Countering surveillance

Both legal and technical gaps need to be plugged

Over the past few years, the government has taken several steps that have led to apprehensions of India becoming a surveillance state with unchecked and growing powers to spy on citizens. The latest move is the home ministry’s step to create a centralised database of fingerprints, linking all police stations and state fingerprint databases across India. The new Crime and Criminal Tracking Network System (CCTNS) is a work in progress with ambitious plans to add face recognition capability and also link vehicle registrations. There are also reports of the ministry repeatedly asking for access to the Unique Identification Authority of India (UIDAI) biometric database, which contains the data for over one billion citizens. A panel set up by the Securities and Exchange Board of India (Sebi) has recently recommended powers for the market regulator to wiretap and record phone calls in order to enhance its ability to monitor insider trading. The Netra (Network Traffic Analysis) system for internet monitoring has been operational for several years but its exact capabilities are unknown since it is shielded from the Right to Information Act owing to security implications. The government had also mooted creating a social media monitoring hub in order to enable “360-degree monitoring” of the social media activity of netizens. This was put on hold only after the Supreme Court observed that it would be “like creating a surveillance state”.

All this effectively means that the Supreme Court’s historic judgment recognising the right to privacy as a fundamental right is being undermined in practice. That is why until there are specific laws limiting the surveillance powers of governments and protecting the right to privacy, the surveillance activities of the state will likely proliferate. In this regard, the draft legislation of the “Personal Data Protection Bill 2018”, as suggested by the Srikrishna Committee, gives wide latitude to the government to collect and process data in order “to exercise the functions of the state”, without taking the consent of citizens. As such, it does little to limit the powers of government agencies. What makes this legal vacuum even more glaring is the fact that already existing rules limiting the state’s powers to infringe on a citizen’s privacy are not followed in letter and spirit. For instance, although wiretaps are supposed to be authorised only by senior officials for specific purposes, they are done on a truly massive scale. Such can be leaked in the public domain with impunity. But the legal checks are even more important as the years roll by since technological advances make surveillance systems even more invasive and efficient.

To be sure, there may be technical solutions that limit the release of personal data to private operators. For example, the MIT Solid Project (where Solid stands for Social Linked Data) is working to develop a process where social media users can store their data on servers that they personally control. However, the mere existence of technology would not prevent the government from coercively collecting data. That is why there is an urgent need to frame an anti-surveillance law that provides for stringent checks and balances that prevent surveillance overreach. While the state needs to create such capabilities for legitimate reasons, each case of surveillance must be justified by logged requests, with standards set as high as those applied to granting a search warrant. Moreover, the right to forget regulations need to be strengthened so that citizens can ask for data to be deleted from government databases.