interceptionSurveillancee-surveillanceTelecom Act, 2023Telecom Interception Rules, 2024Telecom

A Draft to Surveil: IFF’s Analysis of the Draft Telecom Interception Rules, 2024

This post includes our in-depth analysis of the draft Telecom Interception Rules, 2024 and broadly India's surveillance architecture, along with a table comparing the 2024 draft Rules with the corresponding provisions under the Indian Telegraph Rules, 1951.

Tejasi Panjiar
Tejasi Panjiar
Gayatri Malhotra
Gayatri Malhotra

12 September, 2024
12 min read

Help us sustain the work we do

tl;dr

On August 28, 2024, the Department of Telecommunications [“DoT”], Ministry of Communications [“MoC”] released the draft Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules, 2024 [“Interception Rules, 2024”]. First published on the Gazette of India website on August 29, 2024, the MoC also released three other draft Rules alongside the Interception Rules, covering internet shutdown, telecom cybersecurity, and critical telecom infrastructure. The MoC is seeking objections or suggestions for 30 days on all four draft Rules. Given the wide-ranging implications of these draft Rules on our constitutional freedoms, we will be releasing a detailed analysis of each of the Rules (Read our in-depth analysis of the draft Suspension Rules, 2024 here). This post includes our in-depth analysis of the draft Interception Rules, 2024, along with a table comparing the relevant modifications/ revisions under the Interception Rules, 2024 with the corresponding provisions under the Indian Telegraph Rules, 1951.

Important documents

  1. Draft Telecommunication Interception Rules, 2024 (link)
  2. Indian Telegraph Rules, 1951 (link)
  3. IFF’s analysis of the draft Interception Rules, 2024 (link)
  4. The Telecommunications Act, 2023 (link)
  5. E-gazette notification for enforcement of sections of the Telecommunications Act, 2023 dated June 21, 2024 (link)
  6. Public Brief on draft Indian Telecommunication Bill, 2022 dated October 27, 2022 (link)
  7. IFF’s first read of the Telecom Bill, 2023 (link)

Background

These draft Rules have been released in pursuance of Section 20(2)(a), Section 20(4) read with Section 56(2)(t)(u) of the Telecommunications [“Telecom”] Act, 2023, which was enacted amid widespread chaos in the Parliament while over 140 opposition Members were suspended. The Telecom Act, 2023 received Presidential Assent and was published in the gazette on December 24, 2024. On June 21, 2024, the MoC issued a gazette notification to bring into effect certain sections of the Act, namely Sections 1, 2, 10 to 30, 42 to 44, 46, 47, 50 to 58, 61 and 62, from June 26, 2024. 

The draft 2024 Rules seek to supersede the Rules 419 and 419A of The Indian Telegraph Rules, 1951 under the Indian Telegraph Act, 1885. The draft Interception Rules, 2024 will not override existing interception orders issued under the old regime and the terms and conditions of such orders will continue to apply till the end day prescribed by such an order. As per a statement made by the Union Minister of Communications, Jyotiraditya Scindia, in July 2024, all the Rules and provisions of the Telecom Act, 2023 will be notified within six months. While some of the Telecom Rules have been notified, and some released for public input, some Rules are yet to be released. 

Comparative analysis of the draft Interception Rules, 2024 

  1. Interception directions in emergent cases: The Interception Rules, 2024 introduces some safeguards for situations where obtaining an interception order/ direction from the competent authority is infeasible (in remote areas or for other operational reasons). The 2024 draft Rules state that if the competent authority does not confirm the interception order that was issued in such infeasible cases within seven working days from the date of issue, copies of messages intercepted under such order shall be destroyed within two working days, and confirmation of the same shall be submitted in writing to the competent authority [Rules 3(3)(b)(iii)]. The 2024 Rules also state that any messages intercepted under such an order shall not be used for any purpose, including as evidence in a court of law [Rules 3(3)(b)(ii)]. These safeguards did not exist under the Indian Telegraph Rules, 1951.
  2. Specifications listed for the interception orders/ directions: The Interception Rules, 2024 do not require the interception order to specify (the name and designation of the officer or authority) to whom the intercepted messages will be disclosed (as was the case under the Indian Telegraph Rules, 1951). Instead, it requires the order to specify the authorised agency that will undertake/ conduct the interception [Rule 3(8)(a)]. Additionally, the draft Interception Rules, 2024 clarify that the order will remain in force for a maximum of 60 calendar days and for 180 calendar days after renewal [Rule 3(8)(c)]. The 1951 Rules did not include the word ‘calendar’ leaving it open to potential delay due to national and/or regional holidays, non-working days, etc.
  3. Maintenance and storage of intercepted data/records: While the draft 2024 Rules mandate the maintenance of secure records, there is no defined security threshold or standard, leaving the implementation of security measures ambiguous and potentially inadequate [Rule 3(9)]. Further, there is no clear requirement for citing the specific purpose for which records are maintained, resulting in a lack of clarity and oversight regarding the use and handling of such records. The Rules also do not specify any limitation on the duration for which records can be stored, effectively allowing records to be retained indefinitely without any legal or procedural constraints. 

While the 1951 Rules impose an obligation on the service providers and telegraph authority to destroy directions for interception while maintaining ‘extreme secrecy’, the Interception Rules, 2024 does not say that the order must be destroyed in secrecy. Due to the routine destruction of records, anonymised statistical data on the issuance of interception orders is not maintained. Moreover, the rules contain no provisions for the disclosure of this information, resulting in a troubling lack of transparency and accountability surrounding interception orders.

  1. Exemptions from application of Rules: The draft Interception Rules, 2024 does not apply to the testing and demonstration of lawful interception systems and monitoring facilities [Rule 3(12)]. Thus the conduct of these activities and any violation of the Rules that may arise due to them will not be regulated under these Rules. Notably, such an exemption did not exist in the 1951 Rules. 
  2. Safeguards in the Interception Rules, 2024: The 1951 Rules prescribe a higher threshold of “extreme secrecy” and “utmost care and precaution” while dealing with interception matters [Rule 419A(14)], whereas Rule 4(4) prescribes a lower threshold of only maintaining “confidentiality and secrecy”. The rule does not specify clear standards for safeguards, which is crucial in delegated legislation. By omitting such standards, it weakens the framework for oversight and enforcement. Furthermore, the removal of the phrase "utmost care and precaution" lowers the previously established threshold for protection, thereby reducing the level of care required in safeguarding sensitive information. The 2024 draft Rules also place significant emphasis on maintaining confidentiality and secrecy, akin to the provisions in Rule 16 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009. These provisions are often invoked to obscure the functioning of the executive, evading necessary oversight and accountability. The confidentiality provisions can be used to withhold even anonymised statistical information, such as the number of interception orders issued. Moreover, in the absence of clear transparency measures, the executive can operate without meaningful accountability. The lack of publicly accessible information regarding surveillance activities allows the executive to evade scrutiny and continue operations with minimal oversight.

Rule 4(4) omits reference to the effect of interception on the “privacy of citizens”. Despite the recognition of privacy as a fundamental right, this rule fails to acknowledge or reference it. There is no mention of the right to privacy or the need to balance state surveillance with fundamental rights. 

Rule 4(4) however expands the list of entities who are required to ensure safeguards around interception matters from ‘service providers’ under the 1951 Rules to ‘authorised agency, the Department of Telecommunications, and telecommunication entity’.

  1. Liability of service providers: The provision pertaining to the liability of service providers in case of violation of licence conditions around maintenance of secrecy and confidentiality of information and unauthorised interception of communication has been removed from the draft Interception Rules, 2024. The latter also does not impose any penalty (a fine or suspension/ revocation of licence), marking a significant shift from the 1951 Rules. Notably, Sections 32 and 42(2) of the Telecom Act, 2023 empower the government to impose penalties, including fines, imprisonment, and suspension of telecommunication services, for violations of the terms and conditions of the licence granted under the Act or for the unlawful interception of messages. The draft 2024 Interception Rules does however introduce a provision stating that the telecom entity will be held responsible for any unauthorised interception or violation of these rules caused due to the actions of its employees as well as vendors. 

The authoritarian surveillance architecture continues…

  1. Widened Scope of Interception

Rule 20(2)(a) of the Telecom Act, 2023 closely mirrors the language of Section 5(2) of the Telegraph Act, with one notable change. Section 5(2) grants the Union and State Governments, or any officer authorised on their behalf, the power to intercept messages transmitted solely through “any telegraph”. However, Rule 20(2)(a) significantly broadens this scope by extending the interception authority to cover messages transmitted via “telecommunication equipment”, “telecommunication services” or “telecommunication networks”. These terms have been defined expansively in the Telecom Act, thereby widening the range of services and technologies subject to surveillance. For example, “telecommunication service” is broadly defined under Section 2(t) as “any service for telecommunication”, which could include various forms of communication and broadcasting services.

The 2022 draft version of the Telecom Bill was met with widespread opposition due to its extensive expansion of the definition of 'telecommunication services,' which encompassed numerous services, such as:

  1. Broadcasting services: Including Direct to Home (DTH) services like Dish TV and Doordarshan, community radio stations such as Radio Udaan in Punjab, and FM radio broadcasting through private agencies like Radio Mirchi.
  2. Internet-based services: Covering a range of services, from Internet Protocol Television (IPTV) services (e.g., MTNL), electronic mail (e.g., Gmail), voicemail (e.g., Airtel), to voice and video communication services (e.g., Vodafone and Skype).
  3. Data communication and connectivity services: Extending to audiotex, videotex, fixed and mobile services (e.g., BSNL), and internet and broadband services (e.g., ACT Fibernet).
  4. Satellite and machine-to-machine communication services: Including satellite-based communication (e.g., Bharti Airtel, Starlink), machine-to-machine communication (e.g., smartwatches, smart TVs), and in-flight and maritime connectivity services (e.g., Tatanet).
  5. Over-the-top (OTT) communication services: Such as Google Meet, FaceTime, Jitsi, and interpersonal communication end-to-end encrypted services like WhatsApp and Signal.

Although the 2023 version of the Telecom Act notably omits these explicit references, the lack of explicit exclusions for these services leaves ambiguity, allowing the possibility that several alarming provisions related to surveillance, possession, suspension, authorisation, interception, etc. in the Act could still be applied to a wide array of internet services. Although the then Union Minister of MoC, Ashwini Vaishnaw publicly clarified that OTT services will not fall within the scope of the Act, this assurance is not legally binding, as the text of the Act does not expressly exclude these services. To avoid expansion or re-interpretation of the scope in the future, we wrote to the current Union Minister urging him to explicitly exclude internet services in the definition of ‘telecommunication’ and ‘telecommunication services’ in the Act itself. 

  1. Parallel Surveillance regime under Section 69 of IT Act, 2000

While concerning, this is not the first Government effort to mandate surveillance for online communication providers. Previously, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 [“2009 Rules”], sought to compel providers to bypass end-to-end encryption. Additionally, Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) 2021 [“IT Rules, 2021”], requires major social media platforms/ intermediaries to enable traceability of information origin, although many platforms employ encryption and minimal data retention practises for security. The impact of the Telecom Act, 2023 and the draft Interception Rules, 2024 on online communication service providers like WhatsApp and Signal remains to be seen.

Challenges to the constitutional validity of the 2009 Rules and Rule 4(2) of the IT Rules, 2021, are pending before the Supreme Court and Delhi High Court, respectively. Regrettably, the Telecom Act, 2023 and the draft Interception Rules, 2024 fail to introduce meaningful reforms in surveillance practices. They do not advance privacy, transparency, or accountability within India’s surveillance framework. Despite attempts to incorporate safeguards under “public safety” and “public emergency” provisions, Section 69 of the IT Act, 2000, already grants MeitY the authority to intercept messages transmitted through a 'computer resource' without specifying 'public safety' or 'public emergency' criteria. This enables the Government, via MeitY, to bypass these thresholds, rendering the procedural safeguards in Rule 20(2)(a) read with the draft Interception Rules, 2024 largely ineffective.

  1. Concern with the functioning of the Review Committee

Composition: The Review Committee still lacks the necessary independence required to conduct an impartial review as the committee tasked with reviewing the order issued by the issuing authority includes members of similar rank within the same branch of government (the Executive). This raises legitimate concerns about a potential conflict of interest, as the Review Committee may include individuals from the same branch of government––violating the principles of natural justice that no one shall be a judge in their own cause. The only stakeholder heard by the Review Committee is the issuing authority of the interception order. Individuals against whom interception orders may be issued remain unaware that such orders have been enacted. As a result, they are deprived of the opportunity to challenge or present their case before the Review Committee, which undermines the fairness and transparency of the oversight process.

Functioning: The three-member Review Committee, comprising government officials, fails to provide effective oversight of government surveillance activities. In 2011, the Union Government, in response to RTI queries, disclosed that it issues between 7,500 and 9,000 interception orders each month. Given that the Review Committee convenes only once every two months, it is likely tasked with reviewing between 15,000 and 18,000 orders per meeting. As observed by the Srikrishna Committee on Data Protection, the sheer volume of surveillance orders makes it 'unrealistic' for the Committee to scrutinise them effectively, thereby undermining the accountability of state surveillance [pg. 125]. These figures are outdated, and due to the lack of transparency, there is no way to ascertain the current number of interception orders or how they have escalated over time. This Review Committee, responsible for examining orders under Sections 69, 69A, and 69B, operates with significant opacity. An RTI response from 2022 disclosed that the Committee for Section 69A had not invalidated any directions since 2009, raising concerns that the Committee may function merely as a rubber stamp. Consequently, the full extent of the Committee's overall burden remains unclear.

  1. Failure to adhere to the proportionality framework

The constitutionality of Section 5(2) of the Indian Telegraph Act, 1885, which permits telephone interception, was challenged in People’s Union for Civil Liberties (PUCL) v. Union of India [(1997) 1 SCC 301]. While the Court acknowledged that phone tapping infringes the right to privacy under Article 21 of the Constitution, it refrained from striking down Section 5(2). Instead, it laid down procedural safeguards through guidelines, which were subsequently enacted as Rule 419A of the Indian Telegraph Rules, 1951.

In the 27 years since the PUCL ruling, the judicial landscape has evolved significantly, and technological advancements have been nothing short of transformational. At the time, PUCL was concerned solely with telephone tapping—a form of surveillance that was relatively limited in scope and impact. However, today’s surveillance mechanisms have expanded far beyond the realm of phone tapping, encompassing a vast array of digital and electronic forms of monitoring that are far more invasive and pervasive.

The exponential growth of technology has introduced new tools for data collection, surveillance, and monitoring, which are now unbound by the traditional constraints that existed in the era of the PUCL challenge. These modern surveillance practices involve sophisticated technologies such as internet monitoring, facial recognition, geolocation tracking, and the interception of digital communications, all of which operate at a scale and efficiency unimaginable when the PUCL guidelines were framed.

 A 9-judge bench of the Indian Supreme Court affirmed the right to privacy as a fundamental right in K.S. Puttaswamy v. Union of India. However, like all fundamental rights, it is not absolute and may be subject to reasonable restrictions. These restrictions must be tested against the anvil of the proportionality test.

In his concurring opinion, Justice Kaul highlighted the impact of technology on modern surveillance—citizens leave deep digital footprints, and profiling, though useful for public interest and national security, can lead to discrimination based on religion, gender, or caste. He warned that state control over personal data could create a "Big Brother" state—undermining rights like freedom of expression. Justice Kaul highlighted the need for the state to balance surveillance technologies with the right to privacy.

Post-Puttaswamy, any surveillance framework must conform to the proportionality test. In PUCL, Section 419A was saved on two grounds: (1) the court had prescribed adequate safeguards in the form of guidelines, and (2) executive oversight was deemed "just, fair, and reasonable".

Judicial oversight is now considered the bare minimum requirement for any interception regime. Judicial authorisation, whether ex-ante or ex-post, could serve as a less restrictive alternative to executive oversight, offering greater scrutiny and potentially reducing interceptions. Moreover, the fifth prong of the proportionality test mandates the existence of sufficient safeguards to prevent abuse, including the establishment of an independent, impartial body to oversee interception orders. Legislative developments and judicial rulings have consistently affirmed the necessity of such independent oversight to ensure that surveillance measures remain within reasonable bounds.

  1. DPDPA fails to provide procedural safeguards

Existing safeguards, however minimal, are largely ineffectual given that the Union government can exempt itself under Section 17(2) of the Digital Personal Data Protection Act [“DPDPA”], 2023 from the application of its provisions, further weakening safeguards related to interception. The non-application of the law to government instrumentalities could result in mass surveillance. In addition to providing wide exemptions to the state, the DPDPB, 2023 also fails to put into place any meaningful safeguards against overbroad surveillance which weakens the right to privacy of Indian citizens.

Section 7 of the DPDPA, 2023 allows the Data Fiduciary (in case of interception, the government and telecom service provider) to assume the consent of the Data Principal if the processing of their data was considered necessary as per certain situations such as for “the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State” or for “fulfilling any obligation under any law for the time being in force in India

on any person to disclose any information to the State or any of its instrumentalities….”. The issue of providing notice to individuals subjected to surveillance remains contentious, as it would defeat the purpose of such surveillance. However, concerns about purpose limitation, data minimisation, and storage limitation are paramount in light of advancing technology. 

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
Supreme Court issues notice in Sushant Singh's transfer petition challenging website blocking

Sushant Singh has sought transfer of his writ petition from the Bombay High Court to the Supreme Court, challenging Rules 8 and 16 of the IT Blocking Rules, 2009. On 02.05.2025, the Supreme Court issued notice and tagged it with SFLC’s pending petition raising similar issues.

6 min read

2
Section 44(3) and the Systematic Dismantling of the RTI Act: A Fact Check to Ashwini Vaishnaw

Section 3 has no relevance to the RTI amendment, and Mr. Ashwini Vaishnaw's response fails to address the core concern: Section 44(3) weakens citizens’ right to information and transparency in governance. IFF does a fact check. 

6 min read

3
Budget Session 2025: A Digital Rights Review

The Budget Session of Parliament, held from January 21 to April 4, 2025, included a recess from February 13 to March 10 for Standing Committee reviews. Key discussions covered various national issues, including digital rights and freedoms.

12 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!