The Government of India’s recent notification allowing all central security and investigative agencies to intercept, monitor and decrypt “any information on any computer” resulted in protests of a surveillance state. The government was quick to clarify that these “investigative” powers had been previously provided to agencies under the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009, which flowed under Section 69 of the Information Technology Act.
Rule 4 of the 2009 guidelines allowed an agency of the government to “intercept, monitor or decrypt information generated, transmitted, received or stored in any computer resource”. The government proceeded to assuage that, only select agencies, such as the Intelligence Bureau, Enforcement Directorate, Narcotics Control Bureau, will have a right to exercise such powers in matters of “interest of sovereignty or integrity of India, defence of India, security of the State”.
That said, there are primarily four concerns that arise from this unbridled powers given to State agencies.
First, “computer” as defined under the IT Act, and subsequent guidelines includes computers, laptops, smartphones and essentially any digitally connected device. Further, given that the Act does not have any geographical constraints, we are looking a surveillance system which is the very manifestation of Orwell’s ‘Big Brother’. Previous attempts to “monitor” mass communication by the government include, empowering the Research & Analysis Wing (R&AW) with phone tapping powers, an attempt to create a Social Media Monitoring Hub, and, the NETRA system designed for Internet surveillance. Such persistent fervour in the pursuit of surveillance, throws up cause for concern.
Second, in the absence of a codified data privacy law, we have sole recourse to the IT Act, which is close to two decades old. Isn’t it fair time, that Section 69 be scrutinised for constitutional validity much in the manner that Section 66A was under the now famous Shreya Singhal judgment?
In the subsequent ‘privacy’ judgment, the Supreme Court considered cases such as R vs Plant, under which a Canadian court, while considering a matter of warrantless search had decreed that in order to be constitutionally protected, the information should be “personal and confidential” in nature. It also referred to the famous Huckle vs Money judgment which stated that “To enter a man’s house by virtue of a nameless warrant, in order to procure evidence is worse than the Spanish Inquisition, a law under which no Englishman would wish to live an hour”.
In the recent Aadhaar judgment, the apex court held that Section 33(2) of the Aadhaar Act, allowing the government to disclose a person’s Aadhaar-related information in the interest of national security on the direction of an officer not below the rank of joint secretary working under Government of India; was arbitrary and required a judicial warrant. It is pertinent to note that the current notification offers no such caveat.
Third, neither the current legislation nor the proposed privacy Bill provide recourse to a citizen in the event of the State breaching her personal data. The proposed privacy Bill makes it discretionary upon the authority to notify the data subject in event of a breach. What recourse awaits any citizen in the event of a misuse of an investigating agency’s powers, is anyone’s guess.
The efficacy of a committee, which is required to meet once in two months to review violations of investigative power as provided for under Rule 22 of the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules, 2009) is also questionable.
Fourth, towards illustrating my concerns, I refer to recent furore over the leakage of the ‘Gangs Violence Matrix’. The Gangs Matrix, a database, set up by the Metropolitan Police in 2012 with the aim of reducing gang-related crime in London was leaked on the Internet recently. In a report, the UK Information Commissioner admitted multiple breaches in data profiling, data retention and racial bias in the database. It was also feared that gang members whose names were leaked were in danger of physical harm by other criminals.
This incident best highlights problems that arise when there is unrestrained usage of an investigative agency’s powers. “Quis custodiet ipsos custodes?” remarked 2nd Century Roman poet Juvenal.
It’s time we also asked this question: ‘Who will watch the watchmen?’