Response to the Technical Committee appointed by the Hon’ble Supreme Court of India on issues of Surveillance
- At the outset, please accept my gratitude for giving me an opportunity to address a very important issue. I believe this issue and what is decided today will have a major bearing on the health and the future of our democracy.
- I would also like to place on record my appreciation for the Technical Committee for all its endeavours to address the issue of surveillance.
- The issue of surveillance, though complex, is not a difficult one to deal with. It is recognised that surveillance is largely a function of the State. It is a power given to the government by citizens to use wisely, proportionally, when absolutely necessary and only through strictly legal means in exceptional circumstances only.
- It is often cited that curtailing surveillance powers of the State will lead to a major weakness in defence of India. This is an absolutely false notion and in fact, there is no data available to substantiate this position. Also, upholding Constitutional freedoms, values and norms is a critical part of defending the Nation.
- It is also known that threats to the safety and security of the Nation are many. However, India’s intelligence and police have not been able to keep pace with the reforms and modernisation that are needed to meet these challenges. Surveillance offers an easy solution to such agencies, but come at a huge cost to India’s constitutional framework and democracy. Also, any legislation that is passed based on an exceptional situation always leads to bad law, and
- India is one of the few democracies in the world, where its intelligence agencies have not been created by an Act of Parliament. Any attempt at reforming India’s surveillance laws will not succeed until the agencies empowered to carry out surveillance are also brought under direct parliamentary statutes.
- There has to be a marked distinction between surveillance of Indian citizens and foreign nationals. Indian citizens have constitutional rights and protections that must be factored in while shaping surveillance laws/powers. All my responses are primarily in the context of domestic surveillance.
- Finally, surveillance is an enormous power given to the State. It can help a government manipulate the very citizens who have temporarily reposed this power in them. If it remains unchecked, it will only help governments perpetuate themselves and undermine the power of the citizens enormously. Therefore, surveillance powers must be governed by broadly using a three-tiered process:
a. Due Process: This can be done by additions/changes to existing subordinate rules of the Indian Telegraph Act, The Information Technology Act and the Indian Postal Act – laws that have provisions for carrying out surveillance/legal interception of communications. Eventually, India should have a dedicated law for surveillance in the long-term.
b. Oversight and Liability: This can be done by (i) Ensuring a strong Data Protection Act, as envisaged by the Hon’ble Supreme Court in its August 2017 nine-bench Puttaswamy-I judgement(ii) Ensuring all agencies empowered to carry out surveillance are mandated by Acts of Parliament, using existing provisions of the Constitution (iii) Ensuring Parliamentary, Judicial and Bureaucratic oversight mechanisms .
c. Transparency and Accountability: This can be done through the (i) Right To Information Act and (ii) the proposed Data Protection Authority
Response to Specific Queries
Query 1: Whether the existing boundaries of State surveillance of personal and private communications of citizens, for the purposes of national security, defence of India, maintenance of public order, and prevention and investigation of offences, are well defined and understood?
- No, the terms that set the boundaries for surveillance are not well defined and understood for a number of reasons and are open to a wide interpretation and misuse. Nearly every action can misuse these terms to circumvent the necessity and proportionality threshold as laid down by the Hon’ble Supreme Court and thus, make the surveillance order legal.
- This is especially true for the term “National Security” (most used for targeted surveillance) “public order” and “investigation” of a crime. Besides, India lacks a national security strategy that could clarify the definition of national security and the government’s objective in ordering surveillance. I propose the following definition: “National Security is the ability of a State to cater for the protection and defence of its citizenry and the preservation of the norms, rules, institutions, national interests, objectives and constitutional values.”
- The lack of understanding and clear boundaries of “national security” allowed the State to refuse to file a detailed affidavit to the Supreme Court of India under this case (Manohar Lal Sharma v. Union of India and others [Writ Petition (Crl.) No. 314 of 2021]). In doing so, the State claimed that disclosure of specific facts might affect the national security and defence of the nation. [Manohar Lal Sharma v. Union of India and others, Writ Petition (Crl.) No. 314 of 2021 (Para 13)]
- The Hon’ble Supreme Court contested this claim [Manohar Lal Sharma v. Union of India and others, Writ Petition (Crl.) No. 314 of 2021 (Para 49)] and mentioned that the State must prove that the information sought risks national security [Manohar Lal Sharma v. Union of India and others, Writ Petition (Crl.) No. 314 of 2021 (Para 50) ]. But as long as critical terminologies like national security remain too broad and overarching, it is difficult and futile to make the State accountable and prove that the information is being kept secret for legitimate national security concerns.
- How terms such as national security, public order and investigations are defined/limited will leave room for expansive interpretations and thus, facilitate state surveillance of personal and private communications.
Query 1(a): Are there any other purposes for which State surveillance may be justifiable and necessary?
- No, there is no other purpose for which the State surveillance would be justifiable as it would violate the verdict of the Supreme Court in Puttaswamy Judgement-I [(2017) 10 SCC 1 ] in the following ways:
- It will not satisfy the proportionality test [Puttaswamy Judgment I, (2017) 10 SCC 1 (Para 636)] as any other purpose will not qualify as proportional and necessary interference with the right to privacy.
- Does not fall within the reasonable restrictions [Puttaswamy Judgment I, (2017) 10 SCC 1 (Para 87)] as per the right to privacy held by the Supreme Court.
Query 2: Whether the procedures prescribed under the Telegraph Act, 1885 and Information Technology Act, 2000 and rules made thereunder for digital/telecommunication surveillance (with executive oversight measures for interception/decryption orders), are sufficient to effectively prevent (i) unwarranted excessive/routine use; or (ii) misuse; or (iii) abuse of State surveillance, purportedly undertaken for the aforesaid purposes?
- No, the procedures prescribed under the rules [In People’s Union for Civil Liberties vs Union of India & Ors, the supreme Court upheld the constitutionality of Section 5(2) of the Telegraph Act, 1885. Still, it provided procedural guidelines for wiretapping of phones to reserve privacy. These guidelines led to the amendment of Rule 419A of the Telegraph Rules, 1951. Subsequently, they formed the base for the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.] are flawed in the following ways and insufficient to prevent unwarranted orders, misuse, and abuse of State surveillance:
a. Lack of capacity
i. An RTI application that I had filed with the Union Ministry of Home Affairs revealed that about 100,000 phones are tapped annually by the central government (numbers could be more if I include state government requests).
ii. Breaking down this annual figure, about 7000 to 9000 per month and 300 per day interception requests are made by the central government agencies. The union home secretary has to single handedly clear all of them.
iii. In addition to this, the google transparency report indicates they had received about 24,799 data interception requests from the government in 2020. This volume of orders shows that:
- It nearly impossible for the Union Home Secretary and the review committee (single committee for both phone tapping and computer data interception [“Review Committee” in Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 is same as the one constituted under Rule 419A of Indian Telegraph Act.]) to perform their due diligence in approving and reviewing such a large volume of interception warrants in addition to their other daily activities.
- There is no capacity within the legal enforcement agencies and intelligence agencies to analyse this massive amount of data collected through surveillance.
b. No Data Limit
i. While the existing procedures limit the duration of the interception, record keeping and usage of intercepted information, it doesn’t limit the amount of data that can be accessed through surveillance. Due to no limitations, the agencies can retrieve data for a lifetime, i.e., from the day one of an individual using a phone or internet service without any purpose for the same.
c. No oversight and accountability
i. The authorisation mechanism of interception within the executive wing16 without parliamentary or judiciary oversight is problematic because
- the maximum number of fundamental rights breaches are against the state.
- executive oversight over another executive authority does not bring any accountability. Besides, the Union Home Secretary (the Approver), the heads of law enforcement and intelligence agencies (the Proposer) and the members of the Monitoring Committee (the Checker) all belong to the All India Services. They also don’t hold any special qualifications or expertise to perform this function.
ii. Similar to the competent authority, the review committee is also extensively executive driven [The guidelines provided by the Supreme Court in the PUCL case mandated the need of forming a review committee for examining surveillance activities and to bring in accountability.# Adopting this suggestion, Rule 41A(16) provisioned for forming central and state-level review committee, which is now also used for data interception under Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.] comprising Cabinet/Chief Secretary and Secretaries in charge of legal affairs and telecommunications which is near to no oversight and accountability for reasons discussed above. In addition, the review committee doesn’t have parliamentary or judiciary representations, which makes oversight and accountability provided by the review committee more symbolic than substantive.
iii. The state utilises the taxpayers’ money to purchase surveillance tools to monitor the citizens (who may or may not be guilty) without any accountability on the expenditure as Public Accounts Committee (PAC) do not get to examine all the audit reports of the Controller and Auditor General (C&AG).
d. Discretionary powers to the executive
i. Some of the intelligence agencies notified as central (LEAs) under the rules, such as the Intelligence Bureau (IB), Research and Analysis Wing (R&AW) and the National Technical Research Organisation (NTRO), don’t have clear cut roles and limitations of powers. In fact, IB, R&AW, NTRO and CBDT are not law.
ii. The Parliament has exclusive power to make laws on matters in union list and the 7th Schedule of the Indian constitution (where Entry 8 has provision to create a Central Bureau of Intelligence). However, these powers have never been used. As a result, the IB, R&AW and NTRO are created through gazette notifications. In the United Kingdom, the Security Service (equivalent of the IB, popularly known as MI-5) was created using the Security Service Act, 1989 and their Secret Intelligence Services (equivalent to R&AW) was brought under the Intelligence Services Act.
iii. While the rules provide procedures for ordering surveillance, they don’t have any provisions that restrict the State from using tools and software that would infringe upon the right to privacy and threaten national security.
iv. Rules don’t have guidelines for the State to determine safe tools for surveillance purposes. For instance, when the state uses tools like Pegasus, domain name used by Command and Control (C&C) server resolve to cloud-based virtual private servers rented by the NSO Group, a registered private company in another country (Israel).
v. This increases the national security risks as the Indian government doesn’t have any visibility into the source code of the software and data storage policy of the cloud-based virtual private servers.
vi. While Rule 6 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 outlines procedure for ordering interception beyond the State jurisdiction, [Rule 419(A) doesn’t outline the procedure for ordering interception beyond the State jurisdiction.] it does not distinguish between domestic and foreign surveillance. This lack of distinction provides room for the State to exercise discretion in determining terms of surveillance for both citizens and foreign nationals at the same levels.
Query 3: If your response to Query 2 is in the negative:
Query 3(a) What substantive and procedural safeguards – involving administrative, judicial and/or independent authorities – would you suggest to adequately balance individual rights with national security and public order interests?
Creating A Robust Oversight and Accountability Mechanism
a. Parliamentary Oversight:
i. A Multi-Party parliamentary standing committee should oversee the law enforcement agencies and intelligence agencies’ operations. A mechanism followed by the UK should advise the model because India inherited and emulated the Westminster model of parliamentary government. The UK has the Intelligence and Security Committee of Parliament formed under the Intelligence Services Act 1994 (reinforced by Justice and Security Act, 2013 [Sections 2, 3, and Schedule I of the Justice and Security Act, 2013]) to oversee the policies, expenditure, administration and operations of various intelligence agencies subjected to secrecy. [Section 1(1)(b) of the Official Secrets Act 1989]
ii. It has been argued that Members of Parliament should not have access to such information. However, in advanced democracies such as the UK, the Prime Minister retains control over who will be part of the Committee, provided they are drawn from other parties besides his/her own.
iii. In addition to this, the parliamentarian must be granted access to information held by intelligence and law enforcement agencies without restricting any information under the ambit of preserving national security. A similar mechanism is followed by the United States, where US Congress monitors the law enforcement agencies and intelligence agencies, and there are no statutory restrictions on information access.[F Smist, Congress oversees the intelligence community, 2nd edition, University of Tennessee Press, Knoxville, 1994.]
b. Judicial Authorisation:
- It would safeguard the right to privacy of the individuals from unwanted state surveillance as the Supreme Court recognised privacy as a negative content. [Puttaswamy Judgement I, (2017) 10 SCC 1 [Para 232 (iv)] ]
- Judicial authorisation could be split into two areas.
I. For prevention and investigation of criminal offences (warrant of interception from the concerned court, with expiring time duration and archiving of intercepted contents and submission to the court) and
II. A special authority (to be created), and for intelligence purposes that can be on the lines of the UK Investigative Powers Commissioner.
- It would bring about a separation of powers to check and oversee the executive actions, which could at times hamper the democratic safeguards due to malicious motives.
- The State agencies (both intelligence and law enforcement agencies) must take a prior warrant from the court to intrude into the private communications between individuals. Various jurisdictions follow this mechanism [Under the Canadian Security Intelligence Service Act, 1985, specially designated judges of the Federal Court provide the approval to the warrant of the intelligence agencies. In the United States, intelligence and law enforcement agencies must take warrants, court orders etc., for domestic surveillance activities under the Electronic Communication Privacy Act of 1986. In addition, in Riley v. California, the United States Supreme Court marked that search and seizure of digital data are considered to be unconstitutional.] and India must pick inferences from those to devise a more nuanced judicial authorisation system.
- The court warrant must access the constitutional validity of the request for surveillance through four prerequisites (as follows) for infringing upon an individual’s privacy and personal liberty discussed in Puttaswamy Judgement I [Puttaswamy Judgement I, (2017) 10 SCC 1 [S.K. Kaul, J part] ]
a. Legality: Existence of a law by Parliament (which was also emphasised by the Supreme Court in the Maneka Gandhi case of 1978 [1978 SCR (2) 621])
b. Legitimate goal: The intelligence and law enforcement agencies must prove the legitimate aim for conducting surveillance with proper justification.
c. Proportionality: The request must show that surveillance is necessary to achieve the aim. In addition, the request must prove the rational nexus between the objects and the means adopted to achieve them – in terms of (a) the amount of data required to be tapped or retrieved (b) tools used for surveillance (for which it is important to equip judges with technical expertise).
d. Procedural guarantees: The state abuse and misuse must be minimal by having concrete procedural safeguards followed by the state agencies, including the below discussed safeguards.
e. Administrative Oversight:
1. In addition to the external oversight proposed that has been proposed above, I recommend revamping the existing review committee model [Review Committee formed under Rule 419A of Indian Telegraph Act.]. The constituted authority should be answerable to the parliamentary committee and the Parliament in general.
2. In addition, the authority must audit and review the practices and safeguards followed by the agencies.
3. Besides, the authority should be empowered to take complaints related to unauthorised disclosure of classified or sensitive national security information, illegal surveillance activity, administrative misconduct etc. For instance, in the United States, under the U.S. Code, the office of the Inspector General of the Intelligence Community is in place to oversee programs and activities within the purview of the Director of National Intelligence (DNI).
f. Internal Oversight:
1. I propose that every law enforcement and intelligence agency must have an independent Inspector General who will scrutinise the surveillance request before it reaches the court for approval.
2. Many jurisdictions follow a similar kind of model. For instance, in the UK every law enforcement agency has independent officials to scrutinise surveillance requests.
3. Independent Inspector Generals must also audit and review the practices and safeguards followed by respective agencies and be answerable to the Parliamentary committee and the Parliament in general.
i. Technical safeguards: Various technical safeguards must be established to protect the privacy of individuals following some of the universal principles such as: 1. Data minimisation: The data collected through means of surveillance should not exceed the purpose for which it was collected and should not be held/stored post the completion of the purpose.
2. Proportionality: The data required through surveillance must have a rationale connection with the object of the investigation, such that data demanded is absolutely necessary. The UK also propagates this principle through its Investigatory Power Act, 2016 (previously Regulation of Investigatory Powers Act, 2000), which mandates that data demanded by the intelligence agencies must be necessary and proportionate.
3. Purpose limitation: The information received through surveillance must be processed only for the case/investigation it was accrued. The investigating agency must initiate a new request to use the same evidence in other cases/investigations. Besides, usage of evidence for anything other than law enforcement must be prohibited.
4. Privacy by design: The processing of evidence by law enforcement agencies and intelligence agencies should be privacy-friendly and doesn’t trade-off privacy at the cost of other State interests such as national security, public order etc. It should use Privacy Enhancing Technologies to ensure that unnecessary personal details are not exposed. The access control must be designed to be adequately granular, with audit trails, to enforce privacy and accountability.
5. Fair and lawful processing: The data acquired through surveillance must be processed fairly and lawfully such that unintended consequences like discrimination, historic disposition, oppression do not translate into the action.
6. Training: The personnel engaged in surveillance, including supervisory officials, must attend trainings on privacy and ethics annually, to ensure that the right culture is built and nurtured.
7. Data provenance: Law enforcement agencies and intelligence agencies must have legal and technical measures to differentiate citizens from foreign nationals within the bulk of data gathered through the surveillance. By identifying the provenance of the data it should be treated differently.
8. Data security: The data collected through surveillance should be encrypted at rest to ensure the safety of the information stored.
9. Data deletion: The data collected through surveillance must not be retained longer than necessary, which is followed by intelligence agencies in the UK under Investigatory Powers Act, 2016 [Sections 87 and 150 of the Investigatory Powers Act, 2016]. At the laps of data retention mandate by regulations, the information gathered through surveillance by law enforcement and intelligence agencies must be destroyed.
10. Data disclosure: When a crime or security threat is not established from the data collection and processing exercise, the agencies must inform the individuals about the surveillance and reveal the data collected (after a period of time) to them. h. Administrative safeguards
Every legal enforcement agency and intelligence agency must have privacy/ethics officers within their agencies to ensure day-to-day operations are not violating ethicality and privacy. The officer should also provide advice and guidance to the officials on matters related to privacy and ethicality. Many countries, including the US, UK and Germany, follow this system, for instance, in the US, the Office of Privacy and Civil Liberties is formed within the CIA, NSA etc.
Query 3(b) In what manner can the existing procedure/s prescribed by law enabling (i) intelligence agencies and (ii) law enforcement agencies, for targeted surveillance, be further strengthened, improved upon and meaningful?
a. Short term: Enhance the procedures under existing laws and rules: The following three principles have to be enhanced to make a meaningful improvement to the existing procedures:
- Due process: The process for approving the warrant has to be enhanced by adopting judicial authorisation suggested in Query 3.The state agencies (both intelligence and law enforcement agencies) must take a prior warrant from the court to intercept communication.
- Oversight: The envisioned Data Protection Authority (DPA) of India under the upcoming Data Protection law must be empowered to oversee the legal enforcement agencies and intelligence agencies’ operations. The DPA must have a sight over the policies, administration and operations of various agencies subjected to secrecy. But, for this to operationalise Clause 35 of the Draft Personal Data Protection Bill, 2019 must be amended as it empowers the government to exempt its agencies from the purview of the Bill.
- Liability: The agencies must be liable to the public by making the operations transparent through the Right to Information Act (RTI). The exemption to agencies under Section 24 of RTI must be amended to create gradations on the nature of the information to be disclosed after a period of secrecy.
b. Long Term: Fresh Surveillance Legislation
To set India’s trajectory towards empowering citizens, I suggest having more precise, purposive, proportionate, and comprehensive surveillance legislation for the country [considering some aspects discussed in Query 3(a)]. The bill should aid us in exercising our fundamental rights by weeding out the caveats discussed in Queries 1 and 2. I make a case for new legislation by submitting below bolstering arguments:
- The Indian surveillance legal framework is archaic [Historically, in India, surveillance has been a right of the state to deploy intrusive measures against citizens with minimal checks and balances. A slew of colonial laws that were passed in the 19th century by the British allowed the Raj to monitor communications, be it postal or telegraph. These laws continued to exist with impunity until the Supreme Court intervened in December 1996 (PUCL case), passing specific guidelines as safeguards against illegal or excessive surveillance by the State.], since then the world has changed, technology has changed, and so have the techniques used for surveillance in India and the legal fabric (Puttaswamy judgement I [Puttaswamy Judgement I, (2017) 10 SCC 1 ]). This calls for the overhaul of the legal framework of surveillance to keep up with the pace.
- The Indian surveillance legal framework came into existence when bulk surveillance barely existed and discourse around privacy and surveillance was not well developed. Over time, surveillance technologies, data processing and analytics tools at the disposal of government has evolved massively, which has paved the way for extensive interceptions (intentionally and unintentionally). This development calls for revamping our existing legal framework for surveillance which would consider the evolving technological developments.
- Many jurisdictions have revamped/enacted surveillance legislation [For instance, in the UK, the government enacted the Investigatory Powers Acts, 2016, which applies to intelligence agencies to ensure powers and principles fit the digital age.] to cater to the recent technological developments. India must pick inferences from various jurisdictions and enact more comprehensive surveillance legislation for the country.
Query 4: What should be the grievance redressal mechanism for a person whose data is subjected to targeted surveillance technologies by the State
Query 4(a) where no crime or security threat is established from the data collection and processing exercise;
There is no risk or liability associated with the agencies in the current system. This is due to non-disclosure of data where non-guilty individuals never come to know that they are victims of surveillance. Therefore, agencies must disclose data following the principle suggested in Query 3.
Besides, agencies must be held accountable by non-guilty individuals through a grievance redressal mechanism. Below are two different scenarios under which non-guilty individuals or groups of individuals (collective action) can seek compensation and justice.
Scenario A: When the individual is established not guilty through the data collected and processed through legal means, the individual (or a group) should reach out for redressal if they consider it to be unnecessary surveillance. If the individual manages to prove that their data is (a) misused, (b) compromised, (c) infringed privacy (of themselves and others) etc.:
- The agencies must compensate them.
- The chief and designated officer of investigation must be suspended, pending investigation.
iii. Individuals (or a group) must be able to appeal to the court for further investigation and penalise the chief and designated officer after investigation that has established gross negligence or malice.
Scenario B: When the individual is established not guilty through the data collected and processed through illegal means [Citing decisions in R.M. Malkani and Pooran Mal v. Director of Inspection, State v. Navjot Sandhu, in 2013 Supreme Court held that there is no bar on data procured by improper or illegal means if it is relevant and its genuineness is proved.], the individual (or a group) should reach out for redressal if they consider it to be unnecessary surveillance. If the individual manages to prove that their data is (a) misused, (b) compromised, (c) infringed privacy (of themselves and others) etc.:
- The agencies must compensate them.
- The chief, designated officer of investigation, and competent approval authority must be suspended.
- Strict actions against other officials of the agencies involved must be taken.
- Individuals (or a group) must be able to appeal to the court for further investigation and penalise the chief, designed officer of investigation and competent approval authority.
- In case of involvement of the review committee, the members of the committee must be subjected to investigation by the court.
Query 4(b) where involvement in a crime or threat to national security is established from the data collection processing exercise?
Suppose the individual is guilty of a crime or security threat through the data collected and processed through both legal and illegal means. In that case, they will not get a grievance redressal as the court trial would compensate for it.
But, as fiduciaries, the agencies must immediately take the case to court if they establish that the acts of the individual can be construed to be guilty through the data collected and processed. In the case of delay in taking the matter to court, the chief and designated officer of investigation/intelligence collection must be penalised, considering as an accessory to the alleged crime.
Query 4 (c) what should be the forum/fora for grievance redressal in regard to any targeted surveillance by the State or its instrumentalities
There shall be three separate forums for individuals and service (communication and internet) providers to get their grievances redressed.
(i) Surveillance Tribunal: There shall be an independent surveillance tribunal in India to take grievances from individuals (or groups of individuals) related to scenarios discussed in queries 4 (a) and 4 (b). The tribunal must adopt a system that assures efficiency, quick turnaround, and cost-effectiveness. A tribunal system is followed in the UK, where the Investigatory Powers Tribunal is established under the Regulation of Investigatory Powers Act, 2000. The individuals can approach the tribunal in the UK if they believe their right to privacy, property and communication is infringed.
(ii) High Courts: There shall be provisions to approach the High Courts where citizens as well as service (communication and internet) providers file petitions if they believe the interception order is excessive. They shall also challenge the order and seek a modification to the order. This approach was implemented in the US under Foreign Intelligence Surveillance Act (FISA). Electronic communication service providers can approach the Foreign Intelligence Surveillance Court to modify or challenge the government interception orders [Section 702 of the Foreign Intelligence Surveillance Act]. While the FISA court is only for foreign intelligence purposes, India must adopt this model for domestic surveillance by drawing inference from FISA.
(iii) Data Protection Authority: Since much of the data will come under proposed privacy laws, the Data Protection Authority, as envisaged under the Data Protection Bill will be a platform to deal with grievances under violation of privacy laws.
Query 5: Should there be special safeguards for the State surveillance of certain categories of persons? If so, what categories of persons should these cover and what form should these take?
No, there should not be any special safeguards for state surveillance of certain categories of persons. Every individual should be treated equally in congruence with Article 14 of the Indian Constitution, which states that government shall not deny to any person equality before the law or the equal protection of the laws. The protections against surveillance must apply to all Indian citizens equally.
Query 6: In what contexts and to what extent should sovereign/State immunity and State access be extended to acts of hacking of computer systems, mobile devices, online accounts, telecommunication/digital networks, unauthorised access, technology backdoors, decryption of private records, and to legal mandates to share information under intermediary or data processor’s obligations under intermediary rules and data protection laws, respectively?
This query has two parts:
- acts of hacking of computer systems, mobile devices, online accounts, telecommunication/digital networks, unauthorised access, technology backdoors, decryption of private records
- and to legal mandates to share information under intermediary or data processor’s obligations under intermediary rules and data protection laws,
My response to Query 6(a) and 6(b):
Any provision to acts of hacking of computer systems, mobile devices, online accounts, telecommunication/digital networks, unauthorised access, technology backdoors, decryption of private records will inevitably lead to mass surveillance. This is a very real danger to citizens and their constitutional rights. No degree of safeguards can protect them if such capabilities are allowed to the State.
It is also important to understand the role that meta-data can play in aiding investigations along with the data adequacy.
Also, any backdoor to any system will inevitably lead to vulnerabilities in the code that can be exploited by all bad actors. Such a move will not only cause irreparable harm to citizens and their constitutional rights, it will also make them vulnerable to attacks by foreign attackers, that can have serious consequences for India’s national security.
Deploying tools will render computer resources of several unsuspected individuals vulnerable to access by government and hackers alike. Therefore, no such provisions should be allowed under any circumstances. State immunity for domestic surveillance (or against Indian citizens) should be limited by all the safeguards and purpose limitations presented by me in response to earlier queries.
The Puttaswamy-I judgement has categorically held that the right to privacy stems from article 21 and any restriction of the right to privacy must meet the test under Article 21 of the Constitution, i.e. it must be just, fair and reasonable. The test laid down in Puttaswamy [Puttaswamy I, (2017) 10 SCC 1] categorically state that the three-prong test of legality, proportionality and legitimate purpose must be met for any infringement on the right to privacy. While legality and legitimacy can be met in the case of interception, when it is carried out under legal means, the proportionality of the infringement needs to be closely looked at.
Modern technology has evolved at a rapid pace to a point where our devices are constantly tracking every activity we involve ourselves in and our private moments. Justice Sanjay Kishen Kaul held [Puttaswamy I, (2017) 10 SCC 1] that the proportionality test also encapsulates within itself the principle of necessity, which requires that interception of communication should take place only when it is the least restrictive way of achieving the legitimate purpose.
My response to specific to part 6(b), “To what extent and context at which the data protection law can have mandatory sharing of data”
Section 69(3) imposes an additional obligation on intermediaries, subscribers and persons in charge of the computer resource to “extend all facilities and technical assistance” to the intercepting agency. Failure for compliance results in penalties for intermediaries from whom information is sought.
This provision could lead to arbitrary application of the law, in the absence of adequate checks and balances. Further, Section 69B empowers the Central Government who may authorise any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource for the purposes of cyber security. Traffic data is defined to include metadata as well. Put together, the intermediaries are obligated to collect information.
I believe that sharing of data with law enforcement must occur in a transparent manner and penalties for the non-co-operation need to be re-looked.
Moreover, to comply with the requirement to share information and to ensure traceability of communications, intermediaries will have to break end to end encryption. To facilitate and cooperate in tracing the origin of certain communications, the net effect is the introduction of a vulnerability in the technical system. State and non-state, domestic and foreign bad actors will inevitably take advantage of these vulnerabilities.
Query 7: Should the State be obliged to
(a) record or disclose surveillance technology/access that is procured by it, available with it or used by it for the purposes of national security or defence of India?
(b) To whom should such disclosure be made and in what form?
(c) Should these records be accessible under the Right to Information or otherwise made public once a certain amount of time has elapsed?
Response to part 7(a):
Yes, the State must be obliged to disclose surveillance, technology/access that it has procured. In a democracy, anything procured from public funds should stand up to scrutiny. A case in point is India’s routine procurement of weapon systems from abroad. While these are not hidden, only their actual capabilities in combat and how they are deployed is what is kept secret. Surveillance tools are invasive and their harms far outweigh the gains. Therefore, it is pertinent that such technologies are not kept secret from citizens.
Response to part 7(b):
These disclosures should be made available to the judicial and parliamentary oversight committees. This will help the judiciary appreciate the quality of evidence gathered and how it was collected, while it will also give fair insights to the parliamentary oversight committee to examine how effective the tools are, while also assessing their invasiveness and violation of fundamental rights.
Response to part 7(c):
The records must be made available for a number of reasons.
First, all surveillance material must inevitably go to a court, since the idea is to use it as a means of defending India, maintaining public order and investigation of offences. The courts will be an integral part of this process and therefore must have access to all such records at the appropriate time (which should not be more than a year from the date of sanction of the surveillance). For example, Estonia follows a model where there are four tiers. The State Secrets and Classified Information of Foreign States Act specifically lay out the limits for which information collected through radar and surveillance systems can be stored, and caps it at an upper limit of ten years.
Second, it is important that the surveillance records be analysed on a continuous basis to understand the efficacy of these tools as well as the harms that they can cause.
Third, in this vein, section 4 of the Right to Information Act, 2005 is pertinent to note. Multiple judicial developments in Bennett Coleman & Co. and Ors. v. Union of India & Ors. [1973 AIR 106], State of U.P. v. Raj Narain [1975 AIR 865], etc., has contributed immensely to the inclusion of the Right to Information under Article 19 (1)(a) of the Constitution of India.
Fourth, some of the agencies that are empowered to undertake surveillance are not established through parliamentary statutes. According to the government order (2018), 10 central agencies are empowered to conduct surveillance activities. The lack of their creation by an Act of Parliament prevents various stakeholders from exercising oversight over the functioning of these agencies. Disclosures that are made by LEAs and other intelligence agencies must be a part of the intended surveillance reform. Governmental transparency and openness are celebrated values under our Constitution [Anuradha Bhasin v. Union of India, (2020)3 SCC 637].
Query 8: Would your suggestions be practical and feasible to implement under the Indian federal constitutional framework, with States having control over state law enforcement agencies?
Yes, they are practical and feasible to implement under current Indian laws and there are adequate provisions under the Indian Constitution for further implementation. In fact, the lack of such laws/due process/safeguards harms citizens and undermines India’s democracy and national security.
As regards to the fact that law and order fall under the State, it does not bar such reform. Surveillance is mandated through communication laws (such as the Telegraph Act and the Information Technology Act), which are central subjects and come under the Union List.
In this vein, I propose the following amendments to existing legislation: Enhance the existing procedures under existing law
The following three principles have to be enhanced to make a meaningful improvement to the existing procedures.
- Due process: The process for approving the warrant must be enhanced where judicial authorisation suggested in Query 3 must be adopted. The state agencies (both intelligence and law enforcement agencies) must take a prior warrant from the court to intercept the information.
- Oversight & Liability: The parliamentary and judicial oversight mechanisms can we added to the existing rules and regulations of existing laws such as the Telegraph Act and the Information technology Act. The envisioned Data Protection Authority (DPA) of India under India’s upcoming Data Protection law must be empowered to oversee the legal enforcement agencies and intelligence agencies’ operations. The DPA must have oversight on the policies, administration and operations of various agencies subjected to secrecy. But, for this to operationalise Clause 35 of the draft Personal Data Protection Bill, 2019 must be amended as it empowers the government to exempt its agencies from the purview of the Bill. The approach taken in the Law Enforcement Directive (“LED”) in the EU deals with the processing of personal data by data controllers for ‘law enforcement purposes’ – which falls outside of the scope of the GDPR. Although it is in the form of a directive, it has been embedded in domestic legislation across Europe. The LED regime only applies in cases where the data controller is a ‘competent authority’, and the processing is done for ‘law enforcement purposes. In short, a combination of specific legislation that speaks of the manner in which large scale data collection and analysis for legitimate purposes of Law enforcement, along with an empowered Data Protection Authority can serve as effective oversight mechanisms.
- Transparency and Accountability: The agencies must be liable to the public by making the operations transparent through the use of section 4 of the Right to Information Act. The exemption to agencies under Section 24 of RTI must be amended to create gradations on the nature of the information to be disclosed after a period of secrecy.
Query 9: What steps can be taken to (a) improve and increase the cyber security of the Nation and its assets? Is there a need for a separate authority or organisation to (i) investigate cyber security vulnerabilities for threat assessment relating to cyber attacks and (ii) to ensure the cybersecurity of public and private digital infrastructure?
The availability of functionalities and integration of many services on mobile phones, while adding ease of access, has also made citizens vulnerable to a number of State and Non State bad actors. Many of the functions carried out by citizens on their mobiles are also recognised a “Critical Information Infrastructure” as defined by Section 70 of the Information Technology Act (amended) 2008. This means, citizens are now frontline targets for bad actors, and an attack on or through them can have “debilitating effect” on India’s national security. The US Federal Information Security Management Act, (FISMA) 2002 offers a good example of how to manage our nation cybersecurity posture.
Under such circumstances, the right and the need of citizens to protect themselves should not be curtailed. Doing so would be like the classic adage, a case of penny-wise, pound foolish. Therefore, I suggest the following measures to improve our national cybersecurity posture:
- Deploy end-to-end encryption (E2EE): As it stands right now encryption does not apply to most phone calls, making them vulnerable to interception. E2EE messaging tools and applications are now being used by at least 400 million users in India, which is 25% of the population. These are the first and, in many cases, the only line of defence.
- Re-energizing the existing organisations and authorities: Existing structures such as the National Critical Information Infrastructure Protection Centre (NCIIPC) created under Section 70(A) of the Information Technology Act (amended) 2008 and Computer Emergency Response Team-INDIA (CERT-IN) created under Section 70(A) of the Information Technology Act (amended) 2008 must be energised and leveraged to monitor and aid in improving cyber security. Further, modern intelligence and assessment frameworks such as a STIX framework for threat intelligence and data sharing should be encouraged for adoption by all.
- Create a national responsible vulnerability disclosure programme: Except for one programme run by NCIIPC, there are no government-led vulnerability disclosure programmes. The world over, there is recognition that cybersecurity is a shared responsibility between the State, the public and private sectors and the citizens. Such a programme will enable cybersecurity and information security researchers to share key data responsibly and also ensure a national database of all such threats that can be accessed by all key authorities.
- Updating the cyber security policy: National standards and an updated cyber security policy that takes into consideration the swiftly changing landscape of cyber threats, and which can help in improving the response and improving the landscape in India. This will also introduce software, hardware and firmware standards that will vastly improve India’s cybersecurity posture.
- Building global alliance and databases: While there are alliances and databases already existing to share threat intelligence (a site like virustotal.com offers a comprehensive database of malicious code)
Query 10: What laws and safeguards should be put in place by the State to protect its citizens from targeted surveillance by non-State/private entities and foreign agencies?
i. Update the Cyber Security policy to reflect the changes in the space of surveillance technology as detailed in my response to Query 9.
ii. Allow for uptake of end-to-end encryption technology to uphold the integrity of communications as detailed in my response to Query 9.
iii. Narrowly construe the exemptions to government agencies from the application of the upcoming data protection bill and ensure there are no backdoors to any technology that is deployed.
iv. Strengthen enforcement actions under Section 43 of the Information Technology Act as a deterrent for private parties in indulging in non-consensual tracking and add provisions to the proposed Data Protection law to ensure better enforcement and compliance of privacy laws/frameworks.
Query 11: Do you have any other suggestions or comments relating to the Terms of Reference?
- The Technical Committee should be expanded and its work should carry on beyond the Terms of Reference. The continuing work should look at building databases to study:
a. Efficacy of surveillance in national security
b. Audit ongoing surveillance and establish how much of it ends up in courts for prosecution
- Those tasked with surveillance (institutions/personnel/individuals) during the period when Pegasus was allegedly deployed should be asked to provide sworn affidavits on its purchase, use and targets.
- The secret audit of some of the organisations empowered to carry out surveillance by the Comptroller and Auditor General (CAG) of India should be accessed for the same period and examined.