With the gap between public and private information narrowing, the line between what is legally permissible and what is not needs a relook. A smartphone can be a goldmine or a landmine depending on which side of the law you find yourself in. A perfectly bona fide action in the virtual world can be misconstrued as mala fide, jeopardising individual freedom and liberty.
Between these extremes, balancing the needs of society and the sacrosanct private space of an individual is the preserve of law enforcement. What we need, therefore, are mechanisms that ensure a balanced equilibrium between the privacy-liberty dimension and the well-being of society, besides the needs of law enforcement, public order, and national security.
Impediments to law enforcement
Despite some legal backing, gaps allow for almost unbridled use and abuse of discretion on the one hand and literally ‘cage’ the law enforcement efforts on the other. Law enforcement, security, and intelligence efforts may require the agencies to ‘collect’ data from individuals or companies. Numerous such data-identifiers exist ‘away’ from personal devices – the ‘meta-data’.
Meta-data exists with service providers and intermediaries through which we connect, or apps to which we give permissions. Such data can be useful for law enforcement purposes but also for targeted advertising and business. However, users don’t have the option to selectively accept the terms of the end-user license agreements.
Personal data that exists with service providers can be accessed by law enforcement and security agencies, almost exclusively. Individual users don’t have access to most such meta-data, even for crimes like stolen mobile phones where they are victims. Their options are limited to approaching law enforcement agencies who may not evince much interest in what they consider ‘petty’ cases.
In contrast, security and law enforcement agencies can not only seek the meta-data from ‘service providers’ but also seize users’ equipment for purposes of investigation.
Service providers have designated ‘nodal officers’ for coordination with law enforcement agencies. They follow stringent protocols before sharing data – being particularly hesitant unless the information sought pertains to a criminal case.
Law enforcement and legal procedures enable officials to seize equipment that may have evidentiary value. When electronic equipment is seized in bulk, the accused or the witnesses or even the victims are inconvenienced, often disproportionately.
Instances where investigative, security, and intelligence agencies need to consider pre-emptive measures traditionally involve ‘lawful’ or ‘authorised interception’ of telephonic communications. The procedures with checks and balances for such interception have generally worked well. However, this system has probably outlived its utility — a very small proportion of communication now occurs by traditional voice-telephony or ‘SMS’ messages, with more taking place on OTT (over the top) applications.
Law-enforcement and security agencies are clearly disadvantaged, their hands are tied, and the scope of pre-emptive and preventive action has shrunk. They are left to adopt more circuitous and time-consuming paths. The chances of security being jeopardised have increased.
Five-Eyes capabilities, grey world, data misuse
The “Five-Eyes” consortium sits on ‘mass data’ collected globally by squatting on big-data pipelines. They grab all the data generated on the internet anywhere in the world but diving deep into this data is a humongous task, requiring specific inputs/queries from the ‘seeker-consumers’. Data extraction from the ‘storage dumps’ requires complicated and sophisticated algorithms, some of which were revealed by American whistleblower Edward Snowden.
Surveillance of internet traffic on a ‘real-time’ basis requires massive human, technical, and artificial intelligence capabilities. Multiple usages of terms/words/phrases, use of code words and encryption queer the pitch further for the law enforcement and security agencies.
Although there are defined legal procedures and procedural safeguards, the world of security and intelligence work is murkier and quirkier – only bordering on the unconventional. Most intelligence work is carried out in almost absolute secrecy. Even when there are legal limits imposed, the cloak of secrecy could enable almost anything to squeeze through.
Despite the piles of data available, the quality of the output depends on the quality and specificity of queries. But with bulk data analysis, where human memory fails, data would succeed.
When law enforcement or security agencies legally seize electronic equipment, there is a risk of the data from such devices being used or abused in the form of a virtual ‘witch-hunt’. This elucidates the importance of maintaining some degree of ‘exclusivity’ of data use so that privacy and liberty are not sacrificed at the altar of prosecution and persecution.
There is, thus, a crying need for a ‘specificity clause’ in the laws so that attempts at persecution can be minimised. International law and practice on extradition have accepted this paradigm — ‘Doctrine of Specificity’ — whereby a person extradited for one offence cannot be prosecuted for any other offence. India’s law enforcement needs an equivalent balance.
A framework that strikes a balance
Individual liberty and privacy ought to be balanced with the needs of society at large and the law enforcement agencies. Advances in cyber forensics have alleviated painful ‘equipment deprivation’ through device imaging for investigation.
Apart from the lawful interception of telephone communications on a real-time basis, Indian laws do not currently authorise any legal interference in the virtual world except by way of seizure of devices. Interference in the virtual world is neither enabled nor permissible legally.
Even under the Information Technology Act, there is no legal immunity, exemption or privilege bestowed upon the law enforcement and intelligence agencies. The IT Act is silent on the powers of the law enforcement officers and neither expands nor circumscribes the powers ordinarily available. Meanwhile, criminals have adeptly used technology to hatch conspiracies and fly under the radar.
There is a compelling need for devising and putting in place a mechanism that enables the law enforcement and security agencies to effectively intervene, legally, without having to adopt grey tactics. Intelligence and security agencies sometimes undertake operations to obtain information and data through extra-legal means, often bordering on illegal. Presently, most surveillance in the virtual space is without a supporting or enabling legal framework.
Existing laws do not provide any legal immunity either for the State or non-State actors involved in virtual space surveillance. The immunity being exercised borders on impunity rather than legality – executive or State protection rather than law. There is a strong case for ‘lawful protection and immunity’ for acts done by the State or under the authority of the State or in the aid of the State. This lawful protection can be dovetailed with ‘controlled operations’ for optimum results. The United Kingdom’s Investigatory Powers Act, 2016, which empowers law enforcement and security agencies while circumscribing their limits, is a good example to emulate.
Our intelligence and law enforcement agencies tread a thin line between lawful activities and illegal or extra-legal ones. Rather than working in an environment of ambiguity, flux and uncertainty, firm legal parameters need to be prescribed – both the enablers and the constraints.
With a better enabling environment, the law-enforcement and security-intelligence agencies, given their exemptions and immunities, would be able to deliver better results than in the current environment, which severely restrains them from walking the proverbial ‘extra mile’ in making lives secure.
The author is Director General of Police, Prisons, Homeguards and Civil Defence, Nagaland. He tweets @rupin1992. Views are personal.
(Edited by Prashant)