It Would Be Better If NATGRID Was Delayed Forever

In a talk that he gave at a security conference organised by FICCI in 2012, Raghu Raman, the then-CEO of the National Intelligence Grid or NATGRID, spoke extensively about the true cost of crime and terror attacks. In the aftermath of the 2008 terrorist attack in Mumbai, colloquially referred to 26/11, society in India paid an additional cost, across the country: the cost of having set up additional security procedures, in terms of more stringent checks on vehicles and individuals in hotels and airports, thus adding the cost of unproductive time and the cost of employment of people in a non-productive manner.

Once a system is switched on in security, it remains in perpetuity, he said.

What Raman did not talk about then, is the seemingly everlasting impact on our freedoms, whether it were the amendments to the Information Technology Act in 2008, which were passed in Parliament without debate, including with the regressive Section 66(a) that was eventually declared unconstitutional, or even the setting up of the very organisation that Raman led then, NATGRID.

On Sept. 12, 2019, India’s Home Minister Amit Shah held a meeting to discuss the revival of NATGRID, which has been repeatedly delayed since its setting up was first approved by the Cabinet Committee on Security on Dec.1, 2009. Then, almost 10 years ago, a press note said that it was expected to be completed within 18-24 months. Current news reports suggest that it will be operational by the end of the year or latest by March next year.

NATGRID is a key component of a trinity of surveillance systems that the Indian government sought to set up post 26/11:

• The Centralised Monitoring System is a communications surveillance system that can track mobile calls, messages and data usage in real-time that is embedded within our mobile networks.
• Aadhaar, which was then meant to be used by public and private entities—and the Supreme Court eventually disallowed Aadhaar linking by private entities—was meant to de-duplicate Ram Singh in one database from another by giving a single identification number across multiple databases.
• The third was NATGRID, from what we know, was meant to connect public and private databases together, and make data from them available to intelligence agencies.

At the time that NATGRID was announced, the then-Home Minister P Chidambaram had outlined the problem that the government of India was trying to solve, saying:

“...there is a need to network all the databases that contain vital information and intelligence. Today, each database stands alone. It does not talk to another database. Nor can the ‘owner’ of one database access another database. As a result, crucial information that rests in one database is not available to another agency.”

From 21 Databases To 1,950

Access to this data across databases, although was not available in real-time, would allow intelligence agencies to “access, collate, analyse, correlate, predict and provide speedy dissemination” of information for intelligence purposes. Which intelligence agencies can access this data? From responses to questions raised in Parliament, we know that to begin with, 10 security agencies are to be given access: the Intelligence Bureau, Research & Analysis Wing, Central Bureau of Investigation, Directorate of Revenue Intelligence, Enforcement Directorate, Financial Intelligence Unit, Central Board of Direct Taxes, Central Board of Excise and Customs, Directorate General of Central Excise and Intelligence and Narcotics Control Bureau. No state-level agencies will get access to this database.

That plan tells us a lot about how things work in policy. To rephrase what Raman said at the FICCI event, once a system is set up in government, it tends to remain in perpetuity. A corollary here is that once a system is set up in government, it also tends to expand in scope and size. So, 21 databases may become eventually become 1,950. With time, with demands coming from the local police (CID’s maybe), states might also get access to this data, so the user agencies might increase. This could happen, for example, in exchange for live CCTV access, as more and more states set up CCTVs in cities. In the same vein, where real-time data access is not a part of NATGRID, with time, systems could be evolved for real-time access to data.

Who Watches The Watchdog?

So where’s the accountability? Where’s the control on data collection, data access, and what recourse do citizens, and even companies (whose data will be a part of NATGRID) have? What we know about NATGRID from responses to questions in Parliament is that in 2016, the Minister of State for Home Affairs, Haribhai Parthibhai Chaudhary said that an Audit Committee headed by the Deputy National Security Advisor has been constituted “to audit the manner in which the data is accessed and sought to be used.”

In 2011, the then Minister of Home Affairs in the UPA government, Jitendra Singh had said that legal regimes related to privacy will apply to NATGRID, and that the NATGRID system has been designed covering the implementation of template driven investigation process which capture key elements like ‘why the information is required’, ‘who is asking’, ‘the purpose for which it will used’ etc.

In an interview with the Wall Street Journal’s India Real Time blog, Raman had said in 2011 said there are 11 structural and procedural safeguards and oversight mechanisms in place to ensure that the system cannot be misused, including “extremely robust governance processes, backed by strong information protection technology and external audits.” “Special and elaborate mechanisms have also been put in place to prevent any leakage or misuse of the system. Security and intelligence agencies will not be able to use the NATGRID system to access information for any purpose other than that of countering terror,” he had said.

What kind of scrutiny will this documentation bring, and how will accountability be enforced if everything that happens within the security apparatus stays within that apparatus? Who watches the watchdog? If there was a violation of your privacy, and you were being surveilled without adequate reason, but you never knew about it, did it even happen? India also doesn’t have a data protection law, and the draft data protection bill seems to give wide exemptions to security agencies, and thus does little to address statutory violation of privacy.

Security, At What Cost?

It’s interesting that even though every mention of NATGRID mentions access to the banks database, according to a response on Aug. 1, 2014 by then-Minister of State for Finance, Nirmala Sitharaman, to a question by then BJD MP Jay Panda, had said that Reserve Bank of India and the Indian Banks Association were “unanimously of the opinion that it would not be possible for banks under the current legislative framework to disclose customer information.” Access of banking data for NATGRID was not in line with international practices, and “it may not be possible for banks to allow any agency direct access to its database.”

If that’s the standard that applies to banks, in terms of the privacy norms that prevent giving direct access to largely-unregulated security agencies, perhaps that’s the standard that should apply for all of our data, and all public and private databases. Terror attacks are extreme circumstances, and even in a country that faces as many terror threats such as ours, mass surveillance and direct access to over a thousand public and private databases, with little accountability, would be disproportionate, and a violation of the fundamental right to privacy.

It’s been 10 years. Perhaps it would be better if NATGRID remained delayed forever.

Nikhil Pahwa is the founder of MediaNama.

The views expressed here are those of the author and do not necessarily represent the views of BloombergQuint or its editorial team.