———————————–
Disclaimer :
The article “State: how does it monitor everyone & how much does it know?” is intended to provoke thought and discussion on the complex relationship between citizens and the state. It is presented for informational purposes only and does not constitute legal, financial, or professional advice. The views and opinions expressed within this article are solely those of the author and do not necessarily reflect the official policy or position of any person, group, or organisation.
The article does not advocate for or against any political party, ideology, or government. It is crucial to form independent opinions based on comprehensive research and analysis. This article is not intended to incite hatred, violence, or discrimination. Any such interpretation is strictly prohibited.
———————————–
The idea of someone knowing everything about you is impossible to accept. After all, no one likes to be spied on by anyone, let alone by a democratic institution sworn to serve the people. But it’s not an idea. It’s, in fact, the reality we live in. We ARE constantly observed, 24/7, 365 days a week, like guinea pigs in a lab, by State functionaries like CBI, National Bureau of Intelligence, SEBI, CCI, etc.
Note: The word ‘Government’, for the purposes of the article, should only be construed as State functionaries, not any political party/parties.
This situation warrants answers to some questions.
Why should the Government observe at all?
There are two reasons as to why people are observed. First, government agencies and institutions will become ineffective if they can’t monitor people. Second, because of what happened on 26th November 2008.
With respect to the first reason: Crimes like murder, insider trading, fraud, cartel, abuse of power & dominance, etc., can only be established if information like personal communication between people, the location of the person, device details, SIM cards/network details, etc., is available. If access to this kind of data is restricted for any reason, Investigative agencies (like the Central Bureau of Investigation), Regulatory bodies like (the Securities Exchange Board of India and the Competition Commission of India) and other policing branches of the government will essentially become toothless tigers.
With respect to the second reason, the incidents of 26/11, where more than 200 people were killed and at least 300 people were injured in a terrorist attack, depicted where the Government of India is lacking in identifying threats. In order to make sure there is NO repeat of the incident and to ensure that these kinds of threats are detected well in advance, it needed to create a large-scale surveillance network that keeps an eye on every person. Even if it means it impairs the freedom and privacy of the people it serves.
It’s a mix of two sentiments – for the sake of the larger good, one needs to do what needs to be done & it’s better to have it and not need it than to need it and not have it.
But the purpose itself doesn’t fully answer the question of how EXACTLY the Government spies on its people.
How does the Government observe?
Prior to 26/11, the Government of India (GOI) collected on people on a case-by-case basis – a Government agency / regulatory authority would only approach a public/private company if they needed to collect the data from the company. They did not have the right to gain the data, and the businesses never provided the data without adequately vetting the requests made by the concerned government agency. It was never after many delays and threats from government agencies that private companies shared the data. But all of it changed when 26/11 happened.
After what happened on 26/11, the Government of India wasn’t just interested in obtaining data on a case-by-case basis or collecting a few data points (each data collected on a person is referred to as a data point on the person). It wanted to collect real-time data on all the people present.
Real-time data includes real-time mobile phone location data, Internet data, telephone conversations, emails, chats, pictures, activity, etc.
Initially, prior to smartphones & 5G, it collected the data by forcing companies to provide the data. It made it mandatory for telecom operators and Internet service providers to provide data about real-time mobile phone location data, Internet data, telephone conversations, emails, chats, etc.
But later, after smartphones & devices came into the picture, it took a less aggressive approach to collecting such real-time data. It made businesses add just one clause in their terms of use & privacy policies. That clause is:
The wording of the clause may change across the policies. However, the essence remains the same – all the data of the person that is collected by the business will be transferred to the government when it asks for it.
Using the data it collected by mandating some businesses to provide the data and by exercising its right to collect data because of a clause in the businesses policy, it built large-scale surveillance networks like Central Monitoring System (CMS) & National Surveillance Grid (NATGRID).
Currently, these systems are being actively fed the data that the Government keeps on collecting and these systems are performing their job of monitoring for threats.
This leads to the following question:
How much does the Government know?
As mentioned before, the government and several agents collect information from businesses that provide services online. The businesses that provide the information to the government collect two types of data on the consumer – Personal and behavioural information.
Personal data includes a user’s precise geographical location, device information, contacts of the user, call log, microphone and all the content that is generated by using the microphone, all the recordings, access to the camera & the gallery, access to all the downloads and the files downloaded, access to the network that is connected (WiFi, Bluetooth, Mobile data), access to all media in the phone, access to notes, access to read notifications on the mobile and access to monitor the user’s activity on other apps (observe what the user is doing on the other app).
Businesses gain behavioural information by observing a consumer’s usage patterns. They embed machine learning algorithms into their services, which can instantly interpret the user’s behaviour and adapt the platform to their interests.
In essence, every piece of information that is about a consumer’s / person’s identity and every piece of information that is related to a person’s behavioural traits is gained by companies, which in turn is passed on to the Government and its many agencies.
This means that the Government knows if a person visits a new website. If a person registers in a new app, it knows. If a person visits a prohibited website, it knows. If a person speaks to another person for a specific period, it knows the entire conversation. If a person spends time in a particular app, conducting business or chatting with a person, it knows what the business is and what the conversation is. If a person goes on a date and clicks pictures, it knows. If a person invests in something, it knows. If a person walks outside a home and takes a lift with a security camera, it knows. If a person travels somewhere, it knows. If a person meets someone, it knows. If a person does something outside the established pattern, it knows.
Essentially, it knows everything and anything about a person. This leads to the following question:
What is the issue with the Government knowing everything?
The problem with the Government knowing everything is NOT that it violates privacy & freedom. Let me explain.
Every person has the fundamental right to freedom and privacy. But these rights are not in themselves absolute. The State (in this case, the Government) can keep reasonable and proportionate restrictions upon these two fundamental rights if needed. So, if a case comes in front of the Apex Court, the Supreme Court of India, this argument – To monitor potential threats and ensure the Government functions in the best way possible – is an argument that is more than likely to justify the Government’s act of violating the fundamental right to privacy and freedom. Because of this, the argument that the government collecting data on a user violates a user’s right to privacy and freedom falls flat.
The problem with the Government knowing everything is the the lack of effective enforcement agencies to act on the threats detected by the large-scale monitoring systems, the lack of transparency on this collection issue, the excessive amounts of data collected & the lack of safeguards to protect the transferred data.
Lack of effective enforcement agencies:
A surveillance system can only be considered to be working to its finest if it can detect the threat and stop the threat from ever seeing the light of day.
CMS, NATGRID & other large-scale surveillance systems are extremely great at monitoring. However, they still cannot identify the threat and protect the people.
Take the Kolkata Gang-rape murder. Clearly, because of the data collected by the government to feed into CMS & NATGRID, it would have been possible to identify the immediate danger to the person. But nothing was done to protect the 31-year-old doctor, who ten men brutally gang-raped her.
Lack of Transparency:
The Information Technology Act of 2000 (IT Act) & the new Digital Personal Data Protection Act of 2023 (DPDP) say that any Investigative Agency / Regulatory Authority / any government agency that wants to collect data can make such a request to the business & the business is prohibited from informing the user about the agency that is requesting the data, the time at which they are asking, the purpose of soliciting, and the extend of data sought.
Because of this, a consumer who provides the data to the business will never know when the Government asks the company for their data. If the collection is for legal purposes, as mentioned before, then there is no point in keeping things under the rug. By informing the consumer about the authority that is collecting the data, when they are collecting the data and what data they are collecting, at least the consumer’s right to know is respected. By prohibiting businesses from informing the consumers (Section 11 of DPDP), the consumer’s right to know is massively undermined.
Excessive data:
Because the data that these companies collect is extremely exhaustive, there is a transfer of excessive and unnecessary amounts of user data to Regulatory bodies, which is not essential for enforcement/monitoring purposes and which, if leaked or breached, makes everyone involved in that data transfer a victim.
For example, exhaustive data collected from apps like Among Us, Kindle e-books, Spotify / Apple Music or Starbucks, Hinge, IRCTC, Calculator, weather app & others are unnecessary for a regulator – either for enforcement or for monitoring purposes. If this data is leaked, it becomes an unnecessary issue for the user providing it and for the collector who was collecting it.
Lack of safeguards:
Because businesses are prohibited from spilling the beans, as per the relevant laws, no one knows how much data is collected, how such data is stored, and how effective those storage mechanisms are. Without detailed security & disposal mechanisms, the chances of consumers becoming victims of a data leak increase.
If the government knows everything, it might as well inform the people that it is getting to know everything, collect only relevant data, provide comprehensive measures to secure data transfer, storage and disposal and enhance the crime prevention mechanism to protect the people it is sworn to serve.
This leads to the final question:
Should the Government stop monitoring?
The answer to the question – should the Government & its agencies be restricted in their ability to monitor people is not easy. Constant surveillance indeed violates the fundamental right to privacy and freedom. However, there is a valid justification for the developed large-scale surveillance mechanisms. However, the ability to quickly prevent crimes is still questionable.
Perhaps it is too idealistic for a democratic Nation not to have some threat surveillance. Perhaps it is not ideal to collect data only upon a regulatory request. Perhaps it’s too problematic for the rights of an individual if a democratic Government spies on its citizens. Whatever it may be, one thing’s clear –
There’s no getting out of this.
As long as a business knows what a consumer does, the government knows what a person does. As long as the law (IT Act & DPDP) paves the way for developing surveillance mechanisms without informing the user about the data collection, the government gets the last say on a person’s privacy and freedom.
Welcome to Democracy – A prison where everything a prisoner does is monitored every day, constantly and continuously, regardless of whether they are protected or not.