New Dehi: The Narendra Modi government’s quiet notification on Thursday night, authorising ten central agencies to snoop and decrypt “any information generated, transmitted, received or stored in any computer”, has raised a storm over a debate that has never really taken place in India.
A debate over the nature of targeted government surveillance.
In India, major intelligence agencies like the Intelligence Bureau (IB) and the Research Analysis Wing (RAW) operate without legislative or parliamentary oversight. The system as a whole churns out tens of thousands of tapping orders every month, and in states like Uttar Pradesh, local police resort to thumbing through thousands of call data records to track minor crimes.
The lack of a data protection framework only worsens the delicate balance between fundamental rights and the need for government surveillance.
What questions should India be asking about the Modi government’s notification and the larger system of surveillance? The Wire breaks it down.
1) Are the new snooping orders something the NDA-II government has conjured up out of thin air?
The order from the Ministry of Home Affairs gives force to a piece of regulation that was passed by the UPA government in 2008 and 2009.
Responding to the notification, Congress leader P. Chidambaram said that the authorisation of electronic snooping would destroy the “structure of a free society”.
Communist Party of India (Marxist) leader Sitaram Yechury called it a “blatant violation” of the Supreme Court’s recent judgement granting the constitutional right to privacy to all Indians.
But the fact is that the underlying legislation – amendments made to the Information Technology Act, 2000 – was passed 10 years ago by a Congress-led government that was supported by the Communist Party of India (Marxist).
These amendments were passed in parliament without debate, or any major protest from opposition parties like the BJP.
2) If the underlying legislation was passed over 10 years ago, what does the new order do?
In India, the Central and state governments can snoop on citizens in a targeted manner and intercept information using two different legal mechanisms.
The first is through the Indian Telegraph Act – specifically Section 5(2) and Rule 419A of the Indian Telegraph (Amendment) Rules, 2007.
The second is through amendments made to the Information Technology Act in 2008 and 2009. The two relevant parts are Section 69 and Rule 4 of the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules.
Each legislation allows different types of information to be intercepted, collected, monitored, or decrypted – and enables snooping in different manners in different conditions.
Broadly speaking, the Telegraph Act deals with traditional phone calls and associated communication, while the IT Act deals with electronic information. With recent leaps in technology, however, the points of difference between both sets of regulation are quite fuzzy.
Importantly, both sets of rules have a list of authorised agencies that can carry out the snooping or receive the ‘product of surveillance’ (the information). The Telegraph Act’s list of ten authorised law enforcement agencies can be viewed here.
On Thursday night, the Modi government released a very similar list of agencies that could be authorised under the amended parts of the Information Technology Act.
3) Does the new order increase the surveillance or snooping ability of a handful of law enforcement agencies?
This is less clear, and there are a few differing opinions.
Under the Telegraph Act, even authorised agencies like the Intelligence Bureau or the Enforcement Directorate need approval or an order from the home affairs secretary, or in the case of a state, the secretary in charge of the home department. All tapping orders are examined by a review committee after the fact, although the efficacy of this process has been criticised.
The Modi government insists that the same process applies to electronic snooping under the IT Act, and therefore applies to the agencies that were notified in the circular on Thursday night.
Legal experts like Pranesh Prakash, an affiliated fellow at the Yale Law School’s Information Society Project, broadly agree and believe that the new order “doesn’t expand the powers of those agencies to snoop without authorisation” from the home secretary.
Other legal and tech policy analysts disagree. Raman Jit Singh Chima, Asia Policy Director at Access Now, says that Rule 4 of the Information Technology Rules allows this process to be circumvented.
Also Read: India Gears Up to Defend Internet Rights Regime as it Operationalises Mass Surveillance Project
“Actually, the current notification and the Section 69 rules do not require Home Secretary pre-approval. Rule 4 allows it [interception and decryption powers] to be delegated and once delegated it would not come back to them unless they [the home affairs ministry] review and withdraw,” Chima told The Wire.
In a blog post on Friday, however, finance minister Arun Jaitley wrote, “An interception or monitoring is only authorised under an [sic] specific approval of the Home Secretary. It can only be in cases which deal with the purposes mentioned in Section 69 of the Act. These are restrictions on which free speech can be curtailed under Article 19(2) of the constitution.”
This is a crucial debate, as it dictates how agencies can legally engage in targeted surveillance of electronic information. It will also be revealing of how the current BJP government views the privacy of its citizens vis a vis their right to privacy.
4) Why did the Modi government choose now, the end of 2018, to authorise a list of agencies for electronic snooping under the IT Act?
The notification is a puzzling development, four years after this government came to power, and nearly 10 years after the underlying regulation (Section 69) was put into the broader IT Act.
As Prakash noted, the fact that this list of authorised agencies was notified on Thursday implies that any “usage of interception and monitoring devices under S 69” by these agencies until today would have been “invalid” and “without legal authority”.
On television debates, the BJP’s spokespersons have insisted that the rules were notified in order to streamline the process and in fact, to make it more supportive of personal rights and liberties.
A government press release issued on Friday evening also underlines this point. It says that the new order prevents “unauthorised use of these [surveillance] powers by any agency, individual or intermediary”. If this is the correct legal interpretation, then it raises the question of what has been happening over the last ten years.
Also Read: Yogi Government Trawled 10,000 Phone Records to Catch ‘Potato Dumping’ Protestors
5) Should the debate stop here? What reform should India’s targeted government surveillance undergo?
The political quibbling in the Rajya Sabha on Friday only shows that both the BJP and the Congress need to step up. As multiple legal experts noted, Section 69 of the IT Act should never have been passed without debate. More than likely, it is unconstitutional.
Beyond this, more light needs to be shed on how the Centre and state governments engage in targeted snooping. There is plenty evidence to show that the review committee process is often overlooked or else downright impossible to properly implement with the number of tapping orders that are issued on a monthly basis.
Also Read: Mastering the Art of Keeping Indians Under Surveillance
In February 2014, the minister of state for home affairs R.P.N Singh admitted in the Lok Sabha that “incidents of physical/electronic surveillance in the States of Gujarat and Himachal Pradesh, and the National Capital Territory of Delhi, allegedly without authorisation, have been reported”.
In response to a question, Singh noted that the Cabinet had approved a proposal to set up a “commission of inquiry” to look into these incidents. It’s not clear what happened to this inquiry.
Finally, legal experts say that following the recent right to privacy and Aadhaar judgements, and comments made by the Srikrishna data protection committee, India’s surveillance practices are quite possibly unconstitutional. Legal and parliamentary oversight is the way forward.