There has been no public debate on the level of watch citizens can be put through, and on what the red lines should be while using intrusive mechanisms

The tussle between government agencies’ need for a better, faster and real-time interception, surveillance and monitoring mechanism through the Central Monitoring System (CMS), on the one hand, and demands by privacy, civil rights and free speech activists, for ensuring higher privacy for citizens in view of CMS, on the other, is gaining ground. India today has nearly 900 million mobile subscribers, 160 million Internet users and close to 85 million citizens on social media. Internet and social media users are expected to double by 2015.

The discussions have been coloured by the startling revelation relating to the PRISM project which, if true, may have meant that the privacy of millions of Indian Internet users could have been compromised, in varying degrees.

Meanwhile, closer home, the CMS project, aimed at improving the capability of security agencies to protect national security and fight crime, including terrorism, has also raised serious privacy issues.

Shrouded in secrecy

First, very little real information is available about the CMS working procedure, technical capabilities and privacy safeguards in the public domain. While governments worldwide remain reluctant to share information about their surveillance and monitoring systems, successive governments in India have fared no better.

Key unanswered issues include the uncontrolled use of technical capability and intrusive technologies, which are capable of “instant, real time and deep search” surveillance. There has been no debate in Parliament or outside about the level of surveillance citizens should be put through or whether there should be red lines when using intrusive surveillance mechanisms, even when technology presents an option.

Further, there is no information about whether there are additional safeguards against interception by political authorities, of potential “targets” carrying out sensitive assignments such as judges, opposition leaders, editors, regulators, advocates, vigilance officials, corporate CEOs, etc. Should there be? How far should the spy agencies take lethal technological capability against their own citizens? Can all technological prowesses be used against any category of citizen, regardless of the level of security clearance they are entitled to? Who decides the correctness and propriety of such authorisations, especially since these are approved by bureaucrats who, in turn, report to political authorities?

The U.N. Special Rapporteur on Promotion and Protection of Right to Freedom, in his report of April 17, 2013, has concluded that apart from increasing public awareness of threats to privacy, States must “regulate the commercialization of surveillance technology”.

Legal infirmities

Secondly, while the existing law primarily relates to interception of calls, CMS expands surveillance across Meta-Data which includes CDRs and SDRs. Access, transfer and retention of CDRs is weakly defined under the existing laws. Provisions for authorisation of interception are contained in Section 5(2) of the Indian Telegraph Act 1885, Rule 419(A) of the Indian Telegraph Rules 1951, as well as Section 69 of the Information Technology Act 2000, read with Information Technology (Directions for Interception or Monitoring or Decryption of Information) Rules 2009.

“The Right to Privacy,” on the other hand, is protected under Article 21—– Right to Life — and Article 19(1)(a) — Right to Freedom of Speech and Expression — under the Constitution of India, “unless it is permitted under procedure established by law.” While the Supreme Court has upheld the constitutional validity of interceptions, and monitoring under Section 5(2) of the Act through its order dated December 18, 1996, it subsequently laid down guidelines narrowing the scope of interception down to five instances — “national sovereignty and integrity, state security, friendly relations with foreign states, public order or for preventing incitement to the commission of an offence”.

With CMS, questions about the mismatch between the privacy legislation and the lethal forensic surveillance capabilities arise. These border on what is now recognised as a human rights issue. Are “public order” or “preventing incitement to the commission of an offence” sufficiently vague or broad for the security agencies to practically put through any authorisation request for interception, however weak, under these two heads? Can prevention of crime leave the door open to any agency, getting permission to monitor any citizen without adequate burden of proof? Since the authorities giving approval are not judges, will they have the judicial expertise to make legally valid decisions? Worse still — if the surveillance is extra-judicial, how will it be uncovered?

Further, interception under CMS can be done instantly and, since existing laws allow government agencies to intercept any phone conversation without the Home Secretary’s mandatory permission, for seven days, should this procedure be reviewed under CMS? Should a lower level officer’s approval be sufficient to begin surveillance? The law also says “the directions for interception shall remain in force, unless revoked earlier, for a period not exceeding 60 days, after issue, and may be renewed, but same shall not remain in force beyond a total period of 180 days”. In effect, monitoring can continue for half the year. Is this period too long, without a periodic review? If there is a review, is it sufficiently independent and robust?

Here again, the U.N. Rapporteur in the recent report on surveillance, recommended that surveillance must occur under, “the most exceptional circumstances and exclusively under the supervision of an independent judicial authority”. Further that “surveillance techniques and practices that are applied outside the rule of law must be brought under legislative control”.

Meanwhile, there is no consensus on the opposing views between DoPT, the Home Ministry and civil rights activists, two-and-a-half years after a ‘privacy’ group was set up under Secretary, DoPT, and seven months after the Justice A.P. Shah Committee submitted its Report on ‘Privacy,’ suggesting a privacy legislation which was “technologically neutral, inter-operable with international standards, protected multi-dimensional privacy, ensured horizontal applicability and conformity with privacy principles in a co-regulatory enforcement regime”. Ironically, the latest draft of the privacy legislation itself remains a mystery.

Lastly, bureaucrats authorise interception without any need to pass judicial muster by securing a prior valid court order. The surveillance is not subject to any ongoing bipartisan Parliamentary oversight either.

Before CMS, the mobile operator who gave access to the target’s phone calls for interception was required to ensure that the interception order received had been duly authorised by the persons identified under the Act. This is no longer the case. The government has justified CMS in Parliament, by arguing that CMS, to avoid the recordings from being leaked, circumvents manual intervention by mobile operators, and is therefore more secure, allowing instant access. However, this means that the checks-and-balance system provided by the nodal officers in mobile networks — which discovered the illegal request for BJP leader Arun Jaitley’s CDRs, leading to the arrest of three persons including a Delhi police constable — will no longer exist. Is there a new safeguard?

Potential misuse

Under CMS, one government official will authorise interception. This will be reviewed and executed by other fellow officers in different agencies — but all within the government. What is the guarantee that such permission will be subject to the rigorous due diligence that it deserves? Will every government officer follow the laid down procedure, especially if he knows that all authorisations are covered under absolute secrecy with no chance of public disclosure or scrutiny? What happens if the procedure is violated? Will violations, when discovered, be acted upon since everything remains secret within the government? The identity of targets or duration of monitoring cannot be revealed publicly, even under the RTI, as it falls under specific exemptions granted in Section 8 of the RTI Act. How will mistakes be corrected and misuse prevented?

There are other questions that remain unanswered in law. Who all within the government can have access to the Intercept Related Information (IRI), Call Content (CC) and CDRs? How long can intercept information be kept with the government and what is the procedure for its safe keeping — especially given a track record of leaked tapes — without a single official being found guilty in such instances? Are there any circumstances under which “targets”, especially when found innocent, will be informed that they were under surveillance?

The privacy issues are sufficiently serious — both outside India and within. Hopefully, the government can present the Privacy Bill early for Parliament to debate it. Equally it may be time for the Supreme Court to review its guidelines which were written at a time when there were less than a million mobile subscribers and no Internet users.