Author: Rishika Choudhary, Indore institute of law
To the Point
Indian cybercrime and surveillance laws give the State sweeping powers to intercept, monitor and decrypt digital communications, including encrypted traffic and dark-web activity. After K.S. Puttaswamy, every such intrusion must satisfy a structured proportionality test grounded in legality, legitimate aim, necessity and balancing. This article argues that while India has moved towards recognising privacy, its cyber-surveillance architecture still falls short of the Puttaswamy standard on necessity, least-restrictive means and independent oversight, especially in the context of strong encryption and borderless cyber-operations.
Use of legal jargon
India’s cyber-surveillance regime rests on a fragmented normative framework comprising the Information Technology Act, 2000 (notably section 69), the Telegraph Act, 1885, the Code of Criminal Procedure, 1973 / Bharatiya Nagarik Suraksha Sanhita, and executive rules authorising lawful interception, monitoring and decryption. These provisions enable intrusive investigatory powers, ostensibly for compelling State interests such as national security, public order and prevention of incitement to the commission of cognisable offences.
The nine-judge bench in K.S. Puttaswamy v. Union of India constitutionalised privacy as a facet of Article 21 and articulated a multi-pronged proportionality standard requiring legality (existence of law), legitimate aim, rational nexus, necessity / least-restrictive means and a proper balancing of competing interests. In practice, however, Indian cyber-surveillance remains characterised by executive dominance, opaque bulk and targeted surveillance programmes, limited ex ante judicial scrutiny, and weak institutional safeguards, raising serious concerns of overbreadth, mission creep and chilling effect on fundamental rights, particularly where encryption and dark-web investigations are involved.
The Proof
First, the statutory design of surveillance powers tilts heavily towards the executive. Section 69 IT Act authorises the Central or State Government (or their agencies) to direct “interception, monitoring or decryption” of “any” information through “any” computer resource on broad grounds, with compliance enforced through criminal sanctions on intermediaries. Authorisation and review are handled by executive committees rather than independent courts, meaning the legality limb is formally met, but institutional safeguards and independent oversight—core to proportionality—are missing.
Secondly, large-scale digital surveillance infrastructure such as the Central Monitoring System and NATGRID enables near-real-time access to telecom and internet traffic, but operates in secrecy, with minimal transparency around targeting standards, retention limits or ex post remedies for wrongful surveillance. Scholars mapping the “surveillance law landscape in India” after Puttaswamy conclude that many programmes would likely fail the conjunctive proportionality test, especially on necessity and procedural safeguards, because they permit extensive data access without showing why less intrusive alternatives would be inadequate.
Thirdly, developments around encryption and traceability show an explicit attempt to weaken privacy-enhancing technologies without a clear proportionality analysis. The 2021 Intermediary Rules’ traceability mandate for messaging platforms has been criticised for undermining end-to-end encryption and failing the necessity and narrow-tailoring prongs of Puttaswamy, as there is scant evidence that systemic backdoors are the least-restrictive way to obtain digital evidence. Research on encryption, dark web use and cyber-terrorism in India notes that while law-enforcement faces genuine attribution and jurisdiction challenges, proposals to dilute encryption often ignore the countervailing risks to cybersecurity, economic interests and constitutional privacy.
Abstract
This article examines whether India’s cybercrime and surveillance legislation, as applied to encrypted communications and dark-web investigations, satisfies the proportionality standard laid down in K.S. Puttaswamy v. Union of India. It maps the statutory and institutional framework governing interception, monitoring and decryption—principally section 69 of the Information Technology Act, allied rules, legacy telegraph-based interception provisions, and emerging data-protection norms—and evaluates them against the four-fold test of legality, legitimate aim, rational connection, and necessity with proper balancing.
Drawing on doctrinal commentary and policy reports on India’s surveillance landscape, the article argues that most current arrangements meet the legality and legitimate aim limbs only in a formal sense. They falter on necessity and narrow tailoring, because vague grounds such as “public order” enable broad, potentially indiscriminate surveillance; technical architectures allow de facto bulk access; and encryption-weakening measures like traceability mandates disproportionately infringe privacy without robust evidence of effectiveness. The absence of independent authorisation, robust ex post remedies and transparency further undermines the required balancing between security and individual rights. The article concludes that a Puttaswamy-compliant regime for cybercrime and dark-web policing would require statutory overhaul: embedding judicial or independent oversight, strict necessity standards for decryption orders, encryption-preserving investigative techniques, and a rights-respecting cross-border cooperation framework.
Case Laws
K.S. Puttaswamy (Privacy-9J) v. Union of India, (2017) 10 SCC 1
The Supreme Court recognised privacy as a fundamental right under Articles 14, 19 and 21, and adopted a structured proportionality test for privacy-infringing State action, including surveillance.
K.S. Puttaswamy (Aadhaar-5J) v. Union of India, (2019) 1 SCC 1
The Court upheld parts of the Aadhaar scheme but struck down aspects that lacked a clear legal framework or failed proportionality, underscoring the need for statutory backing, data-minimisation and safeguards when the State aggregates personal data at scale.
People’s Union for Civil Liberties (PUCL) v. Union of India, (1997) 1 SCC 301
Though pre-Puttaswamy, PUCL invalidated unregulated telephone tapping and laid down procedural guidelines, which have since been critiqued as inadequate in the age of mass digital surveillance but remain a reference point for assessing interception orders.
Anuradha Bhasin v. Union of India, (2020) 3 SCC 637
In the context of internet shutdowns, the Court applied proportionality and insisted on necessity, temporality and reasoned orders, signalling that digital restrictions must be narrowly tailored and periodically reviewed; this reasoning is relevant to broad online surveillance measures.
Subsequent High Court and policy analyses post-Puttaswamy
Academic and policy work assessing section 69 IT Act and allied rules finds serious tension with Puttaswamy because surveillance orders are executive-controlled, lack independent authorisation, and do not consistently apply a necessity and least-intrusive-means test.
Conclusion
India’s cybercrime and surveillance laws have evolved in a piecemeal fashion, layering expansive executive powers for interception, monitoring and decryption over an ageing telegraph-era architecture, with only limited adaptation to the demands of a rights-based digital constitutionalism. The recognition of privacy in Puttaswamy, and the adoption of a structured proportionality test, provides a powerful doctrinal lens through which to interrogate these frameworks, especially as law-enforcement struggles with encrypted communications, dark-web marketplaces and extra-territorial cyber-operations.
On that test, India’s present regime is only partially defensible. It clearly pursues legitimate aims and rests on laws enacted by Parliament, but fails to demonstrate that intrusive measures—such as decryption mandates, traceability requirements and secretive monitoring systems—are strictly necessary and the least-restrictive means of achieving those aims, or that they are embedded in a matrix of independent oversight, transparency and effective remedies. A genuinely Puttaswamy-compliant cyber-surveillance framework would recalibrate this balance by: codifying clear targeting thresholds; reserving decryption orders for narrowly defined, serious offences; preserving strong encryption as a default; requiring prior or prompt judicial authorisation; and ensuring robust accountability mechanisms for abuse. Until such reforms are undertaken, India’s attempt to secure “encrypted shadows” will remain constitutionally vulnerable, with privacy and civil liberties bearing a disproportionate share of the burden.
FAQS
Q1. What is the Puttaswamy proportionality standard in simple terms?
It is a multi-step test requiring that any State action infringing privacy must: be backed by valid law (legality); pursue a legitimate aim; bear a rational connection to that aim; and be necessary and proportionate, meaning no less-intrusive measure would suffice and adequate safeguards exist.
Q2. Which laws currently govern India’s cyber-surveillance powers?
Key provisions include section 69 of the Information Technology Act, 2000 and its rules, telegraph-based interception and monitoring rules, criminal-procedure powers to access digital evidence, and sector-specific frameworks that interact with emerging data-protection legislation.
Q3. Why is encryption such a big issue in this debate?
Strong end-to-end encryption protects privacy, security and commerce, but complicates real-time interception and decryption for law-enforcement, prompting demands for traceability or backdoors that many experts say would systemically weaken security and fail proportionality.
Q4. Does Puttaswamy completely prohibit mass or bulk surveillance?
Puttaswamy does not explicitly ban all forms of bulk collection, but its emphasis on necessity, narrow tailoring and safeguards makes indiscriminate or open-ended bulk surveillance programmes very difficult to justify constitutionally.
Q5. What reforms are commonly suggested to make India’s framework proportional?
Proposals include enacting a dedicated, comprehensive surveillance law; mandating independent (preferably judicial) authorisation and review; publishing aggregate transparency data; limiting retention and secondary use; and prioritising encryption-preserving investigative tools such as targeted hacking and improved international cooperation mechanisms.
