In December 2018, the government notified 10 security agencies and authorities that would be allowed to carry out surveillance of all electronic communications, internet-based activity and computers. The agencies were notified to do so under Information Technology Act, 2000. When it faced criticism from some quarters, the Union government responded to say that it was merely ensuring that specifically-listed agencies get to use the long-standing surveillance powers under the IT Act, which were operationalized by subordinate rules formulated in 2009.
In January 2019, several individuals and institutions went to the Supreme Court contending that the regulations, as well as the specific provision 69(1) of the IT Act, provided wide-ranging powers with less-than-adequate safeguards for the agencies to snoop on the citizens. The section empowers a government to “issue directions for interception or monitoring or decryption of any information through any computer resource”. They contended that the regulations did not provide adequate safeguard against misuse of surveillance by the state and violated the Constitution. They said the regulations and provisions of the IT law do not meet the high benchmarks set by the Supreme Court judgments (K S Puttaswamy versus Union of India, 2017 and 2018) and last year’s Srikrishna Committee report to safeguard Indian citizens’ right to privacy against the disproportionate use of surveillance and abuse of snooping powers by the state. The petitioners included two organizations — Internet Freedom Foundation and People’s Union for Civil Liberties — and four individuals — M L Sharma, Amit Sahni, Mahua Mitra and Shreya Singhal.
The Union government has now responded to the clutch of petitions, revealing in the court the Standard Operating Procedure (SOP) for collection, maintenance and destruction of the electronic surveillance data. These were first set in place in 2011 as a secret protocol. Presenting them the government has claimed the existing safeguards under the law are adequate, lawful, towards a legitimate purpose and provide for a “proportionate interference” in citizens’ right to privacy.
In fact, the SOP and the regulations, reviewed by Business Standard, follow roughly the same template required for tapping telephones under the Telegraph Act. It gives the top bureaucracy a role in supervising and reviewing whether laid down safeguards are followed by the intelligence and policing agencies while carrying out electronic surveillance. This bureaucratic arrangement remains secret and closed to any kind of parliamentary or judicial, ex-ante or post-facto, oversight — which several advanced economies and democratic countries now require.
The SOP revealed by the government suggests that electronic surveillance being carried out under these regulations may not be merely targeted towards identified individual or groups but could be roving in nature too. The proforma application used by security agencies to request permission for snooping allows designated officials to request electronic surveillance on specified keywords and not just targeted telephone numbers, email or internet addresses. Such keyword-based generic searches to trawl the entire electronic communication pipeline, privacy advocates across the world have often warned, are most prone to abuse and disproportionate breach of citizens’ right to privacy. A similar wide-angled monitoring plan by the Union government to trawl and analyse the entire social media scape for “negative” comments and criticism by citizens was partly withdrawn after it was challenged in the Supreme Court and faced public criticism.
The covert electronic snooping by intelligence and policing agencies is based on a legacy legal substratum that the current government has continued. This kind of deep electronic surveillance can be justified by the bureaucracy and the snooping agencies on a range of specified triggers, some of which are hold-all phrases undefined in the law and open to wide interpretation. For instance, the regulations and law say authorities have to be satisfied that the surveillance can be permitted if it is necessary or expedient in the “interest and of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence or for investigating any offence”.
The Union government has correctly stated that these powers and provisions were put in place during the United Progressive Alliance era. The current National Democratic Alliance government has merely followed through on them. But in revealing the SOP the government has also admitted that whatever safeguards the law and regulations provided predate the Puttaswamy judgments on privacy and Aadhaar.
In India, those judgments and the Srikrishna committee were the first attempts in the internet era by both the judiciary and the political executive to limit the state and private sector’s power to breach citizens’ privacy. But the government contends that the legacy regulations from nearly a decade ago are adequate.
The judicial challenge presents the first opportunity to put the bureaucratic frame regulating the surveillance agencies to test against the Puttaswamy judgements and the Srikrishna committee report findings. The first unanimous judgment by a nine-judge bench affirmed the right to privacy as a fundamental right under the Constitution. It consequently raised the bar that the state would have to scale to breach citizens’ privacy. The Srikrishna report assessed the checks and balances that other democratic countries imposed on states collecting data on citizens in the electronic era.
The petitioners have not challenged the state’s need to snoop and the Union government has, unlike in the Aadhaar case, not denied citizens’ right to privacy. But how the two countervailing essentials for a democratic state in the electronic era will be balanced in practice will emerge from the current case the Supreme Court is hearing.
The Snooping Protocol
- In 2011, Centre establishes a secret Standard Operating Procedure for “Interception, Handling, Use, Sharing, Copying, Storage and Destruction of Message/Telephones/E-mails etc and Certification”.
- It reveals the protocol in response to a challenge before the SC of the electronic snooping powers under the IT Act, 2000 and subordinate regulations.
- The procedure provides an elaborate but purely bureaucratic mechanism of supervision over e-surveillance.
- Petitioners before SC ask for new standards for electronic and digital surveillance.
- They note that in 2017, enforcement authorities ordered Facebook, Google and Twitter for data of more than 200,000 accounts under various laws.
- Justice Srikrishna Committee said review authorities meet once in two months and have the task of reviewing more than 15,000-18,000 surveillance orders―Business Standard