The recent invalidation of the EU-US Privacy Shield has led to major speculation regarding the surveillance regime in countries other than the United States of America. Even though India is taking baby steps in developing comprehensive data protection legislation coherent with the General Data Protection Legislation, the personal data of Indian citizens is still not adequately protected. The Information Technology Act fails to provide a satisfactory level of protection as the drafters could not have contemplated the number of ladders that personal data has climbed in terms of its wide array of utility.

To top this inadequacy in the regime of data protection, the surveillance mechanism in India has often been overlooked for its subtle approach. The system of surveillance operates without making people aware that their rights to freedom of speech and privacy are jeopardized in order to serve the more important “security concerns” of the country. Censorship through the criminalisation of online speech and social media usage is troubling, especially when it affects legitimate political comment or harmless content. The two major surveillance programs in India operate through the Central Monitoring System (CMS) and Netra. In an attempt to protect our personal data from hackers and cyber attackers, we are induced to bank upon the government to do the same on our behalf. This article shows how the Indian data governance structure is inadequate in preserving the informational privacy rights of citizens. Furthermore, it raises the question of whether these two surveillance programs will become a major privacy concern in the long run.

CMS: Constitutional or Infringing?

The existing Information Technology Act and the rules are considered barely adequate because they primarily focus on electronic commerce. Data protection is not viewed as an essential agenda of the statute, thereby raising several questions about the citizens’ rights over their personal data. Additionally, the government has tried to develop various models to monitor virtual activities of the people to further push their selfish surveillance objectives.

Central Monitoring System (CMS) is a heavily funded and well planned government spying project intended to intercept and monitor internet activities by tapping into call data records. Its implementation without giving the public an opportunity to voice their opinion was not in conformity with the country’s data protection structure. This was viewed as a response to cover up the massive intelligence failure which led to the traumatizing Mumbai terror attacks in 2008.

The setup garnered public trust in its initial phases of implementation as it largely seemed to revolve around the principles of “necessity” and “proportionality”. The potential spaces that it could infringe upon and the immense damage it could cause were something people failed to foresee. Firstly, being built upon Rule 419A under Section 5(2) of the Indian Telegraph Act, CMS intended to intercept metadata, in that it would only have access to what an individual does rather than what an individual says. It would store the phone numbers of the calling parties, the duration of the call, and the time and date of the call, but not the content.

Secondly, CMS mandated telephone service providers (TSPs) to incorporate Interception Store and Forward Servers along with the already existing Lawful Interception System, which had been deployed by the Centre for Development of Telematics for monitoring Internet traffic, emails, web-browsing, Skype and any other Internet activity of Indian users, without public knowledge. The authority painted this as a mere attempt to shift to automatic processing. However, this eliminated the role of TSPs in examining requests which meant that the law enforcement agencies would have direct access to records without even notifying the TSPs. The procedure conveniently ignores the chain of command by circumventing its way past proper scrutiny generally done by the nodal officers of the service providers.

Since this was a development which occurred well before the landmark Puttaswamy judgement[i], the implementers could be forgiven if they could bring about enhanced transparency and accountability in the entire process. Bulk surveillance of data goes against the very principle of the fundamental right to privacy. Sections 69, 69A and 84A of the IT Act have been used as tools to enhance the government’s surveillance schemes, negating the individual rights of people. This perfectly reflects how the inadequate protection afforded by the IT Act in India has eventually led to unwarranted breach of citizens’ data.

In a world of GDPRs and Personal Data Protection Bills, Section 5(2) of the Telegraph Act certainly seems prehistoric and irrelevant. The IT Act, along with the interception and monitoring rules of 2009, adds more confusion as it permits the government to intercept, monitor and decrypt data to preserve national interests under the pretext of “security”. This leaves enormous scope for the authority to misuse and arbitrarily use its power in electronic governance. Further, clause 35 of the Personal Data Protection Bill, 2019 gives enormous leeway to the government to impose a more vigilant surveillance regime without being answerable for the same. As the drafter of the Data Protection Report rightly pointed out, the provisions of the Bill have the potential to turn India into an “Orwellian state”.

CMS, backed by a ten-digit figure investment, certainly cannot be erased off the books without an improved substitute. Thus, the most viable option would be having a data protection officer or an authority to oversee the interception requests and changing the modus operandi from “bulk surveillance” to “narrowly tailored targeted surveillance”. Maintaining a log of data interception requests by an independent body, instead of the CMS authority, can also be a possible remedy.

NETRA: Are We Being Watched?

Developed by Centre for Artificial Intelligence and Robotics in 2013, Network Traffic Analysis (NETRA) was implemented to provide intel to the law enforcement agencies. While CMS only intercepts telephonic metadata, NETRA’s scope is beyond proportion. It has the capacity to monitor all kinds of text based messages including Facebook posts, e-mails, blogs and even suspicious voice notes circulated through Google Talk Services. It serves three security agencies – Cabinet Secretariat, Intelligence Bureau and RAW. However, the memory space is limited to 300GB for these three agencies while an additional 100GB will be provided to other law enforcement agencies.

The issue with a surveillance mechanism like NETRA is three-fold. Firstly, it uses keywords to intercept communications using words such as ‘terrorist’, ‘attack’, ‘bomb’, ‘blast’ and likewise. The major concern with such identifiers is that even regular conversations are monitored as terms like ‘attack’ and bomb emoticons are often used to convey a different meaning. For instance, the word ‘attack’ might be used to candidly discuss football strategy with friends or the word ‘kill’ might be used by a professor to convey how antibiotics kill bacteria to their students. However, this does not signify consent to the government to intrude into personal chats and voice recordings of the concerned person.

Secondly, using discriminators or filters to track messages in order to ward off risk of cyber warfare or terrorist attacks might sound subtle but it makes the process of evading scrutiny by cyber attackers and terrorists simpler. This scheme can be used as a trap to create unnecessary panic within the society and divert attention of intelligence agencies to something rather trivial. Terrorist outfits have always used coded words to execute their plans perfectly. Having a list of keywords would actually prove constructive to their strategy formulation.

Further, Section 84(A) of the IT Act empowers the government to prescribe the modes and method of encryption for secure use of electronic medium and simplifying e-governance. This essentially means that the government can monitor conversations by asking the data processors to use a weaker encryption model. It would be lucrative for emerging data processors as this mechanism would significantly reduce their costs. This would also ensure government backing to the processors as a weaker encryption standard would eventually trim down government expenditure on decrypting messages.

NETRA deals with several gigabytes of personal data but whether it has been useful in actively protecting the country is a question that remains unanswered. Section 69 of the IT Act provides leverage to the government to deploy surveillance measures. It empowers the government to intercept, decrypt and monitor information generated, transmitted or stored in any computer resource under various situations, such as in the interest of the safety and integrity of the country and maintaining cordial relations with foreign states, amongst others. The scope of enforcing this provision is extremely wide and leaves massive room for it to be misused. Consequently, data processors like WhatsApp and Signal have policies in place which allow them to supply any information that the government asks for, pursuant to legal requests. Legal requests should ideally come in the form of a court order[ii] but the specified provision may also be implemented through an executive command if the need arises.


The two legislations regulating CMS and Netra are the Indian Telegraph Act and the Information Technology Act, respectively. The drafters of these legislations failed to contemplate the privacy issues pertaining to storing and processing of personal data. Right to privacy was not a fundamental right when the legislations were drafted and even the amendments have failed to provide adequate protection to the data subjects.

It was decided by a majority in K.S Puttaswamy that the ‘compelling state interest’ test should yield to the ‘legitimate state interest’ test when it comes to intrusion of privacy. The legitimate state interest has to be effectively complemented by the rational or suitability stage, that is, the process initiated must be rational and reasonable. Further, the mode adopted by the government to track data has to be the one which is proportional to the goal pursued. In the present context, CMS and Netra can be portrayed as necessary instruments to preserve the security of the State, but under no circumstances can they be affirmed as the “least intrusive” mechanism for infringing privacy rights under Article 21 of the Constitution.

CMS and Netra are extremely threatening to the fabric of the Indian democracy. Provisions like Section 5(2) of the Telegraph Act and Section 69 of the IT Act only point towards a growing structure of mass surveillance within the country. Bulk surveillance regimes have failed to prove their constitutionality even in the most advanced economies like China and USA. Thus, India should work out a way to provide adequate protection to citizens’ data before seeking to enforce interception and monitoring techniques citing national security obligations.

[i] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.

[ii] Shreya Singhal v. Union of India, AIR 2015 SC 1523.

This article has been written by Arnab Chakraborty, who is a third year BBA.LLB student at National Law University Odisha, India. He holds keen interest in the developments occurring in the field of data privacy across the globe.