Ranjeet Rane, Research Assistant with Takshashila Institution’s Cyber Security Team, argues for an urgent debate between the government and citizens on privacy rights and limitations in India, given the recently implemented Centralized Monitoring System.
While Mr. Edward Joseph Snowden gets to spend a year in Russia thanks to political asylum granted to him by the Russian president, the world is still recovering from the aftermath of the diplomatic quagmire his revelations of the U.S. Mass Surveillance Project brought in its wake. To some, Mr. Snowden is a hero who exposed the machinations of Big Brother. Regardless, the irony in Mr. Snowden’s choice of Russia as the staging ground for his apparent war against clandestine surveillance should not be lost on us.
If one looks beyond the news articles on clandestine surveillance, it would be fair to say that the Snowden incident has now made it necessary to initiate a debate on balancing the concerns of privacy and security in India. Indeed, the need for such is debate is even more pressing given the recent announcement of the Government of India to implement a Centralized Monitoring System (CMS) for the “lawful interception and monitoring” of electronic communication channels in the country comes at a time when the contours of a Privacy law are ill-defined in the country.
In the absence of laws that provide for the safeguarding of privacy and regulating data retention, ordinary citizens lack clarity on how their personal information is collected, stored, used and shared. Such practices are contradictory to the various interpretations of Article 19 & Article 21 of the Indian Constitution by the Supreme Court that indirectly uphold the Right to Privacy.
At present, lawful interception is vaguely defined within various Sections of the colonial-era Telegraph Act 1885. Among the more recent laws, Sections 69 & 69B of the Information Technology Act 2008 further expand the mandate for lawful interception, which may be exercised “when [the authorized officers] are satisfied that it is necessary or expedient” to do so in the interest of:
The sovereignty or integrity of India;
defense of India;
security of the State;
friendly relations with foreign States;
preventing incitement to the commission of any cognizable offence relating to above; or
for investigation of any offence.
The directions under Section 69 can be issued by officers both at the central and state level, directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology. The analogous wording in the section coupled with the lack of exact definitions makes the nature of the powers of the Intercepting Officers synonymous with “discretionary.”
As for Data Retention, Section 67C of the Information Technology Act requires ‘intermediaries’ to maintain and preserve information. The nature of this information and the duration for the same was to be specified in a separate set of Rules to be issued by the Central Government. Apart from the Cyber Café Rules 2011 no such rules have been framed. These Rules have led to a vast database of photo-copies of “ID proof” documents getting collected with cyber cafes across the country. Incidents of such documents been used for acquiring mobile SIM cards have also been highlighted by news reports.
It is clear from the examples above that there is complete lack of accountability and responsibility when it comes to the government controlling private data of the citizens. If the Government of India plans to implement the CMS or is already using Lawful Intercept and Monitoring (LIM) systems, then there is an urgent need for public discourse on this issue.
While current controls and accountability around lawful interception of personal data are not assuring, the ‘voluntary’ collection of citizen data through UID programs require further security provisions and clarity on how such data collected will be stored, which agencies will have access to it and with whom it will be shared. While a one-size-fits-all rule cannot be applied for data collected through interception systems or data voluntarily provided by citizens to avail various government benefits, it doesn’t take away the need to address the issues of privacy associated with both the categories.
Indeed, concerns of privacy cannot be wished away merely by citing vague threats to national security. National security, can of course, trump concerns of privacy in extraordinary circumstances, but these ought to be the exception rather than the rule. The status quo will only add to the rapidly escalating trust-deficit between the Government and its citizens. While the draft of the Right to Privacy Bill has been making the rounds for quite some time, it hasn’t yet been opened for public consultation.
Policies on privacy cannot be formulated only in the privacy of the corridors of power. Ultimately, it is imperative that the Government involve and consider the views of a much wider spectrum of stakeholders while formulating legislation on the basic rights of 1.2 billion people to own, control and share information about themselves.