The government has said that privacy is not a fundamental right. Its new systems will be able to monitor every transaction and communication you make. It even wants to profile your DNA. It’s time to take a stand.
Upar vala sab dekh raha hai (The one above is watching you). An admonition that God is watching everything has now become the tag line in a television commercial for CCTVs.
And it may well replace “Big Brother is watching you” from George Orwell’s 1984, as the definitive line on being under surveillance. There was only one Big Brother in 1984. Today, everyone is being watched by several Big Brothers.
The government is watching you in the name of security, tax evasion, crime prevention and whatever else it may decide upon. Your Aadhaar number may become the gateway for government agencies to access all kinds of information about you. And soon the government may be even reading your emails or monitoring your online chats in real time.
The ubiquitous CCTV will be watching you, whether you are in your apartment complex, your office, walking down a crowded marketplace, in a shopping mall or even, as Human Resource Development Minister Smriti Irani found to her horror, even in the trial room of a clothing store.
Every activity of yours on the internet is known to someone or the other (see the accompanying piece by Prithwis Mukerjee). You are only safe as long as a hacker doesn’t get to the site you presumed secure.
The corporate sector is tracking every purchase you make and gathering information about you, especially if you are a big fan of online shopping. Nothing, absolutely nothing, is private anymore.
“The extent of personal information being held by various service providers, and especially the enhanced potential for convergence that digitization carries with it is a matter that raises issues about privacy,” the report of a Group of Experts on Privacy headed by Justice A.P. Shah said in 2012.
This situation is not unique to India, but what’s worrying is the fact that there is no legal guarantee of privacy (see the accompanying article by J. Sai Deepak). Though courts have, in various judgements, said privacy is a right, the government has argued before the Supreme Court that the Constitution does not confer a fundamental right to privacy. This observation was made in a specific context—the Court was hearing a bunch of petitions against the Aadhaar project—but it was a grim reminder of how serious the privacy challenge is.
The Shah report had noted that the lack of a policy framework on privacy led to “ambiguity over who is allowed to collect data, what data can be collected, what are the rights of the individual, and how the right to privacy will be protected.” Nothing brings this out more than the massive Aadhaar project, launched in 2009 to give every Indian a unique identity number. It involves capturing the biometrics of applicants, making it a foolproof way of authenticating a person’s identity. But with the government linking the Aadhaar number to the provision of various services—welfare benefits, wages—concerns arose that a programme meant to ensure that a benefit meant for one person did not go to another would become a gateway to access all kinds of information about an individual.
The Unique Identity Authority of India (UIIDAI) has always held that Aadhaar does not breach individual privacy in any way—that there are protocols that agencies collecting data from applicants must follow, that the Central Identities Data Repository (where the data is stored) is highly secure with extremely limited access, that it does not share any information or biometrics with even government agencies and it only verifies if the biometrics of a person with an Aadhaar number matches with the records in the CIDR.
The UIDAI did, after all, appeal successfully before the Supreme Court in March 2014 against a Goa court order asking it to give the biometrics of everyone enrolled under Aadhaar in the state to the Central Bureau of Investigation which was investigating a rape case.
The fact that UIDAI does not share any information may, however, not mean very much. The Supreme Court has recently prohibited the compulsory linking of Aadhaar to various transactions and activities, but Aadhaar numbers have already been seeded with bank account numbers, job card numbers, LPG subscriber numbers, and even PAN numbers. So the tracking of some of an individual’s activities becomes possible by several government agencies.
The Aadhaar application form explicitly offered a choice whether to link one’s Aadhaar number to one’s bank accounts, and many applicants decided not to. However, this year, the Income Tax department has demanded that when filing your returns, you have to mention your Aadhaar card number along with all your active bank accounts.
So a promise was made by one department of the government and has been breached by another.
Now your voter’s card is being compulsorily linked to Aadhaar. That is, you will not be able to exercise your franchise unless you have an Aadhaar number! A provision in the National Identity Authority of India (NIAI) Bill giving legal status to the UIDAI allows Aadhaar information to be shared with security agencies.
The NIAI Bill has not been passed yet, but consider what that provision might mean, given the existence of institutions like NATGRID (National Intelligence Grid) which enable sharing of information across 11 agencies involved in intelligence, criminal investigation, tax administration and financial intelligence.
These agencies will have access to 21 databases, including banks, the Securities and Exchange Board of India, telecom service providers, airlines and railways. “The logical linking of information that was once separate now becomes possible,” rues Elennoi Hickok, policy director at the Bengaluru-based Centre for Internet and Society (CIS). A UIDAI document, Approach Document for Aadhaar Seeding in Service Delivery Databases, she notes, raises questions about the claims that the Authority will not be able to access information stored in databases seeded with the Aadhaar number, as the seeding technology appears to allow the Authority—or whoever is running the software—to access all the information that is linked to an Aadhaar number.
It is this phenomenon of “databasing” that has got activists up in arms over a proposed law on DNA profiling. The Human DNA Profiling Bill, which was first drafted in 2007, allows the collection of DNA samples of those who have committed crimes, are suspects in crimes, missing persons, unidentified bodies and a category called “volunteers”. The DNA samples will be stored in a DNA Data Bank, which will maintain an index and, in the case of samples of suspects or offenders, will also keep information about the identity of the person.
Though DNA profiling has been known to hugely help criminal investigations, and the government claims that the Bill only seeks to set standards for laboratories engaged in it, there are concerns about the possible misuse of the Data Bank. That is scary, considering an individual’s DNA profile is far more personal than biometrics.
Sunil Abraham, executive director of CIS, who was part of an Expert Committee for DNA Profiling, pointed out in his dissent note that protocols for sharing of information by managers of the Data Bank were not robust enough. The Bill mentions the need for privacy safeguards, but, Abraham notes leaves the procedures to be developed and implemented by a DNA Profiling Board.
The 26/11 attacks in Mumbai provided the trigger for a raft of initiatives that could entail serious violations of privacy. NATGRID (which has not become fully operational yet) was an essential part of what then Home Minister P. Chidambaram called “the new architecture” of security. It is supposed to help overcome the problem of individual databases with vital information remaining isolated from each other and security agencies.
Work also started on the Crime and Criminal Tracking Network System (CCTNS), which networks police stations across the country and enables information sharing. Once fully operational, a police station in Rajasthan can check on a person in its custody with a police station in Tamil Nadu.
Far more Orwellian is the centralised monitoring system (CMS), a part of C-DOT, which will allow the government to not only listen into phone calls but also monitor e-mails, web chats and SMS, among other things.
Interestingly, the CMS was conceived in the wake of the leak of the Niira Radia tapes. Earlier, private telecom firms enabled tapping of phone calls of subscribers on a written request from the government. That, says former Union home secretary G.K. Pillai, compromised confidentiality and increased the chances of the person under surveillance being tipped off. The government also came to know of instances where junior police officials misused an emergency provision that allowed phones to be tapped for seven days without authorisation by the relevant authorities—they got private companies to tap phones for six days at a time.
The CMS bypasses private companies and keeps the surveillance within the government’s control. The unified access service (UAS) licence agreement for telecom companies was amended in 2013 to mandate that companies will provide access to their networks to regional monitoring centres of CMS. This way, says Pillai, private telecom operators have no way of knowing whose phone is being tapped.
That does not impress privacy activists. “The surveillance regime can become more opaque with systems like CMS if an accountability mechanism is not incorporated,” says Hickok, and points out that systems like NATGRID will allow for mass surveillance if necessary safeguards and oversight mechanisms are not put in place.
Pillai, who was Home Secretary when many of these initiatives were taken, dismisses these concerns. At any time, the Union Home Secretary will not be authorizing tapping of more than 5,000 phones, he says. There may be more in the case of the states, but this will be nowhere close to the 1 billion phones being tapped in western countries. Neither NATGRID nor CMS (which is also not fully operational) will be fishing expeditions, where individuals are monitored on a random basis, he assures.
The Indian system, he says, is nowhere close to what happens in the United States were interception is based on sophisticated algorithms that trigger off warnings on the use of certain words or phrases. “Indian surveillance is targeted, not mass,” he insists.
Pillai also points out that surveillance protocols in line with Supreme Court directives on phone tapping are in place and that requests have to be authorised by very senior officials. But the 2013 Snoopgate controversy around the surveillance of a young woman in Gujarat puts a question mark over his assurance. People in the seniormost ranks of administration knew about the surveillance.
Security has become an unchallenged excuse for the proliferation of CCTV cameras, which have become ubiquitous not just in public places but also in housing complexes and gated communities, with the active encouragement of the police. The installation of 15 lakh CCTV cameras across Delhi figured in the election manifesto of the Aam Aadmi Party, which now runs the Delhi government.
Unfortunately, as the Shah report noted, there are no protocols followed while installing these cameras nor is there clarity on who can see the footage or how it is stored. “This not only creates the potential for a violation of privacy to take place through the misuse of recording devices or the misuse of recorded information, but also creates a situation where the individual is not aware that his/her privacy was violated,” the report noted.
Indeed, some years back, footage from the Delhi Metro’s CCTV cameras showing young couples canoodling at metro stations and in trains got leaked and went viral on the internet. Janaki Krishnan, who lives in a gated community in Delhi, finds the passive acceptance of CCTVs unsettling. She found herself completely isolated when she questioned the residents’ welfare association on the placement of cameras and protested about a proposal to link them to the internet so that any resident could see what was going on in the complex.
The fight against black money is also becoming another source of invasion of privacy. The PAN has become the financial equivalent of Aadhaar—the gateway for information about all financial transactions of an individual.
High-value transactions have been under the taxman’s radar since 2005 when the Annual Information Return (AIR) was introduced. Banks, credit card companies, mutual funds, companies issuing rights issues are among those who have to report transactions above a certain threshold to the tax authorities. A credit card company reporting one major transaction to the tax authorities could trigger an examination of all transactions on the card. Jewellers and consumer durables retailers now have to take PAN details from customers paying more than Rs 50,000 in cash.
Tapping of phones of suspected income tax evaders is allowed and a proposal some years back to disallow this because tax evasion is not a security threat came to nought. With CMS kicking in by the end of the year, discussing ways to avoid taxes with your chartered accountant even over your mobile phone could become risky.
Tax authorities are now going beyond phone taps. Early in August, the Delhi government’s trade and taxes department raided a popular milkshake joint for under-reporting daily sales and evading tax. The department used spy cameras to nail the outlet. Whether such tapes can be used in court is debatable, but the use of such invasive techniques is a source of worry.
But it is not the government alone that is violating your privacy.
With people increasingly shopping at multibrand retail chains, signing up for membership/discount cards and providing their mobile numbers and email addresses, it is easy to build up a customer profile for most people. Prithwis Mukerjee, professor at Praxis Business School, says companies in India don’t have the wherewithal to process mountains of data, but the danger of information leaks is constantly lurking in the background. Telecom, credit card and insurance companies may insist they have strict privacy protocols in place, but there has been, for years, a booming market in the databases of their customers.
Far more worrying is the complete invasion of privacy of individuals by other individuals. Cellphone cameras, hidden cameras and recording devices have ensured that there can be no private moments anywhere, another issue the Shah report flagged.
The market for surveillance devices is no longer surreptitious or hard to access. There have been many instances of women in trial rooms finding phones with cameras set in recording mode secretly filming them. Honeymooning couples have been filmed in hotel rooms and paying guest accommodation owners have been known to have filmed their young female tenants. Member of Parliament Vijay Darda introduced a private member’s bill, The Mobile Camera Phone Users (Code of Conduct) Bill in 2006 but, like all private members’ bills, it never got passed.
All this only strengthens the case for a constitutional guarantee of privacy or at least a privacy law. “The reason we need a legislation is that there are serious problems involved in jurisprudence developing on its own through multiple judgements in multiple courts. The cost of litigation would be reduced if there is clarity in codified legislation,” says lawyer J. Sai Deepak. “ Privacy law will enhance the privacy of citizens by making both private and public sectors more accountable for the collection and use of data,” says Hickok.
The UPA government had worked on privacy law but the Bill never made it to Parliament. News reports say that the current government is refining that law, but there is no confirmation of this.
It looks like a more relevant line from 1984 for these times will be: “If you want to keep a secret, you must also hide it from yourself.”
The Courts and Privacy
- 1964 In a case relating to the police visiting a man’s home repeatedly to determine his whereabouts, a majority bench of the Supreme Court said the right of privacy is not a guaranteed right under the Constitution and the police action is not an infringement of a fundamental right. Two judges differed and one said: “It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.” • 1975 In another case related to police action, the Supreme Court said that many of the fundamental rights of citizens can be described as contributing to the right to privacy. But it also said that this right was not an absolute one and could be curtailed by the State if it could establish a “compelling public interest” to do so.
- 1994 The Supreme Court had to decide a case where the right to privacy was poised against the right to free speech in a matter related to the autobiography of a death row convict. The Court said that the right to privacy is implicit in the right to life and liberty guaranteed under Article 21 of the Constitution. But it also said that once a matter becomes public knowledge, the right to privacy did not apply.
- 1997 Hearing a case against telephone tapping, the Supreme Court said that the practice was a serious invasion of an individual’s privacy and would violate Article 21. However, it recognized that the State may need to resort to it and set out mechanisms to limit its misuse.
- 1999 In a case related to a blood donor’s right to privacy of his medical records, the Supreme Court said that while medical records were, indeed, private, doctors and hospitals could make an exception in some cases where non-disclosure could endanger someone else’s life.
- 2005 The Supreme Court said a provision in the AP Stamps Act giving certain search and seizure powers to revenue authorities was unconstitutional. The case related to the privacy of a customer’s records stored in a bank. The Court said that the concept of privacy related to the citizen and not the place and financial records would be considered private even if they were stored in a bank and not an individual’s home.
- 2011 In the famous Section 277 ruling relating to decriminalising of same sex relations, the Delhi High Court said the State could intrude on the right to privacy of a citizen’s sexual relations, protected under Article 21, only if it could establish a compelling interest for such interference. Since the State was not able to establish this, the High Court “read down” Section 377 of the Indian Penal Code that criminalised gay sex.
(Information taken from the Report of the Group of Experts on Privacy, 2012)