State of Surveillance in India


Written by: Centre for Internet and Society

This guest piece was written by representatives of the Centre for Internet and Society (CIS). It does not necessarily reflect the views or position of Privacy International.

Introduction

As part of the State of the Surveillance project, CIS conducted a review of surveillance law, policy, projects, and trends in India. Below we provide a snapshot of key legal provisions governing surveillance in India, touch on surveillance projects such as the Central Monitoring System, and provide information about initiatives that have possible implications for surveillance, such as the Unique Identification Scheme and the draft Human DNA Profiling Bill. Going forward, we suggest that India's legal regime and surveillance infrastructure could benefit from adoption and incorporation of the International Principles on the Application of Human Rights to Communications Surveillance.

Past

Current surveillance laws in India are mostly remnants from India’s pre-technological colonial past. However, in our technological age, the most important tools for surveillance are in the digital space; digital surveillance is dealt with under two different statutes, the Telegraph Act 1885 (which deals with interception of calls) and the Information Technology Act, 2000 (IT Act) (which deals with interception of data).

Before 1996, the state machinery relied upon the provisions of the Telegraph Act to carry out interception of phone calls. However, in 1996 the Supreme Court noticed the lack of procedural safeguards in the provisions of the Telegraph Act and laid down certain guidelines for interceptions. These guidelines formed the basis of the Rules defining the procedures of interception that were codified by the Telegraph Act in 2007. These Rules were, in part, reflected in the Rules prescribed under the IT Act in 2009.

Present

Currently, telecommunications surveillance is carried out according to the procedure prescribed in the Rules under the relevant sections of the two statutes mentioned above, viz. Rule 419A of the Telegraph Rules 1951 for surveillance under the Telegraph Act, and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009 for surveillance under the IT Act.

These Rules put in place various checks and balances and try to ensure that there is an established 'chain of custody' and paper trail for every interception request. The assumption is that with a clearly defined chain of custody and paper trail, the possibility of unauthorised interception taking place is reduced, thus ensuring that the powers of interception are not misused. However, even though these checks and balances exist on paper, not enough information is in the public domain regarding the entire mechanism of interception for anyone to make a clear judgment on whether the system is indeed reducing the number of unauthorised interceptions taking place.

Due to the secrecy inherent to surveillance, currently the only sources of information on interception in the public domain are news reports and a handful of right to information (RTI) requests (requests under the Right to Information Act by which individuals can access information from the government) that various activists have filed. The only other institutionalised source of information on surveillance in India is the figures reported in various transparency reports of companies such as Google, Yahoo, Facebook, etc. Thus, the bulk of the public debate, such as it is, on surveillance and privacy in India is informed by unofficial reports that journalists receive from unconfirmed sources.

That said, numerous news reports have covered stories of illegal and unauthorised interceptions. For example, there are a number of instances of private individuals indulging in illegal interception and surveillance; in 2005, it was reported that a private detective had intercepted the telephone conversations of a well-known political leader in order to blackmail him. The interception was allegedly carried out by stealing genuine government letters and falsifying them to obtain the necessary permissions.

The same detective was also implicated for tapping the telephone of the current finance minister. In 2012, a change of government in Himachal Pradesh revealed that the previous regime had targeted 1,371 telephone numbers for tapping and recording, but the State’s Home Secretary had granted permission for only about 2 percent of these.

Future

With the ever increasing penetration of internet and ICT technologies, more information pertaining to our lives will be available in a digital format. Most of this data will be susceptible to interception by the state, thus raising very serious questions about the safeguards needed to protect our privacy. With the advent of Big Data technologies, it is becoming the new norm, both in state action as well as the private sector, to collect and store as much data as possible in the hope that it can be utilised at a later point using data analytics. These Big Data technologies are adding an extra layer of complexity to an already complicated issue by making it possible for seemingly innocuous information (like communications metadata) to be changed into personally identifying information, revealing sensitive insights into individuals' lives.

This ability of new technology to reveal personally identifying information from virtually innocuous information challenges the existing norms of privacy policy and legislation in a significant way, because the current privacy framework rests upon the basic principle that information that is personal and/or intimate in nature (such as privacy of self, family, marriage, procreation, motherhood, child-bearing and education, etc.) is protected.

However, the advent of new technologies and the increase in computing power available at a lower price mean that publicly available non-identifying information can now be matched with other non-identifying information to create information that is able to identify you. It is in this context that different stakeholders are asking for the existing principles of privacy - such as consent, notice, collection limitation, etc. - to be redefined or abandoned in favour of newer principles.

Governments throughout the world are increasing their surveillance powers. India is no exception: the Government is increasingly using terrorism and Naxalist communist insurgency as a justification to grow and “improve” the law enforcement apparatus. Though we are cognisant of the challenge that law enforcement and governments face in ensuring security in a digital world, such measures are not acceptable when they circumvent or directly violate individual rights.

Part of this new thrust on improvement of law enforcement also focuses on increased surveillance for the purpose of gathering intelligence and prevention of criminal acts. The Indian government has proposed a number of surveillance-based intelligence gathering projects over the last few years, especially after the 2008 Mumbai terrorist attacks, such as NATGRID, CCTNS, LIM systems, NETRA, CMS, and the National Cyber Crime Coordination Centre.

In addition to these, India is considering policies that would expand the powers of law enforcement and security agencies. For example, in 2015 the Government released a draft Encryption Policy, which was withdrawn due to public criticism of its heavy-handed provisions, such as mandating users to store plain text copies of encrypted messages for up to 90 days. Also in 2015, the Department of Biotechnology came out with a revised draft of the Human DNA Profiling Bill.

In addition to these projects, there is also a concern amongst a section of society that India’s flagship identification project UID (also known as Aadhaar), which seeks to provide a unique identity number to each individual, may be used by the state to conduct surveillance, given that the Government is seeking to link more and more services with Aadhaar numbers. These concerns come against the backdrop of the writ petition filed by Judge K S Puttaswamy challenging the Aadhaar scheme, in which the Attorney General argued that the Constitution of India did not provide for a fundamental right to privacy. In March 2016, the Union Finance Minister introduced the Aadhaar Targeted Delivery of Financial and Other Subsidies, Benefits and Services Bill 2016. The Bill was approved by the Union Cabinet and is now being placed before the Lok Sabha, the Indian parliament. The Bill will provide legal grounding for the Aadhaar scheme. Its provisions try to address some of the concerns that have been raised around confidentiality and unauthorised disclosure.

Moving forward

There needs to be a real improvement in the transparency, oversight, and accountability of India's surveillance framework. While there exists a normative framework for the supervision of surveillance activities under the relevant pieces of legislation, the “leakages” in the system are not being caught by the current mechanism, which seems to indicate that there is a need to harmonize and amend the current regime of surveillance. However, due to the opaqueness behind which state surveillance activities operate, it is not possible to access formal information as to where exactly the system is going wrong.

The advent of some of the proposed surveillance projects of the state such as CMS and NETRA makes it even more imperative to have robust mechanisms to supervise and provide checks on state surveillance. One must also keep in mind that such a new framework should be “future proof” and should take into account technologies that challenge existing privacy norms as well as be malleable enough to adapt to future technologies. The Necessary and Proportionate principles define standards that should be present in any surveillance regime to ensure that it is in line with international human rights standards. These principles are a good place to start and India's surveillance framework could benefit from adoption and incorporation of the same.