There's nothing personal if you are connected to the Internet. A November 26 report by Google's Threat Analysis Group revealed that about 500 users in India were targeted by government-backed attackers who tried to steal account passwords through phishing e-mails.
This came less than a month after WhatsApp sued Israeli company NSO Group for using the messaging platform for conducting surveillance. According to WhatsApp's lawsuit, NSO's Pegasus malware was used for breaking into mobile phones of 121 Indian journalists, lawyers and human rights activists, among others.
The NSO has claimed that it provided technology solutions to governments, and government-authorised agencies, for surveillance aimed at combating terror and crime. New Delhi has denied buying Pegasus, and has asked WhatsApp to explain the security breach.
Irrespective of whether the government or its intelligence agencies have bought the technology, the truth is some Indians may be under electronic surveillance -- as indicated in a lawsuit filed by WhatsApp and Google’s threat report -- and they probably do not know anything about it.
The bitter truth is, surveillance by the State is legal under certain circumstances. On November 19, Union Minister of State for Home G Kishan Reddy, in a written reply to Parliament, said that the government (Centre and state governments) is "empowered" by the law to authorise agencies to intercept, monitor or decrypt “any information generated, transmitted, received or stored in any computer resource”. However, it is "subject to safeguards as provided in the rules".
Even if the government is empowered to do so, there is no specific law that regulates surveillance by a government or its empowered agencies. Citizens also have no recourse if the state or any of its actors misuse the law.
Let's look at the existing legal frameworks that allow a government or a government agency to conduct surveillance.
The Indian Telegraph Act, 1885 allows interception of calls, and the Information Technology (IT) Act, 2000 permits interception of data by the government under certain circumstances. Hacking, however, is a criminal offence. There’s more. The IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, framed in 2009 under the IT Act, note that only a competent authority can issue an order for the interception, monitoring or decryption of any information generated, transmitted, received and stored in any computer resource, which includes mobile phones. The competent authority is the Union Home Secretary or secretaries in charge of the state home departments.
So, all it takes is one Secretary to say yes!
In December 2018, the Centre authorised 10 agencies -- the Intelligence Bureau, the Central Bureau of Investigation, the National Investigation Agency, the Research & Analysis Wing, the Directorate of Signal Intelligence, the Narcotics Control Bureau, the Enforcement Directorate, the Central Board of Direct Taxes, the Directorate of Revenue Intelligence and the Delhi Police Commissioner -- to conduct surveillance. This authorisation came under huge criticism that the government was building a “surveillance state”. The government countered it with an argument that it was doing everything under existing legal frameworks. However, this has been challenged in the Supreme Court by four separate public interest litigations. In January, the court had sought a reply from the government on the surveillance order.
On the other hand, the Constitution of India recognises "privacy" as a fundamental right (Articles 14, 19 and 21). The Supreme Court, in August 2017, unanimously upheld the right to privacy as a fundamental right in a landmark judgment in the Justice KS Puttaswamy (Retd) vs Union of India case.
The question may be which should be given preference -- privacy for an individual, or the State's need for surveillance to ensure its citizens are safe? Individual privacy can never be an absolute right if there is the slightest chance that it might put the country's security at risk. That’s true for any nation in the world. What needs to be done is to ensure that the State’s power to conduct surveillance is not misused.
Under the current legal frameworks, all it takes to conduct surveillance on any individual is to get the permission of a secretary, as mentioned above. This is where the breach is likely to take place. A solution for this could be to bring this under judicial purview, supported by evidence to back up the need for surveillance of any individual. Something similar, probably a more stringent system, is followed in the United States.
Following the above-cited Google and WhatsApp security breaches, there is a need for a separate law to regulate surveillance by the government. Justice BN Srikrishna, who headed the committee that drafted the proposed Personal Data Protection Bill, 2018 (originally submitted on July 27, 2018), has also said in an interview to The Economic Times that a “special law” should be framed to regulate how government and its agencies monitor its citizens using technology tools.
The truth is, there are a lot of grey areas and legal loopholes between the concept of ‘right to privacy’ and the government’s requirements for security when it comes to protecting the State. These loopholes need to go.