THE LEGALITY OF CYBER SURVEILLANCE

Submitted to:
Submitted by :
Subject: Cyber Law
Semester: VIII

National Law University

Delhi (India)
2019
 TABLE OF CONTENTS

INTRODUCTION ..................................................................................................................... 4

STATUTORY PROVISIONS ............................................................................................... 4

THE PRESENT SCENARIO ................................................................................................ 5

RIGHT TO PRIVACY .............................................................................................................. 7

RECCOMENDATIONS AND THE WAY FORWARD .......................................................... 8
 INTRODUCTION

Over the years, the impact of cyber surveillance has steadily increased over the last few years.
Even in a semi-skewed economy as ours with a large population of poverty ridden persons,
hundreds of millions are being spent on infrastructure to create a network of surveillance. While
the justifications ay be numerous, such as law and order, the bigger question that comes forth
is whether the ends justify the means. The debate regarding privacy is also complicated by the
fact that there exists an asymmetry of power between the citizen and the state.
The issue becomes even more grave when we consider the potential for misuse. With the ever-
increasing network of surveillance laid down behind the veil of protection against hidden
enemies, it is the citizens on whom the majority of surveillance is being conducted. This paper
shall attempt to look at the various statutory provisions regarding privacy and cyber
surveillance and interplay between the two. An attempt will be made to determine whether the
present privacy regime is prone to violating privacy rights of individuals.

STATUTORY PROVISIONS

Mass surveillance as such is not covered under any provisions in India. The Telegraph Act,
1885 has provisions dealing with interception and surveillance of telephonic conversations.
The Information Technology Act, 2000 also has provisions relating to surveillance and data
interception. Limits are imposed on the legal use of such powers. Furthermore, approvals must
be sought from wither the Secretary of the Dept. of Information Technology or the Home
Secretary.

Under the Telegraph Act, public surveillance and interception of data must be done only to
ensure public safety or in an emergency. Section 5(2) of the Indian Telegraph Act reads as
follows;
“(2) On the occurrence of any public emergency, or in the interest of the public
safety, the Central Government or a State Government or any officer specially
authorised in this behalf by the Central Government or a State Government may, if
satisfied that it is necessary or expedient so to do in the interests of the sovereignty
and integrity of India, the security of the State, friendly relations with foreign states
or public order or for preventing incitement to the commission of an offence, for
reasons to be recorded in writing, by order, direct that any message or class of
messages to or from any person or class of persons, or relating to any particular
subject, brought for transmission by or transmitted or received by any telegraph,
 shall not be transmitted, or shall be intercepted or detained, or shall be disclosed
to the Government making the order or an officer thereof mentioned in the order”1

It is interesting to note that under the Telegraph Act, the severity of punishment for failure to
assist in government surveillance and interception is much greater than the punishment
prescribed for unauthorize or unlawful interception of data.

The various cyber cafes littered across the country offering internet services are required to
keep detailed records of their customers which may include certain sensitive information. Such
information is provided to agencies deigned by the government in pursuance of certain
offences.2 Intermediaries are also not exempt from sharing data which may be of personal
nature.

THE PRESENT SCENARIO

As has been previously mentioned, our two primarly legislations dealing with surveillance are
the Indian Telegraph Act, 1885 anf the Information Technology Act, 2000. However the laws
in general are dated and government agencies tend to put an opaque barrier behind questions
of privacy in surveillance.
India, having unfortunately have faced with terrorist attacks of large magnitudes within home
soil, has had to build up a network of surveillance systems in order to gather intelligence with
respect to such attacks. The Centralized Monitoring System, or CMS, was set up in 2009 as a
telephone interception system by the Centre for Development of Telematics.3 It permits
government agencies to directly access all data that passes through service providers. While
previously, this had to be done through approvals, service providers must now provide direct
access to agencies. The issue here is the uncontrolled access to sensitive information that can
be demanded without any backing of a court order or any such approval.
There exist two limitations that affect the Indian surveillance framework; First, the wide
mandate of law enforcement agencies and Secondly, the lack of oversight over such agencies.
The nature of surveillance of masses is by itself highly discretionary and therefore can turn to

1
Section 5(2), Indian Telegraph Act, 1885
2
Pranesh Prakash, How surveillance works in India, The New York Times, July 2013
https://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0
3
https://www.medianama.com/2016/05/223-india-central-monitoring-system-live-in-delhi-mumbai/
discriminatory.4 RTI inquiries have shown that the government issues around 8000 monthly
interception orders and taps over 1 lakh phone calls every year. The scale of surveillance
conducted is truly staggering and highly cloaked.5
In December 2018, the government via notification formalized the amendment which was
brought in into the Information Technology Act in order to allow various agencies like the
Intelligence Bureau or the CBI to intercept, monitor and decrypt6 any data from any computer.7
This is presently under challenge in the Supreme Court as it is considered violative of the
constitution, particularly Article 21.

4
Protecting Citizens from the State Post Puttaswamy: Analysing the Privacy Implications of the Justice Srikrishna
Committee Report and the Data Protection Bill, 2018
Bhandari, Vrinda; Sane, Renuka at 151
5
Software freedom law centre, India’s surveillance state: other provisions of law that enable collection of user
information (2015)
6
https://scroll.in/article/906579/home-ministry-order-on-computer-surveillance-is-not-new-upa-introduced-
provisions-in-2008
7
https://www.epw.in/engage/article/indias-surveillance-laws-then-and-
now?0=ip_login_no_cache%3D64aa78fabcae9e57996aa425146107d1
 RIGHT TO PRIVACY

In 2017, the Supreme Court in Puttaswamy v. Union of India8 concretized the Right to privacy
by claiming it to be an intrinsic part of Article 21. It was held that “Privacy is a constitutionally
protected right which emerges primarily from the guarantee of life and personal liberty in
Article 21 of the Constitution.”9
It was further held that, “Fundamental rights are the only constitutional firewall to prevent
interferenct with those core freedoms constituting liberty of a human being.”10
The issue is the dichotomy between privacy rights and penal provisions enabling violation of
such privacy in accordance with law. The threshold is extremely low with courts admitting data
obtained even from illegal surveillance or searches.11 Unlike the U.S. where such a violation
would be flagged as a violation of the Fourth Amendment, in India agencies are not discouraged
from unnecessary surveillance and are rewarded for it.
Presently there is no mention as to the use and storage of data collected through surveillance.
There exist large loopholes with respect to privacy laws of citizens which is concerning
considering the fact that the populus may not even know that it is being monitored due to the
opaque nature of such operations.

8
9
Id at 262.
10
Id at 494.
11
R.M. Malkani v. State of Maharashtra AIR 1973 SC 157
 RECCOMENDATIONS AND THE WAY FORWARD

In the landmark 2017 judgment, Justice Chandradud opined that the constitution guarantees
certain fundamental rights such as the right to life and within that right, is the implied right to
live with dignity. Privacy is a primary part of living with dignity. Privacy may be composed of
many elements such as anonymity, security and solitude. Considering the importance of
privacy in an individual’s life, the state is bound to respect the same and to actively protect it.
Mechanisms should be put in place to ensure that data is accessed in a limited manner and only
when necessary by competent authorities. Such data must be carefully protected to ensure that
it is not leaked or unnecessarily shared. Safeguards must be put in place to ensure data is
protected from unnecessary access. Punishment for violation must be severe to deter authorities
from abusing such powers. Furthermore, it is imperative that the nature of data that can be
accessed be defined. The law as it stands grants direct access of all data passing through a
service provider. This must be considered a serious violation of privacy of an individual,
considering that technology today has reached the stage where we tend to perform all our tasks
online. The nature of data that individuals transmit online is of extremely personal nature and
must be protected. Therefore, there must be a specific definition of “private data” so as to
quantify the extent to which a breach must be committed.12
It must be the role of the government to ensure that privacy of its citizens is respected. From
other jurisdictions such as U.K., Canada, Germany, we can see that the government plays an
active role in protecting privacy of its citizens.13 A regulatory body must be assigned which
looks into privacy issues in India.14 Recent events have further brought to light the corruption
and misuse prevalent in intelligence organizations of the government.15 No central organization
can be given unbridled powers over such a vital aspect of citizens’ lives. The Shah Commission
has previously commented on how in such agencies whose purpose is to gather intelligence,
immense powers invite misuse.16 Intelligence must be gathered only as a tool to defend the
homeland and not as a means to look into the personal lives of citizens.

12
https://www.emeraldinsight.com/doi/pdfplus/10.1108/IJLMA-01-2018-0013
13
In the UK, a complaint can be filed to the Information Commissioner’s Office to initiate investigation.
14
http://eprints.lse.ac.uk/90006/1/southasia-2018-05-07-why-india-needs-a-privacy.pdf
15
https://thewire.in/government/after-midnight-ouster-cbi-director-alok-verma-faces-snooping
16
https://www.epw.in/system/files/pdf/1989_24/1/civil_liberties_misuse_of_intelligence_services.pdf