Last month, the Union government was forced to rescind an order requiring smartphone makers to preload a state-run cyber safety app on all devices after activists raised concerns about potential snooping. But last week, the same government reviewed a telecom industry proposal “to force smartphone firms to enable satellite location tracking that is always activated for better surveillance”.This decision reflects an appetite for surveillance that has surfaced recurrently in the policies of the governments headed by Narendra Modi in Gujarat as well as at the Centre, as evident from some of the information available via open sources.In Gujarat, the Modi government revealed its intention to resort to phone tapping soon after coming into power. In December 2001, three months after Narendra Modi was appointed chief minister, the Gujarat cabinet approved the draft of the Gujarat Control of Organised Crime (GujCOC) Ordinance and sent it for approval to the Government of India. The latter approved it – after some minor amendments in 2002 – but asked the state government to have it passed as a law in March 2003. It did so and in April sent the bill to the Union home ministry for presidential assent. The then BJP-led government of Atal Bihari Vajpayee returned the bill to the Gujarat assembly and asked the Modi government to remove two sections: the one which allowed phone tapping (in the original GujCOC bill, district collectors and police were permitted to intercept and record phone calls) and held that intercepted telephone conversations could be considered legitimate evidence, and also the section according to which a confession made before a police officer could also be considered as evidence. The original Bill was sent again to Pratibha Patil in 2008 – but once again, the Union government asked the Modi government to amend the text of the GujCOC, and once again Modi refused to oblige. After Narendra Modi became prime minister, his successor in Gujarat sent the same bill to Pranab Mukherjee in 2015, but he returned it too. In 2019, President Kovind finally gave his assent.In 2002, even though this practice had not been legalised, the Gujarat government asked Intelligence Bureau officers to tap phones of political opponents. On April 16, 2002, he instructed R.B. Sreekumar, the additional director general of police in charge of intelligence, to start tapping the telephone of Shankarsinh Vaghela who had just become the head of the Gujarat state Congress. This demand was reiterated on July 26, 2002.Subsequently, the Modi government was accused of having tapped the phones of other senior politicians, including Shaktisinh Gohil and Haren Pandya. The total budget for spying operations was no less than Rs 200 million in 2008, according to former BJP chief minister Suresh Mehta, who protested against what he regarded as a Big Brother-like state. In 2013, Gujarat police ‘obtained nearly 90,000 telephone-call data records (CDRs) of people and entities in three months’, something India’s intelligence agencies found intriguing.As is often the case in such political systems, politicians were not targeted alone. In 2013, the minister of state for home, Amit Shah, was ‘accused of misusing his powers and police machinery for illegal surveillance of a young woman in August 2009 ‘at the behest of his saheb’. These accusations resulted from the publication of a statement, before the CBI, of Gujarat IPS officer G.L. Singhal. He had handed over to the investigating agency 267 recorded telephonic conversations that revealed ‘how three key wings of the Gujarat Police – the State Intelligence Bureau, also known as CID Intelligence, the Crime Branch and the Anti-Terrorist Squad – misused their powers to stalk an unmarried young woman from Bangalore, who had her parents staying in Gujarat’.Illustration: Pariplab ChakrabortyFrom Pegasus to facial recognition and phone tappingThe Union government indulged in surveillance operations too after 2014. First, the accused in the Bhima Koregaon case were booked on the basis of evidence retrieved from their phones and computers after they had been infected by snooping software developed by an Israeli company – the NSO Group – which sells it only to government agencies. This software, called Pegasus, gives attackers control over the mobile device of the person targeted. WhatsApp – an application used by the attackers to break into phones – has sued the NSO Group, but the Indian government, which in the previous months and years had upgraded its collaboration with Israel in several technological domains, including artificial intelligence, has not commented on this affair.In fact, little investigations have been pursued in the Pegasus affair, which stands in stark contrast with what happened in many other countries where the number of infected devices was much smaller. In India, this spyware has been found in a record number of devices, including those of Rahul Gandhi, Prashant Kishor, Ashok Lavasa (former Election Commissioner), Alok Verma (former head of CBI), Siddharth Vadarajan (co-founder editor of The Wire), Umar Khalid (student activist) and close associates of the Dalai Lama. In parallel, the government of India had initiated a surveillance system by resorting increasingly to facial recognition. After the 2020 Delhi riots, Amit Shah, the new Home minister declared, “Police have identified 1,100 people through the facial recognition technology. Nearly 300 people came from Uttar Pradesh. It was a planned conspiracy.” How could the police know? It seems that “the footage procured from CCTV, media persons and the public was matched with photographs stored in the database of Election Commission and e-Vahan, a pan-India database of vehicle registration maintained by Ministry of Road Transport and Highways.” Gautam Bhatia points out that “such ‘dragnet’ screening is a blatant violation of privacy rights, as it essentially treats every individual like a potential suspect, subject to an endless continuing investigation.”Also read: Special | As AI Took Over Policing in Delhi, Who Bore the Brunt?This technique is more and more systematically resorted to by the government, as the Indian parliament has failed to enact a personal-data-protection law that would prevent the Indian government from using Aadhaar for facial recognition as well. The Supreme Court forced the Information and Broadcasting ministry to withdraw its proposal for social media monitoring in 2018, considering that if such a proposal were implemented, India would be “moving towards a surveillance state.” But in 2021, the government was still eager to develop a tool that would monitor social media users to identify their “sentiments,” track trends relevant to “government related activities” and which “may have adverse negative impact on [the] socio-economic fabric of society.” These words, which hark back to a truly authoritarian orthopraxy, come from the expression of interest that the I&B ministry has floated to empanel an entity to create such a tool. Even before such a tool has seen the light of the day, the authorities have already arrested a large number of social media users – including journalists – for messages or videos they had posted on Facebook or WhatsApp, including posts which were sometimes several years old.The limited interest in protecting privacy in India is evident from the Digital Personal Data Protection Act, that has been passed in 2023 after years of introspection resulting, finally, in the dilution of the initial bill. This DPDPA, in contrast to the EU’s GDPR is confined to digital personal data and is badly affected by two provisions: under Section 17(2) of the DPDPA, “the Central Government may exempt any instrumentality of the State from the application of the law on broad grounds such as sovereignty, security, integrity, public order, and preventing incitement. The Act does not provide for any independent oversight, necessity or proportionality tests, or judicial review of such exemptions”. In the same vein, the DPDPA’s Data Protection Board is not an independent regulatory authority: “under Section 19, the Central Government retains full control over the appointment of its members, as well as their service conditions and procedural rules”.The loopholes in the DPDPA explains that India failed the adequacy test that the EU systematically implements before allowing the transfer of personal data – a limitation which is likely to complicate the finalisation of some aspects of the India-EU FTA. But this is nothing compared to the implications for citizens of the current making of a surveillance state in India. Christophe Jaffrelot is Senior Research Fellow at CERI-Sciences Po/CNRS, Paris, Professor of Indian Politics and Sociology at King’s College London, Non resident Scholar at the Carnegie Endowment for International Peace and Chair of the British Association for South Asian Studies.Note: this article partly draws from two of Jaffrelot’s books:Modi’s India – Hindu Nationalism and the Rise of Ethnic Democracy, Princeton Nj., Princeton University Press and Chennai, Westland, 2021. Gujarat under Modi. Laboratory of today’s India, Hurst, London, New York, Oxford University Press and Bangalore, Context, 2024.