Emad Ahmed says he is terrified by the rise of facial recognition surveillance in India. Since December, the 26-year-old has been taking part in nationwide protests against Prime Minister Narendra Modi’s controversial new citizenship law that has fuelled anxiety over discrimination of Muslims.
The ruling Bharatiya Janata party has used what critics say are authoritarian tactics to contain the unrest, from mass detentions to suspending mobile networks and bans on rallies.
Mr Ahmed, a masters student in gender studies, says police are also relying on footage from ubiquitous cameras and drones to identify and intimidate people demonstrating against the Hindu nationalist policies of the BJP.
Protesters have been arrested, served legal notices and even received calls from security officers threatening them to stay away from the protests, says Mr Ahmed. “It is very scary, we don’t feel safe in front of the police,” he says. “They say ‘you are under camera, you’ll be behind bars soon’.”
The surveillance build-up has sparked fears about the future of privacy in India, just as Mr Modi’s government embarks on a dramatic overhaul of how authorities and companies can use the data of the hundreds of millions of Indians rapidly coming online.
At the heart of the development is India’s first personal data protection bill, a comprehensive privacy framework introduced in December that was initially presented as the country’s answer to the EU’s General Data Protection Regulation, providing new protections for India’s internet users.
But New Delhi’s proposed law has alarmed many of its original champions by carving out broad exemptions for authorities to access the personal data of its 1.4bn citizens. Now privacy activists fear India will build up surveillance projects with minimal oversight — in effect adopting a model for privacy rights that has more in common with China than with Europe.
The fierce debate about surveillance comes at a time of broader concerns about political liberty in the world’s largest electoral democracy. For many critics, Mr Modi’s muscular Hindu nationalist policies, including some provisions of the citizenship bill that has prompted widespread protests around the country, are undermining civil liberties and fomenting religious divisions.
BN Srikrishna is a retired Supreme Court justice, who was appointed in 2017 to write the original draft of the privacy bill. He now says the version of the proposed legislation, which is being reviewed in parliament, is “Orwellian”.
“Somebody along the way has hijacked it,” he says of the considerably changed bill. “The government has carte blanche. They can [do] what they want and get away with it.”
Mr Srikrishna says he had imagined India would forge a bold new path, distinct from both Europe’s GDPR on the one hand and China’s state control on the other, that could offer a privacy model to other developing nations by ensuring strict protections for individuals while giving businesses the freedom with data to help fuel the rapid growth of India’s digital economy.
He now fears that the changes give too much power to the state at the expense of civil liberties. “It is unconstitutional,” he says. “If I were the judge, I would strike it down.”
Like other countries, India has witnessed an explosion of personal data in the past decade, with the spread of smartphones and cheap data packages set to propel the number of internet users to 850m by 2022 from 450m in 2017, according to PwC.
In 2009, New Delhi launched Aadhaar, the world’s largest biometric identity scheme, providing citizens with a unique identity number after their fingerprints and iris scans are recorded. Championed as a way to improve access to vital services such as food rations and banking, it alarmed privacy advocates who said it opened the door to voter profiling and commercial exploitation.
While those concerns culminated in a 2017 Supreme Court ruling that Indians had a fundamental right to privacy, there remained little clarity on how to regulate the flood of online data. The new bill seeks to address that gap.
It gives individuals the power to require their consent before others can process their data, singles out for special protection data it considers “critical” or “sensitive”, such as health or financial information, and proposes strict limits on the use of children’s data, defined as anyone under 18.
But critics allege that the exemptions undermine the bill’s ability to offer protection from the government itself. While Mr Srikrishna’s original draft made the ability of government to bypass privacy protections contingent on clearing a high bar, India has proposed that the central government itself be able to exempt any agency from privacy obligations on broad grounds, such as maintaining public order.
“There are many examples . . . of private companies being held to an even higher standard than GDPR,” says Udbhav Tiwari, a public policy adviser at internet non-profit group Mozilla. “But the government is being given extremely wide discretion when it decides that it doesn’t want certain provisions of the law to be applied to it.
“Right now there are no meaningful checks and balances with regard to how the government exercises powers of surveillance,” he says. If enacted as law, the latest draft will not address this, he adds.
A government official who helped draft the privacy bill disputed the suggestion, arguing the bill represented a significant improvement from the current vacuum. If the authorities abused their powers they would be stopped in court, he says.
The new law comes as India rapidly builds its surveillance capability, buoyed by the enthusiastic use of facial recognition by local police departments. The home affairs ministry, which oversees domestic security, is inviting bids to build a nationwide facial recognition database that could be one of the world’s largest, collecting images from CCTV feeds and newspapers, for example. The government has argued this will help improve public safety.
The tender was the latest in a series of controversial surveillance initiatives by the government, including an order in late 2018 giving 10 government agencies — from the intelligence bureau to the tax department — blanket powers to monitor all computers in the country. The home ministry did not respond to a request for comment. Delhi police also did not comment, beyond confirming the use of facial recognition technology.
With about 10 CCTV cameras per 1,000 people, Delhi has become the 20th most heavily monitored city in the world, according to tech research group Comparitech. There is a boom in companies offering facial recognition technology, with research firm TechSci predicting that the Indian market will grow 36 per cent annually over the next four years to be worth $4.3bn in salesby 2024.
Innefu Labs, a New Delhi-based security and data analytics firm, provides services including facial recognition to police in Delhi, Mumbai and Jammu and Kashmir, the Muslim-majority region that was subject to an enormous military mobilisation and five-month internet blackout after the government scrapped its autonomous status in August.
Talking over tea at their New Delhi office crammed with young workers, Innefu founders Abhishek Sharma and Tarun Wig tout their ability to help police pre-empt suspicious movements or violence. “We can use it for crowd management, to see if there is violence,” says Mr Sharma. “It can identify if someone pulls out a weapon or a woman is in distress in a dimly lit spot.”
But he demurs on whether he had concerns about how that technology was being put to use by the government. “Our job is to give them the tools. How they use it is entirely up to them,” Mr Sharma says.
Many of the activists worried about growing surveillance point to an alleged hack of WhatsApp in India, the messaging service which has 400m users in the country, as a glaring example of why citizens need more robust protection.
From October, WhatsApp and the University of Toronto’s Citizen Lab informed a group of more than 20 Indian academics and lawyers that they believed their phones had been hacked using the Pegasus spyware. Israeli company NSO, which makes the spyware, has said it sells exclusively to governments. The alleged victims — many outspoken critics of the ruling party — accused Mr Modi’s government of targeting their phones using Pegasus.
New Delhi has previously denied the accusations. Instead, India’s IT minister Ravi Shankar Prasad turned the spotlight on WhatsApp, saying the government was “concerned at the breach of privacy” and ordering the company to “explain” what happened. India’s parliamentary panel on information and technology is probing the hack, but a person close to the proceedings accused the ruling BJP of “obfuscation”.
Maharashtra’s state government, a coalition of three parties that overthrew the BJP in 2019, is also conducting an investigation into the hack. “It is a very serious issue,” says Sachin Sawant, a spokesperson for Congress in Maharashtra. “Leaders of the [opposition] Congress party” were under surveillance, he says, adding: “This does not have any precedent.”
The hack intensified calls for a robust law to prevent such incidents in the future. “I do feel exposed,” says Saroj Giri, an assistant professor of political science at Delhi university, who was among the alleged victims. “It’s enormous power, arbitrary power without a check at any level.”
Mr Giri criticised the new bill. “The government is trying to find ways to legally do surveillance,” he says.
The WhatsApp hack occurred when Mr Modi’s government was engaged in a long-running campaign to compel the Facebook-owned company to hand over de-encrypted messages on national security grounds. Facebook has refused and is challenging the government in India’s Supreme Court. WhatsApp declined to comment. Facebook did not respond to a request for comment.
This battle epitomised the often antagonistic relationship between the BJP and Silicon Valley, for whom India is one of their most promising markets.
The government official argues that, if not robustly regulated, foreign tech companies pose a greater risk to Indians’ security than its own initiatives. A lack of clear rules will leave Indians vulnerable to breaches, such as the unlawful use of US voters’ Facebook data by Cambridge Analytica, with minimal recourse.
“What’s happening with Facebook, Instagram, TikTok and WhatsApp will be much, much wider and more critical than what is happening with Aadhaar,” the official says. If there aren’t clear policies governing their behaviour, “in the future there will be much bigger issues to be concerned about”, he adds.
As tech titans face off with Mr Modi’s government, some Indian companies have positioned themselves as an alternative. Last year India’s richest man Mukesh Ambani, whose oil conglomerate Reliance Industries has used its financial might to build a fast-growing digital arm including the smartphone operator Jio, cast the need to protect Indians’ data in patriotic terms.
Mahatma Gandhi “led India’s movement against political colonisation”, he said. “We have to collectively launch a new movement against data colonisation.”
Mr Ambani argued that foreign firms have for too long profited from processing Indians’ personal data without offering adequate safeguards. Reliance has suggested it will offer its customers more protection. “We will have to migrate the control and ownership of Indian data back to India,” he said.
But India’s more muscular approach to data regulation has set it on a collision course with the US, one of its largest trading partners, which accuses it of protectionism. Washington has painted India’s efforts to ensure foreign companies store data locally as little more than a trade barrier, arguing it is designed to hurt tech companies such as Amazon and Google which have lucrative businesses transporting and processing data internationally.
India’s central bank in 2018 mandated that payments data had to be stored in India, a move that primarily affected US payment groups Visa and Mastercard. Other branches of government followed with their own proposals to mandate local data storage.
The clash over data further strained relations, with the US trade department last year calling India’s data localisation proposals “discriminatory and trade-distortive”.
Since then, both India’s central bank and IT ministry have softened their localisation proposals, with the latest privacy bill mandating that only personal data it deems “sensitive”or “critical” be stored in India.
But American tech executives insist that these and other policies will still hurt them. They point to one proposal that would compel companies to hand over “anonymised” data sets to the government when asked, such as showing search habits or commuting patterns, in order to aid the delivery of services and help craft policy. Tech groups say it undercuts their business models, unfairly raiding proprietary data they have painstakingly collected.
“We are very much concerned,” says Mukesh Aghi, president of the US-India Strategic Partnership Forum. “What we’re saying is: ‘Give us a level playing field.’ What we’re seeing now is some kind of a subtle reining in of these [US] companies, while trying to support domestic companies.”
As India charts its course on privacy and data regulation in parliament, its efforts to build up surveillance capabilities continue. Innefu’s Mr Sharma says India should not be judged for asserting its data sovereignty, arguing what is being done is no different than what has already happened in the US and China.
“They [the government] understand data protection well,” says Mr Sharma about the BJP. “The thought process is changing.”