India is gradually opening up to the threat of mass surveillance and cyber snooping by the state as well as rogue actors, as modern technology makes its way into the country in a landscape of weak privacy laws.
A report by foreign policy think tank Carnegie Endowment for International Peace (CEIP) has said India is among 75 countries in the world with access to modern AI surveillance technology— putting it in the same list as China, Russia and Saudi Arabia. The study was published in September.
“Many governments in the Gulf, East Asia, and South/Central Asia are procuring advanced analytic systems, facial recognition cameras, and sophisticated monitoring capabilities,” said Steven Feldstein, a Carnegie Endowment fellow and the author of the report.
These systems are used to surveil citizens “to accomplish a range of policy objectives—some lawful, others that violate human rights, and many of which fall into a murky middle ground,” he said, without detailing their use in specific countries.
Governments in autocratic and semi-autocratic countries are more prone to abuse AI surveillance than governments in liberal democracies, the report noted. Some autocratic governments like those in China, Russia, Saudi Arabia are exploiting AI technology for mass surveillance, while others with dismal human rights records are using it to reinforce repression.
On the technology front, the capabilities are strong. Modern systems can create 360-degree profiles of citizens by stitching together data from street cameras, card transactions and social media profiles. These systems can snoop on private interactions on the smartphone and monitor real-time location of the target.
According to the report, the biggest supplier of AI surveillance solutions is China with Huawei being the biggest exporter. (See chart)
India is still far from being a victim of mass state-sponsored snooping but concerns loom over some new-age technology systems being implemented.
To be sure, not all the technologies are used for illegitimate purposes —cameras on streets prevent traffic violations, while facial recognition entry-management systems are common-place at offices for their sheer ease. A lot of advanced tech is being deployed as part of the government’s Smart City project for sewer management to reducing traffic congestion.
The concern, however, is whether the data collected is used for purposes intended, and — given absence of strong regulatory over-sight — who is going to pull up the violators if it is not.
So, when the Telangana government in 2018 deployed Samagra Vedika, a highly-sophisticated citizens directory, there was backlash from public and privacy activists calling it akin to snooping.
Now in use, the software allows the state to verify and check citizen’s data from 25 different government departments, forming a mega cross-sectional profile of a citizen.
It certainly puts immense powers in the hands of the authorities, but bigger worries are misuse by rogue actors within the system, like profiling voters and whether the data is adequately safeguarded.
Take the recent WhatsApp-Pegasus expose for instance, where it was revealed that 121 WhatsApp users in India, including activists and journalists, were targeted using the Israeli snooping malware. It is not clear who initiated these attacks, however, the government did not definitively deny never having used Pegasus in a parliamentary discussion last week.
At national level, efforts to form a unified repository of citizen data have been foiled on two occasions.
In April 2018, the information and broadcasting ministry had invited proposals to develop a system to monitor social media posts of citizens, including ‘emails’ and ‘historical communications’, to gauge public opinions about government policies, and create a ‘360-degree view of people.’
Two months later, after reviewing a barrage of petitions, the Supreme Court (SC) advised the government to shelve the plan. “If the government starts tapping WhatsApp messages, we will be moving towards becoming a surveillance state,” Justice Chandrachud had said at the time.
Further, in September 2018, the apex court ruled that Aadhaar was not mandatory for banking and other corporate services, thus reducing the risk of the unique identification number potentially becoming a one-stop snooping tool.
As per law, state surveillance is permitted under Indian Information Technology Act 2000, or IT Act, which says that ‘competent agencies’ can intercept data on any ‘computer system’ with the approval of the home department.
In December 2018, the government widened the scope by giving 10 agencies the power to snoop (within the ambit of IT law).
These include Intelligence Bureau (IB), Narcotics Control Bureau, Enforcement Directorate (ED), Central Board of Direct Taxes (CBDT), Directorate of Revenue Intelligence;, Central Bureau of Investigation (CBI), National Investigation Agency Cabinet Secretariat (RAW), Directorate of Signal Intelligence (for service areas of Jammu & Kashmir, North-East and Assam only), and Delhi Police.
While the rules lay down cases where data interception is permitted along with formal procedures for the same, wide-ranging powers go against the fundamental right to privacy, some argue. In August 2017, the SC declared the right to privacy as a fundamental right of a citizen, and incorporated it under Article 21 and Part III of the constitution. Even as right to privacy has been declared a fundamental right, India does not have a personal data protection law yet.