One of the companies being looked at is Intellexa, which has recently been at the centre of a snooping scandal in Greece. (Representational Image/Twitter)
A news report in the Financial Times of London dated March 31 suggested that our government is in the market for new spyware. The NSO, the company that manufactures and sells Pegasus, has been blacklisted by the United States of America, creating what the FT report terms a "PR problem" for governments that intend to deploy the spying tool.
The report further suggested that the Indian government is willing to spend up to $120 million or around Rs. 1,000 crores in purchasing analogous technology.
Around a dozen spyware sellers are expected to put in their bids for this speculated purchase. One of the companies being looked at is Intellexa, which has recently been at the centre of a snooping scandal in Greece.
What this news report if correct reveals rather portentously is that the surveillance industry is the new kryptonite to citizen’s rights and to national security as well. For what really stops these spyware manufacturers from selling sophisticated, military grade surveillance technology to non-state actors as well? Not every country has robust legal architecture to regulate it.
At the outset, any surveillance or intrusion into a citizen’s private affairs constitutes a breach of the fundamental right to privacy and the right to free speech and expression. Any such intrusion, therefore, must satisfy the requirements of legality, necessity and proportionality. Post-Puttaswamy, the Hon’ble Supreme Court has made clear that the right to privacy is an intrinsic part of Article 21 of the Constitution — the right to life and liberty. It also noted the need for oversight mechanisms over state surveillance, pointing out that such surveillance must be legally valid and have a "legitimate aim".
The first requirement demands all surveillance be done under proper legislation duly framed by Parliament. All intelligence and law enforcement agencies that are permitted to conduct surveillance should have roles, powers, and responsibilities based on a clear, published law, with foreseeable application and effects.
The second prong requires the presence of a legitimate aim that would override the effect on the rights of an individual so surveilled. This aim cannot be vague or undefined, it must be time bound, the legitimacy of which ought to be fully reviewed ex-post facto. Does the current surveillance framework live up to these requirements?
Section 5(2) of The Indian Telegraph Act, 1885, allows the government to intercept a "message or a class of messages". How this is done is provided for in Rule 419A of the Indian Telegraph Rules, 1951. Rule 419A was added to the Telegraph Rules after the Supreme Court verdict in PUCL v. Union of India AIR 1997 SC 568. Under Rule 419A, surveillance needs the sanction of the home secretary at the Central or state level except in "unavoidable circumstance" when surveillance can be carried out by a joint secretary or officers superior in rank subject to the home secretary’s authorisation.
In Re: PUCL, the court held that telephonic conversations would fall in the domain of the right to privacy. Such privacy, the court held, may only be breached through established procedures. Notably, the court in PUCL held that the government had the power to make the rules that govern its interception powers. But since no such rules had been made, the court gave certain guidelines which are instructive as to how narrowly tailored the court conceived of surveillance. It never envisaged a Pegasus-like situation where such spyware could be used without authorisation and with no defined legitimate aim.
Under Rules 2 and 4, for instance, the court required that the communications to be intercepted be specified (Rule 2), and the persons and the addresses specified as well (Rule 4). In extenso, the court’s reading of section 5(2) of the Telegraph Act is that this provision presupposes a reasonable suspicion which must be specified by the authority carrying out the surveillance. A government cannot enter into a roving and fishing expedition into citizens’ phones hoping to find something incriminating or to keep tabs on them. Such surveillance is per se illegal and is a constitutional perversity.
Given the vast amounts of data we save on our phones, they have become veritable information repositories. The Telegraph Act of 1885 could never have imagined the existence of an iPhone or spyware that could enter, infect, and transmit information from your phone without you having clicked any link, as is the case with most phishing malware. More importantly, the court in PUCL unambiguously holds that "public emergency" or "public safety" cannot be secretive. Whatever public safety interest there might be, it should be evident to a reasonable person.
There is also a need to revisit PUCL v. Union of India insofar as it held that judicial review was unnecessary. First, the Supreme Court itself has evolved the judicial standards for ascertaining the legality of surveillance given its decision in K.S. Puttaswamy v Union of India, (2017) 10 SCC 1, where the court held that for any surveillance to be proportional and therefore judicial oversight is a minimum requirement.
This is in direct contradistinction to what was held in PUCL. Second, the PUCL decision was limited to phone tapping and not the kind of technologically advanced surveillance under Section 69 of the Information Technology Act, 2000, that we are faced with today. The power imbalance between the State and the citizens has grown steeper. Third, Section 69 of the IT Act is almost a carte blanche given the absence of even the requirements of "public emergency" and "public safety" that are intrinsic to Section 5(2) of the Telegraph Act.
A first step to protecting the right to privacy is to reform our intelligence agencies. No other major democracy has such a legal black hole in their intelligence and surveillance framework. The United States governs its Central Intelligence Agency (CIA) through the National Security Act, 1947, and the CIA Act of 1949. Germany's intelligence service, the BND, draws its authority from the Federal Intelligence Service Law, 1990. The MI5 in the UK are governed by the Security Services Act, 1989. Even the Foreign Intelligence Service of Russia is covered by a comprehensive legislation — the Law on Foreign Intelligence Organs, 1996.
Our intelligence agencies, such as the Intelligence Bureau (IB), the Research & Analysis Wing (RAW) are outside the purview of any law or parliamentary oversight.
For this reason, I had introduced the Intelligence Services (Powers and Regulation) Bill in 2011 and then again in 2021 in the Lok Sabha. It provided for, inter alia, the setting up of tribunals and committees for better control and oversight of such agencies, and for redressal of surveillance-related complaints from individuals.
Cicero is believed to have said inter armaenim silent leges or in times of war the law falls silent. Intelligence agencies and state surveillance have functioned without laws for far too long. We are being told that when spies do their job, the laws may not speak. But Cicero was wrong then as the Geneva Convention’s illustrate that laws must never fall silent when the rights of citizens are at stake.