When the state plays I spyhttps://indianexpress.com/article/opinion/columns/snooping-computer-surveillance-it-act-mha-spying-cbi-ed-5514301/

When the state plays I spy

Recent MHA notification authorising surveillance powers for 10 agencies points to asymmetries and loopholes in law and policy on privacy.

The notification, and the underlying section and rules of the IT Act have re-ignited the debate on the constitutionality of such surveillance measures. (Illustration by C R Sasikumar)

A recent Gazette of India notification from the Ministry of Home Affairs, authorising 10 agencies with interception, monitoring, and decryption powers under Section 69 of the Information Technology Act (IT Act), has provoked considerable disquiet. While it might be tempting to portray the angry exchanges across different political parties inside and outside Parliament as partisan posturing, we would be missing the significance of pre-existing — and rapidly growing — privacy and surveillance concerns in India.

Privacy concerns regarding the state, in terms of the exercise of surveillance powers, stems from the asymmetry and monopoly of power in favour of the executive. These concerns have only increased in a digital world where our intimate details, thoughts, and relationships are contained in our smartphones and computers.

The notification, and the underlying section and rules of the IT Act have re-ignited the debate on the constitutionality of such surveillance measures. First, unlike the Telegraph Act, the powers under the IT Act are broader, and include the power to intercept, monitor, and decrypt “any information” generated, transmitted, received, or stored in “any” computer resource (think all your WhatsApp conversations, Facebook messages on your computer and smartphone). Second, while the amended Section 69 of the IT Act, and its 2009 regulations, empowered the central and state governments, or “any of its authorised officers”, to conduct such activities, the notification has empowered 10 agencies (including the Commissioner of Police, Delhi) to do so. The existing statutory framework indicated a case-by-case basis for invoking such surveillance powers, based on authorisation by the “competent authority”. Orders for such digital surveillance actions could only originate after the pre-approval of the Union home secretary or the appropriate state government’s home secretary; law enforcement agencies had no competence to do so. However, the MHA notification denudes the competent authority of such powers and sets up the stage for mass surveillance.

The actual notification itself does not clearly require the Union Home Secretary to pre-approve such surveillance orders. Though the Union Government has sought to rebut the view that the Home Secretary’s requirement to oversee and pre-approve has been curtailed, government spokespersons have justified the notification stating the need to reduce the burden on the Home Secretary and de-centralise such data access and surveillance actions. In contrast, the legal regime under the older Telegraph Act and its rules still explicitly requires the appropriate home secretary to pre-approve wiretapping orders, except in emergency situations. Third, after the Supreme Court’s decision in the privacy (emphasising the need for necessity and proportionality) and Aadhaar cases (that allowing disclosure of information in the interest of national security in the hands of a joint secretary is unconstitutional and judicial scrutiny may be necessary), these legal provisions are untenable.

Advertising

Finally, it is also jarring that the notification was not preceded by any public discussion, consultation or parliamentary debate, even though Parliament’s Winter Session had already commenced at the time of its issuance. At the very least, the current widespread controversy has demonstrated the need for discussion and explanation of legal measures on surveillance to happen before the fact; not in response to public outrage and controversy.

The MHA notification raises the larger issue that our current communications surveillance and data access laws are contradictory, anachronistic and insufficient to protect privacy, rule of law and institutional accountability in digital India. We have the second-largest internet user base in the world. However, we have the unfortunate honour of being an outlier amongst major democracies with respect to how we regulate government intrusion into the privacy of our communications and data.

Our current surveillance infrastructure lacks proper transparency and accountability. It is completely under executive control, with no parliamentary or judicial oversight, either ex-ante or ex-post, of surveillance measures. This is in stark contrast to the situation in other countries such as Germany, South Africa, UK and the US. Even the report released by the Justice Srikrishna Committee on Data Protection noted that the lack of inter-branch oversight in surveillance, “is not just a gap that is deleterious in practice but, post the judgment of the Supreme Court in Puttaswamy, potentially unconstitutional.” Notably, many agencies listed in the notification, such as the Intelligence Bureau and R&AW lack statutory basis.

The situation is further exacerbated because illegally obtained evidence is admissible in India. Indeed, in 2014, in response to a question in Parliament, the government acknowledged that there had been multiple incidents of physical and electronic surveillance taking place without authorisation across Gujarat, Himachal Pradesh, and the NCT of Delhi. A statutory commission of inquiry was stated to have been approved by the then Union Cabinet to investigate and report on this — a promised commission of which no information or updates are available.

India urgently needs a Privacy Act, which will specifically address issues of surveillance and interception, an issue left unaddressed in the draft Data Protection Bill released by the Justice Srikrishna Committee. The current Section 69 of the IT Act — brought in by the same amendment that included the infamous Section 66A which passed without debate in 2008 due to disruptions in Parliament — is not fit for the purpose. The Indian Privacy Code, 2018, is a model Bill that stipulates that all communications surveillance and data access orders require approval by serving high court judges designated to special surveillance review tribunals. It also envisages a division of a privacy commission to help regulate and oversee surveillance activities, with regular briefings to Parliament to ensure democratic accountability.
Surveillance is a serious issue that affects all of us. Urgent legislative action is needed if we are to avoid sleepwalking into a surveillance society.

(Chima and Bhandari are lawyers and volunteer with the SaveOurPrivacy.in campaign)