, , ,

Earlier this year, ex-NSA contractor and whistleblower Edward Snowden revealed the industrial-level surveillance of private communications undertaken by the American government. One feature of the American surveillance program is what is known as “telephony metadata collection“.  Under this, all the details of phone conversations minus the actual content of the call – that is, the two numbers involved, the time and duration of the calls etc – are intercepted and stored in a vast database maintained by the National Security Agency. Later in the year, The Hindu revealed that the Indian government’s Central Monitoring System was doing something very similar (the technical details of how the two programs differ is not relevant at the moment, because CMS surveillance is at least as intrusive as NSA surveillance – and in actual fact, is more so). For details, refer to the CIS website here, and articles here and here.)

NSA surveillance was challenged on statutory and constitutional grounds by the American Civil Liberties Union, and the oral arguments took place today morning at the Southern District Court of New York. In what follows, I summarize today morning’s proceedings, because ACLU’s two core constitutional arguments – violations of the rights to privacy and free association – are fundamental constitutional rights in India as well (Article 21 and 19(1)(c)). Examining the constitutional debate in the United States, therefore, can help us understand precisely what is at stake – constitutionally – as far as the CMS goes.

(Caveat: I reconstruct the following from my hurriedly-taken courtroom notes. For a full account of ACLU’s written submissions, please refer to their website here).

As mentioned above, ACLU rested its claims on statutory and constitutional grounds. The statutory argument involved a detailed analysis of Section 215 of the Patriot Act, the likes of which do not exist (thankfully!) in India. The relevant statutory provisions in India are the S. 5 of the Telegraph Act, and S. 69 of the Information Technology Act (along with the 2009 Rules). So while ACLU’s statutory arguments are of limited relevance, it is important to underscore the following: S. 215 of the Patriot Act requires a relevance requirement before data can be collected. Similarly, the IT Act requires the government to be convinced that it is “necessary or expedient” in the interests of the security or integrity of the state etc. – a standard that permits at least a degree of judicial review. One of the arguments made by ACLU was, given that constitutional rights were implicated, the Patriot Act (and other associated legislation) should be construed a manner that preserved – and did not putatively violate – the rights of privacy and free association. That argument, of course, applies to India as well.

Another important takeaway from the statutory arguments was ACLU’s argument that a statutory authorization of individual, targeted surveillance operations did not amount to the massive dragnet operation that the NSA was carrying out. Both because of the sheer scope and because of its potentially limitless extension, mass telephony metadata surveillance could not simply be equated to an individual targeted operation, given that it raised a whole host of issues not ordinarily implicated in standard cases of surveillance. This is critically important, because the 2003 case of PUCL v. Union of India is taken to establish that S. 5, Telegraph Act permits surveillance in general. PUCL, however, did involve individual targeting, and therefore, ACLU’s arguments suggest the first important legal issue for us to consider: does the PUCL opinion legitimate CMS surveillance as well? If the answer is yes, then the potential consequences could be devastating – especially because, amongst the procedural safeguards mandated by the judges in that case, one is conspicuous by its absence: judicial authorization of surveillance. Even the United States, that has, over the past few months, come under sustained criticism for blatant privacy violations, has something called a FISA Court that is – admittedly, in ex parte proceedings – required to authorize surveillance before it can be carried out. The idea that government can carry out surveillance of citizens’ private data on a nationwide scale with a single-step legitimation process that involves no more than administrative review will have radical consequences for a number of important constitutional principles, not least the separation of powers.

However, as the ACLU’s constitutional arguments show, there is a strong case to be made out for the proposition that bulk surveillance does differ, not only in degree but in kind – from individual surveillance, and that therefore, PUCL does not hold the field. Let us therefore, now, turn to the Constitutional case.

ACLU’s first argument rested upon the Fourth Amendment to the American Constitution, that – inter alia – prohibits an unreasonable search. Two questions arise in an American fourth amendment enquiry:  first, has there been a search? And secondly, is the search reasonable? It is around the first question that the American Supreme Court has developed its privacy law jurisprudence. In Katz vs United States, it held that there exist “spheres of privacy” belonging to each individual, which government may not penetrate. What constitutes a protected sphere of privacy depends upon whether or not citizen have a reasonable expectation of privacy. So – as the US Supreme Court has held, for example, I do not have a reasonable expectation of privacy as I walk down a public road, but I do have a reasonable expectation of privacy within my own home. What constitutes “reasonable expectation” seems – largely – to be culturally determined.

Two questions arose with respect to the issue of “search” (i.e., scope of privacy). The first crucial point – that the judge made, and which the government argued – was that on one theory of privacy, the breach occurs not at the moment that the data is collected, but at the moment at which it is subsequently queried to reveal patterns of association. This would mean that the surveillance as such violates no privacy right. ACLU, on the other hand, argued that the very nature of the right to privacy was that it closed off certain spheres from governmental intrusion – and consequently, privacy was violated at the moment of penetration, independent of what was done with the data afterwards. The basic question, according to ACLU, was whether people had a reasonable expectation of privacy with respect to their phone records and the various associational inferences that could be drawn from them. The answer, it was argued, was an unequivocal yes, because of the very nature of metadata surveillance: sociologically – and this is a vitally important point –  it has been shown that a detailed enough metadata trawl can reveal as much information about someone as a straightforward content trawl. As ACLU’s lawyer argued, the government can know when you last called your doctor, your lawyer, your stock-broker, your pastor, your ex-girlfriend, and so on. Over time, a pattern of associational relations would build that would reveal huge amounts of information about your personal life – and surely that was a violation of a reasonable expectation of privacy.

The government also argued, by relying on precedent, that it had already been held by the Supreme Court that there was no reasonable expectation of privacy in phone records. ACLU distinguished the case by arguing that previously, the Court had only considered a specific, temporary targeting – whereas this was bulk targeting, and potentially limitless. This takes us back to our earlier point about the distinction between individual targeting and bulk targeting, which assumes specific importance in light of PUCL.

The second fourth Amendment question was whether, if there was a search (privacy intrusion), it was reasonable. The government argued that there was a compelling state interest at hand, that of counter-terrorism. Counter-terrorism was necessarily prospective in nature. It was designed to detect, disrupt and prevent future terrorist attacks. Consequently, what the intelligence agencies needed to detect was patterns over time and over different (phone) carriers. Such information or connections could not be known at the outset, which is why ACLU’s proposal – of only carrying out surveillance of individuals with known links to terrorist organizations – could not work (although many of these arguments were made in the statutory context, they are equally relevant for understanding the government’s definition of compelling interest). In responding to a question from the judge as to whether bulk surveillance was uniquely suited to achieve governmental objective, the government argued that no other mechanism was as timely or effective. Given all this, it was clear that by placing limits on what part of the data could be queried post-search, it was clearly a narrowly-tailored intrusion, and hence reasonable.

ACLU, on the other hand, argued that the government had produced no evidence to show that bulk surveillance was actually necessary to achieve the objectives of counter-terrorism. ACLU produced evidence to the effect that in most circumstances, a three-hop trail was enough. This is what a three-hop trail is: suppose you have a suspected terrorist, X. You place his phone under metadata surveillance. You then do the same with all the persons he contacts, then all the persons they contact, and then repeat the process once more (three steps). In any event, on the government’s own argument, the only occasions on which surveillance had actually led to a substantive outcome had been simple cases of one-hop.

Readers should now be in a position to recognize that our own fledgling privacy jurisprudence, evolved out of three cases, Kharak Singh v State of UPGobind v State of MP and R. Rajgopal v State of TN, and placed under the all-ecompassing rubric of Article 21, is utterly inadequate to deal with the complex issues raised by bulk metadata surveillance, or other forms of bulk surveillance. There are two questions of particular urgency: first, what is the philosophy of underlying our Article 21 right to privacy? If it’s something like the Katz standard, protecting zones or spheres of privacy from any intrusion, then the mere collection of records could constitute an infringement; pre-Katz law, on the other hand, which seemed to focus more on common law trespass, might not reach the same outcome. Gobind and Kharak Singh tell us nothing, being good, old-fashioned house-surveillance cases. In light of the sheer scope of CMS and government surveillance, this is a debate that must be had now. And secondly, once an infringement of privacy has been demonstrated, what burden of justification is placed upon the government? In today’s hearings, both sides seemed to argue upon a strict scrutiny standard: namely, that the government had to show a compelling state interest, as well  show that no less intrusive measure could serve that compelling state interest than the measure it had chosen (bulk surveillance). The question of whether or not strict scrutiny applies in India is a minefield that we cannot venture into now; but the basic question remains – given the amount of intrusion that the current surveillance system puts into place, what standard is government to be held to (I’m not here referring to the statutory burden under the IT Act, but the constitutional burden of justifying an infringement of privacy). Can the government simply claim deference from the Courts as long as it can demonstrate some reasonable relationship with its objectives of counter-terrorism, and others? Or must the government affirmatively demonstrate that bulk surveillance is the only way that it can achieve its objectives? In today’s district court, the US government spent great amounts of time and effort doing that. Let us see what the outcome is.

In the next post, we shall analyze the freedom of association claim made by ACLU, also litigated in today’s hearings.