The story so far: On October 30, many publications reported that phones of several dozen Indian journalists, lawyers and human rights activists had been compromised using an invasive Israeli-developed malware called Pegasus. Messaging platform WhatsApp, through which the malware was disseminated, has reported that 121 individuals were targeted in India alone. A lawsuit was filed against Israeli cyberintelligence firm NSO by WhatsApp and its parent company Facebook in a U.S. court in California on October 29, accusing it of using their messaging platform to despatch Pegasus for surveillance to approximately 1,400 mobile phones and devices worldwide. The NSO claims that it only sells the software to governments but the Indian government has denied purchasing it and has asked WhatsApp to explain the security breach.
Is surveillance of this kind illegal in India?
Yes. First, it’s important to explain that there are legal routes to surveillance that can be conducted by the government. The laws governing this are the Indian Telegraph Act, 1885, which deals with interception of calls, and the Information Technology (IT) Act, 2000, which deals with interception of data. Under both laws, only the government, under certain circumstances, is permitted to conduct surveillance, and not private actors. Moreover, hacking is expressly prohibited under the IT Act. Section 43 and Section 66 of the IT Act cover the civil and criminal offences of data theft and hacking respectively. Section 66B covers punishment for dishonestly receiving stolen computer resource or communication. The punishment includes imprisonment for a term which may extend to three years.
How broad are the laws regarding legal surveillance?
The framework for understanding the checks and balances built into these laws dates back to 1996. In 1996, the Supreme Court noted that there was a lack of procedural safeguards in the Indian Telegraph Act. It laid down some guidelines that were later codified into rules in 2007. This included a specific rule that orders on interceptions of communication should only be issued by the Secretary in the Ministry of Home Affairs.
These rules were partly reflected in the IT (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules framed in 2009 under the IT Act. The rules state that only the competent authority can issue an order for the interception, monitoring or decryption of any information generated, transmitted, received or stored in any computer resource (mobile phones would count). The competent authority is once again the Union Home Secretary or State Secretaries in charge of the Home Departments.
In December 2018, the Central government created a furore when it authorised 10 Central agencies to conduct surveillance — the Intelligence Bureau, the Central Bureau of Investigation, the National Investigation Agency, the Research & Analysis Wing, the Directorate of Signal Intelligence, the Narcotics Control Bureau, the Enforcement Directorate, the Central Board of Direct Taxes, the Directorate of Revenue Intelligence and the Delhi Police Commissioner. In the face of criticism that it was building a ‘surveillance state’, the government countered that it was building upon the rules laid down in 2009 and the agencies would still need approval from a competent authority, usually the Union Home Secretary. The 2018 action of the Union government has been challenged in the Supreme Court.
What about the Supreme Court verdict on privacy?
The Supreme Court in a landmark decision in August, 2017 ( Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Others ) unanimously upheld right to privacy as a fundamental right under Articles 14, 19 and 21 of the Constitution. It is a building block and an important component of the legal battles that are to come over the state’s ability to conduct surveillance. But as yet a grey area remains between privacy and the state’s requirements for security.
In the same year, the government also constituted a Data Protection Committee under retired Justice B.N. Srikrishna. It held public hearings across India and submitted a draft data protection law in 2018 which Parliament is yet to enact. Experts have pointed out, however, that the draft law does not deal adequately with surveillance reform.
Do other countries have stricter laws against surveillance?
This continues to be a grey area around the world. Take the U.S. for example. Electronic surveillance is considered a search under the Fourth Amendment which protects individuals from unreasonable search and seizure. Thus the government has to obtain a warrant from a court in each case and crucially, establish probable cause to believe a search is justified. It also has to provide a specific time period under which the surveillance is to be conducted and to describe in particularity the conversation that is to be intercepted. There are very few exceptions, or exigent circumstances under which the government may proceed without a warrant.
After the 9/11 attacks in 2001, the USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act was passed. Under certain provisions in this Act, the U.S. government used phone companies to collect information on millions of citizens and these were part of revelations made by the whistleblower Edward Snowden in 2013. Many aspects of the PATRIOT Act, particularly those involving surveillance, were to lapse after a certain time period but they were re-authorised by Congress. It’s an issue the U.S. still struggles with and several rights groups argue that the Act violates the Constitution.
In October 2019, the U.K.-based security firm Comparitech did a survey of 47 countries to see where governments are failing to protect privacy or are creating surveillance states. They found that only five countries had “adequate safeguards” and most are actively conducting surveillance on citizens and sharing information about them. China and Russia featured as the top two worst offenders on the list. Number three on the list? India, primarily the report says, because its data protection Bill is yet to take effect and there isn’t a data protection authority in place.