Cyber-spying and surveillance

News:

Recent revelations about cyber-spying and surveillance have highlighted the multiple lacunae in India’s cyber-security regulatory regime for protecting data privacy.

Recent threats:

• It has been alleged that a Chinese firm, Zhenhua Data Information Technology, keeps tabs on 10,000-odd Indian citizens.
• There have also been revelations about Facebook misusing permission granted to the app of its subsidiary, Instagram, to track user activity.
• TV channels have also released and sensationalized what is claimed to be Whatsapp messages gathered by Indian security agencies investigating Bollywood celebrities.
• There are several different points worth noting from the above incidents. One is the lack of specific legislation governing the private data of Indian citizens. The Supreme Court in 2017 affirmed privacy was protected as a fundamental right. But the government has not passed laws to protect the right.

Is surveillance of this kind illegal in India?

• First, it’s important to explain that there are legal routes to surveillance that can be conducted by the government.
• The laws governing this are the Indian Telegraph Act, 1885, which deals with interception of calls, and the Information Technology (IT) Act, 2000, which deals with interception of data.
• Under both laws, only the government, under certain circumstances, is permitted to conduct surveillance and not private actors.
• Moreover, hacking is expressly prohibited under the IT Act. Section 43 and Section 66 of the IT Act covers the civil and criminal offenses of data theft and hacking respectively.
• Section 66B covers punishment for dishonestly receiving stolen computer resource or communication. The punishment includes imprisonment for a term which may extend to three years.

What do the Rules say?

• The rules state that only the competent authority can issue an order for the interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource (mobile phones would count).
• The competent authority is once again the Union Home Secretary or State Secretaries in charge of the Home Departments.
• In December 2018, the Central government created a furor when it authorized 10 Central agencies to conduct surveillance.
• In the face of criticism that it was building a ‘surveillance state’, the government countered that it was building upon the rules laid down in 2009 and the agencies would still need approval from a competent authority, usually the Union Home Secretary.
• The 2018 action of the Union government has been challenged in the Supreme Court.

How broad are the laws regarding legal surveillance?

• The framework for understanding the checks and balances built into these laws dates back to 1996.
• In 1996, the Supreme Court noted that there was a lack of procedural safeguards in the Indian Telegraph Act. It laid down some guidelines that were later codified into rules in 2007. This included a specific rule that orders on interceptions of communication should only be issued by the Secretary in the Ministry of Home Affairs.
• These rules were partly reflected in the IT (Procedures and Safeguards for Interception, Monitoring, and Decryption of Information) Rules framed in 2009 under the IT Act. 
• The rules state that only the competent authority can issue an order for the interception, monitoring, or decryption of any information generated, transmitted received, or stored in any computer resource (mobile phones would count). The competent authority is once again the Union Home Secretary or State Secretaries in charge of the Home Departments.

What about the Supreme Court's verdict on privacy?

• The Supreme Court in a landmark decision in August 2017 (Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Others) unanimously upheld the right to privacy as a fundamental right under Articles 14, 19, and 21 of the Constitution.
• It is a building block and an important component of the legal battles that are to come over the state’s ability to conduct surveillance.
• But as yet a grey area remains between privacy and the state’s requirements for security.
• In the same year, the government also constituted a Data Protection Committee under retired Justice B.N. Srikrishna.
• It held public hearings across India and submitted a draft data protection law in 2018 which Parliament is yet to enact.
• Experts have pointed out, however, that the draft law does not deal adequately with surveillance reform.

Surveillance laws of other countries:

• In the US, the government has to obtain a warrant from a court in each case and crucially, establish probable cause to believe an electronic search is justified.
• After the 9/11 attacks in 2001, the USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act was passed. Under this Act, the U.S. government used phone companies to collect information on millions of citizens and these were part of revelations made by the whistleblower Edward Snowden in 2013. 
• In October 2019, the U.K.-based security firm Comparitech did a survey of 47 countries to see where governments are failing to protect privacy or are creating surveillance states. They found that only five countries had “adequate safeguards” and most are actively conducting surveillance on citizens and sharing information about them.
• China and Russia featured as the top two worst offenders on the list.
• India is the number three worst offender because its data protection Bill is yet to take effect and there isn’t a data protection authority in place.

Individual privacy and Surveillance:

• The Supreme Court in a landmark decision in August 2017 (Justice K. S. Puttaswamy vs Union of India and Others) unanimously upheld the right to privacy as a fundamental right under Articles 14, 19, and 21 of the Constitution.
• It is a building block and an important component of the legal battles that are to come over the state’s ability to conduct surveillance. But still, a grey area remains between privacy and the state’s requirements for security.
• In the same year, the government also constituted a Data Protection Committee under retired Justice B.N. Srikrishna.
• It held public hearings across India and submitted a draft data protection law in 2018 which Parliament is yet to enact.
• Experts have pointed out, however, that the draft law does not deal adequately with surveillance reform.

Citizen responsibility:

• Every 21st-century individual generates a lot of data. Much of this — such as Facebook posts, Twitter data, and location data — is public by default, unless the individual in question actively chooses to restrict access to that.
• In many instances, individuals who are not cyber-savvy are unaware of the quantity and type of data they generate. Most users give permission to apps and programs to gather data, and use cameras, record locations, and monitor phone calls without bothering to read end-user license agreements.
• This means a user may install an app while being unaware that the app is monitoring all activity on the device with legal permission. This is an area where citizens have to take personal responsibility.

Way forward:

• Until the legislative lacunae are addressed, and until citizens become more aware of the privacy implications of granting permission to various apps, the data (or cybersecurity) of Indian citizens will remain highly insecure, with no possible legal redress for misuse.
• The government should get the relevant laws passed as soon as possible as the rising use of technology will increase the vulnerability of Indian citizens every passing day.