Digital Surveillance

This page elaborates Digital Surveillance for the definition.

1.What is Digital Surveillance?

Digital surveillance is the systematic monitoring, collection, and analysis of digital data, including online communications, biometrics, and geolocation, by governments, corporations, or other entities. Unlike traditional observation, it relies on automation, algorithms, and vast computational power to aggregate data streams from millions of subjects simultaneously, often without their direct knowledge. This practice drives modern economic models such as "surveillance capitalism", where personal experience is commodified for behavioural prediction.^[1] The term "surveillance" itself is borrowed from the French surveillance ("oversight"), derived from the prefix sur ("over") and the root veiller ("to watch"), traceable to the Latin vigilare ("to be watchful"). While the word entered the English language in the late 18th century, it gained political weight during the French Revolution, particularly with the "Surveillance Committees" established in 1793 to monitor citizens for treason.^[2]

The history of government surveillance long predates the digital age. Ancient states used administrative mechanisms like the census, such as the Census of Quirinius in the Roman Empire (c. 6 AD), to maintain military and tax records. Modern state espionage evolved with communication networks; a notable scandal occurred in Britain in 1844 when the government admitted to opening the private mail of Italian exile Giuseppe Mazzini.^[3] The invention of the telephone led to the first recorded police wiretapping by the New York City Police Department in 1895.^[4] The transition toward electronic monitoring began in 1927, when Russian inventor Léon Theremin installed a manual scanning-transmitting camera (an analog precursor to CCTV) at the Moscow Kremlin.^[5] However, the shift to true digital surveillance is marked by two distinct milestones: the ECHELON signals intelligence network (formalised in the early 1970s), which used computers to automate the filtering of satellite communications,^[6] and the release of the Axis NetEye 200 in 1996, recognized as the first network (IP) camera to transmit digital video data over the internet.^[7] The intellectual framework for this era was established in 1986 by computer scientist Roger Clarke, who coined the term "dataveillance" to describe the systematic use of personal data systems to monitor actions, a concept that underpins modern digital tracking.^[8]

2. The Legal Understanding of Digital Surveillance:

In India, "digital surveillance" is not defined by a single, distinct clause in any statute. Instead, the term is a legal construct derived from the operative statutory powers of "interception," "monitoring," and "decryption" of electronic information. The functional definition used by state agencies is primarily there in Section 69 of the Information Technology Act, 2000. According to this provision, digital surveillance is understood as the direction by the Central or State Government to any agency to intercept, monitor, or decrypt any information generated, transmitted, received, or stored in any "computer resource."

The discourse surrounding these terms relies on specific technical definitions found in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. Under these rules, “decryption” means the process of conversion of information in non-intelligible form (cipher text) to an intelligible form (plain text) via a mathematical formula, code, password or algorithm or a combination thereof;” “intercept” with its grammatical variations and cognate expressions, means the aural or other acquisition of the contents of any information through the use of any means, including an interception device, so as to make some or all of the contents of an information available to a person other than the sender or recipient or intended recipient of that communication, and includes-“monitor” with its grammatical variations and cognate expressions, includes to view or to inspect or listen to or record information by means of a monitoring device. Thus, officially, digital surveillance is the composite of these three actions performed by the state.

3. Types and forms of Digital Surveillance:

The legal and functional understanding of digital surveillance in India is not monolithic; it is categorized based on the method of acquisition, the scale of operation, and the relationship between the watcher and the watched. These distinctions are critical as they determine the applicable statutory framework and the constitutional threshold for validity.

3.1. Targeted Interception (Content-Based Surveillance)

This forms the traditional core of surveillance law, evolving from telephone wiretapping to digital message interception. Targeted interception is predicated on the specific identification of a subject, an individual or a specific device, under a valid legal order. In the Indian context, this is governed by Section 69 of the Information Technology Act, 2000, which authorizes the state to access the actual content of the communication, such as the text of an email, the audio of a VoIP call, or the body of a message. Legal jurisprudence, specifically the PUCL Guidelines, mandates that this type of surveillance must be "event-based" and time-bound, ensuring it does not become a perpetual state of observation. It is distinct because it requires a high threshold of justification, such as an imminent threat to public order or national security, to override the individual's expectation of privacy.

3.2. Mass Surveillance and Bulk Acquisition

Mass surveillance involves the indiscriminate collection of data from a large number of people, often without suspicion of specific criminal activity. This typology relies on "dragnet" technologies that filter vast amounts of internet traffic to identify patterns or keywords. In India, this is institutionally represented by the Central Monitoring System (CMS) and NETRA (Network Traffic Analysis). The CMS acts as a centralized command center that automates the interception of telecommunications, allowing law enforcement to bypass service providers and intercept communications directly.

The rationale for this scale of dominion is historically traced to Section 9 of the Indian Telegraph Act, 1885, which empowers the government to regulate the conduct of telegraphs and establishes the administrative logic of state management. The state proclaims to employ these technologies for maintaining order in society, ensuring compliance with the law, and better administration. However, legal scholars and the Justice B.N. Srikrishna Committee have flagged this form of surveillance as legally precarious. Without the procedural safeguard of individual review, it creates a "panoptic" infrastructure where the mere existence of the system exerts control over the population. Critics argue that such unchecked power can mutate into nefarious forms, utilized for controlling dissent, manipulating electoral behaviour, and ensuring conformity to a specific notion of "ideal citizenry" by targeting groups deemed incongruous with the state's objectives.

3.3. Dataveillance (Metadata and Traffic Data Monitoring)

Dataveillance refers to the systematic monitoring of "traffic data" or metadata, the information about a communication rather than the communication itself. This includes logs of who called whom, the duration of calls, location coordinates (cell tower triangulation), and internet browsing history. Legally, this is treated with a lower threshold of protection than content surveillance. Under Section 69B of the Information Technology Act, 2000, the government can authorize the Computer Emergency Response Team (CERT-In) to collect this data to enhance cyber security and prevent computer contaminants. However, as noted in the Puttaswamy judgment, the aggregation of metadata can reveal intimate details of an individual's life, political preferences, and associations, making it a potent form of surveillance that constructs a "digital mosaic" of the citizen without technically listening to their words.

3.4. Commercial and Economic Surveillance (Surveillance Capitalism)

This typology operates on a purely economic logic, distinct from state security. For the private sector, surveillance aims to capture personal information for profiling consumer behaviour. Under the Digital Personal Data Protection Act, 2023, "Personal Data" is defined as any data about an individual who is identifiable by such data. In this regime, people’s data becomes a commodity harvested by data mining agencies to be sold to companies for curating marketing strategies per users’ preferences. This ever-increasing monitoring by the private sector has led to what philosopher Shoshana Zuboff terms "Surveillance Capitalism," where human experience is extracted and modified for profit. While the state monitors for control, the market monitors for prediction, though the two often intersect when the state purchases these commercial datasets for its own use.

3.5. Lateral and Domestic Surveillance (Horizontal Monitoring)

While traditional surveillance is vertical (State watching Citizen), the digital age has entrenched "lateral surveillance," where private individuals monitor each other. This encompasses the use of commercial CCTV systems, stalkerware, and social media tracking by private entities. The legal framework handles this delicately. On one hand, Section 3(c) of the Digital Personal Data Protection Act, 2023 exempts personal data processed by an individual for any "personal or domestic purpose" from regulatory compliance. On the other hand, the judiciary has set strict constitutional limits on this exemption. In the landmark case of Indranil Mullick & Ors. vs. Shuvendra Mullick (2025), the Supreme Court acknowledged that digital monitoring tools installed by one private party against another within a shared domestic space constitute a violation of the constitutional right to privacy. Thus, while the statute may exempt domestic surveillance from bureaucratic regulation, the courts recognize it as an actionable violation of rights.

3.6. Intrusive Surveillance (Hacking and Spyware)

This represents the most aggressive form of digital surveillance, evolving beyond passive interception to active intrusion. It involves the use of malware or spyware (such as Pegasus) to infiltrate a digital device, gaining control over its microphone, camera, and stored files. Unlike standard interception, which catches data in transit, intrusive surveillance accesses data at rest. The Supreme Court's engagement with this typology in Manohar Lal Sharma v Union of India (Pegasus Case) highlighted that such methods are qualitatively different because they violate the sanctity of the device itself. Indian law currently lacks a specific statutory provision explicitly authorizing "hacking" by the state, creating a legal grey area where such actions are challenged as being ultra vires (beyond the powers of) the existing provisions of the IT Act.

4. Legal provision(s):

The statutory architecture for surveillance in India is divided between the regulation of the internet and the regulation of telecommunications, with additional powers granted under criminal procedure laws.

4.1. The Information Technology Act, 2000

This is the parent statute for digital surveillance. Section 69 is the most critical provision, and it reads as follows:

69. Power to issue directions for interception or monitoring or decryption of any information through any computer resource.--(1) Where the Central Government or a State Government or any of its officers specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do, in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.

(2) The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.

(3) The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to-

(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or

(b) intercept, monitor, or decrypt the information, as the case may be; or

(c) provide information stored in computer resource.

(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.

Complementing this is Section 69B, which empowers the government to authorize the Computer Emergency Response Team (CERT-In) to monitor and collect "traffic data" or information generated, transmitted, received, or stored in any computer resource to enhance cyber security and for identification, analysis, and prevention of intrusion or spread of computer contaminants. Unlike Section 69, this section deals with metadata rather than content.

69B. Power to authorise to monitor and collect traffic data or information through any computer resource for cyber security.--(1) The Central Government may, to enhance cyber security and for identification, analysis and prevention of intrusion or spread of computer contaminant in the country, by notification in the Official Gazette, authorise any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.

(2) The intermediary or any person in-charge or the computer resource shall, when called upon by the agency which has been authorised under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.

(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.

(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which any extend to 2[one year or shall be liable to fine which may extend to one crore rupees, or with both].

Explanation.--For the purposes of this section,--

(i) "computer contaminant" shall have the meaning assigned to it in section 43;

(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, data, size, duration or type of underlying service and any other information.

4.2. The Telecommunications Act, 2023

This Act replaced the colonial Indian Telegraph Act, 1885. Section 20(2) of the Telecommunications Act allows the Central or State Government to intercept, detain, or disclose messages if it is satisfied that it is necessary or expedient to do so in the interest of the sovereignty and integrity of India, defence and security of the State, friendly relations with foreign States, public order, or for preventing incitement to the commission of an offence. Crucially, the definition of "message" under this Act has been expanded to potentially include data sent through internet-based communication services like WhatsApp, thereby bringing Over-The-Top (OTT) platforms within the ambit of telecommunication surveillance.

4.3. Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS)

The BNSS, which replaced the Code of Criminal Procedure (CrPC), has introduced procedural forms of surveillance. Section 2(1)(l) of the BNSS expands the definition of "document" to explicitly include "electronic communication" and digital devices. Furthermore, Section 94 empowers a court or an officer in charge of a police station to compel the production of any document or "other thing" necessary for the purposes of any investigation, inquiry, trial, or other proceeding. This provision effectively allows law enforcement to seize digital devices (smartphones, laptops) and access their data, functioning as a form of seizure-based surveillance.

4.4. The Digital Personal Data Protection Act, 2023 (DPDP Act)

This Act establishes the overarching regime for the processing of digital data, thereby defining the subject matter that is liable to be surveilled.

• Applicability and Scope (Section 3): The Act codifies the specific types of data processing that fall under legal regulation. It applies to the processing of digital personal data within the territory of India where the personal data is collected:
  • In digital form; or
  • In non-digital form and digitized subsequently.
  • It also applies to processing outside the territory of India if such processing is in connection with any activity related to the offering of goods or services to Data Principals within India.
• The Surveillance Exemption (Section 17): While the Act protects personal data, it creates a significant "carve-out" for digital surveillance. Under Section 17(2)(a), the Central Government may exempt any instrumentality of the State from the application of the Act (including the requirement to obtain consent). These exemptions are granted on grounds identical to the reasonable restrictions on free speech under Article 19(2) of the Constitution:
  • Sovereignty and integrity of India;
  • Security of the State;
  • Friendly relations with foreign States;
  • Maintenance of public order; or
  • Preventing incitement to the commission of any cognizable offence.
• Distinction from Condition Precedents: It is significant to note that unlike Section 5(2) of the Indian Telegraph Act, 1885, which mandates a "condition precedent" of a "public emergency" or "public safety" for interception, the exemptions under the DPDP Act do not require the existence of an emergency. The government can activate these exemptions based on the broader administrative satisfaction regarding national security or public order.

5. Case Laws:

While the term digital surveillance in itself is not explicitly defined, the Indian judiciary has played a pivotal role in defining the constitutional limits of digital surveillance, establishing that it is not an absolute power of the state but one subject to the fundamental right to privacy.

People’s Union for Civil Liberties (PUCL) v Union of India (1997):

This case laid down the foundations of the legal framework around surveillance. The Supreme Court in this 1997 case was dealing with telephone tapping. The Court defined wiretapping, the precursor to digital surveillance, as a "serious invasion of an individual’s privacy." It laid down the PUCL guidelines against illegal and excessive surveillance by the state, and created safeguards against arbitrariness in the exercise of the state's surveillance powers. The guidelines created a procedural mechanism where surveillance orders must be issued by high-ranking bureaucrats (such as the Home Secretary) and reviewed by a Review Committee.

Vinit Kumar vs CBI, 2019:

The Bombay High Court ruled that the interception of a businessman’s telephone calls was an infringement of his right to privacy. The Indian Home Ministry had ordered the interception of a businessman’s communications after he was accused of bribing a public servant. The businessman challenged the interception orders, arguing that they were unlawful and infringed his right to privacy. The Court held that there was no lawful justification for intercepting the businessman’s communications, set aside the orders and instructed that all information obtained through the interception be destroyed.^[9] The Bombay High Court ruled that the state cannot order interception merely because it is "expedient"; there must be a specific public safety concern, applying the Puttaswamy test strictly to surveillance orders.

Manohar Lal Sharma v. Union of India:

In Manohar Lal Sharma v Union of India (2021), commonly known as the Pegasus case, the Supreme Court addressed the alleged use of military-grade spyware on civilians. The Court held that the state cannot simply use "National Security" as a shield to evade accountability. It defined unauthorized digital surveillance as having a potential "chilling effect" on free speech and press freedom, thereby necessitating an independent inquiry into the government's surveillance capabilities.^[10] The Court held that:

- The violation of privacy with regard to arbitrary state action would be subject to the “reasonableness” test under Art.

- Privacy invasions that implicate Art. 19 freedoms would have to fall under the restrictions of public order, obscenity etc.

- Intrusion of one’s life and personal liberty under Art. 21 will attract the just, fair and reasonable threshold.

- Phone tapping not only infringes Art. 21 but also contravenes Art. 19 freedoms. Such a law would have to be justifiable under one of the permissible restrictions in Article 19(2), in addition to being “fair, just and reasonable” as required by Article 21, and as was held in the PUCL Case. It would also need to be subject to a higher threshold of “compelling state interest”.

Right to Privacy: The Puttaswamy Case ^[11]-   

 In August 2017, a nine judge bench of the Supreme Court in the Puttaswamy Case gave legitimacy to the ‘right to privacy’ under the Constitution of India and overruled the M.P Sharma case and the Kharak Singh case in relation to the guarantee of the right to privacy under the Constitution, and, therefore, made its derogation subject to the highest level of judicial scrutiny.

Premised on the principle that “Privacy is the ultimate expression of the sanctity of the individual”, the Supreme Court affirmed the reasoning and judgment given in the PUCL Case and held that: Privacy” is the “condition or state of being free from public attention to intrusion into or interference with one’s acts or decisions”. The right to be in this condition has been described as the “right to be let alone”. What seems to be essential to privacy is the power to seclude oneself and keep others from intruding on it in any way. These intrusions may take any of several forms, including peeping over one’s shoulder to eavesdropping directly or through instruments, devices, or technological aids.

The Supreme Court recognized that digital surveillance, particularly through data aggregation, creates a detailed "profile" of the citizen. The Court established a "Tripod Test" for legality: any instance of surveillance must have a legislative basis (Legality), serve a legitimate state aim (Necessity), and be proportionate to the objective (Proportionality). It is a four-fold test that needs to be fulfilled before state intervention in the right to privacy:

i. The state action must be sanctioned by law.

ii. In a democratic society there must be a legitimate aim for action.

iii. Action must be proportionate to the need for such interference.

iv. And it must be subject to procedural guarantees against abuse of the power to interfere.

Indranil Mullick & Ors. vs. Shuvendra Mullick (2025):

Most recently, the scope of digital surveillance has been expanded to include private-party monitoring in the landmark case of Indranil Mullick & Ors. vs. Shuvendra Mullick (2025). This case arose from a domestic dispute in Kolkata where one brother installed CCTV cameras in the common areas of a shared ancestral home ("Mullick Bhaban"), which arguably monitored the private entrance and living quarters of the other brother without consent. The Calcutta High Court held that the installation of CCTV cameras inside a residential dwelling without the consent of co-occupants violates the Right to Privacy under Article 21.

The Supreme Court of India, in dismissing the Special Leave Petition against this order, upheld the principle that security concerns (such as protecting family heirlooms) cannot override the fundamental right to privacy within a home. This judgment is significant as it defines "digital surveillance" not just as a vertical relationship between State and Citizen, but also as a horizontal violation between private individuals, ruling that constant digital monitoring in a domestic setting is an actionable infringement of constitutional rights.

6. Official Documents and Government Reports:

Several high-level committees have analyzed the scope of digital surveillance in India, often offering critical perspectives on the lack of oversight.

The Report of the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (2018) provides the most detailed critique. This report, titled A Free and Fair Digital Economy, noted that the Indian surveillance regime is characterized by a "lack of judicial oversight" as it operates solely on executive authorization. It specifically highlighted the Central Monitoring System (CMS), a mass surveillance project that automates the interception of telecommunications, allowing the state to bypass service providers. The report argued that this creates a "panoptic" infrastructure that lacks adequate procedural safeguards.

Prior to this, the Report of the Group of Experts on Privacy (Justice A.P. Shah Committee), 2012, defined surveillance not merely as interception but as "any monitoring of the activities of a person." It recommended a shift in policy where surveillance must not be undertaken merely because it is useful to the state, but only when it is strictly "necessary and proportionate" to the aim. More recently, the Parliamentary Standing Committee on Communications and Information Technology (2023), in its report on Citizens’ Data Security and Privacy, acknowledged official submissions suggesting that the traditional distinction between "content" (what you say) and "metadata" (who you speak to) is blurring, implying that the lower threshold for monitoring metadata under Section 69B of the IT Act constitutes significant surveillance and requires tighter regulation.

International experience^[12]

India is a signatory to several international instruments that frame the boundaries of surveillance through the right to privacy. Article 12 of the Universal Declaration of Human Rights states that "Everyone has the right to the protection of the law against arbitrary interference with his privacy, family, home or correspondence." Similarly, Article 17 of the International Covenant on Civil and Political Rights (ICCPR), 1966, provides protection against "arbitrary or unlawful interference" with privacy. The Office of the UN High Commissioner for Human Rights has explicitly interpreted "interference" in the digital age to include the interception of digital communications and the collection of metadata, thereby categorizing digital surveillance as an act that requires strict legal justification to avoid violating international human rights law. In December 2013, the United Nations adopted a resolution titled "The right to privacy in the digital age," which recognized the potential for surveillance and data collection to infringe on privacy and other human rights. The resolution emphasized the need for national legislation, oversight mechanisms, and transparency to protect privacy both online and offline(report)

National Experience ^[13]

Currently, legal recourse against illegal surveillance by individuals or private companies exists, including the ability to file an FIR or approach the Magistrate court. However, legal protections against state surveillance are limited, and there is a lack of adequate national legislation and oversight. The UN Office of the High Commissioner has noted that weak procedural safeguards and ineffective oversight contribute to reduced accountability and that mass surveillance by governments is becoming a dangerous habit. The need for national legislation, oversight mechanisms, and transparency to protect privacy both online and offline is crucial in India. There are legal remedies available to victims of illegal surveillance by individuals or private companies.

The Cyber Cells of state police forces can be approached to report such incidents, and victims of cybercrime can file an FIR under Section 154 of the Criminal Procedure Code, 1973. If the police officer or cell refuses to investigate the complaint, a private complaint can be filed under Section 156 (3) read with Section 190 of the Criminal Procedure Code, 1973, seeking a direction to the police station concerned to investigate the matter.

At the micro-level, the state is empowered to perform targeted surveillance in the form of interception. There are various lawful interception systems available in the Indian market which are installed into the networks of telecom services and internet services by the government through the license agreement. Though interception is legal in India under specific legal grounds, hacking is a punishable offence under the Information Technology (Amendment) Act, 2008 (Section 43 and 66).

Database

Data for the world's most surveilled cities shows that India's capital city New Delhi ranks first with 1,826.6 cameras per square mile, while Chennai which has 609.9 cameras per square miles ranks third; London is second (1,138.5 cameras) and Mumbai at 18 (157.4 cameras) ,By Forbes India^[14]

Apperance of term in database.

It does not appear at all.

Fear it Causes

research worldwide suggests that the presence of CCTV cameras has little to no impact on crimes , Bhopal police launched a mobile application called ‘Bhopal Eye,’ which allows the police to access live feeds from private users’ CCTV cameras (Chandran, 2023)

Creates panopticon fear that we are being watch ( jeremy bentham’s concept of prison)