Just a few days ago, Delhi police was reported to have issued a global tender to acquire an internet monitoring system. The system, it claims, would enable it to track and intercept emails and chats of suspected terrorists and other criminals. The Intelligence Bureau and the National Investigation Agency already have such systems, which bypass the need for law enforcement officials to obtain internet protocol (IP) addresses from internet service providers (ISPs).
While the police assert that such surveillance would only be carried out after obtaining permission from the home secretary – an assurance meant to satisfy the likes of you and me that our Facebook indiscretions will not become a source of entertainment for some desk jockey — a monitoring system that tracks online activity of individuals as a way of information gathering opens up a can of worms in terms of what is, or should be, permissible behavior for law enforcement officials in fighting crime.
The brave new world of Web 2.0, or social media, brings with it a new set of questions on how far the nation-state can go to assert itself as the supreme authority in cyberspace. Is the internet an extension of the physical world and do those laws and limits apply to our online interactions, or is it a place completely divorced from the “real” world, such as it were, subject to its own rules of behavior and interaction? This push-pull has characterized much of the debate over the governance of the web, and new challenges to current law keep appearing as the pace of technological advancement outstrips the law, leaving most legal systems scrambling to respond to the likes of Facebook and BitTorrent. What legislation is put into place is rather hit-and-miss, with even the enforcement of laws specifically tailored to the internet proving to be difficult. The internet, after all, recognizes neither sovereignty nor territorial boundaries, which makes jurisprudence rather difficult to establish.
The communications revolution connects us and makes geography less relevant. The compression of time and space made possible by new technology enables us to connect with each other, to mobilize, to share information. But just as the real-time benefits of email and social networking can be used to organize by people protesting against an oppressive regime, those same tools can be used by terrorists, child molesters and other garden variety criminals. This presents a dilemma – should these modes of communication be monitored by law enforcement and intelligence agencies? If so, how far should such surveillance go? What oversight can civil society exercise over efforts to track people’s online activities? Is the right to privacy irrelevant in the face of threats to national security, or even more mundane crimes?
In some ways these questions are moot, because most governments already have some mechanism to surveil what people are doing on the internet. But those moves are contested, and the struggle to strike a balance between respecting an individual’s right to privacy and using the internet for information-gathering continues.
The latest iteration of Google’s voluntary transparency report, which details the number of government requests for user data and content removal the search giant receives, revealed that Google received more requests for user information from the United States government in six months than all wiretap orders issued across the nation the whole year. The number of requests for user information filed by Indian government and law enforcement officials was second only to their American counterparts, while France, Germany and the United Kingdom also made over a thousand requests for information between January and June this year. Google also said that it complied with more than half these requests, in whole or in part. Google is legally prohibited from revealing some government data requests, such as US national security wiretap and data requests.
This report is useful to understand the scope of government interest in the data gathered by service providers such as Google on their users, especially given that Google can hardly be the only internet company to receive such requests. Several countries have laws that let officials circumvent general legal procedure and subject users to warrantless surveillance – a case in point is the US’ 25-year old electronic privacy law, which allows the government to access emails and other content older than six months and stored on a third-party server (such as in the cloud). In the UK, the London Metropolitan Police have deployed a surveillance technology that can masquerade as a mobile phone network and allows officials to intercept communications, turn off phones and gather data on thousands of users. The London police also have software that allows them to track the digital movements of suspects and their associates -- in violation of data protection laws, perhaps, but the (il)legality of such an action remains murky, at best.
In India, regulations pertaining to data protection and privacy were largely absent and the right to privacy has developed more through precedent than specific legislation. The Information Technology (Amendment) Act, 2008, contains section 69, titled the “power to issue directions for interception or monitoring or decryption of any information through any computer resource”. According to the Act, the directive may only be issued when public safety is at risk or in a public emergency, and “high-ranking public functionaries” are authorized to issue such directives. But despite strict procedural guidelines, precedence suggests that admissibility of evidence is not affected by improper procedure, thus weakening the incentive of law enforcement to follow procedure.
But the role of digital evidence and electronic discovery in civil and criminal litigation is, in general, unclear, no matter the method through which it was obtained.
The consensus from government agencies across the world seems to be that the online world offers unparalleled opportunity to tackle crime. So, should it be kosher for law enforcement to gather potentially interesting or potentially useful data, or must they be required to present a specific case to monitor a person’s digital life? No government seems to have found the magic formula to ensure a balance between privacy protection and surveillance. Perhaps the best way to protect yourself is to treat all of your online information as public – if it’s really private, maybe it shouldn’t be online. After all, you never know who’s watching.