Is Kashmir ramping up its surveillance campaign?

In December 2021, 'A', a 28-year-old independent journalist based in Kashmir who requested to conceal his identity, woke up to a distressing call from one of the anonymous sources he interviewed for a story.

"I was summoned last night by the J&K [Jammu and Kashmir] Police and they had access to all our WhatsApp conversations that we spoke in confidentiality," the source told A over the phone. 

It was the moment when A, who had been covering stories on human rights violations in Kashmir, got paranoid. He immediately deleted all his messaging apps and did not re-downloaded them for several months. "The paranoia was real," A told FairPlanet. "I was concerned about my sources who entrusted me with information - and all of that was at risk of being no longer private conversations." 

On 5 August, 2019, the Indian government abrogated Article 370 of the Indian Constitution, which granted the state of Jammu and Kashmir a semi-autonomous status. The move was followed by the deployment of thousands of troops, a blockade of communication channels and an internet shutdown that lasted nearly one and a half years. Since then, a growing mass surveillance system has been built in the region, which is one of the world's largest militarised zones.

"[Surveillance] is not a new thing. My childhood has been spent with troops suspecting and interrogating us at every nook and corner of the valley. But what has changed though is how the surveillance state is aided by the modern-day technology of the Indian state and the database exercise is a new one in the list," A said, referring to the Jammu and Kashmir administration's recent development of family databases.

Rising criticism

On 26 November, 2022, Jammu and Kashmir's Lieutenant Governor announced that the government would create a personal database of all the families in the Union territory as a part of the Jammu and Kashmir digital vision document.

As per the document, "Each family will be provided with a unique alpha-numeric code called JK Family ID. The data available in the family database would be used to determine eligibility through the automatic selection of beneficiaries for receiving social benefits."

The database will contain the information of every family member in the region, including their name, age, qualifications, employment status and marital status, among other details. The Jammu and Kashmir government claims that the unique family ID will facilitate citizens' access to various social welfare programmes and benefits.

But some opposition parties and digital rights advocates have condemned the move as yet another surveillance tactic employed by the Jammu and Kashmir government.

Speaking to FairPlanet, Mohit Bhan, a spokesperson of the People's Democratic Party (a prominent opposition party in the region) said, "There is already Aadhar linked for direct beneficiary transfer. What is the purpose of spending time and energy on collecting sensitive personal data?"

In 2018, India's huge Aadhar database was reportedly breached, which affected over one billion ID holders. 

A report published by the Netherlands-based cybersecurity firm Surfshark VPN revealed that India ranked sixth among countries vulnerable to digital attacks since such attacks were first recorded in 2004.

Any possible breach of sensitive personal details in a conflict-hit region, particularly in the absence of a national data protection law, constitutes a major data security concern , as pointed out by human rights activists. 

Old story, new forms of storytelling

As per the reports, the government has been exercising surveillance over the region of Jammu and Kashmir citing its vulnerability to security threats and conflict.

Previously, it subjected new government employees to a three-stage verification process by the local police, the CID, and police counter intelligence, upon their appointment, which included monitoring their social media history.

Anushka Jain, a policy counsel (Surveillance and Transparency) at Internet Freedom Foundation, told FairPlanet: "There's a high-level of control by the government in Jammu and Kashmir. Until there are no safeguards preventing the misuse of private information, the database in question is likely to become a surveillance tool."

As per a report published by Medianama, Jammu and Kashmir police asked for the e-tenders for the supply, installation and commissioning of CCTV cameras at Raj Bhawan Jammu and Srinagar. Recently, the government has passed several such orders which gradually cover the entire region of Jammu and Kashmir with surveillance cameras.

The report also mentions how the police plans to introduce a Facial Recognition System (FRTs) with a database that can store details of more than 10,000 people, after installing CCTVs.

The mass survelliance structure in Kashmir has resulted in the censorship and curbing of dissenting voices - including those of political opposition members, journalists and civil society.

According to Amnesty International's report on Jammu and Kashmir after the revocation of Article 370, there were several instances where journalists were not only spied on but also detained, interrogated and harassed into revealing their sources.

Maknoon Wani, a tech and policy researcher at the Council for Strategic and Defense Research, stated that the purported purpose of the database is but a facade for its true function: tightening the authorities' scrutiny over civilians.

"The family ID database will not help in expediting the delivery of benefits to the citizens," he told FairPlanet. "[The government] already have Aadhar and ration card information for providing citizen benefits."

Contesting the government’s claim of obtaining the consent of families who participate in the database exercise, Wani said, "If you mandate the family ID for availing health services or ration, you're not leaving them much choice but to comply with the database procedure."

Privacy vs Public security

The Jammu and Kashmir digital vision document itself concedes that in the absence of data protection laws in India, the digitisation of data is at the risk of being breached in cyber-attacks.

Compared to the European Union's General Data Protection Regulation (GDPR), which is considered the most stringent framework on data protection and privacy rights in the world, India struggles to formulate a distinct data protection law for its citizens.

My Kichloo, a senior police superintendent for security, told PTI news agency: "We will face the same problems in Jammu and Kashmir which are faced across the country vis-a-vis data."

He added that a notification under Section 70 of the Information Technology (IT) Act will be issued soon by the Jammu and Kashmir government and declare that all information structures of government offices and public sector companies are to be protected.

Jammu and Kashmir's IT department, which is responsible for the database exercise, refused to comment when asked about potential privacy breaches. 

"If the government designated a system as 'protected,' it is entitled to additional safeguards and protection under the law," Divyam Nandrajog, a cybersecurity researcher and lawyer at the Delhi High Court, told FairPlanet. "However, there's still no law that explicitly says that if the data is compromised, they can sue the government for it."

India's Digital Personal Data Protection Bill of 2022 is expected to be discussed in parliament this year. The bill, initially introduced in 2018, was withdrawn due to strong opposition on exempting the central government and its agencies from its provisions. 

"I believe that a balance must be struck between both - privacy and public security," Nandrajog added. "The database must be created only after a data protection law is implemented, which also provides for a citizen to hold the government accountable for any misuse of their personal data."

Image by Parker Coffman.