Published on Feb 17, 2022
As India makes rapid technological advancements, should it rethink its regulatory framework governing surveillance?
The state of surveillance in India: National security at the cost of privacy?

Surveillance as statecraft finds its roots in history, where social theorists have conceptualised various institutional designs and measures to monitor the actions of citizens for both defined and undefined purposes. One defined and legitimate purpose is to preserve national security, but the current state of surveillance reform in India is on an uneven keel between national security and privacy. Adding to this, recent technological developments have completely changed the surveillance architecture, where the tools have become more intrusive and damaging to our democratic safeguards. For instance, the recent case of Pegasus “snoop gate”, involving zero-click malware that can take control of infected devices without the knowledge of the recipient, illustrated the evolution of the surveillance architecture. Thus, this unfolding begs the question: is it time for India to rethink its regulatory framework governing surveillance?

Surveillance practices in India

Historically, in India, surveillance has been a right of the state to deploy intrusive measures against citizens with minimal checks and balances. A slew of colonial laws that were passed in the 19th century by the British allowed the Raj to monitor communications, be it postal or telegraph. These laws continued to exist with impunity until the Supreme Court intervened in December 1996 (PUCL Vs Union of India SCC 1997), passing certain guidelines as safeguards against illegal or excessive surveillance by the State.  Since then, the world has changed, technology has changed, and so have the techniques used for surveillance in India, which calls for the overhaul of the legal framework of surveillance to keep up with the pace.

At the macro-level, the state uses various digital surveillance tools like CCTVs and facial recognition cameras to track the actions of the citizens as a mass. Recently, India bagged a couple of top ranks in the Forbes list of the most surveilled cities in the world, where Delhi stood at rank one with about 1,826.6 cameras per square mile, beating Chinese cities like Beijing, Wuhan, Xiamen, etc., and London; Chennai stood at rank three with 609.9 cameras per square mile and Mumbai at rank 18 with 157.4 cameras per square mile. The Delhi government has restarted phase 2 of its CCTV project to install 140,000 CCTVs.

Besides, the state in the past has incentivised lateral surveillance at the peer-to-peer level to encourage citizens to monitor others for unlawful activities and report to the authority. For instance, the Indian Cyber Crime Coordination Centre under the Ministry of Home Affairs recently launched the cyber volunteers’ programme, which asks citizens to report unlawful activities on the internet and social media. This trend was more prominent during the pandemic, when the government resorted to various technological measures to tackle the spread of the virus through applications like Aarogya Setu, Quarantine watch, etc., and for administering the vaccination.

At the micro-level, the state is empowered to perform targeted surveillance in the form of interception. There are various lawful interception systems available in the Indian market which are installed into the networks of telecom services and internet services by the government through the license agreement. Though interception is legal in India under specific legal grounds, hacking is a punishable offence under the Information Technology (Amendment) Act, 2008 (Section 43 and 66).

However, the Pegasus ‘snoop gate’ revealed that hacking operations may take place without even the target possessing any knowledge of the said infringement. An international media consortium (Pegasus project) investigation revealed that about 50,000 phone numbers and consequently linked devices across the globe were infected by the Pegasus spyware. The investigation reported that targets were concentrated in countries where unlawful surveillance and poor legislative protections were prevalent. Within the target list, around 300 phone numbers that were surveilled belonged to serving ministers, journalists, opposition leaders and judges, businesspersons, and activists from India.

Although technology of this level is employed by the state for national security and to preserve state order, at present, in India, it is developed and administered in the absence of a data protection regime and robust surveillance reform. The data collected through these disruptive technological means are not safeguarded against misuse; who can access the data and whether it is used only for the stipulated purpose is unknown, and measures to prevent and tackle breach and abuse are not specified. The profiling of individuals is therefore taking place in silos, without key terms like suspects, suspicious activities, etc., being defined. For example, the Niira Radia phone tapping case revealed that the government doesn’t always follow procedures with intercepted files to protect the right to privacy of the target: personal conversations were retained in addition to the relevant portions, since these interceptions did not concern national security to begin with.

While mass and lateral surveillance equally curb the right to privacy and freedom of expression, targeted surveillance happens in an ad hoc, clandestine manner, paved through the caveats in the regulatory architecture, where recent technological developments help in secrecy, which could be unlawful at times. Therefore, this article will deep-dive into the status quo of the current regulatory framework of targeted surveillance, which is behind the times and undermines the democratic fabric of the nation.

Caveats in the regulatory framework of targeted surveillance

Under the legal grounds of the Indian Telegraph Act, 1885 and the Information Technology (Amendment) Act, 2008 (Section 69), the state can “intercept, monitor, and decrypt any information for protecting sovereignty, national security, friendly relations with international governments, integrating public order etc.” But this regulatory framework of surveillance is lacking in certain areas, which raises rights implications for citizens and brings forward concerns that such a broad sweep may undermine the democratic fabric of the nation. At present, the legislation has cracks that allow state actors to perform targeted surveillance at their discretion in the absence of appropriate checks and balances.

Both pieces of legislation discussed above, aside from being outdated, also allow the state to perform surveillance under broad mandates such as “to maintain public order, national security, and public safety”. While these are legitimate concerns of the state, these terms stand undefined, and their contours are neither clear in the legislation nor backed by clearly worded SOPs. These uncharted terminologies have led to surveillance for reasons that go beyond the purposes intended by the legislation. In addition, the lack of clarity in these terminologies also provides leeway to the state to operate in opacity, exacerbated by the absence of an oversight mechanism that goes beyond the same department. For instance, the state once refused to file a detailed affidavit to the Supreme Court of India under the Pegasus probe, stating national security reasons, which was also contested by the court later. By contrast, various countries like the US, France, Mexico, etc., have released official responses and sanctioned government investigations regarding the Pegasus revelations.

Specific to targeted surveillance, the current regulatory framework allows the Central and state governments, directly or through notified agencies, to intercept communications. This gives the state discretionary power to determine which law enforcement agencies can perform targeted surveillance, without any oversight or contestation by the Parliament and judiciary.

Under the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, no agency or person can perform interception without the direction and approval of the competent authority. However, the definition of the competent authority under the rules remains at an inter-department level: at present, the Home Secretary or the Joint Secretary (in case of emergency during the absence of the Home Secretary). This authorisation mechanism for interception, which sits within the executive wing without any parliamentary or judicial oversight or involvement, is meagre. This is especially concerning as the maximum number of fundamental rights breaches are against the state, whereas excessive executive oversight has also kept the judiciary at arm’s length.

On the other hand, while the Public Accounts Committee (PAC), formed by the parliament, audits the revenue and expenditure of the state, national security funding like the National Technical Research Organisation budget is categorised as special funds, which don’t come under the purview of the PAC.

A way forward

As a country that houses one of the largest democracies, our duty to empower our citizens towards their rights is as important as our duty to preserve national security. National security and privacy have largely been viewed as competing interests over the years; however, with the advent of technology and means of digital surveillance, protecting citizens’ information is also important. It is perhaps the best time to begin to view protecting the privacy and information of citizens as a facet of preserving national security. At present, the legislative thrust apparent in the amendments made to the IT Act 2000 via the IT Rules 2021, and in the wide exemptions to government and allied agencies in the proposed Data Protection Bill 2021, takes the route of exempting or weakening privacy practices towards citizens as opposed to putting in place privacy-respecting practices. An unfortunate consequence of adopting such methods is that often this compromises the privacy and security of law-abiding citizens themselves. For example, the IT Rules set out a mandate for originator traceability to aid law enforcement, which is likely to compromise encrypted communication and add vulnerabilities to other services that can be easily exploited by unethical actors.

To combat such issues, it is time to overhaul the Indian surveillance framework completely rather than adopting broad mandates or privacy infringing methods. At present, one of the main issues faced is that the base framework being employed is outdated; it is proving difficult for us to adapt and employ these principles to more advanced security issues and surveillance methods such as digital surveillance. Any new framework in this space must strive to put in place a precise, purposive, proportionate, and comprehensive system while making privacy-respecting practices the norm.

At present, our system is riddled with obstacles. At the crux, the terminology used in our legislation to decide its ambit or lay down justifications is loosely defined, which has allowed surveillance activities to go beyond intended purposes. The system must also strengthen the accountability mechanisms in the form of judicial or parliamentary oversight and establish appropriate procedural safeguards. These steps would help to largely reduce the discretionary powers of the state, which, at present, has a wide scope to determine the extent to which it may use its powers of surveillance.

The Supreme Court in K.S. Puttaswamy v. Union of India upheld a citizen’s right to privacy, specifically including informational privacy. In the same judgement, the Court stated that any infringement of this right may only take place within the contours of proportionality, legality, and necessity, effectively requiring even state-led surveillance to abide by these caveats. More recently, in Manohar Lal Sharma vs Union of India (known as the Pegasus case), the Court set up a committee of experts to recommend amendments to the existing law around surveillance to secure the right to privacy. Thus, the need to regulate surveillance activities, especially in light of privacy concerns, is even backed by a judicial push in India. Recent developments such as the Pegasus snooping scandal and widespread surveillance methods like facial recognition technology and contact tracing without adequate safeguards or legislation have also made the citizenry wary. How we approach surveillance regulation in the future may even have implications for digital trade, considering that jurisdictions evaluate the level of privacy protections afforded to data within other jurisdictions while arriving at data flow arrangements.

As we adopt newer technologies such as Web 3.0 and increase digital penetration in India, we are hopeful that revamping the framework governing surveillance is amongst the government’s top regulatory priorities.

While we have deep-dived into the need for an overhaul of the legal framework of targeted surveillance (micro-level), future research must discuss other facets like mass and lateral surveillance, which currently don’t have any concrete legal framework. For instance, it has been reported that drones with cameras are used for monitoring purposes, but it is unclear how video footage will be used later. The profiling of the individuals using these videotapes is happening in silos without defining terms like suspects, suspicious activities, etc., which stands against the rules of natural justice. Also, in most cases, individuals never know about the data collection and profiling happening through these digital surveillance tools, thus, violating privacy.

Therefore, we believe the push for robust surveillance reform for targeted surveillance will initiate a conversation on laying the pathway and foundations for new legal reforms for other forms of surveillance to find a balance between privacy and national security.

The views expressed above belong to the author(s).

Contributors

Kamesh Shekar

Kamesh Shekar is a Senior Research Associate at The Dialogue™ and Fellow at The Internet Society. His area of research covers informational privacy surveillance technology ...

Shefali Mehta

Shefali Mehta is Programme Manager at The Dialogue™. Her responsibilities include policy analysis and outreach. Her interests lie at the intersection of law society and ...
