the establishment of the “technical committee” signal that major reforms (both on government and private surveillance concerns) are on the horizon.

Please reach out to Mathew Chacko and Aadya Misra for queries.

[1] The Telecom Commercial Communications Customer Preference Regulations, 2018 (“TCCCPR”) issued under the Telecom Regulatory Authority of India Act 1997 establish a co-regulatory regime with TSPs to regulate the transmission of commercial communication over telecom networks.

[2] The authorities include agencies such as the Intelligence Bureau, Directorate of Enforcement, Central Board of Direct Taxes, and the Central Bureau of Investigation.

[3] It may be argued that if an app is installed on the recipient’s phone and not that of the sender, such access may still constitute privatised interception since the sender is not aware of and has not consented to the access. However, apps usually contractually require individuals to warrant (through their terms and conditions) that they have procured the consent of any third party whose personal data may be accessed by the app in the course of their communications. Separately, while the definition of interception referenced above does not expressly say so, it may be argued that where accessing information on calls and messages is authorised by law, it does not constitute unauthorised interception (for instance: the TCCCPR permits the access of text messages by private entities, but such access does not constitute unauthorised interception).