Privacy and Telecommunications: Do We Have the Safeguards?
All of you often come across unsolicited and annoying telemarketing calls/ SMS's, prank calls, pestering calls for payment, etc. Do we have any safeguards against them? This blog post takes a look at the various rules and regulations under Indian law to guard our privacy and confidentiality.
1 Introduction
With a subscriber base that stands at just over 700 million (TRAI, August 2010) the telecom industry has enjoyed spectacular success at absorbing Indians into its fold. Tele-density which, even as recently as in 2002 was stagnant in the low single-digits, today stands at a proud 59%. However far one could go today, it would seem one would never be too distant from a mobile phone.
While this extensive penetration has heralded an era of unprecedented access – truly a ‘communications revolution’ whose full effects it may still be too early to grasp – it has also led to the exposure of individuals to risks on a magnitude never before witnessed. Firstly, in the ordinary course of their business, telecom companies accumulate vast volumes of personal information about their customers including photocopies of identity documents, biographical information etc, which could potentially be misused;
Secondly, the fact that a vast amount of our communication now occurs with the involvement of electronic media has rendered us more susceptible to invasive surveillance - whether lawful or not;
Thirdly, much of our communication is now not merely ephemeral, but is stored in digital form for indefinite periods in corporate ‘data centers’.;
Lastly, owning a mobile phone not only enables us to communicate with our business partners and loved ones, but also forces us to engage with an incessant stream of ‘noise’ – telemarketing calls and SMSes, prank/hoax calls, calls pestering us for the payment of bills and offensive/threatening calls.
This note examines the kinds of safeguards that currently exist under Indian law to protect the privacy of telecom users. Broadly there are three streams of such protection
1) The Telegraph Act and Rules, which contains provisions that prohibit and penalize unlawful interception of communication. Furthermore, licenses issued to telecom service providers (TSPs) under this Act require TSPs to take measures to safeguard the privacy of their customers and confidentiality of communications.
2) The Telecom Regulatory Authority of India has issued various guidelines to TSPs many of which pertain to privacy.
3) The Consumer Protection Act provides customers with an avenue of redress in case of violation of their privacy.
The first two are described in greater detail in the paragraphs that follow. This is followed by a brief analysis of certain international norms
2 Indian Regulatory Regime
2.1 The Indian Telegraph Act and Rules
First enacted in 1885, the Telegraph Act remains today on the statute books as the umbrella legislation governing most forms of electronic communications in India including telephones, faxes, the internet etc. The Act contains several provisions which regulate and prohibit the unauthorized interception or tampering with messages sent over ‘telegraphs’i. The following sections apply:
1) Section 5 empowers the Government to take possession of licensed telegraphs and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence”ii
2) Section 23 imposes a fine of Rs. 500 on anyone who enters a telegraph office without proper authorization.
3) Section 24 makes it a criminal offence for a person to enter a telegraph office “with the intent of unlawfully learning the contents of any message”. Such a person may be punished with imprisonment for a term of up to a year.
4) Section 25 further imposes a criminal penalty on anyone who damages or tampers with any telegraph with the intent to prevent the transmission of messages or to acquaint himself with the contents of any message or to commit mischief. Punishment in this case could extend to 3 years imprisonment or a fine or both.
5) Section 26 makes it an offence for a Telegraph Officer to alter, unlawfully disclose or acquaint himself with the content of any message. This is also punishable with up to 3 years imprisonment or a fine or both.
6) Section 30 criminalizes the fraudulent retention or willful detention of a message which is intended for someone else. Punishment extends to 2 years imprisonment or fine or both.
2.2 License Agreements
Although the statute itself governs the actions of telecom operators in a general way, more detailed guidelines regulating their behavior are contained in the terms of the licenses issued to the telecoms which permit them to conduct businessiii. Frequently, these licenses contain clauses requiring telecom operators to safeguard the privacy of their consumers. A few examples include:
1) Clause 21 of the National Long Distance Licenseiv comprehensively covers various aspects of privacy including
a. Licensees to be responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place.
b. Licensees to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavors to secure that :
i. No person acting on behalf of the Licensees or the Licensees themselves divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and
ii. No such person seeks such information other than is necessary for the purpose of providing service to the Third Party.
c. The above safeguard however does not apply where
i. The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or
ii. The information is already open to the public and otherwise known.
d. The Licensees shall take necessary steps to ensure that the they and any person(s) acting on their behalf observe confidentiality of customer information.
2) Clause 39.2 of the Unified Access Service License and clause 42.2 of the Cellular Mobile Telephone Service licence enjoin the licensee to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party, and its business to whom it provides the service. The Licensee is required to use its best endeavors to secure that no person acting on behalf of the licensee or the licensee divulges or uses any such information - except as may be necessary in the course of providing such service to the third party.
3) The Internet Services License Agreement (which authorizes ISPs to function in India) similarly contains provisions touching on privacy:
a) Part VI of the License Agreement gives the Government the right to inspect/monitor the TSPs systems. The TSP is responsible for making facilities available for such interception.
b) Clause 32 under Part VI contains provisions mandating the confidentiality of information. These provisions are identical to those described in Clause 21 of the NLD License agreement (see above).
c) Clause 33.4 makes it the responsibility of the TSP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.
d) Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.
e) Clause 34.12 and 34.13 requires the Licensee to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities.
f) Clause 34.16 requires the Licensee to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.
g) Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”.
h) Clause 34.23 mandates that the Licensee maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor”.
i) Clause 34.28 (viii) forbids the licensee from transferring the following information to any person/place outside India:
j) Any accounting information relating to subscriber (except for international roaming/billing) (Note: it does not restrict a statutorily required disclosure of financial nature) ; and
k) User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).
l) Clause 34.28(ix) and (x) require the TSP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.
m) Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”. (It is unclear whether this is to operate as an overriding provision governing all other clauses as well)
2.3 TRAI Regulations and Directions
The Telecom Regulatory Authority of India was established by statute in 1997 to safeguard interests of consumers while simultaneously nurturing conditions for growth of telecommunications in the country. The Authority has issued several regulations on various subjects which are binding on TSPs. The following regulations touch on the subject of privacy:
2.4 Unsolicited Commercial Communications Regulation
In 2007, the Authority introduced the Telecom Unsolicited Commercial Communications Regulations which were aimed at creating a mechanism for registering requests of subscribers who did not wish to receive unsolicited commercial communications.
* The regulations define “unsolicited commercial communication” as any message, through telecommunications service, which is transmitted for the purpose of informing about, or soliciting or promoting any commercial transaction in relation to goods, investments or services which a subscriber opts not to receive,
* The following categories of message are excluded
(i) any message under a specific contract between the parties to such contract; or
(ii) any messages relating to charities, national campaigns or natural calamities transmitted on the directions of the Government or agencies authorized by it for the said purpose;
(iii) any message transmitted, on the directions of the Government or any authority or agency authorized by it, in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality;
* The regulations specified a procedure for initiation of complaints by consumers and for their adjudication and disposal.
* Telemarketers who initiate unsolicited commercial communication with a person who has opted not to receive such communications face a fine of Rs. 500 per call/SMS as well as disconnection of their telephone services.
* The regulations require the TSPs to maintain confidentiality of all information submitted by the subscribers for the purposes of the ‘Do not Call Registry’.
2.5 Privacy and Confidentiality Direction
In February 2010, the TRAI issued a direction seeking to implement the privacy and confidentiality related clauses in the service providers’ licenses (see previous sections). Accordingly by this direction, the TRAI ordered all service providers to “put in place an appropriate mechanisms, so as to prevent the breach of confidentiality on information belonging to the subscribers and privacy of communication”. All service providers were required by this regulation to submit a report to the TRAI giving details of measures so adopted.
3 International Norms
3.1 Telecommunications in the EU
In 2006, the European Union adopted Directive 2006/24/EC which mandated member states to store citizens' telecommunications data for six to 24 months stipulating a maximum time period. The directive permits police and security agencies to request access to details such as IP address and time of use of every email, phone call and text message sent or received. A request to access the information would only be granted through a court order. In 2002 the Directive adopted the Privacy and Electronic Communications Directive. The ECD regulates the electronic communications sector and addresses issues such as: the retention of data, the sending of unsolicited e-mail, the use of cookies and the inclusion of personal data in public directories.
Art 10(1) of the German Constitution holds “The secrecy of letters, as well as of the post and telecommunications, is inviolable”. However, in 1968 an amendment was introduced which permitted (1) surveillance to occur without the affected person ever being informed of it; and (2) surveillance without judicial review, but through “a review of the
case by bodies and auxiliary bodies appointed by Parliament.”These measures could only be invoked in order to protect “the free democratic basic order or the existence or security of the Federation or a state.”
3.2 Telecommunication in the United States
In the United States telecommunications are regulated by the Federal Communications Commission. Specifically the FCC regulates how telecommunications carriers and providers of cable television use customer personal information, cable subscriber information, and telemarketing and junk fax activities. Every company that participates in telemarketing must comply with the FCC's rules. The main legislation used to regulate telecommunication carriers is the Federal Communication Act. The Act applies to how carriers may use and disclose “Customer Proprietary Network Information” which includes billing information, type of telecommunications service used, and the types of calls customers tend to make. The Act further requires that carriers must provide customer notice and the opportunity to opt out of marketing. The FCC does though provide, what is known as a “total service approach”, exception to these rules - that allows carriers to use CPNI to market to existing customers. Also, under the Act, cable providers are required to provide to their subscribers detailed notice about the collection and use of information, and gather consent before collecting, distributing, or disclosing information. Additionally, customers are granted access to their information, and information must be destroyed after it has served the purpose for which it is collected. The Act further requires that carriers must provide customer notice and the opportunity to opt out of marketing.
The Telephone Consumer Protection Act applies to U.S companies that tele-market to consumers for commercial purposes. The rules require that phone calls are not permitted before 8:00 am or after 9:00 pm, the company must keep an internal record of consumer who ask not to be called again, and the company must refrain from sending commercial faxes without the recipient's consent. Telephone monitoring and recording are regulated in each state. Many states follow a system known as “one-party consent”, which permits a party to record a telephone conversation without the other party's consent. Only eleven states require consent of all parties before a telephone conversation is recorded (ibid Westby, International Guide to Privacy, 2004).
4 Discussion
The Indian Constitution does not, as in certain other countries (Eg. Germany), contain express language upholding the right to privacy in telecommunications. This absence has not however hindered the Supreme Court from reading in the right to privacy into the Fundamental Right to Life. Various judicial decisions as well as statutes affirm this right to privacy in telecommunications. In conclusion, we would like to provide a quick FAQ on privacy in telecommunications that draws on the foregoing analysis of Indian Law.v
(1) To what extent is there legal protection for customer information (such as one’s name, address, telephone number, or non-dynamic IP address);
As mentioned above, it is fairly easy for enforcement agencies to obtain this data. ISPs are required to make available much of this data on a website for the government to access at all times. Such access may be gained without judicial scrutiny and without even any showing of suspicion.
(2) The extent of legal protection for connection data (such as the telephone numbers called; time and length of connection; one’s dynamic IP address) and the content of telecommunications
Targeted surveillance or wiretapping is only possible following the procedure laid out in the Telegraph Rules which specify the manner in which such an order may be made, the review procedure and the maximum permissible duration of surveillance.
(3) the legal requirements placed on telecommunications providers for data retention or data erasure;
The ISP License agreement requires the ISP to maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny. No definition is provided of what these commercial records would include or exclude. There is no information on the extent to which ISPs in India currently comply with this requirement and whether they follow any data erasure procedures.
Questions:
Will a privacy legislation address data retention for the Telecom sector?
Will a privacy legislation regulate the monitoring and tapping of phones?
End Notes
i‘Telegraph’ is defined widely in the Act to include any “apparatus used or capable of use for transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature” thus covering most known mediums of communication.
ii In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.
iii Section 4 of the Telegraph Act forbids the establishment of any telegraph service (including, as mentioned earlier, all telephony, internet etc) without obtaining a license from the Central Government.
iv Issued to TSPs who offer long distance telephony in India
v These questions drawn from a template provided in Schwartz, Paul M. “German and U.S. Telecommunications Privacy Law: Legal Regulation of Domestic Law Enforcement Surveillance.” Hastings Law Journal 54 (August 25, 2003): 751.