Surveillance state is a reality now
A year after a Constitution Bench of nine judges declared privacy a fundamental right, its fears of the emergence of a surveillance state have come true.
“Our government was successful in compelling Blackberry to give to it the ability to intercept data sent over Blackberry devices. While such interception may be desirable and permissible in order to ensure national security, it cannot be unregulated.... George Orwell created a fictional State in 1984. Today, it can be a reality. The technological development today can enable not only the state, but also big corporations and private entities to be the ‘Big Brother’.”—Justice Sanjay Kishan Kaul in Justice K.S. Puttaswamy (Retd) vs Union of India, a unanimous judgment declaring the right to privacy as a fundamental right, delivered by a nine-judge Constitution Bench on August 24, 2017.
On December 20, 2018, by issuing a terse Statutory Order (S.O.6227(E)), the Union Home Secretary, Rajiv Gauba, vindicated Justice Kaul’s apprehension in the landmark judgment on privacy, unmindful of the order’s clear inconsistency with the Supreme Court’s pronouncement declaring the right to privacy an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.
The order drew its sustenance from Subsection (1) of Section 69 of the Information Technology (IT) Act, 2000, read with rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. The order, issued by the competent authority, authorised 10 security and intelligence agencies to intercept, monitor and decrypt any information generated, transmitted, received or stored in any computer resource under the Act.
The agencies are the Intelligence Bureau (I.B.), the Narcotics Control Bureau (NCB), the Enforcement Directorate (E.D.), the Central Board of Direct Taxes (CBDT), the Directorate of Revenue Intelligence (DRI), the Central Bureau of Investigation (CBI), the National Investigation Agency (NIA), the Cabinet Secretariat (Research and Analysis Wing, or RAW), the Directorate of Signal Intelligence (or DSI, for the service areas of Jammu and Kashmir, North-east and Assam only), and the Commissioner of Police, Delhi.
The “authorisation” granted to these 10 organisations has astounded observers and dismayed civil society.
The word “any” before the words “computer resource” in the order sounded like “every”. Although the Supreme Court, in a recent case, held that “any” does not mean “every”, the implication, caused by a deep distrust of the state, was ominous.
The very mention of these 10 agencies in one order suggested that they had been handicapped by the problem of accessing information stored in “any resource” to perform their duties effectively. The order gave no reasons as to why only these 10 agencies were authorised, leaving one to speculate whether other agencies already had that power and, therefore, required no authorisation, or whether they did not require this power, as per the Centre’s reasoning.
The term “computer resource”, as defined by Section 2(k) of the IT Act, also points to the possibility of the order being overbroad and therefore amenable to misuse by the authorities. Originally, it meant computer, computer system, computer network, data, computer database or software; in 2008, the Act was amended in such a way that the term included any “communication device”, such as mobile phones, within the definition.
THE OFFICIAL JUSTIFICATION
Faced with civil society’s outrage against the order, the Home Ministry sought to clarify the rationale of the order through a press release, which read: “No new powers have been conferred to any of the security or law enforcement agencies by the S.O. dated 20.12.18. It has been issued in accordance with rules framed in 2009 and in vogue since then. Each case of interception, monitoring, decryption is to be approved by the competent authority, that is, the Union Home Secretary. These powers are also available to the competent authority in the State governments as per IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009.”
According to Subsection (1) of Section 69 of the Act, as amended in 2008, where the Central government or a State government is satisfied that it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, for the defence of India, for ensuring the security of the state and friendly relations with foreign states, or in the interest of public order or to prevent incitement to the commission of any cognisable offence relating to the above or for the investigation of any offence, it may, subject to the provisions of Subsection (2) for reasons to be recorded in writing, direct any of its agencies to intercept, monitor or decrypt any information transmitted, received or stored through any computer resource.
Subsection (2) of Section 69 says that the procedure and safeguards subject to which such interception or monitoring or decryption may be carried out shall be such as may be prescribed. The procedure and “safeguards” envisaged under this subsection, it appears, have not been sufficiently prescribed.
The only “safeguard” envisaged under rule 22 of the IT Rules, 2009, is that all such cases are to be placed before a review committee headed by the Cabinet Secretary, which shall meet at least once in two months to review such cases. In the case of State governments, a committee headed by the Chief Secretary concerned will carry out the review.
The Home Ministry’s press note claimed that the S.O. would help in these ways: First, it would ensure that any interception, monitoring or decryption of any information through any computer resource is done as per the due process of law. The note seemed to be a tacit admission that until now agencies had engaged in these acts without complying with the due process of law.
Second, the order aims to prevent any unauthorised use of these powers by any agency, individual or intermediary. This could suggest that there have been instances of such unauthorised use of these powers by an agency, individual or intermediary, which led the government to proactively issue such a notification without receiving any complaint from an aggrieved party.
As state surveillance takes place without the knowledge of the person being watched, the question of receiving a complaint about any unauthorised use of these powers does not arise. Rather than investigate and bring to book those guilty of such unauthorised exercise of these powers, the order appears to provide an ex post facto justification for them and guarantee them legal protection from prosecution.
Third, the order would ensure that the provisions of law relating to lawful interception or monitoring of computer resource are followed and if any interception, monitoring or decryption is required for the purposes specified in Section 69 of the IT Act, the same is done as per the due process of law and with the approval of competent authority, that is, the Union Home Secretary. It is clear that in the absence of the order, the government was finding it impossible to ensure compliance with the law relating to interception or monitoring of computer resources and that the activity was being resorted to without the due process of law or the approval of the competent authority.
SIGNIFICANCE OF SAFEGUARDS
The order states “interception, monitoring and decryption” as its purpose. This implies that intelligence gathered by these agencies may be used for any purpose whatsoever so long as it satisfies the meaning of “monitoring”. It is here that safeguards assume significance. Effective safeguards can only be guaranteed by an exclusive data protection law, which the Centre is yet to enact, despite a draft Bill having been recommended by an expert committee headed by the former Supreme Court judge Justice B.N. Srikrishna.
Collecting data beyond the requisite amount or purpose specified and profiling of individuals or groups on the basis of such interception are the risks awaiting the country in the absence of a data protection law. The question remains whether the government will be the judge in its own case in deciding the extent and scope of monitoring data, as the existing safeguards do not provide a system of checks and balances.
The absence of effective safeguards against the misuse of these powers will likely make the Act’s provisions more draconian than one may assume. Subsection (3) of Section 69 requires the subscriber or intermediary or any person in charge of the computer resource to extend all facilities and technical assistance to the agency to (a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or (b) intercept, monitor, or decrypt the information, as the case may be; or (c) provide information stored in the computer resource. Subsection (4) enables the authorities to punish the subscriber or intermediary or any person who fails to assist the agency referred to in Subsection (3) with imprisonment up to seven years and a fine.
EXPERIENCE WITH THE TELEGRAPH ACT
The roots of the government’s efforts to snoop on digital content can be traced to Section 5(2) of the Indian Telegraph Act, 1885, whose constitutionality was tested by the Supreme Court in People’s Union for Civil Liberties (PUCL) vs Union of India in 1996. In this case, a bench of two Supreme Court judges dealt with telephone tapping. The petitioner challenged the constitutional validity of Section 5(2) of the Telegraph Act and urged that procedural safeguards against arbitrary acts of telephone tapping be adopted.
Section 5(2) authorises the interception of messages in transmission in the following terms: “On the occurrence of any public emergency, or in the interest of the public safety, the Central government or a State government or any officer specially authorised in this behalf by the Central government or a State government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the government making the order or an officer thereof mentioned in the order.”
A proviso to this section reads that press messages intended to be published in India of correspondents accredited by the Central government or a State government shall not be intercepted or detained unless their transmission has been prohibited under this subsection.
The PUCL had approached the Supreme Court in the wake of a report on the “tapping of politicians’ phones” by the CBI, which was published in the journal Mainstream. Investigation revealed serious lapses on the part of Mahanagar Telephone Nigam Limited (MTNL). The Supreme Court found in this case that the files pertaining to interception were not maintained properly.
The Supreme Court held in this case that telephone conversations were construed to be an important ingredient of privacy and the tapping of such conversations would infringe upon Article 21, unless permitted by procedure established by law. The court ruled that it would be necessary to lay down procedural safeguards for the protection of the right to privacy of a person until Parliament intervened by framing rules under Section 7 of the Telegraph Act.
The court accordingly framed guidelines to be adopted in all cases involving telephone tapping. The Supreme Court’s guidelines in the PUCL case were formally incorporated in the Telegraph Rules with the insertion of Rule 419-A. But the new rule could not offer effective remedies against telephone tapping in the absence of independent oversight of interceptions and parliamentary supervision or control over agencies entrusted with snooping.
In 2011, in the wake of the Niira Radia tapes, the Centre, through a press note, referred to the Supreme Court’s ruling in the PUCL case on December 18, 1996, which held that Section 5(2) of the Act envisages “occurrence of any public emergency” or “interest of public safety”, which is a sine qua non for the application of this provision. “Neither of these are secretive conditions or situations. Either of the situations would be apparent to a reasonable person,” the Centre observed in the note on April 25, 2011.
According to the note, “public emergency” means the prevailing of a sudden condition or state of affairs affecting the people at large that calls for immediate action. It is one which raises problems concerning the interest of public safety, the sovereignty and integrity of India, the security of the state, friendly relations with sovereign states or public order or the prevention of incitement to the commission of an offence.
“Public safety” means the state of freedom from danger or risk for the people at large.
When either of these two conditions is not in existence, the authorities cannot resort to telephone tapping even though there is satisfaction that it is necessary or expedient to do so in the interests of the sovereignty and integrity of India, security of the state, friendly relations with sovereign states, public order or for preventing incitement to the commission of an offence.
Contrast this with the December 20 order issued by the Home Ministry, which is silent on both public emergency and public safety. Nor does it cite any of the grounds mentioned in Section 69(1) of the IT Act.
In 2011, the Cabinet Secretary, in response to a directive from the Prime Minister, recommended that the government either remove the Central Board of Direct Taxes (CBDT) from the list of agencies authorised to intercept telephone calls—since income tax laws fall within civil jurisdiction and do not always impinge on public safety—or delineate the stipulations for and the extent of surveillance the agency is allowed, including the level at which requests were to be made for authorisation by the Home Secretary.
The Centre clarified in a press note that the law did not permit use of telephone tapping and monitoring of conversations to merely detect tax evasion.
There are specific laws and rules that contain provisions for detection of unaccounted wealth and evasion of taxes, and interception of telephone calls without “public emergency” or “public safety” being at stake was not in accordance with the law, as exhaustively interpreted by the Supreme Court, the note said.
The inclusion of the CBDT among the 10 agencies authorised to snoop on digital data in the December 20 order exposes the lie being perpetrated by the current regime.
The Justice B.N. Srikrishna Committee report on Data Protection, “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”, submitted to the Centre recently, observes that there is no general law in India today that authorises non-consensual access to personal data or interception of personal communication for the purposes of intelligence gathering or national security.
If there are any entities that are carrying out activities of such a nature without statutory authorisation (for example, solely through executive authorisation), such activities will be illegal as per the Puttaswamy judgment as they would not be operating under law.
The Intelligence Services (Powers and Regulation) Bill, 2011, was introduced to regulate the functioning of Indian intelligence agencies and institute an oversight mechanism. However, the Bill lapsed in 2011 and a legislative vacuum remains.
The Srikrishna Committee report took note of the existing legal framework in the form of Section 5 of Telegraph Act and Sections 69 and 69B of the IT Act. For each of these mechanisms, the report said, oversight was carried out through a review committee set up under the Telegraph Rules. This committee reviews interception orders passed under the Telegraph Act and Section 69B of the IT Act. It consists of the Cabinet Secretary, Secretary to the Government of India in charge of Legal Affairs, and the Secretary to the Government of India in charge of the Department of Telecommunications.
As per a recent right to information (RTI) application to the Home Ministry, 7,500 to 9,000 such orders are passed by the Centre every month. The review committee, which meets once in two months, has the unrealistic task of reviewing 15,000 to 18,000 interception orders in every meeting, the report said. (Comments in response to the White Paper submitted by Kalyan Biswas, associate vice president at Internet and Mobile Association of India, on January 31, 2018, are available on file with the committee.)
Additionally, the committee noted that surveillance practices were also enabled by the licence agreements entered into by telecom service providers with the government. For example, such agreements can mandate low encryption standards. This poses a threat to the safety and security of the personal data of data principals, the person, company or entity whose information is being collected.
More importantly, the Srikrishna Committee observed: “Surveillance should not be carried out without a degree of transparency that can pass the muster of the Puttaswamy test of necessity, proportionality and due process. This can take various forms, including information provided to the public, legislative oversight, executive and administrative oversight and judicial oversight. This would ensure scrutiny over the working of such agencies and infuse public accountability.”
The committee proposed that the surveillance architecture embed systematic risk management techniques within itself. This would lead to the prioritisation and narrowing of its activities by devoting resources to credible risks, whether reputational or organisational.
For example, an assessment of whether a particular measure was the least intrusive to achieve a stated aim may be required. This will not only reduce the costs incurred by the state but will be consistent with civil rights protection.
“We hasten that this recommendation, albeit not directly made a part of the data protection statute, is important for the data protection principles to be implemented effectively and must be urgently considered,” the committee said in its report.
It said that the data protection law should require the law enforcement agencies to ensure that processing of personal data was actually necessary and proportionate to their purpose. For example, the maintenance of a DNA database of all citizens, some of whom may be innocent, to track crime, without legal sanction, would be a disproportionate law enforcement measure.
A similar exercise was undertaken in the United Kingdom, where the government later had to delete the records of more than a million innocent adults and children after the enactment of the Protection of Freedoms Act, 2012, which inter alia regulates the collection, retention, destruction of biometric data, surveillance mechanisms, etc.
Section 42 (1) of the Personal Data Protection Bill, 2018, proposed by the committee states that processing of personal data in the interests of the security of the state shall not be permitted unless it is authorised pursuant to a law and is in accordance with the procedure established by such law made by Parliament and is necessary for, and proportionate to, such interests being achieved.
Courts have traditionally deferred to the executive’s prerogative on national security grounds. The moot question is how much actual security such a measure would provide. Scholars such as Jennifer Chandler argue that heightened surveillance often leads to less rather than more security since these measures have been known to disproportionately affect racial and religious minorities, on the basis of profiling along those lines.
These measures also seem to increase a feeling of security but do not translate into an actual increase in physical safety. This condition is called “security theatre”, where the mental aspect of “feeling secure” is given greater importance than actual physical safety. If national security is the objective, it is unclear why organisations aiming to detect financial and narcotics-related offences have been empowered. The NCB and the CBDT pursue objectives other than national security.
Justice Kaul dealt with profiling in his concurring judgment in the Puttaswamy case (right to privacy). He referred to the European Union regulation of 2016 on data privacy, which defines profiling as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Such profiling, Justice Kaul said, could result in discrimination based on religion, ethnicity and caste. However, he added, profiling could be used to further the public interest and for the benefit of national security.
The security environment, not only in India but throughout the world, makes the safety of persons and the state a matter to be balanced against the right to privacy, he observed. But then he warned: “Knowledge about a person gives a power over that person. The personal data collected is capable of effecting representations, influencing decision-making processes and shaping behaviour. It can be used as a tool to exercise control over us like the ‘Big Brother’ state exercised. This can have a stultifying effect on the expression of dissent and difference of opinion, which no democracy can afford.” Even as the Centre seeks to acquire the power of surveillance in the name of national security, it would do well to read what Justice Kaul said in the Puttaswamy judgment on the right to privacy with regard to the role of privacy in preventing awkward social situations and reducing social friction.
The December 20 order fails the test of proportionality as laid down by the Supreme Court in several cases.
INSIDE GOOGLE’S DATA CENTRE in The Dalles, Oregon. Google uses these data centres to store email, photographs, video, calendar entries and other information shared by its users.
UNION HOME MINISTER Rajnath Singh.
AT AN AADHAAR registration centre in New Delhi.