Department of telecommunications releases four sets of draft rules for consultation
The central government can specify agencies to intercept messages for reasons including national security, public order or preventing incitement
New Delhi The Department of Telecommunications released on Thursday four sets of draft rules under the Telecommunications Act, 2023, for a 30-day consultation period, covering interception, suspension of telecom services, telecom cybersecurity and critical telecom infrastructure.
While the interception and telecom suspension rules largely mirror existing regulations, the Critical Telecommunication Infrastructure Rules are new.
Interception Rules
The draft, like the extant Rule 419A of the Telegraph Rules, 1951, maintains that interception orders can be issued by the union or state home secretary. In “unavoidable circumstances”, a duly authorised joint secretary-level officer may issue the order. In “emergent cases in remote areas” or “for operational reasons” when it is not feasible for the home secretaries to issue the order, the head or second senior-most officer of an authorised law enforcement or security agency, not below the rank of inspector general of police, can issue the order.
The central government can specify one or more agencies to intercept messages, or class of messages, for five reasons: in the interest of sovereignty and integrity of India, defence and security of the state, friendly relations with foreign states, public order, or for preventing incitement to the commission of any offence.
As is the case now, the interception order must specify: the authorised agency that will intercept; and one or more of the five reasons for which interception can be ordered and will limit use of intercepted messages to these reasons only. Unless revoked earlier, the order will remain in force for a maximum of 60 days but can be renewed. No order can remain in force for more than 180 days.
Requirements for maintenance and destruction of interception orders remain the same. Records related to an interception order and intercepted messages must be destroyed by both the ordering entity (home secretaries or the authorised agency, as the case may be) and the agency doing the interception every six months unless they are required for functional reasons. DoT and the telecommunication entity must also destroy records within two months of discontinuation of interception.
Raman Jit Singh Chima, Asia Pacific policy director of Access Now, criticised the provision for destroying interception orders as it could encourage “impunity” due to lack of accountability. “Destruction of interception orders will encourage impunity. In other territories, the information collected through interception is deleted but not the orders themselves. They are maintained,” he said.
The composition of the review committees that must confirm the interception orders at central and state level also remains the same.
Four changes have been made. One, DoT must authorise two nodal officers in each service area to receive and act on interception orders. The requirement for the telecom entity --- to notify the central government of two senior employees in every area of its operation who will implement the orders --- remains the same. The nodal officer of the government’s authorised agency can convey the interception order to either of them, as the case may be. The rules propose that the nodal officers at DoT, like the nodal officers at the telecom entity do now, must also acknowledge receiving the interception order within two hours of its receipt, and must submit fortnightly reports to the agency that conveyed the order with a list of interception orders received.
Two, telecom entities now include those establishing, maintaining or expanding telecom networks in addition to the telcos themselves. A telecom entity would include entities “authorised” under the Act, as well as those who are exempted from the authorisation requirement, and interception orders will apply to all telecom entities.
Chima asked, “Who is exempted, how and on what grounds? Does a minister’s press statement count as an exemption? Will there be a gazette notification? These are black areas.”
Three, the rules exclude demonstration and testing of lawful interception systems and monitoring facilities that telecom entities might be required to put in place by the government.
And four, the provision to fine or suspend/revoke the licence of service providers for not maintaining secrecy and confidentiality of such orders or for unauthorised interception has been removed in the draft rules. Telecom entities will now be responsible for the actions of both their employees and their vendors that result in any unauthorised interceptions.
Internet suspension rules
While the suspension of telecom services rules also remain largely the same, the proposals include provisions that require publication of all suspension orders, stating reasons, geographical area and duration, capped at 15 calendar days. The review committee also remains the same.
Vrinda Bhandari, a Supreme Court lawyer, noted, “The fact that the government is placing these rules for public consultation is welcome... The proposed Rule 5(3) is new and permits the Review Committee to set aside an order that fails to meet the prescribed standards”.
Both Bhandari and Chima highlighted the problems with the executive-led review committees in the interception and telecom suspension rules.
“There is no real change in the process. It is the same executive-led process with no role for judiciary or parliament. These draft rules, like the extant rules, are unconstitutional and do not conform to the principles laid down in the Puttaswamy judgement. These draft rules position India as one of the worst democracies in the word when it comes to interception,” Chima said.
Chima, however, said that the telecom services suspension rules might be worse than interception rules because of lack of safeguards. “In the interception rules, there is at least the requirement to look for less restrictive means for interception but no similar requirement is there for suspension of telecom services. By not including it, you are basically telling the police that suspending telecom services is the first step that you should take,” he said.
Telecom cybersecurity rules
The department also introduced draft telecom cybersecurity rules, mandating telecom entities to implement measures to prevent and respond to cyber incidents.
These rules seek to empower the central government, or any authorised agency, to seek “traffic data and any other data” from a telecom entity for cyber security reasons.
This collected data might be analysed to take measures to enhance telecom cyber security and, if so deemed necessary by the central government for the purposes of ensuring telecom cybersecurity, be “disseminated” to law enforcement and security agencies, or be shared with telecom entities and users.
Like in the interception rules, a telecom entity includes both authorised and exempted entities, including telcos and telecom infrastructure providers.
Traffic data has been defined as “any data generated, transmitted, received or stored in telecommunication networks, including data relating to the type, routing, duration or time of a telecommunication”.
The proposed rules mandate all telecom entities to appoint an Indian chief telecommunication security officer based in the country, to adopt a telecom cybersecurity policy, and conduct periodic telecom cybersecurity audits, amongst other things. As in the CERT-In directions of 2022, telecom entities are also required to report any security incident to the central government within six hours of the occurrence of the incident.
The international mobile equipment identity (IMEI) numbers of all equipment that is manufactured in India must be registered with the central government before the sale of the equipment. Importers of equipment with IMEI number must register the number prior to import. Changing the IMEI or the electronic serial number (ESN) or any other number or signal that identifies unique telecom equipment has been forbidden in the draft rules. Equipment with tampered IMEI number can be blocked from accessing telecom networks and services.
Critical telecom infrastructure rules
Under the Telecom Act, the government is also empowered to notify a telecom network, or a part thereof, as “critical telecommunication infrastructure” if it concludes that a disruption of such infrastructure will have “a debilitating impact on national security, economy, public health or safety of the nation”.
Under the proposed Critical Telecommunication Infrastructure Rules, telecom networks that are notified as CTI must allow people authorised by the central government to access and inspect their hardware, software, and data related to the CTI. The chief telecommunication security officer, who needs to be appointed under the draft telecom cybersecurity rules, will be responsible for ensuring the implementation of these rules as well.