Until It Shines Light on Nature of Mass Surveillance, India's Data Protection Committee Will Fail To Do its Job

The job of the committee of experts should be to provide insight and evidence on what is otherwise not accessible to those of us outside the government.

There has been occasional media speculation that the existing mechanism to authorise surveillance is heavily abused in India, that illegal phone tapping takes place regularly and that the review committees are basically not functional. Credit: Reuters/Dylan Martinez

At the core of the privacy debate, is the ability of the state to conduct surveillance on the lives of its citizens. This is a debate that predates Aadhaar, as evidenced by the early line of Supreme Court judgments on privacy, starting with Kharak Singh and extending to PUCL vs Union of India, where the state’s right to conduct surveillance, either physically or electronically, was challenged.

The growing protests about Aadhaar and its ability to be used as a tool of surveillance, finally forced the government to setup the committee of experts headed by Justice Srikrishna to propose a new data protection law.

Given the above context, it is rather surprising that the white paper barely dips its toes in this very contentious issue. The white paper merely describes, in brief, the existing process for conducting surveillance under the Telegraph Act and the Aadhaar Act before concluding that any data protection should have an exemption for national security and criminal investigation and, that “any such exemption should be subject to strict safeguards, such as, a judicial mechanism to provide prior approval invoking such a clause…”.

There is no discussion in the whitepaper of the scale of surveillance, the controversies in the past or even the entire legal framework for surveillance. For example, after the infamous Gujarat snooping controversy, in 2014, the central government released a new “Standard Operating Procedures (SOP) for Lawful Interception and Monitoring of Telecom Service Providers”.

As per the Hindu, these SOPs, allow nine central agencies – “namely, the IB, the NCB, the DE, the CBDT, the DRI, the CBI, the NIA, RAW and the Defence Ministry — State Directors-General of Police and the Commissioner of Police in Delhi”, to order surveillance. These orders are then subject only to an “in-house” review mechanism consisting of more bureaucrats and never the subject of judicial review. One of the issues that apparently necessitated the creation of the SOP was the issue of federalism and whether a state police can tap the phone of persons not within its jurisdiction and travelling or resident in other states. This is a tough issue in the surveillance context and will hopefully be examined in more detail by the committee. There is no discussion on any of these issues in the whitepaper.

More importantly, we should remember that in India there is a huge gulf between what the law states and how it is actually interpreted by the bureaucracy. There has been occasional media speculation that the existing mechanism to authorise surveillance is heavily abused in India, that illegal phone tapping takes place regularly and that the review committees are basically not functional. Some facts do appear to back this speculation. One particularly startling revelation by Reliance Communications, before the Supreme Court, was that it had received orders for tapping over 1.51 lakh phones between 2006 and 2011. The Times of India speculated that if other telecom service providers were receiving similar orders then it was very likely that over 100,000 phones were being put under surveillance every year. Telecom operators have little room to manoeuvre because the telecom licences issued by the government required them to comply with such requests and threaten massive fines for non-compliance.

Also read: Should States Have the Power to Enact Their Own Data Protection Laws?

The other form of surveillance, which although not as intrusive as tapping a phone, is the use of metadata such as location data or IP addresses. For example, the police can determine the location of a person by asking the telecom service provider to triangulate the location of the mobile phone using cell phone towers or by securing details of the internet protocol of an email account. The Centre for Internet and Society, has extensively documented the manner in which IP addresses have been used by police forces in criminal investigations. While there is no doubt that these capabilities make it easier to investigate crime, such tools can be a double-edged sword that can be abused.

An interesting, and terrifying example of such surveillance is the manner in which the Hyderabad Police tracked down a former employee of GVK Bio who turned whistle blower. This whistle blower had used an anonymous email account from a cyber café to send out an email to international regulators and also GVK Bio. The company suspected that the whistle-blower was its former employee. To confirm its suspicion, it filed a complaint with the Hyderabad police, which then apparently got the IP address of the cyber café from Google and then co-related the location of the cyber café with the location of the whistle blower’s mobile phone at the time the email was sent, by procuring the required metadata from the telecom service provider. Once it had the required data, the whistle blower was arrested and criminal proceedings were initiated against him. This account of events is based on the disclosure in a report of the French drug regulator ANSM which had investigated GVK Bio – the final report is a publicly available document and has already been discussed earlier on The Wire.

There is little discussion in the whitepaper of these different modes of surveillance and the manner in which the state has been employing such surveillance tactics against the state.

The committee of experts needs to get its hands dirty

A whitepaper, by its very definition should provide an authoritative account of a particular issue. The whitepaper issued by the committee of experts fails in this respect because it provides us with little information on how the system has been working so far, especially in context of new agencies and surveillance programs like the National Technical Research Organization (NTRO) and the Central Monitoring System (CMS), both of which appear to be designed for mass surveillance.

Cables and computers are seen inside a data centre at an office in the heart of the financial district in London, Britain May 15, 2017. Credit: Reuters/Dylan Martinez

The other form of surveillance, which although not as intrusive as tapping a phone, is the use of metadata such as location data or IP addresses.. Credit: Reuters/Dylan Martinez

Explaining the existing law on the position can be done by anybody – the job of a ‘committee of experts’ is to provide us an insight based on empirical evidence that is otherwise not accessible to those of us outside the government. Such evidence is absolutely necessary for us to understand the reality of how surveillance is being conducted in this country because it is the intelligence and police agencies which have been the biggest opponents of an earlier push by the government to enact a privacy law.

Some of the basic information that may have helped us understand the issue better, is the frequency of surveillance requests made to the home secretary at the Centre and various states, the number of request subject to rejections, the number of requests made for the purpose of national security, the number of requests made for ordinary criminal investigations, the number of requests by tax authorities, the workings of the review committees and the instances where unauthorised surveillance has been punished by the government.

The committee needs to put this data forward because we need to know how the existing system has been working before we design and debate a new policy. In all likelihood the biggest critics and opponents of the committee’s final recommendations are going to be bureaucrats from the vast internal security apparatus in this country who are going to resist any attempts to curb their powers. It will help to have facts in hand to rebut any potential pushback or criticism.

Also read: Does India Need Only One Data Protection Law and Regulator to Rule Them All?

Equivalence between virtual surveillance and read world surveillance

The other issue that the committee needs to take care of is the discord between its proposed model or prior judicial warrants for electronic surveillance and the existing mode of physical raids by the Income Tax Department and Enforcement Directorate (ED) without any judicial warrant.

As of now, the Income Tax Department and ED are not required to procure judicial warrants from judges in order to conduct a raid on any premises. Officers authorised by the government can grant permission for raids. On the other hand, the Central Bureau of Investigation (CBI) is bound by the Code of Criminal Procedure, 1973 and is required to procure search warrants to be issued by a judge (although there are exceptions). This is perhaps one of the reasons that central governments prefer using the Income Tax Department or ED to conduct raids against political enemies. In an ideal world we should not have a different system of rules for electronic surveillance and physical surveillance because if a bureaucrat is denied a warrant by a judge for electronic surveillance, chances are that he will use a legal framework like the Income Tax Act to raid the premises of a target and simply seize all the records and data on the premises and computers.

While I understand that the committee’s mandate does not extend to physical raids or physical surveillance, it should at the very least point out to the government the need to amend existing laws to maintain a balance with a future privacy law that will require judicial sanction prior to surveillance by the state.

Prashant Reddy T. is an assistant professor at the National Academy for Legal Studies and Research (NALSAR), Hyderabad and is co-author of Create, Copy, Disrupt: India’s Intellectual Property Dilemmas (OUP).