[First published in The Hoot in November 2013.]
On 23 August 2013, Milind Deora – the Minister of State in the Ministry of Communications and Information Technology – told the Rajya Sabha that the Central Monitoring System project (CMS), which is currently being rolled out across India in stages, is merely an attempt to automate existing mechanisms of intercepting and monitoring telephone communications. This innocuous conception of the CMS is at odds with public perceptions of the project, which see the CMS as an attempt to create an extensive and sophisticated apparatus of blanket surveillance by the Indian state. In the latter imagination, the CMS is a project that will eventually result in the ability to intercept, in real-time, and monitor voice and data communications throughout India.
The uncertainty surrounding the project appears to be deliberately constructed: public statements by the national leadership on the CMS can be counted on the fingers of one hand, and the project is being tested and put in place without the sanction of a specific Act of Parliament. Although not strictly illegal, the absence of stated law worries many analysts. Deora’s claim about the CMS was made in response to a question posed by Rajeev Chandrasekhar, MP, asking the Central Government to publicly identify the law upon which the CMS is being created. Instead, Deora told Parliament that existing Indian statutory law and some minimal guidelines issued by the Supreme Court of India in 1996 were sufficient.
Surveillance is a tool used by modern governments to detect behaviour that does not conform to law or to constructed national and social norms. Yet, surveillance pre-dates both modernity and the nation-state. As far back as the 4th century BCE, Kautilya’s Arthasastra recognised espionage as an institution in itself and, besides devoting a separate chapter to spies, enjoined good rulers to study and heed information collected by spies. The underlying connection between effective government and information collection is one that is often made in other texts and treatises as well. Technological advancements have enabled the widespread use of sophisticated surveillance devices to mould social control. However, the power to detect non-conformist behaviour can often extend to its punishment to silence individual expression and dissent. For this reason, liberal democracies regulate surveillance to protect individual freedoms.
Surveillance is diverse and manifold. From being physically followed by a local beat constable to having your electronic communications mined for patterns to being geospatially tracked by satellites, surveillance occurs everywhere and all the time. Of all the forms of surveillance, the interception of communications is unique because the law often places an evidentiary premium on the information it yields. Put otherwise, because verbal communications more easily admit to intent and complicity, even guilt, the privacy of communications is usually accorded enhanced protection in democratic countries. The legal threshold necessary to invade locational privacy by, say, police surveillance or radio frequency identification (RFID) queries, is lower than the threshold prescribed for communications made with an expectation of privacy, such as an email or phone call made using a private communication device or personal account from a private place.
Verbal communication is mostly of two types – written and oral. Around the world and in India, the law has evolved mechanisms to intercept these types of communications. The colonial state began by empowering itself to intercept postal and telegraph messages. Postal articles can be intercepted under section 26 of the Indian Post Office Act, 1898 “on the occurrence of any public emergency, or in the interest of the public safety or tranquillity.” The same section goes on to declare that the government shall be final judge of whether a public emergency exists or whether an interception carried out in the interest of public safety was valid. In 1986, Rajiv Gandhi’s government, which had an absolute majority in Parliament, proposed to amend the Post Office Act to permit more intrusive interceptions of letters and communications. However, President Zail Singh, whose nominal assent was necessary for the amendment to become operational law, effectively vetoed the amendment by refusing to acknowledge its existence and, in 1990 after a new government took over, the amendment was withdrawn.
Almost similar standards for interception exist under the Indian Telegraph Act, 1885 that governs the use of telegraphs – including telex and telegrams, the last of which was sent in July – and phone communications. Section 5 of the original Telegraph Act permitted the government to “take possession of” any telegraph on a threshold of public emergency and public safety quite identical to the regime under the Post Office Act. After an amendment in 1972, section 5(2) of the Telegraph Act lays down the current conditions for intercepting phone calls. The initial conditions – “on the occurrence of any public emergency, or in the interest of the public safety” – were required to be tied to one of these following additional considerations: the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, or for preventing incitement to the commission of an offence.
After independence, the Indian Telegraph Rules, 1951 were issued and rule 419 attempted to put in place a procedure to regulate interceptions of communications. Both section 5(2) of Telegraph Act and rule 419 of the Telegraph Rules were challenged and subsequently examined by the Supreme Court in 1996. In a landmark decision, the Supreme Court held that phone communications were protected by the right to privacy which flowed from the right to personal liberty. Following a seminal 1978 decision that required intrusions into personal liberty conform to a procedure that is just, fair and reasonable, the Supreme Court measured the interception provisions of the Telegraph Act against that standard and found it wanting. However, instead of striking down the provisions, it introduced basic procedures to accompany such phone-taps to meet the ‘just, fair and reasonable’ benchmark. Thereafter, in 1999, the government incorporated these procedures into a new rule 419-A of the Telegraph Rules. The new rule 419-A restricted the power to order phone-taps to only senior administrative officers, required them to exhaust other less intrusive means, created a review committee to verify all phone-taps, required the interception orders to be targeted and specified and mandated record-keeping to create a paper-trail. These rules were expanded in 2007.
Similarly, provisions exist under sections 69 and 69B of the Information Technology Act, 2000 to intercept and monitor electronic communications sent using a computer. These interception empowerments are conditioned upon the same grounds that exist in the Telegraph Act – the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, or for preventing incitement to the commission of an offence – but, significantly, they do away with the outer threshold requirements of public emergency and public safety that exist for phone-taps. In doing so, they lower the privacy standard for emails, chats, and so on. The two interceptions sections of the IT Act were introduced by way of an amendment in 2008 and were operationalized through two sets of rules issued in October 2009.
What all of this indicates is that communications surveillance can only take place when regulated by laws that safeguard the freedoms of Indians. Sanctioning law that is just, fair and reasonable and that is open to judicial review is what separates democratic governance from authoritarian actions. In India, the laws that allow communications interceptions are minimal, they do not conform to global best practices and they do not accord the protections afforded by the laws of many other liberal democracies. To make matters worse, there has been an increasing stream of reports of unlawful surveillance conducted outside the law without proper authority. As far back as 1987, the government, in response to a question by Faiz Mohammed Khan, MP, denied knowledge of illegal phone-taps. Almost three decades later, nothing has changed. Despite several news reports of widespread illegal phone-taps, the government denied knowledge of it in Parliament – in response to a question by Shadi Lal Batra, MP – and, this time, washed its hands off the matter by blaming the telecommunications service providers (TSP). TSPs are only allowed to function within the limits of a licence that is issued by the government; curiously, these licences mandate the use of equipment that easily enables government surveillance while at the same time placing the burden of ensuring privacy on the TSP.
Forcing TSPs to use equipment that enables surveillance and restricts privacy is not new. The United States’ (US) Communications Assistance for Law Enforcement Act, 1994 (CALEA) forced both manufacturers and TSPs to make, modify and use equipment with in-built surveillance-enabling technologies. Many have argued that CALEA directly facilitated the US National Security Agency’s (NSA) warrantless surveillance programme on US citizens from 2001 to 2007. Although the NSA’s warrantless surveillance was officially discontinued, its rump contained technologies and know-how that continue to be used by the NSA under warrants issued by a secret court established under the Foreign Intelligence Surveillance Act (FISA). Following the enactment of the stringent and privacy-intrusive PATRIOT Act, FISA was amended to ease and broaden the conditions upon which surveillance warrants could be issued in secrecy. The recent disclosures made by Edward Snowden about individual components of the NSA’s warranted surveillance programme, such as PRISM or Boundless Informant, are all a part of this rump programme.
The US is a mass surveillance state with entrenched, highly-capable and pervasive electronic surveillance. The US state commands an unparalleled ability to monitor the everyday lives and information, including communications, of its citizens and possibly many foreigners as well. The US is also a developed democracy with a long and rich jurisprudence of privacy protection and police procedure. For India, projects like the CMS offer the fantasy of operating the advanced technologies that are used in the world’s developed democracies; but, unlike those countries, the Indian state wishes to achieve this capability without thought for the rule of law or civil liberties. This asymmetry is disturbing, but is not new. The insistence on pushing through unreliable biometric identification cards and insidiously mandating their use for government services without the prior sanction of an Act of Parliament is being criticised by the Supreme Court as this article is being written. Hopefully, the government will heed this warning, come clean on the CMS, enact a supporting law and strengthen Indian democracy without compromising its national security.
If Deora’s reply to Parliament was true in its entirety, and the CMS will ultimately be no more than an automation of existing targeted interception abilities under the Telegraph Act and Information Technology Act, it will allow the state to bypass TSPs to access information. The government claims that such a measure will strengthen privacy by taking interceptions away from TSPs and thereby prevent a recurrence of a Niira Radia-like episode. Depending on how you look at it, this is either simplistic or false. Once completed, the CMS will indeed bypass TSPs but it will not divest them of their technical ability to intercept communications. As carriers of communications, TSPs will continue to be able to access private communications except that, outside the surveillance eye, it will take place unknown. Further, the Radia incident came to light only because the tapes containing the intercepted communications were leaked by the TSP; the fact of the surveillance and that it was ordered despite there not existing a public emergency or a threat to public safety would not have be known if not for the TSP leak. Hence, the CMS will only further seal unlawful and improper surveillance from public scrutiny while not preventing TSPs from indulging in malpractice either.
For ordinary Indians who want to protect themselves and their communications from state encroachment, the law currently offers little solace. The only solutions appear to be technological. Using public key cryptography to encrypt the text of email messages or moving away from US email providers to those based in jurisdictions that protect privacy are immediate solutions. Public-key encryption, using PGP or GPG keys, scrambles communications to military-level protection; however, these too are now reportedly vulnerable to new and powerful supercomputers dedicated to decrypting such messages. In many ways, these technological solutions compound the problem for they do not address or question the political appetite for surveillance nor its technocratic reflex.