"Right to privacy v. Infringement of cyber laws
The right to privacy is one of the most essential element of several legal
systems that aim to restrain governmental and private actions that infringe or
threaten individual's right to privacy.
Whereas on the other hand Government organisations including the NSA, CIA, R&AW,
and GCHQ have conducted extensive global monitoring in an effort to combat
national and international terrorism.
Government hacking or surveillance pose serious risks to individual's security
and privacy. With the ability to remotely and covertly access our personal
gadgets and all the personal data they store, it has the potential to be much
more intrusive than any other surveillance method.
The threat to users' privacy and security is evolving and getting more serious.
This threat comes from indirect infiltration, such as monitoring software that
has been covertly installed on computers, rather than direct attacks by viruses
or hackers. These monitoring applications are called spyware, and serve to
record and transmit a user's computer uses and behaviors to third parties.
Frequently used by marketers to harvest customer data for segmentation and
Henceforth the key question that follows is whether or not the right to privacy
needs to be forfeited as a condition of the social compact in order to
strengthen and bolster defence against alleged terrorist threats. Threats of
terrorism and national security might also be a pretext for spying on the
Elucidation of the term SPY
The literal interpretation or dictionary meaning of the term SPY is a person
employed by a government or other organization to secretly obtain information on
an enemy or competitor. In other terms, SPY means to work for a government or
other organization by secretly obtaining information about enemies or any other
Espionage is the crime of spying on or secretly monitoring a person, business,
government, or other entity with the intention of acquiring sensitive
information or detecting wrongdoing and transferring such information to another
entity or state. Industrial espionage, which is the obtaining of a company's
confidential information for the advantage of another company, is a separate
crime in many jurisdictions.
Meaning of Spyware
Spyware is a type of malicious software that is placed on a computer without the
knowledge of the end user. It intrudes into the system, takes personal,
sensitive and internet usage data, and then transmits it to other parties like
advertising, data companies, or other users. Any software that is downloaded
without the user's consent can be considered as a spyware.
One of the most
prevalent threats to internet users is spyware. Once installed, it keeps
track of login details, spies on confidential data, and monitors internet
activities. Spyware's main objective is often to collect passwords, banking
information, and credit card numbers - an insidious prerequisite for cybercrime.
However, spyware, such as stalkerware, can also be used to track a person's
location. It can track the victim's physical location, intercept emails and
texts, listen in on phone calls and record conversations, and access personal
information like photos and videos.
Spyware can be used to send computers specialised advertisements. Since installs
can be approved as a part of the licensed "clickwrap" agreement that users agree
to when installing free utility and file-sharing apps from the Internet, spyware
is frequently used legally. In certain circumstances, spyware is installed as
a component of legitimate computer software that companies sell to their
customers in order to give application users update and communication features.
It appears that the ability to monitor remotely and connect with computers is
alluring enough to draw the attention of third parties with nefarious and
Spyware is controversial because, even when it is deployed for comparatively
innocent purposes, it has the potential to be exploited and to breach the
privacy, breach and theft of data of the end user.
Relevant Laws: Cyber-Crime and Right to Privacy
The Telegraph Act, 1885 and the Information Technology (IT) Act, 2000 contain
several electronic surveillance related provisions. For example, section 5 of
the Telegraph Act, 1885 empowers the Government to intercept messages only
where the main concern is public safety, sovereignty, friendly relations with
foreign States, or public order and integrity of India. The Act further provides
that the interception cannot be used as a tool for securing political advantage
or personal benefits, and that it should only be temporary. The section also
restricts the interception of press communications unless that has been
prohibited by the law.
Further the term "Data" is defined u/s 2(1)(o) of IT Act 2000, as a
formalised representation of information, knowledge, facts, concepts, or
instructions that is processed in a computer system/network, and may take any
form, including computer printouts, magnetic or optical storage media, etc.
Moreover, the term "information" has been defined u/s 2(v) of the IT Act. It
includes data, message, text, images, sound, voice, codes, computer programmes,
software and data bases or micro film or computer-generated micro fiche.
Data protection consists of a technical framework of security measures designed
to guarantee that data are handled in such a manner as to ensure that they are
safe from unforeseen, unintended, unwanted or malevolent use.
Breach of Data
Sec. 72 of the IT Act provides for a criminal penalty where a government
official discloses records and information accessed in the course of his or her
duties without the consent of the concerned person, unless permitted by other
laws. Hence, it is can be stated that a breach of data specifically means
stealing of data that may involve sensitive, proprietary, or any other
information, without the permission of its owner. Hence is can be stated
that a breach of data specifically means stealing of data that may involve
sensitive, proprietary, or any other information, without the permission of its
Moreover, sec. 66C of IT Act, prescribes punishment for identity theft and
provides that anyone who fraudulently or dishonestly makes use of the electronic
signature, password or any other unique identification feature of any other
person shall be punished. The term 'unique identification feature' includes the
identity recognised by face of an individual. Moreover, UIDAI has
implemented the face recognition feature as an additional mode of Aadhaar
In addition, rule 3 of the Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules provides an
aggregated definition of sensitive personal data as follows:
Sensitive personal data or information of a person means such personal
information which consists of information relating to:
- financial information such as bank account or credit card or debit card
or other payment instrument details;
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history;
- Biometric information;
- any detail relating to the above clauses as provided to body corporate
for providing service; and
- any of the information received under above clauses by body corporate
for processing, stored or processed under lawful contract or otherwise.
Provided that, any information that is freely available or accessible in public
domain or furnished under the Right to Information Act, 2005 or any other law
for the time being in force shall not be regarded as sensitive personal data or
information for the purposes of these rules.
Moreover, acc. to sec. Rule 2(1)(i) of the Information Technology
(Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information) the term "Personal information" means any information that relates
to a natural person, which, either directly or indirectly, is capable of
identifying such person.
In K.S.Puttaswamy V. Union Of India
 it was stated that "privacy also
includes the right to control dissemination of personal information, preventing
awkward social situations and reducing social frictions. On information being
shared voluntarily, the same may be said to be in confidence and any breach of
confidentiality is a breach of the data and trust. Also, it is but essential
that the individual knows as to what the data is being used."
Right to Privacy
The right to privacy is inherent to the liberties guaranteed by the Constitution
and is an element of human dignity. The citizen has the right to safeguard
the privacy of his own, his family, marriage, procreation, motherhood,
child-bearing and education among other matter and no one can publish anything
concerning the above matters without his consent whether truthful or otherwise
and whether laudatory or critical.
The right to self-preservation and
reputation also falls within the ambit of art 21. The wrongful disclosure of
private information is considered as invasion of privacy. A proper degree of
privacy is essential for the well-being and development of an individual." 
Sec. 72 of the IT Act states the penalty for Breach of confidentiality and
privacy. It provides for a criminal penalty where a government official
discloses records and information accessed in the course of his or her duties
without the consent of the concerned person, unless permitted by other laws.
Such unauthorized disclosure is punishable "with imprisonment for a term which
may extend to 2 years, or with fine which may extend to 1 lakh rupees, or
In the legal parlance the issue of confidentiality comes up where an obligation
of confidence arises between a data collector and a data subject. An obligation
of confidence gives the data subject the right not to have his information used
for other purposes or disclosed without his permission. However, personal
data is protected through indirect safeguards developed by the courts under
common law, principles of equity and the law of breach of confidence.
landmark judgment, the SC has recognised the right to privacy as a
fundamental right u/a 21 of the Constitution as a part of the right to "life"
and "personal liberty". "Informational privacy" has been recognised as being a
facet of the right to privacy and the court held that information about a person
and the right to access that information also needs to be given the protection
The SC has expressly recognised the right of individuals over their personal
data and stated that the "right of individuals to exclusively commercially
exploit their identity and personal information, to control the information that
is available about them on the internet and to disseminate certain personal
information for limited purposes alone" emanates from this right.
While keeping in mind that a private conversation is a conversation which is
made under circumstances creating a reasonable expectation of privacy,
whereas use of spyware which intrudes in the personal system of an individual
may lead to breach of reasonable expectation of privacy of an individual.
The Information Technology Act, 2000, was put in place by the Indian government
to restrict these actions that infringe Internet users' rights. Here are some of
its sections that empower Internet users and attempt to safeguard the
Section 65 - Tampering with computer Source DocumentsA person who intentionally conceals, destroys or alters any computer source code
(such as programmes, computer commands, design and layout), when it is required
to be maintained by law commits an offence and can be punished with 3 years'
imprisonment or a fine of 2 Lakhs INR or both.
Section 66- Using password of another personIf a person fraudulently uses the password, digital signature or other unique
identification of another person, he/she can face imprisonment up to 3 years
or/and a fine of 1 Lakh INR.
Section 66D- Cheating using computer resourceIf a person cheats someone using a computer resource or a communication device,
he/she could face imprisonment up to 3 years or/and fine up to 1 Lakh INR
Section 66E - Publishing private images of othersIf a person captures, transmits or publishes images of a person's private parts
without his/her consent or knowledge, the person is entitled to imprisonment up
to 3 years of fine up to 2 Lakhs INR or both 
Section 66F - Acts of cyber terrorismA person can face life imprisonment if he/she denies an authorized person the
access to the computer resource or attempts to penetrate/access a computer
resource without authorization, with an aim to threaten the unity, integrity,
security or sovereignty of the nation. This is a non-bailable offence.
Section 67 - Publishing Child Porn or predating children onlineIf a person captures, publishes or transmits images of a child in a sexually
explicit act or induces anyone under the age of 18 into a sexual act, then the
person can face imprisonment up to 7 years or fine up to 10 lakhs INR or
Section 69 - Government Power to block websiteIf the government feel it necessary in the interest of sovereignty and integrity
of India, it can intercept, monitor or decrypt any information generated,
transmitted, received or stored in any computer resource. The power is subject
to compliance of procedure. Under section 69A, the central government can also
block any information from public access.
Section 43A - Data Protection at corporate levelIf a body corporate is negligent in implementing reasonable security practices
which causes wrongful loss or gain to any person, such body corporate shall be
liable to pay damages to the affection person.
Misuse Of Spy Software Is A Cybercrime
Cyber spying is a cybercrime and is sometimes referred to as cyber espionage. It
occurs when hackers target computers or IT networks in an effort to get
information that could be sensitive or personal. This data is often in digital
form, and the hacker can make profit out of it.
Webopedia refers to cybercrime as:
"Any criminal act dealing with computers and
Hackers use a variety of techniques and Malware Programmes to
evade their detection. Social media networks can potentially be used by cyber
spies for harassment or other purposes. Hackers that engage in cyber spying may
have harmless or detrimental intentions. Cyber spying is a threat to both
individual safety and national security. It may be used to gain more information
about individuals, groups, and governmental institutions.
Cyberspying has advanced in recent years to include the use of social media
platforms like Twitter and Facebook. Spying may take many different forms, from
businesses tracking your interests to create effective advertisements to
identity theft. Social media has grown to play a significant role in online
stalking. Cyberstalking is the practice of repeatedly harassing or frightening
someone using electronic means, such as sending threatening emails. Such
activities of cyber stalking and identity theft does fall within the ambit of
Cyber spying has become one of the most essential subject as a threat to the
national security and individual privacy. If we understand it by the way of an
"President Obama has identified cyber security as one of the most serious
economic and national security challenges we face as a nation". According to Jun
Isomura," a senior fellow at the Hudson Institute, a Washington think tank,
China divides cyber into two target areas: political and military." As on
the military side, China's "targets include the entire US defense community,
including US intelligence and the defense industry." In February 2013, the
US claimed that "China's People's Liberation Army had stolen data from 115 U.S.
companies over a seven-year period."
There are many such cyber security instances that has occurred in past. Hence
infringement of such security is a matter of national security now a days.
Reasonable Restriction On Right To Privacy
Art. 19(2) of the Constitution provides that this right is not absolute and
'reasonable restrictions' may be imposed on the exercise of this right in the
interest of sovereignty and integrity of India, security of the state, friendly
relations with foreign states, public order, decency and morality and contempt
of court, defamation and incitement to an offence.
In Chintaman Rao v/s State Of Madhya Pradesh  & Express Newspaper v/s
Union Of India 
, the SC opined that "a restriction in order to be referred to as
reasonable shall not be arbitrary and shall not be beyond what is required in
the interest of the public. The reasonable implies intelligent care and
deliberation Legislation which arbitrarily or excessively invades the right
can't be said to contain the quality of reasonableness and unless it strikes a
proper balance between the freedom guaranteed. In addition to this, the
restriction imposed shall have a direct or proximate nexus with the object
sought to be achieved by the law."
Moreover, the principle on which the power of the state to impose restriction is
based is that all individual rights of a person are held subject to such
reasonable limitation and regulations as may be necessary or expedient for the
protection of the rights of others, generally expressed as the social or public
Hence national security is one of the most essential exception to right to
privacy and thus is a reasonable restriction over a person's privacy.
||Commercial Spyware Vendor(S)
||Hacking Team, Black Cube, NSO Group/Pegasus
||Black Cube involvement in a campaign to
discredit nongovernmental organizations ahead of Hungary's April
election; more than 300 phone numbers for journalists, lawyers, business
executives, and activists found on the Pegasus spying list
||Spyware targeting hundreds of journalists,
activists, opposition politicians, government officials, and business
||Numerous high-profile incidents of
surveillance and targeted malware attacks
||Hacking Team, NSO Group/Pegasus, FinFisher,
||Malware to track civil society, opposition,
groups, and journalists
||Hacking Team, NSO Group/Pegasus, FinFisher,
Decision Group, NSO Group/Circles
||Abusive use of spyware to target civil
||Security officials authorized to tap online
communications; Pegasus software targeting Rwandan dissidents at the
behest of the government
||Hacking Team, NSO Group/Pegasus, FinFisher
||Extensive documented abuse of spyware to
target political opponents and civil society
||Catalan politicians targeted by government
||Hacking Team, Blue Coat, NSO Group/Circles
|Targeted surveillance against civil
society and regime opponents
||Hacking Team, FinFisher, NSO Group
||Extensive spyware links; most forms of
telecommunication tapped and intercepted
The regime types listed here refer to close autocracy (CA), electoral
autocracy (EA), electoral democracy (ED), and liberal democracy (LD).
Does the government's use of spyware constitute a cybercrime by violating the
right to privacy or is justified on the ground of national security?
Right to privacy is fundamental right of an individual granted by the supreme
law of the nation, i.e. the constitution of India. However fundamental rights
are not absolute in nature hence reasonable restriction can be imposed. Hon'ble
Supreme Court held that the unnecessary interruption on people's lives through
surveillance is an infringement of the right to privacy.
While examining the
Constitutional validity of section 5(2) of the Telegraph Act, a two-judges
bench of the Supreme Court held in People's Union of Civil Liberties v. Union of
 held that telephone tapping is an invasion of a person's privacy.
"it is no doubt correct that every Government, howsoever
democratic, exercises some degree of Subrosa operation as a part of its
intelligence out-fit but at the same time citizen's right to privacy has to be
protected from being abused by the authorities of the day". The Court further
issued certain guidelines to be followed while phone tapping and electronic
Article 17 of the International Covenant on Civil and Political Rights  also
upholds a person's privacy, and provides that "no one shall be subject to
arbitrary or unlawful interference with his privacy, family, human or
correspondence, nor to lawful attacks on his honor and reputation".
provision can also be found in article 12 of the Universal Declaration of Human
Rights; "no one shall be subjected to arbitrary interference with his
privacy, family, home or correspondence, nor to attacks upon his honor and
reputation. Everyone has the right to the protection of the law against such
interference or attacks." As India is bound by these international treaties, it
must apply the latter and protect the privacy of its citizens by respecting
In this context, the Personal Data Protection Bill (PDB), 2019 was
introduced but has not been enacted yet. The proposed legislation aims to
safeguard citizen's personal information and data and prohibits the data
fiduciary from misusing data and compels the data processor to maintain
Privacy forms an essential part of one's life. A breach of privacy is attempted
when software like spyware or Pegasus is used indiscriminately. The use of
spyware is worrisome and alarming and therefore demands immediate attention. The
use of such software is a clear violation of an individual's right to privacy,
which is now a widely acknowledged fundamental right.
However, the use of such spyware by government agencies is on reasonable grounds
of national security. There must be a proper balance between the nation's
security interest and individual freedom and privacy.
To prevent the further misuse of any similar spyware, significant action must be
taken, and the Government must step up and resolve all related concerns. For
instance, creating law that particularly addresses electronic surveillance and
personal privacy would be a big step forward given that the laws now in place
regarding electronic monitoring don't adequately safeguard people' privacy.
- Aditya Verma, Central Information Commission Right to Privacy by Aditya Verma
(2019), https://cic.gov.in/node/4628 (last visited July 1, 2022)
- Government Hacking, Privacy International, https://privacyinternational.org/learn/government-hacking.
- Spy: Meaning & definition for UK English, Lexico Dictionaries | English,
https://www.lexico.com/definition/spy (last visited Jul 1, 2022).
- Espionage, Legal Information Institute, https://www.law.cornell.edu/wex/espionage (last visited Jul 1, 2022).
- Alexander S. Gillis, Kate Brush & Taina Teravainen, What is spyware?
- What is spyware?, Veracode, https://www.veracode.com/security/spyware (last
visited Jul 1, 2022).
- Tom Stafford and Andrew Urbaczewski , Spyware: The Ghost in the Machine,
RESEARCH GATE (Aug. 6-8, 2004),
- Telegraph act 1885 § 5.
- Information Technology Act 2000 § 2, cl. 1(o).
- Information Technology Act 2000 § 2, cl. v.
- Privacy and Data Protection in India: A Critical Assessment, 53 JILI (2011)
- Information Technology Act 2000 § 72.
- Data Breach, Trend Micro (Aug. 27, 2021, 3 :30 PM), https://www.trendmicro.com/vinfo/us/security/definition/data-breach.
- Information Technology Act 2000 § 66C.
- Unique Identification Authority of India
- Aadhaar card linking: UIDAI makes face recognition feature mandatory,
Business Today (Aug. 24, 2018, 6:20 PM), https://www.businesstoday.in/latest/economy-politics/story/uidai-makes-face-recognition-feature-mandatory-for-aadhaar-authentication-109112-2018-08-24.
- Ministry Of Communications And Information Technology (Department of
Information Technology) Notification, New Delhi, the 11th April, 2011,
- K. S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors., (2017) 10 SCC
- Daniel J. Solove, 10 Reasons Why Privacy Matters, TECH PRIVACY (Jan. 20,
- Surveillance, Privacy and Technology: A Comparative Critique of the Laws
of USA and India, 57 JILI (2015) 550.
- R. Rajagopal v. State of Tamil Nadu, (1994) 6 SCC 632.
- Surjit singh v. State of Punjab (1996) 2 SCC 336.
- R v. Dyment, SCC OnLine Can SC ¶ 17.
- Information Technology Act 2000 § 72.
- Prashant Iyengar, Privacy and the Information Technology Act - Do we have
the Safeguards for Electronic Privacy?, CIS-INDIA (Apr. 7, 2011),
- Nimitha Salim, Breach of privacy and Confidentiality under information
Technology Act, 2000, LEGAL SERVICE INDIA (Aug. 27, 2021, 8 :15 PM),
- Kunal Thakore & Deepa Christopher, Data Protected - India,
- Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors.,
(2017) 10 SCC 1.
- Public vs. Private Communications, Message Net Systems (Aug. 27, 2021, 8:30
- Information Technology Act 2000 § 65.
- Information Technology Act 2000 § 66.
- Information Technology Act 2000 § 66D.
- Information Technology Act 2000 § 66E.
- Information Technology Act 2000 § 66F.
- Information Technology Act 2000 § 67.
- Information Technology Act 2000 § 69.
- Information Technology Act 2000 § 43A.
- Techopedia, What is cyberspying? - definition from Techopedia Techopedia.com
(2011), https://www.techopedia.com/definition/27101/cyberspying (last visited
Jul 3, 2022).
- Vangie Beal, What is cyber crime? Webopedia (2021),
https://www.webopedia.com/definitions/cyber-crime/ (last visited Jul 3, 2022).
- Auletha Jones, Jack Bagby, Jenny Mazac, Kelsey Harper, Kreshnik Shena,
Michael Harris, Stephanie Crowe, Cyber Spying, Old Domain University (2013),
- Graham D. Glancy & Alan W. Newman, Cyberstalking Oxford Scholarship Online,
(last visited Jul 3, 2022).
- Minnick, Wendell. "Experts: Chinese Cyber Threat to US Is Growing."
Defense News. Gannett Government Media Corporation, 09 Jul 2013. Web. 7 Nov
- Barnini Chakrabory, US officials addressing cyber threat at 'highest
levels' with China, on heels of hacker report, FOX NEWS (Jan. 12, 2017),
- Supra Note 1.
- Chintaman rao v. State of madhya pradesh (1950) SCR 759.
- Express Newspaper v. Union of India (1985) SCR (2) 287.
- Steven Feldstein, Commercial Spyware Global Inventory, version 2,
Mendeley Data (Dec. 22, 2020), https://data.mendeley.com/datasets/csvhpkt8tm/2.
- Sneha Dawda and Alexander Babuta, WhatsApp Hack Calls into Question
Government Use of Commercial Spyware, RUSI (June 17, 2019),
- Telegraph act 1885 § 5.
- People's Union of Civil Liberties v. Union of India, AIR (1997) SC 568.
- International Covenant on Civil and Political Rights 1976 art. 17.
- Universal Declaration of Human Rights 1948 art. 12.
- Dheeraj Diwakar, The Indiscriminate Use Of The Pegasus Spyware As An
Infringement On The Right To Privacy, Human Rights Pulse (Oct. 14, 2021),
- Personal Data Protection Bill 2019.