The Mumbai terror attack of 26 to 29 November 2008 (“26/11”) is etched in the minds of Indian citizens, who can never forget the loss of life and destruction they witnessed in those three days. However, it was only one of the numerous attacks that took place in 2008 throughout India, which saw a total of 2400 attacks during the period of 2001-07. They culminated in serious questions being posed about the complete failure of the Indian internal security apparatus to pre-empt the attacks.
Despite a steady increase in terrorist activities in India since the 1980s, India’s security apparatus was not robust. In the wake of these attacks, India resolved to strengthen it, which gave rise to various initiatives such as the National Intelligence Grid (NATGRID), the Centralised Monitoring System (CMS), the Crime and Criminal Tracking System (CCTNS), as well as the most recent National Automated Facial Recognition System (which is still being developed), with an aim to facilitate better coordination between the intelligence and law-enforcement agencies.
Even though India had seen a multitude of terror attacks in the 2000-08 period, 26/11 was the ultimate wake up call to radically overhaul the surveillance architecture. However, the manner in which these changes were put in place calls into question the separation of powers and accountability mechanisms for the Indian government. The Executive, through orders, has put into place invasive systems which do not have provisions for judicial review or oversight. This absence of oversight raises concerns about potential illegal mass surveillance, as well as the constitutionality of these systems itself.
Developments in India’s internal security in the aftermath of 26/11: Executive changes
In the aftermath of the 26/11 attacks in Mumbai, the then Minister of Home Affairs Mr. Chidambaram made a statement in the lower house of the Indian Parliament, stating, “there is a need to make intelligence gathering and intelligence sharing more effective and result oriented”. To fulfill this need, under Chidambaram, India started developing multiple surveillance technology projects post 2008, all of which suffer from the danger of “function creep”. “Function creep” occurs when information is processed for a purpose that is not the original specified purpose for which it was collected. This is because all these projects were authorised through executive action, with minimal transparency and without any legislative backing. In the absence of any legislation or parliamentary oversight mechanism, these mass surveillance systems could easily be misused to surveil Indian citizens illegally. Such misuse would then ultimately result in violations of the rights to life and liberty, freedom of speech and expression, freedom to assemble and to protest, as well as the right to privacy.
One of these systems is the National Intelligence Grid, better known as NATGRID, which was first conceptualized in 2009. NATGRID is an integrated intelligence grid that aims to leverage information technology to connect approved User Agencies (security/law enforcement) with designated Data Providers (Airlines, Banks, SEBI, Railway, Telecom etc.), to enhance the country’s counter-terrorism capability. NATGRID aims to use artificial intelligence and big data analysis to detect patterns from the massive amounts of data it will be collecting, and to provide real time and even predictive analysis to the User Agencies. Essentially, the project has the capability to carry out 360 degree surveillance of Indian citizens. Such sweeping surveillance is violative of the Supreme Court of India’s decision in K.S. Puttaswamy v. Union of India (2019, the “Aadhaar” judgment), which struck down the mandatory linking of the biometric ID (“Aadhaar”) with an individual’s bank account. The Court held that “there cannot be such a sweeping provision which targets every resident of the country as a suspicious person” without any evidence of wrongdoing on their part. The Crime and Criminal Tracking Network System (CCTNS), also conceptualized in 2009, which aims to connect police stations and intelligence agencies across the country to increase ease of access to police data, also suffers from a similar folly of allowing 360 degree surveillance, in the event that its data is shared with other systems such as NATGRID.
One of the most intrusive systems among these is the Network Traffic Analysis (NETRA) which is operated by India’s Defence Research and Development Organisation (DRDO). NETRA is a surveillance software capable of performing real time interception of internet traffic for certain predefined keywords such as ‘attack’, ‘bomb’, ‘blast’ or ‘kill’. Needless to say, these are words which are in common use and not just limited to use by potential terrorists. Therefore, such overly broad interception would clearly violate the right to freedom of expression.
The constitutionality of these 360 degree surveillance mechanisms has been challenged before the Delhi High Court for, inter alia, creating a mass illegal dragnet surveillance system and failing the proportionality standard under the Puttaswamy (Right to Privacy) decision of the Supreme Court. However, no substantive hearings have taken place and the surveillance challenge is still pending before the High Court. This is unfortunate, especially considering that the mass surveillance programs were notified by the government without passing any laws or statutory amendments.
Developments in India’s internal security in the aftermath of 26/11: Legislative changes
In addition to drastic changes made by the executive, there were also legislative changes. However, the cause of concern is that both the executive and legislative changes gave unrestricted power to the executive, and failed to put into place sufficient judicial oversight provisions.
The existing surveillance architecture in India majorly comprises of two legislations: the Information Technology Act, 2000 (“IT Act”) (in conjunction with the IT Rules) and the Indian Telegraph Act, 1885 (in conjunction with Rule 419A of the Indian Telegraph Rules, 1951). After the 26/11 attacks, India saw the introduction of new provisions related to surveillance, specifically, S. 69 of the IT Act, which was inserted in the IT Act through an amendment in 2009. Sec. 69 gave authorities the power to intercept, monitor, or decrypt any information online through any computer resource when it was “necessary or expedient” to do so in the interest of national security, public order etc. Notably, S. 69 departed from pre-existing surveillance provisions under the Telegraph Act, by removing the requirement of meeting the preconditions of “public emergency” or “public safety” before authorizing surveillance. It allows the Central or State Governments, or any officer authorized on their behalf to authorize the interception or monitoring or decryption of data under certain circumstances. Similarly, S.5 of the Indian Telegraph Act allows the Central or State Government, or any officer authorized on their behalf, to intercept or detain messages transmitted through a ‘telegraph’ (or phone calls) on the occurrence of a public emergency or in the interest of public safety. These provisions fail to put into place any effective oversight mechanism, which would allow for accountability of the executive issuing orders for surveillance, and to protect civil liberties.
These developments mirrored the developments post 9/11 in the US, which also carried out illegal surveillance of its citizens, through the President’s Surveillance Program (“PSP”) or ‘STELLARWIND’. Over time the consensus has solidified that these laws facilitated mass violations of civil liberties in the name of national security. STELLARWIND was ultimately uncovered through the actions of the whistleblower Edward Snowden, and led to some reforms in US surveillance architecture.
The oversight process established under both the Indian IT Act and the Telegraph Act eschews judicial oversight in favor of executive oversight by setting up a three member ‘Review Committee’ comprising three top bureaucrats – the Cabinet Secretary, the Law Secretary, and the Telecom Secretary. The Review Committee is tasked with periodically reviewing the interception orders passed by the competent authority and assessing their validity. Thus, the IT Act and the Telegraph Act do not provide for any judicial, parliamentary, or independent oversight mechanism over electronic surveillance, whether at the ex-ante, ex-post, or the review stage. In addition, India’s premier intelligence agencies – the Research & Analysis Wing (for external intelligence) and the Intelligence Bureau (for internal intelligence) – exist outside any statutory framework and are thus, exempt from any independent oversight.
This stands in stark contrast to other major democracies, such as Germany, UK, and South Africa, where some form of parliamentary or judicial oversight over surveillance action exists. The European Court of Human Rights has also stressed the importance of judicial oversight in cases of secret surveillance. Even in the United States, the intelligence agencies are held accountable through Congressional Committees, Permanent and Senate Select Committees on Intelligence. The US government has also put in place a judicial oversight mechanism for authorizing surveillance against foreign nationals under the Foreign Intelligence Surveillance Act (FISA) courts, although the secrecy embedded in the FISA system leaves a lot to be desired.
In the absence of any inter-branch oversight, unbridled and disproportionate power is vested in the Indian executive. This impacts the horizontal separation of power between the executive, legislature and judiciary as envisaged under the Constitution of India and opens the door to the possibility of overbroad and illegal surveillance being carried out. Since surveillance, by its very nature, is carried out in secret, remedies for persons placed under illegal surveillance are effectively curtailed. As the recent Pegasus allegations reveal, in most cases, such individuals will likely not be aware, and will not be able to prove that they are under surveillance in the first place. This violates the requirements of fairness and due process under Article 21 of the Constitution of India, as well as the broader requirements of natural justice. Thus, as one of us has argued before, an independent system of review within the surveillance framework is essential to protect the rights of the large number of people who will not be able to seek judicial redress against surveillance orders.
This becomes even more important given the lack of procedural guarantees within the existing surveillance framework. As per publicly available data, the central government issues approximately 7500-9000 telephone interception orders per month. This means that the Review Committee, which meets every two months, has an “unrealistic task” of reviewing 15,000-18,000 interception orders at every meeting. It is evident that it is almost impossible for the three member Review Committee to ensure due process or application of mind on each surveillance request.
Thus, even the functioning of the executive oversight mechanism undermines the procedural safeguards laid down by the Supreme Court in PUCL (1997), which had upheld the constitutional validity of interception under the Telegraph Act. In fact, the lack of judicial oversight and the demonstrable inadequacy of the procedural safeguards have led to fresh challenges to the surveillance framework in India. Building on the proportionality argument recognized by the Supreme Court in the famous privacy case, Puttaswamy v Union of India (2017), these petitions have argued for striking down Section 69 of the IT Act and Section 5(2) of the Telegraph Act. Although pleadings are complete, the matter is yet to be listed for final arguments.
The biggest limitation of the surveillance framework in India is the wide mandate and relatively unchecked power given to intelligence agencies, without adequate oversight and accountability mechanisms to protect civil liberties. These problems are compounded by the complete unwillingness of the government to improve transparency within the system. In recent years, the Ministry of Home Affairs of the Government of India has denied right to information requests (similar to FOIA requests in the US) seeking aggregate information about the total number of surveillance orders issued in a year, or has claimed that such records and information have been destroyed per extant rules. Another cause of concern is that India still does not have a data protection law in place, and thus citizens do not have any statutory rights to privacy of their personal data. However, the proposed Personal Data Protection Bill, 2019, which is currently before a Joint Parliamentary Committee, authorizes the government to completely exempt law enforcement agencies from the ambit of the Act, and in the process, misses the bus on surveillance reform.
It is unlikely that any changes in the surveillance framework will come through legislative reform, especially given the relative ‘normalization’ of surveillance action during the COVID-19 pandemic. Interestingly enough, in 2020, US Courts partially ruled against two programs, which targeted email repositories and phone call logs which grew out of STELLARWIND, declaring them to be illegal in their present state, and finding them to have committed “widespread violations”. One can only hope that the challenges to the statutory framework and surveillance infrastructure pending before the Supreme Court of India and the Delhi High Court respectively are decided soon and in a similar manner, and can usher in a new age of targeted, less-intrusive, and proportionate surveillance.