BACK TO IT ACT
IT Act 2000AMENDED 2008

Section 69B

Power to Authorise to Monitor and Collect Traffic Data or Information through Any Computer Resource for Cyber Security

THE STATUTE

Original Text

The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of intrusion or spread of computer contaminant in the country, by order, authorise any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource. (2) The Competent Authority shall, for purposes mentioned in sub-section (1), issue directions to any person in-charge of a computer resource, intermediary or any service provider in India to provide technical assistance and extend all facilities to the agency referred to under sub-section (1) to enable it to collect or monitor traffic data. (3) Any person in-charge of a computer resource, intermediary or any service provider who fails to comply with the directions issued by the Competent Authority under sub-section (2) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine. (4) The procedure and safeguards for monitoring and collecting traffic data or information under this section shall be such as may be prescribed.

Simplified

Section 69B is the cyber security-specific surveillance provision, distinct from Section 69 (which covers interception of content for national security) and Section 69A (which covers website blocking). Section 69B's narrow stated purpose is cyber security enhancement — identification, analysis, and prevention of intrusion or spread of computer contaminants (malware, viruses). It authorises traffic data monitoring, not content interception. Traffic data (also called metadata) includes: source and destination IP addresses, timestamps, packet headers, routing information, and protocol data. It does not include the content of communications — that is governed by Section 69. CERT-In (established under Section 70B) is the primary agency that exercises powers under Section 69B to monitor network traffic for signs of cyber attacks, malware campaigns, and distributed denial-of-service attacks. Internet Service Providers and Critical Information Infrastructure operators must provide technical assistance and access to enable this monitoring. Non-compliance by intermediaries and service providers is a criminal offence. The Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules 2009 prescribe the procedural framework — directions must be authorised by the Competent Authority (designated senior government official) and must be in writing.

Common Queries

Section 69 authorises interception of the content of communications (what is being said or sent). Section 69B authorises monitoring of traffic data only — metadata like IP addresses, timestamps, and routing information, not the content itself.
CERT-In is the primary agency authorised to monitor and collect traffic data under Section 69B for cyber security purposes — specifically for identifying and preventing intrusions and malware spread.
The CERT-In Directions issued in April 2022 under the authority of Section 70B (and partly Section 69B) require mandatory 6-hour incident reporting, 5-year log retention by VPN providers, and clock synchronisation — representing the most expansive use of CERT-In's direction powers.

Legal Evolution

Section 69B was inserted by the IT (Amendment) Act 2008 alongside Sections 69 and 69A — creating a three-tier government power over digital communications: content interception (69), website blocking (69A), and traffic monitoring (69B). The 2009 Traffic Data Monitoring Rules operationalised the provision. CERT-In's expanded mandate under Section 70B is the primary institutional vehicle for Section 69B powers.

Key Amendments

Inserted by IT (Amendment) Act 2008 — no equivalent in original IT Act 2000.

Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data) Rules 2009 prescribe safeguards.

CERT-In Directions 2022 significantly expanded data-retention and reporting obligations on intermediaries under this framework.