Privacy in Peril

[This piece was first published as a Frontline cover story in July 2013.]

At the concluding scene of his latest movie, Superman disdainfully flings a surveillance drone down to earth in front a horrified general. “You can’t control me,” he tells his military minder, “You can’t find out where I hang up my cape”. This exchange goes to the crux of surveillance: control. Surveillance is the means by which nation-states exercise control over people. If the logical basis of the nation-state is the establishment and maintenance of homogeneity, it is necessary to detect and interdict dissent before it threatens the boundedness and continuity of the national imagination. This imagination often cannot encompass diversity, so it constructs categories of others that include dissenters and outsiders. Admittedly, this happens less in India because the foundation of the Indian nation-state imagined a diverse society expressing a plurality of ideas in a variety of languages secured by a democratic government that protected individual freedoms. Unfortunately, this vision is still to be realised and the foundational idea of India continues to be challenged by poor governance, poverty, insurgencies and rebellion. Consequently, surveillance is, for the modern nation-state, a condicio sine qua non – an essential element without which the nation-state would eventually cease to exist. The challenge for democratic nation-states, which is also the principal concern of this article, is to find the optimal balance between surveillance and the duty to protect the freedoms of citizens.

Some countries, such as the United States, have assembled a vast apparatus of surveillance to monitor the activities of their citizens and foreigners. Let us review the recent controversy revealed by the whistle-blower Edward Snowden. In 1967, the US Supreme Court ruled in Katz v. United States that wiretaps had to be warranted, judicially sanctioned and supported by probable cause. This resulted in the passage of the Wiretap Act of 1968 that regulated domestic surveillance. Following revelations in the context of the Vietnam War and anti-war protests that Washington was engaging in unrestricted foreign surveillance, the US Congress enacted the Foreign Intelligence Surveillance Act in 1978 (FISA). FISA gave the US government the power to conduct, without judicial sanction, surveillance for foreign intelligence information; and, with judicial sanction from a secret FISA court, surveillance of anybody if the ultimate target was a foreign power. Paradoxically, even a US citizen can be a foreign power in certain circumstances. Domestically, FISA enabled secret warrants for specific items of information such as library book borrowers, car rentals and so on.

Following the World Trade Centre attacks, the US Congress enacted the Patriot Act of 2001, section 215 of which dramatically expanded the scope of FISA to allow secret warrants to conduct surveillance in respect of “any tangible thing” that was relevant to a national security investigation. In exercise of this power, a secret FISA court issued secret warrants ordering a number of US companies to share, in real time, voice and data traffic with the US National Security Agency (NSA). We may never know the full scope of the NSA’s surveillance, but we know this: (a) Verizon Communications, a telecommunications major, was ordered to provide metadata for all telephone calls within and outside the US; (b) the NSA runs a clandestine programme called PRISM that accesses internet traffic, such as emails, web searches, forum comments and blogs, in real time; and (c) the NSA manages a comprehensive data analysis system called Boundless Informant that intercepts and analyses voice and data traffic around the world and subjects them to automated pattern recognition. The documents leaked by Snowden allege that several companies including Google, Facebook, Apple, Dropbox, Microsoft and Yahoo! participate in PRISM, but all of these companies have denied their involvement.

How does this affect India? The Snowden documents reveal that India is the NSA’s fifth-most monitored country following Iran, Pakistan, Jordan and Egypt. Interestingly, China is monitored less than India. Several billion pieces of data from India, such as emails and telephone metadata, were intercepted and monitored by the NSA. For Indians, it not inconceivable that our emails, should they be sent using Gmail, Yahoo! Mail or Hotmail, or our documents, should we be subscribing to Dropbox, or our Facebook posts, are being accessed and read by the NSA. Incredibly, most Indian governmental communications, including that of ministers and senior civil servants, use private US-based email services. We no longer enjoy privacy online. The question of suspicious activity, irrespective of the rubric under which suspicion is measured, is moot. Any use of US service providers is potentially compromised since US law permits intrusive dragnet surveillance against foreigners. This clearly reveals a dichotomy in US constitutional law: the Fourth Amendment guarantees of privacy, which have been repeatedly upheld by US courts, protect US citizens to a far greater extent than they do foreigners. It is natural for a nation-state to privilege the rights of its citizens over others. As Indians, therefore, we must clearly look out for ourselves.

Unfortunately, India does not have a persuasive jurisprudence of privacy protection. In the Kharak Singh (1964) and Gobind (1975) cases, the Supreme Court of India considered the question of privacy from physical surveillance by the police in and around the homes of suspects. In the latter case, the Supreme Court found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This insipid inference held the field until 1994 when, in the Rajagopal (“Auto Shankar”, 1994) case, the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty recognised by Article 21 of the Constitution. However, Rajagopal dealt specifically with the publication of an autobiography, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the PUCL case. While finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards which continue to be routinely ignored. A more robust statement of the right to privacy was made recently by the Delhi High Court in the Naz Foundation case (2011) that de-criminalised consensual homosexual acts; however, this judgment has been appealed to the Supreme Court.

Judicial vagueness has been compounded by legislative silence. India does not have a law to operationalise a right to privacy. Consequently, a multitude of laws permit daily infractions of privacy. These infractions have survived because they are diverse, dissipated and quite disorganised. However, the technocratic impulse to centralise and consolidate surveillance and data collection has, in recent years, alarmed many citizens. The state hopes to, through enterprises such as the Central Monitoring System (CMS), the Crime and Criminals Tracking Network and System (CCTNS), the National Intelligence Grid (NATGRID), the Telephone Call Interception System (TCIS) and the Unique Identification Number (UID), replicate US successes in monitoring, surveilling and profiling all its citizens. However, unlike the US, India proposes to achieve this without enabling law. Let us consider the CMS. No documents have been made available that indicate the scope and size of the CMS. From a variety police tenders for private equipment, it appears that the Central Government hopes to put in a place a system that will intercept, in real time, all voice and data traffic originating or terminating in India or being carried by Indian service providers. This data will be subject to pattern recognition and other automated tests to detect emotional markers, such as hate, compassion or intent. The sheer scale of this enterprise is intimidating; all communications in India’s many languages will be subject to interception and testing designed to detect different forms of dissent. This mammoth exercise in monitoring is taking place – it is understood that some components of the CMS are already operational – without statutory sanction. No credible authorities exist to supervise this exercise, no avenues for redress have been identified and no consequences have been laid down for abuse.

In a recent interview, Milind Deora, the Minister of State for Communications and Information Technology, dismissed public scepticism of the CMS saying that direct state access to private communications was better for privacy since it reduced dependence on the interception abilities of private service providers. This circular argument is both disingenuous and incorrect. No doubt, trusting private persons with intercepting and storing the private data of citizens is flawed. The leaking of the Nira Radia tapes, containing the private communications of Radia taped on the orders of the Income Tax Department, testify to this flaw. However, bypassing private players to enable direct state access to private communications will preclude leaks and thereby remove from public knowledge the fact of surveillance. This messy situation may be obviated by a regime of statutory regulation of warranted surveillance by an independent and impartial authority. This system is favoured by liberal democracies around the world but, conspicuously, is resisted by the Indian government.

The question of privacy legislation was recently considered by a committee chaired by Justice Ajit Prakash Shah, a former Judge of the Delhi High Court who sat on the Bench that delivered the Naz Foundation judgment. The Shah Committee was constituted by the Planning Commission for a different reason: the need to protect personal data that is outsourced to India for processing. The lack of credible privacy law, it is foreseen, will result in European and other foreign personal data being sent to other attractive processing destinations, such as Vietnam, Israel or the Philippines, resulting in the decline of India’s outsourcing industry. However, the Shah Committee also noted the absence of law sufficient to protect against surveillance abuses. Most importantly, the Shah Committee formulated nine national privacy principles to inform any future privacy legislation. In 2011, the Department of Personnel and Training (DoPT) of the Ministry of Personnel and Public Grievances, the same ministry entrusted with implementing the Right to Information Act, 2005, leaked a draft privacy bill, marked ‘Secret’, on the internet. This 2011 DoPT Bill received substantive criticism from the Attorney General and other Department Secretaries for clumsy drafting. A new version of the DoPT Bill was drafted and, it was reported a few days ago, sent to the Ministry of Law for consideration. This revised DoPT Bill, which presumably contains chapters to regulate surveillance including the interception of communications, has not been made public.

The need for privacy legislation cannot be overstated. The Snowden affair lucidly reveals the extent of possible state surveillance of private communications. For Indians who must now explore last resorts to protect their privacy against the juggernaut of state and private surveillance, the absence of regulatory law is damning. Permitting, through public inaction, unwarranted and non-targeted dragnet surveillance by the Indian state without reasonable cause would be an act of surrender of far-reaching implications. Information, they say, is power. Allowing governments to exercise this power over us without thought for the rule of law constitutes the ultimate submission possible in a democratic nation-state. And, since none of us are superheroes able to defy surveillance, without the prospect of good laws we would all be subordinate to a new national imagination of control and monitoring, surveillance and profiling. If allowed to come to pass, this would be a betrayal of the foundational idea of India: of a free and democratic state tolerant of dissent.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s