Communications surveillance can only take place when regulated by laws that safeguard the freedoms of Indians. Sanctioning law that is just, fair and reasonable and that is open to judicial review is what separates democratic governance from authoritarian actions. In India, the laws that allow communications interceptions are minimal, they do not conform to global best practices and they do not accord the protections afforded by the laws of many other liberal democracies.
To make matters worse, there has been an increasing stream of reports of unlawful surveillance conducted outside the law without proper authority. As far back as 1987, the government, in response to a question by Faiz Mohammed Khan, MP, denied knowledge of illegal phone-taps. Almost three decades later, nothing has changed. Despite several news reports of widespread illegal phone-taps, the government denied knowledge of it in Parliament – in response to a question by Shadi Lal Batra, MP – and, this time, washed its hands off the matter by blaming the telecommunications service providers (TSP). TSPs are only allowed to function within the limits of a licence that is issued by the government; curiously, these licences mandate the use of equipment that easily enables government surveillance while at the same time placing the burden of ensuring privacy on the TSP.
Forcing TSPs to use equipment that enables surveillance and restricts privacy is not new. The United States’ (US) Communications Assistance for Law Enforcement Act, 1994 (CALEA) forced both manufacturers and TSPs to make, modify and use equipment with in-built surveillance-enabling technologies. Many have argued that CALEA directly facilitated the US National Security Agency’s (NSA) warrantless surveillance programme on US citizens from 2001 to 2007.
Although the NSA’s warrantless surveillance was officially discontinued, its rump contained technologies and know-how that continue to be used by the NSA under warrants issued by a secret court established under the Foreign Intelligence Surveillance Act (FISA). Following the enactment of the stringent and privacy-intrusive PATRIOT Act, FISA was amended to ease and broaden the conditions upon which surveillance warrants could be issued in secrecy. The recent disclosures made by Edward Snowden about individual components of the NSA’s warranted surveillance programme, such as PRISM or Boundless Informant, are all a part of this rump programme.
The US is a mass surveillance state with entrenched, highly-capable and pervasive electronic surveillance. The US state commands an unparalleled ability to monitor the everyday lives and information, including communications, of its citizens and possibly many foreigners as well. The US is also a developed democracy with a long and rich jurisprudence of privacy protection and police procedure.
For India, projects like the CMS offer the fantasy of operating the advanced technologies that are used in the world’s developed democracies; but, unlike those countries, the Indian state wishes to achieve this capability without thought for the rule of law or civil liberties. This asymmetry is disturbing, but is not new. The insistence on pushing through unreliable biometric identification cards and insidiously mandating their use for government services without the prior sanction of an Act of Parliament is being criticised by the Supreme Court as this article is being written.
Hopefully, the government will heed this warning, come clean on the CMS, enact a supporting law and strengthen Indian democracy without compromising its national security.
If Deora’s reply to Parliament was true in its entirety, and the CMS will ultimately be no more than an automation of existing targeted interception abilities under the Telegraph Act and Information Technology Act, it will allow the state to bypass TSPs to access information. The government claims that such a measure will strengthen privacy by taking interceptions away from TSPs and thereby prevent a recurrence of a NiiraRadia-like episode.
Depending on how you look at it, this is either simplistic or false. Once completed, the CMS will indeed bypass TSPs but it will not divest them of their technical ability to intercept communications. As carriers of communications, TSPs will continue to be able to access private communications except that, outside the surveillance eye, it will take place unknown.
Further, the Radia incident came to light only because the tapes containing the intercepted communications were leaked by the TSP; the fact of the surveillance and that it was ordered despite there not existing a public emergency or a threat to public safety would not have be known if not for the TSP leak. Hence, the CMS will only further seal unlawful and improper surveillance from public scrutiny while not preventing TSPs from indulging in malpractice either.
For ordinary Indians who want to protect themselves and their communications from state encroachment, the law currently offers little solace. The only solutions appear to be technological. Using public key cryptography to encrypt the text of email messages or moving away from US email providers to those based in jurisdictions that protect privacy are immediate solutions.
Public-key encryption, using PGP or GPG keys, scrambles communications to military-level protection; however, these too are now reportedly vulnerable to new and powerful supercomputers dedicated to decrypting such messages. In many ways, these technological solutions compound the problem for they do not address or question the political appetite for surveillance nor its technocratic reflex.
Bhairav Acharya is a constitutional lawyer practising in the Supreme Court of India. He advises the Centre for Internet & Society, Bangalore, on privacy law and other constitutional issues.
Also read: Turning India into a surveillance state – I
Such articles are only possible because of your support. Help the Hoot. The Hoot is an independent initiative of the Media Foundation and requires funds for independent media monitoring. Please support us. Every rupee helps.