Attacks like 9/11 and 26/11 shock the conscience of our societies and states—it is against the backdrop of such attacks that governments tend to ramp up their surveillance regimes. For example, the American government hastily passed the Patriot Act within 45 days of 9/11—it needed more intelligence to protect the US, was its claim. In these cases, government action in the form of heightened surveillance appears necessary to tackle extremism, and is supported by public sentiment—and so, such laws get legislated.
Such state surveillance laws come in handy especially in the digital age—they provide the government with access to vast varieties of coordinated digital information that make solving legal issues easier. Beyond extremism, surveillance regimes help tackle the proliferation of child sexual abuse material, online drug trade, hate speech, and fake news spewing across online platforms.
To this end, states—including India—have also demanded on multiple occasions that the companies ensure that conversations over encrypted platforms can be intercepted and decrypted for law enforcement purposes.
Encryption converts our personal information generated online into gibberish, so even if the information is intercepted, it cannot be interpreted by the perpetrator. As we dealt with in our previous article, for users of the Internet, encryption is our first line of defence against any cyber threat. It is crucial to ensure privacy, free speech, and to ensure that our goods and services are competitive and secure in the global market.
Furthermore, breaking encryption protocols renders surveillance more difficult. Once tech-savvy criminals get a whiff that a platform is compromised, they often simply download a secure encrypted platform, which is freely available on the Internet. And so, Law Enforcement Agencies (LEAs) will lose crucial information which platforms earlier shared with them. All they will have in hand is a haystack of data to sift through in order to find a needle (actionable information).
So, there’s a Catch-22 here: should the privacy of all the citizens of a country be rendered susceptible to cyberattacks, in order to catch a not-so-smart criminal? This is not to say that the LEAs’ demands are unjustified. There exists a legitimate State interest, whether in India or otherwise, to protect the nation-state from internal and external threats. But, is there a privacy-enabling method of achieving this end of national security? Is India anywhere close to adopting one?
To understand this trajectory, it is crucial to declutter how the three wings of the State approach the State’s surveillance requirements, and interact with the encryption debate at large. Even though privacy has been declared a fundamental right by the Supreme Court, when it comes to the actions of the legislature and executive, the road to ensuring privacy is a long one.
The Legislature: The Role of the Lawmakers in Shaping Surveillance Regimes
Though we do not have a specific Act on surveillance in India, legislators such as Baijayant Panda of the Bharatiya Janata Party have recommended a Chapter on Surveillance in their Private Member Bills on data privacy and protection.
In the absence of specific laws, the surveillance regime in India is primarily governed by Section 5 of the Indian Telegraph Act, 1885—which empowers the State to intercept calls—and the Information Technology Act, 2000 (IT Act)—which gives the State the power to access or intercept data. Under the said acts, the Central government has the power to make rules with regard to specific provisions.
Utilizing this power, the government introduced the IT (Intermediary Guidelines) Rules 2011, which empowered it to regulate Internet platforms. However, in order to seek wider control over platforms like Twitter, Google, and WhatsApp, the Draft IT (Intermediary Guidelines) Rules 2018 were formulated to mandate a traceability requirement—this entails that online platforms will be bound to share the contents of users’ personal messages with LEAs.
Child Pornography Racket Case: CBI probe revealed that the WhatsApp group had 119 members from 40 countries. Maximum members were from India, followed by Pakistan and then USA. Forensic examination of electronic gadgets is being done by C-DAC Thiruvananthapuram.
— ANI (@ANI) March 13, 2018
The government seeks to bring in these Rules with the intention of curbing the proliferation of child pornography and ensuring online safety. After two rounds of comments via public consultation, the government has gone back to the drawing board, and might come up with a new set of regulations post-enactment of a data protection law.
However, research by The Dialogue has evidenced that similar legislation in the US leads to unreasonable restrictions on the human rights of American citizens. Even UNICEF in a recent report discussed why encryption is ironically crucial to ensure ‘child safety’ in the digital ecosystem.
More importantly, the main challenge to this law is that traceability, by its very nature, cannot be introduced in end-to-end encrypted platforms. The only way to achieve this is to introduce a vulnerability in the security architecture of the platform which would render all its users vulnerable and violate their right to privacy. Moreover, if an Indian citizen chats on an encrypted platform with a German citizen, then such a law would also violate the privacy of the German citizen—not to mention international human rights law as well.
On a similar note, the Government vide Clause 35 of the Draft Personal Data Protection Bill, 2019 (Draft PDP Bill) retains sweeping powers to restrict the right to privacy of all citizens. This is despite Clause 24 of the PDP Bill reiterating the importance of encryption technology to secure user privacy and data integrity.
This unchecked power again creates challenges in meeting the adequacy standards envisaged under the American CLOUD Act and the EU GDPR. Aligning with these standards is crucial for seamless cross border data flow and the growth of our IT and IT-enabled services sector.
The Executive: The Increasing Role of Bureaucrats in State Surveillance
Laws are enforced by the executive, via a pool of expert bureaucrats. In 2009, under the IT (Procedures and safeguards for Interception, Monitoring and Decryption of Information) Rules 2009, only a competent authority could issue an order for surveillance. This competent authority was the Union Home Ministry or the State Secretaries in charge of Home Departments.
However, in 2018, the central government extended these powers to 10 more Central agencies, including the Central Bureau of Investigation, the Enforcement Directorate, the National Investigation Agency, the Research and Analysis Wing, and the Narcotics Control Bureau. This decentralises the power of conducting surveillance and might lead to superfluous orders from various agencies.
To curb this, both the Indian Telegraph Act, 1885 and the Information Technology Act, 2000 envisage executive oversight over these surveillance orders, along with a review mechanism. However, RTI disclosures reveal a staggering amount of interception requests from different LEAs, approximately 250 on a daily basis before a single authority within the MHA. This entails that there is no time for the ‘application of mind’ by the executive in sanctioning these snooping orders, which eventually restricts the fundamental right to privacy of the citizens.
In the first part of IFF’s new series on surveillance technology in India, we take a closer look at the proposed National Intelligence Grid which is scheduled to go live on December 31, 2020. #WatchtheWatchmen
— Internet Freedom Foundation (IFF) (@internetfreedom) September 2, 2020
However, this administrative burden has not stopped plans of expanding surveillance structures—installing CCTVs with inbuilt automated facial recognition software across the country is the next big plan. The National Crime Records Bureau issued the tenders for the same in 2019, and these have since been pushed forward with the latest invitation for bids earlier this year, amidst backlash from civil society and privacy professionals owing to the previously discussed legal lacunae when it comes to surveillance.
That this is happening is even more concerning, given that studies suggest that empowering the executive with over-arching surveillance power creates more challenges than it seeks to resolve.
A 2016 report from the US state of Minnesota noted how local police officials used the State’s surveillance tools to snoop on their wives and ex-partners. Similarly, when offering a justification in 2013 as to why tracking millions of Americans’ phone calls to protect national security was necessary, the US’ National Security Agency stated that it helped the agency track a suspicious wire transfer to Somalia—of a relatively tiny $8,500 (USD). While there exists a legitimate State interest in surveillance, ensuring transparency and accountability in the functioning of the LEAs is equally important.
Judiciary: the Imperium In Imperio
The Judiciary has played a critical role in maintaining a privacy-respecting surveillance regime.
For example, in P.U.C.L. v. Union of India (1996), the Supreme Court for the first time noted that there was a lack of procedural safeguards in the Telegraph Act, 1885. The court observed that “the right to hold a telephone conversation in the privacy of one’s home or office without interference can certainly be claimed as ‘right to privacy’…telephone conversation is an important facet of a man’s private life.” The court held that telephone tapping would violate Article 21 (right to life and liberty) and Article 19(1)(a) (right to freedom of speech and expression) of the Indian Constitution, and called for procedural safeguards.
Much later on, the Supreme Court in Justice Puttaswamy v. Union of India (2017) recognised that informational and communicational privacy is an integral part of the overall privacy of a person. This judgement also proposed a four-fold test for restricting an individual’s privacy, i.e., (a) the action must be sanctioned by law; (b) the proposed action must be necessary for a democratic society for a (c) legitimate aim, and (d) the extent of such interference must be proportionate to the need for such interference. Since then, this test has been the backbone of the privacy debate in India.
Lastly, building on the Puttaswamy judgement, the Bombay High Court in the case of Vineet Kumar v. CBI (2019) ruled that unconstitutionally obtained evidence is inadmissible in a trial and must be destroyed. Thus, the illegal wiretaps which did not comply with the Indian Telegraph Act were ordered to be destroyed, granting the citizen a right to erasure.
Interestingly, in Jnani Krishnamurthy v. Union of India, which has been transferred to the Supreme Court, the enforceability of the traceability requirement is being deliberated upon. If this issue of breaking encryption protocols is tested against the Puttaswamy judgement, it appears that it would most likely fail.
Weakening encryption would entail the creation of vulnerabilities in platforms which can be used not just by the government, but also by non-state actors and foreign adversaries alike, compromising the privacy of individuals altogether. Secondly, there are other less privacy-invasive means to obtain the necessary information required by LEAs, such as by accessing meta-data rather than content data, which means such laws fail the necessity test as well.
A blanket ban on encryption, by introducing vulnerabilities to ensure traceability, would entail major threats of mass surveillance and instances of curbing dissent. Thus the traceability requirement renders the entire citizenry vulnerable and fails the ‘proportionate’ test too.
When the State’s current surveillance plans are held up against the Supreme Court’s benchmarks for privacy, they fail on multiple counts. By lacing the executive with sweeping surveillance powers, we are fuelling a broken system which in actuality needs to be overhauled.
There exist other means of surveillance which, when complemented with procedural guidelines and judicial oversight, can lead to a forward-looking targeted surveillance regime.
As the 2020 Draft Resolution by the Council of the EU on Encryption notes, the privacy-enabling surveillance capabilities of the State can be developed by consistent engagement with and the technical assistance of academia and industries. However, this is a joint responsibility, and requires direct efforts and a will to build holistic surveillance practices. To that end, such steps must be taken ensuring that they align with key principles envisaged under the Personal Data Protection Bill, 2019, and the four-fold test laid out in the Puttaswamy judgement.
It is time that we develop our capabilities and learn how to attack the enemy without taking off the titanium armour that encryption provides us.