The hype around the Pegasus case (of allegations that the ‘personal communication devices of a range of people in India, including journalists, civil society activists and politicians were targeted illegally using the Israeli-made spyware’) and the misplaced hope in the Supreme Court of India (which had appointed a committee to probe the allegations) that the probe outcome would be decisive have now been deflated. There is something terribly amiss which will unfold over time, to reveal that the Centre and the States operate like a police state when it comes to surveillance. Corporations have and carry out the same level of surveillance, completely unfettered by the law. We perhaps placed too much hope in the central government and the Supreme Court. The Court did not have the courage to force the Government to disclose its intrusive activities. “None of your business” was the message sent out by the Union government. Perhaps setting up the committee itself was an exercise in futility.
As far back as 1986, in the Wiretap Act in the United States, the law prohibited private agencies from engaging in surveillance. When government seeks permission to do surveillance it must apply to a Federal Court, and only when there is “no other option”. Thirty-six years later, in India, corporate houses snoop on activists and competitors at will and collect huge dossiers on “persons of interest”.
In 1997, in Ireland, the Report on Privacy was released with its focus on private parties and it recommended the recognition of a new statutory tort. The report complained of the legal vacuum created by new technology outpacing laws and said that this was a classic case for law reform. Spying by governments was the new threat on the horizon.
The Patriot Act 2001 (or Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001) enacted to counter international terrorism also required court approval. Much before this, the 11-member United States Foreign Intelligence Surveillance Court was established in 1978 when Congress enacted the Foreign Intelligence Surveillance Act (FISA). The court was a reaction to political spying. In the U.S. Office of the Director of National Intelligence, a civil liberties protection officer was appointed to report to Congress.
Checks and balances
Here are some other examples.
The New South Wales Law Reform Commission, 2005 established the office of the privacy commissioner with inspectors to investigate complaints.
The United Nations contributed to the development of a legal framework evolving the “no secret” rules. For a government to say that it needed to do surveillance in “national interest” was not good enough at all. As the European Court of Human Rights held, “a secret surveillance system can undermine or even destroy democracy under the cloak of defending it”. Court warrants were required to obtain information, the intrusion was to be supervised by independent bodies, records of all surveillance were to be meticulously kept, and notices were to be given to those under surveillance. The principle of maximum disclosure would govern surveillance law. Journalists were recognised as being particularly vulnerable.
The Venice Commission Report, 2015 categorically stated that the right to privacy framework was not good enough in the evolving context of long-term societal harm. Independent control and oversight was necessary which included control over the executive, parliamentary oversight, judicial review and oversight of expert bodies. These reforms that took place in Europe seven years ago have yet to reach Indian shores.
Practice 6 of the UN Good Practices on Oversight Institutions includes the setting up of a civilian independent institution. Practice 7 empowers this institution to carry out an investigation and have unhindered access to information. Practice 9 empowers individuals to complain to a court.
The Indian scene is murky
In India, authorities authorise 9,000 interception orders every month, and these orders are not issued by courts but by police officers. Facial recognition technology that is found to be violative of human rights in several countries is routinely resorted to in India, with hardly any protest. Both the European Union and the United States stopped facial recognition sometime ago. The Citizen Lab, a digital surveillance research agency based in Canada, published a report (“Planet Blue Coat: Mapping Global Censorship and Surveillance Tools”) saying “Blue Coat devices are being used around the world ... we found these appliances in India”. The report talks about a software “PacketShaper” — “we discovered PacketShaper installations in India”.
According to another report by Citizen Lab, a surveillance software called “FinFisher” has been found on servers in India. The report says “FinFisher is a line of remote intrusion software whose products are marketed exclusively to law enforcement and intelligence agencies. FinFisher has gained notoriety because it has been used in targeted attacks against human rights campaigners in countries with questionable human rights records. We have found command and control servers for FinSpy in India”. The UN General Assembly “Report of the Special Rapporteur” 2013 has said, “[The] Government of India is proposing to install a centralised monitoring system that will route all communications to the central government allowing security agencies to bypass the service provider [,] thus taking surveillance out of the realm of judicial authorisation and eliminating accountability on the part of the State”. In 2013, The Guardian published a news article placing India at fifth position among countries where the largest amount of intelligence was gathered.
In 2014, the Delhi police issued a tender inviting technology companies to supply Internet monitoring equipment; 26 Indian and foreign companies expressed interest. In 2014, the Centre for Internet and Society, India, published a report titled “The Surveillance Industry in India”, which describes the activities of ClearTrail technologies (an Indian company) and the company’s “mass monitoring, Deep Packet inspection”.
There is more.
In 2015, a leading private television channel published an article titled “UPA was client of controversial Italian Spyware firm”. In the same year, a leading business daily published an article, “Why Indian Intelligence uses small companies for spying technology”. In 2016, another leading English daily published an article that described the setting up of the National Cyber Coordination Centre (NCCC). In 2018, the Justice B.N. Srikrishna Committee submitted a report to the Government which stated that “much intelligence gathering does not happen under the remit of the law, there is little meaningful oversight and there is a vacuum in checks and balances to prevent the untrammelled rise of a surveillance society”. In 2019, a news and opinion website quoted a former Home Secretary as saying that he was aware that the Israeli tech firm, NSO, had sold spy software to private firms and individuals in the country.
Instead of wasting time inspecting mobile phones and coming up with hardly any conclusion, the Supreme Court of India could do well to follow the extensive precedents developed abroad and enable binding orders that severely curtail the unlawful surveillance going on in India by the Government and private parties alike.
Colin Gonsalves is a senior advocate practising in the Supreme Court of India. The views expressed are personal