FULL EXPOSURE
It kicked up quite a row, that home ministry notification in December authorising 10 central agencies to access, intercept and decrypt data on any computer in India. The government raised an eyebrow at the fuss. Arun Jaitley quickly clarified that this plan was nothing new, just more of the routine followed for a decade.
Well, it isn’t all new. Interception and surveillance were long granted legitimacy in India by the Telegraph Act, Post Office Act, the IT Act of 2000. But digital platforms multiplied their potency manifold. Tapping phones was a dreary, laborious task for underpaid staffers. Now, you have real-time voice search software. You have freely available metadata—who called whom, when, from where, to where, for how long. All scanned in real time since 2009 by India’s Central Monitoring System, for patterns such as bursts of calls from any location at late hours, or multiple calls to a neighboring country. DRDO’s NETRA does real-time internet surveillance, and there’s NATGRID, all offspring of 26/11.
As with 9/11, the Mumbai attacks of November 26, 2008, led to a ramp-up of surveillance. The Information Technology Act was enhanced, with monitoring and decryption rules under Section 69 and Section 66A, which continues to be misused by cops long after being struck down by the Supreme Court. In 2009, new rules for digital surveillance focused on data from online platforms—a phone-tapping framework on steroids.
Good citizens, said the State, should have nothing to hide from us.
But let’s flip that question around. Think of the silly security ‘car scans’ when you enter a hotel. If someone’s really bringing in something bad, it’s
not going to be bright yellow with a BOMB sign and a timer display. Today, no terrorist worth their salt would make an unencrypted call. Even my friends in politics, government and the security agencies call me only on WhatsApp.
Why should the State have unfettered access to your computer? Let’s take Justice Srikrishna’s metaphor further (“I’m an open, transparent man but that doesn’t mean I’ll keep the windows of my bathroom open while having a bath”). Even people who don’t have much of value at home lock their doors at night. Faced with an intruder with mala fide intent, everyone has something to hide. And that intruder may not be the State, but its employees, actors, associates, or influential non-state actors, all of whom are more likely to abuse personal data and metadata.
Remember August 2017? The Supreme Court declared privacy a fundamental right. And a year later, a committee that had been quickly set up before the SC judgment submitted a draft Personal Data Protection (PDP) Bill. The bill, which did not get tabled this winter session reportedly due to the public submissions swamping the ministry (MeitY), may not be the privacy panacea many hoped for. The draft proposes to exempt the State from requiring citizen consent for “the provision of any service or benefit”, which could be interpreted to mean anything. Yet it proposes severe penalties for data breaches for private parties, including criminal prosecution, which, as a member of the committee noted in her dissent, is draconian and excessive.
We don’t know what the final bill will look like, but not having the bill in place before late 2019 leaves the government and regulators to do their own thing, whether surveillance, or the RBI’s hard data localisation mandate (financial data of citizens to be stored only in India). The PDP draft even proposes that all passwords of Indian citizens be stored in India!
With the track record of agencies going after the wrong people, I’d seriously worry if I were a minority, or an RTI activist, a government critic, a prominent journalist, or simply a doctor helping tribals. Real terrorists, safe behind their encryption and VPNs, are far less likely to be touched. And with the support of all political parties (most of the extant post-2008 laws came from the Congress-led UPA), whatever happens after May 2019, we’ll likely have moved closer toward a regime of legitimate mass surveillance.
Your adversary isn’t the State, but may well be its employee who’ll abuse your personal data