The judgment talked of all such interceptions meeting the tests of “necessity, proportionality and due process”.
If the WhatsApp-Pegasus controversy wasn’t bad enough, Google’s report on 500 Indian citizens—out of a total of 12,000 worldwide—being the victims of attacks by government-backed bodies has, once again, brought the issue of government spying to the forefront. While the government has continued to sidestep the issue of whether it had bought the Pegasus software that was used to exploit a WhatsApp loophole to hack into the phones of various activists, the matter continues to be debated in Parliament and a parliamentary panel will try and get more clarity on the issue; for the record, the government has sent a notice to the Israeli firm to get more data on who bought the snooping software.
Pegasus set the cat among the pigeons when it said it only sold its software to governments; assuming this is true, though, it could still have been available on the dark net. And, even Google’s data from its Threat Analysis Group—TAG tracks more than 270 targeted or government-backed groups from more than 50 countries—may not be wholly accurate.
While it finds that the Indian government-backed bodies were intercepting a smaller proportion of Indian citizens than was happening in the US by US-govt-backed hackers—these are attacks on Google Drive, Gmail, and YouTube—the data looks a bit lopsided since it shows that there is less interception by governments in countries like China and Russia! Indeed, in the past, Apple challenged Google over its analysis concerning the monitoring of iPhones.
That said, there is a more fundamental problem that needs resolving—that of reconciling the needs of the government in terms of being able to spy on certain people with their right to privacy. As the Justice Srikrishna panel put it, the design of the current framework for tapping/hacking “lacks sufficient legal and procedural safeguards to protect individual civil liberties”. The tapping or hacking by government agencies is, right now, authorised by the Telegraph Act as well as the IT Act, but as Srikrishna pointed out, there aren’t enough safeguards at the moment.
There is, of course, an oversight mechanism within the government; the review committee is headed by the cabinet secretary and has the law secretary as a member, but as Srikrishna says, citing a recent RTI reply, the “review committee has an unrealistic task of reviewing 15,000-18,000 interception orders in every meeting, while meeting once in two months”; in other words, no matter what the government might say, the review process looks less than robust.
It is in this context that the Puttaswamy judgment of 2012 is critical. The judgment talked of all such interceptions meeting the tests of “necessity, proportionality and due process”. If a committee is clearing 15,000 interception orders, it is difficult to argue ‘due process’ is being followed. That is why, as Srikrishna suggests, India needs a law on interception that builds in checks like having a non-partisan committee examining the intercepts, why they were ordered, and what they revealed.
Such a process could involve a permanent parliamentary committee, with the data/findings not to be made public; another could involve a judicial committee or judicial members on this committee as well. If, for instance, those whose phones were hacked using the Pegasus software were unfairly targeted—say, by a government trying to be vengeful—there has to be some mechanism to punish those responsible.