November 15, 2022 | Tags: surveillance | Categories: Cybersecurity

Response to the Technical Committee appointed by the Hon’ble Supreme Court of India on issues of Surveillance

Executive Summary

  1. At the outset, please accept my gratitude for giving me an opportunity to address a very important issue. I believe this issue and what is decided today will have a major bearing on the health and the future of our democracy.
  2. I would also like to place on record my appreciation for the Technical Committee for all its endeavours to address the issue of surveillance.
  3. The issue of surveillance, though complex, is not a difficult one to deal with. It is recognised that surveillance is largely a function of the State. It is a power given to the government by citizens, to be used wisely, proportionally, only when absolutely necessary, only through strictly legal means and only in exceptional circumstances.
  4. It is often cited that curtailing the surveillance powers of the State will lead to a major weakness in the defence of India. This is an absolutely false notion and, in fact, there is no data available to substantiate this position. Also, upholding Constitutional freedoms, values and norms is a critical part of defending the Nation.
  5. It is also known that the threats to the safety and security of the Nation are many. However, India’s intelligence and police have not been able to keep pace with the reforms and modernisation needed to meet these challenges. Surveillance offers an easy solution to such agencies, but it comes at a huge cost to India’s constitutional framework and democracy. Also, any legislation that is passed based on an exceptional situation always leads to bad law, and
  6. India is one of the few democracies in the world where its intelligence agencies have not been created by an Act of Parliament. Any attempt at reforming India’s surveillance laws will not succeed until the agencies empowered to carry out surveillance are also brought under direct parliamentary statutes.
  7. There has to be a marked distinction between surveillance of Indian citizens and of foreign nationals. Indian citizens have constitutional rights and protections that must be factored in while shaping surveillance laws/powers. All my responses are primarily in the context of domestic surveillance.
  8. Finally, surveillance is an enormous power given to the State. It can help a government manipulate the very citizens who have temporarily reposed this power in it. If it remains unchecked, it will only help governments perpetuate themselves and undermine the power of the citizens enormously. Therefore, surveillance powers must be governed broadly through a three-tiered process:
    a. Due Process: This can be done by additions/changes to the existing subordinate rules of the Indian Telegraph Act, the Information Technology Act and the Indian Postal Act, the laws that have provisions for carrying out surveillance/legal interception of communications. Eventually, India should have a dedicated law for surveillance in the long term.
    b. Oversight and Liability: This can be done by (i) ensuring a strong Data Protection Act, as envisaged by the Hon’ble Supreme Court in its August 2017 nine-judge bench Puttaswamy-I judgement; (ii) ensuring all agencies empowered to carry out surveillance are mandated by Acts of Parliament, using existing provisions of the Constitution; and (iii) ensuring Parliamentary, Judicial and Bureaucratic oversight mechanisms.
    c. Transparency and Accountability: This can be done through (i) the Right To Information Act and (ii) the proposed Data Protection Authority.

Response to Specific Queries 

Query 1: Whether the existing boundaries of State surveillance of personal and private communications of citizens, for the purposes of national security, defence of India, maintenance of public order, and prevention and investigation of offences, are well defined and understood?

  1. No, the terms that set the boundaries for surveillance are not well defined and understood, for a number of reasons, and are open to wide interpretation and misuse. Nearly any action can be fitted under these terms to circumvent the necessity and proportionality threshold laid down by the Hon’ble Supreme Court and thus make the surveillance order legal.
  2. This is especially true for the terms “National Security” (most used for targeted surveillance), “public order” and “investigation” of a crime. Besides, India lacks a national security strategy that could clarify the definition of national security and the government’s objective in ordering surveillance. I propose the following definition: “National Security is the ability of a State to cater for the protection and defence of its citizenry and the preservation of the norms, rules, institutions, national interests, objectives and constitutional values.”
  3. The lack of understanding and clear boundaries of “national security” allowed the State to refuse to file a detailed affidavit to the Supreme Court of India in this case (Manohar Lal Sharma v. Union of India and others [Writ Petition (Crl.) No. 314 of 2021]). In doing so, the State claimed that disclosure of specific facts might affect the national security and defence of the nation. [Manohar Lal Sharma v. Union of India and others, Writ Petition (Crl.) No. 314 of 2021 (Para 13)]
  4. The Hon’ble Supreme Court contested this claim [Manohar Lal Sharma v. Union of India and others, Writ Petition (Crl.) No. 314 of 2021 (Para 49)] and mentioned that the State must prove that the information sought risks national security [Manohar Lal Sharma v. Union of India and others, Writ Petition (Crl.) No. 314 of 2021 (Para 50)]. But as long as critical terminologies like national security remain too broad and overarching, it is difficult and futile to make the State accountable and prove that the information is being kept secret for legitimate national security concerns.
  5. The way terms such as national security, public order and investigation are defined/limited will leave room for expansive interpretations and thus facilitate State surveillance of personal and private communications.

Query 1(a): Are there any other purposes for which State surveillance may be justifiable and necessary?

  1. No, there is no other purpose for which State surveillance would be justifiable, as it would violate the verdict of the Supreme Court in the Puttaswamy Judgement-I [(2017) 10 SCC 1] in the following ways:
  2. It will not satisfy the proportionality test [Puttaswamy Judgment I, (2017) 10 SCC 1 (Para 636)], as any other purpose will not qualify as a proportional and necessary interference with the right to privacy.
  3. It does not fall within the reasonable restrictions [Puttaswamy Judgment I, (2017) 10 SCC 1 (Para 87)] on the right to privacy as held by the Supreme Court.

Query 2: Whether the procedures prescribed under the Telegraph Act, 1885 and Information Technology Act, 2000 and rules made thereunder for digital/telecommunication surveillance (with executive oversight measures for interception/decryption orders), are sufficient to effectively prevent (i) unwarranted excessive/routine use; or (ii) misuse; or (iii) abuse of State surveillance, purportedly undertaken for the aforesaid purposes?

  1. No, the procedures prescribed under the rules [In People’s Union for Civil Liberties vs Union of India & Ors, the Supreme Court upheld the constitutionality of Section 5(2) of the Telegraph Act, 1885. Still, it provided procedural guidelines for the wiretapping of phones to preserve privacy. These guidelines led to the amendment of Rule 419A of the Telegraph Rules, 1951. Subsequently, they formed the base for the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.] are flawed in the following ways and insufficient to prevent unwarranted orders, misuse, and abuse of State surveillance:
    a. Lack of capacity
    i. An RTI application that I had filed with the Union Ministry of Home Affairs revealed that about 100,000 phones are tapped annually by the central government (the numbers could be higher if I include state government requests).
    ii. Breaking down this annual figure, about 7000 to 9000 interception requests per month, or 300 per day, are made by the central government agencies. The Union Home Secretary has to single-handedly clear all of them.
    iii. In addition to this, Google’s transparency report indicates that it received about 24,799 data interception requests from the government in 2020. This volume of orders shows that:

    1. It is nearly impossible for the Union Home Secretary and the review committee (a single committee for both phone tapping and computer data interception [The “Review Committee” in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 is the same as the one constituted under Rule 419A of the Indian Telegraph Act.]) to perform their due diligence in approving and reviewing such a large volume of interception warrants in addition to their other daily activities.
    2. There is no capacity within the law enforcement agencies and intelligence agencies to analyse this massive amount of data collected through surveillance.

    b. No Data Limit

    i. While the existing procedures limit the duration of the interception and the record keeping and usage of intercepted information, they don’t limit the amount of data that can be accessed through surveillance. With no such limit, the agencies can retrieve data for a lifetime, i.e., from the first day an individual used a phone or internet service, without any stated purpose for doing so.

    c. No oversight and accountability

    i. The authorisation mechanism for interception lies within the executive wing, without parliamentary or judicial oversight. This is problematic because

    1. the largest number of fundamental rights breaches involve the State itself.
    2. executive oversight over another executive authority does not bring any accountability. Besides, the Union Home Secretary (the Approver), the heads of law enforcement and intelligence agencies (the Proposer) and the members of the Monitoring Committee (the Checker) all belong to the All India Services. They also don’t hold any special qualifications or expertise to perform this function.

    ii. Similar to the competent authority, the review committee is also extensively executive driven [The guidelines provided by the Supreme Court in the PUCL case mandated the forming of a review committee to examine surveillance activities and bring in accountability. Adopting this suggestion, Rule 419A(16) provided for forming central and state-level review committees, which are now also used for data interception under the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.], comprising the Cabinet/Chief Secretary and the Secretaries in charge of legal affairs and telecommunications, which amounts to near to no oversight and accountability for the reasons discussed above. In addition, the review committee doesn’t have parliamentary or judicial representation, which makes the oversight and accountability provided by the review committee more symbolic than substantive.

    iii. The State utilises the taxpayers’ money to purchase surveillance tools to monitor citizens (who may or may not be guilty) without any accountability for the expenditure, as the Public Accounts Committee (PAC) does not get to examine all the audit reports of the Comptroller and Auditor General (C&AG).

    d. Discretionary powers to the executive

    i. Some of the intelligence agencies notified as central law enforcement agencies (LEAs) under the rules, such as the Intelligence Bureau (IB), the Research and Analysis Wing (R&AW) and the National Technical Research Organisation (NTRO), don’t have clear-cut roles and limitations on their powers. In fact, IB, R&AW, NTRO and CBDT are not law.

    ii. Parliament has exclusive power to make laws on matters in the Union List of the Seventh Schedule of the Indian Constitution (where Entry 8 has provision to create a Central Bureau of Intelligence). However, these powers have never been used. As a result, the IB, R&AW and NTRO were created through gazette notifications. In the United Kingdom, the Security Service (the equivalent of the IB, popularly known as MI5) was created by the Security Service Act, 1989 and the Secret Intelligence Service (the equivalent of R&AW) was brought under the Intelligence Services Act.

    iii. While the rules provide procedures for ordering surveillance, they don’t have any provisions that restrict the State from using tools and software that would infringe upon the right to privacy and threaten national security.

    iv. The rules don’t have guidelines for the State to determine safe tools for surveillance purposes. For instance, when the State uses tools like Pegasus, the domain names used by the Command and Control (C&C) servers resolve to cloud-based virtual private servers rented by the NSO Group, a registered private company in another country (Israel).

    v. This increases national security risks, as the Indian government doesn’t have any visibility into the source code of the software or the data storage policy of the cloud-based virtual private servers.

    vi. While Rule 6 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 outlines a procedure for ordering interception beyond the State’s jurisdiction [Rule 419(A) doesn’t outline a procedure for ordering interception beyond the State’s jurisdiction.], it does not distinguish between domestic and foreign surveillance. This lack of distinction provides room for the State to exercise discretion in determining the terms of surveillance for both citizens and foreign nationals at the same levels.

Query 3: If your response to Query 2 is in the negative:

Query 3(a) What substantive and procedural safeguards – involving administrative, judicial and/or independent authorities – would you suggest to adequately balance individual rights with national security and public order interests?

Creating A Robust Oversight and Accountability Mechanism

a. Parliamentary Oversight:

i. A multi-party parliamentary standing committee should oversee the operations of the law enforcement and intelligence agencies. The mechanism followed by the UK should inform the model, because India inherited and emulated the Westminster model of parliamentary government. The UK has the Intelligence and Security Committee of Parliament, formed under the Intelligence Services Act 1994 (reinforced by the Justice and Security Act, 2013 [Sections 2, 3 and Schedule I of the Justice and Security Act, 2013]), to oversee the policies, expenditure, administration and operations of the various intelligence agencies subject to secrecy. [Section 1(1)(b) of the Official Secrets Act 1989]

ii. It has been argued that Members of Parliament should not have access to such information. However, in advanced democracies such as the UK, the Prime Minister retains control over who will be part of the Committee, provided members are also drawn from parties other than his/her own.

iii. In addition to this, parliamentarians must be granted access to information held by intelligence and law enforcement agencies, without any information being withheld under the ambit of preserving national security. A similar mechanism is followed by the United States, where the US Congress monitors the law enforcement and intelligence agencies, and there are no statutory restrictions on information access. [F. Smist, Congress Oversees the Intelligence Community, 2nd edition, University of Tennessee Press, Knoxville, 1994.]

b. Judicial Authorisation:

  1. It would safeguard the right to privacy of individuals from unwanted State surveillance, as the Supreme Court recognised privacy as having a negative content. [Puttaswamy Judgement I, (2017) 10 SCC 1 [Para 232 (iv)]]
  2. Judicial authorisation could be split into two areas:
    I. For the prevention and investigation of criminal offences (a warrant of interception from the concerned court, with an expiry time, and archiving of the intercepted contents and submission to the court), and
    II. For intelligence purposes, a special authority (to be created) that can be on the lines of the UK Investigatory Powers Commissioner.
  3. It would bring about a separation of powers to check and oversee executive actions, which could at times hamper democratic safeguards due to malicious motives.
  4. The State agencies (both intelligence and law enforcement agencies) must take a prior warrant from the court to intrude into private communications between individuals. Various jurisdictions follow this mechanism [Under the Canadian Security Intelligence Service Act, 1985, specially designated judges of the Federal Court provide the approval for the warrants of the intelligence agencies. In the United States, intelligence and law enforcement agencies must take warrants, court orders etc. for domestic surveillance activities under the Electronic Communications Privacy Act of 1986. In addition, in Riley v. California, the United States Supreme Court marked that search and seizure of digital data are considered to be unconstitutional.] and India must draw inferences from them to devise a more nuanced judicial authorisation system.
  5. The court must assess the constitutional validity of the request for surveillance through the four prerequisites (as follows) for infringing upon an individual’s privacy and personal liberty discussed in Puttaswamy Judgement I [Puttaswamy Judgement I, (2017) 10 SCC 1 [S.K. Kaul, J part]]:
    a. Legality: Existence of a law made by Parliament (which was also emphasised by the Supreme Court in the Maneka Gandhi case of 1978 [1978 SCR (2) 621]).
    b. Legitimate goal: The intelligence and law enforcement agencies must prove the legitimate aim for conducting surveillance with proper justification.
    c. Proportionality: The request must show that surveillance is necessary to achieve the aim. In addition, the request must prove the rational nexus between the objects and the means adopted to achieve them, in terms of (a) the amount of data required to be tapped or retrieved and (b) the tools used for surveillance (for which it is important to equip judges with technical expertise).
    d. Procedural guarantees: Abuse and misuse by the State must be minimised through concrete procedural safeguards followed by the State agencies, including the safeguards discussed below.
c. Administrative Oversight:

  1. In addition to the external oversight proposed above, I recommend revamping the existing review committee model [Review Committee formed under Rule 419A of the Indian Telegraph Act.]. The constituted authority should be answerable to the parliamentary committee and to Parliament in general.
  2. In addition, the authority must audit and review the practices and safeguards followed by the agencies.
  3. Besides, the authority should be empowered to take complaints related to the unauthorised disclosure of classified or sensitive national security information, illegal surveillance activity, administrative misconduct etc. For instance, in the United States, under the U.S. Code, the Office of the Inspector General of the Intelligence Community is in place to oversee programs and activities within the purview of the Director of National Intelligence (DNI).

d. Internal Oversight:

  1. I propose that every law enforcement and intelligence agency must have an independent Inspector General who will scrutinise surveillance requests before they reach the court for approval.
  2. Many jurisdictions follow a similar kind of model. For instance, in the UK every law enforcement agency has independent officials to scrutinise surveillance requests.
  3. Independent Inspectors General must also audit and review the practices and safeguards followed by their respective agencies and be answerable to the parliamentary committee and to Parliament in general.
e. Safeguards

  i. Technical safeguards: Various technical safeguards must be established to protect the privacy of individuals, following universal principles such as:

    1. Data minimisation: The data collected through means of surveillance should not exceed the purpose for which it was collected and should not be held/stored after the completion of that purpose.
    2. Proportionality: The data required through surveillance must have a rational connection with the object of the investigation, such that the data demanded is absolutely necessary. The UK also propagates this principle through its Investigatory Powers Act, 2016 (previously the Regulation of Investigatory Powers Act, 2000), which mandates that data demanded by the intelligence agencies must be necessary and proportionate.
    3. Purpose limitation: The information received through surveillance must be processed only for the case/investigation for which it was acquired. The investigating agency must initiate a new request to use the same evidence in other cases/investigations. Besides, the use of evidence for anything other than law enforcement must be prohibited.
    4. Privacy by design: The processing of evidence by law enforcement and intelligence agencies should be privacy-friendly and should not trade off privacy for other State interests such as national security, public order etc. It should use Privacy Enhancing Technologies to ensure that unnecessary personal details are not exposed. Access control must be designed to be adequately granular, with audit trails, to enforce privacy and accountability.
    5. Fair and lawful processing: The data acquired through surveillance must be processed fairly and lawfully, such that unintended consequences like discrimination, historical predisposition and oppression do not translate into action.
    6. Training: The personnel engaged in surveillance, including supervisory officials, must attend training on privacy and ethics annually, to ensure that the right culture is built and nurtured.
    7. Data provenance: Law enforcement and intelligence agencies must have legal and technical measures to differentiate citizens from foreign nationals within the bulk of data gathered through surveillance. By identifying the provenance of the data, it can be treated differently.
    8. Data security: The data collected through surveillance should be encrypted at rest to ensure the safety of the information stored.
    9. Data deletion: The data collected through surveillance must not be retained longer than necessary, a rule followed by intelligence agencies in the UK under the Investigatory Powers Act, 2016 [Sections 87 and 150 of the Investigatory Powers Act, 2016]. At the lapse of the data retention period mandated by regulations, the information gathered through surveillance by law enforcement and intelligence agencies must be destroyed.
    10. Data disclosure: When no crime or security threat is established from the data collection and processing exercise, the agencies must inform the individuals about the surveillance and reveal the data collected to them (after a period of time).

f. Administrative safeguards

Every law enforcement and intelligence agency must have privacy/ethics officers within the agency to ensure day-to-day operations do not violate ethics and privacy. The officer should also provide advice and guidance to officials on matters related to privacy and ethics. Many countries, including the US, UK and Germany, follow this system; for instance, in the US, an Office of Privacy and Civil Liberties is formed within the CIA, NSA etc.

Query 3(b) In what manner can the existing procedure/s prescribed by law enabling (i) intelligence agencies and (ii) law enforcement agencies, for targeted surveillance, be further strengthened, improved upon and made meaningful?

a. Short term: Enhance the procedures under existing laws and rules. The following three principles have to be enhanced to make a meaningful improvement to the existing procedures:

  1. Due process: The process for approving the warrant has to be enhanced by adopting the judicial authorisation suggested in Query 3. The State agencies (both intelligence and law enforcement agencies) must take a prior warrant from the court to intercept communication.
  2. Oversight: The envisioned Data Protection Authority (DPA) of India under the upcoming Data Protection law must be empowered to oversee the operations of the law enforcement and intelligence agencies. The DPA must have sight of the policies, administration and operations of the various agencies subject to secrecy. But for this to be operationalised, Clause 35 of the Draft Personal Data Protection Bill, 2019 must be amended, as it empowers the government to exempt its agencies from the purview of the Bill.
  3. Liability: The agencies must be liable to the public by making their operations transparent through the Right to Information Act (RTI). The exemption for agencies under Section 24 of the RTI Act must be amended to create gradations on the nature of the information to be disclosed after a period of secrecy.


b. Long Term: Fresh Surveillance Legislation

To set India’s trajectory towards empowering citizens, I suggest having more precise, purposive, proportionate, and comprehensive surveillance legislation for the country [considering some aspects discussed in Query 3(a)]. The bill should aid us in exercising our fundamental rights by weeding out the caveats discussed in Queries 1 and 2. I make a case for new legislation by submitting the following bolstering arguments:

  1. The Indian surveillance legal framework is archaic [Historically, in India, surveillance has been a right of the State to deploy intrusive measures against citizens with minimal checks and balances. A slew of colonial laws passed in the 19th century by the British allowed the Raj to monitor communications, be it postal or telegraph. These laws continued to exist with impunity until the Supreme Court intervened in December 1996 (PUCL case), passing specific guidelines as safeguards against illegal or excessive surveillance by the State.]. Since then the world has changed, technology has changed, and so have the techniques used for surveillance in India and the legal fabric (Puttaswamy Judgement I [Puttaswamy Judgement I, (2017) 10 SCC 1]). This calls for an overhaul of the legal framework of surveillance to keep up with the pace.
  2. The Indian surveillance legal framework came into existence when bulk surveillance barely existed and the discourse around privacy and surveillance was not well developed. Over time, the surveillance technologies, data processing and analytics tools at the disposal of government have evolved massively, which has paved the way for extensive interceptions (intentional and unintentional). This development calls for revamping our existing legal framework for surveillance so that it considers the evolving technological developments.
  3. Many jurisdictions have revamped/enacted surveillance legislation [For instance, in the UK, the government enacted the Investigatory Powers Act, 2016, which applies to intelligence agencies to ensure powers and principles fit the digital age.] to cater to recent technological developments. India must draw inferences from various jurisdictions and enact more comprehensive surveillance legislation for the country.

Query 4: What should be the grievance redressal mechanism for a person whose data is subjected to targeted surveillance technologies by the State

Query 4(a) where no crime or security threat is established from the data collection and processing exercise;

There is no risk or liability associated with the agencies in the current system. This is due to the non-disclosure of data, where non-guilty individuals never come to know that they are victims of surveillance. Therefore, agencies must disclose data following the principle suggested in Query 3.

Besides, agencies must be held accountable by non-guilty individuals through a grievance redressal mechanism. Below are two different scenarios under which non-guilty individuals or groups of individuals (collective action) can seek compensation and justice.

Scenario A: When the individual is established not guilty through data collected and processed through legal means, the individual (or a group) should be able to reach out for redressal if they consider it to be unnecessary surveillance. If the individual manages to prove that their data was (a) misused, (b) compromised, (c) used to infringe privacy (their own and others’) etc.:

  1. The agencies must compensate them.
  2. The chief and designated officer of investigation must be suspended, pending investigation.
  3. Individuals (or a group) must be able to appeal to the court for further investigation and to penalise the chief and designated officer after an investigation has established gross negligence or malice.

Scenario B: When the individual is established not guilty through data collected and processed through illegal means [Citing the decisions in R.M. Malkani, Pooran Mal v. Director of Inspection and State v. Navjot Sandhu, in 2013 the Supreme Court held that there is no bar on data procured by improper or illegal means if it is relevant and its genuineness is proved.], the individual (or a group) should be able to reach out for redressal if they consider it to be unnecessary surveillance. If the individual manages to prove that their data was (a) misused, (b) compromised, (c) used to infringe privacy (their own and others’) etc.:

  1. The agencies must compensate them.
  2. The chief, the designated officer of investigation, and the competent approval authority must be suspended.
  3. Strict action against other officials of the agencies involved must be taken.
  4. Individuals (or a group) must be able to appeal to the court for further investigation and to penalise the chief, the designated officer of investigation and the competent approval authority.
  5. In case of involvement of the review committee, the members of the committee must be subjected to investigation by the court.

Query 4(b) where involvement in a crime or threat to national security is established from the data collection and processing exercise?

Suppose the individual is found guilty of a crime or security threat through data collected and processed through either legal or illegal means. In that case, they will not get grievance redressal, as the court trial would compensate for it.

But, as fiduciaries, the agencies must immediately take the case to court if they establish that the acts of the individual can be construed as guilty through the data collected and processed. In the case of delay in taking the matter to court, the chief and designated officer of investigation/intelligence collection must be penalised and treated as an accessory to the alleged crime.

Query 4 (c) what should be the forum/fora for grievance redressal  in regard to any targeted surveillance by the State or its  instrumentalities 

There shall be three separate forums for individuals and service (communication and  internet) providers to get their grievances redressed. 

(i) Surveillance Tribunal: There shall be an independent surveillance tribunal in India to  take grievances from individuals (or groups of individuals) related to scenarios discussed  in queries 4 (a) and 4 (b). The tribunal must adopt a system that assures efficiency, quick  turnaround, and cost-effectiveness. A tribunal system is followed in the UK, where the Investigatory Powers Tribunal is established under the Regulation of Investigatory  Powers Act, 2000. The individuals can approach the tribunal in the UK if they believe their  right to privacy, property and communication is infringed. 

(ii) High Courts: There shall be provisions for citizens as well as service (communication and internet) providers to petition the High Courts if they believe an interception order is excessive. They shall also be able to challenge the order and seek its modification. A similar approach exists in the US under the Foreign Intelligence Surveillance Act (FISA): electronic communication service providers can petition the Foreign Intelligence Surveillance Court to modify or set aside a government directive [Section 702 of the Foreign Intelligence Surveillance Act]. While the FISA court deals only with foreign intelligence collection, India must adopt this model for domestic surveillance, drawing on FISA.

(iii) Data Protection Authority: Since much of the data will come under the proposed privacy law, the Data Protection Authority envisaged under the Data Protection Bill will be the forum for grievances arising from violations of privacy law.

Query 5: Should there be special safeguards for the State surveillance  of certain categories of persons? If so, what categories of persons  should these cover and what form should these take? 

No, there should not be any special safeguards for State surveillance of certain categories of persons. Every individual should be treated equally, in keeping with Article 14 of the Indian Constitution, which provides that the State shall not deny to any person equality before the law or the equal protection of the laws. The protections against surveillance must apply to all Indian citizens equally.

Query 6: In what contexts and to what extent should sovereign/State  immunity and State access be extended to acts of hacking of computer  systems, mobile devices, online accounts, telecommunication/digital  networks, unauthorised access, technology backdoors, decryption of  private records, and to legal mandates to share information under  intermediary or data processor’s obligations under intermediary rules  and data protection laws, respectively?  

This query has two parts:

  1. acts of hacking of computer systems, mobile devices, online accounts, telecommunication/digital networks, unauthorised access, technology backdoors, decryption of private records; and
  2. legal mandates to share information under an intermediary's or data processor's obligations under the intermediary rules and data protection laws, respectively.

My response to Queries 6(a) and 6(b):

Any provision permitting acts of hacking of computer systems, mobile devices, online accounts or telecommunication/digital networks, unauthorised access, technology backdoors or decryption of private records will inevitably lead to mass surveillance. This is a very real danger to citizens and their constitutional rights. No degree of safeguards can protect them if such capabilities are granted to the State.

It is also important to understand the role that metadata can play in aiding investigations, alongside the question of data adequacy.

Also, any backdoor in any system will inevitably introduce vulnerabilities in the code that can be exploited by all bad actors. A backdoor is an access path that works for whoever holds the key or knows the bypass; it cannot be engineered to admit only the State. Such a move will not only cause irreparable harm to citizens and their constitutional rights, it will also make them vulnerable to attacks by foreign adversaries, with serious consequences for India's national security.

Deploying such tools will render the computer resources of many unsuspecting individuals vulnerable to access by government and hackers alike. Therefore, no such provisions should be allowed under any circumstances. State immunity for domestic surveillance (or surveillance of Indian citizens) should be limited by all the safeguards and purpose limitations presented in my responses to the earlier queries.

The Puttaswamy-I judgement has categorically held that the right to privacy stems from Article 21, and any restriction of the right to privacy must meet the test under Article 21 of the Constitution, i.e. it must be just, fair and reasonable. The test laid down in Puttaswamy [Puttaswamy I, (2017) 10 SCC 1] categorically states that the three-prong test of legality, legitimate aim and proportionality must be met for any infringement of the right to privacy. While legality and legitimacy can be met in the case of interception carried out under legal means, the proportionality of the infringement needs to be looked at closely.

Modern technology has evolved at a rapid pace to a point where our devices constantly track every activity we involve ourselves in, including our private moments. Justice Sanjay Kishan Kaul held [Puttaswamy I, (2017) 10 SCC 1] that the proportionality test also encapsulates within itself the principle of necessity, which requires that interception of communication take place only when it is the least restrictive way of achieving the legitimate purpose.

My response specific to part 6(b), i.e. to what extent and in what context the data protection law can mandate the sharing of data:

Section 69(3) of the Information Technology Act imposes an additional obligation on intermediaries, subscribers and persons in charge of the computer resource to "extend all facilities and technical assistance" to the intercepting agency. Failure to comply attracts penalties for the intermediary from whom information is sought.

This provision could lead to arbitrary application of the law in the absence of adequate checks and balances. Further, Section 69B empowers the Central Government to authorise any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource for the purposes of cyber security. Traffic data is defined to include metadata as well. Taken together, these provisions obligate intermediaries to collect and hand over information.

I believe that sharing of data with law enforcement must occur in a transparent manner, and the penalties for non-cooperation need to be revisited.

Moreover, to comply with the requirement to share information and to ensure traceability of communications, intermediaries will have to break end-to-end encryption. The net effect of facilitating and cooperating in tracing the origin of communications is the introduction of a vulnerability into the technical system, and State and non-State, domestic and foreign bad actors will inevitably take advantage of it.

Query 7: Should the State be obliged to  

(a) record or disclose surveillance technology/access that is procured  by it, available with it or used by it for the purposes of national security  or defence of India? 

(b) To whom should such disclosure be made and in what form? 

(c) Should these records be accessible under the Right to Information  or otherwise made public once a certain amount of time has elapsed? 

Response to part 7(a): 

Yes, the State must be obliged to disclose the surveillance technology/access that it has procured. In a democracy, anything procured from public funds should stand up to scrutiny. A case in point is India's routine procurement of weapon systems from abroad: the procurements themselves are not hidden; only the systems' actual combat capabilities and how they are deployed are kept secret. Surveillance tools are invasive and their harms far outweigh the gains. Therefore, it is pertinent that such technologies are not kept secret from citizens.

Response to part 7(b): 

These disclosures should be made to the judicial and parliamentary oversight committees. This will help the judiciary appreciate the quality of the evidence gathered and how it was collected, while also giving the parliamentary oversight committee fair insight into how effective the tools are, their invasiveness and the extent to which they violate fundamental rights.

Response to part 7(c): 

The records must be made available, for a number of reasons.

First, all surveillance material must inevitably go to a court, since the purpose is to use it for defending India, maintaining public order and investigating offences. The courts will be an integral part of this process and must therefore have access to all such records at the appropriate time (which should not be more than a year from the date of sanction of the surveillance). For example, Estonia follows a model with four tiers of classification. Its State Secrets and Classified Information of Foreign States Act specifically lays out the limits for which information collected through radar and surveillance systems can be stored, and caps it at an upper limit of ten years.

Second, it is important that surveillance records be analysed on a continuous basis to understand the efficacy of these tools as well as the harms they can cause.

Third, in this vein, Section 4 of the Right to Information Act, 2005 is pertinent. Multiple judicial developments, in Bennett Coleman & Co. and Ors. v. Union of India & Ors. [1973 AIR 106], State of U.P. v. Raj Narain [1975 AIR 865], etc., have contributed immensely to the recognition of the right to information under Article 19(1)(a) of the Constitution of India.

Fourth, some of the agencies empowered to undertake surveillance are not established through parliamentary statutes. According to the government order of 2018, 10 central agencies are empowered to conduct surveillance activities. The fact that they were not created by an Act of Parliament prevents various stakeholders from exercising oversight over their functioning. Disclosures by law enforcement agencies (LEAs) and other intelligence agencies must be part of the intended surveillance reform. Governmental transparency and openness are celebrated values under our Constitution [Anuradha Bhasin v. Union of India, (2020) 3 SCC 637].

Query 8: Would your suggestions be practical and feasible to  implement under the Indian federal constitutional framework, with  States having control over state law enforcement agencies? 

Yes, they are practical and feasible to implement under current Indian law, and there are adequate provisions in the Indian Constitution for further implementation. In fact, the lack of such laws/due process/safeguards harms citizens and undermines India's democracy and national security.

As regards the fact that law and order falls under the States, this does not bar such reform. Surveillance is authorised under communication laws (such as the Telegraph Act and the Information Technology Act), which are central subjects falling under the Union List.

In this vein, I propose the following amendments to existing legislation.

Enhance the existing procedures under existing law

The following three principles have to be strengthened to make a meaningful improvement to the existing procedures.

  1. Due process: The process for approving a warrant must be enhanced, with the judicial authorisation suggested in my response to Query 3 adopted. State agencies (both intelligence and law enforcement agencies) must obtain a prior warrant from the court to intercept information.
  2. Oversight & Liability: Parliamentary and judicial oversight mechanisms can be added to the existing rules and regulations under existing laws such as the Telegraph Act and the Information Technology Act. The envisioned Data Protection Authority (DPA) of India under India's upcoming data protection law must be empowered to oversee the operations of law enforcement agencies and intelligence agencies. The DPA must have oversight of the policies, administration and operations of the various agencies subject to secrecy. But for this to be operationalised, Clause 35 of the draft Personal Data Protection Bill, 2019 must be amended, as it empowers the government to exempt its agencies from the purview of the Bill. The approach taken in the EU's Law Enforcement Directive ("LED") deals with the processing of personal data by data controllers for 'law enforcement purposes', which falls outside the scope of the GDPR. Although it is in the form of a directive, it has been embedded in domestic legislation across Europe. The LED regime applies only where the data controller is a 'competent authority' and the processing is done for 'law enforcement purposes'. In short, a combination of specific legislation governing the manner in which large-scale data collection and analysis may be carried out for legitimate law enforcement purposes, along with an empowered Data Protection Authority, can serve as an effective oversight mechanism.
  3. Transparency and Accountability: The agencies must be accountable to the public by making their operations transparent through the use of Section 4 of the Right to Information Act. The exemption granted to agencies under Section 24 of the RTI Act must be amended to create gradations in the nature of information to be disclosed after a period of secrecy.

Query 9: What steps can be taken to (a) improve and increase the cyber  security of the Nation and its assets?  Is there a need for a separate authority or organisation to (i) investigate  cyber security vulnerabilities for threat assessment relating to cyber attacks and (ii) to ensure the cybersecurity of public and private digital  infrastructure?  

The availability of functionalities and the integration of many services on mobile phones, while adding ease of access, have also made citizens vulnerable to a number of State and non-State bad actors. Many of the functions citizens carry out on their mobiles are also recognised as "Critical Information Infrastructure" as defined in Section 70 of the Information Technology Act (as amended in 2008). This means citizens are now frontline targets for bad actors, and an attack on or through them can have a "debilitating impact" on India's national security. The US Federal Information Security Management Act (FISMA), 2002 offers a good example of how to manage a nation's cybersecurity posture.

Under such circumstances, the right and the need of citizens to protect themselves should not be curtailed. Doing so would be, in the classic adage, penny-wise and pound-foolish. Therefore, I suggest the following measures to improve our national cybersecurity posture:

  1. Deploy end-to-end encryption (E2EE): As it stands, encryption does not apply to most phone calls, making them vulnerable to interception. E2EE messaging tools and applications are now used by at least 400 million users in India, about 25% of the population. These are the first and, in many cases, the only line of defence.
  2. Re-energising the existing organisations and authorities: Existing structures such as the National Critical Information Infrastructure Protection Centre (NCIIPC), created under Section 70A of the Information Technology Act (as amended in 2008), and the Indian Computer Emergency Response Team (CERT-In), created under Section 70B of the same Act, must be energised and leveraged to monitor and aid in improving cyber security. Further, standard threat-intelligence exchange formats such as STIX (Structured Threat Information Expression) should be encouraged for adoption by all, so that indicators of compromise can be shared in a machine-readable form.
  3. Create a national responsible vulnerability disclosure programme: Except for one programme run by NCIIPC, there are no government-led vulnerability disclosure programmes. The world over, there is recognition that cybersecurity is a shared responsibility between the State, the public and private sectors, and citizens. Such a programme will enable cybersecurity and information security researchers to report vulnerabilities responsibly and will also build a national database of all such threats that can be accessed by all key authorities.
  4. Updating the cyber security policy: National standards and an updated cyber security policy, taking into consideration the swiftly changing landscape of cyber threats, can help improve both the response to incidents and the overall landscape in India. This will also introduce software, hardware and firmware standards that will vastly improve India's cybersecurity posture.
  5. Building global alliances and databases: While alliances and databases for sharing threat intelligence already exist (a site like virustotal.com offers a large repository of malware samples and scan results)

Query 10: What laws and safeguards should be put in place by the State  to protect its citizens from targeted surveillance by non-State/private  entities and foreign agencies?

i. Update the Cyber Security policy to reflect the changes in the space of surveillance technology as detailed in my response to Query 9.

ii. Allow for the uptake of end-to-end encryption technology to uphold the integrity of communications, as detailed in my response to Query 9.

iii. Narrowly construe the exemptions for government agencies from the application of the upcoming data protection bill, and ensure there are no backdoors in any technology that is deployed.

iv. Strengthen enforcement under Section 43 of the Information Technology Act as a deterrent against private parties indulging in non-consensual tracking, and add provisions to the proposed data protection law to ensure better enforcement of and compliance with privacy laws/frameworks.

Query 11: Do you have any other suggestions or comments relating to  the Terms of Reference? 

  1. The Technical Committee should be expanded, and its work should carry on beyond the Terms of Reference. The continuing work should look at building databases to study:
    a. the efficacy of surveillance in national security; and
    b. an audit of ongoing surveillance, establishing how much of it ends up in courts for prosecution.
  2. Those tasked with surveillance (institutions/personnel/individuals) during the period when Pegasus was allegedly deployed should be asked to provide sworn affidavits on its purchase, use and targets.
  3. The secret audits of some of the organisations empowered to carry out surveillance, conducted by the Comptroller and Auditor General (CAG) of India, should be accessed for the same period and examined.