Last week, the Supreme Court bench of justices Arun Mishra and Indira Banerjee raised an alarm over the lack of privacy of citizens in India in a case where the petitioner, an IPS officer, had alleged that his phone, as well as of his family and his friend, was being tapped at the behest of the Chhattisgarh government. While it is not known yet whether the same was done in compliance with the law, it raises questions about the extent to which the government can impede our right to privacy in certain circumstances and are these considered to be reasonable restrictions and how well equipped are surveillance laws in India to handle the growing influence and reach of information technology.
The right to privacy
The right to privacy was upheld once again by the Supreme Court in its landmark judgment in the Aadhar case in 2017. While it did uphold an individual’s right to privacy, it did not hold the Aadhar Act to be unconstitutional, but only made linking of Aadhar card details voluntary in all cases except for getting access to government’s social benefits schemes and for linking with PAN card to keep tax frauds in check. For now, that is the legal stand when it comes to Aadhar cards. However, what still remains a concern is the protection of data for which India has no legal provision. Although, the Aadhar Act provides for a Central Identities Data Repository and it has a Chapter on “Protection of Information” where the Aadhar Authority is to ensure the security of such information collected but there is no provision that holds the Repository or the Authority responsible or accountable in case of breach of data due to failure on their part to secure the sensitive personal information of the citizens. At this juncture one feels the need for data protection law in India.
Data protection and its importance for safeguarding right to privacy
In August 2017, the Central Government had set up the B N Srikrishna Committee to draft a bill on data protection. The Committee, among other things, highlighted that the Aadhar Act needs to be amended to bolster data protection and also recommended that a Data protection Authority be set up to regulate the collection and storage of data and it also imposed severe penalties for breach of data by third parties.
Nowadays, data is considered to the most valuable asset in the world. When the Cambridge Analytica case came up in the United States of America (USA), one realised how vulnerable is one’s data when it’s on social media and how private players do very little to protect the same. Personal data was used to manipulate minds of voters in order to get favourable election results. This shocking revelation had left the world stunned and the need for data protection has now become an extremely pressing issue. The delays by the parliament in passing a law for data protection is only exposing the data of its citizens to perilous threat, and the implications of the same need to be considered seriously by the government.
Breach of privacy, when necessary
Sometimes, the State is compelled to use certain measures to keep criminal activities in check, specially in cases of national or public emergency where there is an apprehension of threat to public law and order. The laws in India, however, provide for interception of communication by government vide 3 Acts. Section 26 of the Indian Post Office Act (for postal articles), section 5(2) of the Indian telegraph Act (for telephones), section 69 of the Information Technology Act for emails and chats. Each Act provides for different circumstances when the government can invoke interception.
-
Postal articles: public emergency or in the interest of public safety or tranquillity
-
Telephones and Emails/chats: interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, for preventing incitement to the commission of an offence relating to the aforementioned.
Is the government listening?
In 1996, People’s Union of Civil liberties (PUCL) had filed a Public Interest Litigation (PIL) against the rampant phone tapping that had become a practice under the Rajiv Gandhi regime of 1980s. The Supreme Court realised the arbitrary manner in which the aforementioned provisions of the Telegraph Act were misused by the government for surveillance of the opposition members as well as its own Cabinet Members. The guideline laid down in this case cast a lasting shadow on Indian surveillance law and curbed the arbitrary use of surveillance provisions. The guidelines limited the time frame for interception to two months at a time and maximum six months after renewals, and required the authorization of high offices of Home secretary of either the Central government or the concerned state government. The guidelines also asked for destruction of the data so collected once its retention is not necessary.
Nearly 23 years have passed since the guidelines were laid out and there is an urgent need that apart from these guidelines, governments exercise greater caution while formulating and amending surveillance laws. Provisions of the aforementioned Acts mention circumstances which are open to wide and vague interpretations and hence prone to misuse despite of the guidelines.
Although the Supreme Court had held that tapping of phones is a serious invasion of privacy and that it falls under Article 21 (right to life and personal liberty) of the Constitution, it held the provisions of the Telegraph Act to be constitutional at the same time, falling under reasonable restriction under Article 19(2) of the Constitution.
In 2014, a report was released by Software Freedom and Law Centre said that the Indian government gives about 9,000 orders to tap phones each month. Technology is making it easier for phones to be tapped and conversations to be intercepted and people are getting more susceptible to breach of their privacy, specially by private players. In the wake of this, there is a dire need for a stringent law to come in place for making surveillance by private parties, without legal sanction, a punishable offence and for regulation of surveillance carried by government law enforcement agencies by giving out contracts to private players.
In 2016, the Indian Express had reported that between 2001 and 2006, spanning one NDA na done UPA government, the Essar group allegedly tapped telephones of VVIPs including cabinet ministers and corporate heads like Ambani brothers.
Facial recognition on roads!
In the background of the Kashmir Issue, political crisis of Maharashtra, the Ayodhya verdict, one news that needs to be put on a pedestal but is drowning is of the government, through the NCRB (National Crime Records Bureau) inviting proposals for installing facial recognition software in CCTVs on public roads. They call it the Automated Facial Recognition System (AFRS) and it will compare the image captured by the CCTV with their existing database. It has also proposed integrating AFRS with other databases such as Crime and Criminal Tracking Network & Systems (CCTNS), Integrated Criminal Justice System, State-specific database systems and Khoya paya portal, which is a citizen based website to exchange information on missing and found children.
In its 172 page “Request for Proposal to procure National Automated Facial Recognition System” , the NCRB has comprehensively mentioned all aspects of the scope, architecture of the project and other contractual details for the bidder. In the running are software like Amazon Rekognition; Face Recognition and Face Detection by Lambda Labs, Microsoft Face API; Google Cloud Vision and IBM Watson Visual Recognition. The request document of the NCRB, states that AFRS can play a very vital role in improving outcomes in the area of Criminal identification and verification by facilitating easy recording, analysis, retrieval and sharing of Information between different organizations. Additionally, it says that AFRS is a great investigation enhancer for identification of: criminals, missing children/persons, unidentified dead bodies and unknown traced children/persons.
The document then goes on to define the technical requirements in the software and contractual terms with the bidder. While all this “surveillance for better protection” is supposed to make us feel like we are moving to a more secure and crime-free environment, the truth is surveillance, without accountability is a dangerous proposition. This system which is to be introduced and implemented soon does not have any legal backing so far.
The proposal document can be read here:
Why is facial recognition a problem?
What is the harm in having a surveillance system without a legal sanction, you ask? Imagine tomorrow this repository maintained by the NCRB is intercepted by a private player stealthily for its personal gain or even at the behest of a political leader and the same is tampered with. Who will be held accountable? How will the private player and the political leader be punished in absence of a specific penal provision for the same? This is just one of the many concerns that will arise once the AFRS will be implemented.
Concerns have been raised on grounds that the accuracy of such systems is currently low, thus severely increasing the risk of misidentification when used by law enforcement agencies. Secondly, since the technology will learn from existing databases (e.g. a criminal database), any bias reflected in such a database such as disproportionate representation of minorities will creep into the system. False-positives as result of a low accuracy rate, combined with potentially biased law enforcement and a lack of transparency, could make it a tool for harassment of citizens.
Such facial recognition systems have been installed in countries like China and Russia as always democratic countries like France, United Kingdom and USA. Although many cities in the USA have banned the usage of such surveillance systems, it prevails in many other cities.
Another concern is that of lack of informed or even implied consent. While the relationship between the citizen and the government is of a social contract, not everything can be included under implied consent, specially with respect to a system which invades one’s facial identity. How can the state assume that in the interest of our own safety and maintenance of law and order, we are allowing the government to click our pictures and keep it in a repository and classify it as it pleases, without our knowledge!
The way forward
To sum up, the arena of Indian surveillance law is lacking some stringent laws pertaining to data protection and regulation of surveillance. In both of these laws there needs to be an autonomous competent authority which can independently monitor the implementation and regulate the activities under the law, to ensure complete adherence. There are some major issues with the aforementioned Acts pertaining to postal articles and telephones and Information technology. The circumstances provided for in these laws, specially the ones pertaining to telephones and Information technology, are as easy as “prevention of incitement to commission of offence” albeit the offence is to be related to national and public interest. Such provisions are easily susceptible to misuse, especially if the approving authority is the state government itself, making it easier for political motives to be fulfilled.