Descriptively, data retention refers to the gathering and storing of information relating to subscribers’ use of telecommunications networks. This storage happens at a remote location, inaccessible to the user whose activities are the origin of the stored data. Typically, data retention protocols require the continuous collection of certain parameters from internet users and the maintenance of comprehensive records of user activity, in one form or another. Retention can be done at the ISP level, as a commercial decision on the part of the service provider, or at the regulatory level, as a national policy decision on the part of the State in order to achieve larger goals of law enforcement and public order. Over the course of two posts, I will attempt to construct a brief critique of the policies adopted, first narrating the Indian stance and then using contemporary global trends as a yardstick against which this stance can be measured.
The Indian Scenario
In India, the data retention regime exists through the license agreements made between the DoT and service providers. The licenses are worded in an alarmingly ambiguous manner, with certain important terms being undefined.
The ISP license requires providers to create and maintain a log of subscribers and the services that they use. This log must be maintained on a password-protected webpage, with the password being supplied to the DoT and “intelligence agencies”, whose names are not specified in the agreement. At the very outset, a major concern with this mechanism raises its head. This rule implies that there exists, at any point in time, a real-time log of users on the internet. Password-protected webpages are notoriously unsecure in more than one way. For one thing, the webpages themselves are routinely hacked into. For another, exploits such as the Heartbleed bug in the OpenSSL protocol mean that entire data blocks on the web server can be lifted by a man-in-the-middle attack. Through these means, hackers can gain access to this log and, if necessary, track the internet activities of particular subscribers.
Network diagrams are also to be provided to the Government on demand, and location data for both subscribers and network infrastructure must be available for the Government at immediate notice. While the retention of location data for hard line subscribers is extremely problematic in itself, the concerns increase visibly when this rule is extended to mobile network providers. This data virtually enables the real time tracking of an individual on a 24-hour basis if the individual possesses a smartphone that is connected to a mobile data network.
The agreement also includes several “catch all” clauses, which can be invoked if the government requires a form of monitoring that is not specifically enumerated in the license. These provisions are worded extremely broadly. For example, ISPs “shall provide necessary facilities depending on the specific situation…to the Government to counteract espionage, subversive act, sabotage or any unlawful activity”. Other provisions state that the Government is entitled to take over operations of part or all of the provider’s network in the event of war, national emergency, low intensity conflict or “any other eventuality”.
Mobile network providers are bound by largely similar license agreements, including the provision for location data. In addition, they are required to log call records, including calls that were placed but failed to connect. Again, the same broad language is used to enable the government to take over operations when required. Still more ambiguous language is used to ensure that “active support” must be provided to the DoT and other organisations to detect and prevent the use of “clandestine/illegal telecommunication facilities”. Neither the scope of “active support” nor the meaning of “clandestine/illegal telecommunications facilities” has been defined in the agreement. Further, a burden is placed on service providers to conduct regular inspections of the premises of bulk users of their services. For this purpose, any cluster of 10 or more connections attached to an individual or an organisation is defined as a bulk user.
Leased circuits are also subject to this requirement, with service providers being required to inspect their bona fide use of the network “at reasonable intervals”.
It must be noted that in all instances above where location data is mentioned, I refer to what is known as “coarse” location data, which is obtained from proximity to mobile networks and/or Wi-Fi networks, accurate to a few hundred metres, as opposed to “fine” location data, which is obtained from the GPS module of the device itself, accurate to within 10 metres.
An interesting observation about both these license agreements and their data security regulations is that they seem to draw their legitimacy from S. 5(2) of the Indian Telegraph Act, as opposed to S. 69 and 69-B of the Information Technology Act. This is all the more interesting because the provisions under the Information Technology Act are significantly more vast and wide-ranging than those in the Telegraph Act. In the PUCL case (PUCL v. Union of India, AIR 1997 SC 568), which questioned the constitutional validity of S. 5(2), the Supreme Court pointed out that the riders in the clause justified their existence and ensured their judicious utilisation. The language of the section is clear in that it specifies that interception and monitoring can take place only in situations of “public emergency” and in the interest of “public safety”. The Supreme Court, in PUCL, defined these terms and held that their presence lent the section constitutional validity. However, S. 69 contains no such rider, and S. 69-B explicitly permits the collection of personally identifiable information in any situation.
This, then, is the Indian data retention scenario. In summary, it operates through the imperative of the law, and there are strong legal consequences for ISPs who do not abide by this imperative. These range from fines and penalties to criminal charges and the cancellation of telecom licenses, depending on the severity of the breach. Breaches of the license agreement can occur in many ways, such as failure to create and maintain logs, failure to provide them to authorised agencies with the data in reasonable time, etc. In addition, an interesting question arises, given the standard industry practice regarding data retention. RTI applications filed by CIS in 2012 indicate that state-owned ISPs are maintaining logs for durations longer than specified in the agreement. A reasonable case can be made that such conduct violates other parts of the agreement, which place huge burdens on ISPs to ensure that user privacy is held to the highest accord, and to ensure that data retention and other practices that compromise such privacy must only be conducted to the extent that is permitted by the government.