An MHA order authorises 10 central agencies to intercept, monitor, and decrypt information.
Both the BJP and the Congress have placed the responsibility on the other for the recent Ministry of Home Affairs’ surveillance order. Both are somewhat right, which means that both have a great deal to answer for. The order authorises 10 central agencies to intercept, monitor, and decrypt information without explaining the extent of such powers.
The expected criticism of this order has been the state’s vast and potentially unbridled power over private communications. In response, the government has defended the measure on grounds of transparency. As per the government’s logic, the order gives us details of which agencies are involved rather than this matter remaining in the dark. It has also clarified that other safeguards, namely those present in the Information Technology (IT) Act, 2000 read with the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, would continue to apply.
Although the political debate has focused on who is responsible for this order – whether the BJP or the Congress – this is beside the point. The real question is how, in an age of big data, legislation authorising the interception of communications should be framed so as to safeguard individual rights. The original sin is doubtlessly an existing provision in Section 69 of the IT Act. This provision, although problematic even in its initial form in the 2000 Act, was substantially enlarged during a 2008 amendment.
Although the provision has never been constitutionally challenged, it is hard to see how it could survive such a challenge. The provision overreaches constitutional exceptions, such as security of the state and public order, to cover interception as necessary for preventing incitement to the committing of any cognizable offence and for the investigation of any offence. These broad justifications raise the possibility that this provision could become a vehicle for mass surveillance, going beyond case-by-case assessment and targeted action. This apprehension must be gauged alongside the reality of India’s Central Monitoring System, already in place in respect of telecom data, which processes huge amounts of metadata and offers immense surveillance possibilities.
Moreover, the provision gives a carte blanche to the Union to prescribe procedures and safeguards that determine its discretion. The Union, as one might expect, came up with few limitations on its own power while drafting the 2009 Interception Rules, by and large following the directives of the Supreme Court in PUCL (1996) – a case against personalised telephone tapping that was never meant to guarantee effective protection against big data surveillance.
The Interception Rules formalised an ad hoc bureaucratic review committee that evaluated interception requests after the act of interception had already taken place. Rule 9 was particularly problematic, expanding the scope of interception to cover computer resources likely to be used for the generation, transmission, receipt, or storage of information, including that relating to any subject, from or to any set of premises. Thus, no realistic geographic or subject-matter boundaries existed to provide checks on the exercise of power. Under the Interception Rules, intermediaries that fail to assist with interception requests would attract penal liability of up to seven years of imprisonment. This ensured that intermediaries would accede to most interception requests without second-guessing the rationale.
This problematic structure that gives wide powers to the state, that provides for no independent review, and that incentivises over-compliance on the part of intermediaries, is made notably worse by the new order. In vesting authorities such as the Narcotics Control Bureau, Enforcement Directorate, Department of Revenue Intelligence and the Central Board of Direct Taxes with the power to intercept, monitor, and decrypt, the union government reveals its intent to enlist actors that wield extensive powers on a more daily basis, and in respect of more routine matters, and make them surveillance foot soldiers on the pretext of investigating an offence or preventing incitement to its commission.
Considering online intermediaries are already vulnerable to over-compliance, the privacy threat is amplified when the request comes from agencies that impact their daily business. Moreover, the nature of agency surveillance is such that each agency builds on the data already in its hands. The taxman may have some suspicion of tax fraud and based on this subjective knowledge could request for information that has no real connection with the probe, as no safeguards exist to weed out such requests before they are made. The real effect of this order, therefore, is to enhance intermediary compliance with interception requests that are otherwise unlawful, and at a scale that would qualify as mass, rather than targeted, surveillance due to the wide variety of agencies enlisted for the task.
Both Section 69 and the new order raise serious constitutional challenges. This is especially so after the Supreme Court’s decisions on privacy and Aadhaar. In the latter, the court insisted on judicial oversight when Aadhaar data is sought – and in that case, the grounds are much more tightly confined to national security interests.
Digital surveillance under the IT Act needs a similar re-examination, both in the light of these judicial developments and because of the new concerns raised in the big data age. By blaming one another, both the BJP and the Congress are shifting the entire responsibility on the other for Section 69 and the new order. In reality, both sides are complicit in an extraordinary aggrandisement of state power that has little legal basis.
Madhav Khosla, co-editor of the Oxford Handbook of the Indian Constitution, is a junior fellow at the Harvard Society of Fellows. Ananth Padmanabhan is a Fellow at the Centre for Policy Research. His Twitter handle is @ananth1148