## Friday, May 18, 2018

### India's communication surveillance through the Puttaswamy lens

by Vrinda Bhandari, Smriti Parsheera and Faiza Rahman.

"In an uncivilized society where there are no inhibitions, only physical restraints may detract from personal liberty, but as civilization advances the psychological restraints are more effective than physical ones. The scientific methods used to condition a man's mind are in a real sense physical restraints, for they engender physical fear channelling one's actions through anticipated and expected grove" --- Justice Subba Rao's minority view in Kharak Singh vs Union of India (1964).

### Introduction

Post the Snowden leaks in 2013, the international political community has been faced with complex debates around the state's need to conduct surveillance activities and its impact on the privacy of individuals. In India, this debate has gathered steam with concerns around the surveillance capabilities of the Aadhaar framework and the Supreme Court affirming privacy as a fundamental right in KS Puttaswamy v. Union of India. However, the Court in the Puttaswamy case also clarified that the right to privacy, like any other fundamental right, is not absolute and the state may have an interest in placing reasonable restrictions on this right in pursuance of legitimate aims such as protecting national security, preventing and investigating crime, encouraging innovation, and preventing the dissipation of social welfare benefits. Apart from indicating the broad parameters for restrictions to the right to privacy, a majority of the judges (Chandrachud J. speaking for 4 judges and Kaul J.) endorsed a European law-style proportionality framework to balance the right to privacy against competing interests.

In his dissent in the Kharak Singh case, Justice Subba Rao un-tethered the concept of privacy from the home and extended it to the idea of "psychological restraint", a precursor to the chilling effect argument. The majority in Puttaswamy too, acknowledged the chilling effect of surveillance on speech, movement, and activities of individuals. This becomes particularly important in the context of surveillance in the digital age -- ready availability and ease of access to information should not become a source for indiscriminate or mass surveillance.

While the need for lawful access by law enforcement agencies (LEAs) cannot be denied, what we need is a legal framework that lays down clearly defined parameters around who can gain access to personal information, under what circumstances and the legal process for the same. In this post we discuss the extent to which India's current communication surveillance practices are likely to withstand scrutiny under the tests identified by the judges in the Puttaswamy case.

### How the proportionality standard works

Among other things, the Puttaswamy verdict is significant for its extensive reliance on the rich privacy and surveillance jurisprudence from the United States, Canada, Europe and United Kingdom and its endorsement of the International Principles on the Application of Human Rights to Communication Surveillance (Necessary & Proportionate Principles, 2013). These principle require the government to demonstrate that surveillance was absolutely necessary and there was no other less-restrictive means of achieving the legitimate aim. The principles include requirements of judicial oversight, due process, user notification (under certain circumstances) and transparency. Drawing from this body of work, the judges in the Puttaswamy case identify the following four steps to assess the constitutional validity of a law that infringes upon the privacy and personal liberty of an individual:

1. Legality: The existence of a law.
2. Legitimate goal: The law should seek to achieve a legitimate state aim (Chandrachud J.).
3. Proportionality: There should be a rational nexus between the objects and the means adopted to achieve them (Chandrachud J.). The extent of such interference must be proportionate and "necessary" to achieve its stated aim (Kaul J.). Justice Kaul's opinion can be read to espouse the European standard of least restrictive means.
4. Procedural guarantees: To check against the abuse of state interference (Kaul J.)

We take the example of three kinds of communication surveillance tools being deployed in India -- interception of phone calls under the Telegraph Act; direct access to communication flows by government agencies under the Centralised Monitoring System (CMS); and restrictions on encryption of data -- to assess how they would fare under the Puttaswamy tests.

### Applying the Puttaswamy tests to communication surveillance in India

In India, basic powers to carry out surveillance-related activities flow from the provisions of the Indian Telegraph Act, 1885 (Telegraph Act), the Information Technology Act, 2000 (IT Act), the Code of Criminal Procedure, 1973 (CrPC) and the rules framed under those laws. These provisions empower the police as well as central agencies like the Intelligence Bureau, Narcotics Control Bureau, Directorate of Enforcement, National Investigation Agency, Research and Analysis Wing and others to gain access to a person's messages, calls and data transmissions for certain identified purposes. The processes laid down under the law are supplemented by "standard operating procedures" issued by the Ministry of Home Affairs and the Department of Telecommunications to LEAs and telecom service providers (TSPs), respectively.

As per a right to information (RTI) response sought by SFLC an average of 7500 - 9000 telephone-interception orders are issued by the central government each month. Add to this, the orders for data interception issued under the IT Act and orders issued by the state governments and the total figure is likely to be staggeringly high. Information revealed under Google's transparency report offers another indication of the volume of requests made by Indian authorities -- in 2017 Google received 8,351 user data disclosure requests from India, affecting about 14,932 user accounts.

The lack of a transparent mechanism to report the total volume of surveillance activities being undertaken by government agencies presents a major challenge. While some pieces of information can be sewn together from RTI requests, Parliament questions and initiatives like Google's transparency reports, this cannot substitute the need for direct information disclosures by the intelligence bodies themselves. The fact that many of these agencies and programmes have their basis in executive action, and do not have statutory legitimacy, only magnifies these concerns.

While the Government has recognised nine central LEAs and the state police authorities to conduct lawful interception activities, there is an absence of legal or institutional oversight over the exercise of these powers by the various agencies. An attempt to address this issue was made through a private members Bill, The Intelligence Services (Powers and Regulation) Bill, 2011, that sought to regulate the functioning and exercise of powers by Indian intelligence agencies, specifically the IB, RAW, and the NTRO. The Bill also provided for a Designated Authority for authorisation procedures and systems of warrants (for surveillance), a National Intelligence and Security Oversight Committee for oversight, and a National Intelligence Tribunal for investigating complaints against these three agencies. However, the Bill lapsed in October 2012, and these intelligence agencies continue to lack legislative backing, further raising questions about the proportionality of surveillance operations in India.

Lawful interception under the Telegraph Act

Section 5(2) of the Telegraph Act empowers the state to conduct lawful interception of phone calls and messages under certain specified circumstances. The constitutionality of this framework was upheld by a two-judge bench of the Supreme Court in PUCL v. Union of India (1997), subject to the adoption of appropriate procedural safeguards. This resulted in the subsequent amendment of the Telegraph Rules, 1951 to incorporate Rule 419A containing the procedure suggested by the Supreme Court. We examine below how the surveillance processes under this law are likely to be treated in case of a fresh challenge post the Puttaswamy verdict, specifically in light of the four tests identified by the judges.

Legality: The central and state governments clearly have the statutory authority to order lawful interception activities under the Telegraph Act and the rules under it. However, we argue that the principle of legality needs to be seen from a broader perspective -- it is not just about the existence of a law but also the context in which that legality was conferred. The Telegraph Act and rules were drafted in a context when bulk surveillance was not as easily possible and the discourse around privacy and surveillance was not as well defined. Since then, the capability of interception technologies at the disposal of government agencies and the volume of interceptions being carried out by them have increased exponentially. This merits a re-examination of the existing legal framework. The Necessary & Proportionate principles also state that given the pace of technological changes, legality vis-a-vis communication surveillance would entail laws that restrict the right to privacy to be subject to periodic review through a consultative legislative or regulatory process.

Legitimate aim: Section 5(2) of the Telegraph Act states that the central and state governments may, on the occurrence of any public emergency, or in the interest of the public safety, direct the interception of communications, in the interest of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. Therefore, an order of interception will satisfy the requirement of legitimate aim so long as it is issued upon the occurrence of public emergency or in the interest of public safety and in pursuance of any of the six legitimate objectives listed above.

Proportionality: The third test requires that the means adopted should be proportionate for achieving the identified legitimate aim. In the context of communication surveillance, this would require the authority ordering interception to weigh the degree of the proposed intrusion against its anticipated gain. In the next section, we discuss some of the limitations of the present legal process, which hinder the due application of mind required for such a scrutiny.

The proportionality test also encapsulates within itself the principle of "necessity", which means that interception of communication should take place only when it is the least intrusive way of achieving the legitimate purpose. Rule 419A(3) of the Telegraph Rules adopts this principle by stating that relevant officer should issue an interception order only when it is not possible to acquire the information by any other reasonable means. While targeted surveillance based on evidence of suspicion may be the least restrictive way of achieving a legitimate aim, the current wording of the rules allows each interception order to cover "messages or class of messages" involving a "person or class of persons" or "relating to a particular subject". In doing so, it creates possibilities of bulk access to communications, which will inevitably intrude upon the privacy rights of several unsuspecting individuals.

Procedural safeguards: Rule 419A of the Telegraph Rules sets out certain procedural safeguards to govern the interception of communications, which emanated from the Supreme Court's decision in the PUCL case. Significant time has lapsed since that verdict and both the scope and the volume of surveillance activities has increased. For instance, the government has launched surveillance programmes such as the CMS, NETRA, NATGRID and made corresponding changes to telecom licenses to provide real-time access to the traffic flowing through TSP networks. Even without taking into account these developments, we find that the current procedure in the law would fail to constitute a "fair, just and reasonable" process on the following counts:

1. Rule 419A authorises members of the executive -- the Secretary to the Ministry of Home Affairs in the case of central government and the Secretary of the Home Department in the case of a state government (or in unavoidable circumstances, a Joint Secretary) -- to sanction orders of interception. Taking into account the volume of orders being issued by the government on a regular basis it is hard to make a case that the officers in charge of this function can ensure due application of mind to each and every request placed before them given their many other responsibilities.
2. The Telegraph Rules set up a Review Committee to check if interception orders were issued in accordance with the law. This committee comprises only of members from the executive such as the Cabinet/Chief Secretary along with Secretaries in charge of legal affairs and telecommunications. There is a conflict of interest in this review mechanism, as both the interception order issuing authority and the oversight authority comprise of members only from the executive.
3. There is no pre- or post-judicial oversight over the decision to place an individual under surveillance.

In contrast, surveillance legislations across democratic jurisdictions require that interception orders should be issued by a judicial authority. Other oversight mechanisms include bodies such as the Privacy and Civil Liberties Oversight Board in the U.S -- an independent statutory agency within the executive branch, which, among other things, reviews executive actions relating to counter-terrorism. Given the volume of interception requests and the technical nature of proportionality enquiry, the legal framework in India also needs to evolve accordingly. Elements of this framework should include (i) prior judicial scrutiny or post facto scrutiny, in emergency cases, for authorisation of interception requests; (ii) transparency requirements, such as the obligation to submit periodic reports to the Parliament detailing the volume and nature of the interceptions being carried out.

### Centralised Monitoring System

Through a press release issued in 2009 the government announced its intention to set up "a centralized system to monitor communications on mobile phones, landlines and the internet in the country". This system would allow authorised LEAs to gain direct access to the traffic flows on the networks of TSPs. These plans were rolled out in 2013 when the telecom license agreement was amended to require TSPs to set up the prescribed infrastructure for their systems to be directly connected with regional monitoring centers (RMCs) of CMS through interception, store and forward servers. As per information placed before the Parliament in March, 2017, technology development and pilot trials of CMS had been completed and 18 of the 21 planned RMCs had been technically commissioned.

The CMS has been widely criticised for its all-encompassing nature, privacy threats and likely chilling effects (Litton, 2015). We question below how this system would fare under the specific tests under the Puttaswamy case.

Legality: The CMS project is not grounded in law (Datta, 2015). The only requirements relating to it emanate from the terms of the telecom license, which is in the nature of a contract between the government and TSPs. While a statutory requirement to ensure compliance with the licensing terms and conditions is contained under the Telecom Regulatory Authority of India Act, 1997, this is not a sufficient basis to attribute legality to CMS. Attempts to attribute legality to CMS may also be based on claims that it derives its powers from the existing provisions in the IT Act and the Telegraph Act. However, as we discuss below, the abilities of CMS extend far beyond the legislative intent of those laws which was to authorise interception of information only for certain specific purposes and after following a specified procedure.

Legitimate aim: Lawful interception by LEAs to meet the specific objectives identified under the IT Act and the Telegraph Act would constitute a legitimate aim. However, the manner in which CMS is designed does not provide for sufficient checks and balances to ensure that its use will in fact be confined to the satisfaction of those aims.

Proportionality: By its very design, a system that provides LEAs with direct access to all communications can not meet the requirement of proportionality. While the government may argue that the system is intended to be used only for lawful interceptions, the existence of a system where all information flows through the CMS and can be collected on tap by enforcement agencies vitiates the concept of targeted surveillance. Therefore, irrespective of whether such excesses are actually committed, the logical possibility of such an outcome reflects a lack of proportionality. As noted by the UN Special Rapporteur on human rights and countering terrorism, bulk access to communications is incompatible with the normative understanding of privacy as the "very essence of the right to the privacy of communication is that infringements must be exceptional, and justified on a case-by-case basis".

Procedural safeguards: The benefits of CMS, as articulated by the government, include having secure and instantaneous access to data by avoiding any manual intervention particularly from TSPs. However, by eliminating TSPs from the process, the system is also removing a layer of third party verification of interception requests. For instance, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (2009 Rules) provide that an intermediary that receives a request for interception is required to provide a written acknowledgment of the request; maintain proper records relating to the same; and submit a list of all requests received by it to the nodal officer of the authorised agency every fifteen days. By removing TSPs and other intermediaries from the interception process CMS will ensure that the complete control over the decision making and implementation of interception is vested wholly within different wings of the executive.

The lack of independent judicial oversight has already been pointed out to be an issue in the context of wiretapping under the Telegraph Act. This issue is further compounded in case of CMS due to the sheer scale of data that it allows LEAs to access without any accompanying safeguards. However, as noted above, the design of CMS does not even satisfy the minimum safeguards that are currently provided under the IT Act and the Telegraph Act. Any interception activities being conducted under it, even if for pilot tests, would therefore fall foul of present laws.

### Encryption restrictions and decryption on demand

The adoption of sophisticated encryption technologies is a clear path towards ensuring better privacy protections. However, encryption also makes it harder for LEAs to access this information, often leading government agencies to demand lower encryption standards or backdoor entries to encrypted software and devices. Section 69 of the IT Act, read with the 2009 rules, permits the central and the state governments to order the decryption of a computer resource upon satisfaction of certain specified conditions. Further, Section 84A of the IT Act states that central government can frame rules to prescribe encryption standards and methods to secure electronic communications. While the government has not yet prescribed any modes and methods of encryption under Section 84A, a draft national encryption policy was released by them in September 2015, which was retracted shortly afterwards. This draft policy had, among other things, proposed requirements that:

1. Users should be able to reproduce on demand plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text.
2. The information should be stored for 90 days from the date of transaction and made available to LEAs on request.

Restrictions on encryption also flow from telecom license agreements. For instance, the Internet Service Provider (ISP) License Agreement requires ISPs to obtain prior governmental approval to deploy encryption which is higher than 40 bits (Part 1, Clause 2.2(vii)). The Unified License agreement (Clause 37.1), the Unified Access Services License agreement (Clause 39.1), and the ISP license agreement (Part 1, Clause 2.2(vii)) all prohibit bulk encryption by TSPs. Therefore, in the context of encryption, state surveillance capacity is bolstered through both the banning of encryption or laying down low encryption standards, and by providing for decryption on demand. We examine below how both these stipulations fare under the four-pronged proportionality analysis:

Legality: While the authority to order decryption of computer resources flows from Section 69 of the IT Act and the 2009 rules, no comprehensive encryption policy or rules have been framed under Section 84A of the IT Act prescribing encryption restrictions. The encryption restrictions that flow from telecom license conditions do not have a statutory backing.

Legitimate aim: Section 69 of the IT Act empowers the state to order decryption of a computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states, public order, for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence. Therefore, any order of decryption will satisfy the legitimate aim test if it is in pursuance of the objectives listed under this provision. Given that there is no rule or statute laying down when and how the government can set out restrictions on encryption standards, it is unclear if banning encryption or prescribing unreasonably low standards of encryption, which can potentially jeopardise network security entirely, is likely to achieve even the general legitimate aim of national security.

Proportionality: A complete restriction on encryption or setting out unreasonably low encryption standards will not pass the necessity test because while it ensures access to communication by LEAs during emergency situations, it also makes the entire communication network vulnerable to attacks at all times and will not qualify as the least restrictive measure. Further, measures such as asking users to maintain a plain text copy of all encrypted material for 90 days would also vitiate the very purpose of encryption leading to the same issues as banning encryption and therefore not satisfy the necessity test under proportionality analysis.

In relation to the framework for decryption on demand, ordering decryption of a particular computer resource or resources based on evidence of suspicion, as was done in the Apple-FBI matter, qualifies as targeted interception and may be the least retrictive way of achieving a legitimate aim. However, requiring private companies to create backdoors within all systems to enable decryption when necessary, renders computer resources of several unsuspecting individuals vulnerable to interception by governments and hackers alike. Therefore, ordering private companies to create backdoors within all systems is not the least restrictive way of achieving a legitimate aim and does not satisfy the proportionality standard. Further, it is advisable for governments to build in-house capacity for decryption in order to provide LEAs with targeted access to encrypted systems during an emergent situation, rather than waiting for technological assistance from companies during such times or requiring them to weaken all systems by creating backdoors.

Procedural safeguards: The 2009 rules set out certain procedural safeguards and review mechanisms that are similar to the procedural framework under Rule 419A of the Telegraph Act. Therefore, the procedural inadequacies identified in the context of lawful interception framework under the Telegraph Act are applicable to the framework for decryption on demand as well. Further, given the absence of any legislative or regulatory framework prescribing encryption standards or methods of deploying encryption under Section 84A of the IT Act, no procedural safeguards are currently in place to check against arbitrary encryption restrictions issued by the executive.

### Surveillance by non-state actors

Although we have largely focused on the application of the Puttaswamy standard to the state's varied surveillance frameworks, this post would be incomplete without a mention of the rise in private actors such as Facebook and Google, and the prevalence of surveillance capitalism (Zuboff, 2015). In this model, tech companies serve as data harvesting giants that constantly collect, analyse, and share user data, without informed consent, with the aim to alter/shape behaviour and preferences.

As has been discussed previously on this blog (here and here), India lacks a data protection law. Currently, the actions of private actors are only regulated by the IT Act and the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011, which have also been acknowledged by the Srikrishna Committee White Paper as lacking "an effective enforcement machinery". In fact, it is these loopholes in the law that were exploited by Facebook and Cambridge Analytica to mine user data without their consent.

Acknowledging the challenges posed by big data to privacy, Chandrachud J. in Puttaswamy emphasised the importance of a data protection regime, that would also regulate the actions of private actors. Similarly, Kaul J. recognised the right of individuals to control the commercial use of their identity and to exclusively commercially exploit their identity and data. However, although the judges referred to the increased data collection and analysis capacity of non-state actors, the judgment in Puttaswamy did not grapple with the problems posed by commercial surveillance and private actors. This issue will have to be resolved in the new data protection law that is expected to be enacted after the Srikrishna Committee Report prepares a draft Bill.

### Conclusion

The proportionality test, as laid out in Puttaswamy, and the extensive reliance on global privacy and search/surveillance jurisprudence has laid the groundwork for a re-examination of India's surveillance architecture. However, this was just the first step. The Court in Puttaswamy was not directly concerned with a surveillance claim, and thus, did not have to grapple with the application of its proportionality standard to the facts on ground. The Supreme Court has now reserved judgment in the Aadhaar case (Puttaswamy II), where extensive arguments on surveillance and chilling effect were made in the context of the centralised collection and storage of data, and the linking/seeding of various databases with the Aadhaar number. It is thus expected that the Court's judgment will further clarify the standard of proportionality, and its application in surveillance cases. We have to wait and see how the Court will balance these competing concerns of privacy and liberty with national security.

At the same time, we are looking towards the Justice Srikrishna Committee for specific recommendations to the government on how to introduce due process while providing exceptions for national security or other legitimate aims under the proposed data protection law. This will also entail a relook at the lawful interception provisions under existing laws.

### References

Addison Litton, The State of Surveillance in India: The Central Monitoring System's Chilling Effect on Self Expression, 14 Wash. U. Global Stud. L. Rev. 799, 2015.

The International Principles on the Application of Human Rights to Communications Surveillance ("Necessary & Proportionate Principles), July 2013.

Software Freedom Law Centre, "India's Surveillance State: Communication Surveillance in India", 2014.

Saikat Datta, Surveillance and Democracy: Chilling tales from around the world, International Network of Civil Liberties Organizations, 2015.

Shoshana Zuboff, Big Other: Surveillance Capitalism and the Prospects of an Information Civilisation, 30 J. of Info. Tech. 75, 2015.

Vrinda Bhandari is a practicing advocate in Delhi. Smriti Parsheera and Faiza Rahman are researchers at the National Institute of Public Finance & Policy. We thank Saikat Datta for valuable discussions.

LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.