Surveillance Reform and India’s new Telecom Act

The recent Telecom Act in India has sparked concerns over potential surveillance implications, especially for their lack of surveillance reform. I was on CNBC-TV18 with Ashmit Kumar towards the end of the year, discussing the act (link in the comments). I’ve had some time to think about this more, so a few points: :

1. Unchecked Power to do surveillance: The Telecom Act lacks sufficient checks on government surveillance, enabling unrestricted access to personal communications, which is a privacy concern. Government officials both issue and evaluate surveillance orders, creating a situation where the entity in power polices itself, leading to a clear conflict of interest.

2. Ubiquity of requests for call data records: Call Data Records (CDRs) are obtained by local police in almost 90% of cases by local police without adequate oversight, compromising the privacy of countless individuals.

3. Intrusive CMS: The Centralised Monitoring System, which is embedded in telecom networks, enables extensive monitoring capabilities of non-WhatsApp calls and messages, without necessary limitations, potentially leading to abuse under the guise of security.

4. Lack of proportionality in surveillance: As per previous reports, around 300 orders per day for surveillance were issued. How can there be adequate application of mind? Also, there needs to be a graded approach: under what circumstances, and based on what kind of information, and what kind of threat, what level of surveillance and for how long, is permitted. As of now, there’s no such limitation.

5. Lack of definition of National Security: There is no definition in law, in terms of what National Security means. It could mean whatever the government wants it to mean. Can snooping on an opposition politician during elections be seen as a national security issue? Currently, it can.

6. Ambiguities in Legislation: The Telecom Act’s vague language could extend its reach beyond telecom networks to the internet, impacting digital privacy. If applied to the internet, the Act could validate IT Rules, which have been challenged by WhatsApp for undermining end-to-end encryption, vital for private digital communication. The minister has clarified that online is not impacted, but the wording of the law opens it up to this kind of interpretation.

How do we fix this?

1. Take the internet out of the ambit of telecom surveillance
2. Bring in Parliamentary and Judicial oversight of surveillance agencies.
3. Create a structure of proportionality for surveillance
4. Enhancing Transparency: Mandating detailed reporting on surveillance orders and their rationale, and only a surveillance that is done under high threat perception of national security may be kept out of oversight of courts.

I don’t expect surveillance reform from the executive, but there is an opportunity that courts have, in terms of addressing the Pegasus case which has been pending in the Supreme Court for a while now.

Watch the show here: