Context: The government came under attack in Lok Sabha for seeking call data records(CDR) of all mobile subscribers across pockets of the country.
Background: The cellphone operators had red-flagged ‘surveillance’ after local units of the Department of Telecommunications (DoT) sought call data records of all mobile subscribers across several pockets of the country for specific days over the past few months.
The Government’s stand:
According to the Ministry of Communications
- There is no infringement of privacy of any person.
- No personal details are collected.
- There is no tracking of any phone number.
Then why CDR
The Ministry said data of calls had been sought to address numerous complaints regarding quality of service of Telecommunications Network especially on issues of RoW (Right of Way), call drops, echo, cross connections, incomplete or poor caller experience.
- An absolute transgression of the Right to Privacy guaranteed by the Supreme Court in a 9-0 judgment.
- An assault on the fundamental freedoms which have been provided in the Constitution and have been interpreted by the Supreme Court of India.
- An ‘Orwellian state’ is sought to be created which is destructive for an open and free society.
- Breach of trust: The requests from the government for mobile CDRs is a serious departure from the stringent protocol established in 2013 after prominent politicians were found to be under unauthorised surveillance.
- These requests also depart from established protocol and international expectations on multiple counts, and amount to a serious breach of privacy.
- Records of specific information sought: For instance, in the case of Delhi, records were sought for the last three days of campaigning before assembly elections, while the anti-CAA protests were at their peak.
- Exploiting loopholes:
- Requests were delivered by local offices of the Department of Telecommunications, taking advantage of a condition in licences granted to operators, which permits the DoT to inspect their CDRs.
- While a CDR request is supposed to be sanctioned by the home secretary and handled by a police officer of the rank of SP or above, DoT offices were used.
- The requirement to report CDR requests on a monthly basis to the district magistrate was not complied with.
- Most importantly, no reason was offered for snooping on the traffic of citizens.
- Reveals a lot about connections:
- As CDRs are all metadata and have no content they do not reveal any words uttered or messaged. But combining the metadata with phone location data reveals a lot about connections between specific people and the actions that they take.
- If data is available at scale, it is possible to build a multi-dimensional map of human activity, and correlate it with real events.
- This would disturb the balance of information power between the citizen and the state, and amount to a breach of privacy.
- Must not trespass on privacy: It is generally understood that communications surveillance must be specific and purposive, and must not trespass on the privacy of the innocent.
- Detrimental of public trust: Indiscriminate mass surveillance of communications invades the privacy of all citizens to the detriment of public trust.
If the government needs CDR data for a legitimate purpose, it should have no objection to following the rule-book. And if there is a reason for sidestepping protocol in a sensitive matter, the government should explain the reason.
The surveillance laws in India
Is surveillance of this kind illegal in India?
Yes. First, it’s important to explain that there are legal routes to surveillance that can be conducted by the government.
- The laws governing this are the Indian Telegraph Act, 1885, which deals with interception of calls, and the Information Technology (IT) Act, 2000, which deals with interception of data.
- Under both laws, only the government (under certain circumstances) is permitted to conduct surveillance, and not private actors.
- Moreover, hacking is expressly prohibited under the IT Act.
- Section 43 and Section 66 of the IT Act cover the civil and criminal offences of data theft and hacking respectively.
- Section 66B covers punishment for dishonestly receiving stolen computer resources or communication.
- The punishment includes imprisonment for a term which may extend to three years.
- The IT (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules framed in 2009 under the IT Act. The rules state that
- Only the competent authority can issue an order for the interception, monitoring or decryption of any information generated, transmitted, received or stored in any computer resource (mobile phones would count).
- The competent authority is once again the Union Home Secretary or State Secretaries in charge of the Home Departments.
The Supreme Court verdict on privacy
Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Others,2017
- The Supreme Court in a landmark decision unanimously upheld the right to privacy as a fundamental right under Articles 14, 19 and 21 of the Constitution.
- It is a building block and an important component of the legal battles that are to come over the state’s ability to conduct surveillance.
But as yet a grey area remains between privacy and the state’s requirements for security.
Data Protection Committee under retired Justice B.N. Srikrishna
- It held public hearings across India and submitted a draft data protection law in 2018 which Parliament is yet to enact.
- Experts have pointed out that the draft law does not deal adequately with surveillance reform.