"Right to privacy v. Infringement of cyber laws"

Introduction
The right to privacy is one of the most essential element of several legal systems that aim to restrain governmental and private actions that infringe or threaten individual's right to privacy.

Whereas on the other hand Government organisations including the NSA, CIA, R&AW, and GCHQ have conducted extensive global monitoring in an effort to combat national and international terrorism.[1]

Government hacking or surveillance pose serious risks to individual's security and privacy. With the ability to remotely and covertly access our personal gadgets and all the personal data they store, it has the potential to be much more intrusive than any other surveillance method.[2]

The threat to users' privacy and security is evolving and getting more serious. This threat comes from indirect infiltration, such as monitoring software that has been covertly installed on computers, rather than direct attacks by viruses or hackers. These monitoring applications are called spyware, and serve to record and transmit a user's computer uses and behaviors to third parties. Frequently used by marketers to harvest customer data for segmentation and targeting purposes.

Henceforth the key question that follows is whether or not the right to privacy needs to be forfeited as a condition of the social compact in order to strengthen and bolster defence against alleged terrorist threats. Threats of terrorism and national security might also be a pretext for spying on the general population.

Elucidation of the term SPY
The literal interpretation or dictionary meaning of the term SPY is a person employed by a government or other organization to secretly obtain information on an enemy or competitor.[3] In other terms, SPY means to work for a government or other organization by secretly obtaining information about enemies or any other person.

Espionage is the crime of spying on or secretly monitoring a person, business, government, or other entity with the intention of acquiring sensitive information or detecting wrongdoing and transferring such information to another entity or state. Industrial espionage, which is the obtaining of a company's confidential information for the advantage of another company, is a separate crime in many jurisdictions.[4]

Meaning of Spyware

Spyware is a type of malicious software that is placed on a computer without the knowledge of the end user. It intrudes into the system, takes personal, sensitive and internet usage data, and then transmits it to other parties like advertising, data companies, or other users. Any software that is downloaded without the user's consent can be considered as a spyware.

One of the most prevalent threats to internet users is spyware.[5] Once installed, it keeps track of login details, spies on confidential data, and monitors internet activities. Spyware's main objective is often to collect passwords, banking information, and credit card numbers - an insidious prerequisite for cybercrime.[6]

However, spyware, such as stalkerware, can also be used to track a person's location. It can track the victim's physical location, intercept emails and texts, listen in on phone calls and record conversations, and access personal information like photos and videos.

Spyware can be used to send computers specialised advertisements. Since installs can be approved as a part of the licensed "clickwrap" agreement that users agree to when installing free utility and file-sharing apps from the Internet, spyware is frequently used legally.[7] In certain circumstances, spyware is installed as a component of legitimate computer software that companies sell to their customers in order to give application users update and communication features. It appears that the ability to monitor remotely and connect with computers is alluring enough to draw the attention of third parties with nefarious and non-legal motives.

Spyware is controversial because, even when it is deployed for comparatively innocent purposes, it has the potential to be exploited and to breach the privacy, breach and theft of data of the end user.

Relevant Laws: Cyber-Crime and Right to Privacy

The Telegraph Act, 1885 and the Information Technology (IT) Act, 2000 contain several electronic surveillance related provisions. For example, section 5 of the Telegraph Act, 1885[8] empowers the Government to intercept messages only where the main concern is public safety, sovereignty, friendly relations with foreign States, or public order and integrity of India. The Act further provides that the interception cannot be used as a tool for securing political advantage or personal benefits, and that it should only be temporary. The section also restricts the interception of press communications unless that has been prohibited by the law.

Further the term "Data" is defined u/s 2(1)(o)[9] of IT Act 2000, as a formalised representation of information, knowledge, facts, concepts, or instructions that is processed in a computer system/network, and may take any form, including computer printouts, magnetic or optical storage media, etc. Moreover, the term "information" has been defined u/s 2(v)[10] of the IT Act. It includes data, message, text, images, sound, voice, codes, computer programmes, software and data bases or micro film or computer-generated micro fiche.

Data protection consists of a technical framework of security measures designed to guarantee that data are handled in such a manner as to ensure that they are safe from unforeseen, unintended, unwanted or malevolent use.[11]

Breach of Data

Sec. 72[12] of the IT Act provides for a criminal penalty where a government official discloses records and information accessed in the course of his or her duties without the consent of the concerned person, unless permitted by other laws. Hence, it is can be stated that a breach of data specifically means stealing of data that may involve sensitive, proprietary, or any other information, without the permission of its owner.[13] Hence is can be stated that a breach of data specifically means stealing of data that may involve sensitive, proprietary, or any other information, without the permission of its owner.[14]

Moreover, sec. 66C[15] of IT Act, prescribes punishment for identity theft and provides that anyone who fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished. The term 'unique identification feature' includes the identity recognised by face of an individual. Moreover, UIDAI[16] has implemented the face recognition feature as an additional mode of Aadhaar authentication.[17]

In addition, rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules provides an aggregated definition of sensitive personal data as follows:

Sensitive personal data or information of a person means such personal information which consists of information relating to:

1. password;
2. financial information such as bank account or credit card or debit card or other payment instrument details;
3. physical, physiological and mental health condition;
4. sexual orientation;
5. medical records and history;
6. Biometric information;
7. any detail relating to the above clauses as provided to body corporate for providing service; and
8. any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

Moreover, acc. to sec. Rule 2(1)(i)[18] of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) the term "Personal information" means any information that relates to a natural person, which, either directly or indirectly, is capable of identifying such person.

In K.S.Puttaswamy V. Union Of India[19] it was stated that "privacy also includes the right to control dissemination of personal information, preventing awkward social situations and reducing social frictions. On information being shared voluntarily, the same may be said to be in confidence and any breach of confidentiality is a breach of the data and trust. Also, it is but essential that the individual knows as to what the data is being used."[20]

Right to Privacy

The right to privacy is inherent to the liberties guaranteed by the Constitution and is an element of human dignity.[21] The citizen has the right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matter and no one can publish anything concerning the above matters without his consent whether truthful or otherwise and whether laudatory or critical.[22]

The right to self-preservation and reputation also falls within the ambit of art 21[23]. The wrongful disclosure of private information is considered as invasion of privacy[24]. A proper degree of privacy is essential for the well-being and development of an individual." [25]

Sec. 72[26] of the IT Act states the penalty for Breach of confidentiality and privacy. It provides for a criminal penalty where a government official discloses records and information accessed in the course of his or her duties without the consent of the concerned person, unless permitted by other laws. Such unauthorized disclosure is punishable "with imprisonment for a term which may extend to 2 years, or with fine which may extend to 1 lakh rupees, or both."[27]

In the legal parlance the issue of confidentiality comes up where an obligation of confidence arises between a data collector and a data subject. An obligation of confidence gives the data subject the right not to have his information used for other purposes or disclosed without his permission.[28] However, personal data is protected through indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence.[29]

In a landmark judgment[30], the SC has recognised the right to privacy as a fundamental right u/a 21 of the Constitution as a part of the right to "life" and "personal liberty". "Informational privacy" has been recognised as being a facet of the right to privacy and the court held that information about a person and the right to access that information also needs to be given the protection of privacy.[31]

The SC has expressly recognised the right of individuals over their personal data and stated that the "right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone" emanates from this right.[32]

While keeping in mind that a private conversation is a conversation which is made under circumstances creating a reasonable expectation of privacy,[33] whereas use of spyware which intrudes in the personal system of an individual may lead to breach of reasonable expectation of privacy of an individual.

The Information Technology Act, 2000, was put in place by the Indian government to restrict these actions that infringe Internet users' rights. Here are some of its sections that empower Internet users and attempt to safeguard the cyberspace.

• Section 65 - Tampering with computer Source Documents

  A person who intentionally conceals, destroys or alters any computer source code (such as programmes, computer commands, design and layout), when it is required to be maintained by law commits an offence and can be punished with 3 years' imprisonment or a fine of 2 Lakhs INR or both.[34]
   

• Section 66- Using password of another person

  If a person fraudulently uses the password, digital signature or other unique identification of another person, he/she can face imprisonment up to 3 years or/and a fine of 1 Lakh INR.[35]
   

• Section 66D- Cheating using computer resource

  If a person cheats someone using a computer resource or a communication device, he/she could face imprisonment up to 3 years or/and fine up to 1 Lakh INR[36]
   

• Section 66E - Publishing private images of others

  If a person captures, transmits or publishes images of a person's private parts without his/her consent or knowledge, the person is entitled to imprisonment up to 3 years of fine up to 2 Lakhs INR or both [37]
   

• Section 66F - Acts of cyber terrorism

  A person can face life imprisonment if he/she denies an authorized person the access to the computer resource or attempts to penetrate/access a computer resource without authorization, with an aim to threaten the unity, integrity, security or sovereignty of the nation. This is a non-bailable offence.[38]
   

• Section 67 - Publishing Child Porn or predating children online

  If a person captures, publishes or transmits images of a child in a sexually explicit act or induces anyone under the age of 18 into a sexual act, then the person can face imprisonment up to 7 years or fine up to 10 lakhs INR or both.[39]
   

• Section 69 - Government Power to block website

  If the government feel it necessary in the interest of sovereignty and integrity of India, it can intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource. The power is subject to compliance of procedure. Under section 69A, the central government can also block any information from public access.[40]
   

• Section 43A - Data Protection at corporate level

  If a body corporate is negligent in implementing reasonable security practices which causes wrongful loss or gain to any person, such body corporate shall be liable to pay damages to the affection person.[41]

Misuse Of Spy Software Is A Cybercrime

Cyber spying is a cybercrime and is sometimes referred to as cyber espionage. It occurs when hackers target computers or IT networks in an effort to get information that could be sensitive or personal. This data is often in digital form, and the hacker can make profit out of it.[42]

Webopedia refers to cybercrime as:
"Any criminal act dealing with computers and networks"[43]

Hackers use a variety of techniques and Malware Programmes to evade their detection. Social media networks can potentially be used by cyber spies for harassment or other purposes. Hackers that engage in cyber spying may have harmless or detrimental intentions. Cyber spying is a threat to both individual safety and national security. It may be used to gain more information about individuals, groups, and governmental institutions.[44]

Cyberspying has advanced in recent years to include the use of social media platforms like Twitter and Facebook. Spying may take many different forms, from businesses tracking your interests to create effective advertisements to identity theft. Social media has grown to play a significant role in online stalking. Cyberstalking is the practice of repeatedly harassing or frightening someone using electronic means, such as sending threatening emails. Such activities of cyber stalking and identity theft does fall within the ambit of cyber crime.[45]

Cyber spying has become one of the most essential subject as a threat to the national security and individual privacy. If we understand it by the way of an example,-

"President Obama has identified cyber security as one of the most serious economic and national security challenges we face as a nation". According to Jun Isomura," a senior fellow at the Hudson Institute, a Washington think tank, China divides cyber into two target areas: political and military."[46] As on the military side, China's "targets include the entire US defense community, including US intelligence and the defense industry."[47] In February 2013, the US claimed that "China's People's Liberation Army had stolen data from 115 U.S. companies over a seven-year period."[48]

There are many such cyber security instances that has occurred in past. Hence infringement of such security is a matter of national security now a days.

Reasonable Restriction On Right To Privacy

Art. 19(2)[49] of the Constitution provides that this right is not absolute and 'reasonable restrictions' may be imposed on the exercise of this right in the interest of sovereignty and integrity of India, security of the state, friendly relations with foreign states, public order, decency and morality and contempt of court, defamation and incitement to an offence.

In Chintaman Rao v/s State Of Madhya Pradesh [50] & Express Newspaper v/s Union Of India [51], the SC opined that "a restriction in order to be referred to as reasonable shall not be arbitrary and shall not be beyond what is required in the interest of the public. The reasonable implies intelligent care and deliberation Legislation which arbitrarily or excessively invades the right can't be said to contain the quality of reasonableness and unless it strikes a proper balance between the freedom guaranteed. In addition to this, the restriction imposed shall have a direct or proximate nexus with the object sought to be achieved by the law."

Moreover, the principle on which the power of the state to impose restriction is based is that all individual rights of a person are held subject to such reasonable limitation and regulations as may be necessary or expedient for the protection of the rights of others, generally expressed as the social or public interest.

Hence national security is one of the most essential exception to right to privacy and thus is a reasonable restriction over a person's privacy.

Country	Regime Type	Commercial Spyware Vendor(S)	Description
Hungary	EA	Hacking Team, Black Cube, NSO Group/Pegasus	Black Cube involvement in a campaign to discredit nongovernmental organizations ahead of Hungary's April election; more than 300 phone numbers for journalists, lawyers, business executives, and activists found on the Pegasus spying list
India	ED	NSO Group/Pegasus	Spyware targeting hundreds of journalists, activists, opposition politicians, government officials, and business executives
Iran	EA	Blue Coat	Numerous high-profile incidents of surveillance and targeted malware attacks
Mexico	ED	Hacking Team, NSO Group/Pegasus, FinFisher, NSO Group/Circles	Malware to track civil society, opposition, groups, and journalists
Morocco	CA	Hacking Team, NSO Group/Pegasus, FinFisher, Decision Group, NSO Group/Circles	Abusive use of spyware to target civil society
Rwanda	EA	NSO Group/Pegasus	Security officials authorized to tap online communications; Pegasus software targeting Rwandan dissidents at the behest of the government
Saudi Arabia	CA	Hacking Team, NSO Group/Pegasus, FinFisher	Extensive documented abuse of spyware to target political opponents and civil society
Spain	LD	NSO Group	Catalan politicians targeted by government
Thailand	CA	Hacking Team, Blue Coat, NSO Group/Circles	Targeted surveillance against civil society and regime opponents
Turkey	EA	Hacking Team, FinFisher, NSO Group	Extensive spyware links; most forms of telecommunication tapped and intercepted

Note: The regime types listed here refer to close autocracy (CA), electoral autocracy (EA), electoral democracy (ED), and liberal democracy (LD).[53]

Does the government's use of spyware constitute a cybercrime by violating the right to privacy or is justified on the ground of national security?

Right to privacy is fundamental right of an individual granted by the supreme law of the nation, i.e. the constitution of India. However fundamental rights are not absolute in nature hence reasonable restriction can be imposed. Hon'ble Supreme Court held that the unnecessary interruption on people's lives through surveillance is an infringement of the right to privacy.

While examining the Constitutional validity of section 5(2)[54] of the Telegraph Act, a two-judges bench of the Supreme Court held in People's Union of Civil Liberties v. Union of India[55] held that telephone tapping is an invasion of a person's privacy.

The Court observed:
"it is no doubt correct that every Government, howsoever democratic, exercises some degree of Subrosa operation as a part of its intelligence out-fit but at the same time citizen's right to privacy has to be protected from being abused by the authorities of the day". The Court further issued certain guidelines to be followed while phone tapping and electronic surveillance.

Article 17 of the International Covenant on Civil and Political Rights [56] also upholds a person's privacy, and provides that "no one shall be subject to arbitrary or unlawful interference with his privacy, family, human or correspondence, nor to lawful attacks on his honor and reputation".

A similar provision can also be found in article 12 of the Universal Declaration of Human Rights[57]; "no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks." As India is bound by these international treaties, it must apply the latter and protect the privacy of its citizens by respecting these provisions.[58]

In this context, the Personal Data Protection Bill (PDB), 2019[59] was introduced but has not been enacted yet. The proposed legislation aims to safeguard citizen's personal information and data and prohibits the data fiduciary from misusing data and compels the data processor to maintain transparency.

Conclusion
Privacy forms an essential part of one's life. A breach of privacy is attempted when software like spyware or Pegasus is used indiscriminately. The use of spyware is worrisome and alarming and therefore demands immediate attention. The use of such software is a clear violation of an individual's right to privacy, which is now a widely acknowledged fundamental right.

However, the use of such spyware by government agencies is on reasonable grounds of national security. There must be a proper balance between the nation's security interest and individual freedom and privacy.

To prevent the further misuse of any similar spyware, significant action must be taken, and the Government must step up and resolve all related concerns. For instance, creating law that particularly addresses electronic surveillance and personal privacy would be a big step forward given that the laws now in place regarding electronic monitoring don't adequately safeguard people' privacy.

End-Notes:

1. Aditya Verma, Central Information Commission Right to Privacy by Aditya Verma (2019), https://cic.gov.in/node/4628 (last visited July 1, 2022)
2. Government Hacking, Privacy International, https://privacyinternational.org/learn/government-hacking.
3. Spy: Meaning & definition for UK English, Lexico Dictionaries | English, https://www.lexico.com/definition/spy (last visited Jul 1, 2022).
4. Espionage, Legal Information Institute, https://www.law.cornell.edu/wex/espionage (last visited Jul 1, 2022).
5. Alexander S. Gillis, Kate Brush & Taina Teravainen, What is spyware? SearchSecurity (2021), https://www.techtarget.com/searchsecurity/definition/spyware
6. What is spyware?, Veracode, https://www.veracode.com/security/spyware (last visited Jul 1, 2022).
7. Tom Stafford and Andrew Urbaczewski , Spyware: The Ghost in the Machine, RESEARCH GATE (Aug. 6-8, 2004), https://www.researchgate.net/publication/220892580_Spyware_The_Ghost_in_the_Machine.
8. Telegraph act 1885 § 5.
9. Information Technology Act 2000 § 2, cl. 1(o).
10. Information Technology Act 2000 § 2, cl. v.
11. Privacy and Data Protection in India: A Critical Assessment, 53 JILI (2011) 663.
12. Information Technology Act 2000 § 72.
13. Data Breach, Trend Micro (Aug. 27, 2021, 3 :30 PM), https://www.trendmicro.com/vinfo/us/security/definition/data-breach.
14. Id.
15. Information Technology Act 2000 § 66C.
16. Unique Identification Authority of India
17. Aadhaar card linking: UIDAI makes face recognition feature mandatory, Business Today (Aug. 24, 2018, 6:20 PM), https://www.businesstoday.in/latest/economy-politics/story/uidai-makes-face-recognition-feature-mandatory-for-aadhaar-authentication-109112-2018-08-24.
18. Ministry Of Communications And Information Technology (Department of Information Technology) Notification, New Delhi, the 11th April, 2011, https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf.
19. K. S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors., (2017) 10 SCC 1.
20. Daniel J. Solove, 10 Reasons Why Privacy Matters, TECH PRIVACY (Jan. 20, 2014), https://teachprivacy.com/10-reasons-privacy-matters/.
21. Surveillance, Privacy and Technology: A Comparative Critique of the Laws of USA and India, 57 JILI (2015) 550.
22. R. Rajagopal v. State of Tamil Nadu, (1994) 6 SCC 632.
23. Surjit singh v. State of Punjab (1996) 2 SCC 336.
24. R v. Dyment, SCC OnLine Can SC ¶ 17.
25. Id.
26. Information Technology Act 2000 § 72.
27. Prashant Iyengar, Privacy and the Information Technology Act - Do we have the Safeguards for Electronic Privacy?, CIS-INDIA (Apr. 7, 2011), https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy.
28. Nimitha Salim, Breach of privacy and Confidentiality under information Technology Act, 2000, LEGAL SERVICE INDIA (Aug. 27, 2021, 8 :15 PM), https://www.legalserviceindia.com/article/l288-Breach-of-privacy-&-Confidentiality-.html.
29. Kunal Thakore & Deepa Christopher, Data Protected - India, Linklaters (Mar., 2020), https://www.linklaters.com/en/insights/data-protected/data-protected---india.
30. Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors., (2017) 10 SCC 1.
31. Id.
32. Id
33. Public vs. Private Communications, Message Net Systems (Aug. 27, 2021, 8:30 PM), http://www.messagenetsystems.com/public-vs-private-communication-systems/.
34. Information Technology Act 2000 § 65.
35. Information Technology Act 2000 § 66.
36. Information Technology Act 2000 § 66D.
37. Information Technology Act 2000 § 66E.
38. Information Technology Act 2000 § 66F.
39. Information Technology Act 2000 § 67.
40. Information Technology Act 2000 § 69.
41. Information Technology Act 2000 § 43A.
42. Techopedia, What is cyberspying? - definition from Techopedia Techopedia.com (2011), https://www.techopedia.com/definition/27101/cyberspying (last visited Jul 3, 2022).
43. Vangie Beal, What is cyber crime? Webopedia (2021), https://www.webopedia.com/definitions/cyber-crime/ (last visited Jul 3, 2022).
44. Auletha Jones, Jack Bagby, Jenny Mazac, Kelsey Harper, Kreshnik Shena, Michael Harris, Stephanie Crowe, Cyber Spying, Old Domain University (2013), https://www.cs.odu.edu/~tkennedy/cs300/development/Public/M11-17970Week11-Ethics/index.html.
45. Graham D. Glancy & Alan W. Newman, Cyberstalking Oxford Scholarship Online, https://oxford.universitypressscholarship.com/view/10.1093/oso/9780195189841.001.0001/isbn-9780195189841-book-part-18 (last visited Jul 3, 2022).
46. Minnick, Wendell. "Experts: Chinese Cyber Threat to US Is Growing." Defense News. Gannett Government Media Corporation, 09 Jul 2013. Web. 7 Nov 2013. http://www.defensenews.com/article/20130709/DEFREG03/307090009/.
47. Id
48. Barnini Chakrabory, US officials addressing cyber threat at 'highest levels' with China, on heels of hacker report, FOX NEWS (Jan. 12, 2017), http://www.foxnews.com/politics/2013/02/19/us-raising-highest-levels-cyber/.
49. Supra Note 1.
50. Chintaman rao v. State of madhya pradesh (1950) SCR 759.
51. Express Newspaper v. Union of India (1985) SCR (2) 287.
52. Steven Feldstein, Commercial Spyware Global Inventory, version 2, Mendeley Data (Dec. 22, 2020), https://data.mendeley.com/datasets/csvhpkt8tm/2.
53. Sneha Dawda and Alexander Babuta, WhatsApp Hack Calls into Question Government Use of Commercial Spyware, RUSI (June 17, 2019), https://rusi.org/explore-our-research/publications/commentary/whatsapp-hack-calls-question-government-use-commercial-spyware.
54. Telegraph act 1885 § 5.
55. People's Union of Civil Liberties v. Union of India, AIR (1997) SC 568.
56. International Covenant on Civil and Political Rights 1976 art. 17.
57. Universal Declaration of Human Rights 1948 art. 12.
58. Dheeraj Diwakar, The Indiscriminate Use Of The Pegasus Spyware As An Infringement On The Right To Privacy, Human Rights Pulse (Oct. 14, 2021), https://www.humanrightspulse.com/mastercontentblog/the-indiscriminate-use-of-the-pegasus-spyware-as-an-infringement-on-the-right-to-privacy.
59. Personal Data Protection Bill 2019.