In December 2019, as protests against a controversial new citizenship law swept India, three incidents in different parts of the country revealed the state’s growing powers of surveillance. In Delhi, police officers used facial recognition devices to screen individuals entering a protest venue. In Chennai, surveillance drones circled above a protest march. And in Hyderabad, police stopped a pedestrian and fingerprinted him to check for “past criminal activity.”

While surveillance technology has proliferated in India over the last decade, institutional and legal safeguards have not kept pace. The Indian Parliament has yet to enact a data protection law, and the courts have failed to adequately grapple with the ethical and constitutional challenges posed by invasive new technologies. The Indian public, for its part, has largely shrugged off the steady creep of the surveillance state, which now collects huge amounts of data in a legal and judicial vacuum—and at times in open defiance of the law and judicial orders.

India’s neighbor to the north, China, looms large in international media as an Orwellian state, with its expanding use of facial recognition technology and invasive data collection practices. By contrast, India is often portrayed as a chaotic democracy, its government far weaker and less capable than the fine-tuned autocracy in Beijing. That image belies the changing reality in India, where the government’s embrace of powerful new surveillance technologies increasingly threatens the rights of its people.

THE DATABASE STATE

In recent years, police forces have begun to routinely fingerprint and use facial recognition devices on individuals deemed “suspicious”—invariably without any evidence of wrongdoing—in broad sweep-and-search actions that often target poor neighborhoods heavily populated by Muslims and migrants from north India. The CEO of an Indian facial recognition software company called FaceTagr made the pervasive character of such surveillance starkly clear when he proudly proclaimed that his company’s new technology would enable the police to photograph anyone who looked suspicious and check the image against a criminal database. Indeed, the police used FaceTagr in exactly this way to screen individuals at a popular festival. Such “dragnet” screening is a blatant violation of privacy rights, as it essentially treats every individual like a potential suspect, subject to an endless continuing investigation. The rot, however, starts from the top: the surveillance activities of India’s security agencies are exempt from legislative oversight.

Prime Minister Narendra Modi and his government have drawn criticism for instituting policies that threaten civil rights and undermine the constitutional order, including the expansion in 2019 of India’s antiterror laws that dangerously broaden the government’s scope of action in battling “terrorism.” But the trend toward intensified use of surveillance technologies predates the current government. Electronic databases of intercepted telecommunications, in particular, began to proliferate after the 2008 terrorist attacks in Mumbai that killed 165 people. Chief among these databases is the Central Monitoring System (CMS), a centralized telephone interception system that “automates” the wiretapping of criminal suspects, replacing old-fashioned manual interception.

The expansion and centralization of surveillance databases pose real dangers.

Since its inception, authorities have kept the workings of the CMS wrapped in secrecy. But coupled with the fact that existing law exerts minimal scrutiny over telephone interception requests, the centralization of the interception architecture under the CMS has concerned many legal observers and activists. The same is true of the plan to introduce a far more intrusive surveillance system called Netra, which would automatically intercept voice traffic over the Internet via Skype and other online platforms through the use of predefined filters that pick up words such as “attack,” “bomb,” “blast,” or “kill.” As with the CMS, the Indian government has disclosed little about Netra’s operation—it’s unclear to what extent the systems are in use. Though both the CMS and Netra are supposed to be standalone surveillance systems, the government has begun building a more centralized network of India’s intelligence operations, forging a national intelligence grid across several government agencies and a criminal tracking system that seeks to connect all of India’s police stations to a “national database of criminals.”

Supporters of such measures argue that intelligence agencies can perform their jobs much more efficiently if surveillance is centralized and automated rather than more distributed, federated, and manual. But the expansion of surveillance databases and the centralization of information pose real dangers. In particular, the distribution of information about individuals across different databases enables profiling, the kind of 360-degree view of people’s lives that creates the potential for vast abuse by both state and nonstate agencies. This is a particularly fraught issue in India, where in the past malign actors have used voter rolls and other sources of information about identity to target individuals and communities during periods of communal riots and violence.

THE PERILS OF AADHAAR

The most pervasive form of government surveillance in India comes not in the form of some secret database but as a card. A Congress party–run government launched the Aadhaar program in 2009 with the stated goal of giving every Indian a clear, stable form of identification—many Indians lack official documents such as birth certificates and therefore struggle to access banking services or welfare benefits. Over one billion people are now enrolled in Aadhaar, making it the largest biometric identification system in the world. Since its advent, subsequent governments, including Modi’s, have expanded its application. Though authorities pitched Aadhaar as a means to better provide public services, the system had other, more dangerous uses. Speaking a decade ago, the former intelligence officer (and current National Security Adviser) Ajit Doval revealed that Aadhaar “was intended to wash out aliens and unauthorized people.” The Modi government tried to make enrollment in Aadhaar mandatory for banking transactions and mobile phone connections, but the Supreme Court invalidated these requirements in 2018. Nevertheless, Aadhaar remains necessary to pay income tax and access welfare benefits.

Aadhaar’s creators chose a centralized database—as opposed to a more segmented, federated format that would have made broad surveillance and profiling more difficult—and they rolled out the entire program without accompanying legislation in order to circumvent challenges; in a 2013 interview with Forbes, Aadhaar’s founder, the entrepreneur turned politician Nandan Nilekani, suggested that if the government implemented Aadhaar quickly, opposition to the system would be unable to consolidate. Parliament eventually enacted a law sanctioning Aadhaar in 2016 (five years after enrollments had begun). A large team of lawyers—which I was a part of after 2016—challenged the constitutional validity of Aadhaar, but the Supreme Court upheld the program in 2018 on the basis that those who felt their data had been wrongly collected could always “opt out” of the system. (The court’s reasoning made little sense, because enrolling in Aadhaar had already become mandatory to access subsidies and make income tax payments.) The Supreme Court did strike down a provision in the 2016 law that allowed private companies to utilize the Aadhaar database, but a few months later Parliament reenacted that provision in almost exactly the same form (a leaked conversation in early 2019 between industry lobbyists and an official who worked on the Aadhaar program suggested that private companies sought to persuade the government to reconsider the court decision and allow the private sector access to the database).

The most pervasive form of surveillance in India comes in the form of a card.

The threats Aadhaar poses to individual rights are legion. Already, authorities have allegedly used information collected via Aadhaar to illegally purge voter rolls in certain states. Another threat springs from the controversial National Register of Citizens, a cataloging process intended to identify illegal immigrants in the border state of Assam that classified over four million people as allegedly living illegally in India. The government may sync the biographical information of these “noncitizens” with the Aadhaar database to ensure that these people cannot access welfare benefits anywhere in the country. Authorities could therefore use Aadhaar as a form of “blacklisting” and “whitelisting” individuals—a worrying possibility that lawyers raised before the Supreme Court in the 2018 hearings, but to no avail. Empowered to unilaterally deactivate any individual’s Aadhaar, the government has the authority to render that person “civilly dead,” or unable to function in society.

While digital databases of some kind or the other are in place in many societies, the wider context of its use makes Aadhaar particularly perilous. It builds a centralized and invasive database in a country with weak data protection legislation and a culture of state impunity when it comes to surveillance and the abuse of rights. Its current “function creep,” where Aadhaar becomes a drawbridge that can be pulled up to exclude individuals from accessing the basic necessities required to function in society, demonstrates the risks of this particular database.

TRANSPARENT CITIZENS, OPAQUE GOVERNMENT

There are several ways to check the overreach of Indian state surveillance. The first is to design databases so that information silos cannot be merged. Yes, such a change may have an adverse impact on collaboration between different agencies of government. That is, however, precisely the point: limiting the information that the state possesses at any given time about its citizens is a crucial part of protecting liberty and privacy. That safeguard also needs to be enshrined in law: India needs robust data protection legislation, modeled perhaps on a European Union law that holds member states to strict legal standards for data collection, storage, and use. These strictures include, for instance, “purpose limitation” (if data are collected by the state for a specific purpose, that information can be used only for that purpose), “data minimization” (no more data can be collected than strictly necessary to fulfill a legitimate state goal), and proportionality (government action targeting an individual must be commensurate with that individual’s actions).

At present, a committee of the Indian Parliament is considering a proposed data protection bill approved by the cabinet. The bill, however, falls well short of international standards, global best practices, and Indian constitutional principles. For example, it provides sweeping powers to the state: the government can exempt “any” government agency from the provisions of the bill if it is “necessary or expedient” to do so “in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, [and] public order.” It dispenses with the proportionality standard in favor of the much broader and vaguer “expediency,” thus allowing critics to warn of the government having a near “carte blanche” in its surveillance practices. Indeed, the present bill is a revised version of the legislation that was sent to the cabinet in mid-2019; the head of the committee that devised the earlier bill—retired Supreme Court Justice B. N. Srikrishna—himself remarked that in its new form it could turn India into an “Orwellian state.” In the meantime, a set of scholars and civil society activists drafted an alternative bill that they argue is more in line with both the Indian constitutional framework and global best practices (in the interest of full disclosure, I assisted in the drafting of this alternative “civil society bill”).

In a functioning democracy, concerns about large-scale civil rights violations caused by surveillance activities should be litigated in the courts. But the recent track record of India’s judicial branch on such issues does not inspire confidence. The Madras High Court, for instance, sanctioned the use of drones in surveilling protesters in December. The constitutional challenge to Aadhaar languished for six years and was heard by the Supreme Court only in 2018, when the program had become a fait accompli.

Perhaps the most effective way to challenge—and roll back—India’s surveillance apparatus is through public pressure; only when issues of privacy become political and a part of mainstream social movements does the state become more transparent to its citizens. For example, such a movement successfully persuaded Parliament in 2005 to enact legislation guaranteeing the right to information (the RTI Act requires government departments to provide information to all citizens at minimal cost). Until that time, Indians will continue to remain vulnerable to a rapidly expanding surveillance state.