Civil society groups aren’t happy about the Indian government’s astonishingly vast surveillance powers—and they’ve gone to the Delhi High Court to say why. There are two demands on the table. First, the government should stop its alleged “dragnet surveillance” of Indians and respect privacy rights. Second, an independent authority should be set up to review the government’s requests to surveil its citizens.
What did the government do now? The case is largely centred around three surveillance systems—the Centralised Monitoring System (CMS), the Network Traffic Analysis (NETRA) and the National Intelligence Grid (NATGRID). These databases have been around for years, and they collate all sorts of information on citizens to help law enforcement agencies track and prevent crimes.
Isn’t the government just doing its job? Well, yes. Protecting people from crime is important. The problem is the Indian government is allegedly collecting information willy-nilly to do that. At best, you’re being surveilled for a while or just in limited cases. At worst, you’re being surveilled non-stop. That’s what the petitioners are worried about.
The government is “conducting surveillance excessive of a legitimate state aim for reasons beyond what is prescribed by statutory law; without resorting to ‘lesser intrusive means’ (..); indulging in blanket monitoring of all communication systems without resorting to a specific choice of communication surveillance; and disproportionately without judicial oversight,” reads the public interest petition jointly filed by the Centre for Public Interest Litigation (CPIL) and Software Freedom Law Centre (SFLC) in 2020.
STAY ON TOP OF TECH POLICY: Our daily newsletter with top stories from MediaNama and around the world, delivered to your inbox before 9 AM. Click here to sign up today!
Why does this matter? Alongside violating rights to free speech and equality, the petitioners argue that the government’s actions violate our fundamental right to privacy—which was upheld by India’s Supreme Court way back in 2017 in Puttaswamy v Union of India. As the Court noted back then, privacy matters because:
“Every individual is entitled to perform his actions in private. In other words, she is entitled to be in a state of repose and to work without being disturbed, or otherwise observed or spied upon. (..) Privacy must also mean the effective guarantee of a zone of internal freedom in which to think.”
While the Court was okay with the government surveilling people for legitimate interests, it said that that could only happen with a law in place to justify the privacy intrusion. The intrusion would also have to be in “pursuit of a legitimate state aim” to prevent arbitrary surveillance. Finally, the intrusion would have to be proportionate to that aim—only surveil as much as you have to.
And where’s that privacy law? “There is no law governing such profiling and the entire population is at the mercy of the Government,” said the petitioners in 2020. Two years later—and more than five years after Puttaswamy—not much has changed. India still doesn’t have a data protection law in force. Some argue that the latest draft released last year actually dilutes privacy for citizens. For example, it gives the government very broad powers to access any data it wants with little safeguards against misuse. In some cases, the draft also allows the government to process data citizens have provided for other tangential purposes!
In the interim, citizens are left legless against pervasive government snooping (think: Pegasus too)—which is why the petitioners want this “dragnet” government surveillance to stop in its tracks. “There exist no provisions of law whereby users are notified when their communications are subjected to surveillance, and no distinction is made between situations where such notification would defeat the purpose of surveillance and otherwise,” argue the petitioners. “By extension, users also lack the ability to appeal the decision to conduct surveillance of their communications. (..) Thus, it is entirely possible in the present scenario for the bulk of a user’s communications to be subjected to extensive surveillance leaving him/her completely unaware.”
Is all of this really happening without any pushback? To be fair, the Indian government does have some review committees in place to review requests to surveil citizens. But, these committees are often staffed by public servants—which the petitioners think compromises their ability to fairly review such orders. The result: orders might be blindly approved, violating the limited intrusions on privacy mentioned in Puttaswamy.
“When provisions of law stipulate systematic review of any activity capable of causing harm in the absence of oversight, it logically follows that fairness of review cannot be guaranteed in the presence of conflicting interests,” drily observe the petitioners. Hence, the demand to appoint an independent oversight authority—whether judicial or parliamentary—to “authorise and review interception and monitoring orders/warrants” issued under the Telegraph Act, 1885, and the IT Act, 2000.
What next? The case is currently being heard at the Delhi High Court—here‘s a round-up of everything that’s happened in court over the last two years. The last we heard, the Indian government is set to reply to the petitioners’ allegations soon.
Everything you need to know about these three “dragnet” surveillance systems
All ears: The Centralised Monitoring System
The down low: In late 2009, the government announced a proposal for a “Centralised Monitoring System” (CMS) that’ll monitor communications across mobiles, landlines, and the Internet in India. Why: because it’ll strengthen India’s “security environment”.
The fine print: More importantly, with CMS, law enforcement would “no longer need to approach telecom/Internet service providers on a case-by-case basis to retrieve intercepted information”, which was otherwise earlier mandated by the Supreme Court. The system allows law enforcement agencies to directly wiretap communications, increasing surveillance, added the petitioners.
To prove their point, they alleged that between 7,500 to 9,000 tapping orders were issued by the Indian government every month in 2014—indicating that orders were “mechanically issued” based on law enforcement requests.
To support these activities, CMS’ features included:
- Central and regional databases to help law enforcement agencies intercept and monitor communications;
- “Direct Electronic Provisioning” of desired numbers by the government without telco intervention;
- The ability to create filters and alerts for targeted numbers;
- Analysis and data mining of “Call Data Records” to continuously upgrade the “speculative profiles” CMS was building.
The fall-out: “While the interception process under the CMS is claimed to be governed by the procedure laid down by Section 5 of the Indian Telegraph Act, 1855 read with Rule 419A of the Indian Telegraph Rules, 1951, the fact that the CMS is capable of Direct Electronic Provisioning of target numbers runs foul of said procedures since it dispenses with the chain of command involving manual elements such as nodal officers meant to authorize interception requests,” allege the petitioners. “These mechanisms are prone to abuse and can be used to target non-threats to national security such as lawyers, human rights activists, social workers, journalists etc.”
All eyes: NETRA
The return of national security: Network Traffic Analysis (NETRA) was developed by the Defence Research and Development Organization. Its job: to monitor the Internet and flag when words like “attack”, “bomb”, “blast”, or “kill” were used. To do that, NETRA’s storage servers—called ‘nodes’—were installed with Internet Service Providers across 1,000 locations in India, with a total capacity of 300 TB.
And the rise of dragnet surveillance: “NETRA will essentially be a dragnet surveillance system designed specifically to monitor the nation’s Internet networks,” allege the petitioners.
Everything, Everywhere, All At Once: NATGRID
Bringing 21 databases together: The National Intelligence Grid NATGRID is a public-private counter-terrorism initiative—which aims to analyse 21 government databases to “detect terrorist activity, and pre-empt attacks or find the perpetrators”. Information up for grabs includes tax details, train itineraries, and immigration records. That information comes from airlines and telcos, among others, a 2011 RTI revealed.
It’s pretty clear why this is concerning: “The collection and aggregation of metadata of an individual’s various transactions including communication, financial and travel information will result in a real time profiling of the entire population,” argue the petitioners, while also having a chilling effect on their free speech. “The more metadata government collects and analyses, the greater the capacity for such metadata to reveal more private [and] previously unascertainable information about individuals.” Things that could be revealed: the charities a person supports, the kinds of relationships they’re in, and their political leanings.
To add insult to injury: Shortly after that 2011 RTI, NATGRID was placed outside of the RTI Act’s purview, say the petitioners. Now, it’s difficult to figure out key things about the system: such as what its procedural safeguards or interception standards are, and how it prevents the misuse or leak of collated data.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also Read:
- Pegasus Petition In SC By Journalists Rupesh Singh And Ipsa Shatakshi Calls For Judicial Oversight Mechanism
- How Pegasus Surveillance Changed Rupesh Kumar Singh And Ipsa Shatakshi’s Lives
- DPDP Bill, 2022: Government Once Again Given Broad Powers To Exempt Itself From Provisions Of Law
- Deep Dive: How The Data Protection Bill Enables Govt Surveillance And Misuse Of Personal Data
- MeitY’s Review Committee Hasn’t Revoked A Single Section 69A Order Since 2009, RTI Reveals
