Part 3 of 7

Working with Service Providers

🕑 90-120 minutes 📖 Practical Focus 📋 Module 5

Introduction to Service Provider Cooperation

Digital evidence often resides with service providers - telecom companies, Internet Service Providers (ISPs), email providers, social media platforms, and cloud services. Effective cyber crime investigation requires understanding the legal mechanisms for obtaining this data and building relationships with these entities.

Telecom Service Providers

Call Detail Records (CDR), subscriber information, cell tower data, SMS records, mobile internet usage logs.

Internet Service Providers

IP allocation logs, subscriber details, connection timestamps, bandwidth usage, DNS query logs.

Email & Cloud Providers

Email headers, login records, IP logs, account activity, stored content (with proper authorization).

Social Media Platforms

Account information, IP logs, content posted, direct messages, friend lists, activity logs.

Section 94 BNSS (formerly Section 91 CrPC)

📚 Summons to Produce Document or Electronic Record

Section 94 of BNSS empowers a court or officer in charge of a police station to issue a written order requiring any person to produce a document or electronic record that is necessary for investigation or trial.

Key Points of Section 94 BNSS:

  • Can be issued during investigation or trial
  • Must specify the document/record required
  • Production can be ordered in person or by post/electronic means
  • Non-compliance is punishable
  • Special provisions for electronic records and documents in custody of banks

IT Act Provisions

Section     | Purpose                                                 | Authority
Section 69  | Interception, monitoring, decryption of information     | Central/State Govt (Secretary level)
Section 69A | Blocking of public access to information                | Central Govt
Section 69B | Monitoring and collection of traffic data               | Central Govt
Section 79  | Intermediary liability and due diligence                | -

IT Interception Rules, 2009

The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 provide the framework for lawful interception:

  • Competent Authority: Secretary in the Ministry of Home Affairs (Central) or Secretary in charge of Home Department (State)
  • Emergency Provision: Joint Secretary level officer can authorize in emergencies, subject to confirmation within 3 days
  • Duration: Initial order valid for 60 days, renewable up to 180 days total
  • Review: Orders must be placed before Review Committee within 7 days
  • Record Keeping: Intercepted records to be destroyed within 6 months unless required for court

Important: Investigator's Limited Role

Regular police officers cannot directly order interception under Section 69. They must route requests through appropriate channels. However, officers can directly request CDR, subscriber information, and IP logs under Section 94 BNSS or through administrative procedures established by service providers.

Types of Data from Service Providers

Subscriber Information (Non-Content Data)

  • Name and address of subscriber
  • Identity verification documents submitted
  • Account creation date and method
  • Payment information (for verification, not financial details)
  • Contact phone numbers and email addresses

Transactional/Traffic Data

  • CDR (Call Detail Records): Caller/called numbers, duration, timestamps, cell tower IDs
  • IP Logs: IP addresses assigned, connection timestamps, duration
  • Login Records: IP addresses from which account accessed, timestamps
  • IPDR (IP Detail Records): Similar to CDR for internet communications

Content Data (Requires Higher Authorization)

  • Email body and attachments
  • Chat messages and media files
  • Stored files in cloud services
  • Recorded voice calls (where legally recorded)

💡 Authorization Levels
  • Subscriber Information: Section 94 BNSS notice from IO
  • CDR/IP Logs: Section 94 BNSS or administrative request
  • Content Interception: Section 69 IT Act (requires Secretary-level authorization)

Working with Indian Telecom Providers

Major Providers and Nodal Points

Telecom Service Providers (TSPs)

Each TSP has a designated Nodal Officer for law enforcement cooperation. Contact through:

  • Dedicated Law Enforcement Portal (LEA Portal)
  • Written request to Circle Nodal Officer
  • Emergency requests via designated hotline

Typical Response Time: 3-7 days for regular requests, 24-48 hours for emergencies

Information Typically Available from Telecom Providers

Data Type                 | Retention Period      | Request Mechanism
CDR (Call Detail Records) | 1-2 years             | Section 94 BNSS / LEA Portal
Subscriber Details        | Lifetime of account   | Section 94 BNSS / LEA Portal
Cell Tower Dumps          | 1-2 years             | Section 94 BNSS (requires justification)
IPDR (Internet Data)      | 90 days to 1 year     | Section 94 BNSS / LEA Portal
SMS Content               | Generally NOT stored  | Not available post-delivery
Recharge/Payment History  | 1-2 years             | Section 94 BNSS

Working with Internet Service Providers

Types of ISPs

  • Category A ISPs: National level (e.g., Reliance Jio, Airtel, BSNL)
  • Category B ISPs: Regional/state level
  • Category C ISPs: District/city level
  • Public WiFi Providers: Hotels, cafes, airports

Key Data Points from ISPs

  • IP Assignment Logs: Which subscriber was assigned which IP at what time
  • MAC Address Mapping: Device identification for WiFi connections
  • Connection Logs: Session start/end times
  • Subscriber KYC: Identity documents, address proof

💡 Tracing IP Address - Process
  1. Obtain IP address from email header, website log, or platform data
  2. Identify ISP using WHOIS lookup
  3. Send Section 94 notice to ISP with exact timestamp (in IST)
  4. ISP provides subscriber details assigned that IP at that time
  5. Note: Dynamic IPs change frequently - exact timestamp is critical
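
The timestamp handling behind steps 3 to 5, as an added example that is not part of the original course material: it converts an evidence timestamp to IST for the notice and shows how copying a UTC clock time as IST resolves the same dynamic IP to a different subscriber. The IP address (documentation range), subscriber IDs, assignment-log layout and header date are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

IST = timezone(timedelta(hours=5, minutes=30), "IST")

# Constructed sample data: ISP-side assignment log for one dynamic IP, times in IST.
# The IP is from a documentation range and the subscriber IDs are invented.
ASSIGNMENTS = [
    ("203.0.113.45", "2026-01-14 18:00:00", "2026-01-15 01:05:12", "SUB-1001"),
    ("203.0.113.45", "2026-01-15 01:07:40", "2026-01-15 06:58:03", "SUB-2002"),
    ("203.0.113.45", "2026-01-15 07:01:15", "2026-01-15 11:30:00", "SUB-3003"),
]
# Constructed evidence timestamp, as it would appear in an email header (UTC).
HEADER_DATE = "Wed, 14 Jan 2026 20:02:10 +0000"

def to_ist(header_date):
    """Parse an RFC 5322 date and convert it to IST; refuse dates with no known offset."""
    dt = parsedate_to_datetime(header_date)
    if dt.tzinfo is None:
        raise ValueError("no UTC offset: confirm the source time zone before converting")
    return dt.astimezone(IST)

def misread_as_ist(header_date):
    """The mistake to avoid: copying the clock time verbatim and labelling it IST."""
    return parsedate_to_datetime(header_date).replace(tzinfo=IST)

def notice_fields(ip, header_date):
    """Date and time fields in the format used by the notice template (DD/MM/YYYY, IST)."""
    ist = to_ist(header_date)
    return {"IP Address": ip, "Date": ist.strftime("%d/%m/%Y"),
            "Time": ist.strftime("%H:%M:%S") + " IST"}

def subscriber_at(ip, when_ist):
    """Return the subscriber holding `ip` at `when_ist`, or None if no session covers it."""
    for log_ip, start, end, subscriber in ASSIGNMENTS:
        begin = datetime.strptime(start, "%Y-%m-%d %H:%M:%S").replace(tzinfo=IST)
        finish = datetime.strptime(end, "%Y-%m-%d %H:%M:%S").replace(tzinfo=IST)
        if log_ip == ip and begin <= when_ist <= finish:
            return subscriber
    return None

if __name__ == "__main__":
    ip = "203.0.113.45"
    print(notice_fields(ip, HEADER_DATE))
    print("correct conversion ->", subscriber_at(ip, to_ist(HEADER_DATE)))
    print("UTC copied as IST  ->", subscriber_at(ip, misread_as_ist(HEADER_DATE)))
```

A lookup that returns None means the timestamp falls between two sessions, which is a cue to re-check the source clock and offset before sending the notice.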

Section 94 BNSS Notice to Service Provider

To,
The Nodal Officer (Law Enforcement)
[Service Provider Name]
[Address]

Subject: Request for Information under Section 94 BNSS - FIR No. [XXX/2026]

Reference: FIR No. [XXX/2026] dated [DD/MM/YYYY]
PS: [Police Station Name]
Under Sections: [66C, 66D IT Act / 316, 318 BNS]

Sir/Madam,

In connection with the above-referenced case, I am investigating an offense of [brief description - e.g., "online financial fraud"]. The following information is urgently required for investigation purposes:

1. Subscriber details of mobile number: [+91-XXXXXXXXXX]
   - Name, address, identity proof submitted
   - Alternate contact number, if any
   - Date of activation

2. Call Detail Records (CDR) for the period:
   From: [DD/MM/YYYY] To: [DD/MM/YYYY]
   - Incoming and outgoing calls
   - SMS records
   - Cell ID/Tower location data
   - IMEI of handset used

3. Recharge/payment history for the same period

The information is required urgently within [7 days] to prevent further offenses and trace the accused. Non-compliance shall attract consequences under law.

You are requested to provide the information in electronic format (CD/DVD/encrypted email) along with a certificate under Section 63 of Bharatiya Sakshya Adhiniyam, 2023.

[Name]
[Rank]
Investigating Officer
[Police Station]
[Contact Number]
[Official Email]

Date: [DD/MM/YYYY]
Encl: Copy of FIR

Notice for IP Address Details

To,
The Nodal Officer (Law Enforcement)
[ISP Name]

Subject: Request for Subscriber Details - IP Address Investigation

Reference: FIR No. [XXX/2026]

Sir/Madam,

Please provide subscriber details for the following IP address:

IP Address: [XXX.XXX.XXX.XXX]
Date: [DD/MM/YYYY]
Time: [HH:MM:SS] IST (Indian Standard Time)

Required Information:
1. Name and address of subscriber
2. Subscriber account/connection ID
3. KYC documents submitted
4. MAC address of device (if WiFi)
5. Connection type (broadband/leased line/mobile data)
6. Installation address

IMPORTANT: Please note the exact timestamp mentioned above. Given dynamic IP allocation, accuracy of time is critical.

[Name and Designation]
Investigating Officer

Common Challenges and Solutions

Data Retention Periods

Challenge: Data may be deleted after retention period expires. Solution: Send preservation requests immediately upon FIR registration.

Delayed Response

Challenge: Providers take weeks to respond. Solution: Mark urgent, follow up via phone, escalate to senior nodal officer.

Foreign Service Providers

Challenge: MLAT process is slow for foreign providers. Solution: Use law enforcement request portals, explore emergency disclosure procedures.

Encrypted Communications

Challenge: End-to-end encrypted content unavailable. Solution: Focus on metadata, device seizure, and other investigative leads.

💡 Best Practices
  • Always include exact timestamps in IST
  • Reference FIR number and relevant legal sections
  • Request Section 63 BSA certificate with the data
  • Send preservation request immediately, detailed request later
  • Maintain communication log with providers
  • Build relationships with nodal officers for faster response

📚 Key Takeaways
  • Section 94 BNSS is the primary mechanism for requesting data from service providers
  • Content interception requires Section 69 IT Act authorization at Secretary level
  • Data retention periods vary - send preservation requests immediately
  • Always specify exact timestamps in IST for IP-related requests
  • Include FIR reference and request Section 63 BSA certificate
  • Indian telecom providers have established LEA portals for efficient processing
  • Foreign provider requests may require MLAT or platform-specific law enforcement channels
  • Build relationships with nodal officers for faster emergency response