The Paranoid Panopticon: Draft Indian Telecommunication Bill

Presently the Indian telecom sector is regulated by the Indian Telegraph Act 1885, Wireless Telegraphy Act 1933 and the Telegraph Wires (Unlawful Possession) Act 1950. The current Bill wishes to repeal and replace these three Acts. However, the Indian Telegraph Act, 1885 and the Draft Bill operate on the same premise, that is concentration of power in the hands of the Central Government. The Central Government has wide-ranging and unilateral authority to regulate the entire sector by having the power of registration, licensing and revocation.

The Bill falls short on providing precise definitions and consists of various incomplete provisions which can give rise to grave issues such as invasion of privacy, intrusive surveillance and centralised arbitrary powers.

Ambiguous Definitions

The Draft fails to provide holistic and clear definitions of key terms while in some provisions completely evades the responsibility to define essential terms. The definition provided for telecom services (which is key to increasing the ambit of the Bill) is not only wide and ambiguous but also runs in tautological loops. Thereby there is no clear way to interpret the definition.

Additionally, under Section 5 which expands on spectrum management and states different ways to auction spectrum, fails to define the term "administrative process". Absence of a concrete definition holds the potential to result in the abuse of process by the Central Government.

Further, the definition of "national emergency" and "public interest" has been left open ended, giving the Central Government a wide scope for interpretation. Such broadly worded exceptions give unrestricted authority in the hands of the Central Government.

Incomplete Provisions

The Draft not only consists of ambiguous definitions but also contains certain provisions which when read either individually or with the remainder of the Draft fail to fulfil their objectives.

For instance, Section 4(8) which requires telecom services to inform the receiver of the identity of the sender does not specify the modus operandi to undertake the action nor does it elaborate on the methodology of collecting, processing and storing of involved data. The particular provision when read together with Section 32 is a recipe for disaster. Section 32 of the Draft places a duty on the Central Government to specify security standards from "time to time". There are two blatant loopholes in the provision. Firstly, the ambit of the term "telecom services" has been widened under the definitions provided in Section 2. Thereby the same security standards may not apply to all telecom service providers uniformly; this requires a system which establishes different sets of security standards for different types of telecom service providers. Secondly, lack of a specific time duration for the government to review the said security standards leaves it open for the Central Government to update the standards as per their convenience and not as per evolving industry requirements and consumer interest.

Section 33 has been inserted with the objective to control the circulation of spam messages and empowers the users to report lapses in case any company fails to abide by the same. Unfortunately, the Draft Bill fails to specify a redressal mechanism which telecom service providers should follow to correctly implement this provision. Cue can be taken from IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 which established a robust redressal mechanism which was accessible to users in case of content takedown.

The draft has also come up with a provision of voluntary undertaking for telecom providers who have breached any terms and conditions of their agreement. However, the Draft Bill does not provide any incentive for service providers to follow this scheme of voluntary undertaking. It is absurd on the part of the Central Government to expect service providers to voluntary accept the breach without any incentive. Instead the Department of Telecommunication (DoT) should take cue from the Income Tax Department, which provides incentives in the form of decrease penalty and fines in cases when anyone voluntarily discloses black money.

Due to a lack of a complete holistic legal framework and being riddled with ambiguous definitions, the Bill paves way for grave privacy and surveillance concerns and also provides the Central Government with unchecked power without any safeguards to demand accountability and transparency.

Privacy Concerns

One can argue that it is not the domain of the DoT to set data security standards. However, a counter to the argument is that the RBI & SEBI have always been clearly setting security standards that institutions which come within their domain should abide by when dealing with consumers' data.

Similarly, DoT too while requiring companies to maintain registers of users who have given their consent, should specify security standards to protect consumers' data, the mode of taking consent and intricacies pertaining to sharing data with third parties. Additionally, lack of a comprehensive data protection policy regime in India should be taken into consideration while drafting such provisions.

Surveillance

The makers of the Draft have taken almost all the provisions pertaining to interception of communication from the Indian Telegraph Act, 1885 and inserted the same provisions in the Draft Bill. The thinking of the colonial regime has been replicated by the current government, which essentially defeats the very purpose of having a new legislation.

Chapter 6 of the Draft which elaborates on the standards, public safety and national security is the most controversial part of the Draft Bill. Section 24 of the Draft authorises the Central Government, State Government and any designated Officer to pass an order to intercept, detain or disclose any communication which is transmitted with the help of telecommunication network or services if he/she/they feel that the public order or national security is at risk. The issue that arises is the use of vague terms such as public order, preventing incitement of offence and national security.

Further, the Draft has no provision pertaining to duration for which an interception can be allowed, whether it will be a onetime occurrence or a continuous interception. This creates a grave issue in case for messaging platforms and OTT services which have implemented end to end encryption (E2EE). In order to implement an order of interception, the organisation will have to do away with E2EE which will essentially require them to redo the entire security system. This will entail incurring of huge operation cost. Removing E2EE is a dual sword, which puts the security of millions of users at risk of attack from hackers and miscreants in general.

Centralisation Of Power & Lack Of Accountability

The Draft fails to impose any duty on the Central Government to pass reasoned orders or to seek judicial permission prior to taking any action, howsoever far-reaching. The Central Government has been given the authority to pass orders in case of any breach of terms and conditions, to issue orders intercepting & monitoring networks without taking any judicial or legislative permission. Lack of accountability, transparency and no scope for checks by a third party are the ingredients to forming a path of bestowing arbitrary powers.

Further, unlike the Emergency articles provided in the Constitution of India, the Draft fails to mention the duration for which any order passed in pursuance of national security or public health should be applicable for. It also does not provide a process of re-imposing or extending the application of such an order. These are glaring loopholes which have the potential to enable an authoritarian regime.

Further, the blanket power given to the Government to carry out searches in the premises of service providers on account of suspecting any criminal activities without taking any prior judicial sanction can be used to threaten service providers.

It is important to reiterate that while the Draft is being projected as forward looking, its roots are firmly planted in the colonial, controlling mindset permeating the legislations the Draft intends to replace. Restricting the powers of the Telecom Regulatory Authority of India (TRAI) pertaining to recommending institutions to the Government for assignment of spectrum, is just one of the many ways that the Draft motivates centralisation of power in the hands of the Central Government. Lack of a robust system which will hold the Central Government accountable for its actions is an obvious gap that the Draft not only fails to address but rather further progresses in.

The incident of the latest CERT-in directions should act as a cautionary tale for the Government that international organisations are not afraid to pull out of the nation, if pestered to abide by its contrary and arbitrary laws. Prime examples of this being Nord VPN which has closed its services in India, when pestered to conform to KYC norms for its Indian users. If a similar situation arises, India and its users will greatly suffer.

Views are personal.