A government’s defence of its indefensible conduct usually requires the citation of precedents created by other governments. Indeed, the Ministry of Home Affairs (MHA) did just that after issuing its outrageous order of December 20, claiming that it was in line with practices followed in the United States, France, Germany, the United Kingdom and Australia.
But context is everything in determining the motives for the authorisation of surveillance on an unprecedented scale and scope. This is the context: this order violates the Supreme Court’s recent rulings in relation to privacy and the Aadhaar project and specific rules governing the tapping of telephones of citizens, and comes in the wake of the Centre’s recent request for proposal (RFP) to sweep-surveil social media interactions. It also comes even as Parliament is to consider the Data Protection Bill and, an even more contentious piece of legislation, the DNA Profiling Bill. Thankfully, it comes after the Edward Snowden-WikiLeaks revelation that demonstrated to people worldwide that governments could break into any phone in the world. The only thing the MHA can now claim—perversely—is that it is catching up on the “best global practices” in the matter of snooping on its own citizens!
But the context in which the MHA order has come has another significant dimension too—its collusion with non-state actors. And, with elections just round the corner, who would have the courage to dismiss the possibility of a public-private partnership of sorts to further a sectarian political agenda of the ruling Bharatiya Janata Party (BJP)? As the Facebook-Cambridge Analytica scandal demonstrated shockingly, it was possible for such a collusive enterprise to harness citizen data to further the cause of specific political formations or even determine outcomes of elections such as in the U.S. in 2016 and the Brexit vote.
The order allows the Centre to arm-twist non-state players, specifically corporations with access to user big data such as Google, Facebook and Microsoft, and computer and mobile hardware manufacturers and service providers to part with data on both the Internet and Internet-connected devices that should normally remain private and secure. In effect, the might of the state is being used not to protect any legitimate state interest (against terrorism, etc.) but to make private companies part with data in their domains. What makes this truly scary is the ominous possibility that this is being done not to protect the state but to further the interests of a political party that now holds the key to the state apparatus.
Facebook-Cambridge Analytica scandal
Over the last decade, data science has evolved in terms of the statistical techniques it uses, the deployment of technology tools and the ever-growing areas of their application. The explosive growth in the use of more convenient, cheaper and more capable devices is what has made social media all-pervasive. This, in turn, has made large data sets available for scrutiny for those who wish to profit from targeted advertisement revenue or, in a more sinister context, tailor the content to suit the needs of a specific audience.
Specifically, political parties and governments have realised that they can understand the mindset of the people since smartphones and apps that run on them provide their creators detailed and granular data on who their users are, what they do and what is the nature of their social networks. In short, they allow them to take a peek at the nature of the real “humans” comprising a particular social network. Cambridge Analytica Ltd was a British firm, partly owned by the American hedge fund manager Robert Mercer, that specialised in predictive analytics and behavioural sciences for political and commercial purposes. Investigations revealed that Cambridge Analytica had illegally harvested the data of more than 87 million Facebook users through a Facebook app, and using this data, it was able to analyse the behaviour and habits of users, understand the type of opinions they were expressing, and predict the type of messages that would influence them. The data from this leak were used by the 2015 and 2016 campaigns of Donald Trump and Ted Cruz and in the Brexit campaign.
The scandal came to light when the whistle-blower Christopher Wylie—who was research director of Cambridge Analytica working with Aleksandr Kogan, an academic at Cambridge University, to obtain the data from Facebook—said that the Cambridge Analytica system had the ability to profile individual voters to target them with personalised political advertisements. Facebook CEO Mark Zuckerburg was forced to apologise for the data breach and was also called to testify before the U.S. Congress. In order to prevent future misuse of user data, Facebook has decided to implement the European Union’s General Data Protection Regulation (GDPR) in its operations all over the world.
According to reports, in India, both the BJP and the Congress used the services of Cambridge Analytica to analyse the mindset of Indian voters and methods to influence them for the 2014 election. Cambridge Analytica and its Indian partner, Oveleno Business Intelligence (OBI) Private Limited, were in talks with both the BJP and the Congress for the 2019 election. Amrish Tyagi, OBI CEO and son of senior Janata Dal (United) leader K.C. Tyagi, provided professional services to the JD(U)-BJP alliance in the 2010 Bihar elections and then worked with the BJP in Uttar Pradesh in 2012.
Corporations with access to user big data have already been using these techniques to intimately understand users and improve their services or provide targeted services to each user or ensure that advertisements are specific to usage patterns. This departs from older and less-reliable models of data collection and sampling, which involved door-to-door surveys and more expensive generic advertisements over mass media.
Internationally, corporations are being forced to implement the GDPR. With the Data Protection Bill based on the Justice B.N. Srikrishna Committee Report being stalled in Parliament, and important elements in it being watered down, India remains a ground for social media user data misuse. An RFP for a social media communication hub by the Information and Broadcasting Ministry had a paragraph that stated: “How could the public perception be moulded in positive manner for the country, how could nationalistic feelings be inculcated in the masses, how can the perception management of India be improved at the world, how could the media blitzkrieg of India’s adversaries can [sic] be predicted and replied/neutralised, how could the social media and internet news/discussions be given a positive slant for India.”
The quoted paragraph is in effect a proposal by the BJP government for a mechanism to manipulate the users of social media. While the RFP for the social media communication hub was challenged in the Supreme Court and the plea subsequently disposed of as “infructuous” as the Centre stated that it had dropped its plans for the hub, the timing of this move ahead of the 2019 election has to be taken into consideration. With the BJP having won a thumping majority both at the Centre and having control in 21 of the 29 States in the 2014 election, it is at a loss to explain the its recent defeat in Rajasthan, Chhattisgarh and Madhya Pradesh. Cambridge Analytica and OBI were non-state entities offering to influence social media users using big data, but the social media communication hub proposal by the Indian government is an effort by a state actor to influence social media users.
In 2014, a research paper published by Cornell University, titled “Experimental evidence of massive-scale emotional contagion through social networks”, showed that Facebook secretly manipulated the emotional health of around 700,000 users by subtly increasing the number of negative messages or reducing the number of positive messages users saw on their timeline. The effects of this experiment were significant, though highly unethical, since Facebook did not inform its users of this experiment nor did it provide them with an option to opt out. The Facebook experiment shows that with appropriate manipulation of users’ emotions it is possible to manipulate their actions. In the context of the plea against the social media communication hub, Justice D.Y. Chandrachud stated: “If every single tweet or WhatsApp message is monitored, we will be moving towards becoming a surveillance state.”
Widening reach of surveillance regime
While the Congress-led United Progressive Alliance government introduced the Central Monitoring System, which is a forerunner for mass surveillance in India, and the fundamentally flawed Aadhaar system, the BJP-led National Democratic Alliance government took these systems, apart from others, to an entirely new level.
Until recently, the U.S. had telephone tapping rules similar to those in India and the U.K. However, in 2018, the U.S. Supreme Court in Timothy Carpenter vs USA , 585 U. S. (2018) read Fourth Amendment Rights into the Stored Communications Act and provided for judicial intervention if the government needed such data. In Carpenter vs United States , the U.S. Supreme Court held: “The government’s acquisition of Timothy Carpenter’s cell-site records from his wireless carriers was a Fourth Amendment search; the government did not obtain a warrant supported by probable cause before acquiring those records.” The Carpenter case overturned the principle that was laid down in Smith vs Maryland , 442 U. S. 735, 740 which stated: “The installation and use of a pen register, which is an electronic device that records all numbers called from a particular telephone line, by police does not constitute a violation of the ‘legitimate expectation of privacy’ under the Fourth Amendment of the U.S. Constitution because the numbers would be available to and recorded by the phone company anyway.”
In contrast to the Carpenter case, the MHA order, which focusses on devices and not just on the digital traffic flowing on the Internet, violates the procedures on searches and seizures as it does not specify probable cause and is an overt and brazen effort by the Indian government to conduct mass surveillance on the citizen. While this routine order has not conferred any new powers, it in fact activates the rules for digital surveillance that the Central government made in 2009. Further, the scope for tapping has been expanded to monitor every bit and byte that is created not just by specific individuals but by every single citizen of the country.
The overt effort by the Indian government to spy on its citizens may be contrasted with the covert effort by the Central Intelligence Agency (CIA) to spy on the citizens of the U.S. as shown in the Snowden-WikiLeaks revelations. In 2017, WikiLeaks released 8,761 documents showing that the CIA had left security holes in devices by Apple, Microsoft, Google and Samsung. Snowden claimed: “Any hacker can use the security hole the CIA left open to break into any iPhone in the world.” Certain models of Samsung Internet-connected TVs would appear to be off when in reality they were on and could record conversations in the room and send them back to the CIA. After these revelations, several companies ensured that the identified holes were plugged.
Legal experts who were associated with the #saveourprivacy campaign actively participated in the consultations with the Justice B.N. Srikrishna Commission and designed a draft Bill that would address the privacy concerns of citizens. Unfortunately, while the Draft Data Protection Bill proposed by this commission does not address the issue of digital surveillance, the watered-down draft Bill has been stalled in both Houses of Parliament.
To address such far-reaching concerns of Indian citizens from a techno-political perspective, the #saveourprivacy campaign collectively articulated a set of seven principles to guide the Indian privacy code. 1. Individual rights are at the centre of privacy and data protection; 2. A data protection law must be based on privacy principles; 3. A strong Privacy Commission must be created to enforce the privacy principles; 4. The government should respect user privacy; 5. A complete privacy code comes with surveillance reform; 6. The right to information needs to be strengthened and protected; and 7. International protections and harmonisation to protect the open Internet must be incorporated.
These principles, if implemented, will ensure that, while allowing the Indian government to curb terrorism, the Indian citizen is protected from unwanted intrusion by the state into the personal sphere.
In this context, the MHA order has to be viewed critically and in the light of the upcoming election. There is deep unrest among Indian citizens over various policies of the incumbent government. From the RFP of the social media communication hub, it appears that the incumbent government would like to project itself in a good light for the upcoming election and identify and drown out voices of dissent and, in this scenario, appears to be using the state intelligence apparatus to satisfy those needs. The government should desist from its efforts to use data science to study its citizens or try to either overtly or subtly influence them. A strong Indian privacy code based on the seven principles needs to be passed in Parliament so that the privacy of the Indian citizen is protected. The ill-thought-out DNA Profiling Bill need to be discussed in the public domain before it is passed in Parliament. All state-sponsored surveillance apparatuses needs to be brought under parliamentary and judicial review to ensure that their misuse is brought down to a minimum.
Vikram Vincent is a research scholar at IIT Bombay, Mumbai, and a volunteer with the Free Software Movement India.