In the last few days several media reports have been carrying articles to the effect that according to an alleged “internal Government note” the Department of Telecom (DoT) of India will ask Research in Motion and Skype to make their content “readable”.
“DoT will call the representatives of Research In Motion (manufacturer of Blackberry devices) and Skype and ask them to ensure that the content going through the telecom service providers is in readable format. They have to ensure that this is implemented within 15 days failing which services that do not allow lawful interception on a real-time basis would be blocked/banned,” said an internal Government note. (source)
While all noise that ensued has been on the basis of a leaked note that may or may not exist (none of the reports really say who has seen this mysterious note), this author has reasons beyond the article to believe that such steps are indeed being discussed and acted on.
For those who ask whether there is international precedence on government laws and actions along same lines, look no further than the US. The Communications Assistance for Law Enforcement Act (CALEA) forces telcom providers operating in the US to provide similar support to the government. This applies to VoIP based providers too. According to the FCC website:
All facilities-based broadband Internet access providers and providers of interconnected VoIP service have until May 14, 2007 to come into compliance with CALEA. In the May 12, 2006 Commission order, the Commission found that section 107(c)(1) may not be used by entities seeking extensions for equipment, facilities, and services deployed on or after October 25, 1998 (the effective date of the CALEA section 103 and 105 requirements).
The question of whether the DoT has any legal standing in this matter is to an extent answered by the IT (Amendment) Act 2008. Amended Section 69 now reads:
(1) Where the Central Government or a State Government or any of its officers specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do, in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign State or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provision of sub-section (2), for reasons to be recorded in writing, by order direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted, monitored or decrypted any information generated, transmitted, received or stored in any computer resource.
sub-section (3) clarifies further:
(3) The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to–
(a) provider access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or
(b) intercept, monitor, or decrypt the information, as the case may be; or
(c) provide information stored in computer resource
The term “computer resource” is defined as follows:
(i) “computer” means any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;
(j) “computer network” means the interconnection of one or more computers through—
(i) the use of satellite, microwave, terrestrial line or other communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;
(k) computer resource” means computer, computer system, computer network, data,computer data base or software;
(l) “computer system” means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;
In addition, s.118 of the IPC has been amended to recognize the use of encryption as a possible means of concealment of a ‘design to commit [an] offence punishable with death or imprisonment for life’.
It is not sure however, whether applications like Skype can be held accountable when it operates in a pure p2p manner and does not use the PSTN (which forces a central server into the picture). But the government could argue that the end peer should log all the encryption keys used in a session at the peer, thus allowing the agencies to retrieve it.
The other point that needs clarification is whether one can enforce one part of the Act without having mechanisms in place to enforce another. Sub-section (2) of section 69 states:
(2) The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.
I am no lawyer, but as a layman (a) I have no idea what that means and (b) I don’t know whether such procedures and safeguards have indeed be “prescribed”.
Update (08/07/2010): I have been told by someone who knows a lot more about legals things than me that indeed, the safeguards are a prerequisite for the actions considered under the section. The question of whether such procedures and safeguards are in place is still an open one.