Licensed Service Area Units of the Department of Telecom sought bulk Call Data Records from Telecom Service Providers as per official documents revealed through RTI. The RTI responses do not support DoT's claim that bulk Call Data Records were only sought for analysing call drops, and they reveal glaring factual inconsistencies and legal deficiencies.
Concern expressed by AACTI
The issue of bulk gathering starts from press reports in the Economic Times and the Indian Express dated March 15, 2020 and March 18, 2020. These news reports indicated that telecom operators wrote to the Department of Telecom (DoT) expressing concerns about surveillance through requisition of bulk Call Data Records (CDRs) by Licensed Service Area (LSA) units. Subsequent to this, we have obtained the text of this letter through a request filed under the Right to Information Act, 2005 .
On February 12, 2020 the Apex Advisory Council for Telecom in India (AACTI) wrote to the Ld. Secretary, Department of Telecom in which they highlighted that:
- Sensitivity of CDRs : “Call Data Records (CDRs)... contain various personal and sensitive information such as MSISDNs, IMSI, IMEI, Location etc….”. This is substantiated by the information sought by Department of Telecom's email dated 15.01.2020 that demands information for 13 fields including, “Calling Party Telephone Number, Called Party Telephone Number, Call Date, Call Time, Call duration (in seconds), Complete First Cell ID, Complete Last Cell ID, Call Type (IN/OUT/SMS_IN/SMS_OUT), IMEI of Party, IMSI of Party, Type of Connection (Pre-paid/Post-paid), SMS Centre Number / GGSN Address/SGSN address, First Roaming Network Circle ID.”
- Breach of existing SoPs : As per the AACTI, “various SOPs have been issued by the Department of Telecom” dated 04.08.2016 and 02.04.2019 and include, “various provisions like first ascertaining the identity of the subscriber, examining the justification carefully, detailing purpose for seeking CDRs and not using such CDRs received for any other purpose…”. “Various LSA units of DoT are not adhering to this process” and, “almost all LSA units of DoT continue to seek one day CDR details from the Licensee…”. In addition LSA units of DoT units also continue to seek additional CDR details on ad hoc basis. For this instance, CDR details sought on February 2-4, 2020 in Delhi is cited.
- Violation of privacy: The AACTI cites a lack of justification and purpose limitation by stating that, “neither the intended purpose for requirement of CDRs.. has been provided”. It further states, “CDRs sought for specific routes/areas may lead to allegations of surveillance…. of Ministers, MPs, Judges etc.”.
Statement by DoT
Subsequent to this a Press Information Bureau statement dated March 18, 2020 was made by the DoT. The stated justifications proceed on various grounds including the following:
- Big data tool to analyse call drops: “For this purpose, data on calls made from mobiles in any tower coverage area is analysed to ascertain calls terminated within 30 seconds and made again,” the department said. “DoT will be better equipped to take up such cases and areas with the telecom service providers based on actual data. For this purpose, total data of calls made during any particular time period from the identified cell phone tower locations from where the complaints are received is collected to enable analysis,” it added.
- Data is anonymous: “However, this data is anonymous and does not contain names of either the maker or receiver of calls. There is no infringement of privacy of any person. No personal details are collected. There is no tracking of any phone number.” Further, "it has been decided to seek such data only for short time period i.e. three to six hours normally covering the peak load of traffic on the Network for any cell tower.”
- Legal power and safeguards: “It is further clarified that DoT is empowered under Rule 419 of the Indian Telegraph Rules 1951 to access such anonymous data for improving network quality. Moreover, DoT has also put in place an in house standard operating procedure so that any authorization of such access to call drop data can be approved only by very senior officers.”
RTI requests and answers provided
On March 19, 2020 the Internet Freedom Foundation filed RTI requests with various LSA units of the DoT seeking further information why these CDRs were sought. The text of the RTI is provided below.
“The information sought herein relates to the following two news reports - 'DoT units seeking bulk call data record in routine, telcos raise concern' published by the Economic Times on 15 March, 2020 and 'Cellphone operators red-flag ‘surveillance’ after Govt wants call records of all users' published in the Indian Express on March 18, 2020. Please provide information in response to the following queries:
1. Please provide copies of all letters sent by the local departments of the DoT to TSPs from December 2019 to February, 2020 with regard to obtaining call data records including
(a) a full list of all TSPs with whom such directives were filed;
(b) all licensed service areas where such requests were made;
(c) the dates for which such information was sought; and
(d) the duration/time period for which these call data records were sought.
2. Please clarify the enabling legal provision under which the requests for call data records were made.
3. Please state the official purpose for which such bulk call data records were sought from TSPs
4. Please provide a copy of the complaint filed by the Cellular Operators Association of India on February 12, 2020 to Mr. Anshu Prakash, Secretary, Department of Telecommunications with regard to these requests to obtain the call data records.”
The responses we received are contained in the following table:
|LSA||Time and Extent of CDR||Reasoning and UA License Provision|
|Haryana||All subscribers of all telecom providers for "24 hour period of 17.12.2019; 23.01.2020; 28.02.2020||Condition 9, Chapter I and Condition 39.20 of Chapter No. 39.20 and as per answer “Illegal telecom setups” and “find invalid” and “non-genuine” IMEIs|
|Kolkata||“One week call data of Incoming international long distance calls of “all subscribers on RJIO and RCOM” as only “both of them have International Long Distance Gateways in Kolkata” for one week as per email dated 25.02.2020||Sole reliance on DOT Security Letter dated 14.02.2020, “MHA has desired” “future course of action on [illegible] of virtual number”|
|Kochi||All subscribers of all telecom providers for 24 hours of 15.11.2019; 15.12.2019; and 15.01.2020||“For detecting the numbers involved in Grey market telecom activities, for checking IMEI related issues”.|
|Shillong||No CDRs sought||No CDRs sought|
|Pune||No CDRs sought||No CDRs sought|
|Patna||Proper fees not attached||Proper fees not attached|
A quick and dirty analysis
We have conducted a preliminary analysis of the RTI responses. This analysis is without prejudice to broader legal claims that are pending adjudication before the Hon’ble Supreme Court of India.
Without prejudice to other legal arguments, the following is just a preliminary comment based on comparison of the information from RTI replies with the PIB press release:
- Use case does not match: There is a fundamental mismatch between the DoT press release cited above and the responses received through RTI. The records queried are for a multiplicity of reasons and none of them mention call drops. The stated justifications of the LSAs are varied and diverse. They also draw from legal powers and justifications which are independent of Rule 419 which is not cited in any of the RTI responses or the actual correspondence.
- Weak claim of anonymity and data limitation: The claims of anonymity are premised on the absence of the name of the subscriber and their residential address. However, the bulk CDRs are sought for all customers with data fields that have at least 13 fields where the inference of the identity of a person is relatively easy. At present mobile numbers are used as an identity field in several e-governance databases. Further, the stated justification of querying information for calls limited to durations of 30 seconds does not match the text of the actual requests.
- SoPs are not legal and deficient: The SoPs cited have been analysed in the past in a pending litigation filed by the Internet Freedom Foundation, and they are legally deficient and do not constitute as adequate safeguards (link). Further, the bulk requisitioning conflicts with the SoPs. For instance, the bulk collection of CDRs violates the very nature of the SoP safeguards which focus on requisitioning specific and individualised information.
In light of the above, the justifications offered by DoT in the PIB Press Release appear to be a face saving measure which do not hold up on closer scrutiny. As AACTI had noted, some of areas for which bulk CDRs were requisitioned include places where Members of Parliament and Judges reside. This creates a very real possibility of the Executive surveilling other branches of government i.e. the Legislature and Judiciary, which are intended to act as a check on the Executive within our constitutional scheme. In addition to this, bulk CDRs also facilitate mass surveillance of ordinary citizens and enable the government to keep a watch on our everyday interactions. These problems are emblematic of the larger need for surveillance reform in India and it is only through independent oversight that we can ensure the government acts in a transparent and accountable manner.
- RTI Reply for Haryana (link)
- RTI Reply for Kolkata (link)
- RTI Reply for Kochi (link)
- RTI Reply for Shillong (link)
- RTI Reply for Pune (link)
- RTI Reply for Patna (link)