Telecommunications Bill 2023: State-Sponsored Surveillance of Citizens?
National Security, Right to Privacy and America's Surveillance Program
On Monday (December 18), the Union Minister for Electronics and Information Technology Sh. Ashwini Vaishnaw introduced the Telecommunications Bill, 2023, in Parliament.
The term “Telecommunications Bill” generally refers to a piece of legislation that addresses issues related to telecommunications, which includes telephone, internet, and other forms of communication using electronic devices. Telecommunications bills can cover a wide range of topics, such as the development, expansion and operation of telecommunication services and telecommunication networks; assignment of spectrum; and matters connected therewith. The new Bill was introduced in Parliament to replace the outdated Indian Telegraph Act, 1885, the Indian Wireless Telegraphy Act, 1933, and the Telegraph Wires (Unlawful Possession) Act, 1950.
The Question of Privacy!
While the Telecommunications Bill 2023 contains several provisions to improve the management of telecommunications infrastructure and services, one particular provision has sparked concerns regarding its potential impact on the privacy of the nation's citizens.
On pages 9 and 10 of the bill, there is a provision that grants the Indian government the authority to take over telecommunication services in certain circumstances. These circumstances include emergencies, national security interests, and the integrity and defense of the state. The bill also states that the government can stop a message sent by the sender from reaching the receiver for the sake of national security. However, the provision lacks specific details about what actions the government can take after assuming control of telecommunication services. Does the lack of clarity in the bill raise questions about whether the government would engage in surveillance of citizens? What kind of data collection would be involved if the government were to take over telecommunication services? Let’s discuss.
20(1): This part of the bill says that in case of a public emergency or for public safety, the Central Government or State Government or any officer authorized by them can take certain actions if they believe it is necessary. These actions are meant to protect the sovereignty and integrity of India, the defense and security of the State, maintain friendly relations with other countries, keep public order, or prevent people from encouraging others to commit crimes. The government can take these actions after following the rules and safeguards that will be decided later, and they have to give reasons for their decision in writing.
21(f): This part of the bill says that in the interest of the National Security or in the event of War, the government can take control of or stop the operation of any or all telecommunication services or networks. This means the government can temporarily manage these services itself or give the authority to manage them to a specific government body.
What’s the Problem?
The government has written very specifically about the circumstances in which it will take over the services of telecom companies, but many intellectuals are comparing the bill with America's Patriot Act and the United Kingdom's RIPA Act. Their argument is that the same circumstances are written into the Patriot Act of the United States and the RIPA Act of the UK, under which the government can conduct surveillance on the users of different telecom companies, but after Edward Snowden's leak it was revealed that even in peacetime the UK and US governments were misusing these acts and running a domestic and global mass surveillance program.
The concerns of these people are not completely wrong because similar privacy concerns have been raised in other countries where government surveillance laws have been used in the name of national security. For example, in the United States, Section 215 of the USA PATRIOT Act was used by the National Security Agency (NSA) to collect metadata from telecommunications companies like AT&T and Verizon. This metadata included information such as the duration of calls, phone numbers involved, and call locations. While these measures were justified as necessary for national security, they sparked a debate about the balance between security needs and individual privacy rights.
However, under Project PRISM, the US government’s National Security Agency (NSA) was collecting private electronic data, including emails, chat logs, and other types of online communications, from major technology companies such as Google, Apple, Facebook, Microsoft, and others.
Similarly, in the United Kingdom, the Government Communications Headquarters (GCHQ) used the Regulation of Investigatory Powers Act (RIPA) to tap fiber optic cables. After tapping fiber optic cables, the UK's GCHQ reportedly collected various types of data. This data included internet traffic, email contents, and metadata (information about communications, such as the sender and receiver's addresses, the time and duration of the communication, and the type of communication). The collection of this data was part of broader surveillance programs aimed at gathering intelligence and this was done under the pretext of national security and safeguarding the country's interests. However, such actions also raised concerns about the scope of government surveillance and the protection of privacy rights.
If you read the UK’s RIPA Act carefully, words like "in case of emergency", "in the interests of national security", "for the purpose of preventing or detecting serious crime" have been mentioned many times in it.
Despite there being no such circumstances, the UK government, in collaboration with the US’s NSA, was making a mockery of the “right to privacy” by tapping fiber optic cables and collecting users' private data under Project TEMPORA.
The Need for a National Cyber Security Strategy
The need for a robust cybersecurity strategy in India has never been more urgent, especially considering that 1 out of every 3 Indians has been impacted by a cyber attack. Despite being home to one of the world's largest populations, the absence of a national cybersecurity strategy is glaring. The lack of a comprehensive cybersecurity framework raises concerns about the country's readiness to combat cyber threats effectively. It is crucial to ask the government why, despite having the largest population, India does not have a national cybersecurity strategy in place to protect its citizens and digital infrastructure.
China is our biggest enemy, but we have neither the resources nor the capability to counter Chinese cyber attacks and give a befitting reply to them. Be it the PLA’s Strategic Support Force or the CCP’s state-sponsored hackers, China today has the capability to fight a full-blown cyber war even with countries like the United States of America. But it is sad to say that India's big cyber security plans remain stuck in long bureaucratic hurdles or procedures.
Be it stealing top secret documents and prototypes from American private defense contractors, infiltrating the US's domestic networks, or penetrating the US's big tech firms, China has done it all. Read about Operation Aurora.
Will we be able to stand up to a global cyber power like China with such poor cyber security infrastructure?
The Government of India needs to partner with private cyber security players to ensure the security of the country's cyber borders. The government also needs to eliminate government entrance exams and long hiring procedures and create a firm and system in which talent can be placed on the basis of skills, so that they can work for the cyber security of the country. We can learn a lot in this domain from countries like the United States and Israel.
Conclusion
In light of these concerns, it is crucial for the Indian government to provide clarity and transparency regarding the provisions of the Telecommunication Bill of 2023. Clear guidelines should be established on when and how the government can take over telecommunication services, what actions can be taken afterward, and how individual privacy rights will be protected.
The main thing is that the government has not given any clear definition of “Interests of National Security” in this bill. It does not mention what the circumstances under “national security” would be in which the government can intercept users’ messages, and this is the most shadowy term or word in the entire bill.
There is no doubt that we need such rules or laws for emergencies, but the balance between national security and individual privacy rights is a delicate one that requires careful consideration. The government should give a specific definition and circumstances for every word in every important bill.
Just as Western governments have been misusing the rules made for the safety of their own citizens and their national security, what assurance can the Indian government give to its citizens not to do so? I know that there is little awareness about all these things in India, and that's why most people are not talking about such a big issue today. However, being a responsible and aware citizen of my nation and a cybersecurity professional, it's my responsibility to ask these questions to the government and make you aware.
Thank You @poorvam_tomar