“Even though there is some equivocation in our judgements, I am going to take the maximalist position and say that the ‘necessity’ has been defined as necessary in a democratic society, one that respects the privacy of communications,” said Prasanna S, an advocate, on whether the demand for traceability meets the Puttaswamy proportionality test. “In this case, the question would be whether in such a society, the state can effectively order and establish a regime where corporations and non-state entities aid and abet state surveillance.” If traceability is challenged, the issue will be whether it’s a vision compatible with a democratic society, he added.
Prasanna S was speaking at MediaNama’s discussion on Intermediary Liability in Delhi on October 23. The discussion was conducted in partnership with Centre for Communications Governance at NLU Delhi, and with support from Google, Facebook, and Friedrich Naumann Foundation.
There’s an argument to be made that the demand for traceability will not pass the Puttaswamy proportionality test, and there’s an equally strong argument that it will, according to Sarvjeet Singh from CCG-NLU Delhi. After the Puttaswamy test of legitimate aim and suitability are passed, the necessity test determines if there’s a means to achieve the goal that is less restrictive on the right. In the case of traceability, the question would be if there is a way for the government to get the data, without breaking end-to-end encryption, Singh said. “Some people are saying that because there’s no other way to get the information about who the originator was, it [traceability] may just meet the proportionality test,” he said.
Even so, Prasanna S said that “the justification and proof that the demand for traceability demand is indeed the least restrictive means available has to come from the state”. “Where is the justification that this is the only way to achieve the objective, whatever it is?” he asked.
The Puttaswamy four-fold proportionality test:
- Legitimate aim stage: A court would simply see if there’s a legitimate aim to demand traceability as per restrictions placed on fundamental rights.
- Suitability or rationale connection stage: This will examine if there is a rational connection between the infringement on the right and the purpose of the restriction. “I assume that the government’s argument for this [demanding traceability] is that they want to trace criminals,” Singh said.
- Necessity stage: This will test if there is a less restrictive means, or equally effective alternative, of achieving the goal in terms of restrictions on the right. In a challenge to traceability, the question would be if there is a way for the government to get the data, without breaking end-to-end encryption, he explained.
- Balancing stage: Here, the benefit the state gains by restricting the right will have to be balanced with the impact of loss of the right. In this case, the balance will have to be struck between the government’s argument of national security and protecting the right to privacy of an individual, he argued.
“We’re in a regime where all other rights vanish once somebody mentions national security. If this passes Constitution, then we may as well not have a Constitution,” said Prasanna S. Shreya Singhal very clearly said that all the restrictions have to be based on Article 19(2), but the argument of national security has come up over the past year, and we don’t even know what national security means. “It’s not a legitimate ground under the constitution, at least I think, to restrict the rights,” Singh said.
Need for procedural safeguards
As of 2015, the Home Secretary was approving 5,000 interception orders from law enforcement agencies every month. In such a case, applicability of mind to every order is not possible, making the process arbitrary. In this situation, procedural safeguards become especially important “to maintain the sanctity of the constitution,” according to Shashank Mohan from SFLC.in.
Shreya Singhal had also challenged the constitutionality of Section 69A, which is a blocking provision, but the court had held that because it has procedural safeguards — even though the process isn’t very strong — we are not striking that down, Mohan explained.
Even in the Aadhaar judgement, the court recognised that there needs to be judicial review when information is to be shared in national security interest, Mohan said. “Court judgements have repeatedly recognised that you need procedural safeguards to infringe on fundamental rights. Even the Bombay High Court order on wire-tapping approves the jurisprudence in Puttaswamy,” he added.
What sort of procedural safeguards should exist?
1. An overhaul to bring in judicial oversight
“We need an institutional design safeguard, and bring in court oversight for every interception,” according to Suhaan Mukherji from PLR Chambers. “We have to look at a redesign with a court process in between. You could actually look at the probable cause standard in the U.S, where you need a warrant [for interception].”
Bringing in such a system will require an amendment of the Telegraph Act and corresponding amendments of the IT Act, he said, and this can not be done via Section 79 or any other rules. “You will need judicial oversight, with a dedicated independent judge in every district, because for systemic change you you have to put the right people and the right technology in place,” Mukherji said.
“The Bombay High Court’s judgement said interception can only happen in either public safety and public emergency, which is a very liberal interpretation of Section 5 of the Telegraph Act. Hopefully this will spur a relook at the system … Currently, the approval for interception at the federal level comes from a committee of the Home Secretary, Telecom Secretary, IT Secretary and the Law Secretary.” — Suhaan Mukherji
“We have an institutional anomaly as most of this procedure is administrative within the same institution, and the oversight of certain agencies always stops with the home secretary level,” Mukherji said. But the judicial oversight argument isn’t that you just change the current committee or add a judicial member, but that you change the entire system, said Sarvjeet Singh. “Maybe as other countries have, we can have a panel or a dedicated body just to look at the interception or surveillance requests,” he said.
2. An interface and audit mechanism for interception orders
Apart from judicial oversight, another step could be to create an interfacing mechanism where all interception or wire-tapping requests go through a single space to be audited, said Mukherji. “In the US, every interception request — unless the NSA is doing it — has an audit trail, even within the intermediary who is giving data,” he explained. “That’s why we had to come up with the Section 91 framework back in 2005, so they can show that we are meeting the quasi-judicial standard under the domestic act,” he explained.
“So this [change] would require a technology platform, a complete human resource shift, but it also requires resilience from intermediaries. If you’re buckling under because you don’t want to face the harassment of necessarily going through a lengthy trial, then I think the system breaks. So it will require users, intermediaries and everybody else to say that ‘we want the law applied’.” — Suhaan Mukherji, PLR Chambers
But we may be focusing on the wrong problem here. “When the Supreme Court laid down in PUCL that a Home Secretary or a Cabinet Secretary level officer has to approve interception requests,” explained Prasanna S, “the contemplation in the judgement was that the requests will be few and far between, such that a regime in which a Home Secretary clears it is a reasonable one,” he said.
“9,000 requests* a month is not contemplated under the regime, which means it’s prima facie unconstitutional. We need to be asking those questions as to why is there that there are 9,000 requests. It is not as to what is the regime that we will develop to service these 9,000 requests.” — Prasanna S, Advocate
*The Home Secretary was actually approving an average of 5,000 requests — and not 9,000 requests — per month, MEITY had revealed in Parliament in March 2015. The ministry revealed this in response to a question about whether it was approving 9,000 phone tapping orders per month. Hence, the confusion.
Is there any protection for anonymous speech in India under the Constitution?
Even though the right to anonymity in speech has not come to a court, it doesn’t mean that those protections don’t exist, according to Prasanna S. “We have a constitution even outside the court,” he said. The ICCPR (International Covenant on Civil and Political Rights) regime that specifically calls out privacy in communications has been upheld in Puttaswamy. Whether there’s a right to anonymity in published speech is a different issue. But when it comes to private communication, we have an unequivocal anonymous speech protection,” he said.
Law enforcement can procure information via Section 91 requests and other CrPC provisions wherein they get information from the people themselves, the accused, the people related to accuse, the people who co-habit with the accused, etc., wherein there’s still some autonomy preserved. “But when we ask intermediaries to keep collecting information and pass it to the state, it crosses the threshold of chilling effect.”
“When word got around that WhatsApp had the vulnerability where the Israeli intelligence group was able to exploit it, people switched to Signal. We recognised that speech is important, protected, and we want people to be able to freely communicate, and freely communicate over the internet. The Kerala High Court judgment has ruled that the internet is a fundamental right. To then have these traceability rules being passed, that chilling effect is manifestly unconstitutional.” — Prasanna S, Advocate
But intermediaries need to decide, and create an industry standard for anonymity, according to Mukherji. “If information [about users] is actually taken [from them], then it is very difficult under the CrPC for you [the intermediary] to not part with that information.” Therefore, we need to see if intermediary service providers will have to take all that information from the users, such as via KYC, as an industry standard.
Another issue to consider is if we want traceability to a particular action or conduct in the online space. “We need to be able to think whether the KYC is also something you need to look at from an industry standard. If you don’t have that then traceability will necessarily fall away or it will be far more difficult or it will end up being a device ID or something like that.”
Does traceability mean guilty until proven innocent?
“The Government yesterday made a claim in the Supreme Court that we need traceability because terrorists can’t have rights,” said Saikat Datta from Asia Times. This highlights that the jurisprudence is very strange in India, especially in cases of terrorism, where a lot of it is intelligence-led rather than investigation-led. A confession in front of a police officer, except in very exceptional laws, is not admissible in court, but interrogations are routine within the intelligence framework, he said.
“I have gone through hundreds of interrogation reports where the passwords, including who all are within that email, contacts, what kind of messages, everything is already there in the interrogation report, but all this is never going to show up in a court of law, or even be sighted as evidence. But it will be part of an investigation to frame or target others, etc.”
“But more importantly, you are also turning the jurisprudence on its head by getting ready to cast a bigger net, and sort of saying that people will be guilty until proven innocent. The government is using that as an excuse to net everybody in, in the hope that it will find the needle in the proverbial haystack.” — Saikat Datta, Asia Times