KEYWORDS: Right to Privacy, Puttaswamy Judgment, Mass Surveillance, Data Protection, Aadhaar, Pegasus Spyware, Facial Recognition, Digital Personal Data Protection Act 2023, Surveillance Capitalism, Panopticon, CCTV Networks, Predictive Policing, Telephone Tapping, Section 69 IT Act, Proportionality Doctrine, Informational Privacy, Chilling Effect, Digital Authoritarianism, GDPR, Data Localisation
👑Audio Reader (LOCKED)
Unlock with PROIntroduction
In July 2021, a consortium of seventeen media organisations across the world published the findings of the Pegasus Project, a year-long forensic investigation into the use of spyware developed by the Israeli firm NSO Group. Pegasus, when successfully deployed against a smartphone, could extract every message, every photograph, every contact, every location data point, and could activate the phone's microphone and camera remotely without the user's knowledge. The investigation identified over 50,000 phone numbers on a leaked target list across 50 countries. In India, the list included the numbers of opposition politicians, sitting cabinet ministers, journalists, Supreme Court staff connected to a sexual harassment case against a former Chief Justice, and human rights activists.
The Indian government neither confirmed nor denied that it had purchased or deployed Pegasus. The Supreme Court of India, in October 2021, constituted a technical committee to investigate, observing that the right to privacy and freedom of the press cannot be left "fully unregulated" and that the state cannot, "in every case, get a free pass merely by raising national security concerns." The committee's findings, submitted in 2022, were never made fully public.
This single episode contains within it almost every tension this essay will examine. A technology capable of total surveillance. A state unwilling to account for its use. A judiciary asserting that privacy is a constitutional right but constrained in its ability to enforce that assertion against the security apparatus of the state itself. And a citizenry left to wonder whether the device in their pocket, the instrument through which they conduct nearly every dimension of modern life, is also the instrument through which they are watched.
Mass surveillance is no longer the stuff of dystopian fiction. It is the operating condition of contemporary life. The question this essay examines is not whether surveillance exists. It does, comprehensively, and growing. The question is what mass surveillance does to the human beings subjected to it, what it does to the societies that normalise it, and what private rights, painstakingly built across centuries of political philosophy and constitutional law, remain meaningful in an age when the technical capacity to watch everyone, always, has become not merely possible but cheap.
ADDITIONAL INFORMATION — ALTERNATIVE OPENINGS
Alternative Opening 1 — Book-Based George Orwell wrote in 1984 (1949) of a society in which the telescreen could never be turned off, in which the possibility of being watched at any moment was sufficient to make every citizen their own censor. Orwell imagined this as a totalitarian nightmare, requiring an all-powerful state apparatus to implement. Seventy-five years later, the infrastructure of total surveillance exists not because any single government built Orwell's telescreen, but because billions of people voluntarily carry a more capable version of it in their pockets, manufactured by private companies, funded by advertising revenue, and increasingly accessed by states through legal process, illegal hacking, or simple purchase of commercially available data. Orwell got the mechanism wrong. He did not get the outcome wrong.
ADDITIONAL INFORMATION — ALTERNATIVE OPENINGS
Alternative Opening 2 — Quote-Based Michel Foucault, in Discipline and Punish (1975), analysed Jeremy Bentham's 18th-century design for the Panopticon, a prison architecture in which a single guard could observe all inmates without the inmates ever knowing whether they were being watched at any given moment. Foucault's insight was that the Panopticon's power did not lie in constant actual observation. It lay in the possibility of observation, internalised by the watched until they policed themselves. "Visibility is a trap," Foucault wrote. "He who is subjected to a field of visibility, and who knows it, assumes responsibility for the constraints of power." The mass surveillance architecture of the 21st century, CCTV networks, facial recognition, data retention, and communications interception, is the Panopticon realised at civilisational scale, with every citizen as both potential inmate and, through their own devices, unwitting guard.
ADDITIONAL INFORMATION — ALTERNATIVE OPENINGS
Alternative Opening 3 — Anecdote-Based In August 2017, Justice K.S. Puttaswamy, a 91-year-old retired judge of the Karnataka High Court, won what may be the single most consequential privacy judgment in Indian constitutional history. His petition had challenged the Aadhaar scheme on the grounds that mandatory biometric collection violated citizens' fundamental rights. A nine-judge bench of the Supreme Court of India unanimously declared that the right to privacy is a fundamental right, intrinsic to the right to life and personal liberty under Article 21. The judgment ran to 547 pages across six separate opinions, the longest in the Court's history. It took 70 years after the Constitution's adoption for the Court to formally recognise a right that the framers, in the words of Justice D.Y. Chandrachud's leading opinion, had always implicitly protected. A 91-year-old man's challenge to a fingerprint database became the foundation on which India's entire digital rights architecture would subsequently be built.
Thesis Statement
Mass surveillance and private rights exist in a relationship of structural tension that technology has dramatically intensified but did not create. This essay examines that tension through five dimensions: the philosophical and constitutional foundations of privacy as a right, the architecture of state surveillance in India and globally, the rise of corporate surveillance and surveillance capitalism, the specific implications of surveillance for democracy and dissent, and the legal and institutional frameworks, existing and needed, that can reconcile legitimate security and commercial interests with the preservation of private rights. Together, these dimensions reveal that the question is not whether surveillance capability should exist, but who controls it, under what oversight, for what purposes, and with what consequences for the citizen who is its object.
DIMENSION I: THE PHILOSOPHY AND CONSTITUTIONAL FOUNDATION OF PRIVACY
Privacy is among the most philosophically contested rights in modern jurisprudence, precisely because it is not a single right but a bundle of related interests: the interest in being free from unwanted observation, the interest in controlling information about oneself, the interest in making intimate decisions without external interference, and the interest in maintaining spaces, physical and mental, into which the state and others cannot intrude without justification.
Samuel Warren and Louis Brandeis, in their landmark 1890 Harvard Law Review article The Right to Privacy, were responding to the invention of a new technology: the portable camera, which for the first time allowed photographs to be taken of people without their consent or even knowledge, and reproduced in newspapers. They argued for "the right to be let alone", recognising that new technology had created a capacity for intrusion that existing law had no framework to address. The pattern Warren and Brandeis identified, technology outpacing the law's capacity to protect established rights, has repeated with every subsequent surveillance technology: the telephone, the wiretap, the database, the internet, the smartphone, and now artificial intelligence-driven analysis of all of these simultaneously.
India's constitutional journey toward recognising privacy is instructive precisely because of its delay. The framers of the Constitution did not include an explicit right to privacy, a deliberate choice influenced by the American Constitution's similar silence and by post-colonial anxieties about excessive individual rights constraining the developmental state. For decades, the Supreme Court oscillated: Kharak Singh v. State of UP (1962) rejected privacy as a fundamental right while permitting police domiciliary visits; Govind v. State of MP (1975) recognised a limited privacy interest; but no definitive ruling existed.
The Puttaswamy judgment of 2017 ended this ambiguity decisively. The Court held that privacy is intrinsic to Article 21's guarantee of life and personal liberty, that it encompasses bodily integrity, informational self-determination, and decisional autonomy, and crucially, that any state action infringing privacy must satisfy a three-fold test of proportionality: it must be backed by law, must serve a legitimate state aim, and the means adopted must be proportionate to the aim pursued and the least restrictive alternative available. This proportionality doctrine, borrowed from European constitutional jurisprudence, is now the central legal standard against which every Indian surveillance practice, from Aadhaar to telephone tapping to facial recognition deployment, must be measured.
The philosophical stakes of this recognition are profound. Justice Chandrachud's opinion in Puttaswamy explicitly linked privacy to dignity, drawing on the Kantian principle that human beings must be treated as ends in themselves, never merely as means. A surveillance state that treats its citizens as objects to be monitored, predicted, and managed violates this principle regardless of whether the monitoring ever produces an adverse consequence for any individual citizen. The violation lies in the relationship itself, not merely in its outcomes.
DIMENSION II: STATE SURVEILLANCE — THE ARCHITECTURE OF WATCHING
The Indian state's surveillance architecture has expanded dramatically across the past two decades, driven by legitimate security concerns, technological capability, and an institutional culture that has historically prioritised executive discretion over judicial or legislative oversight.
Telephone interception under Section 5(2) of the Indian Telegraph Act, 1885, and Section 69 of the Information Technology Act, 2000, permits government agencies to intercept communications on grounds including national security, public order, and prevention of crime. The PUCL v. Union of India (1996) judgment established procedural safeguards: interception orders must be issued by the Home Secretary, reviewed by a committee, and limited to 60 days with renewal possibilities up to 180 days. In practice, RTI responses obtained by civil society organisations have revealed that the Union Home Ministry alone issues approximately 7,500 to 9,000 interception orders monthly, a scale that makes the individualised review contemplated by the procedural safeguards practically impossible.
Facial Recognition Technology (FRT) represents the newest frontier of state surveillance infrastructure. The National Automated Facial Recognition System (NAFRS), approved by the Ministry of Home Affairs, aims to create a nationwide database linking facial images from passport records, criminal records, and CCTV feeds for law enforcement matching. Delhi Police's FRT deployment, used during the 2020 Delhi riots investigations and at protest sites, has been criticised by the Internet Freedom Foundation for operating without any specific legal framework, without published accuracy audits, and with documented higher error rates for women and individuals with darker skin tones, replicating globally documented FRT bias.
CCTV proliferation has transformed Indian cities into some of the most surveilled urban spaces on Earth. Comparitech's 2021 global surveillance index ranked Hyderabad, Chennai, and Delhi among the top ten most surveilled cities globally by camera density per capita, with Hyderabad's ratio exceeding that of many Chinese cities. The Safe City projects under the Nirbhaya Fund, intended to enhance women's safety, have been the primary driver of this camera proliferation, but the data governance framework, who can access footage, for what purposes, and with what retention limits, remains largely unspecified at the municipal level across most Indian cities.
The Central Monitoring System (CMS), operational since 2013, is designed to give security agencies direct access to all telecommunications traffic in India without requiring telecom operators to be informed of specific interception requests. Combined with the National Intelligence Grid (NATGRID), which aims to integrate databases from banking, telecom, immigration, tax, and other sources into a single searchable system accessible to intelligence agencies, India's state surveillance architecture is approaching the technical capability for comprehensive, real-time tracking of any individual's communications, movements, and transactions, constrained currently more by implementation gaps than by legal limits.
Globally, the Snowden disclosures of 2013 revealed that the US National Security Agency's PRISM and XKeyscore programmes had access to data from major technology companies and the capacity to search global internet traffic for any selector, email address, phone number, or IP address, virtually in real time. China's social credit system and the Xinjiang surveillance apparatus, documented extensively by Human Rights Watch, represents the most comprehensive integration of facial recognition, mobile phone monitoring, and predictive policing deployed against an ethnic minority population, the Uyghurs, in human history.
DIMENSION III: SURVEILLANCE CAPITALISM — WHEN THE WATCHER IS THE MARKET
Shoshana Zuboff, in The Age of Surveillance Capitalism (2019), identifies a transformation in the economic logic of digital technology companies that has occurred largely outside public awareness: the discovery that human behaviour itself, extracted through continuous observation, could be the raw material of an entirely new market. Every search query, every click, every location ping, every pause before scrolling past a post, generates "behavioural surplus": data that, aggregated across billions of users and analysed by machine learning, can predict and influence future behaviour with commercial value far exceeding the value of the service that generated the data in the first place.
The business model of surveillance capitalism is structurally different from traditional commerce. A traditional business sells a product or service to a customer in a transaction both parties understand. Surveillance capitalism's product, predictions about user behaviour sold to advertisers, is invisible to the user whose behaviour generates it. The user experiences a "free" service. The actual customer, the advertiser purchasing behavioural predictions, never interacts with the user at all. The user is not the customer. The user is the source of raw material.
The implications for private rights are profound precisely because this surveillance operates through manufactured consent. Terms of service agreements, which research by the Norwegian Consumer Council (2016) found would take the average person 76 working days per year to read in full across all the digital services they use, function as legal cover for data collection practices that few users meaningfully understand or could meaningfully refuse, given the near-impossibility of participating in modern economic and social life without using these services.
Data breaches translate this surveillance infrastructure into direct harm. The 2021 breach of the Air India passenger database exposed the personal data of 4.5 million customers including passport and credit card details. The 2023 breach reportedly affecting the Indian Council of Medical Research's COVID testing database allegedly exposed Aadhaar and passport details of over 800 million Indians, though the scale and verification of this breach remain disputed. Each breach demonstrates that data collected for one purpose, in this case public health, becomes a permanent liability, a honeypot for malicious actors, regardless of the benign intentions of the original collector.
The Cambridge Analytica scandal (2018), in which the personal data of 87 million Facebook users was harvested without consent and used to build psychological profiles for political microtargeting, demonstrated the convergence of surveillance capitalism and political manipulation. The data extracted for commercial advertising purposes became the raw material for influencing democratic elections in the United States, the United Kingdom's Brexit referendum, and elections across the Global South.
DIMENSION IV: SURVEILLANCE, DISSENT, AND THE DEMOCRATIC CHILLING EFFECT
The chilling effect is the term legal scholars use to describe the phenomenon by which the mere possibility of surveillance, regardless of whether surveillance is actually occurring, changes behaviour. Jon Penney's 2016 empirical study, examining Wikipedia traffic patterns before and after the Snowden revelations, found a statistically significant decline in traffic to articles on topics like terrorism, surveillance, and extremism in the months following the disclosures, despite no change in the legal status of accessing such information. People who learned that mass surveillance existed changed their information-seeking behaviour, even though nothing about their legal rights had changed. The chilling effect operates on knowledge of surveillance, not on surveillance itself.
For journalism and press freedom, this chilling effect is existential. The Pegasus Project's targeting of Indian journalists, combined with the 2021 amendments to the IT Rules requiring intermediaries to enable traceability of message originators, creates an environment in which sources, whistleblowers, and journalists must assume that their communications may be monitored. The Committee to Protect Journalists has documented that journalists in multiple countries, including India, now routinely use air-gapped devices, encrypted communication tools, and physical meetings to communicate with sensitive sources, a return to pre-digital communication security practices necessitated by the surveillance capabilities of digital ones.
For political dissent and civil society, mass surveillance has specific and documented effects on organisational capacity. The Bhima Koregaon case, in which several activists, academics, and lawyers were arrested under the Unlawful Activities Prevention Act based partly on digital evidence that forensic analysis by Arsenal Consulting (commissioned by the Washington Post and Boston-based forensic firm) found had been planted on their devices through malware, demonstrates the most severe form of surveillance abuse: not merely watching dissidents but using surveillance access to fabricate evidence against them. Several of the accused spent years in pre-trial detention before this forensic evidence emerged.
The Citizenship Amendment Act protests of 2019-2020 saw extensive use of facial recognition technology by Delhi Police to identify and track protest participants, raising concerns documented by Amnesty International and the Internet Freedom Foundation about the use of surveillance technology specifically to deter participation in lawful protest, a direct chilling effect on the constitutional right to assembly under Article 19.
Globally, the pattern of digital authoritarianism, documented annually by Freedom House's Freedom on the Net report, shows a consistent global trend: governments across the political spectrum, not only authoritarian ones, increasingly use internet shutdowns, surveillance technology, and content removal demands to manage dissent. India led the world in internet shutdowns for the sixth consecutive year in 2023, according to Access Now's #KeepItOn coalition, with over 116 shutdowns recorded, predominantly in Jammu and Kashmir and Manipur during periods of unrest. Internet shutdowns are surveillance's blunter cousin: where surveillance monitors communication, shutdowns prevent it entirely, achieving a similar suppressive effect through cruder means.
DIMENSION V: LEGAL FRAMEWORKS AND THE PATH TO RECONCILIATION
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection legislation, arriving six years after Puttaswamy mandated such a framework. Its core provisions establish consent as the primary legal basis for data processing, create rights for individuals to access, correct, and erase their data, and establish a Data Protection Board with enforcement powers including penalties up to Rs 250 crore for significant violations.
However, the Act's most significant limitation is Section 17(2)(a), which exempts processing by government agencies "in the interest of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order" from most of the Act's protections, without the safeguards, judicial oversight, or sunset clauses that comparable exemptions in other jurisdictions typically require. Critics including the Internet Freedom Foundation and the Software Freedom Law Centre have argued that this exemption potentially places the state's own surveillance activities largely outside the framework the Act otherwise establishes, replicating the central tension that Puttaswamy's proportionality test was designed to resolve, but without the procedural mechanisms Puttaswamy contemplated.
The European Union's General Data Protection Regulation (GDPR, 2018) remains the global benchmark for data protection law, distinguished by its extraterritorial application (applying to any entity processing EU citizens' data regardless of location), its data protection impact assessment requirements for high-risk processing, and its enforcement record, including fines exceeding EUR 1.2 billion against Meta in 2023 for unlawful data transfers. GDPR's "privacy by design and default" principle, requiring privacy protections to be built into systems from inception rather than added retroactively, represents the design philosophy that surveillance reform in India and elsewhere has yet to fully embrace.
Judicial oversight of surveillance remains India's most significant institutional gap. Unlike the United States' Foreign Intelligence Surveillance Court (FISC), which, despite its own well-documented limitations, provides at least a judicial review mechanism for surveillance warrants, India's interception approval process remains entirely within the executive branch, reviewed by a committee of bureaucrats rather than judges. The Justice B.N. Srikrishna Committee Report (2018), which formed the basis for India's data protection legislative process, explicitly recommended judicial or quasi-judicial oversight of surveillance requests. This recommendation was not incorporated into the final DPDP Act.
The proportionality framework established in Puttaswamy provides the judicial tools for reform even without new legislation. The Anuradha Bhasin v. Union of India (2020) judgment, addressing the Kashmir internet shutdown, applied proportionality analysis to internet restrictions, holding that indefinite shutdowns were disproportionate and that the government must publish orders and conduct periodic review. The judgment's principles, publication of surveillance orders, periodic review, and necessity and proportionality assessment, provide a template that could be extended to telephone interception, FRT deployment, and data sharing between state agencies, through judicial decisions even in the absence of comprehensive legislative reform.
Penultimate Analysis
Mass surveillance capability cannot be uninvented. The question is not whether such capability will exist but whether it will operate within an architecture of accountability that preserves the private rights Puttaswamy recognised as constitutional core. Five reforms can build this architecture.
First, establish judicial oversight of surveillance authorisation. Every interception order, every FRT deployment for law enforcement purposes, and every request for data from private companies above a defined threshold should require prior authorisation from a designated judicial officer, not merely executive committee review. This is not a novel proposal. It is the standard already applied to physical searches under the Criminal Procedure Code. Digital searches of a person's entire life, contained in their phone, deserve at least the judicial scrutiny applied to a physical search of their home.
Second, mandate transparency reporting and sunset clauses. Every surveillance programme, NATGRID, CMS, FRT deployments, should be subject to mandatory periodic transparency reports to Parliament, disclosing aggregate statistics on usage, and sunset clauses requiring legislative reauthorisation. The US USA FREEDOM Act (2015), which ended the NSA's bulk telephone metadata collection programme through mandatory reauthorisation review, demonstrates that even powerful security establishments can be brought within periodic legislative accountability.
Third, close the Section 17(2)(a) exemption gap in the DPDP Act. Government processing of personal data for security purposes should remain subject to the proportionality test, with the Data Protection Board empowered to review government data processing under a confidential but judicially supervised process, analogous to the FISC model, rather than being exempted from the Act's framework entirely.
Fourth, regulate facial recognition and biometric surveillance through dedicated legislation. The absence of any specific legal framework for FRT in India means that one of the most intrusive surveillance technologies operates entirely outside legislative scrutiny. Mandatory accuracy audits, bias testing across demographic groups, use-case restrictions, and judicial authorisation requirements for FRT deployment, modelled on emerging frameworks in the EU's AI Act, should be enacted as dedicated legislation before further deployment expansion.
Fifth, build digital literacy and rights awareness as civic infrastructure. The DPDP Act's consent-based framework is only meaningful if citizens understand what they are consenting to. The Data Protection Board, in partnership with consumer protection bodies and civil society organisations, should fund large-scale public education campaigns, available in regional languages, explaining data rights, surveillance realities, and practical digital security measures. A right that citizens do not know they have is a right that exists only on paper.
Conclusion
Justice K.S. Puttaswamy did not live to see the full consequences of the judgment that bears his name. He passed away in 2019, two years after the Supreme Court vindicated his challenge. But the principle his case established, that privacy is the constitutional core of human dignity, not an elitist construct but inherent in the personality of every individual, has become the foundation against which every subsequent expansion of surveillance capability in India must, in principle, be measured.
Across the five dimensions of this essay, a consistent pattern has emerged. The philosophy is settled: privacy is a fundamental right, and any infringement must satisfy proportionality. The state's surveillance architecture has expanded faster than the institutional oversight required to keep it accountable to that philosophy. Corporate surveillance operates through a consent architecture so attenuated that it provides little genuine protection, while generating the behavioural data that increasingly merges with state surveillance capability. The chilling effect on dissent, journalism, and civil society demonstrates that the stakes of mass surveillance extend far beyond individual privacy to the conditions democratic society requires to function. And the legal and institutional tools for reconciliation exist, but remain incomplete, fragmented, and in the case of the DPDP Act's most significant provisions, deliberately limited where the state's own conduct is concerned.
Edward Snowden wrote that privacy is not merely an entitlement but an absolute prerequisite for the flourishing of any meaningful relationship between an individual and a state. This is the deepest stake of the mass surveillance question. A citizen who knows they may be watched at any moment, whose every communication may be intercepted, whose face may be matched against a database at any public gathering, does not relate to their state as a free citizen relates to a government of their own making. They relate to it as a subject relates to a sovereign. The entire architecture of democratic accountability, the assumption that citizens can criticise, organise, dissent, and vote without fear, depends on the absence of this surveillance relationship, or at minimum, on its operation within visible, accountable, and legally bounded limits.
Dr. B.R. Ambedkar's insistence that liberty, equality, and fraternity form a union of trinity, inseparable from each other, applies with particular force to the privacy question. A surveillance architecture that operates without judicial oversight, without transparency, and without proportionality is not merely a privacy violation. It is a liberty violation, because the watched citizen self-censors. It is an equality violation, because surveillance has historically and currently falls disproportionately on minorities, dissidents, and the politically inconvenient. And it is a fraternity violation, because a society in which citizens cannot trust that their communications with each other are free from state intrusion cannot build the mutual trust that democratic fraternity requires.
The technology of watching has reached a point that no previous generation could have imagined. The Constitution's commitment to dignity, recognised seventy years late but recognised nonetheless, has not. The task of this generation is to ensure that the gap between what surveillance technology can do and what constitutional principle permits does not become the space in which Indian democracy quietly loses what makes it democratic.
"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." — Benjamin Franklin, 1755
Practice makes perfect! This model answer was structurally evaluated and crafted using NibandhAI. Practice writing your own essays, get instant AI-evaluated feedback, and master the art of UPSC Mains Answer Writing with Drona Studio. Start drafting your essay now.
This essay addresses the RPSC Mains Essay Paper (GS Paper — Essay), Year 2023. Relevant to: UPSC, RPSC, UPPSC, UKPSC, and all State Services Essay Papers. Dimensions covered: Right to Privacy, Mass Surveillance, Data Protection, Proportionality, Democratic Freedom. Estimated length: 10 to 11 pages.
Unlock Solved Essay (Free Account)
Log in or create a free account to read the complete solved essay and play the audio narration.