On Thursday, the Indian government gave ten agencies the legal authority "to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer."
The order, approved on December 20 by the Indian Ministry of Home Affairs, is an expansion of India's IT Act of 2000 and effectively gives the Indian government the legal power to snoop on all its citizens' Internet traffic, and the authority to request access to any encrypted information.
Individuals and entities who don't comply with requests to intercept, monitor, or access citizens' data face up to seven years in prison or a fine.
The ten agencies authorized to intercept or request access to user data under the new order are:
- the Intelligence Bureau
- the Narcotics Control Bureau
- the Enforcement Directorate
- the Central Board of Direct Taxes
- the Directorate of Revenue Intelligence
- the Central Bureau of Investigation
- the National Investigation Agency
- the Cabinet Secretariat (R&AW)
- the Commissioner of Delhi Police, and
- the Directorate of Signal Intelligence (for service areas of Jammu & Kashmir, North-East, and Assam only)
The order sparked outrage in India, among citizens, privacy watchdogs, and opposing political parties, who called it a stepping stone towards an Indian surveillance state.
The same rhetoric heard in every country where similar surveillance laws exist, or where governments have tried to pass one, was also heard from the Delhi government today.
Government officials argued that the order expanding India's IT Act was needed for national security, to maintain public order, and to deal with foreign government interventions.
To calm some of the rumors swirling online, the Ministry of Home Affairs also issued a clarification today, explaining that any interception, monitoring, or data decryption will be "done as per due process of law" with approval from the Union Home Secretary. The ministry also said that adequate safeguards against abuse exist under both the IT and Telegraph Acts.
"Every individual case will continue to require prior approval of Home ministry or state government," the government said. "MHA has not delegated its powers to any law enforcement or security agency."
The order is expected to be challenged in court as unconstitutional.