According to India’s Telecom Regulatory Authority, at the end of 2013 India had over 904 million telecom subscribers. This includes both wireless and wireline subscribers – a significant number of India’s people, whose quality of life modern communication technologies can help improve. These modern technologies have another benefit – user data can be collected, and users themselves can be tracked, monitored, intercepted and traced by the long arm of the Indian government. The competing needs for privacy, data collection and surveillance, in part, lay out the landscape of the technology-led society we are building today. This paper examines the legality of surveillance structures in India today (including mass surveillance programmes), and an expanding e-government project, and juxtaposes them against the missing privacy legal framework that is needed in a liberal democracy such as India. It concludes that accountability mechanisms and laws are needed to safeguard a society that is increasingly adapting to mass surveillance and the lack of privacy.

In India, as is the case globally, there is no doubt that a necessary argument must and will be made for being able to use the same technologies for policing and security as are used to perpetrate crimes and acts of terror. With increasing Internet penetration in the country, India released its first Cyber Security Policy in 2013, flagging the biggest areas of concern for the country, including protecting critical information infrastructure and training more cyber security personnel. There is also growing concern in the country about the security of mobile networks given the increasing number of cheap and unverified products entering the market. With the increasing frequency of terror attacks on Indian soil, there is a necessity for law enforcement officials to be able to investigate suspects with speed.
At the same time, there is also a need and desire to use digital technologies to make governance more effective and efficient for the citizenry. Therefore, there are two broad aspects that need to be examined. The first relates to the surveillance mechanisms that exist via previous legislation, and new mass surveillance schemes that are being built by leveraging current technology. The second concerns the mass (and secure) collection of citizen data to build governance tools for smoother delivery of public services.

A recent NATO publication flagged the problems with the first issue well: ‘State-sponsored surveillance tends to be discounted as a "passive" or invisible intrusion, but when conducted on a pervasive scale, it is an activity that can severely harm rights in several dimensions. First, the invasion of privacy occurs at the point of intrusion and capture of material, not only at the point of access or use of information. The inability to direct one’s communications to only those who are intended recipients is a serious loss of control over one’s identity and autonomy; everyone has experienced the sensation of literally "being a different person" when in public, as opposed to among intimates. The uncertainty over which communications will be accessed when, and by whom, can also chill the exercise of many rights: freedom of expression, access to information, association with others, religious belief and practice, and assembly, for example.’[1]

India has a number of laws that offer a basis for the kinds of surveillance that exist in the country. Some of these are listed below:
  • The Indian Telegraph Act of 1885 was drafted to cover the use of telegraphy, phones, communication, radio, telex and fax in India. Section 5 of the act allows for legal wiretapping, and the guidelines state that only the home secretary, either of the Government of India or of a state government, can give an order for lawful interception. The order for the wiretapping is valid for a period of two months and should not exceed six.
  • The Indian Wireless Telegraphy Act of 1993 does not permit anyone to own wireless transmission apparatus without a license, and in Section 7 gives power to any officer specially empowered by the central government to search any building, vessel or place if there is reason to believe that there is any wireless telegraphy apparatus which has been used to commit an offence.
  • The Indian Post Office Act of 1898, Section 26, confers powers of interception of postal articles for the ‘public good’.
  • Section 91 of the Code of Criminal Procedure, 1973, grants other powers to the police; it states that: ‘Whenever any court or any officer in charge of a police station considers that the production of any document or other thing is necessary or desirable for the purposes of any investigation, inquiry, trial or other proceeding under this code by or before such court or officer, such court may issue a summons, or such officer a written order, to the person in whose possession or power such document or thing is believed to be, requiring him to attend and produce it, or to produce it, at the time and place stated in the summons or order.’
The most recent and currently controversial legislation is the Information Technology Act of 2000, amended in 2008 after the horrific Mumbai terror attack. Currently, the act contains some sections that require persons to reveal personal information without much room for recourse. Section 44 lays out punishment and fines in case of failure to furnish any document, return or report to the controller or the certifying authority. Section 66a lists out punishment of up to three years with a fine for sending any communication through electronic means which could be considered grossly offensive, menacing, false information for annoyance, inconvenience, hatred, ill-will and so on. Section 80 gives police and senior government officials the power to enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or about to commit an offence under this act.

However, in 2013, information about a mass surveillance scheme being rolled out by the Government of India came to light. The Central Monitoring System (CMS) was launched in 2009, but became public knowledge four years later. According to reports and interviews, the CMS will automate already existing data from other interception and monitoring programmes, and will have a non-erasable command log of all provisioning activities. Simply put, ‘CMS targets private information of individuals since it will enable real-time tracking of online activities, phone calls, text messages and even social media conversations.’[2] Further, CMS will not need permission from nodal officers of the Telecommunication Service Providers (TSPs), and will provision requests from all law enforcement agencies.
It isn’t quite clear what the legal basis of CMS is, but it has been suggested that it will operate under Section 52 (2) of the Indian Telegraph Act, which as we know allows for interception of (telegraphic) messages for various reasons including ‘public emergency’ and ‘public safety’. It was not created by, nor does it answer to, Parliament.

According to available information, the CMS can tap information from various other monitoring and interception schemes across India. These include the Crime and Criminal Tracking Networks and Systems (CCTNS), Lawful Intercept and Monitoring Program (LIM), Telephone Call Interception System (TCIS) and the Internet Monitoring System (IMS). The various departments/agencies that will have access to all this gathered data, through CMS, include the Central Bureau of Investigation (CBI), Defence Intelligence Agency (DIA), Department of Revenue Intelligence (DRI), Enforcement Directorate, Intelligence Bureau, Narcotics Control Bureau, National Intelligence Agency, Central Board of Direct Taxes, Ministry of Home Affairs, the Military Agencies of Assam and Jammu & Kashmir, and the Research and Analysis Wing (RAW).

As reported in The Hindu, ‘The CMS will have unfettered access to the existing Lawful Interception Systems (LIS) currently installed in the network of every fixed and mobile operator, ISP, and International Long Distance service provider. Mobile and long distance operators, who were required to ensure interception only after they were in receipt of the "authorization", will no longer be in the picture. With CMS, all authorizations remain secret within government departments. This means that government agencies can access in real time any mobile and fixed line phone conversation, SMS, fax, website visit, social media usage, Internet search and email, including partially written emails in draft folders, of "targeted numbers".
This is because, contrary to the impression that the CMS was replacing the existing surveillance equipment deployed by mobile operators and ISPs, it would actually combine the strength of two, expanding the CMS’s forensic capabilities multiple times.’[3]

At the same time, limited resources to store citizen data are becoming a thing of the past. New technologies like cloud computing have allowed space for storage to increase exponentially. Therefore, as the capacity of the state to accumulate data increases, for example with MeghRaj, a National Cloud launched by the Government of India in February 2014, it will be able to expand its e-government services.

Therefore, the common refrain among privacy experts and other stakeholders is that the crux of the matter lies in India passing an all-inclusive privacy law. This, they believe, would take into account not just protection for the individual vis-à-vis civil and criminal laws in India, but ensure there are privacy safeguards in the ambitious projects that the Government of India is undertaking with regard to citizens’ private data. These would include the massive rollout of e-governance projects under the National e-Government Programme, which includes 31 mission mode projects that seek to, in the first phase, digitize all available citizen data (such as land records and health records) for respective ministries, and then, in the second phase, build responsive and efficient government service delivery platforms. In some states this means accessing healthcare through smartcards, while in others citizens can access and pay their electricity bills online. For example, Bhoomi, an e-government project in Karnataka under the revenue department, has already computerized over 20 million land records of over 6.7 million farmers.

These digitized ministries will soon not function as islands.
The NATGRID – the National Intelligence Grid – is a system that will connect several government departments and databases to collect ‘comprehensive patterns of intelligence that can be readily accessed by intelligence agencies.’ While this means a single point to access citizen data from a variety of sources, it also allows a single window to steal this personal information.

Then there is the controversial UID – Universal ID card – that the Government of India plans on issuing to every resident of India, after collecting his or her biometric data. Simply put, the UID will become a citizen identifier. This means that the government will now be able to confirm that it is indeed citizen ‘x’ who is making phone calls or sending emails of some interest to the authorities, by immediately identifying the person through biometric data available with the state. Conversely, this also means that the state now has not just biometric data on its people, but it will be linked to all their communication data in an easy-to-find manner.

All this is happening without a comprehensive privacy law passed by the Indian Parliament. Article 21 of the Indian Constitution declares that no citizen can be denied his life and liberty except by law, and the right to privacy has been interpreted to be part of that. Further, Article 43A of the IT Act directs corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which they would be liable to compensate those affected by any negligence attributable to this failure. This must necessarily extend to the government as well.

It is instructive to refer to the Report of the Group of Experts on Privacy, chaired by Justice A.P. Shah, former Chief Justice of the Delhi High Court.[4] The report suggested a conceptual framework for privacy regulation in India, touching upon five salient points.
  1. Technological neutrality and interoperability with international standards: the privacy act should not refer to any specific technologies and should be generic enough to adapt to changes in society, helping build trust of global clients and users.
  2. Multi-dimensional privacy: the privacy act must include concerns related to a number of platforms including audio, video, personal identifiers, DNA, physical privacy and so on.
  3. Horizontal applicability: any legislation must extend to the government and private sector.
  4. Conformity with privacy principles: this means that the data controller should be accountable for the collection, processing and use of the data, thereby guaranteeing privacy.
  5. Co-regulatory enforcement regime: establishing the office of a privacy officer is also recommended as the primary authority for the enforcement of provisions in the act. However, it is also suggested that industry-specific self-regulation organizations be established.
The document also refers to court judgments from Indian courts that have helped shape some form of privacy safeguards into the system. For example, in the 1997 case, PUCL vs Union of India, the court observed: ‘Telephone-tapping is a serious invasion of an individual’s privacy. It is no doubt correct that every government, howsoever democratic, exercises some degree of sub rosa operation as a part of its intelligence outfit, but at the same time citizen’s right to privacy has to be protected from being abused by the authorities of the day.’ The court then placed restrictions on the class of bureaucrats who could authorize such surveillance and also ordered the creation of a review committee, which would look at all surveillance measures authorized under the act.

The Shah Report lays out a road map of acts passed by the Indian Parliament that would need to be reviewed for balance between individual privacy and national security. For example, when reviewing the UID scheme, the report points out that citizens should be informed if their data is breached. They should also be informed about where and how their data will be used, and notified of any changes in UID’s privacy policy. These and other suggestions are then placed in a broader regulatory framework that imagines a privacy commissioner for India.

At the same time it is pertinent to remember that while there is no privacy law to safeguard citizens, the government itself does not have a legal framework for the kind of mass surveillance India is moving towards. As pointed out by privacy experts: ‘The two laws covering interception are the Indian Telegraph Act of 1885 and the Information Technology Act of 2000, as amended in 2008, and they restrict lawful interception to time-limited and targeted interception.
The targeted interception both these laws allow ordinarily requires case-by-case authorization by either the home secretary or the secretary of the department of information technology.’[5]

Where do these competing interests end up? There is no privacy law to shield citizens from upgraded mass surveillance technology and systems, which themselves constantly need updated legal grounding. Ironically, just before the Snowden revelations, in his April 2013 report to the Human Rights Council of the United Nations, Special Rapporteur Frank La Rue noted that he was ‘deeply concerned by actions taken by states against individuals communicating via the Internet, frequently justified broadly as being necessary to protect national security or to combat terrorism. While such ends can be legitimate under international human rights law, surveillance often takes place for political, rather than security reasons in an arbitrary and covert manner.’[6] The report also highlights national legal standards that impose little or no judicial oversight, or allow warrantless surveillance powers in the name of national security without any particular demonstration of a genuine need or threat, and states that ‘every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files.’

Today, the concept of privacy is also undergoing a sea change due to the increasing ease with which citizens and customers are handing over data to governments and businesses. This has been seen with information shared on social media – 93 million Indians are on Facebook – and was seen in the almost unquestioned way in which e-governance projects were welcomed in the early days without any flags being raised about any data security or privacy safeguards in the design.

In his essay, ‘The Real Privacy Problem’,[7] writer Evgeny Morozov wrestles with the evolving concept of ‘privacy’.
He writes of a privacy scholar named Spiros Simitis who grappled with data protection in the 1980s, and the three ideas he grappled with. The first was that with virtually every employee, taxpayer, patient, bank customer, welfare recipient, or car driver handing over their personal data to private companies (and of course, government) privacy was now everyone’s problem. The second was that CCTV and other recording technologies like smart cards were normalizing surveillance, weaving it into our everyday life. The third was that by allowing everyday activities to be recorded, citizens were actually allowing ‘long-term strategies of manipulation intended to mould and adjust individual conduct.’

Ultimately, while technology itself is always faulted for being the cause of privacy failures, the truth is that these gaps enter the system through poor legislation. As discussed, the problems truly begin when projects are created without thinking of who could have unwarranted access to information, or how the information could be used and abused outside the scope of what it is collected for. Privacy safeguards and transparency about the intent and extent of a project (even when it is intended for surveillance) inject accountability into a system that remains static, despite the dynamic leaps in technology. This is the best way forward should India want to retain its spirit and label of being a liberal democracy.

Footnotes:
  1. Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace. International Law, International Relations and Diplomacy. NATO CCD COE Publication, Tallinn, 2013.
  2. Kalyan Parbat, ‘India’s Rs 40 Crore Automated Surveillance System Faces Delay’, The Economic Times, 1 February 2014. Accessed at: http://articles.economictimes.indiatimes.com/2014-02-01/news/46897898_1_cms-project-surveillance-system-cdot
  3. Shalini Singh, ‘India’s Surveillance Project May be as Lethal as PRISM’, The Hindu, 21 June 2013. Accessed at: http://www.thehindu.com/news/national/indias-surveillance-project-may-be-as-lethal-as-prism/article4834619.ece
  4. Report of the Group of Experts on Privacy, chaired by Justice A.P. Shah, Planning Commission, October 2012. Available at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf
  5. Pranesh Prakash, ‘How Surveillance Works in India’, India Ink, The New York Times, 10 July 2013. Accessed at: http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0
  6. Frank La Rue, Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression (UN GA Doc. A/66/290, 10 August 2011). Accessed at: http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf
  7. Evgeny Morozov, ‘The Real Privacy Problem’, Technology Review, 22 October 2013. Accessed at: http://www.technologyreview.com/featuredstory/520426/the-real-privacy-problem/?src=longreads

Source: Seminar Magazine, March 2014 http://www.india-seminar.com/2014/655/655_mahima_kaul.htm
The views expressed above belong to the author(s).