Centre for Internet & Society

In a significant attack on online privacy, India’s Home Affair’s Ministry has authorised no fewer than ten different central government agencies to intercept, monitor, and decrypt “any information generated, transmitted, received or stored in any computer”.

The blog post by David Spencer was published by VPN Compare on December 24, 2018. Pranesh Prakash was quoted.


The move has angered many Indian internet users, with the number of Indians turning to VPNs like ExpressVPN to protect their online privacy is expected to rise significantly.

Extending powers under and old law

The authorisation has been made under Section 69 (1) of the Information Technology Act, 2000 and Rule 4 of the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules.

While these laws have been in place for almost a decade, it is only now that the Ministry has decided to use them toenable the decryption and access of online data.

The agencies that can now look at what every single Indian citizen is doing online include the Intelligence Bureau, the Narcotics Control Bureau, the Enforcement Directorate, the Central Board of Direct Taxes, and the Directorate of Revenue Intelligence.

Other which will also be permitted to hack into people’s devices are the Central Bureau of Investigation; National Investigation Agency, the Cabinet Secretariat (R&AW), the Directorate of Signal Intelligence (only for the service areas of Jammu & Kashmir and North-East and Assam) and the Delhi Commissioner of Police.

The laws do notionally limit the circumstances in which these agencies can access private internet data, but as is so often the case, the definition of these circumstances are so vague as to render the restrictions almost meaningless.

Permissible circumstances include cases thought to be “in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any recognizable offence relating to above or for investigation of any offence.”

Indian lawyers have said that all of the above agencies will still have to comply with Rule 3 of Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

This requires permission from either the union home secretary or the secretary of the Home Affair’s Ministry before interception can take place.

The new powers could be illegal

The new permissions also raise the interesting prospect that all previous interception of data by these agencies could be both unconstitutional and illegal, according to one Indian technology policy analyst, Pranesh Prakash.

He also told The Wire that he believed “Section 69 and 69B of the IT Act are unconstitutional for being over-broad in what they allow interception and monitoring for, in demanding decryption from accused persons, and the punishments that they prescribe.”

The New Delhi based Internet Freedom Foundation echoed this opinion, releasing a statement which said, “the decision to authorise electronic snooping is unconstitutional and in breach of the telephone tapping guidelines, the Privacy Judgement and the Aadhaar judgement.”

Opponents of the Indian President, Narendra Modi, have argued that this latest decision is further evidence that he is turning India into a surveillance state.

Congress Party chief, Rahul Gandhi, said this move showed Modi is “an insecure dictator”, while others have argued that that this increased surveillance will have a “chilling effect” on democratic debate and dissent in India.

Srinivas Kodali, an independent security researcher in Hyderabad, told Al Jazeera the new powers would “make data collection from critics and political opponents easier [and] facilitate targeted raids against the opposition and critics.”

For their part, the Indian Government have used the age-old argument about the new powers helping them to combat “terrorism”.

VPN use expected to rise in India

For innocent India internet users, the reality is that their rights to online privacy have been significantly undermined by the new powers. There are now multiple central government agencies with the power to intercept, decrypt, and access their private online data, with minimal safeguards in place to protect their rights.

For most Indians, the new powers are a step to far, as has been seen by the angry response on social media.

It seems highly likely that the move will see more and amore Indian’s turning to a VPN to protect their online privacy. By connecting to a VPN, such as ExpressVPN, they are able to ensure all of their online data is encrypted by state-of-the-art encryption and also effectively anonymised.

It means that no government agency will be able to see what they are doing online and it will be almost impossible for their online activity to be traced back to them.

Using a VPN should protect internet users from the erosion of online rights the Indian Government is trying to implement. But it seems unlikely that it will stop the Modi administration from trying.

Filed under: