By Partha Pati, Associate and Nishith Pandit, Intern,
Abhay Nevagi and Associates
Surveillance means close observation of a person or group especially the one who are under suspicion or the act or observing or the condition of being observed. Being a developing country, India has brought several changes into its policies on Information Technology and still a lot more changes needs to be done. With the growing IT sector, surveillance technologies has also been introduced such as internet surveillance, CCTV surveillance, telephone and e-mail id surveillance etc. Although, it is just a start and in future, maybe in 2-3 year, new technologies will be introduced, which leaves us to the question whether current Indian legal framework has provisions as to surveillance and whether the privacy of individual in India is secured. The article talks about different provisions under different statutes which allow government to conduct surveillance, various governmental bodies doing surveillance and right to privacy of individual in India.
Till date, many new government agencies has been formed such as Central Monitoring System, National Intelligence Grid etc. and they have already started surveillance in cyberspace, telephones, email, personal messages etc. In October 2012, The Hindu has released an interesting report stating that over 10,000 phone calls and 1000 email id’s are under the scanner. Mr. Milind Deora, in August 2011, in Rajya Sabha informed that the government has now acquired technology to monitor or block contents on internet and has also started surveillance on facebook and twitter walls. In 2012, Blackberry finally agreed to allow government agencies to access personal messages on Blackberry Messenger (BBM) after many proposals made by Indian Government. Previously, BBM comes with an encryption key which allows users to access messages and only those who have the encryption key can have the access to read or send such messages.
Also, many private companies are also monitoring the contents on their sites or products, for research e.g. Microsoft is watching all the messages which are communicated on its product Skype. These messages are used for their so-called consumer research but they are also in violation of privacy of every individual who uses Skype.
Departments working under Indian government for surveillance
Recently, many departments and agencies have been established, under government of India, in order to do surveillance in cyberspace (where online communication takes place between computers or networks), on personal messages, emails, cell phones or on social medias. Being fastest developing country, India has to make strong policies and regulations in order to protect IT industry as well as to protect privacy of every citizen.
The governmental bodies such as National Intelligence Grid, Central Monitoring System etc. have been setup for surveillance on internet, cell phones, private messages, as well as social media sites. But at this point of time, the protection of bodies itself i.e. powers and functions of authorities, situations under which surveillance can be done etc. and security of data to be kept by them is unknown. Also the provisions under which they have established are a question. It is possible that the data kept by these bodies can be misused by any private entity for any political or terrorist purpose which can endanger public privacy and safety at large.
National Intelligence Grid
National Intelligence Grid aims at linking information saved on servers and networks of different departments and ministries of government so it can be accessible by any department and intelligence agency. National Intelligence Grid does not aim at storing any type of information in its own and will only provide a platform where communication between computers and networks of different departments can be taken place.
Crime and Criminal Tracking Network System (CCTNS)
Crime and Criminal Tracking Network System aims at collecting, storing, analyzing, transferring, sharing of data between various police stations and with State Headquarters and police organizations. By using CCTNS, any police station will get complete available information on any criminal or any suspect stored on the servers of other police stations or departments.
Central Monitoring System
Central Monitoring System aims at monitoring every byte of communication i.e. text messages, phone calls, online activities, social media conversations and contents etc. CMS was prepared by the Telecom Enforcement, Resource Monitoring (TERM) and by the Center for Development of Telematics (CDoT) and managed by Intelligence Bureau. Today government is doing surveillance on Facebook and Twitter walls by using Central Monitoring System.
Unique Identification Authority of India (UID Scheme)
Unique Identification Authority of India (UID scheme) aims at providing a special unique identity to every citizen of India in which figure print and basic information of a person will be available. UID scheme comes under AADHAAR Scheme of government of India, and at present, Unique Identification Authority of India has issued number of Unique Id’s to the citizens of India and till now it has covered 28.11% of the total population and still going on.
Indian Computer Emergency Response Team (CERT-In)
CERT, functional since January 2004, is a nodal agency of government in response of any computer security incident. CERT has been created under the provisions of Information Technology Amendment Act, 2008 and since then working as government agency. CERT is not exactly surveillance agency of government but it is response team of government in order deal with any cyber security incident all over India.
National Counter Terrorism Center (NCTC)
After the attacks on Mumbai in 2008 aka 26/11 attacks on Mumbai, there was a need of agency to fight against terrorism as there was a failure on the part of intelligence agencies in India. So the proposal of NCTC was made. NCTC will derive its powers from Unlawful Activities Prevention Act, 1967 and it will be part of Intelligence Bureau headed by the director.
As seen above, different governmental departments are working or will soon be in effect for different purposes but the question that frequently asked is that how far the data collected by them is secured and what mechanism does government provide to stop misuse of this information by any third party or any internal governmental body for political purpose. Do people of India have right to privacy and freedom of speech and communication as enshrined in Constitution of India? India despite being many rules and regulations passed for surveillance and protection of privacy but it still needs more strong policies on governance of IT sector and for protection of privacy of individual.
Laws governing surveillance
IT sector in India is growing at very high rate and the biggest problem is that there are no specific laws that governing surveillance in India. Although there are many acts and rules passed by legislature which governs surveillance indirectly, there is a need of specific laws as to working of governmental bodies, their powers, protection of individual privacy and freedom of speech. Section 69 Information Technology Amendment Act, 2008 gives power to government to intercept, monitor or decrypt any data or information stored on any computer resources for the reason of public safety, public order etc. but who shall be authorized to intercept this information is unknown. Although, CERT-In has been made by the virtue of Information Technology Act, 2008 but CERT-In will only come into play when there is any attack on Indian computers or resources or when any of Indian servers being hacked or crashed by any foreign body or any individual within or outside India.
The Indian Telegraph Act, 1885 had also given power to central or state government to intercept any message if it is against public safety and since then, as various laws came into force, the government has got power.
The governmental bodies which are working have got indirect powers from many different rules passed by the legislation. But there is no such legal framework passed by parliament in relation to surveillance and authorities who has power to monitor and block information for any computer recourse. The data collected by Central Monitoring System will only be accessed by governmental bodies like Intelligence Bureau, Research and Analysis Wing (RAW), Central Bureau of Investigation (CBI), National Investigation Agency (NIA), Central Bureau of Direct Taxes (CBDT), and Narcotics Control Bureau (NCB). But who has given this authority or when shall such surveillance will be done is a question. Indian legal framework has provisions relating to electronic surveillance but they are inefficient.
Also, Right to Privacy bill, 2011 has been presented in the parliament and an attempt has been made by government as to define privacy and under which circumstances the government has power to conduct surveillance and what shall be penalties as to misuse of such information obtained by the way of surveillance. Under this bill, the surveillance can only be granted by permission of Home Secretary, Ministry of Home Affairs, Government of India.
On October 27, 2009, the central government has passed Information Technology (Procedure and Safeguard for interception, monitoring and decryption of information) Rules, 2009 in which it was laid down that no person shall intercept, monitor or decrypt any information available on any computer resources except an order from Home Secretary or Joint Secretary, Ministry of Home Affairs has been obtained to do so. According to Rules, under Rule 4, it has been laid down that the central government has power to delegate such authority to intercept, monitor or decrypt any information on any computer resource to any agency.
Also, Information Technology (Procedures and Safeguards for blocking for access of Information by Public) Rules, 2009 has been passed by parliament in order to block access of any information on any computer resource by public. According to Rules, the government has power to block any information whether generated, transmitted, stored or received or hosted by any computer resource for any reasons mentioned in section 69A of the Information Technology Act, 2000 i.e. sovereignty and integrity of India, defense of India, friendly relation with foreign state, security of state etc.
Surveillance laws in UK, US and Europe
United States of America
United States has very strict policy on surveillance. In United States of America, the President has the power to grant electronic surveillance on any foreign power or any person who is agent of foreign powers. The President has the authority to grant such surveillance, without court orders, through Attorney General to acquire foreign intelligence information for a period up to 1 year (USC § 1802). Attorney General shall report to the House of Permanent Select Committee on Intelligence and Senate Select Committee.
Electronic Surveillance may also be granted by the court order. The Chief Justice will appoint seven judges from seven different circuit courts and this panel of seven judges will entertain such application of electronic surveillance and grant, modify or deny such application except in a case where such application has already been denied previously, the panel shall not entertain such application (USC § 1803). Any federal officer shall file such application for electronic surveillance.
In United Kingdom, Regulation of Investigatory Powers Act, 2000 governs the provisions for surveillance and investigation by governmental bodies. Regulation of Investigatory Powers Act gives guidelines to public authorities such as Police or governmental departments who want to obtain any private information. Under Regulation of Investigatory Powers Act guidelines, the surveillance and investigation can be done in case of terrorism, crime, public safety or emergency services. Surveillance includes full electronic surveillance such as intercepting communication on cell phones or emails or letters, GPS locations of target and access to electronic data encrypted or password protected.
In Europe, generally there are no direct laws provided to govern surveillance and EU members uses guidelines of UK’s Regulation of Investigatory Powers Act as in Europe, right to privacy of individuals is highly developed area of Europe. Recently, in Europe, draft European General Data Protection Regulation has been introduced by the Council in Europe on seeing the development of Information Technology sector all over the world and flow of personal data within Europe. Also Data Protection Directive, regulates the processing of personal data within European Union. But till now there is not specific laws governing surveillance laws in European Union except UK’s Regulation of Investigatory Powers Act, 2000.
Indian’s growing legislative framework and surveillance policies are not adequate to deal with future threats and there is an urgent need to amend existing legal framework as well as to introduce strong and effective policies in order to protect IT industry as well as to protect privacy of individuals in the country. As referred above, UK and US have very effective policies and the workings of agencies as well as the laws relating to surveillance and privacy of its citizens. Similarly, in India, legislature should pass such acts and rules in relation to working of agencies, powers and authorities under whom surveillance will be done, protection and destruction of such data collected during surveillance and how far the privacy of individual is secured.
Also, the laws governing surveillance done by governmental departments and agencies which are currently working should be passed. There is also a need of defining the word privacy again in modern age as the development in IT sector and surveillance industry has changed the concept of privacy and laws governing it. The existing framework is not enough to deal with future threats and in future, there is a probability of increasing threats of cyber crimes and cyber terrorism. Although according to rules, the government has got power to intercept, monitor, decrypt or block any information on any computer resource and also the central government has got power to authorize any agency or any person to perform such activity as it thinks fit, but the working of such agency and who shall be employed in such agency has not been mentioned anywhere in the rules and also the provisions as to penalties for misuse of such information by any governmental body or person has not been given. It is possible that the information obtained can be used for political purposes.
 The Hindu Report 10000 phones and 1000 email Ids under scanner, October 12, 2012 http://www.thehindu.com/news/national/10000-phones-1000-email-ids-under-the-scanner/article3992185.ece
 Elonnai Kickok, 2012: Privacy Highlights in India, February 12, 2013 http://cis-india.org/internet-governance/privacy-highlights-in-india
 Quick heal blogs, Soumya Patnaik, Are your messages on Skype are private? May 23, 2013 http://blogs.quickheal.com/wp/are-your-messages-on-skype-private/
 B. S. Dalal, Indian Center for Communication Security Research and Monitoring (CCSRM), May 17, 2011 http://ictps.blogspot.in/2011/05/indian-centre-for-communication.html
 Maria Xynou, India’s Big Brother: Central Monitoring System, April 8, 2013 http://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system
 Sudhi Ranjan Sen, 10 big facts on Center v. State on NCTC, new anti-terror agency, May 6, 2012 NDTV http://www.ndtv.com/article/india/10-big-facts-on-centre-vs-state-over-nctc-new-anti-terror-agency-206533
 Ibid 7
 Righ to Privacy bill available on http://bourgeoisinspirations.files.wordpress.com/2010/03/draft_right-to-privacy.pdf
 Act available on http://www.cyberlawdb.com/docs/india/legislation/rules/69rules.pdf
 Act available on http://www.cyberlawdb.com/docs/india/legislation/rules/69Arules.pdf