On 12 December, the Indian government-appointed Lieutenant-Governor Manoj Sinha announced that his administration will establish a J & K Family ID database for all the families residing in India’s Union Territory of Jammu and Kashmir. A unique alphanumeric code – pehchan patra (identity card) – will identify family members through the head of the family.
The family pehchan patra will use a unique eight-digit alphanumeric code to identify each family and its members. The card will have information on all the family members including their employment status, names, ages, qualifications and so on. Additionally, this card is supposed to be linked to Aadhaar – the world’s largest biometric ID system – and the bank account number of the head of the family. The administration has said that the new database will help with better delivery of government schemes, including old-age pensions and scholarships.
Although some Indian states have built similar databases, the Indian government’s iron-hand militaristic policies in Kashmir have made people doubt the stated goals behind this database. The government has heavily securitised Jammu and Kashmir since the abrogation of Article 370 in August 2019. The article gave limited autonomy to the region and accorded exclusive domicile rights to its permanent residents. The abrogation of the special provision also accompanied the bifurcation of the state into two union territories – Jammu and Kashmir, and Ladakh – and its demotion to the status of a union territory controlled by the central government, instead of its own elected legislature.
Given this multi-level surveillance architecture in Kashmir, the Family ID will act as another layer of surveillance.
India currently does not have a data protection law, and a fourth iteration of a data bill, the Digital Personal Data Protection Bill (2022), was recently published for public feedback. Interestingly, it provides little to no safeguards against government surveillance. The bill grants broad exemptions to government agencies “in the interests of sovereignty and integrity of India, security of the State” and so on, without any procedural safeguards such as restrictions on the data collected, its retention and access to it. The bill is in line with India’s existing surveillance laws, which do not provide for universally accepted safeguards such as mandatory judicial and independent oversight. For example, the Information Technology Act provides for the formation of an oversight mechanism via a review committee. However, the review committee is entirely composed of government officers and does not have judicial officers, making its independence questionable. Similarly, while the Criminal Procedure Code enables both a court and a police officer to compel the production of data, it is more commonly used by police officers without securing a court order. The legal vacuum on data privacy and wild-west surveillance laws in India indicate that there will be no limitations on purpose or retention of the data collected for the Family ID. Linking individuals together using this database goes beyond Aadhaar, which primarily collects individual biometric data.
Collective punishment the norm
It has been eight years since assembly elections were held in Jammu and Kashmir, and this period has seen heightened surveillance, with police forces dedicating resources for social-media monitoring and real-time observation of public spaces and mobile phone traffic. According to an Intelligence Bureau official in Kashmir, a million phones were tapped by 2014. The transformation of Jammu and Kashmir into a police state, therefore, started years ago. But to understand the possible surveillance utility of this database, we have to look at how the Indian government in Kashmir has cracked down on dissent, especially in the last three years, since the abrogation of Article 370, employing collective punishment as a tactic.
The bill grants broad exemptions to government agencies “in the interests of sovereignty and integrity of India, security of the State” and so on, without any procedural safeguards such as restrictions on the data collected, its retention and access to it.
In September 2021, the Jammu and Kashmir government passed an order for its employees declaring that “Involvement of an individual’s immediate family, persons sharing residential space with the employee to whom he or she may be bound by affection, influence, or obligation” will result in that individual government employee being adversely reported. The order also said that if an employee fails to report on any family members of associates with hostile links, their promotion will be put on hold and further action will be taken, including possible termination from government service. This order is of particular importance for two reasons – first, it points to the government’s intention to punish family members for the acts of an individual; and second, it makes government employees liable for not conducting surveillance on behalf of the state. This order, in effect, will result in the government employees’ termination from service for the “sabotage, espionage, treason, terrorism, subversion, sedition” deemed to be committed by any of their own family members and associates. The Jammu and Kashmir administration handed out several termination letters after this order targeting relatives of both former and active Kashmiri militants. Notably, the government is the largest employer in Jammu and Kashmir, given the region’s insignificant number of private-sector industries. Clubbing collective allegiance to the Indian state with individual government employment is a sinister yet effective strategy to compel public loyalty.
With the new Family ID database, the government has said that it will ensure compliance with all the relevant laws and regulations and that the data will be collected with the consent of enrolled households. However, as mentioned above, India has no law for data protection. The government can easily repurpose the new database to streamline its collective punishment of the families and connections of so-called anti-nationals.
The Jammu and Kashmir administration handed out several termination letters after this order targeting relatives of both former and active Kashmiri militants.
As has been done with Aadhaar across India, the Family ID may be made effectively mandatory for accessing many critical government services, including subsidised rations, free medical treatment, old-age and widow pensions, family pensions, scholarships, and more. Making Aadhaar mandatory to access several government schemes – like cheap foodgrains under the government-run public distribution scheme – has led to numerous cases of otherwise eligible beneficiaries being excluded due to authentication errors. Multiple Aadhaar data breaches have also been reported since the inception of the digital ID program. Most of the Indian population has already registered for Aadhaar, in large part so as not to lose public benefits. In much the same way, linking the Family ID with government schemes will likely force people to consent to having their data collected for it. Several regional political parties in Jammu and Kashmir, like the People’s Democratic Party, have rightly expressed concerns over this database being possibly used as a surveillance tool.
Multi-level surveillance architecture
When receiving appointment letters, government employees in J & K are already subject to a three-stage verification by the local police, the CID and police counterintelligence. In addition, newly recruited government employees are investigated by the police’s Criminal Investigation Department. A new online system for verification and background checks was introduced last year, in lieu of the earlier practice of physical verification. In addition, government employees’ social media accounts are also monitored.
Various surveillance tools are employed to monitor the general population as well. Earlier in 2022, the government made it mandatory for business owners to install CCTV cameras outside their establishments. The Srinagar police warned of punitive action for those who did not comply with the order. The Jammu and Kashmir police, in September 2022, announced that they will be doing regular drone surveillance of “suspected localities” and installing CCTV surveillance systems across the region. In an interview published this January, Kashmir’s Additional Director General of Police declared that technical surveillance would increase in Kashmir given the G20 meetings hosted by India this year and the parliamentary elections due in 2024.
According to an Intelligence Bureau official in Kashmir, a million phones were tapped by 2014.
Given this multi-level surveillance architecture in Kashmir, the Family ID will act as another layer of surveillance. The same database may also be used to build stronger cases for penalising people when their friends and family are involved in ‘anti-national’ activities. In Kashmir, friends and relatives of pro-independence leaders and militants are often harassed and targeted by government forces to put pressure on such leaders and militants to surrender. The relatives are often denied passports and government employment. Government forces have also been accused of ransacking militants’ family homes and assaulting members of their families.
Privacy advocates in India emphasise the need for a data protection law and point towards the potential of data being misused in the absence of such a law. Prasanth Sugathan, the legal director of the Software Freedom Law Center, said that a data collection exercise such as the Family ID scheme, “in the absence of a law preventing misuse of this data, could result in infringement of the privacy rights of people.” Anushka Jain, an associate counsel at the Internet Freedom Foundation, also highlighted the surveillance risks posed by the database. “Jammu and Kashmir is a sensitive area and the information that they are collecting is also extremely sensitive,” Jain said. She added that there have been no limits placed on the interdepartmental sharing of data, which could lead to problems as any government authority could access data collected by other government authorities. The lack of checks and balances means that any security or intelligence agency could use the Family ID database for its own purposes without legal constraints.
In the absence of a data governance law, a police state such as the one operating in Jammu and Kashmir is almost bound to use the Family ID database to meet its ‘security’ and ‘intelligence’ needs. Mainland India has several civil society groups that have fought and successfully won battles on digital rights issues, like the right to privacy and net neutrality. However, it remains to be seen whether they will oppose the Family ID and if the Jammu and Kashmir administration will face legal challenges to implementing it.