The legal frame for voice and communications evidence that increasingly drives biometric casework: the Indian Telegraph Act 1885 + Information Technology Act 2000 s.69 + the Indian Telegraph Rules 1951 amended through the 2007 PUCL judgment + the IT Act Procedure for Safeguards (2009), the UK Investigatory Powers Act 2016 + the Mike Veale and Sir Iain Lobban reviews, the EU ePrivacy Directive and the Cross-Border Data Access frameworks (the US CLOUD Act + the EU MLAT pipeline), and the case-law implications across all three jurisdictions for the admissibility of voice + biometric interception evidence.
The interception of communications for law enforcement purposes predates the telephone. The Indian Telegraph Act 1885, enacted when the telegraph was the dominant long-distance communication medium, gave the colonial government broad powers to intercept telegraph messages on grounds of public safety and emergency. That statute, amended and supplemented rather than replaced over 140 years, now governs the interception of mobile telephone calls, SMS messages, and, in a contested extension, internet-delivered voice and messaging services across India.
In the United Kingdom, the Investigatory Powers Act 2016, often called the "Snoopers' Charter" by its critics, consolidated a patchwork of predecessor legislation (the Regulation of Investigatory Powers Act 2000, the Interception of Communications Act 1985) into a single statutory framework. It remains controversial: its bulk data collection powers have been subject to judicial review in domestic courts and before the European Court of Human Rights.
Across the European Union, the ePrivacy Directive (2002/58/EC), supplemented by the General Data Protection Regulation and the proposed but not yet enacted ePrivacy Regulation (as of 2025), governs the interception of electronic communications and the retention of communications data by service providers.
These three frameworks differ in their procedural requirements for authorisation, their treatment of intercept evidence in court, and their interaction with cross-border data access mechanisms. A forensic practitioner or legal practitioner working with voice or biometric interception evidence in any of these jurisdictions must understand all three, because the production of intercept evidence in one jurisdiction frequently depends on a request to a service provider or data custodian based in another.
A Victorian telegraph statute is the legal foundation for intercepting a WhatsApp call in Mumbai in 2024, and the tension between that statute's origins and its current application runs through every serious challenge to intercept evidence in Indian courts.
The Indian Telegraph Act 1885, section 5(2), authorises the central or state government to intercept messages transmitted through any telegraph (a term interpreted to include telephones, mobile networks, and internet-transmitted voice) on grounds of public safety, the interests of the sovereignty or integrity of India, the security of the state, friendly relations with foreign states, public order, or the prevention of incitement to commission of an offence. No judicial authorisation is required; interception is authorised by the Union Home Secretary or a state Home Secretary.
The Supreme Court of India addressed this power in People's Union for Civil Liberties v. Union of India (PUCL), reported at (1997) 1 SCC 301. The court found that telephone tapping under section 5(2) constituted an interference with the right to privacy under Article 21 of the Constitution, and held that such interference required procedural safeguards. The court directed the government to issue rules specifying the grounds for interception, the authority required to authorise it, the period of authorisation, and the review mechanism. The resulting rules, the Indian Telegraph Rules 1951 as amended in 1999 following the PUCL judgment, established a review committee under the Cabinet Secretary at the central level and under the Chief Secretary at the state level. The committee reviews surveillance orders after they are issued, not before.
Section 69 of the Information Technology Act 2000 (IT Act) provides a parallel interception power for electronic records (including internet communications), allowing the government to direct any agency to intercept, monitor, or decrypt information transmitted through computer resources. The grounds mirror section 5(2) of the Telegraph Act. The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009 (Rule 419A) govern the procedural framework. These rules require authorisation by the Union Home Secretary or state equivalents, a seven-day review period, and destruction of intercept records after 180 days.
The PUCL framework and the IT Act Rules together create a system of executive authorisation without prior judicial oversight, distinguishing India from most common-law jurisdictions. The absence of prior judicial scrutiny has been challenged in subsequent litigation; the Supreme Court in Puttaswamy v. Union of India (2017) directed that surveillance powers must be proportionate and subject to adequate safeguards, but did not impose a judicial warrant requirement on Telegraph Act interceptions.
Intercepted communications are regularly tendered in Indian criminal proceedings, but the chain-of-custody requirements and authentication standards for electronic records have been substantially revised by the BSA 2023.
The admissibility of intercepted communications evidence in Indian courts has evolved alongside the broader framework for electronic evidence. Under the Indian Evidence Act 1872, a certificate under section 65B was required to prove the authenticity of electronic records. This section was the subject of substantial litigation; the Supreme Court in Arjun Panditrao Khotkar v. Kailash Kushanrao Goratyal (2020) held that a section 65B certificate was mandatory for electronic evidence and could not be substituted by oral testimony from a computer expert.
The Bharatiya Sakshya Adhiniyam 2023 (BSA), which replaced the IEA with effect from 1 July 2024, re-enacts the electronic record authentication requirement in section 63 and adds explicit provision for interception records as electronic records requiring authentication. The BSA also incorporates the Supreme Court's direction in Khotkar by making the certificate requirement absolute: no electronic record, including intercepted call data records or voice recordings, is admissible without a certificate from a responsible official of the device or service through which the record was produced.
Courts have also examined the chain-of-custody requirement for intercept evidence. In several High Court decisions on criminal appeals, intercept recordings tendered as prosecution evidence were excluded where the prosecution had not demonstrated that the recording had been produced by the authorised interception system, transmitted without modification to the investigating agency, and stored under conditions preventing tampering. These requirements are analogous to the UK's requirement under the Investigatory Powers Act 2016 for a Warrants Commissioner's oversight and the US requirement under 18 USC 2518 for a wire interception order and a judicially supervised chain of custody.
Critically, Indian courts have not imposed a rule that intercept evidence obtained without prior judicial authorisation is inadmissible per se. Section 5(2) authorisations by the Home Secretary are treated as lawful, and the resulting evidence is admitted provided the procedural requirements under the Telegraph Rules and the IT Act Rules have been followed. The contrast with the UK position, under which intercept evidence is inadmissible under a statutory exclusionary rule (discussed below), is stark.
The most unusual feature of the UK's intercept framework is not what it permits but what it prohibits: using intercept evidence in court.
The Investigatory Powers Act 2016 (IPA) is the UK's primary statute governing the interception of communications by intelligence and law enforcement agencies. It replaced the Regulation of Investigatory Powers Act 2000 (RIPA) and consolidated several other pieces of surveillance legislation. The IPA authorises four main types of warrant: targeted interception warrants (for interception of communications of specific named persons), targeted equipment interference warrants (for accessing data stored on specific devices), bulk interception warrants (for large-scale interception of overseas-related communications), and bulk personal dataset warrants (for accessing large collections of personal data held by intelligence agencies). Targeted warrants require authorisation by the Secretary of State and approval by a Judicial Commissioner from the Investigatory Powers Commissioner's Office (IPCO). Bulk warrants require the same dual authorisation.
The Investigatory Powers Commissioner, a role currently held by a senior judicial figure, oversees the warrant process and publishes an annual report. The Commissioner's 2022 report noted approximately 15,000 targeted interception warrants issued in that year across all agencies.
The most distinctive feature of the IPA framework, inherited from RIPA, is the statutory inadmissibility of intercept evidence in legal proceedings. Section 56 of the IPA provides that no evidence may be adduced and no question may be asked that would tend to reveal that a warrant has been issued, or that anything has been intercepted. This prohibition applies in all domestic legal proceedings, including criminal trials. Intercept material gathered under the IPA may be used for intelligence purposes (to generate leads, identify suspects, inform surveillance operations) but it cannot be produced in court as evidence.
The rationale for this rule, set out in the report of the Joint Committee on Human Rights in 2009 and reiterated in a 2019 review by Lord Anderson QC (subsequently Lord Anderson of Ipswich), is that using intercept evidence in court would require agencies to disclose their interception capabilities and methods to defence counsel, jeopardising ongoing operations and foreign intelligence partnerships. Critics, including the International Association of Prosecutors and a series of academic commentators, have argued that this results in guilty defendants being acquitted because the best evidence against them cannot be used, and that allied jurisdictions (including the US and Australia) manage to use intercept evidence in court without catastrophic disclosure of methods.
The Veale Review (referring to the 2019 publication by independent legal expert David Anderson) and the Lobban Review (the 2023 independent review conducted by Sir Iain Lobban, former GCHQ Director) both examined the intercept evidence admissibility question. Lobban's review concluded that the prohibition should be maintained in its current form, but recommended exploring a mechanism for "exceptional cases" where the evidence could be used in proceedings conducted under stringent disclosure controls. No legislative change had been made as of early 2025.
The EU has two overlapping regimes governing communications interception: the ePrivacy Directive for the content of communications and the GDPR for associated personal data. The proposed ePrivacy Regulation has been in legislative limbo for nearly a decade.
The EU's electronic communications privacy framework rests on the ePrivacy Directive (Directive 2002/58/EC on privacy and electronic communications), which governs the confidentiality of communications content and traffic data transmitted over publicly available electronic communications networks. Article 5 of the ePrivacy Directive requires member states to ensure the confidentiality of communications, prohibiting interception, surveillance, and storage of communications by anyone other than the parties to the communication, except with the users' consent or pursuant to a legal authorisation under national law.
Member states' interception powers are governed by national law, subject to the requirements of the European Convention on Human Rights Article 8 (right to respect for private life) and, since Brexit, the EU Charter of Fundamental Rights (for EU member states). The European Court of Human Rights has developed a substantial jurisprudence on the requirements for lawful interception under Article 8 ECHR. In Kennedy v. United Kingdom (2010), the court found that RIPA-governed interception was compatible with Article 8 provided the safeguards were effective. In Big Brother Watch and Others v. United Kingdom (2021), the Grand Chamber found the UK's RIPA bulk interception regime incompatible with Article 8 in part, because it did not include sufficient safeguards at the authorisation stage (a finding substantially addressed by the IPA's judicial commissioner requirement).
The GDPR (EU) 2016/679, applicable alongside the ePrivacy Directive, governs the processing of personal data associated with communications (traffic data, location data, metadata) to the extent it is processed by the communications provider for other than transmission purposes. Law enforcement processing is separately governed by the Law Enforcement Directive (LED, 2016/680/EU), which requires member states to ensure that personal data collected for law enforcement purposes is used only for the purpose for which it was collected, retained only as long as necessary, and accessed only by authorised personnel.
The proposed ePrivacy Regulation, which was intended to replace the ePrivacy Directive and bring electronic communications privacy into alignment with the GDPR framework, was first introduced by the Commission in 2017. Negotiations between the Council and the European Parliament remained unresolved as of early 2025, primarily over the extent to which communications metadata (including data required for child sexual abuse material detection) could be retained and processed without user consent.
| Jurisdiction | Primary interception statute | Authorisation requirement | Court admissibility | Review mechanism |
|---|---|---|---|---|
| India | Telegraph Act 1885 s.5(2); IT Act 2000 s.69; Telegraph Rules 1951 (amended 1999) | Union/State Home Secretary; no prior judicial authorisation | Admissible (no statutory exclusionary rule); BSA 2023 s.63 authentication required | Post-hoc review by Cabinet/Chief Secretary committee |
| United Kingdom | Investigatory Powers Act 2016 | Secretary of State + Judicial Commissioner (IPCO) | Inadmissible in legal proceedings (IPA s.56) | IPCO annual oversight; IPT for challenges |
| European Union | ePrivacy Directive 2002/58/EC + national law + LED 2016/680 | Varies by member state; ECHR Art. 8 requires lawful basis + safeguards | Admissible subject to national law; ECHR Art. 6 (fair trial) limits | National DPAs + EDPB; ECHR challenge route |
| United States | Electronic Communications Privacy Act 1986 (ECPA); 18 USC 2511-2522; FISA | Title III: judicial wiretap order; FISA: FISC order | Admissible; unlawfully obtained evidence excluded under 18 USC 2515 | FISC oversight; Congressional review; DOJ OIG |
A WhatsApp voice call between two people in Mumbai is processed on servers in California. Getting that call data into evidence in an Indian court requires navigating a legal pipeline that most practitioners have never used.
Most internet communications services, including voice-over-IP calls on WhatsApp, Telegram, Signal, and Zoom, route data through servers operated by technology companies headquartered in the United States. When an Indian, UK, or EU law enforcement agency seeks the content or metadata of such communications, it must either rely on the service provider's voluntary disclosure policy or initiate a cross-border legal process.
The primary mechanism in the absence of a specific bilateral agreement is the Mutual Legal Assistance Treaty (MLAT). India has MLATs with 41 countries, including the United States, the United Kingdom, and most EU member states. An MLAT request for electronic communications data from a US-based provider follows a defined process: the Indian central authority (the Ministry of Home Affairs, Foreign Litigation Division) sends a request to the US Department of Justice Office of International Affairs, which reviews the request for compatibility with US law (principally the Stored Communications Act, 18 USC 2701-2712) and, if satisfied, compels production from the provider through a court order. The process typically takes six months to two years.
The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) created a faster pathway. The CLOUD Act allows US-based companies to comply with foreign government data demands without an MLAT, provided the foreign government has signed a bilateral "CLOUD Act Agreement" with the United States. The US and the UK signed the first such agreement in October 2019; it entered into force in October 2022. Under this agreement, UK law enforcement with a warrant can compel production directly from a US provider without the MLAT process. The US-EU "enhanced MLAT" framework (not a CLOUD Act agreement as of 2025) remains under negotiation; India has not signed a CLOUD Act Agreement with the US, meaning India continues to rely on the slower MLAT process.
An additional complexity for voice and biometric interception evidence is encryption. End-to-end encrypted communications (Signal, WhatsApp in its default configuration) are not readable by the service provider even if legally compelled to produce them. The provider can produce the encrypted ciphertext and associated metadata (timestamps, sender and recipient identifiers, message sizes), but not the plaintext content. This technical limitation means that, for encrypted communications, the only way to obtain readable content is through device-level access (obtaining a judicial warrant to access the device before or after the communication) or through an attack on the encryption (not lawful in most jurisdictions without explicit legislative authorisation).
The UK's IPA 2016 includes a Technical Capability Notice (TCN) power (section 253) under which the Secretary of State can require a communications provider to maintain the capability to produce intelligible intercept data, including by maintaining the ability to decrypt. This power has been used, but the government has not publicly identified which providers have received TCNs. Apple's public dispute with the UK government in 2024 over a TCN requiring access to iCloud backups (reported in the Washington Post in March 2024) illustrated the commercial and diplomatic tensions this power generates.
Speaker identification from intercepted voice recordings combines traditional acoustic phonetics with machine-learning voice biometric systems, and courts in all three jurisdictions are still working out where the science ends and the speculation begins.
Intercepted voice recordings raise two distinct evidentiary questions: whether the interception was lawfully authorised (the procedural question addressed in preceding sections) and whether the speaker on the recording can be identified (the substantive forensic question). The second question involves forensic speaker comparison, a discipline that shares methodological debates with other pattern-recognition forensic sciences.
Forensic speaker comparison encompasses two approaches. In auditory-phonetic comparison, a trained phonetician listens to the questioned recording and the known voice sample and assesses whether the same speaker produced both, using features such as speaking rate, vowel quality, prosodic patterns, and dialect markers. In automatic speaker recognition (ASR), a machine-learning system extracts acoustic feature vectors (typically i-vectors or x-vectors derived from the short-term spectral envelope) from both recordings and computes a likelihood ratio or similarity score.
In UK practice, expert speaker comparison evidence is admissible under the Criminal Procedure Rules Part 19, subject to the expert's compliance with the Part 19 duties (opinion expressed with stated reasoning, qualifications, and awareness of counter-arguments). The UK Forensic Science Regulator's Codes of Practice (2021, volume 2) include standards for forensic speaker comparison, requiring validation of the examiner's or system's performance and a likelihood ratio framework for reporting. ENFSI's Speaker Recognition Working Group has produced guidelines recommending LR-based reporting as the standard.
In the United States, speaker comparison evidence is admitted under Daubert, requiring the proponent to establish the method's tested error rate, peer review, standards of application, and general acceptance. Courts have admitted both auditory-phonetic expert testimony and ASR-based evidence, but some courts have excluded ASR evidence from specific vendors where the vendor has not published validated performance data. The FBI's forensic speaker comparison programme at Quantico has published internal validation studies under the NIST SRE (Speaker Recognition Evaluation) framework.
In India, voice spectrography evidence (the older technique using visible speech patterns, now largely superseded by ASR) has been admitted in several High Court matters under IEA section 45 and its successor BSA 2023 section 39, subject to the expert demonstrating familiarity with the methodology and the known voice sample being authenticated. The CFSL Hyderabad forensic science laboratory has a voice analysis unit; its reports are among the most frequently tendered voice comparison evidence in Indian courts. The Andhra Pradesh High Court in A. Abdul Rashid v. State (1980) and subsequent Delhi High Court decisions have admitted voice spectrography evidence, but courts have noted that the reliability of the method requires corroboration.
Biometric voice identification from Aadhaar voice enrolment data is not currently a feature of the Aadhaar authentication system, which uses fingerprint and iris modalities. However, some private-sector deployments in Indian banking have used voice biometric authentication, and the potential for voice biometric evidence from these systems to appear in fraud prosecutions is increasing. The authentication logs for such systems would be subject to the same BSA 2023 section 63 certificate requirement as other electronic records.
Under the Indian Telegraph Act 1885 s.5(2), who is authorised to issue an interception order for a mobile telephone call on grounds of public safety?
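The score-to-likelihood-ratio step and the validation requirement from the forensic speaker comparison discussion above, as an added example that is not from the original page or from any forensic system. Constructed random vectors stand in for x-vectors, and the Gaussian score models and all function names are assumptions made for illustration.

```python
import math
import random

DIM = 64  # constructed embedding size standing in for an x-vector

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))

def make_speaker(rng):
    return [rng.gauss(0, 1) for _ in range(DIM)]

def record(speaker, rng, noise=0.5):
    """One recording: the speaker's identity vector plus session/channel noise."""
    return [v + rng.gauss(0, noise) for v in speaker]

def trial_scores(rng, n):
    """Cosine scores for n same-speaker and n different-speaker recording pairs."""
    same, diff = [], []
    for _ in range(n):
        a, b = make_speaker(rng), make_speaker(rng)
        same.append(cosine(record(a, rng), record(a, rng)))
        diff.append(cosine(record(a, rng), record(b, rng)))
    return same, diff

def fit(scores):
    """Mean and sample standard deviation of a score set (Gaussian assumption)."""
    mu = sum(scores) / len(scores)
    var = sum((s - mu) ** 2 for s in scores) / (len(scores) - 1)
    return mu, math.sqrt(var)

def log_pdf(x, mu, sigma):
    return -0.5 * ((x - mu) / sigma) ** 2 - math.log(sigma * math.sqrt(2 * math.pi))

def log10_lr(score, same_model, diff_model):
    """log10 of p(score | same speaker) / p(score | different speakers)."""
    return (log_pdf(score, *same_model) - log_pdf(score, *diff_model)) / math.log(10)

def _penalty(llr10):
    """log2(1 + 10**llr10), computed without overflow for extreme values."""
    x = llr10 * math.log(10)
    return (max(x, 0.0) + math.log1p(math.exp(-abs(x)))) / math.log(2)

def cllr(same_llrs, diff_llrs):
    """Log-LR cost: 0 is ideal; 1 is what a system always reporting LR = 1 scores."""
    pen_same = sum(_penalty(-l) for l in same_llrs) / len(same_llrs)
    pen_diff = sum(_penalty(l) for l in diff_llrs) / len(diff_llrs)
    return 0.5 * (pen_same + pen_diff)

def run_validation(seed=7):
    rng = random.Random(seed)
    models = tuple(fit(s) for s in trial_scores(rng, 300))  # calibration trials
    val_same, val_diff = trial_scores(rng, 300)             # held-out validation trials
    cost = cllr([log10_lr(s, *models) for s in val_same],
                [log10_lr(s, *models) for s in val_diff])
    # Casework comparison: questioned recording against two known samples.
    suspect, other = make_speaker(rng), make_speaker(rng)
    questioned = record(suspect, rng)
    llr_suspect = log10_lr(cosine(questioned, record(suspect, rng)), *models)
    llr_other = log10_lr(cosine(questioned, record(other, rng)), *models)
    return cost, llr_suspect, llr_other

if __name__ == "__main__":
    cost, llr_suspect, llr_other = run_validation()
    print(f"validation Cllr = {cost:.3f}")
    print(f"log10 LR, questioned vs suspect sample:   {llr_suspect:+.1f}")
    print(f"log10 LR, questioned vs unrelated sample: {llr_other:+.1f}")
```

The Cllr figure is computed on trials the score models never saw, which is the separation between calibration and validation data that a performance claim for such a system depends on.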