We take a lot of things for granted online. At the same time, for the most part, we tend to leave our ideals conveniently offline. How rational is it to have a different set of values and principles when looking at everything through the prism of Internet? How do we preserve and protect our democratic values online? We discuss all this and more with Bhairav Acharya, a constitutional lawyer based in Delhi and Bangalore, especially interested in free speech and privacy issues. He practices law in the Supreme Court of India. The views expressed in this interview are his own.
Digit: For a regular citizen, what is the free speech and privacy situation in India? How does it differ from other countries such as the United States, for better or worse?
Bhairav: This is a very relevant question; let’s first deal with free speech and then with privacy. While political criticism is allowed, India criminalises many kinds of speech that are allowed in other democracies. Thomas Macaulay, who drafted the Indian Penal Code in the mid-1800s, believed that Indians were irrational and prone to religious excitement. Unfortunately, this condescending stereotype appears to have been prophetic. While all mature democracies allow and constitutionally protect offensive and insulting speech, India still convulses each time a film or book merely examines issues such as religion, caste, or culture.
Online speech has received even heavier censorship. Ordinary citizens have been arrested simply for liking Facebook posts or voicing other harmless opinions, such as the two young women who questioned a Mumbai bandh. There is something morally unsound about a nation that uses its law as a weapon to harass artists and writers and students. This is unlike the US, which strongly protects the free speech rights of its citizens, including the right to burn the national flag, sexually depict religious symbols, or non-violently insult a community.
India also does not have laws to properly protect privacy. Look at telephone tapping, for instance. Instead of an independent and neutral authority, a senior bureaucrat orders a phone tap and a committee consisting of more bureaucrats is supposed to review this decision. There is no external oversight, unlike other democracies where both national security and citizen’s privacy is better protected. This farcical situation derives from an 1885 colonial law which has not been properly reformed. As you can imagine, privacy is the first casualty.
Digit: The government is rolling out the Central Monitoring System (CMS) for telephone tapping and NETRA for Internet-based surveillance on the ground of ‘national security’. Do such programmes have any oversight to prevent violation of individual rights and subversion of the Indian Constitution?
Bhairav: As long as the CMS is merely an automation of the existing targeted telephone tapping procedure, there is nothing wrong with the project itself. The problem is that the telephone tapping regime in India as a whole needs to be changed. For instance, in the US, a wiretap warrant is only issued by a judge after the government meets certain minimum legal standards. In India, the order is issued by a senior bureaucrat who is not a judicial authority but is allowed to interpret the law. In the UK, which also gives the tapping power to a government official, the tapping order is subsequently audited by an independent commissioner who reports to their Parliament, and the tapping order can also be reviewed by a quasi-judicial tribunal. In India, the only review mechanism is an informal group of further bureaucrats. A recent RTI request revealed no records of the meetings of this review group.
There is a difference between targeted surveillance and mass surveillance, the former is against an individual while the latter is against an entire population. If newspaper reports (quoting an unnamed government official) are to be believed, NETRA is a secret project to conduct mass surveillance of the Internet activities of all Indians. If this is not case, the government should explain NETRA through a parliamentary statement. Assuming the worst-case scenario is true – and I sincerely hope that it is not – NETRA can be used to analyse all traffic flowing through ISP nodes to monitor the all Internet activities and communications. Personally, I hope that NETRA will also be a targeted mechanism that will follow the procedures set out in the IT Act. However, like the telephone tapping regime, the Internet monitoring regime also suffers from broader flaws that need to be rectified before large-scale projects like NETRA should be permitted to function.
Digit: As the Internet slowly becomes indispensable, how are the authorities (particularly the law enforcement and judicial system) adjusting to this new reality? And how are they safeguarding our rights?
Bhairav: The answer to this question is very worrying. Sadly, there is no understanding of how technology is changing the nature of governance and crime. In a recent corruption trial in Delhi, the magistrate and court staff did not know how a digital voice recorder, which had captured the allegedly illegal transaction, functioned or how the data was transferred to a CD. If this happens in the national capital, the future of evidence law is bleak. There is also a childish understanding of cyber-crime that comes into play whenever the Internet is used to coordinate crime, which nowadays is quite common.
From the police to government officials to judges, there is only an amateur-level understanding of basic concepts of the Internet. We see manifestations of this each time entire top-level domains are blocked instead of specific sub-domains because the relevant officials failed to provide deep links. Our law, too, reflects this inexperience. In my opinion, many provisions of the IT Act and several IT Rules appear, prima facie, to violate the constitutional requirement of fairness and non-arbitrariness.
Digit: In a healthy democracy, there can be no rights without responsibility. As an Indian netizen of the 21st century, what are some of my rights and responsibilities online? What should I accept and reject when it comes to maintaining online freedom?
Bhairav: I think the basic principle to demand is this: whatever is legal or illegal offline should be similarly legal or illegal online. In India, this simple principle of equivalence is not followed. Hence, in the case of section 66A of the IT Act, communications that are annoying and inconvenient invite jail terms simply because they were sent using a computer. If we were to go about punishing inconvenience, I think most of the country would find themselves locked up. We must follow the principle of equivalence which extends our regular rights and responsibilities to the Internet.
Digit: Online censorship has been a hotly debated issue in the recent past. What are your observations in this regard?
Bhairav: The Internet has tremendously democratised knowledge; and, like all communications platforms, it can also be used to commit crime. The way forward does not lie in restricting and censoring the Internet, but in understanding how it functions to be able to intelligently address crimes. Take, for instance, the law of website blocking. Like the banning of films or books, website blocks should be seriously studied. Instead, the law permits websites to be blocked in secrecy, even the user who generated the content is unaware of the block. Neither an opportunity to be heard is provided nor an avenue for appeal. This sort of censorship is authoritarian and completely inconsistent with democratic values.
But, as I said earlier, I think the fundamental problem is both societal and legal. As long as we censor books and films and music and art that some people do not agree with, we are allowing fringe outfits to impose their views on the whole nation. The problem of intolerance in India afflicts all religions and communities, and for too long the free speech rights of the many are hijacked because of the fundamentalism of the few. We must understand that we should not have a right not to be offended. The law should not be invoked each time someone says something we do not like. Getting offended is a part of multicultural democracy; we just have to deal with it.
Bhairav Acharya, Constitutional Lawyer at Supreme Court of India, with a keen interest in all matters concerning free speech and privacy issues.
Digit: Is hacktivism a nuisance, gimmick or something that’s worthy of people’s time and effort?
Bhairav: This is an interesting question and, at the outset, let me confess that I do not think I can give you a full answer. If you compare hacktivism to street protests, then it should be allowed – even encouraged – as long as it does not impede the rights of others. So, for example, DOS attacks that prevent others from accessing a service are as condemnable as bandhs that prevent normal people from working. However, all democracies must allow protest, and hacktivism is a form of protest. The answer lies in finding a balance that is not coercive. The most common legitimate democratic restrictions on public protests are with regard to the time and place of the protests. Maybe something similar could be formulated for hacktivists?
Digit: In a post-Snowden world rife with cyber-terrorism, can ultimate privacy really be achieved? What is ultimately at stake here and what are some of the acceptable compromises of rights at an individual level in light of this new reality?
Bhairav: As long as humans are social beings, ultimate privacy cannot be achieved. For me, the objections to the Snowden revelations were not about the lack of ultimate privacy, but about these two issues: (i) that mass surveillance is being conducted on a global scale, and (ii) that many surveillance programmes are illegal. There are two ways to respond to this. First, as an individual, I feel that these violations of my privacy by various intelligence agencies are too intrusive to be justified on the ground of counter-terrorism because I have never displayed even the slightest interest in engaging in violence. I think privacy invasions must be supported by some basic facts or reasonable suspicion. Second, as an Indian, I am alarmed that my government, which is usually very quick to take cover under the national security umbrella, has been caught napping and that its communications – far too many government officials use commercial US email service providers such as Yahoo or Gmail – have probably been intercepted.
Many people ask: if you are not doing anything wrong, then why object to surveillance? This is a logically fallacious argument. Privacy is not about concealing your illegal acts, it is about protecting your dignity and intimate acts from others. Most people do nothing wrong in their bathrooms and bedrooms, would we consent to strangers watching us through cameras in our intimate spaces? Our emails, Internet activities, telephone calls and so on are similarly private and should be protected. But, since we live in a community and we have elected a government to provide us security, we should indeed be prepared to suffer some surveillance. However, this surveillance should be supported by some credible reasons, and it should be audited by an independent third party. Surveillance is power and, as we know from the popular saying, absolute power corrupts absolutely.
Digit: Can people sue online companies for breach of private data? What are the means of going about doing that?
Bhairav: India does not have uniform laws to allow people to take legal action for the breach of private data. In respect of certain kinds of financial information, the RBI has issued directions to banks and financial institutions on how to appropriately process this information. However, for most other kinds of personal data – such as those we routinely submit online – there is very little law to enable legal proceedings for breach. In 2011, some rules were issued to protect some forms of personal data; but they were extremely poorly drafted and ultimately the government had to issue a clarificatory press release (which was itself controversial because the government is not allowed to interpret the law via press releases).
At this moment, India urgently needs a law to protect the privacy of personal data. This law should apply to the state and to private parties alike. Those companies or government departments who collect personal data (‘data controllers’) from ordinary people (‘data subjects’) should be held accountable for the manner in which they process this data, their security and anti-breach measures, their decision to outsource the data to others (‘data processors’), their disclosure of the data, and other similar requirements. Data subjects should have enforceable rights in law, including clearly specified monetary amounts they may receive for data privacy violations.