The menacing march of a surveillance state
The draft Telecom Bill 2022 is yet another nail in the coffin of citizen rights. In its present form, it will make a complete mockery of our constitutionally guaranteed Right to Privacy
It has been a busy time for the government. On 28 October, it notified the IT Intermediary Amendment Rules 2022, which enable it to establish a Grievance Appellate Committee with powers to direct social media companies such as Twitter and Facebook to take down content. In recent months, it has also published new CERT-In (the Indian Computer Emergency Response Team) Guidelines, which require VPNs (virtual private networks) to record all customer personal data, and has put out the Draft Telecommunication Bill 2022, which will fundamentally change the way we access and experience the internet.
The combined impact of these laws will be to undermine and imperil privacy in communication over WhatsApp, Signal, Facetime and other internet-based messaging services; render the use of VPNs such as Tor ineffective (VPN use in India rose 671 per cent during the pandemic); expand the writ of the government to shut down the internet for arbitrarily determined reasons; lead to censorship on social media platforms; and enable the government and its agencies to take ‘temporary possession’ of any or all telecom services, such as Gmail or WhatsApp, Netflix or Jio. In effect, these new/redesigned laws, which the government will no doubt package as necessary in the interest of ‘national security’ and other such seemingly paramount objectives, will enable untrammelled censorship and surveillance and, by that token, erode privacy and free speech.
Draft Telecom Bill
The Draft Telecom Bill is perhaps the most dangerous of this spate of laws/draft laws published by the government. It is still technically open to revision following the ongoing public consultation on the bill—and one can only hope that it’s dropped—but why should one worry about it, especially considering it is not yet law?
The Telecom Bill consolidates three anachronistic laws: The Indian Telegraph Act, 1885; the Indian Wireless Telegraphy Act, 1933; and The Telegraph Wires (Unlawful Protection) Act, 1950—all of which govern the telecom sector. In consolidating the provisions of these laws, the government purports to introduce a legal framework “attuned to realities of the 21st century”.
The Explanatory Note to the Bill states that ‘the existing regulatory framework for the telecommunication sector is based on the Indian Telegraph Act, 1885’. The nature of telecommunication, its usage and technologies have undergone a massive change since the era of the ‘telegraph’. Given that ‘We now live in the era of new technologies such as 4G and 5G, Internet of Things...’, the country needs a comprehensive legal framework that reflects the nature and needs of 21st century telecommunication.
This is reasonable on the face of it. India, today, has a telecommunication ecosystem of 1.17 billion subscribers. The telecom sector employs 40 million people and contributes around 8 per cent to the country’s GDP. The Telecom Bill will govern all communication services—from instant messaging apps and network service providers to OTT platforms and smart TVs to wearable devices such as smart watches.
It’s quite plain that there are very many personal—and private—choices involved in who we speak to, what we share with them, what we watch or read on our internet-enabled devices, which stores we visit and what we buy… Among other guarantees, the ‘Right to Privacy’—incidentally a constitutionally guaranteed fundamental right in India—requires that our personal ‘data’ be acquired/ stored/ used (all with prescribed restrictions) strictly with our consent.
A citizen-focused Bill, even ‘for the 21st century’, must protect a citizen’s right to privacy, freedom of expression and equitable access to telecom services, especially on the internet. Instead, unfortunately, the Telecom Bill grants unfettered powers to the government and privileges commercial opportunities for a new digital economy over individual privacy; in so doing, it undermines a fundamental right Indian citizens have. Let’s examine some of its features to understand both the contours of the proposed new law and its ramifications:
If the Bill comes into force as it stands, all broadcasting services—voice mail, e-mail, mobile services, internet and broadband services, machine-to-machine communication services, internet-based communication platforms, instant messaging apps, video/ call applications that use the internet—will be brought within its fold. So, a host of OTT platforms such as Netflix, and internet-based messaging/ communication platforms like WhatsApp, Signal, Zoom etcetera—increasingly the default modes of communication for most users but currently outside the purview of telecom regulation—will fall within the new overbroad definition of ‘telecommunication’ and ‘telecommunication services’; they will also, by extension, be within bounds of invasive State scrutiny.
Return to Licence Raj
The Bill also grants the Union government the ‘exclusive privilege’ to ‘provide telecommunication services’, and grant a ‘licence’ to provide telecom services or operate telecom networks. Clauses 4(1) and 4(7) of the Bill further stipulate that the grant of a licence will be subject to terms and conditions including a mandate to identify the persons to whom it provides services.
These clauses, read with the expansive definition of ‘telecommunication services’, mark a return to the infamous Licence Raj. It will affect not just new-age tech behemoths like Alphabet (Google) or Meta (Facebook, WhatsApp) or Twitter and Signal, or Tata Play but also throttle open source innovation (Jitsi, for example). These companies will have to apply for a licence to operate in India.
Broadcasters may also be subject to additional government regulation, further undermining their independence. If the government has the power to give or take licences, it will be able to command and control telecom service providers and other intermediaries, a move that is already being reported on in some parts of the country.
Most apps (all apps that use the internet/ communicate with servers) will also need a licence to function—from Google Pay to Zomato to Ludo King to AirBnb.
The Bill also introduces disproportionate and excessive penalties for users who use services provided by an unlicensed entity (Clause 47 read with Schedule 3) and makes company officials personally liable for any offence that the company may be liable for under the Bill (Clause 48).
Violation of the Right to Privacy
The draft Bill also mandates all telecom service providers to identify every user of their service. This is a broad-sweep, excessive requirement, which fails to prioritise user safety and security, and is liable to be misused in the absence of a data protection law. It also gives short shrift to the idea of user anonymity and privacy.
Since the word ‘identify’ has not been defined, it is unknown whether telecom service providers will have to collect and store identifying information such as the Aadhaar number, phone number, address, demographic details etc. of their users. For instance, if a dating app designed for the LGBTQIA+ community (which, by virtue of being an instant messaging platform falls within the definition of a ‘telecommunication service’) chooses to operate in India, it will be mandated to maintain and disclose the identification information of all its users. What could be a more glaring violation of their privacy?
The new Telecom Bill is a clone of the antiquated colonial law (The Indian Telegraph Act, 1885) it seeks to replace. It relies heavily on the terminology used in the Telegraph Act. Clause 24(1) enables the government to take possession of unauthorised telecom networks or equipment and Clause 24(2) authorises the government to direct electronic surveillance on broad grounds. The Bill mimics but also widens the scope of Section 5 of the Telegraph Act, which only authorises the government to intercept messages through telegraph/ telephones as a part of the surveillance framework of the country.
‘End-to-end encryption’ is a highly valued feature of the new-age messaging platforms—it encapsulates the promise of a secure private exchange. What you share with someone on these platforms stays between you and the intended recipient—or so goes the promise. The explicit mandate to disclose user information on (government) demand, which will apply to these platforms if the Bill becomes law, threatens to make a mockery of this feature. Signal, a free, open-source, end-to-end encrypted messaging service, used extensively by vulnerable groups, dissidents, refugees, activists, lawyers and journalists, has asserted that it would rather leave a country than compromise on end-to-end encryption. Companies such as Signal, which prioritise privacy and security over commercial gain, are likely to leave India if the Telecom Bill is notified.
It is also worrisome that Clause 24(1) allows the government to take temporary possession of ‘telecommunication equipment’, which can be interpreted to include phones, tablets, watches, TVs, laptops etc. There is worry that the government is empowering itself to search and seize our personal mobile devices on the occurrence of any ‘public emergency’ or in the interest of ‘public safety’. Since public emergency and public safety have not been defined, the government is vested with the discretion to conduct a search and seizure.
Clauses 24 and 25 of the Bill confer discretionary powers on the government to suspend or intercept telecommunication services without any restraining provisions to prevent misuse. Clause 25 even has a residuary clause that grants the government power to ‘take any action that the central government deems expedient… in the interest of national security’.
The usage of vague, freely interpretable terms such as ‘public safety’ and ‘emergency’, and the absence of any accountability or judicial oversight of the government’s power to surveil its citizens must be re-examined. Left to the Executive and its whimsical interpretation of what constitutes an ‘emergency’ or ‘public interest’, we risk indiscriminate tapping of phones, interception of private communication on messaging platforms and more internet shutdowns, not to even mention the chilling effect all this might have on free speech.
If the Telecom Bill is really, as the government claims, about a comprehensive legal framework that reflects the nature and needs of 21st century telecommunication, it must account for citizen concerns about the safety and privacy of their telecommunication, even as it tries to build in legal protections for all business interests in a growing digital economy. Far from promoting the kind of forward-leaning technological innovation we need for this century, the present Telecom Bill will only facilitate government surveillance, undermine privacy-enabling security features such as encryption, and take us several steps closer to a panoptic State.
What we need instead is a thorough re-examination of the entire surveillance and security apparatus in the country by all actors—the Executive, the Judiciary, the media and citizens. We need to urgently introduce a citizen-focused data protection law that protects citizens’ constitutionally guaranteed right to privacy, especially from a panoptic State.