Over two decades ago, allegations of surveillance against politicians led to a CBI inquiry and report against V P Singh’s government. The allegations revealed that imaginary reasons were given for ordering phone-tapping without authorisation. This led to the Supreme Court issuing the last substantive legal reform on surveillance laws in India. The SC’s directions are likely to remain the last reforms, as the Union government has published the Draft Telecommunications Bill, 2022 to replace the Telegraph Act, 1885.
The Telegraph Act contains broad and excessive powers of interception and surveillance of communications carried out through any telegraph. The surveillance power is principally contained under Section 5(2), and has resulted in an unaccountable, opaque and unconstitutional exercise of surveillance that has led to accusations across the political spectrum. This same provision is being replicated today, almost to the word, under the proposed Clause 24(2) of the Telecommunications Bill, 2022. Worse, the application of the power now clearly extends to “telecommunication services”, defined to include “over-the-top (OTT) communications services” that are usually internet-based text or audio-visual transmissions through providers such as Signal, Telegram, Whatsapp or Zoom. Essentially, the privacy preserving technology of end-to-end encryption will be sought to be broken. This technology keeps messages private by preventing anyone other than the recipient from seeing them. Even today, large amounts of metadata, including phone numbers and user profiles that include membership of groups and conversations (without their content) are available to law enforcement without any data protection or surveillance reform. Clause 24(2) will lead to greater surveillance by making even personal conversations over OTT communication services available to law enforcement agencies.
There are two additional powers which raise further concerns. First, the central government may, under Clauses 3 and 4, require licensing of “telecommunications services”. The second is the power to prescribe standards under Clause 23, which may result in regulations as recently issued by the Computer Emergency Response Team (CERT-In) that have resulted in the closure of servers or services by leading, global VPN providers such as Proton and TunnelBear. All of this practically means that users will have less choice in the privacy and security of their digital footprint, as these powers will foreseeably lead to requirements to locally register and host data, and comply with requirements to identify users (KYC requirements). This means smaller service providers like Signal will be unable to comply due to compliance costs and privacy concerns, also leading to less innovation on privacy and the market concentration of a few dominant firms.
Finally, even law enforcement access is being expanded under vague grounds while maintaining the unaccountable enforcement structure of the Telegraph Act. Clause 25 provides for extensive powers to the government, including, “taking over the control… suspending the operation… [and even] manage any or all… telecommunications services”, for reasons of, “national security”. The term, “national security” is left undefined and does not match constitutional precedent or text which instead uses the phrase, “in the interests of the security of state”. With each subsequent provision, the Bill becomes worse. For instance, Clause 34 imposes a positive duty on users not to provide “false particulars” that may even lead to legal prosecution, and Clause 51 requires service providers to supply user information to authorised officers not only for pending but also for “apprehended civil or criminal proceedings”. The coup-de-grace is served by Clause 53 that, despite an expansion of power under the Draft, continues with the insufficient procedural safeguards made under the Telegraph Act.
This massive expansion in legally sanctioned surveillance of millions of Indians is being proposed at a time when access to mobile internet has increased, and when there exist unprecedented methods of data collection. This is being done without a data protection law and with little transparency. Take two instances as examples: First, the Ministry of Home Affairs refuses to disclose even aggregate data on the number of surveillance orders issued by it each year; and second, there exist reported cases in which illegally gathered evidence is being sought to prosecute people. For instance, the Bombay High Court about three years ago noted in a case pending appeal before the Supreme Court, that premier investigating agencies such as the CBI have used, “interception orders (that) neither have sanction of law nor issued for legitimate aim”. All of these issues in the Draft Communications Bill, 2022 portent an Orwellian state, before one even utters, “Pegasus”.
The writer are Counsels at the Internet Freedom Foundation