On October 28, 2024, Monday, Justice KS Puttaswamy, a trailblazer for privacy rights and former Karnataka High Court judge, passed away at the age of 98. As the lead petitioner in the landmark ‘right to privacy’ case, he played a crucial role in the Supreme Court’s historic recognition of privacy as a fundamental right under Article 21 of the Constitution.

Early life and Legal Journey
Born on February 8, 1926, Justice Puttaswamy had studied in Maharaja’s College, Mysuru and Government Law College, Bengaluru. He was enrolled as an Advocate on January 7, 1952, and later served as the Additional Government Advocate in the High Court. Justice Puttaswamy’s judicial career began when he was appointed as a Judge of the Karnataka High Court on November 28, 1977. After retiring in August 1986, he was appointed the first Vice-Chairman of the Central Administrative Tribunal, Bangalore Bench, on September 1, 1986.

Right to Privacy and Aadhar Case
In 2012, he challenged the constitutional validity of the Aadhaar scheme, leading to significant nuances and deepening of the legal discourse. While the Supreme Court did not strike down Aadhaar, it affirmed that the right to privacy is integral to the right to life, leaving an indelible mark on Indian constitutional law.

The Unique Identification Authority of India (UIDAI) was established in 2009 to “empower Indian citizens with a unique identity through the Aadhaar system.” The first Aadhaar card was issued in 2010; however, the UIDAI was initially created through an executive order without legislative backing, raising concerns about potential infringements on citizens’ rights. One notable critic was the late Justice K.S. Puttaswamy, who challenged the Aadhaar’s validity in the Supreme Court, emphasising that the right to privacy is a fundamental right protected by the Constitution.

In the landmark case K.S. Puttaswamy (Privacy-9J.) v. Union of India (2017) 10 SCC 1, a nine-judge bench unanimously recognised the right to privacy as integral to the right to life and personal liberty under Article 21. Justice D.Y. Chandrachud, writing for the bench, articulated that privacy encompasses personal intimacies and family sanctity, asserting that privacy is not forfeited in public spaces. Subsequently, in K.S. Puttaswamy (Aadhaar-5J.) v. Union of India (2019) 1 SCC 1, the Supreme Court upheld the Aadhaar Act, deeming it valid while striking down certain mandatory Aadhaar provisions. The court acknowledged privacy concerns but concluded that the project’s justifications were sufficient to maintain its legality

Notable judgement
Justice K.S. Puttaswamy’s rulings in key cases reflect his commitment to upholding constitutional principles, particularly equality under Article 14. His judgments addressed arbitrary administrative actions, reinforced the need for transparency, and affirmed the judiciary’s inherent powers to ensure justice in complex situations.

Justice Puttaswamy’s legacy
In R.B. Mutgi v. Karnataka Electricity Board, 1981 SCC OnLine Kar 404, Justice K.S. Puttaswamy addressed the non-examination of claims related to pay scale adjustments, stating that capricious or arbitrary actions by administrative authorities contradict the equality principle enshrined in Article 14 of the Constitution. In Mac Charles Brothers (Private) Limited v. Commercial Tax Officer, X Additional Circle, Bangalore, (1986) 63 STC 452, he expressed disappointment over the CTO’s failure to provide reasons for rejecting a registration certificate for certain goods. He issued a writ of mandamus, deeming the rejection illegal and quashing the CTO’s order concerning “building materials and stone.” In Mohamed Samiullah v. Commissioner of Commercial Taxes, (1986) 61 STC 107, the Full Bench, including Puttaswamy, S.R. Rajashekhara Murthy, and S.A. Hakeem, held that Section 22 of the Sales Tax Act, 1957, confers revisional powers on the Commissioner without violating Article 14. In Corporation Bank Ltd., 1980 SCC OnLine Kar 224, Puttaswamy noted that not every situation in justice administration can be anticipated by the legislature, and Section 151 of the Code allows courts to condone delays in filing essential documents.

Right to privacy
Notably, Justice K.S. Puttaswamy’s passing marks the end of an era for privacy rights in India. As a pioneering advocate for the right to privacy, his legacy is forever etched in the nation’s legal framework. His pivotal role in the landmark Supreme Court case established privacy as a fundamental right under Article 21, significantly influencing constitutional law. Throughout his illustrious career, he championed the principles of justice, equality, and transparency. His notable judgments not only upheld constitutional values but also reinforced the judiciary’s role in safeguarding citizens’ rights. Justice Puttaswamy’s contributions will continue to inspire future generations in the fight for justice and privacy.

Related:

Supreme Court and the Right to Privacy

Understanding the Right to Privacy (R2P)

“The Supreme Court’s Ruling on Right to Privacy is Momentous and Historic”

The post Justice KS Puttaswamy’s passing marks the end of an era for privacy rights appeared first on SabrangIndia.

The message received was “Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID.” An email, with the subject line titled “ALERT: State-sponsored attackers may be targeting your iPhone”, went on to provide, “These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone.” It further urged the recipients, “While it’s possible this is a false alarm, please take this warning seriously.”

These alert messages and email had been received by multiple opposition leaders, including Mahua Moitra (All India Trinamool Congress), Priyanka Chaturvedi [Shiv Sena (Uddhav Balasaheb Thackeray)] Raghav Chadha (Aam Aadmi Party), Sitaram Yechury [Communist Party of India (Marxist)], and Shashi Tharoor (Indian National Congress) amongst others. It was also sent to several journalists, including Siddharth Varadarajan, (founding editor of The Wire), Sriram Karri (resident editor of Deccan Chronicle) and Ravi Nair, journalist at Organized Crime and Corruption Reporting Project (OCCRP).

The recipients of the above mentioned alerts had taken to ‘X’ (formerly Twitter) to express their shock at being targeted in such a manner. TMC MP (Member of the Parliament) Mahua Moitra had alleged that the Indian government was trying to hack into her phone.  “Received text & email from Apple warning me Govt trying to hack into my phone & email. @HMOIndia – get a life. Adani & PMO bullies – your fear makes me pity you”, the Lok Sabha member had written on ‘X’.

Pawan Khera, media and publicity department head of INC, took to ‘X’ and said, “Dear Modi Sarkar, why are you doing this?” Similar allegations connecting the Indian government to these state-sponsored attempts at comprising the phones were raised by many other recipients.

In the face of such allegations, the Bharatiya Janata Party (BJP) was quick to dismiss the same as baseless.  Ministers and leaders of the ruling parties also took to twitter to slam the opposition party leaders and deem their concerns to be nothing more than publicity gimmicks. After a few hours, Apple Inc. had issued a statement stated that it could possible that some of threat notifications may be false alarms and some attacks may not be detected. The firm had further said that “Apple does not attribute the threat notifications to any specific state-sponsored attacker.” The firm added that state-sponsored attackers are “very well-funded and sophisticated, and their attacks evolve over time”.

While the statement provided by the firm was used by the BJP party to defend itself, the question that is yet to be answered is why only alerts were send to the most vocal critics of the Modi government?  If these alerts were just false alarms, then why did none of the leaders from the ruling party receive them? The alerts that were received by the journalists and opposition leaders alleged that attempts have been made by state-sponsored attackers to steal information from their iPhones. In view of the recent history of surveillance tactics being weaponised by the ruling government, how wrong were the recipients to assume that the union government were behind them?

Senior BJP leader Ravi Shankar Prasad had reacted to the allegations by slamming the opposition for targeting the government without taking up the matter with Apple and dared its leaders, who have received it, to file a criminal case (FIR). Prasad had stated that these confusion and allegations regards the alerts sent were to be clarified by the firm and not the government. But, the question that arises here is that why were the leaders of the opposition and the journalists critical of the current government the only ones who received this alert? Viewing the part track record of India, employing Pegasus malware and the Arsenal report alleging planting of evidence in the case of violence at Bhima Koregaon, do the people of India not have a valid concern of their phones being hacked?

Amid the row, Electronic and Information Technology Minister Ashwini Vaishnaw had stated that the government had ordered a probe into the matter. “In light of such information and widespread speculation, we have also asked Apple to join the investigation with real, accurate information on the alleged state-sponsored attacks,” he added.

State-sponsored cyber-attacks in India

The cybersecurity company Cyfirma, based in Singapore, recently released its 2023 India Threat Landscape Report, which states that 13.7% of all cyber-attacks target India, making it the most targeted nation in the world. According to the aforementioned analysis, there was a 278% surge in state-sponsored cyber-attacks on India between 2021 and September 2023. The majority of these attacks targeted services companies, such as IT and BPO enterprises. According to a report of The Wire, there was a notable 460% increase in targeted cyber-attacks on government institutions during this period, whereas start-ups and small and medium-sized firms (SMEs) experienced a staggering 508% increase.

These statistics, while deeply concerning, are not surprising. It is crucial to highlight here that this is not the first time that opposition leaders and journalists have come under the scrutiny of the current union government. In 2021, India had been rocked by reports that the current government had used Israeli-made Pegasus spyware to snoop on scores of journalists, activists and politicians. An investigation published by 17 media organizations, led by the Paris-based non-profit journalism group Forbidden Stories, had provided that the said spyware was made and licensed by Israel’s cyber intelligence company NSO Group had been used in attempted and successful hacks of 37 smartphones belonging to journalists, government officials and human rights activists.

The Wire had also reported that smartphones of politicians including Rahul Gandhi, a senior leader of the opposition Congress party, and two other lawmakers were among 300 verified Indian numbers listed as potential targets for surveillance during 2017-19 ahead of national elections. Former Indian election commissioner Ashok Lavasa and former Central Bureau of Investigation director Alok Verma were also a part of the list. The NSO Group had provided that its product was intended only for use by vetted government intelligence and law enforcement agencies to fight terrorism and crime.

The government had denied all the accusation of illegally accessing the conversation of many people by hacking cell phones with the Pegasus spyware. In August 2022, a Supreme Court appointed panel had conducted a probe into the allegations raised in the case of using Pegasus spyware to snoop into the phones of certain citizens. The panel, which included three experts on cyber security, digital forensics, networks, and hardware, had been asked to “inquire, investigate and determine” whether Pegasus spyware was used for snooping on citizens and their probe would be monitored by a former apex court judge Raveendran. Notably, the panel members were Naveen Kumar Chaudhary, Prabaharan P, and Ashwin Anil Gumaste.

The said probe panel had found some kind of malware in 5 phones out of 29 examined by technical committee. The panel had said some malware was found on five of the 29 phones its panel examined, but it was not clear if it was Pegasus. The court had also provided that the Central government had not cooperated with the investigation into the Pegasus spyware cases. The said panel has now been disbanded.

As per a report of India Today, in 2019, Facebook had filed a case against NSO Group for creating Pegasus. The report detailed that the security researchers at Facebook were chasing Pegasus across their systems, and they found that the software was used to infect several journalists and activists in India. Notably, in the year 2019, Facebook-owned platform WhatsApp had confirmed that it had informed the government of India in 2019 that at least 121 Indian numbers—belonging to academics, lawyers, Dalit activists, and journalists—had been hacked by Pegasus, exploiting a chink in the chat app’s armour. A report on the same had been written by the Guardian and the Washington Post which had provided details of what they called global surveillance operations using Pegasus. The reports had provided that over 10 governments, including India, have been involved in surveillance of people using Pegasus spyware. India, in a statement to the Guardian, called the Guardian report “fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions.” However, the country, in its statement to the Guardian, had not categorically denied using Pegasus.

The concerns regarding abuse of the Pegasus increased when another report had emerged which alleged the employment of the software by the government to frame people in a criminal manner. A 2021 report of the Washington Post had revealed that eight of the 16 under trials in the Bhima Koregaon violence case were targeted by Pegasus before being imprisoned. According to Arsenal Consulting, a US-based digital forensic firm, there is evidence of digital files being planted remotely on the computers of two of those shrivelled, These files are precisely what were deemed as critical evidence for keeping the accused in the case behind bars. Notably, another report by the American forensic firm had exposed how multiple incriminating documents were planted in the computer of Father Stan Swamy, the 83-year-old activist-priest who was arrested for alleged terror links in 2020 in the Bhima Koregaon case and who had died in custody a year later.

A recent report of Deccan Herald had alleged that India has reportedly started looking for alternative spyware after the US-based Amazon.com’s cloud services shut down the infrastructure of the NSO Group. The Financial Times reported in March that India was in the market with an estimated budget of $120 million for buying alternatives to Pegasus like Quadream and Cognyte (both made by Israeli firms) and Predator sold by Greek firm Intellexa, which had employed Israeli military veterans to create the spyware. The report further provided that in April, the Congress party had claimed that the Union government was buying Cognyte spyware to snoop on politicians, media, activists, and NGOs. As expectedly, there is no official information in the public domain regarding the purchase of any new spyware programmes by India.

Laws on surveillance in India

As the allegations of state-sponsored surveillance surfaced, IT Minister Ashwini Vaishnaw stated that Indian has a well-established procedure in which lawful interception of electronic communication can be carried out by federal and state agencies for the purpose of national security, particularly in the case of a public emergency or in the interest of public safety. And yet, an August 2023 report of the Financial Times, alleged that India’s “so-called lawful interception monitoring systems” are helping provide the “backdoor” that allows “Prime Minister Narendra Modi’s government to snoop on its 1.4 billion citizens, part of the country’s growing surveillance regime.”

Laws established in India that govern surveillance and address lawful interception, such as The Indian Telegraph Act, 1885 (Telegraph Act) and Information Technology (Amendment Act, 2008 (IT Act), were adapted by our legislation before spywares that are being used today were even conceivable. Under the legal grounds of the Section 5(2) of the Telegraph Act, 1885 and Section 69 of the IT Act, the state can “intercept, monitor, and decrypt any information for protecting sovereignty, national security, friendly relations with international governments, integrating public order etc.”

These specified laws allow for interception of the phone for certain specific purposes. In specific to targeted surveillance, the current regulatory framework allows the Central and state government directly or notified agencies to conduct an interception of the communication. This provides discretionary power to the state in determining legal enforcement agencies that can perform targeted surveillance without any oversight or contestation of the Parliament and judiciary. However, these law do not permit the state agencies to go to the extent of hijacking and weaponising a phone in the way an illegally used spyware like Pegasus makes possible.

In addition to this, Sections 43 and Section 66 of the IT Act criminalises cybercrime and stolen computer resources. Hacking is a punishable offence under the same. However, the Pegasus ‘snoop gate’ revealed that hacking operations may take place without even the target possessing any knowledge of the said infringement.  Under the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, no agency or a person can perform interception without direction and approval of the competent authority.

As has been established above, a gap is present in our legislations when it comes to sustainably protecting the citizens from state-sponsored illegal surveillance. It is pertinent to draw one’s focus to the digital personal data protection Act that was passed by the Parliament in the monsoon session of 2023 in the face of criticism by activist, academicians and scholars. The said act for being one that protects governments from scrutiny and not citizens, providing legal cover for surveillance. Critics and activists voiced their concerns by stating “the government’s favourite catchphrase ‘as may be prescribed’ is the highlight of this DPDP Act. It has been used 28 times in a 21-page Act with 44 sections. The ambiguity has been kept so that the government can take arbitrary decisions,” as per a report of the Wire.

The Jurisprudence on the Right to Privacy

The legislations highlighted above under the IT act and the Telegraph Act allow the state to perform surveillance under broad mandates such as “to maintain public order, national security, and public safety”. These mandates were then adjudicated upon by the Constitutional Courts of India:

Justice KS Puttaswamy v. Union of India:

In August 2017, a nine-judge bench of the Supreme Court in the Puttaswamy Case gave legitimacy to the right to privacy under the Constitution of India. The Court held it to form a part of the fundamental rights guaranteed to the citizens of India (Article 21) and made its derogation subject to the highest level of judicial scrutiny. However, the bench clarified that a person’s fundamental right to privacy could be overridden by competing state and individual interests, or in other words, lawful interception. Premised on the principle that “Privacy is the ultimate expression of the sanctity of the individual”, the Supreme Court held that:

1. The violation of privacy with regard to arbitrary state action would be subject to the “reasonableness” test under Article 14.
2. Privacy invasions that implicate Article 19 freedoms would have to fall under the restrictions of public order, obscenity etc.
3. Intrusion of one’s life and personal liberty under Article 21 will attract the just, fair and reasonable threshold.
4. Phone tapping not only infringes Article 21 but also contravenes Article 19 freedoms. Such a law would have to be justifiable under one of the permissible restrictions in Article 19(2), in addition to being “fair, just and reasonable” as required by Article 21, and as was held in the People’s Union for Civil Liberties (PUCL) versus Union of India (1997). It would also need to be subject to a higher threshold of “compelling state interest”.
5. The ‘proportionality and legitimacy’ test was also established – which is a four-fold test that needs to be fulfilled before state intervention in the right to privacy:

1. The state action must be sanctioned by law.
2. In a democratic society, there must be a legitimate aim for action.

• Action must be proportionate to the need for such interference.

1. And it must be subject to procedural guarantees against abuse of the power to interfere.

Vinit Kumar v. Central Bureau of Investigations and Ors:

In 2019, the Bombay High Court adjudicated upon the law pertaining to phone tapping and surveillance in the post-Puttaswamy era, applying the principles in relation to the right to privacy to section 5(2) of the IT Act. In this case, a businessman, who was alleged to have given bribes to bank employees to avail himself of credit, challenged certain Central Bureau of Investigation orders that directed interception of his telephone calls on the grounds that such orders were ultra-vires of section 5(2) of the IT Act.

At the outset, the Bombay High Court had reiterated that an order for interception as per Section 5(2) of the IT Act can be issued only in the circumstances of public emergency or public safety. The impugned orders were given on the basis of ‘public safety’.

While deciding the case, the High Court took reference from the already settled stance of the Supreme Court in previous cases. Drawing from the case of Hukum Chand Shyam Lal v. Union of India and other case laws, and holding that the impugned offence was related to an economic offence, the High Court was of the opinion that there is no apparent public safety interest to substantiate the said orders or satisfy the test of “principles of proportionality and legitimacy” as laid down in the Puttaswamy Case.

Thus, in regards to the question of interception, the Supreme Court held:

1. An order of interception under section 5(2) of the IT Act can only be given in situations of ‘public emergency’ or ‘public safety’.
2. If interception has been undertaken in contravention of Section 5(2) of the IT Act, it is mandatory for the said intercepted messages to be destroyed.
3. Evidence procured in violation of Section 5(2) and the rules made thereunder, is not admissible in court.

The most important lessons from the aforementioned two cases are that in order to justify an interception under section 5(2) of the IT Act, the stringent requirements of “public emergency” and/or “public safety” must be satisfied, and adherence to the regulations and guidelines established thereunder is required. The evidence will be excluded from court proceedings with even a small divergence from the protocol. The Vinit Kumar Case is helpful in protecting fundamental rights and ensuring that authorities do not abuse their ability to monitor phone conversations to target particular individuals without adhering to legal procedures. Given the turbulent times we live in, it seems like this is a judgment whose applicability will be called into question repeatedly.

Protection from state-sponsored surveillance- a distant dream?

Arbitrary or illegal invasions of privacy are prohibited by International Human Rights Law, which establishes the right to privacy. Furthermore, as noted by the Supreme Court and other Constitutional Courts of India, restrictions and exceptions to the fundamental right to privacy are only allowed if they are both legally mandated and required to accomplish a legitimate purpose. In view of this, the disproportionate, unlawful, or arbitrary use of spyware—like Pegasus—for surveillance breaches people’s right to privacy, erodes their ability to freely express themselves and associate, and endangers their security, safety, livelihood and lives. The recent attempts of the government in employing Pegasus malware and the alerts sent by the Apple Inc. indicate a threat to the already weakened privacy protection practices in India. In addition to overhauling the outdated framework of privacy protection laws in India, it is essential to ensure that the newer laws being implemented are more citizen centric rather than government centric. At present, the legislations have cracks and loopholes that allow state actors to perform targeted surveillance at their discretion in the absence of appropriate checks and balances. To put value to the words, “India is the mother of democracy”, it is essential that we move towards holding the state accountable for employing illegal and unethical tactics against critical voices.

Related:

A surveillance regime that violates both Privacy & Right to Life: Digital Personal Data Protection Bill, 2002

Police scrutiny and verification of documents without any reason is serious invasion of Right to Privacy: Delhi HC

‘An Act of Mass Surveillance’: India Use of Facial Recognition Tech Against Protesters Angers Privacy Advocates

Phone tapping and now face scan, Govt. creeping into our privacy

The post State-sponsored attacks of surveillance reveal an erosion on Indians’ right to privacy, especially journalists, political opposition appeared first on SabrangIndia.

In a plea filed to seek directions on the Delhi Police to make enquiry for correct identification of private person, after both the parties indulged in a quarrel, the Delhi High Court observed that subjecting a citizen to police scrutiny including verification of personal documents for no good reason would entail a serious invasion of his right to privacy, reported LiveLaw.

The plea sought directions on the Delhi Police to make an enquiry in respect of Aadhaar Cards, Voter Cards, Driving License and Pan Cards existing in the name of various names allegedly being used by the respondent individual. According to the plea, the respondent was using different names in the Kalandra proceedings (A proceeding under Sec. 107 of the CrPC issued against a person against whom there is an information that he is likely to commit breach of peace or disturb the public tranquillity or any other wrongful act leading to breach of peace or disturbance to the public.)

The State reportedly submitted that the petitioner was a regular complainant and that a Kalandra was taken against the petitioner when a quarrel had occurred after access by the petitioner’s wife to the terrace was not allowed by the respondent, reported LiveLaw.

The petitioner reportedly submitted that he was not a regular complainant but he admitted that the Kalandra was initiated against both the parties which was later disposed of.

Accordingly, Justice Asha Menon ordered, “Subjecting a citizen to police scrutiny including verification of his personal documents for no good reason, except on the whimsical demand of the petitioner would entail a serious invasion of the respondent’s right to privacy.”

This is significant given how migrants, refugees and even genuine Indian citizens, are often harassed by authorities and vested interests, to provide their documents. It remains to be seen, if the Delhi HC order puts and end to this.

A copy of the order maybe read here: 

Related:

Delhi HC dismisses Brinda Karat’s plea seeking FIR against BJP Leaders for alleged Hate Speech
If Sedition goes, so must criminalising provisions of UAPA: CCG
Delhi HC questions absence of audio in CCTVs at Police Stations

The post Police scrutiny and verification of documents without any reason is serious invasion of Right to Privacy: Delhi HC appeared first on SabrangIndia.

A group of concerned citizens, lawyers, activists, human rights workers, researchers and academicians, have demanded that the DNA Technology (Use and Application) Regulation Bill 2019 should not be passed in Parliament. The bill was introduced in Lok Sabha in July 2019 and was referred to a Standing Committee which submitted its report in February 2021.

The bill is being proposed to regulate the use of the DNA (deoxyribonucleic acid) and with a stated purpose of establishing the identity of victims, suspects, undertrials, offenders, missing persons and unknown deceased persons (and their relatives) in criminal and civil cases by permitting the collection and storage of DNA profiles which are specific patterns determined using the DNA.

Such data will be collected, accessed, indexed and recorded in central and local databases. DNA profiles can provide markers specific to each person. Essentially, for allowed cases, bodily substances of persons may be collected by investigation agencies. Such cases include criminal offences, cases of medical termination of pregnancy, immoral trafficking, parental disputes, issues relating to immigration or emigration, establishing the identity of an individual, etc.

Points raised in the statement

The statement asserts that in the light of the Pegasus scandal, the intentions of the government to snoop on its people is evident and this bill will only expand the scope of surveillance and legitimize it. It will put not just a few individuals but all individuals constantly under State surveillance and also violates an individual’s right to privacy.

Here are a few compelling points made against the bill:

•          DNA data is not foolproof: Use of DNA data is a developing field and it may not give the correct ‘profile’ of a person. It works more by association than correlation. So if a person was at a given place at a given time and traces of her DNA are found there, she can be wrongly linked to the incidents occurring therein, even if she isn’t connected to it. The Department of Biotechnology was firm in its belief that DNA technology is infallible and hence can be depended upon unquestionably
•          Gathering Data for an all-encompassing database: The Bill includes the word “suspect” which is a category of people whose DNA can be collected and since it has not been clearly defined any arbitrary definition can be assumed in the rules or in operation
•          Right against Self-incrimination: Article 20(3) of the Constitution states that no person accused of any offence shall be compelled to be a witness against himself. No person can be compelled to give any form of evidence against himself/herself that incriminates them in a crime. There is a clause that states that anyone accused of committing a crime for which the punishment is more than 7 years imprisonment, life imprisonment, or the death sentence, then the Magistrate can waive off the requirement of their consent.
•          Different Value of Consent based on offence: Section 21 (1) of the Bill says that consent of the person whose DNA is being collected must be taken in writing, however this is waived off in certain offences. Further, if a person refuses to give consent, the police can go to the Magistrate who will decide whether DNA should be obtained. Thus, clearly the state has an upper hand and in all possibility, the Magistrate is not likely to deny the police such request.
•          Attack on persons dignity and bodily autonomy: Investigators have broad and vague powers to collect DNA from sources that can be specified through a regulation, giving the executive the ability to specify any source they want. The police can collect photographs and or video recordings of genitalia of women, which is absurd since DNA cannot be extracted from such a source.
•          Retention of Data: In criminal matters, an accused person can approach the court to remove their DNA data from the Data Bank after the trial. And by default unless one moves to court, the DNA data stays not only in the Data bank but also in the DNA Lab.
•          Attack on privacy: The fundamental right to privacy covers at least three aspects – (i) intrusion with an individual’s physical body, (ii) informational privacy, and (iii) privacy of choice. All three aspects of privacy have been completely ignored by the DNA Bill. Without a data protection regime and necessary protections to safeguard the right to privacy, the DNA Bill is an attack on our fundamental right.

The complete statement may be read here:

The Parliament Committee report

The Parliament Standing Committee on science and technology submitted its report on the DNA Bill on February 3, 2021. The Committee stated that under the law, the statutory Board should be professional and independent and not comprise almost wholly of serving government officials. The Committee also raised its concerns over the “crime scene index” which will be a national databank of DNA left at the crime scene which could include virtually everyone who may have nothing to do with the crime being investigated. 

There is also DNA to be present of those who were nowhere near the “crime scene” but bodily material like hair may have been transported to the crime scene inadvertently by a variety of ways. Many of these DNA profiles will then find their way into the “crime scene index” without the knowledge of these persons. The committee also raised its concern over the accuracy, integrity and security of Regional DNA Data Banks and insisted that only a National DNA Data Bank be maintained.

The report recommends including the definition of “offender” as a person convicted of an offence and punished with imprisonment of 7 years or more. The Committee is of the view that the “suspects” index and “undertrials” index is unnecessary for the purpose of solving crimes, and it can be misused for targeting certain categories of people

The Committee opines that the functions of the Regulatory Board must include issuing guidelines, standards and procedures for the establishment and functioning of the DNA Labs and the National DNA Data Bank as also advising the government on establishment of DNA labs.

The Committee also states that the function of the Board must include making recommendations to the government in the interest of privacy protection, for timely removal and destruction of DNA profiles and information that (a) is obsolete, expunged, or inaccurate; or (b) after the purpose for which DNA information has been collected has been served. Currently, the Clause 12k(iv) provides for timely removal of only “obsolete, expunged or inaccurate DNA information”.

The Committee recommended that the Bill should regulate DNA testing for the purpose mentioned in the object of the legislation and should not seek to regulate all other DNA testing

The Committee suggests that when the Magistrate passes the order for collecting DNA sample, the person should be given an opportunity to be heard

The Committee calls for deleting the clause that allows for purpose of collecting DNA samples, “taking of a photograph or video recording of, or an impression or cast of a wound from, the genital or anal area, buttocks and breasts in the case of a female”. The Committee states there is no current technology to derive DNA profiles from photographs and videos, and therefore recommends the deletion of the Clause 23(3)(b)(vi) in its entirety.

The Clause 23 (3)(c)(i) provides for taking handprint, fingerprint, footprint or toe print but since there is no current technology to derive DNA profile from these. The Committee recommends the deletion of the Clause in its entirety.

The Clause 30 (1)(c) provides that the DNA data bank can match DNA profiles received from the government with its database and can provide information on a “similar DNA”. The Committee feels that the usage of “Similar” in the Clause is vague and will violate the privacy of relatives of those people whose profiles are in the data bank and recommends the deletion of the Clause in its entirety.

The Bill provides that the data in the DNA data bank will be retained unless removed by certain procedures. The Committee recommends that – “The National Data Bank shall promptly remove the DNA profile entered as an offender within 30 days from the day that the court finds such person not guilty.”

The dissent note from Asaduddin Owaisi stresses upon the need for an overarching regulator to prevent misuse. He cites the example of the United Kingdom where the National DNA Database Strategy Board, which oversees the national DNA database, is overseen by the Ethics Board, Biometrics Commissioner, Forensic Regulator as well as Information Commissioner. He also points out that India still does not have a data protection law and a statutory protection of private data is critical as it provides a mechanism for enforcement of rights.

The Parliament Committee report may be read here:

Related:

Pegasus scandal: SC says serious allegations if reports are true
Pegasus Project: 5 targeted journalists move SC, say have been subject to intrusive hacking
India’s Deep State: Is any citizen safe?

The post The DNA Bill: A perfect recipe for absolute surveillance and zero privacy appeared first on SabrangIndia.

The Allahabad High Court has held that publication of the names/photographs of alleged criminals / accused persons other than “proclaimed offenders” and “fugitives” in law, on notice boards of police stations is a violation of the right to privacy and human dignity under Article 21 of the Constitution.

Following this ratio, Justices Vivek Agarwal and Pankaj Naqvi directed the Director General of Police (DGP) of Uttar Pradesh to remove the names/identities of top-10 criminals along with their criminal antecedents from the flysheet board from all the police stations. The Bench however clarified that the benefit of this verdict will not be given to any “proclaimed offenders and fugitives in law”.

The petitioners who are also siblings contended that they are relatives of a former member of the Parliament from Allahabad Constituency and due to political vendetta, they are being harassed by the police authorities by illegally publishing their names in the list of top-10 criminals of Police Station-Khuldabad.

They submitted that only one case was registered against each of them and it was on the basis of one case that their names were included under top 10 criminals. They argued in court that the three of them have suffered a violation of fundamental rights, and their names are being scandalised and propagated without following procedure established by law.  

A circular/policy issued by the Uttar Pradesh government on July 6, 2020 was also assailed on the ground that it violates Articles 14, 15 and 21 of the Constitution because paragraph 2 of the policy provides for preparation of a list of “top 10 criminals” at each police station and district so as to help the police in keeping a tab on active, hardened and functional criminals.

Thereafter, the court framed three issues for consideration:

(i) Whether policy/circular is ultra vires of the provisions contained in Constitution of India especially Articles 14, 15 and 21 of the Constitution, Police Act, 1861 or UP Police Regulations?

(ii) Whether the policy/circular grants the right to the police authorities to publish names of so-called criminals/accused persons on the flysheet board of the concerned police station?

(iii) Whether the publication of names of such accused persons violates the right to privacy and dignity?

The judges gave separate but concurring opinions on the issues. On the first issue, the court relied on Indian Express Newspapers (Bombay) Private Limited Vs. Union of India AIR 1986 SC 515, to hold that the validity of any subordinate legislation can be challenged on the grounds of unreasonableness, vagueness or arbitrariness. It ruled that the policy per se does not suffer from the vice of ultra vires, because the aim and object of the policy is to keep the police updated of the activities of the criminals with a view to keep a better control on law-and-order situations.

“I have no hesitation to hold that policy/ circular in its content or language does not suffer from lack of competence. When tested within the four corners of the law laid down in the case of Indian Express Newspapers (supra), policy cannot be said to be the arbitrary, illegal or ultra vires of either the Constitution or the Police Act or the Police Regulations”, was held by the Bench.

On the second issue, whether the policy grants the Police the right to publish names, the court said that there is no provision in the circular nor any of the provisions contained in the police regulations, the Police Act or the Code of Criminal Procedure (CrPC), to publish list of identified top 10 criminals and mafia elements either on the flysheet board of the concerned police station or anywhere else.

On the third question of dignity and privacy, Justice Vivek Agarwal said that: “The sanctity of privacy lies in its functional relationship with dignity. This judgment (KS Puttaswamy) lays down that privacy of an individual is an essential aspect of dignity. Privacy represents the core of the human personality, which is part of a broader concept of liberty. Dignity is an entitlement of a constitutionally protected interest in itself. Dignity and freedom are intertwined and facilitate each other.”

He added: “it is apparent that neither socially nor politically it is desirable to curtail human dignity, which is infringed when names of accused persons are displayed on the flysheet board of the police station concerned or anywhere else without there being any proclamation issued against them under Section 82 Cr.PC. Thus, this practice of putting the names on the flysheet board is derogatory to the concept of human dignity and privacy and therefore Reference Question No. iii is answered in affirmative that publication of names of accused persons violates their right to privacy and dignity.”

Justice Pankaj Naqvi penned down his own opinion (concurring) on this issue. He referred to the teachings of Justice Ruth Bader Ginsberg, Immanuel Kant, French Philosopher Charles Renouvier and international law to emphasise on the idea of dignity. “A welfare State is governed by rule of law. The approach of the Apex Court in respecting and upholding the dignity of an individual, whether he be an accused or a convict, is both pragmatic and sensitive”, he noted.

He observed that, “Sensitization is an important aspect of policing as the Police being in the forefront to maintain law and order are expected to strictly uphold the rule of law. A police force sans sensitivity could play havoc with the life and liberty of an individual including his/her dignity. Dignity is neither class centric nor an elitist concept. It is inherent in all individuals as human beings. Article 21 encompasses all shades of dignity as a necessary concomitant of liberty.”

Justice Naqvi finally said that the circular of DG (Police) dated July 6, last year cannot be faulted, “but the action of its officers in disclosing the identity of petitioners in police stations in public gaze is absolutely unwarranted and uncalled for as being violative of Article 21 of the Constitution.”

The judgment may be read here:

Related:

Notice publication of marriage under Special Marriage Act violates privacy: Allahabad HC

The post Publishing accused’s name on police station flyboards, violates privacy: Allahabad HC appeared first on SabrangIndia.

In a shocking breach of privacy, the Sahibzada Ajit Singh Nagar district authorities in Punjab have published a list of people who are currently in Covid-19 related quarantine. The list contains not only the names of such people, but also their addresses. The list was published on a page with an nic.in domain, making it an official government website. SabrangIndia has a copy of this list that is up to date till May 8 and contains details of 1094 people. But we will not publish it due to privacy concerns.  

Earlier too there were instances of such lists being leaked painting a virtual bull eye on their backs. The lists make it easy to target such people.

On March 20, the Rajasthan government made public details of 45 people in Ajmer through newspapers and social media claiming this would help ensure effective containment.      

On March 21, social media and whatsapp groups across Nagpur came alive with a list of people in precautionary quarantine. Times of India reported that the list was made public by the authorities themselves.

On March 24, Mumbai Mirror reported that a list of over 100 people in home quarantine living in the Borivali-Dahisar area of North Mumbai was leaked on social media. Ever since then the people whose names, addresses and phone numbers were leaked are facing harassment and calls from unknown people. It is noteworthy that none of these people were confirmed to be Covid-19 positive, just asked to remain in home quarantine due to foreign travel or coming into contact with someone who had travelled abroad.

On March 26 Medianama reported that the Karnataka government made a similar list public. The publication said, “…the list published by the Karnataka government includes individuals who are not necessarily infected, but have all flown in from a foreign country recently, and have been asked to stay indoors for two weeks. The list contains their door number, PIN code, and which country they travelled from.” Times of India reported that this list had names and addresses of over 19,000 people who had travelled abroad and had returned to Bengaluru as of March 8. Authorities willfully violated privacy of people stating they were forced to do so as people were not complying with quarantine protocol.

A list of 722 people in self-quarantine in Delhi was leaked on March 27. This list was more detailed because it not only contained names, addresses and phone numbers of people who were asked to stay in quarantine following arrival from foreign countries, but also their email addresses and even passport numbers!

The problem with such lists being leaked is not just an invasion of privacy, but also the possibility of identity theft. The data made public can be misused by criminals to obtain legitimate services like credit cards, cell phone numbers, etc. in the name of the persons on the list. These can later be misused and the person whose identity has been stolen will have to pay the price.

But the biggest problem is how vulnerable it makes the people on the list to not just social ostracism, but also targeted violence. In a country where one’s name can clearly indicate their religion and caste, leaking such a list makes it easy for bigots and fundamentalists to hunt down people from persecuted and oppressed sections of society and victimize them further.

Related:

Covid-19: Does the Aarogya Setu app violate privacy?

Aarogya Setu app in hot water due to MHA’s order on mandatory downloads

Letter petition in SC seeks ban on ZOOM App after MHA advisory

The post Punjab District releases names and addresses of 1094 people in quarantine appeared first on SabrangIndia.

An individual’s right to privacy was re-affirmed by the Supreme Court in 2017 in the Justice Puttaswamy case in which concerns were raised pertaining to violation data privacy caused due to collection of data under the Aadhaar scheme. At one point the government had sought to make mandatory linking of Aadhaar to every service, but the Supreme Court made linking of Aadhaar voluntary, except for availing benefits under government schemes. It also made linking of PAN Card and Aadhaar card mandatory, in order to avoid tax frauds.

It was due to this case that the need for a legislation to regulate data protection and to safeguard people’s right to privacy arose. In the above-mentioned case, the Supreme Court had reaffirmed right to privacy to be a fundamental right. A committee was set up by the government in 2017 under chairmanship of retired Supreme Court Judge Justice Srikrishna. The report of the committee has been in deliberation since it was submitted to the government and finally this draft bill has been presented.
 

The bill in brief

The bill includes many recommendations from the report as provisions. It has some salient features such as definition of personal data, sensitive personal data and handling of data of children, it also provides for withdrawal of consent and seeking of express consent. The bill imposes a lot of regulations on social media aggregators/intermediaries which may have significant impact on electoral democracy, security, public order, sovereignty and integrity of India designating them as significant data fiduciaries. Thus, bringing companies like Google, Facebook, Twitter, Whatsapp under its ambit.

As a whole, the bill seems to be giving protection of people’s data high priority and is also making entities possessing such data accountable, by imposing severe penalties for acting in contravention to provisions pertaining to protection of data, informing on breach of data and so on. It also provides for creation of an Authority to deal with complaints against breach of data and any other complaints against data fiduciaries as also an Appellate Authority for faster redressal of complaints.

The bill covers all personal data collected or shared by the State or any company or citizen or body corporate even outside the territory of India which carries out business in India or one which engages in profiling of data. On technical terms, the bill seems robust and comprehensive, especially in the definitions it has accorded to different categories of personal data; thus, indicating that the Ministry has taken due note of the Justice Srikrishna report and based the law purely on its findings, albeit not completely.

The main issue being, it gives the government certain exemptions from having to abide by the provisions on several counts which are arbitrary and vague in their definition and which could be misused by the government from time to time, to justify its actions of breaching people’s data and for doing away with seeking consent.
 

Waiver of consent

Section 11 of the bill provides for processing of data only by the consent of the data principal, i.e. the person to whom the data belongs. Section 12, however, waives this consent for the government enabling it to process data without the consent of the data principal. It provides that this can be done by the government for performance of its functions for provision of service or benefit, for compliance with order/judgment of any court, to respond to medical emergency, to provide health services and to undertake measures to ensure safety during a disaster or breakdown of public order.

Further, it allows formulation of any regulations under the law to waive off consent for “reasonable purposes” while taking into consideration certain factors such as public interest, interest of data fiduciary and so on. Reasonable purposes may include prevention and detection of unlawful activity, whistle blowing, mergers and acquisitions, network and information security, credit scoring, debt recovery, processing of publicly available data, operation of search engines.
 

Rectification of Data

Section 18 speaks about rights of the data principal to correct inaccurate data, complete incomplete data, updating data and erasing data that is no longer necessary for the purpose for which it was processed. The same section gives the data fiduciary the authority to reject such an application made by the data principal for making changes in his/her own data, while providing reasons for such rejection.
 

Right to receive one’s own data

Section 19 provides for receipt of data by data principal which is process by automated means. Within the same section the State is exempted if the processing is done for functions of the State or in compliance of any law and if such compliance to data principal’s request would reveal a trade secret of a data fiduciary.

Blanket exemption

Section 35 gives an almost blanket exemption to the government to deal with the data principal’s data , without having to follow the provisions of the law, if such processing of the data (which includes sharing) is in the interest of sovereignty, integrity and security of the state, if it affects friendly relations with a foreign state, for preventing incitement of commission of cognizable offence relating to the aforementioned. There is also exemption of certain provisions if data is processed in interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law; if disclosure is necessary to for enforcing legal rights; if it is necessary for any judicial function; if processing is necessary or relevant for journalistic purpose.
 

Exemption for purposes of research, archiving or statistical purposes

Section 38 provides that if data processing is necessary for research, archiving, or statistical purposes then it shall be exempt from application of provisions of this law if the compliance with the provisions of the law might disproportionately divert resources from such purpose; purposes of processing cannot be achieved if the personal data is anonymised; if data processed does not cause significant harm to data principal and so on.

It is hoped that the joint select committee that examines the law comes up with some suggestions and recommendations that do not expose people’s personal data to be exploited by the government under these ‘exemptions’ which they are mostly likely to misuse and use as a defence for breaching people’s data.

The complete bill as presented in the Lok Sabha may be read here.

The post New data protection law comprehensive but full of exemptions appeared first on SabrangIndia.

When the issue of Israeli spyware being used by government to spy on certain individuals was raised in the LokSabha on the second day of its current winter session, in an unabashed response, the Minister of State in the Home Affairs Ministry Kishan Reddy said that Section 69 of the Information Technology Act (IT Act) empowers the Central Government to intercept and monitor anyone. The question was asked on the floor of the lower house by MDMK’s A Ganeshamurthi.

This statement coming from the Home Affairs Ministry today, has silenced all speculation and can be considered as a clear admission by the central government that it did in fact spy upon lawyers and human rights activists, in blatant misuse of its powers.

Only 10 agencies can tape phones: Centre

In a written reply, the central government further also said there are only 10 agencies that are authorised to tape phones in India. These include the CBI, the ED and the Intelligence Bureau. The government said these agencies have to take permission from the Union Home Secretary approval before putting anyone on surveillance.

The 10 authorities that can intercept phones in India are: Intelligence Bureau, Central Bureau of Investigation, Enforcement Directorate, Narcotics Control Bureau, Central Board of Direct Taxes, Directorate of Revenue Intelligence, National Investigation Agency, R&AW, Directorate of Signal Intelligence and Delhi Police Commissioner.

The Law

Section 69 of the IT Act deals with provisions pertaining to Power to issue directions for interception or monitoring or decryption of any information through any computer resource, whereby, the government or its authorised officers, in the interest of “sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence” may intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource.

Sabrang India had recently done an analysis on how vague and arbitrary are the provisions that allow interception by the government, enabling the government to justify its surveillance activities by using such vague provisions as a shield.

In October this year,WhatsApp filed a complaint in a California Court against Israel’s NSO Group, many things have unravelled. The claims of the IT Ministry that WhatsApp did not inform them about the vulnerability in their service, were countered by Whatsapp stating that besides notifying the government in May about a vulnerability in its service, it sent a letter in early September that 121 Indians were compromised by the Israeli spyware Pegasus. To this, the IT Ministry responded saying that the September letter sent to them was very vague. The government had alleged that it was disturbed that the company had not brought the privacy breach of Indian citizens to their attention during the two meetings with the minister earlier this year.

On November 1, this year, Whatsapp confirmed that NSO Group’s spyware called Pegasus was used to spy upon  journalists and human rights activists in India who were informed by Whatsapp that their phones had been under state-of-the-art surveillance for a two-week period until May 2019

After this shocking revelation, the 19 affected Indian users who were contacted by WhatsApp wrote an open letter to the Central government saying, “It is a matter of public concern whether Indian tax payer money has been spent on this kind of Cyber surveillance… We seek an answer from the Government of India about whether it was aware of any contract between any of its various ministries, departments, agencies, or any State government and the NSO Group or any of its contractors to deploy Pegasus or related malware for any operations within India?” The government, back then, had neither confirmed nor denied the usage of the spyware.

However, by invoking section 69 of the IT Act when asked if the government was tapping Whatsapp conversations, the government has silenced all speculations and we have a clear admission from the horses mouth!

Related:

WhatsApp confirms: Israeli spyware was used to snoop on Indian journalists, activists

Besides May alert, WhatsApp sent another in September on 121 Indians breached

Phone tapping and now face scan, Govt. creeping into our privacy

What is Ravishankar Prasad Hiding on WhatsApp Hack?

The post Did GOI just admit in Lok Sabha to using Pegasus to spy on activists? appeared first on SabrangIndia.

 
A furore was caused by an order issued by the Cyber and Information Security Division of the Union Ministry of Home Affairs (MHA) on 20 December 2018, authorising 10 security and intelligence agencies to intercept, monitor and decrypt information generated, transmitted, received or stored in any computer resource.
 
Under The Right to Information Act, 2005 (RTI Act), the MHA has refused to disclose the reasons and materials such as file noting which formed the basis for issuing this order. Even more shocking is the MHA’s refusal to treat this as a valid query request for not complying with the duty of proactive disclosure of all relevant facts and reasons that underpin the order.
 
Controversy surrounding MHA’s December 2018 order
Through the December 2018 order, the MHA authorised intelligence organisations such as the Intelligence Bureau, the Research & Analysis Wing (R&AW) of the Cabinet Secretariat, the Directorate of Revenue Intelligence and the Directorate of Signal Intelligence ( for service areas of Jammu and Kashmir, North East and Assam only) to access information from any computer resource under the Information Technology Act, 2000. 
 
Security agencies such as such as the Central Bureau of Investigation (CBI), the National Investigation Agency, the Delhi Police and the Enforcement Directorate are also included in this list. The Central Board of Direct Taxes which is neither security nor an intelligence agency per se [although one of its arms- the Directorate General of Income Tax (Investigation) does engage in tax-related intelligence gathering operations] was also authorised to intercept computer resources.
 
In the December 2018 Gazette notification, the MHA stated that the order was being issued under Section 69(1) of the IT Act read with Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. 
 
Reflecting the very public outrage that the order caused, Opposition Leaders raised the issue in the Rajya Sabha, the next day. The Leader of the House ( also the then Hon’ble Union Finance Minister) is reported to have criticised them for raising the issue in the manner they did, saying: 
 
“What you are doing…is making a mountain where even a molehill does not exist.” 
 
He pointed out that the 2009 Rules were notified under the UPA-II regime and that the same agencies were being notified, for the same purpose, from time to time earlier as well.
 
The order was not an omnibus authorisation to intercept any computer resource but only such instruments that are linked to threats to national security, public order and integrity of India, he said. While beginning his reply to the Opposition Leaders, he is reported to have said that as senior leaders they ought to have obtained complete information about the issue before raising it in the House. (Click here for the verbatim report of the House proceedings): 
 
The RTI Intervention
Deeply influenced by the sage advice of the Hon’ble Leader of the House and remembering the fact that the proviso under Section 8(1) of the RTI Act states that information which cannot be denied to a Member of Parliament cannot be denied to any citizen, I submitted a request to MHA  through the RTI Online Facility seeking the following information:
 
1) A clear photocopy of all official records that contain the written reasons for issuing the authorisation to the 10 security and intelligence agencies specified in the attached Gazette notification as per the requirements of Section 69(1) of the Information Technology Act, 2000 (IT Act);
 
2) A clear photocopy of all file notings, correspondence and related legal opinion, if any, with annexures, if any that form the materials on the basis of which the said authorisation was issued;
 
3) The detailed reasons for not complying with the statutory requirement of voluntary disclosure of facts, details and reasons related to the said authorisation as per the statutory requirements under Section 4(1)(c) and 4(1)(d) read with Section 26(1)(c) of the RTI Act, 2005;
 
4) A list of all other security and intelligence organisations or other authorities that have been authorised for the purpose of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the IT Act, by the competent authority in the Government of India prior to 20/12/2018; and
 
5) A clear photocopy of all notifications issued till date, by every State Government and Union Territory Administration, similarly authorising security and intelligence organisations or authorities under their jurisdiction for the interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the IT Act.”
 
The MHA’s reply
The Central Public Information Officer (CPIO) of the MHA has rejected the information sought at paras 1, 2, 4 and 5 in the following words:
 
“Sought documents/information is classified as ‘Top Secret’ and cannot be disclosed as it is exempted under Section 8(1)(a), 8(1)(g) and 8(1)(h) of the Right to Information Act, 2005. This is in confirmation with the Central Information Commission decision vide no. CIC/VS/A/2014/000378/SB dated 02..09.2015 (available in public domain) in an appeal filed by Shri Amitabh Narayan”. (emphasis supplied)
 
As regards the query about non-compliance with the voluntary disclosure of facts and detailed reasons for the authorisation to intercept computers, the CPIO replied that “It is in the form of a question which is not covered under the definition of ‘information’ under Section 2(f) of the Right to Information Act, 2005.” (emphasis supplied) 
 
What is wrong with the CPIO’s reply?
1) The CPIO seems to be completely oblivious of the advice of the Leader of the House in the Rajya Sabha that anybody speaking about the interception order must so do after obtaining all facts. This was the express purpose of the RTI intervention but it was completely lost on the CPIO. The two gentlemen seem to be operating on completely different wavelengths. Section 4(1)(c) and 4(1)(d) of the RTI Act require every public authority to voluntarily disclose all relevant facts and reasons for such orders to the public at large. Under Section 26(1)(c) of the RTI Act, the Central Government has a duty to ensure that every public authority performs this voluntary duty. Section 26(1)(c) mandates the Government to require all public authorities to proactively disseminate accurate information about their activities effectively from time to time. The CPIO has ignored all these statutory requirements while making a decision on my RTI application.
 
2) Further, the CIC’s order which the CPIO has cited to reject four of the five RTI queries has nothing to do with the IT Act at all. The CIC in its wisdom has thought it fit not to record the contents of the RTI application in its September 2015 order. The CIC had held that the RTI applicant’s request for information about “telephone interception” under the 125+ years old Indian Telegraph Act and relevant Rules cannot be granted because it may prejudicially affect the interests protected under Section 8(1)(a) of the RTI Act (which of the seven grounds mentioned in that exemption is applicable, is not even discussed in the order). The CIC also ruled that disclosure would impede the investigation processes and reveal the source of information given in confidence to law enforcement agencies but there is no discussion about how disclosure will have such an effect. According to several High Courts, a detailed and well-reasoned justification is a mandatory requirement while invoking the exemptions under Sections 8(1)(g) and (h) of the RTI Act. The MHA which had decided this RTI application also had explained that telephone interception-related records are destroyed after six months. So some of the information was not available with them in material form and could not be supplied to the appellant, it had argued.
 
In my humble opinion, despite the glaring defects from which the CIC’s order suffers, it does not apply to anything done or order issued under the IT Act. The December 2018 order is not for telephone interception at all. Instead, it is for computer interception. The CIC’s 2015 order operates in a completely different field. 
 
The CPIO has mechanically washed his hands of the responsibility of being transparent about the routine actions of government. Further, I had not sought any information about any specific computer resource that was being intercepted by any of the 10 agencies listed in the December 2018 order. So the CPIO’s action of invoking Sections 8(1)(g) and (h) is also misconceived.
 
3) Further, there is at least one previous order of the CIC from June 2011 where access to information about telephone interception had been granted after severing the names of officers (see 5th attachment). In this case, information was sought from the CBI. Interestingly, the UPA-II Government issued a notification partially excluding CBI from the ordinary obligations of transparency under the RTI Act, in the same month and year. The CBI challenged the CIC’s order arguing that the benefit of exclusion is available to it with retrospective effect. So, the Delhi High Court stayed the operation of the 2011 CIC order. Meanwhile, several citizens filed petitions in High Courts across the country challenging the partial exclusion granted to the CBI. These petitions were transferred to the Supreme Court on the Central Government’s plea. This issue has been pending for more than seven years without resolution. The CIC’s two-page order of 2015 does not even mention the seven and a half page long CIC’s 2011 order where reasons for partial disclosure are discussed in detail. One would expect that the appeal ought to have been kept pending in view of the stay granted by the Delhi High Court on a similar issue. The CPIO’s MHA has cherry-picked a questionable CIC decision to deny information about the December 2018 interception authorisation order. 
 
4) The CPIO’s reply to my third RTI query is erroneous even under the terms of Section 69(1) of the IT Act, which is reproduced below:
 
69. Directions of Controller to a subscriber to extend facilities to decrypt information.
(1) If the Controller is satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence, for reasons to be recorded in writing, by order, direct any agency of the Government to intercept any information transmitted through any computer resource.
 
(2) The subscriber or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub-section (1), extend all facilities and technical assistance to decrypt the information.
 
(3) The subscriber or any person who fails to assist the agency referred to in sub-section (2) shall be punished with imprisonment for a term which may extend to seven years.” (emphasis supplied)
 
So when any order is issued under Section 69(1) of the IT Act, reasons must be recorded in writing. Under the 2009 Rules, these duties are required to be performed by the Secretary, MHA who is the “competent authority” for the Central Government. At Query #3 of my RTI application, I had asked, why these reasons have not been disclosed as per the requirements of the RTI Act. By holding that Query No. 3 is in the form of a question and is not seeking information, the CPIO has committed another error. While his boss is duty bound to record reasons before issuing the authorisation order, the CPIO has neither the intention of disclosing them nor will he treat non-compliance with the statutory duty of proactive disclosure of those very reasons as a valid basis for the RTI query. 
 
According to the Preamble of the RTI Act, one of its objectives is to ensure accountability of the Government and its instrumentalities to the governed. This accountability applies not only for decisions made and actions were taken by public authorities but also their omissions and failure to comply with statutory requirements. 
 
Every citizen has the right to know all the facts and reasons that form the basis of the December 2018 authorisation order. 
 
Meanwhile, the December 2018 order has been challenged in the Supreme Court of India. Even as we wait for the outcome of this case, I am planning to file the usual appeals. Perhaps a direct complaint to the CIC about  MHA’s non-compliance with Sections 4(1) and 26(1)(c) of the RTI Act might also be ordered in this case.

Nayak is a Programme Coordinator at Access to Information Programme, Commonwealth Human Rights Initiative
 

The post Opinion: Indian agencies can snoop on any computer but my RTI complaint against it gets rejected appeared first on SabrangIndia.

Interview with Paranjoy Guha Thakurta
Interviewed by Prabir Purkayastha Produced by Newsclick Production,

The recent notification by the Home Ministry and the proposed changes to the Information Technology rules threatens citizens’ privacy and freedom of expression. A Newsclick conversation between Prabir Purkayastha and Paranjoy Guha Thakurta.

Courtesy: Newsclick.in

The post Has India Become a Surveillance State? appeared first on SabrangIndia.