The recent move by the United States Department of Justice (DoJ) against DreamHost, a service that hosts the website disruptj20.org, raises some critical questions about safeguards that Indians may not have in protecting themselves from state surveillance.
DreamHost was allegedly used to organise protests against President Trump on Inauguration Day. DoJ, on the pretext of investigating these offences, sought email lists and correspondences between website managers and third parties relying on a generally worded search warrant. A state court granted this request, and DreamHost’s appeal against the same awaits hearing.
While this has occurred within a different legal and political setting, the Indian State is no better in its desire for mass surveillance of online communications and internet behaviour. Look no further than the various provisions contained in the Information Technology Act, 2008 and the rules thereunder.
Intermediaries are widely defined to cover web-hosting services, search engines, and online portals facilitating payments and even marketplace activities. Section 69 vests authority with the Centre and the States to direct intermediaries to furnish information that is transmitted, received, or stored through them. Those who fail to comply stand the risk of up to seven years of imprisonment. Similarly, intermediaries have to retain data with them for stipulated time periods, under Section 67C, to ensure on-demand access.
There are two basic problems with this framework. The first is that the enumerated purposes justifying surveillance under Section 69 are ineffective to prevent misuse of the power vested in state authorities. Such extensive power, for purposes of interception, monitoring, or decryption of information, can be put to use for a wide list of purposes ranging from state security, sovereignty, and defence, to the investigation of any offence, and the maintenance of public order. The Indian Penal Code, for instance, criminalises a wide range of conduct. It is worrisome when all that the state has to demonstrate is the existence of an ongoing investigation against any such offence, and force open the data lying with intermediaries.
There are no clear limitations on the extent to which data may be gathered to further these enumerated objectives, either. Nothing stops state authorities, who may actually need ten e-mail communications to serve their goals, from compelling the disclosure of fifty such communications. This assessment is left to the subjective satisfaction of the intercepting authority. In short, Section 69 lends itself to overreach by the state.
Hope still persists that the recent Supreme Court verdict in the Justice Puttaswamy case, recognising the right to privacy as a fundamental right, could add some judicial safeguards. These could be in the form of: i) restrictions on the exercise of Section 69 for strong and compelling purposes; ii) deployment of only those measures absolutely necessary to serve such purposes.
The second concern is that the procedural safeguards guiding the exercise of power under Section 69 are wholly insufficient, and place far-reaching authority and trust in senior bureaucrats. The rules that support the exercise of power under Section 69 designate home secretaries at the Centre and the states as “competent authorities” for issuing interception, monitoring, and decryption orders, and empower implementing officials to mandate that intermediaries make their computer resources accessible. The limited review mechanism consists of a Review Committee under Rule 419A of the Telegraph Act, consisting of senior-level bureaucrats.
Evidently, a lot of faith is placed here in the good offices of the bureaucracy. The review committee, a product of Supreme Court intervention in the PUCL case on illegal telephone tapping, does not inspire much confidence as a mechanism to evaluate large-scale data requests and the systemic risks involved therein. Yet, this mechanism received judicial validation in the Shreya Singhal case, where the Supreme Court while striking down the constitutional validity of Section 66A of the Information Technology Act, upheld the rules for website blocking on the basis that the bureaucratic machinery was sufficiently protective of citizen interests.
It is unclear at this point whether the Puttaswamy verdict, reading as it does a bunch of exceptions into the right to privacy on grounds of public interest, could effectively rethink the Shreya Singhal verdict’s confidence in bureaucratic infallibility. But without a drastic revamping of procedural safeguards, including effective citizen representation in these review committees, no amount of substantive guarantees can realistically protect people’s rights.
To conclude, the current legal framework offers insufficient safeguards against mass surveillance and the gathering of big data tranches. Extensive digital surveillance capabilities can inflict great systemic damage, both by way of immediate impact on the right to privacy and the freedom to meaningfully organise, and undesirable chilling effects on free expression and creativity in the long run. Therefore, we must work towards better safeguards that effectively address the problems highlighted here.