Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

III. Surveillance policies

In general, all communications are presumed to be entitled to privacy. Thus, all laws in India dealing with mediums of inter-personal communication - post, telegraph and telephony and email - contain sections prohibiting the unlawful interception of communication.1 However, each of these laws also contains analogously worded provisions permitting interception by the State under specified conditions.

Interception

Section 26 of the India Post Office Act 1898 confers powers of interception of postal articles for the 'public good'. According to this section, this power may be invoked "On the occurrence of any public emergency, or in the interest of the public safety or tranquility". The section further clarifies that "a certificate from the State or Central Government" would be conclusive proof as to the existence of a public emergency or interest of public safety or tranquility.

Similarly, Section 5(2) of the Telegraph Act 1885 authorizes the interception of any message:

a) On the occurrence of any public emergency, or in the interest of the public safety; and

b) if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence.

Thus, the events that trigger an action of interception are the occurrence of any 'public emergency'or in the interests of 'public safety'.  Most recently, Section 69 of the Information Technology Act 2008 contains a more expanded power of interception which may be exercised "when they [the authorised officers] are satisfied that it is necessary or expedient" to do so in the interest of:

a) The sovereignty or integrity of India;

b) defense of India;

c) security of the State;

d) friendly relations with foreign States;

e) public order;

f) preventing incitement to the commission of any cognizable offence relating to above; or

g) for investigation of any offence.

From a bare reading of these sections, there appears to be a gradual loosening of standards from the Post Office Act to the latest Information Technology Act. The Post Office Act requires the existence of a 'state of public emergency' or a 'threat to public safety and tranquility' as a precursor to exercising the power of interception. This requirement is continued in the Telegraph Act with the addition of a few more conditions, such as expediency in the interests of sovereignty. Under the most recent IT Act, the requirement of a public emergency or a threat to public safety is dispensed with entirely - here, the Government may intercept merely if it feels it 'necessary or expedient' to do so.

In Hukam Chand Shyam Lal vs. Union of India and Others2, the Supreme Court was required to interpret the meaning of 'public emergency'. Here the court was required to consider whether disconnection of a telephone could be ordered due to an 'economic emergency'. The Government of Delhi had ordered the disconnection of the petitioner's telephones due to their alleged involvement, through the use of telephones, in the (then forbidden) practice of forward trading in agricultural commodities. According to the government, this constituted an 'economic emergency' due to the escalating prices of food. Declining this contention, the Supreme Court held that a 'public emergency' within the contemplation of this section is one which raises problems concerning the interest of the public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or the prevention of incitement to the commission of an offence. Economic emergency is not one of those matters expressly mentioned in the statute. Mere 'economic emergency' - as the High Court calls it - may not necessarily amount to a 'public emergency' and justify action under this section unless it raises problems relating to the matters indicated in the section.

In addition, the other qualifying term, 'public safety', was interpreted in an early case by the Supreme Court to mean "security of the public or their freedom from danger. In that sense, anything which tends to prevent dangers to public health may also be regarded as securing public safety. The meaning of the expression must, however, vary according to the context."3

Another, relatively more recent elaboration of these terms occurs in the case of PUCL vs. Union of India4. Here the Court observed:

"Public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large calling for immediate action. The expression 'public safety' means the state or condition of freedom from danger or risk for the people at large. When either of these two conditions are not in existence, the Central Government or a State Government or the authorised officer cannot resort to telephone tapping even though there is satisfaction that it is necessary or expedient so to do in the interests of it sovereignty and integrity of India etc. In other words, even if the Central Government is satisfied that it is necessary or expedient so to do in the interest of the sovereignty and integrity of India or the security of the State or friendly relations with sovereign States or in public order or for preventing incitement to the commission of an offence, it cannot intercept the message, or resort to telephone tapping unless a public emergency has occurred or the interest of public safety or the existence of the interest of public safety requires. Neither the occurrence of public emergency nor the interest of public safety are secretive conditions or situations. Either of the situations would be apparent to a reasonable person."

Thus the phrases 'public emergency'and 'public safety' do provide some legal buffer before the Government may impinge on our privacy in the case of post and telecommunications. In a sense, they operate both as limits on our privacy as well as limits on the government's ability to impinge on our privacy - since the government must demonstrate their existence to the satisfaction of the court, failing which their actions would be illegal.

However, as mentioned, even these requirements have been dispensed with in the case of electronic communications falling under the purview of the Information Technology Act where sweeping powers of interception have been provided extending from matters affecting the sovereignty of the nation, to the more mundane "investigation of any offence".  Paradoxically, it would appear from the foregoing discussion that the two colonial legislations are more attentive to the safeguarding of privacy than the more post-independence one. In the next sections, we take a closer look at the separate surveillance and interception regimes under the Telegraph Act (governing most telephony) and the Information Technology Act (governing most electronic communications).

Telegraph Act 1885

In February 2011, Reliance Communications, a large telecom service provider, disclosed to the Supreme Court that over a hundred and fifty thousand telephones had been tapped by it between 2006 and 2010 - almost 30,000 a year. A majority of these interceptions were conducted based on orders issued from state police departments whose legal authority to issue them is suspect. New rules framed under the Telegraph Act in 2007 required such orders to be issued only by a high-ranking Secretary in the Department/Ministry of Home Affairs.5  In this section we look at the regime of interception under the Telegraph Act and licenses issued under it.

First enacted in 1885, the Telegraph Act remains today on the statute books as the umbrella legislation governing most forms of electronic communications in India including telephones, faxes and the internet. The Act contains several provisions which regulate and prohibit the unauthorized interception or tampering with messages sent over "telegraphs"6. The following sections apply:

1)         Section 5 empowers the Government to take possession of licensed telegraphs and to order interception of messages in cases of 'public emergency'or "in the interest of the public safety". Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government.  The officer must be satisfied that "it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence"7

2)         Section 23 imposes a fine of 500 rupees on anyone who enters a telegraph office without proper authorization.

3)         Section 24 makes it a criminal offence for a person to enter a telegraph office "with the intent of unlawfully learning the contents of any message". Such a person may be punished with imprisonment for a term of up to a year.

4)         Section 25 further imposes a criminal penalty on anyone who damages or tampers with any telegraph with the intent to prevent the transmission of messages or to acquaint himself with the contents of any message or to commit mischief. Punishment in this case could extend to 3 years imprisonment or a fine or both.

5)         Section 26 makes it an offence for a Telegraph Officer to alter, unlawfully disclose or acquaint himself with the content of any message. This is also punishable with up to 3 years imprisonment or a fine or both.

6)         Section 30 criminalizes the fraudulent retention or willful detention of a message which is intended for someone else. Punishment extends to 2 years imprisonment or fine or both.

Although the statutory provisions themselves govern the actions of telecom operators in a general way, more detailed guidelines regulating their behavior are contained in the terms of the licenses issued to them which permit them to conduct business.8. Frequently, these licenses contain clauses requiring telecom operators to safeguard the privacy of their consumers. The following examples are apposite:

National Long Distance License: Clause 21 of the National Long Distance License9 comprehensively covers various aspects of privacy including:

1)    Licensees to be responsible for the protection of privacy of communication, and to ensure that the unauthorised interception of messages does not take place.

2)    Licensees to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service, and to use their best endeavours to secure that:

a.    No person acting on behalf of the licensees or the licensees themselves divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and

b.    No such person seeks such information other than is necessary for the purpose of providing service to the Third Party.

3)    The above safeguard however does not apply where:

a.    The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or

b.     The information is already open to the public and otherwise known.

4)    The Licensees shall take necessary steps to ensure that they and any person(s) acting on their behalf observe confidentiality of customer information.

Unified Access Service License/ Cellular Mobile Telephone Service License: Clause 39.2 of the Unified Access Service License and Clause 42.2 of the Cellular Mobile Telephone Service License enjoin the licensee to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business to whom it provides the service. The Licensee is required to use its best endeavors to secure that no person acting on behalf of the licensee or the licensee divulges or uses any such information except as may be necessary in the course of providing such service to the third party.

Internet Services Licence Agreement: The Internet Services License Agreement (which authorizes ISPs to function in India) contains provisions requiring telecom operators to safeguard the privacy of their consumers or to co-operate with government agencies when required to do so. Some of the important clauses in this agreement are:

1)         Part VI of the License Agreement gives the Government the right to inspect and monitor the ISPs systems. The ISP is responsible for making facilities available for such interception.

2)         Clause 32 under Part VI contains provisions mandating the confidentiality of information held by ISPs. These provisions hold ISPs responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place. Towards this, ISPs are required:

a.      to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide services and from whom they have acquired such information by virtue of those services; and

b.      to ensure that no person acting on behalf of the ISPs divulges or uses any such information except as may be necessary in the course of providing such services to the third party.

c.      This safeguard however does not apply where:

                                               i.     The information relates to a specific party, and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or

                                             ii.      The information is already open to the public and otherwise known.

d.      To take necessary steps to ensure that any person(s) acting on their behalf observe confidentiality of customer information.

3)         Clause 33.4 makes it the responsibility of the ISP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.

4)         Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http, etc.). The ISPs must also log every outward login or telnet through their computers. These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in real time to the Telecom Authority. The clause forbids logins where the identity of the logged-in user is not known.

5)         Clauses 34.12 and 34.13 require  the ISP to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities.

6)         Clause 34.16 requires the ISP to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.

7)         Clause 34.22 makes it mandatory for the Licensee to make available "details of the subscribers using the service" to the Government or its representatives "at any prescribed instant".

8)         Clause 34.23 mandates that the ISP maintain "all commercial records with regard to the communications exchanged on the network" for a period of "at least one year for scrutiny by the licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor".

9)         Clause 34.28 (viii) forbids the ISP from transferring the following information to any person or place outside India:

a.      Any accounting information relating to subscribers (except for international roaming and billing) (N.B.: it does not restrict a statutorily required disclosure of financial nature) ; and

b.      User information (except pertaining to foreign subscribers using an Indian operator's network while roaming).

10)      Clauses 34.28(ix) and (x) require the ISP to provide the traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.

11)      Clause 34.28(xix) stipulates that "in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories".  (It is unclear whether this is to operate as an overriding provision governing all other clauses as well).

From the list above, it is very clear that by the terms of their licenses, ISPs are required to maintain extensive logs of user activity for unspecified periods. However, it is unclear, in practice, to what extent these requirements are being followed by ISPs. For instance, an article in the Economic Times in December 201010 reports:

"The Intelligence Bureau wants internet service providers, or ISPs, to keep a record of all online activities of customers for a minimum of six months. Currently, mobile phone companies and internet service providers do not keep online logs that track the web usage pattern of their customers. They selectively monitor online activities of only those customers as required by intelligence and security agencies, explained an executive with a telecom company."

The same news report quotes Rajesh Chharia, President of the Internet Service Providers' Association of India, as saying "at present, we only keep a log of all our customers' Internet Protocol address, which is the digital address of a customer's internet connection."

The news report goes on to disclose the ambitious plans of the Intelligence Bureau to "put in place a system that can uniquely identify any person using the internet across the country" through "a technology platform where users will have to mandatorily submit some form of an online identification or password to access the internet every time they go online, irrespective of the service provider." Worryingly, the report goes on to discuss the setting up by the telecommunications department of "India's indigenously-built Centralised Monitoring System (CMS), which can track all communication traffic - wireless and fixed line, satellite, internet, e-mails and voice over internet protocol (VoIP) calls - and gather intelligence inputs. The centralised system, modelled on similar set-ups in several Western countries, aims to be a one-stop solution as against the current practice of running several decentralised monitoring agencies under various ministries, where each one has contrasting processing systems, technology platforms and clearance levels." Although the CMS is not yet fully functional, its launch seems to be imminent and will inaugurate with it an era of constant and continuous surveillance of all internet users.

The Information Technology Act 2000

There are two regimes of interception and monitoring information under separate sections the Information Technology Act. Both would seem capable of authorising access of IP Addresses, among other information to government agencies.

Section 69 deals with "Power to issue directions for interception or monitoring or decryption of any information through any computer resource". In addition, the Government has been given a more generalised monitoring power under Section 69B to "monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource". This monitoring power may be used to aid a range of "purposes related to cyber security"11. 'Traffic data' has been defined in the section to mean "any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted."

Rules have been issued by the Central Government under both these sections.12 These rules stipulate the manner in which the powers conferred by the sections may be exercised. The rules framed under Section 69 and Section 69B contain important safeguards stipulating, inter alia, to:

a) Who may issue directions of interception and monitoring;

b) How are the directions to be executed;

c) The duration they remain in operation;

d) To whom data may be disclosed;

e) Confidentiality obligations of intermediaries;

f) Periodic oversight of interception directions by a Review Committee under the Telegraph Act;

g) maintenance of records of interception by intermediaries; and

h) Mandatory destruction of information in appropriate cases. 

The important difference between the two sections is that while Section 69 provides a mechanism whereby specific computer resources can be monitored in order to learn the contents of communications that pass through such resource, Section 69B by contrast provides a mechanism for obtaining 'meta-data' about all communications transacted using a computer resource over a period of time - their sources, destinations, routes, duration, time etc without actually learning the content of the messages involved. The latter type of monitoring is specifically in order to combat threats to 'cyber security', while the former can be invoked for a number of purposes such as the securing of public order and criminal investigation.13

However, this distinction is not very sharp " an interception order under Section 69 directed at a computer resource located in an ISP can yield traffic data in addition to the content of all communications. Thus for instance, if a direction was passed ordering an ISP to intercept "all communications sent or received by Prashant Iyengar", the information obtained by such interception would include a resume of all emails exchanged, websites visited, files downloaded etc. In such a case, a separate order under Section 69B would be unnecessary. An important clue about their relative importance may lie in the different purposes for which each section may be invoked coupled with the fact that while directions under Section 69 can be issued by officers both at the central and state level, directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology.14 This indicates that the collection of traffic data by the government under Section 69B is intended to facilitate the securing of India's "cyber security" from possible external threats " a Defence function " while the interception powers under Section 69 are to be exercised for more domestic purposes as aids to Police functions.

Although these sections provide powerful tools of surveillance in the hands of the state, these powers may only be exercised by observing the rather tedious procedures laid down. In the absence of any systematic data on interception orders,  it is unclear to what extent these powers are in fact being used in the manner laid down.

Data Retention

Section 67C of the Information Technology Act requires 'intermediaries' to maintain and preserve certain information under their control for durations. Both the categories of information and the duration of their retention are to be specified in rules to be notified by the Central Government. Failure by an intermediary to retain such electronic records is punishable with imprisonment up to three years and a fine [Sec 67C(2)].

With the exception of cyber cafes, no rules have yet been framed under this section to specify the kinds of information and the duration for which such information must be retained by intermediaries.

An 'intermediary' has been defined very expansively under section 2(w) of the Act to mean, with respect to any electronic record, "any person who on behalf of another person receives, stores or transmits that record, or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, webhosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes". It is evident, on a plain reading, that this definition includes virtually any node through which "electronic records"15 may be transferred.

The pre-independence Destruction of Records Act 1917 empowers the appropriate Government - Central or State - to determine the schedule for destruction of records with respect to all public authorities within their purview. It also empowers the High Court to determine the retention schedule for all courts subordinate to it. Rules framed under the Act provide for destruction of records by various functionaries including, for instance, the bodies under the Companies Act including the Registrar of Companies16, the Company Law Board17 and the Office of the Public Trustee.18 

Several government organisations have their own internal 'destruction schedule'. For instance, the Central Vigilance Commission has an elaborate schedule of shredding according to which the organisation shreds some of its data periodically, while retaining other data permanently.19

In addition several statutory instruments contain data retention provisions appropriate to their context - for instance, Rule 33 of the Registration of Electors Rules 1960 requires all records relating to the preparation of electoral rolls to be kept by the registration officer for a period of a year following the publication of the rolls. These records must be shredded upon the completion of that period.20

Rule 6F of the Income Tax Rules require specified professionals21 to preserve their books of accounts for a period of 6 years after the assessment year.22

Rules framed under the Companies Act 1956 require all Indian Companies to preserve certain records permanently, and permit other records to be destroyed according to a varying schedule, depending on the type of document, from 8 to 15 years. A record of documents destroyed is also to be maintained under these Rules.23

Visual surveillance

According to a number of market research reports, Asia, and within Asia, India is poised to be one of the biggest markets for surveillance technology in the world. The video surveillance market in India grew by 24.5% in 2010 and amassed revenues of $135 million. IP surveillance systems accounted for almost 28% of the overall value of the surveillance industry.24The volatile security environment in the country is one reason many attribute to this growth. One research observes that "increasing terrorist activities and attacks have created strong demand for advanced safety and security solutions. As a result, the CCTV market in India is anticipated to grow at a CAGR of more than 30% between 2010 and 2013."25

In May 2008, Japan-based CBC Co. Ltd., a major manufacturer of CCTVs, announced plans to set up a production facility in India through which it hoped to sell "50,000 units of CCTVs every year to be set up across retail malls, real estate projects, industrial houses and government aided infrastructure projects such as subways, highways, heavy traffic zones such as railways stations, airports (Mumbai airport) and huge commercial buildings".26 This suggests both the aggressive growth of the market for CCTVs in India, and the range of potential customers for these products.

Aside from industry reports of these kinds, this growth of CCTV technology is verifiable anecdotally, through media reports and through the quotidian experience of living in any of India's cities and towns. Both the government and private businesses have enthusiastically embraced CCTV technology and they have, in a relatively short time, attained near-ubiquity as municipal corporations, police departments, airports, banks, schools, supermarkets and malls increasingly scramble to install their own private networks of surveillance.

The Delhi International Airport reportedly has the "largest single installation of an IP video system anywhere in Asia" with more than 3700 IP Surveillance cameras piping video feeds into the airport's Operation Control Centre. The OCC reportedly boasts the biggest video wall in Asia. "The 32 x 16 foot wall holds twenty-eight 70-inch screens that display the information inputs from all the airport departments through live camera feeds. Each screen can display up to 25 multiple camera images, providing the AOCC with the capacity to display 700 images at one time."27 In October 2011, the village of Budania in Rajasthan decided to install twenty CCTVs in their administrative offices and provide live feeds over the internet in a bid to enhance transparency.28 More than any real assistance to the airport police that such an aggregation of images may provide, or any actual boost in transparency that the CCTV's in Budania might achieve, these two installations are a testament to India's deep enamor of video surveillance technology.

The police in a number of Indian cities have issued directions requiring public places such as theatres, hotels, guest-houses, colleges, jewellery shops, cyber cafes, malls and departmental stores to install CCTV cameras. An incomplete inventory of such cities includes Mumbai29, Surat30, Junagadh31, Jaipur32, Ludhiana33, Hyderabad34, Bangalore35, New Delhi36, Chandigarh37, Gurgaon38, Mohali39, Mysore40, Vadodara41, Kolkata42, Patna43 etc. The Pune Municipal Corporation even decided to amend its building development laws to require 'shopping malls, markets, religious structures, hotels, important tourist attractions, exclusive business buildings, historical buildings and the offices of government and semi-government organisations to install CCTV cameras'44

So, a vast apparatus of private surveillance already exists in readiness for the police and other investigative apparatus to tap into. The city of Chennai for instance, reportedly has about 8000 CCTV cameras installed by shops, malls, hospitals and other commercial establishments.45 Likewise, the Haryana Government is reportedly planning to interlink some 1000 of its own cameras with nearly "20,000 cameras already installed at malls, BPOs, headquarters of multinational companies and markets."46

Private institutions and associations have, even absent any pressure from police departments, begun installing CCTV surveillance networks of their own. In January 2011, residents of a colony in Gurgaon resolved to install "300 hi-tech CCTV cameras in the colony" According to the scheme, the footage "would be stored in hi-tech gadgets for ten days and would be accessible through the Internet."47 Diamond Merchants in Surat announced that they would set up a network of 5000 surveillance cameras "linked to the internet" in three prominent market areas.48 The Bangalore Jewellers Association decided to impose a fine on all its members who did not have CCTV cameras on their premises.49 In response to a survey, women commuters on Mumbai's suburban railway network requested the installation of CCTV cameras inside railway coaches.50 A number of schools and colleges51 across the country have installed surveillance camera systems of their own volition for a variety of disciplinary and security reasons. In a tragic incident, a girl committed suicide after she was reprimanded by her college chairman who caught her on CCTV 'sitting beside a boy and chatting with him'.52

This move towards surveillance of academic spaces has not been without demur. In May 2010, association of teachers at the Aligarh Muslim University demanded removal of the 70-odd CCTV cameras installed at the campus, on grounds of "unacceptable encroachment into their privacy.53 Months later, a student of the institution was suspended for spearheading student protests against the move.54 In September 2010, students of Jadavpur University in Kolkata resisted a move to install CCTV cameras on the university premises.55

The police in a number of cities have announced ambitious (and expensive) plans of installing city wide networks of surveillance cameras under their own control:          

1.    In April 2011, the Delhi Police announced plans of augment its existing CCTV surveillance network by adding a further 1045 cameras to the existing stock of 206 cameras (of which 98 were not functional).56

2.    In June 2011, the city police of Surat announced the installation of 70 CCTVs to monitor roads.57

3.    In July 2011, in the wake of terrorist attacks in Mumbai, several cities decided to install or upgrade their CCTV surveillance networks. The Maharashtra Government announced that it had plans of installing over 5000 cameras - over the 400 existing ones58 - across the city of Mumbai to meet its security requirements. This figure is inclusive of private security cameras which the police would have access to.59 The Chennai police, likewise, announced that they planned to install an additional 5000 CCTV cameras in the city.60 The same month, the city police of Ahmedabad announced that it was setting up 300 advanced IP surveillance cameras in popular spots across the city61 and the city of Allahabad announced video surveillance in 49 locations.62 The city of Hyderabad which already had about 225 cameras installed across the city, made a requisition for an additional 600 cameras in the wake of the blasts.63

Many popular tourist spots in the country are covered by extensive CCTV surveillance, for instance, the Taj Mahal64, Mecca Masjid at Hyderabad65, Eliots" Beach in Chennai66 Nellaiyappar-Gandhimathi Ambal Temple in Tirunelveli67 Rameswaram Temple68, etc

Apart from providing security against terrorists, CCTVs have been deployed for some years in various cities by traffic police as a routine aid to identifying and apprehending those who violate traffic rules.69 In many of these cases, the technology includes or is proposed to include automatic recognition of number plates.70

As an aid to police investigation and to curb traffic violations, CCTV technology has proven invaluable in hundreds of cases across the country. Vindicatory accounts of the use of CCTV technology to apprehend criminals are reported enthusiastically by newspapers and news channels almost on a daily basis. From solving heinous crimes like rape71 and murder72, to relatively less serious crimes such as thefts (by far the most numerous of these accounts)73, traffic rule violations74 and instances of everyday shoplifting75, CCTV footage have become a vital input into the forensic apparatus of law enforcement authorities in India. Even where CCTV footage is unavailable at the actual scene of the crime, the police have sought and analysed CCTV footage from the vicinity in a bid to piece together clues.

However, equally numerous accounts appear frequently in the press about the impotence of video surveillance. In a revealing disclosure, the Delhi Police in October 2010 revealed that they had solved only one case in the previous three years by using CCTV footage.76 Frequently, cameras are found to be dysfunctional or missing within a short period of their installation. Examples of this abound.77 Thus, for instance,

1.    Barely months after they were installed with much fanfare, 13 of the 23 surveillance cameras installed at the Mecca Masjid in Hyderabad were reported not to be functional.78

2.    In 2008, in an embarrassing incident, 16 surveillance cameras were stolen from the Taj Mahal.79 After they had been replaced, in December 2010, it was reported that all of the CCTVs in the Taj Mahal had stopped working due to a "virus attack" on their computer systems. The district administration and the police department were apparently in disagreement as to who bore the burden of their maintenance.

3.    In March 2011, it was reported that out of the 70-odd CCTV cameras installed in the city of Pune under its Rs. 17 crore "intelligent traffic system" launched the previous year for effective traffic management, only half were still functional. The remaining were being used, not for traffic management, but "primarily for monitoring garbage vehicles, garbage depot, octroi posts and water works".    80

4.    In April 2011, the Minister for Home Affairs admitted in Parliament that of the 206 CCTV cameras installed at a cost of Rs 75 crore in New Delhi, "98 were not were in a working state".81

Even where the cameras are functional, in several cases, the video quality is too poor or indistinct to be of any assistance to law enforcement authorities.82 In September 2009, ahead of the Commonwealth Games, the Delhi Police complained that "a majority of the 3,000 plus cameras installed at various stadia and venues and connected to Delhi Police central command, communication integrated control room " to keep a hawk-eyed vigil seem to be ''out of focus''."83

In other cases, those in charge of CCTV cameras have been negligent either by not switching them on,84 or in maintaining backups for reasonable periods. In many cases, cameras have been installed by the police "without recording facility"85 or without networking them to a central office.86

Despite the proliferation of CCTVs, as evident from the foregoing account, there are no laws that govern their deployment or use in India " either by the government or in the private sector. The closest applicable law concerns electronic voyeurism and is contained in Section 66E of the IT Act which penalizes the "capturing, publishing and transmission" of images of the "private area"87 of any person without their consent, "under circumstances violating the privacy" of that person. This last phrase has been explained as meaning "circumstances in which a person can have a reasonable expectation that (i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured or (ii) any part of his or her private area would not be visible to the public regardless of whether that person is in a public or private place".88 This offence is punishable with imprisonment of up to three years or with a fine of up to Rs. Two lakh rupees or both.

Although India currently does not have the roughly 1.85 million CCTVs that Britain reportedly has,89 it is making rapid, unthinking strides to make up the shortfall. Certainly the CCTV industry is gearing up to provision the government, should it choose to embark on this course, for a program of total surveillance. Nor is there a dearth in demand for this surveillance " as indicated above, there is general consensus among the public of both the desirability and utility of CCTV cameras in preventing crime and particularly in forestalling terrorism. Over the past few years, each successive terrorist attack incident has fuelled a new round of frenzied CCTV purchase by the government under the censorious gaze of the media. In their portrayal of the absence of CCTV cameras as a lack of serious commitment to security, and by providing mesmerising accounts of the state's plans to install hundreds and thousands of such cameras, the media have played a catalyst role in this march towards a surveillance-state that India has currently begun.

  

The availability of CCTV footage - sometimes perceived as instant proof - has been an ally to the otherwise rather passive police apparatus in India. In a country with a conviction rate hovering around 41% with over 7 million criminal cases pending trial, and with only 1.3 policemen per 1000 civilians90, the promise of CCTV aided law-enforcement carries a particularly optimistic charge.

Restrictions on Internet use in cyber cafes

According to a report by the Internet & Mobile Association of India titled "I-Cube 2009-2010: Internet in India", 37% of all internet usage in India occurs through cyber cafes.91  Despite the figures in this report, there is a sense that cyber cafes are on the decline in urban areas due to a combination of factors such as the rise of broadband, declining prices of personal computers, and the high costs of real estate.92

An additional reason for their decline could also be the onerous restrictions that have been imposed on cyber-cafes in various states, most recently through rules notified under the Information Technology Act in 2011. Cyber cafes are viewed with deep suspicion by the law enforcement apparatus in India, and tend to be seen as sites that promote criminal activity. This has led to the imposition of a range of restrictions on them, from requiring cyber cafes to obtain registration before opening business to requiring them to maintain detailed logs of users and use internet filters.

Simultaneously the government has attempted to curb the freedom of expression online through new regulations which expose 'intermediaries' to liability unless they assist government agencies in tracking down individual users who post a range of officially unwanted content. Section 79 of the IT Act grants immunity from liability to 'intermediaries' for third party content made available or hosted by them, provided, inter alia, the intermediary observes 'due diligence' and follows prescribed norms. As noted previously the IT Act contains a very expansive definition of 'intermediaries'. In 2011, the Ministry of Information and Technology issued two sets of rules under this Act - one to govern intermediaries such as ISPs and web-platforms, and another set to govern cyber cafes. These rules severely attenuate both the freedom of expression of citizens and their right to privacy.

Due diligence rules

In April 2011, the Government issued rules defining the 'due diligence' measures intermediaries are required to observe. According to these rules, intermediaries must incorporate into their terms of service, the warning that users are forbidden from publishing the following categories of information:

(a)       belongs to another person and to which the user does not have any right to;

(b)       is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;

(c)       harm minors in any way;

(d)       infringes any patent, trademark, copyright or other proprietary rights;

(e)       violates any law for the time being in force;

(f)         deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

(g)       impersonate another person;

(h)       contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;

(i)         threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

Within 36 hours of obtaining knowledge of any such information being transmitted through its networks, an intermediary is required to take steps to "disable such information". Further, the intermediary is required to provide assistance to government agencies "purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law".      

These rules have been widely condemned as being unlawful since they are both ultra vires Section 79 of the IT Act under which they have been made as well as the Constitution of India which guarantees the freedom of speech and expression.93

Cyber cafe rules

Along with the due diligence rules, the Ministry also notified separate rules to be adhered to by cyber cafes94. Like the word 'intermediary', cyber cafe has a very broad definition under the IT Act and means "any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public".95 As is evident, this definition includes not just conventional cyber cafes, but also a host of other venues where internet may be accessed including hotels, airport lounges etc. According to the new rules, cyber cafes are forbidden from allowing any user to use their computer resources "without the identity of the user being established." A user may establish his identify by producing any of seven different identity documents including driving license, passport etc. The cyber cafe is required to keep either a scanned copy or photocopy of the identity document produced and such a copy is to be retained for a period of one year. In addition, the cyber cafe "may" photograph a user using a "web camera" and such photograph would be included in the log register maintained by the cyber cafe.

The cyber cafe is required to maintain a detailed log of every user that includes the user's name, address, gender, contact number, type and detail of identification document, date, computer terminal identification, log-in time and log out time. For at least one year, the cyber cafe must also retain the complete history of websites accessed using computer resources at the cyber cafe and all logs of proxy server installed at cyber cafe [Rule 5]. The rules require that all computers "may" be equipped "with commercially available safety or filtering software".The rules also stipulate the size of cubicles and their orientation.

Any officer authorized by the government has powers to check and inspect cyber cafes and the log registers maintained at any time.

As with the due diligence rules, these rules have come under heavy fire for their draconian content from civil society commentators and bloggers.96 Previous state-level regulations of this kind have exposed cyber-cafe owners to undue hardships and harassment at the hands of local police while not leading to a corresponding increase in security.97 In other cases, in the absence of a monitoring mechanism, the cyber cafes have, under government regulation, accumulated vast logs without any actual oversight ever occurring.98 In both cases, unfortunately, it is the privacy of the individual that has ultimately suffered as copies of increasing numbers of ID documents accumulate in the hands of cyber cafe owners, mobile phone agents etc.

Already a cottage industry of fake identity documents has mushroomed due to this availability of ID documents. In August 2011, the Economic Times reported on the existence of a "Fake ID market" in Mumbai where the going rate for an ID proof was as low as "Rs 5 for an ID proof with an original photograph, and Rs 50 for an ID with an original photograph and two supporting documents." The article goes on to report that "in just the past six months, 54 FIRs have been registered against several retailers, cutting across a spectrum of service providers, for stealing a customer's identity and then using it to issue multiple SIM cards to multiple customers."99 Far from this being a solitary occurrence, this seems to have become a widespread phenomenon across the country with similar incidents having been reported in West Bengal100, Hyderabad101, Patiala102, Lucknow103 and New Delhi104 among other places. Most often when these scams are 'unearthed' the harms to privacy of citizens are dulled by government through an overriding discourse of national security which presents these incidents primarily as aids to terrorism.

It is here that perhaps a critique based on the citizen's privacy could prove most beneficial since it would, perhaps more than one founded on national security, reveal the complicity of the state in begetting this fake identity market. By forcing people to deal promiscuously with their identity documents in order to secure basic telephony and internet services, the state has unwittingly created the conditions for the flourishing market of fake documents we witness today. In its pursuit of 'national security' - supposedly secured through scrupulous verification of identity documents - the state has created the conditions for a situation where practically nobody's identity document is credible anymore since there are too many fakes floating around. Perhaps nothing more serves to illustrate the urgent need in India to build privacy concerns into state policy at the planning stage itself.

Cyber security

In April 2011, the Ministry of Information Technology released a draft Cyber Security Policy which talks in general terms about "deployment of technologies and capabilities for real-time protection and incident response", the need for "cyber intelligence and cyber intelligence" and the need for preparedness at all levels. The policy has still not been finalized and contains no discernible privacy implications. 105

The IT Act confers vast powers of interception and monitoring under Sections 66-69 of that Act. These powers extend to issuing directions requiring any person in charge of a computer to extend all facilities to decrypt information. In other words, the government may hack in order to gain access to information that it lawfully requires.

Section 66 of the IT Act creates a broad offence of "dishonestly or fraudulently" hacking or tampering with source code, which applies equally to the government. However, this is subject to Section 84 of the IT Act, which immunizes actions by officials undertaken in good faith and in pursuance of the provisions of the Act.

Workplace surveillance

Perhaps one of the most neglected areas of privacy law in India pertains to privacy in the workplace. Labour law in India has largely tended to focus on providing the organized sector with safe working environments and assuring workers a minimum and non-discriminatory wage. Perhaps the only privacy-type concern that is consistently referenced in these legislations has been the imperative to provide adequate toilet facilities to workmen at sites of employment.106 

There is no law in India governing the extent to which employers are allowed to monitor their employees. In many industries such as call centers and IT enabled services, pervasive video surveillance of the workplace, use of biometric identity cards, monitoring of employee use of the internet etc. is routine. Courts have not so far dealt with this issue in a general way, perhaps because the legal framework to bring such an issue does not exist. For such an issue to arise before a court it would require a workman who has been dismissed or suspended to bring a suit claiming that employee surveillance was unfair and that he had been dismissed on account of it. Although the Constitution provides, as a Directive Principle of State Policy, that the state shall endeavor to secure "just and humane" conditions of work107, there is currently no law that gives workmen a general remedy for "unjust or inhumane conditions" of work. Employers are required minimally, to ensure that they do not expose employees to hazardous work conditions, provide basic sanitation and rest facilities, and are required to treat male and female employees equally. They may not dismiss their employees capriciously. Beyond that, however employers are accorded sovereignty over their workplace which may extend to surveilling their employees at will. Of course this may not extend to taking clandestine pictures of "private areas" as forbidden by Section 66E of the Information Technology Act

Notwithstanding the thin articulation of workplace privacy rights in India, the Supreme Court has, in at least one case, placed fetters on the kind of information that employers could seek from employees. In Mrs. Neera Mathur v Life Insurance Corporation108, the petitioner was a woman who had applied for a post in the Life Insurance Corporation of India. Having succeeded at a written test and interview she was asked to file a "declaration form" and was also examined by a lady doctor on the panel of a corporation. Thereafter she was given a letter of appointment subject to a six-month probation period. Shortly after her appointment, within her probation period, she applied for and took maternity leave for a period of three months. During this period, the company discharged her from service without assigning a reason. In a petition that ended up in the Supreme Court, the company defended its action on the ground that "the petitioner had deliberately withheld to mention the fact of being in the family way at the time of filling up the declaration form before medical examination for fitness". The declaration form contained several questions which impinged on her privacy including whether she was married, whether her menstrual periods always been regular and painless, the number of conceptions that had taken place and the number that had gone to full term, the date of her last menstruation, the date of her last delivery and whether she had undergone an abortion. The Supreme Court held that the "real mischief" in this case was "the nature of the declaration required from a lady candidate". The court held that the details sought in the declaration form were "embarrassing if not humiliating" and that the "modesty and self respect" of a woman would "preclude the disclosure of such personal problems". The court ordered the company to reinstate the petitioner with full back wages and instructed the company to delete the offending columns in the declaration. 

In the same vein, in a number of cases, courts have forbidden public sector employers in India from conducting HIV/AIDS tests without the consent of the employee or discriminating against HIV positive employees. There appears to be a strong line of rulings protecting persons with HIV from discrimination in public sector employment,109 although private sector discrimination continues unchecked.

Identity documents

India does not yet have a mandatory identity card system; that is, no Indian law mandates that failure to produce an identifying document is an offence.

However, this statement is qualified by two facts: first, the government is currently undertaking an exercise under the Citizenship Act to mandatorily register citizens (see National Population Register, below). Second, in certain conflict-ridden states of India - the entire North East and Jammu and Kashmir, for instance - the army and the police have been given extraordinary powers including arresting without warrant. In these areas failure to carry and produce upon demand valid ID documents can have serious implications. As one commentator notes in relation to Jammu and Kashmir, "Movements of people on roads and bazar is regulated with frequent demands to show their IDs and frisking and searching of bags. It is a known fact that anyone in area declared "Disturbed" found without a ID can suffer anything from having to bribe his way to freedom to becoming a victim of enforced disappearance."110

Given the trajectory of 'security measures' in India, it would not be unfair to say that the country is one major terrorist attack away from a generalized compulsory identification system. In any event, the police in India have vast powers of arrest in the case of cognizable offences and may in certain cases provided under Section 151 of the Code of Criminal Procedure (CrPC), arrest without a warrant. Section 42 of the CrPC permits the police to arrest a person "who has committed an offence in the presence of a police officer or has been accused of committing a non-cognizable offence" and refuses, on demand being made by a police officer to give his name and residence or gives false name or residence. Such a person may be arrested only for the limited purpose of ascertaining his name and residence.111

Foreigners registered under the Foreigners Act (see Sec. 9 above) are required upon demand "by any Registration Officer, any magistrate or any police officer not below the rank of a head constable" to produce their certificate of registration and other identity documents.112

In 2008, the Ministry of External Affairs began issuing RFID chip enabled 'e-passports' to select officials in the government. Although the plan was to extend this facility to the general population starting in 2009, successive delays in implementation have prevented a full-scale unrolling of this project. There are rumours that the project has stalled due to allegations that Gemalto, the multi-national company selected to supply the chips and software113 for the e-passports, had links with Pakistan's spy agency, the Inter-Services Intelligence. The project is reportedly awaiting clearance from the home ministry and the ministry of defence. 114

In the past decade there have been two kinds of attempts at providing identity cards. First, various states have issued ad-hoc identity documents for a variety of purposes including to secure employment and food supplies. Secondly, the Central Government has hatched schemes - not always successfully - to provide Pan-Indian identity documents to all citizens. These identity documents are canvassed below.  

State-level Identity Cards

Due to the federal setup of the Indian constitution, the administration of most welfare schemes - from employment guarantee to disability pension and food rations - tends to be the responsibility of the various state governments. Obeying the inexorable market logic of India in the 21st century, in the past decade, practically each such welfare scheme in each state has spawned its own identity document. Perhaps the most ubiquitous of these is the ration card, which entitles families to specified monthly allocations of food grains and other supplies. These ration cards have traditionally been used in India as identity documents for a range of corollary transactions such as obtaining a gas, electricity or a telephone connection. In the past few years, most states have either announced or implemented schemes to convert these paper documents into biometric cards, with mixed results.

In August 2010, Orissa began collecting biometric data including fingerprints and iris scans from citizens.115 The State of Karnataka has reportedly already issued biometric bar-coded ration cards to "74 lakh households" in the state between 2008-2011.116 In the past year alone, the states of Goa,117 Tamil Nadu,118 Rajasthan,119 Maharashtra,120 and Haryana121 have all announced plans to distribute biometric ration cards to all residents of those states. In a curious display of pioneerism, each state unfailingly declares itself to be the - first state in the country - to have introduced this facility.122

In addition, the states also issue driving licenses through their respective Transport Departments. Although in the past, inadequate interlinking between state departments prevented driving licenses from becoming a national ID, recent measures by the central government, including the mandating of smart-card based driving licenses by December 2009123 and the setting up of a National Registry of Licenses have imbued locally issued licenses with a national character. In addition, there are plans to issue all driving licenses in the Union of India's name.124

In July 2010, the Union Ministry of Road Transport announced the establishment, within six months, of a "national registry of all driving licenses" that envisaged the interlinking of all state transport departments to prevent duplicate licenses from being issued. The purpose of the National Register would be to provide "information to the department of road transport and highways, RTOs, inter-state check posts and the police for quick verification of documents and information."125 The registry "www.vahan.nic.in" was officially inaugurated a year later in July 2011 and includes details of "about 90 lakh vehicles, including complete information about owners, tax payment and permit, and about 80 lakh driving licences are available."126

In May 2011, the state of Gujarat announced plans to launch its own identity card project to rival the Aadhar project of the Central Government (see below). Accordingly to news reports, the project would "give every individual an UID number and have details such as if the person is below or above the poverty line, whether he/she pays income tax, permanent address, property ownership and if entitled to reservation benefit."127

The Permanent Account Number Card

The Permanent Account Number (PAN) is a ten-digit alphanumeric number, issued by the Income Tax Department in India, specifically to facilitate the interlinking of all financial transactions related to a specified person. According to a document on the Department's website, "PAN enables the department to link all transactions of the 'person' with the department. These transactions include tax payments, TDS/TCS credits, returns of income/wealth/gift/FBT, specified transactions, correspondence, and so on. PAN, thus, acts as an identifier for the 'person' with the tax department"128

Although introduced in 1995, the PAN was made mandatory in January 2005 and it is compulsory to quote this number in most high value transactions exceeding Rs. 50,000 and certain other specified transactions such as applying for a telephone or opening a bank account, payments to hotels exceeding Rs. 25,000.129

Section 139A of the Income Tax Act forbids persons from obtaining more than one PAN Number. Failure to obtain a PAN Number and quote it during transactions could lead to an imposition of a penalty of Rs. 10,000 (Sec 272B). Failure to quote PAN numbers, however, appears only to be pursued and penalized by the IT Department in cases where the value exceeds Rs. 25 lakh.130

Unlike the Social Security Number in the United States, the avowed purpose of the PAN system is to interlink various transactions of a person in order to gather intelligence about their activities. The Central Information Branch, the intelligence wing of the Central Board of Direct taxes, newly revamped in 2010 to "ensure current, constant and consolidated reporting and delivery of information on transactions"131 has recently put in place 'software that already has extensive information on taxpayers mapped to their respective PAN cards".132

In 2006, the then Finance Minister Chidambaram, proposed a plan to issue biometric PAN cards which "would have carried the I-T assessees' fingerprints (two from each hand) and the face." However, with the announcement of the more ambitious UID project (see below) and the transfer of the minister to the Home Ministry, this plan was put on hold.133

In May 4, 2011, the Finance Ministry announced measures to streamline the financial information provided by third parties, such as banks and mutual fund companies, to the CBDT to facilitate smoother and faster access to information about persons.134 In August 2011, the Indian Banks' Association, representing "more than 160 Indian and foreign banks operating in the country," agreed to provide access to banks' data bases with the Central Board of Direct Taxes, purportedly in order to check the accumulation of black money. This move, it is stated, would give tax authorities "a 360 degree view of the taxpayer."135

Despite the aspiration of the system to achieve total financial e-supervision of all persons in India, these ambitions have been thwarted by rampant counterfeiting of PAN cards.136 In a revealing report by the Comptroller and Auditor General of India (CAG) on Direct Taxes in Parliament in 2011, it was revealed that "958 lakh PANs were issued up to March 2010 but IT returns filed in the last fiscal were only 340.9 lakh". The CAG report suggested "issuance of multiple PAN cards" as a possible reason for this large discrepancy.137

As noted previously, the linking of PAN cards as a condition to accessing a variety of quotidian services has created the necessary conditions for a wholesale counterfeit market. With the failure of each successive form of 'foolproof' ID, the state rushes blindly into the next newest available technology in the hope of finding redemption. Paradoxically, as the webs of generalized surveillance intensify through such measures as the interlinking of databases and international tax information sharing, there is no corresponding sense of more and bigger criminals being brought to book.

The Electoral Voter ID Card

The Election Commission of India (ECI) is a permanent constitutional body responsible for overseeing the conduct of elections in India. One of the functions of the ECI is to prepare electoral rolls of registered voters in all assembly constituencies in India and, more recently, to issue Elector's Photo Identity Cards (EPIC) to all voters. For this purpose, a registration officer may access and requisition copies of the Register of Births and Deaths and the admission register of any educational institution in any area.138 The complete electoral rolls " containing details such as full name, relatives, age, sex and EPIC number " are required by law to be available for inspection at office of the registration officer, and copies of the rolls must be supplied to every political party.139 All citizens may obtain copies of extracts of the rolls pertaining to themselves upon payment of a fee.140 In addition, it has become common practice for state election commission websites to provide online access to complete lists of electoral rolls that they maintain.141 Political parties are provided with soft copies of complete electoral rolls, although photographs of voters are not made available to them in soft copy.142

In August 1993, in what was probably the first initiative of its kind and scale, the ECI began to issue EPICs to all voters in the country to ensure their correct identification and prevent impersonation.143 The EPIC contains the details of the user's name, relations, date of birth, gender, address and the photograph. In addition, every EPIC is fixed with a security hologram and has a unique ten character alphanumeric string called the EPIC Number.144

Despite having the potential to serve as a kind of Pan-Indian unique identification, in practice, the scheme was highly decentralized with databases being maintained at the level of each constituency instead of in one centralized repository. There was no standardization in either the database technology employed or data structure adopted at each level, and this led to incompatible databases being maintained at each level.145 The fact that databases were being maintained in regional languages made the task of integration even more difficult. Voters were required to obtain fresh ID cards in each new constituency that they shifted to, and inadequate co-ordination within the election commission led to a situation where it was possible for voters to maintain separate voter IDs in different constituencies that they transferred to. In addition, the database of voters and the database of photographs were frequently maintained separately and were imperfectly linked.

In order to streamline the process and consolidate the disaggregated data, in February 2008, the ECI decided to centralize its databases and directed the Electoral Database and the photo database to be centrally maintained in one database for the entire State.146 Without commenting on the prospects of this new centralized database, it would be pertinent to consider some aspects of the career of the voter ID card so far:

- Firstly, like the Ration Card and the PAN Cards, EPICs have proven highly susceptible to forgery. One source of these fakes is the pilferage of the 'security holograms" that have occurred from the offices of the election commission. In November 2003, the Madhya Pradesh state election commission had reportedly "misplaced" over 5 lakh (500,000) of these holograms. Although most were subsequently recovered, there were no records indicating the actual numbers lost.147 In August 2006, a leader of a political party in West Bengal was arrested "for running an offset press that printed fake voter ID cards".148 According to the news report, "he acquired a hologram software from Mumbai and used it to make dud voter ID cards.  Such machines can be easily procured from the nearby Nohata Market, close to the Benepole border."149 As recently as August 2011, the police arrested three members of a gang in Secunderabad who were issuing fake EPIC cards. The news report revealed that "twenty-one EPICs, 400 holograms and stamps were seized from the arrested persons".150 Previously, similar incidents had been reported in New Delhi151 and Bhubaneshwar.152 Frequently the supply of the holograms to these forgers has been traced to personnel within the Election Commission itself, indicating lax or missing security protocols within the organisation. In the Secunderabad case, newspapers reported that an attender in the Election Commission office, who was the main accused, had 'secured an old software used to make the EPIC and stored it in his computer at home. Using this software, he would scan an EPIC, replace the details with those of his clients and issue the card using the holograms available with him.'153 In another incident in Kanpur, the accused were reportedly supported by government officials who actively provided them with details needed to prepare fake electoral IDs.154

- In several cases of forgery, the mischief has been traced to the private company contracted by the Election Commission to record data and supply the electoral ID cards. In October 2007, for instance, the Maharashtra State Election Commission lodged an FIR against an employee of a private software company who admitted to running a fake voter ID scam.155 In 2003, an employee of the private agency contracted to make ID cards in Mahipalpur constituency was arrested for running a fake ID racket.156 In the recent case in Secunderabad, mentioned above, the news report observed, the entry of data was assigned to the CMC Ltd. on contract basis but there were no records showing details of voters approved by the electoral officer to make entries in the database.157 In this case, the police were reportedly investigating the role of the private agency. In another revealing incident, the Bangalore Municipal Corporation (BBMP), which had outsourced the task of data entry of voter ID cards on an ad hoc basis to unskilled and "unemployed youths" reportedly conceded that "BBMP is aware that computers used in cyber cafes by unskilled youngsters have led to mistakes and leakage of data, but such usage has become inevitable due to shortage of computers".158

Despite the high incidence of fakes, the EPIC remains today one of the most widely used modes of identification used by citizens. An important source of concern from the privacy perspective is the degree to which the enrolment process is controlled by the contracted agency. Apart from thinly worded contractual terms which require the agency to turn over all data collected to the Election Commission and not retain anything beyond the period of the contract, there are usually no safeguards and standards that the ECI mandates these agencies to observe. Already, as witnessed above, this laxity has occasioned the mushrooming of fake voter id rackets. An important contribution to privacy, in this context, would be the evolution of a strong data protection guideline, backed with sanctions to govern those agencies whom the ECI contracts to perform the tasks of enrollment in and issuance of EPICs.

The National Population Register/Multipurpose National Identity Cards (MNIC)/National ID Number

In 2004, the Citizenship Act 1955 was amended to include a new section dealing with the "Issue of National Identity Cards". The new Section 14A empowers the Government to "compulsorily register every citizen and issue a national identity card to him". The section designates the Registrar General of India " in charge of conducting the decennial Census in India " as the National Registration Authority for the purpose of enrolling citizens and issuing them with identity cards. Rules have been framed under the Act which make it mandatory for every Citizen of India to get themselves "registered in the Local Register of Indian Citizens during the period of initialization".159 Failure to do so is punishable with a fine of up to Rs. 1000. Under the rules, Multipurpose National Identity Cards (MNIC) are to be issued to every citizen enrolled in the National Register of Indian Citizens. The local registrar is empowered, upon an application from the citizen to make modifications in the register with respect to changes in name, residential address, marital status or change of sex.160

In 2010-2011, as a part of the decennial census, the actual process of compiling the National Population Register and issuing MNICs was initiated. According to the website of the Registrar General, the "NPR will be a comprehensive identity database that would help in better targeting of the benefits and services under the Government schemes/programmes, improve planning and help strengthen security of the country. This is being done for the first time in the country."

Under the scheme, the issue of the MNICs is the last step and is to be "given in a phased manner to all usual residents" with no specific timeline set. In September 2011, a public interest litigation was filed against the Registrar General alleging that the machinery, which the government was about to procure for manufacturing the MNICs did not meet the specifications of the technical committee and would result in the issuing of cards which would "not survive more than two years."161

Apart from the technical problems, one source of concern for privacy advocates is that one major step in the process, the digitization of NPR forms collected from individuals, is being outsourced to private companies. More specifically, personnel from private companies such as ECIL are responsible for the digitization of all demographic data collected by the census department. As witnessed above, in the context of the electoral ID, this is a process fraught with the risk of data theft. In the absence of strict data protection guidelines on the protocol to be observed by these personnel, the protection of citizens' informational privacy hinges on the ability and willingness of the State to enforce contractual clauses against the agencies hired by it for this task.

The Unique Identity scheme (Aadhar)

The Unique Identity (UID) scheme purports to be a voluntary scheme. However, owing to the complex operational structure that the UID scheme adopts, the actual task of enrollment entirely in the hands of third party "Registrars", which include a host of central and state social security and welfare departments (including the Ministry of Rural Development which administers the Rural employment guarantee scheme), banks and insurance companies. There is nothing in the Aadhar Scheme that forbids these Registrars from making access to their services conditional on an individual's consent to UID registration. In practice, many of them have made and will continue to make UID registration a preliminary formality before access is granted to their services. So the citizen's "freedom" to resist UID registration depends on their ability to forego minimum guarantee of the right to employment, cooking gas, banking and insurance services, food rations etc.

In addition, the Registrar General of India, the authority responsible for compiling the National Population Register of India under the Citizenship Act, is also a 'Registrar' for the purposes of the UID. This means that an individual's registration in the NPR will entail automatic enrollment in the UID. The Citizenship (Registration of Citizens and Issue of National Identity Cards) Rules 2003 make it mandatory for everyone to be enrolled in the National Population Register. Thus, although the Aadhar number does not confer citizenship, one cannot be a citizen anymore without owning an Aadhar number.

A frequent assertion about the UID scheme is that the data collected will be limited to a standard set of information such as an individual's name, residence, date of birth, photo, fingerprints and iris image. However, the entire process of enrollment is carried out through Registrars who have absolute freedom to expand the categories of information collected to include data that is entirely orthogonal to the purposes of the UID. This freedom is typically guaranteed by a clause in the Memorandum of Understandings with Registrars enabling them to collect additional data that "is required for their business or service". Thus, for instance, in Himachal Pradesh, citizens are asked to provide additional details such as information about their ration cards, PAN cards, LPG connection and bank accounts.162

Although the Unique Identification Authority of India (UIDAI) makes repeated assertions regarding its intent to respect privacy and ensure data protection, the precise mechanism through which these objectives will be secured is extremely unclear. The entire responsibility for devising schemes for safeguarding information during the collection phase rests entirely on the Registrars. The UIDAI's responsibility for privacy begins only from the moment the information is transmitted to it by the Registrars, by which time the information has already passed through many hands including the Enrolling Agency and the Intermediary, who passes on information from the Registrar to the UIDAI.

Rather than setting out an explicit redress mechanism and a liability regime for privacy violations, the UID's documents stop at describing the responsibility of the Registrars as a "fiduciary duty" towards the resident/citizen's information. The Registrars are tasked with maintaining records of the data collected for a minimum period of six months. No maximum period is specified and Registrars are free to make what use of the data they see fit. In addition, the Registrars are mandated to keep copies of all documents collected from the Resident either in physical or scanned copies "untill the UIDAI finalizes its document storage agency."163

The "Data Protection and Security Guidelines" which the UIDAI requires all Registrars to observe merely call on Registers to observe care at all stages of data collection and to develop appropriate internal policies. There is mention of the desirability of external audits and periodic reporting mechanisms, but the details of these schemes are left to the individual Registrar to draw up.

Although the Draft National Identification Authority of India Bill (NIA Bill) penalizes the intentional disclosure or dissemination of identity information collected in the course of enrollment or authentication, this does not guard against accidental leaks and does not mandate the service providers to positively employ heightened security procedures. Prosecution of offences under the Act can only proceed with the sanction of the UID Authority, which further burdens the task of criminal enforcement in these cases and would make it difficult for individuals to obtain redress quickly. The total absence of a provision for civil remedies against Registrars makes it unlikely that they will take the task of protecting privacy seriously.   

The UIDAI has frequently claimed that it will not disclose any information, but merely authenticate information.164 However, many of the UIDAI's documents conflict with this position. The draft NIA Bill, for instance, permits the Authority to issue regulations on the sharing of "the information of Aadhaar number holders, with their written consent, with such agencies engaged in delivery of public benefits and public services as the Authority may by order direct". In practice, prior "written consent" for sharing is obtained from the resident as a matter of course at the time of enrollment itself, and it is impossible to obtain an Aadhar number without consenting to sharing by the UID Authority.165 In practice, in India, a large number of forms will be filled in by assistants and the written consent box will be ticked as a matter of course without the resident understanding the full implications of her 'consent'.

The draft NIA Bill permits the authority to "make any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister in charge". There is nothing in the Act that requires that this information be made available on an individual basis - in other words, it is possible for the data to be shared en-masse with any agency "in the interests of national security".

There is nothing preventing Registrars who carry out the actual data collection functions from sharing this information with anyone they choose. Thus, for instance, the Aadhar information collected during the exercise of compiling the National Population Register will can be shared in whichever manner the Registrar General of India chooses, irrespective of what the UIDAI does with that information.

In September 2011, the National Human Rights Commission, set up under the Human Rights Act, issued an opinion cautioning against the potential harms of the Aadhar scheme. The Commission noted the possible discriminatory effects of the scheme and the fact that no provision had been made in the Bill for compensation to the victim in case of breach. One newspaper account reported that "The NHRC noted that the "biometric information" and "demographic information" have not been clearly defined and while framing the regulations under the Act, precautions should be taken to ensure that individuals are not required to disclose confidential information about themselves."166

Immigration

Like most countries in the world, India requires foreigners to obtain a visa before entering the country. Standard documentation is required to obtain a visa including proof of address, passport photographs and invitation letters.

The presence of foreigners in India is regulated by the provisions and rules under the Foreigners Act 1946 and the Registration of Foreigners Act 1939.

Foreigners visiting India on long term visas (more than 180 days) are required to register with the relevant Foreigners Regional Registration Officers (FRROs) within 14 days of their first arrival. The District Superintendents of Police typically function as Foreigners Registration Officers in each State. The process of registration entails the submission of a number of records, as well as passport size photographs. Although foreigners are not currently required to submit biometric details, this is a plan that is being developed. Under the "Immigration, Visa and Foreigners Registration & Tracking" (IVFRT) system, part of the National E-Governance Plan, the Ministry of Home Affairs aims to "enable authentication of traveler's identity at the Missions, Immigration Check Posts (ICPs) and Foreigners Registration Offices (FROs) through use of intelligent document scanners and biometrics, updation of foreigner's details at entry and exit points, improved tracking of foreigners through sharing of information captured during visa issuance at Missions, during immigration check at ICPs, and during registration at FRRO/ FROs"167 The scope of the project includes 169 Missions, 77 ICPs (Immigration Check Posts), 5 FRROs (Foreigners Regional Registration Offices), and FROs (Foreigners Registration Offices) in the state and district headquarters.168

Once registered, a foreigner may be compelled to produce sets of finger impressions, passport photographs and signatures if the proof of identity submitted by him during registration does not contain these details.169

Apart from this, every "keeper of a hotel" is required to maintain a separate register for foreigners. They are required to transmit, a copy of a memo containing details about the foreigner to the Registration Officer.  

An immigration check is carried out for all passengers at the port of arrival in India by the Bureau of Immigration. Passengers (both Indian and foreign) entering the country are required to furnish details about themselves in the disembarkation card (arrival card) including their name and nationality, age, sex, place of birth and address or intended address in India, the purpose of visit and the proposed length of stay in India. Immigration check includes "checking of passport, visa, disembarkation card, entering foreigner's particulars in computer, retention of arrival card and stamping of passport of the foreigner".170

Customs rules permit passengers to bring up to two laptops into the country without paying additional duty. Customs officials are empowered to seize laptops that are thought to be smuggled into India over and above this permissible quota.

There have been no reported cases of customs or immigration officials having searched laptops at the borders in India.

Profiling/Data Mining

There are currently no laws in India that specifically either proscribe or permit profiling or data mining in a general way. Article 14 of the Constitution of India grants all citizens the right to "equality and equal protection" and to the extent that the state conducts profiling to the disadvantage of any citizen or class of citizens, this article may be viewed as a "law against profiling".

DNA and other forensic tests and databases

India does not currently have a national DNA database, although there is a bill pending in Parliament that envisages the creation of such a database. The draft DNA Profiling Bill, pending since 2007 before Parliament, attempts to create a centralized DNA bank that would store DNA records of virtually anyone who comes within any proximity to the criminal justice system. Specifically, records are to be maintained of 'suspects, offenders, missing persons and "volunteers"'.171 The schedule to the bill contains an expansive list of both civil and criminal cases where DNA data will be collected, including cases of abortion, paternity suits and organ transplant. Provisions exist in the bill that limit access to and use of information contained in the records, and provide for their deletion on acquittal. These are welcome minimal guarantors of privacy.172

Meanwhile, the infrastructure for DNA testing by both state and private players to create such databases has proliferated. In June 2008, newspapers reported that a "Biotech Park" in Lucknow in northern India had announced the establishment of a DNA bank - purportedly Asia's first. According to the report,"The members of the DNA bank will receive a microchip based DNA card containing information of their fingerprints, and anthropological details, said [the CEO of the park]".173

In December 2010, Nehru Nagar, a region in Mumbai, announced that it had established a DNA database of over 800 "anti-social elements and other people from the area".174

In January 2011, the Indian Army began DNA profiling of its soldiers in order to "to help in identification of bodies mutilated beyond recognition."175

Even without the DNA Profiling Bill, various existing laws already permit the collection of a range of physiological evidence.

The pre-independence Identification of Prisoners Act, 1920 empowers police officers to take 'measurements' (including finger impressions and footprint impressions) and photographs of persons arrested or convicted for any offence punishable with rigorous imprisonment for a term of one year of upwards or ordered to give security for his good behaviour under Section 118 of the Code of Criminal Procedure.176 The Act also empowers a magistrate to order a person to be measured or photographed if he is satisfied that it is required for the purposes of any investigation or proceeding under the Code of Criminal Procedure, 1898.177 The Act also provides for the destruction of all photographs and records of measurements on discharge or acquittal.178

In 2005, the Code of Criminal Procedure was amended to enable the collection of a host of medical details from accused persons upon their arrest. Section 53 of the CrPC provides that upon arrest, an accused person may be subjected to a medical examination if there are "reasonable grounds for believing" that such examination will afford evidence as to the crime.  The scope of this examination was expanded in 2005 to include "the examination of blood, blood stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples and finger nail clippings by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case."

In a case in 2004, the Orissa High Court179 affirmed the legality of ordering a DNA test in criminal cases to ascertain the involvement of persons accused. Refusal to co-operate would result in an adverse inference drawn against the accused.

After weighing the privacy concerns involved, the court laid down the following considerations as relevant before the DNA test could be ordered:

"(i) The extent to which the accused may have participated in the commission of the crime;

(ii) the gravity of the offence and the circumstances in which it is committed;

(iii) age, physical and mental health of the accused to the extent they are known;

(iv) whether there is less intrusive and practical way of collecting evidence tending to confirm or disprove the involvement of the accused in the crime;

(v) the reasons, if any, for the accused for refusing consent."180

The utility of this mass of information - fingerprints, handwriting samples, photographs and DNA data - in solving crimes is immense. Without having said a word, it is possible for a person to be convicted based on these various bodily affects - the human body constantly bears witness and incriminates itself. Both handwriting and finger impressions beg the question of whether these would offend the protection against self-incrimination contained in Article 20(3) of our Constitution which provides that "No person accused of any offence shall be compelled to be a witness against himself." This argument was considered by the Supreme Court in The State Of Bombay vs. Kathi Kalu Oghad And Others.181 The petitioner contended that the obtaining of evidence through legislations such as the Identification of Prisoners Act amounted to compelling the person accused of an offence "to be a witness against himself" in contravention of Article 20(3). The court held that "there was no infringement of Art. 20(3) of the Constitution in compelling an accused person to give his specimen handwriting or signature, or impressions of his thumb, fingers, palm or foot to the investigating officer or under orders of a court for the purposes of comparison [...] Compulsion was not inherent in the receipt of information from an accused person in the custody of a police officer; it will be a question of fact in each case to be determined by the court on the evidence before it whether compulsion had been used in obtaining the information."182

Over the past two decades, forensics has shifted from trying to track down a criminal by following the trail left by her bodily traces, to attempting to apply a host of invasive technologies upon suspects in an attempt to "exorcise" truth and lies directly from their body. One statement by Dr M.S. Rao, the Government's Chief Forensic Scientist, captures this shift:

Forensic psychology plays a vital role in detecting terrorist cases. Narco-analysis and brainwave fingerprinting can reveal future plans of terrorists and can be deciphered to prevent terror activities [...] Preventive forensics will play a key role in countering terror acts. Forensic potentials must be harnessed to detect and nullify their plans. Traditional methods have proved to be a failure to handle them. Forensic facilities should be brought to the doorstep of the common man [...] Forensic activism is the solution for better crime management.183

Although there are several such "technologies" which operate on principles ranging from changes in respiration to mapping the electrical activity in different areas of the brain, what is common to them all, in Lawrence Liang's words, is that they "maintain that there is a connection between body and mind; that physiological changes are indicative of mental states and emotions; and that information about an individual's subjectivity and identity can be derived from these [...] physiological measures of deception"184

So, how legal are these technologies, in view of the constitutional protections against self-incrimination? In a case in 2004, the Bombay High Court upheld these technologies by applying the logic of the Kathi Kalu Oghad case discussed above. The court drew a distinction between 'statements' and 'testimonies', and held that what was prohibited under Article 20(3) were only 'statements' that were made under compulsion by an accused. In the court's opinion, 'the tests of Brain Mapping and Lie Detector in which the map of the brain is the result, or polygraph, then either cannot be said to be a statement.' At the most, the court held, "it can be called the information received or taken out from the witness."185

This position was, however, overturned recently by the Supreme Court in Selvi vs. State of Karnataka186 (2010). In contrast with the Bombay High Court, the Supreme Court expressly invoked the right of privacy to hold these technologies unconstitutional.

"Even though these are non- invasive techniques the concern is not so much with the manner in which they are conducted but the consequences for the individuals who undergo the same. The use of techniques such as "Brain Fingerprinting" and "FMRI-based Lie-Detection" raise numerous concerns such as those of protecting mental privacy and the harms that may arise from inferences made about the subject's truthfulness or familiarity with the facts of a crime."

Further down, the court held that such techniques invaded the accused's mental privacy, which was an integral aspect of their personal liberty.

"There are several ways in which the involuntary administration of either of the impugned tests could be viewed as a restraint on `personal liberty' [...] the drug-induced revelations or the substantive inferences drawn from the measurement of the subject's physiological responses can be described as an intrusion into the subject's mental privacy"

Following an examination of the issue, the Supreme Court directed that "no individual should be forcibly subjected to any of the techniques in question, whether in the context of investigation in criminal cases or otherwise. Doing so would amount to an unwarranted intrusion into personal liberty." The court, however, left open the option of voluntary submission to such techniques and endorsed the following guidelines framed by the National Human Rights Commission:

(i)      No lie detector tests should be administered except on the basis of consent of the accused. An option should be given to the accused whether he wishes to avail such test.

(ii)     If the accused volunteers for a lie detector test, he should be given access to a lawyer and the physical, emotional and legal implication of such a test should be explained to him by the police and his lawyer.

(iii)    The consent should be recorded before a judicial magistrate.

(iv)    During the hearing before the magistrate, the person alleged to have agreed should be duly represented by a lawyer.

(v)     At the hearing, the person in question should also be told in clear terms that the statement that is made shall not be a "confessional" statement to the magistrate but will have the status of a statement made to the police.

(vi)    The magistrate shall consider all factors relating to the detention including the length of detention and the nature of the interrogation.

(vii)   The actual recording of the lie detector test shall be done by an independent agency (such as a hospital) and conducted in the presence of a lawyer.

(viii) A full medical and factual narration of the manner of the information received must be taken on record.

Although the right against self-incrimination and the inherent fallaciousness of the technologies were the main ground on which decision ultimately rested, this case is valuable for the court's articulation of a right of "mental privacy", grounded on the fundamental right to life and personal liberty. It remains to be seen whether this articulation will find resonance in other determinations in domains such as, say, communications.

Other Databases

In 2009, the Government announced the establishment of a National Intelligence Grid (NATGRID), reportedly modeled on the US model. The project is expected to consolidate "over 20 diversified databases such as banks, financial intermediaries, telecom service providers, etc". It is anticipated that "once institutionalized, it will promote effective and speedy retrieval of financial and non-financial data by over 10 government agencies (including RAW, Intelligence Bureau, Revenue Intelligence & the Income-tax department)".187

In July 2011, the Chennai police announced field trials for "the Crime Criminal Tracking Network and System (CCTNS), which would connect all the 1,400-odd police stations in the State to a central database". "Once operational", the report goes on to state, "the database would provide details of all first information reports (FIRs), pending cases and those relating to court proceedings."188

Footnotes