India is well on its way to becoming a surveillance state, with the government tracking everything down to the medicines you buy, and cameras watching you everywhere. Now, the government can also read everything that’s stored on your computer, which means that investigating agencies could seize your phones, PCs, and other devices and read all the data on them, if they feel the need.
A new order by the Home Ministry, issued on Thursday, has authorised 10 different central agencies to intercept, monitor, and decrypt any information generated, transmitted, or stored in a computer. The agencies are the Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Cabinet Secretariat (R&AW), Directorate of Signal Intelligence (for service areas of Jammu & Kashmir, North-East and Assam only) and Commissioner of Police, Delhi.
Worryingly, according to the order, the subscriber or service provider or any person in charge of the computer resource will be bound to extend all facilities and technical assistance to the agencies. Failing to do so will invite seven years’ imprisonment and a fine. Various leaders of opposition parties have spoken out against this order.
“The government has done it by stealth and we collectively oppose it. This gives unlimited powers to all these agencies to monitor every information that interest them and complete surveillance which is unacceptable in democracy,” said Congress leader Anand Sharma.
“This government has only a few months left and it should not dig potholes for itself as a new government will be installed in the centre soon,” said Samajwadi Party’s Ram Gopal Yadav.
“Why is every Indian being treated like a criminal? This order by a govt wanting to snoop on every citizen is unconstitutional and in breach of the telephone tapping guidelines, the Privacy Judgement and the Aadhaar judgement,” tweeted CPI(M) general secretary Sitaram Yechury.
What does this order mean?
“For the first time, powers of scanning data at rest have been given to various agencies. Earlier, only data in motion could be intercepted. But now data revived, stored and generated can also be intercepted as powers of seizure have been given,” a senior bureaucrat explained to NDTV.
Lawyers working with the Internet Freedom Foundation (IFF), a legal and activist collective for Internet and digital freedoms, said this order is unconstitutional and in breach of the telephone tapping guidelines, the Privacy Judgement and the Aadhaar judgement. They noted that the problem is not restricted to the order, but extends to the principal source under Section 69(1) of the IT Act, which was cited in the order. The IFF also said, “No proposal by government to reform surveillance or put in place safeguards. This includes the Justice Srikrishna draft data protection bill.”
They also pointed out that the People’s Union for Civil Liberties (PUCL) v Union of India (1997), or wiretap case, provides safeguards requiring case-by-case orders by the Union Secretary to carry out taps, rather than a blanket delegation of powers to investigatory agencies.
UPDATE: The Home Ministry has reportedly clarified that if any interception is required it will be after approval of the Union Home Secretary. As per rule 22 of the IT Rules 2009, all such cases of interception, monitoring or decryption are to be placed before the review committee headed by the Cabinet Secretary, which shall meet at least once in two months to review such cases.
Despite these safeguards, large-scale wiretaps have been deployed in India in the past, and continue to be deployed widely. At the start of this year, it was reported that in order to trace two people who dumped potatoes outside the UP CM’s residence, the UP police wiretapped 10,000 phones. And as the IFF pointed out, this order goes much beyond wiretapping, because “[The] content streams are much richer, pervasive and personal.”
The use of the word “intercept” could also be interpreted as allowing malware attacks to remotely steal your data, and “decrypt” might enable the government to order a service provider to break encryption. Although more analysis is needed, it’s possible that this order could also be used as a way to require WhatsApp to decrypt its messages if it wants to keep doing business in India, its largest market. That’s something that the government has been trying to do for a long time now, citing everything from lynchings to national security to pornography.
Unconstitutional, violation of the fundamental right to privacy
Lawyer Chitranshul Sinha, Advocate-on-Record at the Supreme Court, also tweeted that the MHA order “fails the test of section 69(1) of the Information Technology Act at the threshold.” Sinha noted: “Sec 69(1) provides that a ‘reasoned’ order enabling interception, monitoring and decryption can be allowed in the interest of sovereignty, integrity, defence, security, public order or relations with other nations. Considering how wide the powers are, they can be exercised only if ‘necessary and expedient’ in the interest of the reasons stated above. Therefore there is a statutory obligation u/s 69(1) to provide reasons why such an order is necessary and expedient right now.”
“The MHA order merely empowers the concerned agencies to intercept, monitor and decrypt information but does not provide any reasons for exercising this draconian power. So not only is it ultra vires the Act, it is also unconstitutional, because it violates our right to privacy which is a fundamental right which can be taken away only by due process of law. As the MHA order doesn’t comply with due process as provided under section 69(1) it is in violation of the fundamental right to privacy,” he wrote.