After 26/11 Mumbai Attacks, India Has Weaponised Economic Transactions for Mass Surveillance

The tragedy in India is that an external threat to security has seen the state weaponise all forms of governance systems against its own citizens. 

India is rapidly digitising. There are good things and bad, speed-bumps on the way and caveats to be mindful of. The weekly column Terminal focuses on all that is connected and is not – on digital issues, policy, ideas and themes dominating the conversation in India and the world.

Fifteen years after the 26/11 Mumbai attacks, we remember the collective horror and loss that the nation suffered that day. But that day also marks the beginning of a chain of events that has pushed India towards a surveillance state. India’s war on terror has come at the cost of democratic institutions.

The Indian government is in a constant state of war, an economic war that it has waged against its own population, forcing them to forgo their democratic rights for national security. It is not very different from what the US did after 9/11, where it forced biometrics on the people and weaponised its hold on the global economy.

 The US forced the international banking industry to cooperate with its global surveillance measures in the fight against terrorism. This agenda was extended through multilateral bodies like the Financial Action Task Force.

The Prevention of Money Laundering Act (PMLA), which became active in 2005 and was amended later in 2009, brought a regime of anti-money laundering (AML) and counter-terrorist financing (CFT). The FATF’s Mutual Evaluation Report of India (MER) in 2010 details the emerging landscape of economic regulators and financial intelligence organisations set up to address issues of counter-terrorism.  

The PMLA and Unlawful Activities (Prevention) Act (UAPA) went through further amendments in 2012 to address the issues raised in the 2010 MER report. One direct consequence of this regime has been the usage of these laws against non-profit organisations, as a shadow report compiled by civil society groups and released ahead of the upcoming MER says. 

The AML/CFT regime forced the ‘Know Your Customer’ (KYC) procedures on citizens, powered by Aadhaar. It prompted them to link all bank accounts and a host of economic transactions regulated by the RBI, SEBI and insurance regulator Insurance Regulatory and Development Authority (IRDAI) under the PMLA. While the Supreme Court of India in Puttaswamy vs Union of India restricted Aadhaar linking only to bank accounts, it was virtually overturned through the PMLA rules and the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020. 

While KYC laws and regulations existed even before the 26/11 Mumbai attacks, what changed is the centralisation of this information through digitisation. Paper-based KYC was a decentralised form of information storage, where only the local branch office maintained the details. With digital KYC powered by Aadhaar, there is a centralisation of financial information at bodies like the Financial Intelligence Unit (FIU)

The FIU’s FINNet portal has details of KYC formats for economic transactions by banks, insurance companies, mutual funds, brokerage firms, exchange houses, money transfer services, casinos and a host of other institutions, including the postal department. All this information is shared with other law enforcement agencies. 

While it may seem like the centralisation of transactional information is not dangerous, it needs to be seen contextually of existing payment instruments like FASTag and upcoming ones like the National Common Mobility Card. FASTag allows vehicle drivers to pay road tolls through a cashless mechanism but also allows the government to track the individual’s movements. Choosing not to use FASTag and instead paying with cash will require the individual to pay twice the toll. A voluntary system that was meant to improve toll traffic has now been weaponised and forced on every vehicle.  

The National Common Mobility Card is a new unified and centralised payment system that can be used on any metro or bus service. Common mobility cards exist in other countries but what is different here is to get the card, one has to carry out a KYC process. This links identity to payments, allowing the state to monitor people’s travel movements. The private sector, which will issue these payment instruments, is happy to crawl when asked to bend for national security. 

If a KYC-linked payment instrument is made mandatory for travel, it will help create mass surveillance. A level of surveillance already exists with FASTag and Digi Yatra for road and air travel, while a similar system is planned for railways. The surveillance of travel patterns of the entire population of a billion people will require a huge amount of resources.

A KYC-enabled SBI RuPay National Common Mobility Card. Photo: By arrangement

A cashless society is seen as a utopian society where payment hurdles are removed through instruments like the UPI. But in reality, it is also creating a police state – with all monetary transactions recorded and shared with law enforcement agencies. These agencies are using their newly acquired powers to freeze the bank accounts of people for merely receiving payments from unknown people who may be involved in cybercrime offences. The US weaponised AML/CFT systems to block access to US banks for any bank or organisation that is financing terrorists. This model is being applied in India to cyber fraud. 

The UPI specification itself is being modified without being disclosed to allow sharing of phone numbers through transactions. UPI specifications track the geo-location of the payment transaction, revealing more information about the nature of payment and its location. This also allows the surveillance state to track an individual based on his economic transactions. 

Financial surveillance is not limited to counter-terrorism financing but extends to tax surveillance. As I write this, my PAN card has been blocked for not linking it to Aadhaar, for not caving in to the state’s carrot and stick strategies that have been forced on the population relentlessly for more than 15 years. The cancellation of 11.5 crore PAN cards is yet another weaponisation of this economic instrument. 

These provisions of AML/CFT KYC norms are visible in a host of payment instruments, banking instruments and infrastructures that have emerged post-2008, including Aadhaar Enabled Payment Systems, Direct Benefit Transfer, Aadhaar Payments Bridge, UPI, FASTag, National Common Mobility Card, Account Aggregators, Public Credit Registry and several other financial information systems. These infrastructures that have been built with close cooperation with the Indian software industry have helped the private sector reap profits and created surveillance instruments for the state. 

These economic instruments provide no privacy or anonymity. They pose a direct threat to civil liberties due to the increased ability of the surveillance state to track all forms of monetary spending. While the US similarly weaponised its control over the global economy, it did not weaponise these systems against its own citizens. As a foreigner, I can travel within the US without disclosing my identity to the transit agency. But in India, I might not be able to do that in the near future. The tragedy in India is that an external threat to security has seen the state weaponise all forms of governance systems against its own citizens. 

The US-India strategic cooperation after the Mumbai attacks pushed for a series of changes in how India surveils its own population. This cooperation is being further extended through the US-India digital development partnership, which will help export these models and surveillance solutions to other low and middle-income countries even as they continue to undermine our democratic systems.

Srinivas Kodali is a researcher on digitisation and a hacktivist.