The Pegasus Project report has once again brought forth the issue of surveillance in India, at a time when our leaders are under close examination during the monsoon session of the parliament.
The findings of the investigative project carried out by the Paris-based non-profit journalism group Forbidden Stories along with Amnesty International have created widespread panic and manic discussions since their release on July 18. The project, carried out by 80 journalists across 16 media organisations around the world, has highlighted frightening revelations of the Pegasus spyware licensed by Israel’s NSO Group.
The target list scrutinised mentions 50,000 numbers including those of prominent politicians, officials, and journalists mainly in India, Mexico, Morocco, Rwanda and the UAE. According to the most recent update, contacts of 14 heads of state – three sitting presidents including France’s Emannuel Macron, three prime ministers including Pakistan’s Imran Khan, seven former prime ministers included while in office and Morocco’s King Mohammed VI – are also a part of the target list. Although, without forensic access to any of the targeted numbers, it cannot be confirmed whether any of their phones experienced a data breach.
The list is indicative of the numbers of interest to various governments, as per updated reports. According to the NSO’s statement, its client base comprises only “law enforcement and intelligence agencies of vetted governments”, who use the technology for public and national security concerns, in order to counter terrorism and crime. Unfortunately, for India, the discussion over the current government’s hold on the freedom of the press has spiralled further into that of infringement of the fundamental rights of all citizens.
A Surveillance Democracy
According to a 2019 report by Comparitech, a tech review and cybersecurity research and comparison website, India ranks among the top three surveillance states out of the 49 developed countries analysed, third only to Russia and China. In the report’s privacy index, India has been categorised as a country witnessing “systemic failure to maintain safeguards”.
India has three centrally controlled tools for surveillance – the National Intelligence Grid (NATGRID), the Central Monitoring System (CMS) and the Network Traffic Analysis (NETRA). The NATGRID was established in the wake of the 26/11 Mumbai attacks in 2008 along with the National Counter Terrorism Centre and the CMS, under the then home minister P. Chidambaram’s leadership. As per Chidambaram, had a system like NATGRID already been in place, the 26/11 mastermind, David Headley’s movements would have already been tracked and the tragedy could have been avoided. The initiative gathered momentum again in 2016 with the current home minister Amit Shah at the helm. It will form a part of the Centre’s 360-degree database plan.
The CMS’s activities on the other hand move from targeted surveillance to “lawful interception” as per “threat perception”, which involves “real-time monitoring of the voice calls, Internet searches, and online activity of potentially anyone with a mobile phone, landline, and Internet connection”, without the need for a court approval. The NETRA system reportedly can automatically intercept internet voice calls red-flagged by certain keywords.
A 2014 report on India’s surveillance state highlights: “Multiple Indian legislations, including the Indian Telegraph Act and Rules, Information Technology Act and Rules and the Code of Criminal Procedure, contain explicit provisions that allow Central and State Governments to intercept and monitor the nation’s communication networks on several grounds. These grounds are often broadly worded, with generous helpings of terms such as ‘security of the state’ and ‘public safety’ that are never defined with any manner of precision. This effectively grants the Government unsubstantiated access to India’s telephone and Internet networks to retrieve their contents at will.”
The infrastructure and will to regulate seems to have only grown since former CIA analyst Edward Snowden, in 2013, exposed mass surveillance programs like PRISM and TEMPORA that came into existence after the 9/11 attacks in 2001. India’s highly anticipated Automated Facial Recognition System (AFRS), assigned a budget of ₹308 crores, will be able to identify anyone through facial biometrics for CCTV and other video sources. According to several reports analysed by an NLU research paper, facial recognition technology has already been deployed across the country, including a polling station in September 2020 by the Telangana State Election Commission. “In Chennai, it is used to identify “suspicious looking people”; in Delhi, to identify “habitual protestors” and “rowdy elements”; and in Punjab, to gather intelligence in real time,” claims the paper.
A HuffPost exclusive last year outlined the Centre’s plans to use Aadhar for a 360-degree database which will automatically track every Indian and their movements. This proposed National Social Registry or the Social Registry Information System, is being projected as means to ensure welfare to targeted groups, although the use of Aadhar and links to other databases it is used for will automatically integrate various aspects of information for every registered individual. “Multiple harmonised and integrated databases… to integrate religion, caste, income, property, education, marital status, employment, disability and family-tree data of every single citizen.” While it may be argued that government institutions might already have access to such information in terms of census and other sanctioned activities, the Social Registry Information System is unlike it. As per HuffPost, the registry, set to be implemented this year, will not be governed under the Indian Census Act of 1948 and hence, will not mandate confidentiality. There have also been amendments proposed for the Aadhar Act in this respect, to keep in line with the Supreme Court’s ruling on the right to privacy in 2017.
While the apex court has had its reservations about it, the Aadhar project has been described by critics as having the potential of building a police state. There is unchecked misuse of Aadhar by both government and private bodies, something which has also come to the forefront with the vaccine registrations on the Co-WIN portal. Apart from the duplication and fraud of IDs, denial of welfare due to the inability to verify details using the system is something that cannot be passed over in a poverty struck country like India. Adding to this the convenience offered by the Digi Locker app furthers the presence of a surveying entity in our personal space not to mention Aarogya Setu’s contribution in pandemic surveillance.
Lack Of Safeguards
Section 66A (a) under the Information Technology Act, 2000 states that it is punishable for any person to send “any information that is grossly offensive or has menacing character”. However, terms such as “grossly offensive” remain undefined. This makes compliance difficult and whimsical to the judgment of law enforcers. Apart from this, it is problematic given latest developments in cases under the Unlawful Activities (Prevention) Amendment Act, 2019 and the country’s deteriorating image in terms of the freedom of the press.
The new IT notification that came into effect earlier this year makes it mandatory for mediating platforms like WhatsApp, Twitter, and Telegram “to aid in identifying “originator” of “unlawful” messages, while also requiring social media networks to take down such messages within a specific time frame, set up grievance redressal mechanism as well as assist government agencies in investigation”. This overlooks any encryption and privacy safeguards promised by the apps.
The recently appointed IT minister, Ashwini Vaishnaw, denied all “Snoopgate” related claims today in the parliament. While a number of media channels ran that the NGO has turned on its accusations, Amnesty International has released a statement clarifying that it “categorically stands by” its findings in the Pegasus project. “The false rumours being pushed on social media are intended to distract from the widespread unlawful targeting of journalists, activists and others that the Pegasus Project has revealed,” reads the statement.
The IT ministry’s parliamentary committee head, Congress leader Shashi Tharoor has rejected the need for a joint parliamentary committee, stating that his committee would carry out the same procedures. Moreover, he has called for a judicial inquiry instead. “I think if you actually were to do this through a judicial inquiry, you will certainly have a judge with the authority to summon witnesses and documents, to get phones forensically analysed for example to see if there are traces of hacking, may be even to weigh the evidence in a judicial manner and come up with the conclusions,” said Tharoor. Since the request has been made in a personal capacity and not his position as the committee chairman, it is not clear if it will bear fruition. However, Tharoor distinctly outlined that since hacking is punishable under the IT Act, sections 43 and 66, appropriate action will be taken in case of any evidence. He went on to state that even in case of authorised surveillance the basis for it will have to be justified, and if a judicial probe were to be objected by the government, the Commissions of Inquiry Act, 1952 could be implemented. But Tharoor’s certainty in this regard seems misplaced as the appointment of any said commission, as per the definition of the act, shall be made by the “appropriate Government”. The definition does, quite ambiguously, state the appropriate government to be the central or a state government “unless the context otherwise requires”.
The General Data Protection Regulation in the European Union holds surveillance activities accountable, however, such a system does not exist in India yet. The Data (Privacy and Protection) Bill, 2017 and the Personal Data and Information Privacy Code Bill, 2019 are yet to take effect, although the latter does little to hold the government accountable. The onus, however, also falls on citizens and their ethical usage of technology, not to mention the overbearing need for all parties, especially private contractors, to keep the larger benefit of the nation in mind.
Regulatory ambiguity and inaction following instances of data breach are reprehensible but even more so, if we claim to be at par with the Western systems of surveillance in the interest of national security, we should also strive to maintain internationally acceptable standards of data protection and the fundamental right to privacy of citizens. An “Orwellian” state of affairs, while presenting a promising adventure for a literary mind, has no place in the free world.
The Horus Eye is a weekly column written by Divya Bhan analysing current affairs and policies. This column does not intend or aim to promote any ideology and does not reflect the official position of The Sparrow.