Response to the Technical Committee appointed by the Hon’ble Supreme Court of India on issues of Surveillance

Response from Saikat Datta to the Technical Committee

Saikat Datta

Executive Summary

  1. At the outset, please accept my gratitude for giving me an opportunity to address a very important issue. I believe this issue and what is decided today will have a major bearing on the health and the future of our democracy.

  2. I would also like to place on record my appreciation for the Technical Committee for all its endeavours to address the issue of surveillance.

  3. The issue of surveillance, though complex, is not a difficult one to deal with. It is recognised that surveillance is largely a function of the State. It is a power given to the government by citizens, to be used wisely and proportionally, only when absolutely necessary, through strictly legal means and in exceptional circumstances alone.

  4. It is often cited that curtailing the surveillance powers of the State will lead to a major weakness in the defence of India. This is an absolutely false notion and, in fact, there is no data available to substantiate this position. Moreover, upholding Constitutional freedoms, values and norms is a critical part of defending the Nation.

  5. It is also known that threats to the safety and security of the Nation are many. However, India’s intelligence and police have not been able to keep pace with the reforms and modernisation that are needed to meet these challenges. Surveillance offers an easy solution to such agencies, but comes at a huge cost to India’s constitutional framework and democracy. Also, any legislation that is passed based on an exceptional situation always leads to bad law, and

  6. India is one of the few democracies in the world where its intelligence agencies have not been created by an Act of Parliament. Any attempt at reforming India’s surveillance laws will not succeed until the agencies empowered to carry out surveillance are also brought under direct parliamentary statutes.

  7. There has to be a marked distinction between surveillance of Indian citizens and foreign nationals. Indian citizens have constitutional rights and protections that must be factored in while shaping surveillance laws/powers. All my responses are primarily in the context of domestic surveillance.

  8. Finally, surveillance is an enormous power given to the State. It can help a government manipulate the very citizens who have temporarily reposed this power in it. If it remains unchecked, it will only help governments perpetuate themselves and undermine the power of the citizens enormously. Therefore, surveillance powers must be governed broadly through a three-tiered process:

a. Due Process: This can be done by additions/changes to the existing subordinate rules of the Indian Telegraph Act, the Information Technology Act and the Indian Postal Act – laws that have provisions for carrying out surveillance/legal interception of communications. Eventually, India should have a dedicated law for surveillance in the long term.

b. Oversight and Liability: This can be done by (i) ensuring a strong Data Protection Act, as envisaged by the Hon’ble Supreme Court in its August 2017 nine-judge bench Puttaswamy-I judgement; (ii) ensuring all agencies empowered to carry out surveillance are mandated by Acts of Parliament, using existing provisions of the Constitution; and (iii) ensuring parliamentary, judicial and bureaucratic oversight mechanisms.

c. Transparency and Accountability: This can be done through (i) the Right To Information Act and (ii) the proposed Data Protection Authority.

Response to Specific Queries

  1. No, the terms that set the boundaries for surveillance are not well defined or understood, for a number of reasons, and are open to wide interpretation and misuse. Nearly any surveillance action can invoke these terms to circumvent the necessity and proportionality threshold laid down by the Hon’ble Supreme Court and thus render the surveillance order legal.

  2. This is especially true for the terms “National Security” (most used for targeted surveillance), “public order” and “investigation” of a crime. Besides, India lacks a national security strategy that could clarify the definition of national security and the government’s objective in ordering surveillance. I propose the following definition: “National Security is the ability of a State to cater for the protection and defence of its citizenry and the preservation of the norms, rules, institutions, national interests, objectives and constitutional values.”

  3. The lack of understanding and clear boundaries of “national security” allowed the State to refuse to file a detailed affidavit to the Supreme Court of India under this case (Manohar Lal Sharma v. Union of India and others [Writ Petition (Crl.) No. 314 of 2021]). In doing so, the State claimed that disclosure of specific facts might affect the national security and defence of the nation. [Manohar Lal Sharma v. Union of India and others, Writ Petition (Crl.) No. 314 of 2021 (Para 13)]

  1. The Hon’ble Supreme Court contested this claim [Manohar Lal Sharma v. Union of India and others, Writ Petition (Crl.) No. 314 of 2021 (Para 49)] and held that the State must prove that the information sought risks national security [Manohar Lal Sharma v. Union of India and others, Writ Petition (Crl.) No. 314 of 2021 (Para 50)]. But as long as critical terms like national security remain too broad and overarching, it is difficult and futile to hold the State accountable and to establish that the information is being kept secret for legitimate national security concerns.

  2. The way terms such as national security, public order and investigation are currently defined/limited leaves room for expansive interpretations and thus facilitates State surveillance of personal and private communications.

  1. No, there is no other purpose for which State surveillance would be justifiable, as it would violate the verdict of the Supreme Court in the Puttaswamy Judgement-I [(2017) 10 SCC 1] in the following ways:

  2. It will not satisfy the proportionality test [Puttaswamy Judgment I, (2017) 10 SCC 1 (Para 636)] as any other purpose will not qualify as proportional and necessary interference with the right to privacy.

  3. It does not fall within the reasonable restrictions [Puttaswamy Judgment I, (2017) 10 SCC 1 (Para 87)] on the right to privacy as held by the Supreme Court.

  1. No, the procedures prescribed under the rules [In People’s Union for Civil Liberties vs Union of India & Ors, the Supreme Court upheld the constitutionality of Section 5(2) of the Telegraph Act, 1885. Still, it provided procedural guidelines for wiretapping of phones to preserve privacy. These guidelines led to the amendment of Rule 419A of the Telegraph Rules, 1951. Subsequently, they formed the base for the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.] are flawed in the following ways and insufficient to prevent unwarranted orders, misuse, and abuse of State surveillance:

a. Lack of capacity

i. An RTI application that I had filed with the Union Ministry of Home Affairs revealed that about 100,000 phones are tapped annually by the central government (numbers could be more if I include state government requests).

ii. Breaking down this annual figure, about 7000 to 9000 interception requests per month and 300 per day are made by central government agencies. The Union Home Secretary has to single-handedly clear all of them.

iii. In addition to this, the Google Transparency Report indicates that Google had received about 24,799 data interception requests from the government in 2020.

This volume of orders shows that it is nearly impossible for the Union Home Secretary and the review committee (a single committee for both phone tapping and computer data interception [The “Review Committee” in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 is the same as the one constituted under Rule 419A of the Indian Telegraph Act.]) to perform their due diligence in approving and reviewing such a large volume of interception warrants in addition to their other daily activities. There is also no capacity within the law enforcement agencies and intelligence agencies to analyse this massive amount of data collected through surveillance.

i. While the existing procedures limit the duration of the interception, record keeping and usage of intercepted information, they do not limit the amount of data that can be accessed through surveillance. Because there is no such limit, the agencies can retrieve data spanning a lifetime, i.e., from the first day an individual used a phone or internet service, without any stated purpose.

c. No oversight and accountability

i. The authorisation mechanism for interception lies within the executive wing, without parliamentary or judicial oversight. This is problematic because

  1. most breaches of fundamental rights are committed by the State, and executive oversight over another executive authority does not bring any accountability. Besides, the Union Home Secretary (the Approver), the heads of law enforcement and intelligence agencies (the Proposer) and the members of the Monitoring Committee (the Checker) all belong to the All India Services. They also do not hold any special qualifications or expertise to perform this function.

ii. Similar to the competent authority, the review committee is also extensively executive driven [The guidelines provided by the Supreme Court in the PUCL case mandated the forming of a review committee for examining surveillance activities and bringing in accountability. Adopting this suggestion, Rule 41A(16) provided for forming central and state-level review committees, which are now also used for data interception under the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.], comprising the Cabinet/Chief Secretary and the Secretaries in charge of legal affairs and telecommunications, which amounts to almost no oversight and accountability for the reasons discussed above. In addition, the review committee has no parliamentary or judicial representation, which makes the oversight and accountability it provides more symbolic than substantive.

iii. The State utilises taxpayers’ money to purchase surveillance tools to monitor citizens (who may or may not be guilty) without any accountability on the expenditure, as the Public Accounts Committee (PAC) does not get to examine all the audit reports of the Comptroller and Auditor General (C&AG).

i. Some of the intelligence agencies notified as central law enforcement agencies (LEAs) under the rules, such as the Intelligence Bureau (IB), the Research and Analysis Wing (R&AW) and the National Technical Research Organisation (NTRO), do not have clear-cut roles and limitations on their powers. In fact, the IB, R&AW, NTRO and CBDT are not statutory bodies.

ii. Parliament has exclusive power to make laws on matters in the Union List of the 7th Schedule of the Indian Constitution (where Entry 8 provides for creating a Central Bureau of Intelligence). However, these powers have never been used. As a result, the IB, R&AW and NTRO were created through gazette notifications. In the United Kingdom, the Security Service (equivalent of the IB, popularly known as MI-5) was created by the Security Service Act, 1989, and the Secret Intelligence Service (equivalent to R&AW) was brought under the Intelligence Services Act.

iii. While the rules provide procedures for ordering surveillance, they don’t have any provisions that restrict the State from using tools and software that would infringe upon the right to privacy and threaten national security.

iv. The rules have no guidelines for the State to determine safe tools for surveillance purposes. For instance, when the State uses tools like Pegasus, the domain names used by its Command and Control (C&C) servers resolve to cloud-based virtual private servers rented by the NSO Group, a registered private company in another country (Israel).

v. This increases the national security risk, as the Indian government has no visibility into the source code of the software or the data storage policy of the cloud-based virtual private servers.

vi. While Rule 6 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 outlines the procedure for ordering interception beyond the State’s jurisdiction [Rule 419(A) doesn't outline the procedure for ordering interception beyond the State jurisdiction.], it does not distinguish between domestic and foreign surveillance. This lack of distinction leaves room for the State to exercise discretion in applying the same terms of surveillance to citizens and foreign nationals alike.

a. Parliamentary Oversight:

i. A multi-party parliamentary standing committee should oversee the operations of the law enforcement agencies and intelligence agencies. The mechanism followed by the UK should inform the model, because India inherited and emulated the Westminster model of parliamentary government. The UK has the Intelligence and Security Committee of Parliament, formed under the Intelligence Services Act 1994 (reinforced by the Justice and Security Act, 2013 [Sections 2, 3, and Schedule I of the Justice and Security Act, 2013]), to oversee the policies, expenditure, administration and operations of the various intelligence agencies subject to secrecy. [Section 1(1)(b) of the Official Secrets Act 1989]

ii. It has been argued that Members of Parliament should not have access to such information. However, in advanced democracies such as the UK, the Prime Minister retains control over who will be part of the Committee, provided they are drawn from other parties besides his/her own.

iii. In addition to this, parliamentarians must be granted access to information held by intelligence and law enforcement agencies without any information being withheld under the ambit of preserving national security. A similar mechanism is followed in the United States, where the US Congress monitors the law enforcement agencies and intelligence agencies, and there are no statutory restrictions on information access. [F Smist, Congress oversees the intelligence community, 2nd edition, University of Tennessee Press, Knoxville, 1994.]

  1. It would safeguard the right to privacy of individuals from unwanted State surveillance, as the Supreme Court recognised that privacy has a negative content. [Puttaswamy Judgement I, (2017) 10 SCC 1]

  2. Judicial authorisation could be split into two areas: I. for the prevention and investigation of criminal offences (a warrant of interception from the concerned court, with an expiry period, archiving of intercepted contents and submission to the court); and II. for intelligence purposes, a special authority (to be created) on the lines of the UK Investigatory Powers Commissioner.

  3. It would bring about a separation of powers to check and oversee the executive actions, which could at times hamper the democratic safeguards due to malicious motives.

  4. The State agencies (both intelligence and law enforcement agencies) must obtain a prior warrant from the court to intrude into private communications between individuals. Various jurisdictions follow this mechanism [Under the Canadian Security Intelligence Service Act, 1985, specially designated judges of the Federal Court approve the warrants of the intelligence agencies. In the United States, intelligence and law enforcement agencies must obtain warrants, court orders etc. for domestic surveillance activities under the Electronic Communications Privacy Act of 1986. In addition, in Riley v. California, the United States Supreme Court held that search and seizure of digital data are considered to be unconstitutional.] and India must draw on these to devise a more nuanced judicial authorisation system.

  5. The court warrant must assess the constitutional validity of the request for surveillance through the four prerequisites (as follows) for infringing upon an individual's privacy and personal liberty discussed in Puttaswamy Judgement I [Puttaswamy Judgement I, (2017) 10 SCC 1 [S.K. Kaul, J part]]:

a. Legality: Existence of a law made by Parliament (which was also emphasised by the Supreme Court in the Maneka Gandhi case of 1978 [1978 SCR (2) 621]).

b. Legitimate goal: The intelligence and law enforcement agencies must prove the legitimate aim for conducting surveillance with proper justification.

c. Proportionality: The request must show that surveillance is necessary to achieve the aim. In addition, the request must prove the rational nexus between the objects and the means adopted to achieve them – in terms of (a) the amount of data required to be tapped or retrieved and (b) the tools used for surveillance (for which it is important to equip judges with technical expertise).

d. Procedural guarantees: State abuse and misuse must be minimised by having concrete procedural safeguards followed by the State agencies, including the safeguards discussed below.

e. Administrative Oversight:

1. In addition to the external oversight proposed above, I recommend revamping the existing review committee model [Review Committee formed under Rule 419A of the Indian Telegraph Act.]. The constituted authority should be answerable to the parliamentary committee and to Parliament in general.

2. In addition, the authority must audit and review the practices and safeguards followed by the agencies.

3. Besides, the authority should be empowered to take complaints related to unauthorised disclosure of classified or sensitive national security information, illegal surveillance activity, administrative misconduct etc. For instance, in the United States, under the U.S. Code, the office of the Inspector General of the Intelligence Community is in place to oversee programs and activities within the purview of the Director of National Intelligence (DNI).

f. Internal Oversight:

1. I propose that every law enforcement and intelligence agency must have an independent Inspector General who will scrutinise the surveillance request before it reaches the court for approval.

2. Many jurisdictions follow a similar kind of model. For instance, in the UK every law enforcement agency has independent officials to scrutinise surveillance requests.

3. Independent Inspectors General must also audit and review the practices and safeguards followed by their respective agencies and be answerable to the parliamentary committee and to Parliament in general.

g. Safeguards

i. Technical safeguards: Various technical safeguards must be established to protect the privacy of individuals, following universal principles such as:

1. Data minimisation: The data collected through means of surveillance should not exceed the purpose for which it was collected and should not be held/stored after the completion of the purpose.

2. Proportionality: The data required through surveillance must have a rational connection with the object of the investigation, such that the data demanded is absolutely necessary. The UK also propagates this principle through its Investigatory Powers Act, 2016 (previously the Regulation of Investigatory Powers Act, 2000), which mandates that data demanded by the intelligence agencies must be necessary and proportionate.

3. Purpose limitation: The information received through surveillance must be processed only for the case/investigation for which it was accrued. The investigating agency must initiate a new request to use the same evidence in other cases/investigations. Besides, usage of evidence for anything other than law enforcement must be prohibited.

4. Privacy by design: The processing of evidence by law enforcement agencies and intelligence agencies should be privacy-friendly and should not trade off privacy against other State interests such as national security, public order etc. It should use Privacy Enhancing Technologies to ensure that unnecessary personal details are not exposed. Access control must be designed to be adequately granular, with audit trails, to enforce privacy and accountability.

5. Fair and lawful processing: The data acquired through surveillance must be processed fairly and lawfully, such that unintended consequences like discrimination, historical disposition and oppression do not translate into action.

6. Training: The personnel engaged in surveillance, including supervisory officials, must attend training on privacy and ethics annually, to ensure that the right culture is built and nurtured.

7. Data provenance: Law enforcement agencies and intelligence agencies must have legal and technical measures to differentiate citizens from foreign nationals within the bulk of data gathered through surveillance. Once the provenance of the data is identified, it should be treated differently.

8. Data security: The data collected through surveillance should be encrypted at rest to ensure the safety of the information stored.

9. Data deletion: The data collected through surveillance must not be retained longer than necessary, as is followed by intelligence agencies in the UK under the Investigatory Powers Act, 2016 [Sections 87 and 150 of the Investigatory Powers Act, 2016]. At the lapse of the data retention period mandated by regulations, the information gathered through surveillance by law enforcement and intelligence agencies must be destroyed.

10. Data disclosure: When a crime or security threat is not established from the data collection and processing exercise, the agencies must inform the individuals about the surveillance and reveal the data collected (after a period of time) to them.

h. Administrative safeguards

Every law enforcement agency and intelligence agency must have privacy/ethics officers within the agency to ensure that day-to-day operations do not violate ethics and privacy. The officer should also provide advice and guidance to officials on matters related to privacy and ethics. Many countries, including the US, UK and Germany, follow this system; for instance, in the US, the Office of Privacy and Civil Liberties is formed within the CIA, NSA etc.

  1. Due process: The process for approving the warrant has to be enhanced by adopting the judicial authorisation suggested in Query 3. The State agencies (both intelligence and law enforcement agencies) must obtain a prior warrant from the court to intercept communication.

  2. Oversight: The envisioned Data Protection Authority (DPA) of India under the upcoming Data Protection law must be empowered to oversee the operations of the law enforcement agencies and intelligence agencies. The DPA must have oversight of the policies, administration and operations of the various agencies subject to secrecy. But for this to be operationalised, Clause 35 of the Draft Personal Data Protection Bill, 2019 must be amended, as it empowers the government to exempt its agencies from the purview of the Bill.

  3. Liability: The agencies must be liable to the public by making the operations transparent through the Right to Information Act (RTI). The exemption to agencies under Section 24 of RTI must be amended to create gradations on the nature of the information to be disclosed after a period of secrecy.

  1. The Indian surveillance legal framework is archaic [Historically, in India, surveillance has been a right of the State to deploy intrusive measures against citizens with minimal checks and balances. A slew of colonial laws passed in the 19th century by the British allowed the Raj to monitor communications, be it postal or telegraph. These laws continued to exist with impunity until the Supreme Court intervened in December 1996 (PUCL case), passing specific guidelines as safeguards against illegal or excessive surveillance by the State.]. Since then the world has changed, technology has changed, and so have the techniques used for surveillance in India and the legal fabric (Puttaswamy Judgement I). This calls for an overhaul of the legal framework of surveillance to keep pace.

  2. The Indian surveillance legal framework came into existence when bulk surveillance barely existed and the discourse around privacy and surveillance was not well developed. Over time, the surveillance technologies, data processing and analytics tools at the disposal of the government have evolved massively, which has paved the way for extensive interception (intentional and unintentional). This development calls for revamping our existing legal framework for surveillance to take account of the evolving technological developments.

  3. Many jurisdictions have revamped/enacted surveillance legislation [For instance, in the UK, the government enacted the Investigatory Powers Act, 2016, which applies to intelligence agencies, to ensure powers and principles fit the digital age.] to cater to recent technological developments. India must draw on these jurisdictions and enact more comprehensive surveillance legislation for the country.

  1. The agencies must compensate them.

  2. The chief and designated officer of investigation must be suspended, pending investigation.

  1. The agencies must compensate them.

  2. The chief, designated officer of investigation, and competent approval authority must be suspended.

  3. Strict actions against other officials of the agencies involved must be taken.

  4. Individuals (or a group) must be able to appeal to the court for further investigation and to penalise the chief, the designated officer of investigation and the competent approval authority.

  5. In case of involvement of the review committee, the members of the committee must be subjected to investigation by the court.

  1. acts of hacking of computer systems, mobile devices, online accounts, telecommunication/digital networks, unauthorised access, technology backdoors, decryption of private records

  2. and to legal mandates to share information under intermediary or data processor’s obligations under intermediary rules and data protection laws,

  1. Due process: The process for approving the warrant must be enhanced by adopting the judicial authorisation suggested in Query 3. The State agencies (both intelligence and law enforcement agencies) must obtain a prior warrant from the court to intercept the information.

  2. Oversight & Liability: Parliamentary and judicial oversight mechanisms can be added to the existing rules and regulations of existing laws such as the Telegraph Act and the Information Technology Act. The envisioned Data Protection Authority (DPA) of India under India’s upcoming Data Protection law must be empowered to oversee the operations of the law enforcement agencies and intelligence agencies. The DPA must have oversight of the policies, administration and operations of the various agencies subject to secrecy. But for this to be operationalised, Clause 35 of the draft Personal Data Protection Bill, 2019 must be amended, as it empowers the government to exempt its agencies from the purview of the Bill. The approach taken in the Law Enforcement Directive (“LED”) in the EU deals with the processing of personal data by data controllers for ‘law enforcement purposes’ – which falls outside the scope of the GDPR. Although it is in the form of a directive, it has been embedded in domestic legislation across Europe. The LED regime only applies where the data controller is a ‘competent authority’ and the processing is done for ‘law enforcement purposes’. In short, a combination of specific legislation that governs the manner in which large-scale data collection and analysis is carried out for legitimate law enforcement purposes, along with an empowered Data Protection Authority, can serve as an effective oversight mechanism.

  3. Transparency and Accountability: The agencies must be liable to the public by making the operations transparent through the use of section 4 of the Right to Information Act. The exemption to agencies under Section 24 of RTI must be amended to create gradations on the nature of the information to be disclosed after a period of secrecy.

  1. Deploy end-to-end encryption (E2EE): As it stands right now, encryption does not apply to most phone calls, making them vulnerable to interception. E2EE messaging tools and applications are now used by at least 400 million users in India, which is 25% of the population. These are the first and, in many cases, the only line of defence.

  2. Re-energising the existing organisations and authorities: Existing structures such as the National Critical Information Infrastructure Protection Centre (NCIIPC) created under Section 70(A) of the Information Technology Act (amended) 2008 and the Computer Emergency Response Team-INDIA (CERT-IN) created under Section 70(A) of the Information Technology Act (amended) 2008 must be energised and leveraged to monitor and aid in improving cyber security. Further, modern intelligence and assessment frameworks, such as the STIX framework for threat intelligence and data sharing, should be encouraged for adoption by all.

  3. Create a national responsible vulnerability disclosure programme: Except for one programme run by NCIIPC, there are no government-led vulnerability disclosure programmes. The world over, there is recognition that cybersecurity is a shared responsibility between the State, the public and private sectors and the citizens. Such a programme will enable cybersecurity and information security researchers to share key data responsibly and also ensure a national database of all such threats that can be accessed by all key authorities.

  4. Updating the cyber security policy: National standards and an updated cyber security policy that take into consideration the swiftly changing landscape of cyber threats are needed, and can help improve both the response and the overall landscape in India. This will also introduce software, hardware and firmware standards that will vastly improve India’s cybersecurity posture.

  5. Building global alliance and databases: While there are alliances and databases already existing to share threat intelligence (a site like virustotal.com offers a comprehensive database of malicious code)

  1. The Technical Committee should be expanded and its work should carry on beyond the Terms of Reference. The continuing work should look at building databases to study:

a. Efficacy of surveillance in national security

b. Audit ongoing surveillance and establish how much of it ends up in courts for prosecution

  2. Those tasked with surveillance (institutions/personnel/individuals) during the period when Pegasus was allegedly deployed should be asked to provide sworn affidavits on its purchase, use and targets.

  3. The secret audit of some of the organisations empowered to carry out surveillance by the Comptroller and Auditor General (CAG) of India should be accessed for the same period and examined.