Low point

When it comes to securing online data, the Indian legal system has failed to keep up


Surveillance is not new, but technology has permitted surveillance in ways that are unimaginable, noted Supreme Court judge Sanjay Kishan Kaul in his separate judgment when the apex court declared privacy to be a fundamental right in August 2017.

In words that may now seem prophetic, Kaul said, “Knowledge about a person gives a power over that person.... It can be used as a tool to exercise control over us like the ‘big brother’ state exercised. This can have a stultifying effect on the expression of dissent and difference of opinion, which no democracy can afford.”

The furore over attempts to install malware in phones through a WhatsApp video call has now put the spotlight on the need to protect the digital privacy of individuals. The controversy also exposes the inadequacies of the present legal framework in safeguarding the immense data that the citizens are putting out in the virtual sphere.

Legal experts describe the WhatsApp breach as a clear violation of the individual’s right to privacy, with reference to the judgment passed by a nine-member bench of the Supreme Court on August 24, 2017, declaring privacy to be a fundamental right. “WhatsApp promised users end-to-end encryption. It made a representation to its users that their chats and other data will not be shared. So there is a breach of that representation. More importantly, there has been a violation of the individual’s fundamental right to privacy,” said Supreme Court lawyer Shilpi Jain.

The Indian Telegraph Act, 1882, permits surveillance by state actors under certain conditions. Section 69 of the Indian Information Technology Act, 2000, permits and regulates surveillance through interception, monitoring and decryption.

People do care for the privacy and security of their online data, and the WhatsApp breach only goes to underline that a legal framework is urgently needed. —Shilpi Jain, Supreme Court lawyer

The Supreme Court, too, has recognised the need to balance individual rights with legitimate concerns of the state, stating in its privacy judgment that “the legitimate aims of the state would include, for instance, protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge and preventing the dissipation of social welfare benefits.”

However, under both the Telegraph Act and the IT Act, surveillance by private players is not allowed. Also, under the existing legal framework, Pegasus-like intrusion into devices was in any case not permitted, said Apar Gupta, lawyer and executive director of the Internet Freedom Foundation. According to Gupta, the pre-existing surveillance powers available under the two Acts do not permit the installation of spyware or the hacking of mobile devices. “Hacking of computer resources, including mobile phones and apps, is, in fact, a criminal offence under the Information Technology Act,” he said.

Also, since Pegasus, the malware which allowed breaking into WhatsApp, is provided only to governments, questions are being raised about the possible involvement of government agencies in an illegal manner. “This raises some extremely disturbing questions about likely illegal hacking by unknown government agencies—or other actors operating in India—and suggests flagrant disregard for the rule of law and contempt for our fundamental right to privacy,” said Gupta.

Experts ask why the government did not act on the alerts provided to it by WhatsApp twice earlier. “WhatsApp acted very responsibly. When it found that the privacy of its users was violated, it informed the government. It got Citizen Lab to investigate the breach. It informed the affected persons and has also sued NSO. However, the narrative that the government is trying to build involves targeting WhatsApp,” said digital rights activist Nikhil Pahwa.

He referred to the ongoing matter in the Supreme Court, wherein the government wants WhatsApp to decrypt messages in matters pertaining to prevention and investigation of crimes. The Centre has said in court that WhatsApp and Facebook cannot come into the country and not facilitate decryption, terming it a penal offence. “The government expects the social media platform to do away with end-to-end encryption and compromise the privacy of people,” said Pahwa.

Lawyer Rodney D. Ryder, who specialises in cyber law, called for legal safeguards to protect against the possibility of the government abusing its power through surveillance agencies. “Therefore, in the absence of legal safeguards against illegal surveillance, the free speech of an average citizen could be compromised and such surveillance without safeguards for citizens is detrimental to democracy,” he said.

According to Ryder, in the present circumstances, citizens have no other option but to file a writ petition against such surveillance. “In the absence of a formal legislation for the protection of personal data, there is no alternative to a writ,” he said.

In its privacy judgment, the Supreme Court had emphasised upon the need to set up a strong data protection regime. It has been two years since the verdict was pronounced, but the government is yet to enact a data protection law.

The Justice B.N. Srikrishna Committee, set up to recommend a data protection framework, had submitted its report in July 2018. It recommended restrictions on the collection and processing of personal data, and said such data should be stored in servers located in India and suggested safeguards against the transfer of data outside India. It also suggested the setting up of a data protection authority that would supervise and regulate authorities and bodies entrusted with the personal data of citizens. Pursuant to the report, the Personal Data Protection Bill was drafted, and the government has said that it will be introduced in the upcoming winter session of Parliament.

“The government has let down the people by delaying the data protection law,” said Jain. “People do care for the privacy and security of their online data, and the WhatsApp breach only goes to underline that a legal framework is urgently needed.”