Current Affairs Topics Archive
International Relations Economics Polity & Governance Environment & Ecology Science & Technology Internal Security Geography Social Issues Art & Culture Modern History

Personal data isn’t collected: Home Ministry on security agencies using open-source intelligence from public sources

March 31, 2026 6 min read Polity & Governance Internal Security GS2 (Polity & Governance) GS3 (Internal Security)
On This Page

What Happened

  • The Union Ministry of Home Affairs told the Parliamentary Standing Committee on Communications and Information Technology (chaired by Lok Sabha MP Nishikant Dubey) that security agencies rely exclusively on Open-Source Intelligence (OSINT) — publicly available information — for intelligence gathering, and do not collect private or personal data from social media.
  • The MHA stated: "Publicly available information on the internet and social media platforms is used for intelligence gathering. No private or personal information is gathered from social media. Hence, privacy is never violated."
  • Security agencies use web scraping to automatically extract data from public sources including public tweets, Facebook posts, YouTube videos, Telegram channels, deepfakes, morphed media, fake news, and misinformation.
  • Applications include monitoring scam websites, online gambling, fake investment schemes, cryptocurrency transactions on dark web marketplaces, extremist propaganda, and honeytrap schemes on dating platforms.
  • The MHA disclosed that Artificial Intelligence is deployed for face recognition, social media parsing, network analysis, natural language processing across multiple languages, and entity resolution — the accurate identification and correlation of individuals across multiple data sources.
  • The CRPF specifically uses AI for sentiment analysis on open-source platforms, with an intelligence fusion centre in final stages of deployment.
  • The Committee's report, tabled on March 30, 2026, provides the first detailed parliamentary-level accounting of how Indian security agencies operationalise OSINT at scale.

Static Topic Bridges

Open-Source Intelligence (OSINT) — Concept and Methodology

OSINT refers to intelligence collected from publicly available sources — distinct from signals intelligence (SIGINT), human intelligence (HUMINT), or covert surveillance. Sources include news media, social media platforms, government publications, academic papers, online forums, satellite imagery, and domain records. OSINT's defining legal characteristic is that no covert access to private systems or data is involved. However, the scale and automated nature of web scraping — using bots to systematically extract public content — raises questions about the aggregation problem: individually public data points, when combined at scale, can reveal private patterns about individuals.

  • OSINT ≠ surveillance: No interception of private communications
  • Web scraping: Automated extraction of publicly visible content (legal for public data)
  • Aggregation problem: Combining public data at scale can profile individuals without explicit consent
  • AI tools deployed: Face recognition, NLP, network analysis, entity resolution
  • Global parallel: US IC OSINT Strategy 2024–2026 also formalises OSINT as a priority intelligence discipline

Connection to this news: The MHA's distinction between "public data" (OSINT) and "private data" (covert surveillance) is legally significant — it positions security agency web scraping within the bounds of existing IT law while sidestepping DPDP Act consent requirements that apply to personal data.

Digital Personal Data Protection (DPDP) Act, 2023 — Key Provisions and Exemptions

India's Digital Personal Data Protection Act, 2023 is the country's first standalone data protection legislation. It establishes rights for data principals (individuals) and obligations for data fiduciaries (entities processing data). Seven core principles govern the Act: consent, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. Crucially, Section 7(d) permits processing of personal data without explicit consent to fulfil legal obligations to disclose information to the State. Additionally, Section 17 grants the Central Government broad powers to exempt its own agencies from most provisions of the Act on national security grounds — a significant carve-out that has drawn criticism.

  • DPDP Act enacted: 2023 (rules yet to be fully operationalised as of early 2026)
  • Data Protection Board: 4-member government-appointed body (not independent)
  • Section 7(d): State-directed disclosure exemption from consent requirement
  • Section 17: Central Government can exempt its agencies for national security/public order
  • Criticism: Broad government exemptions undermine the Act's privacy guarantees for citizens

Connection to this news: The MHA's claim that OSINT involves no "private data" and therefore raises no privacy concerns implicitly relies on the public/private data distinction — but under the DPDP framework, AI-driven entity resolution that links public data to identify specific individuals could still engage privacy norms, a tension Parliament's committee has begun to probe.

Surveillance and Right to Privacy — Constitutional Dimension

The Supreme Court's nine-judge bench judgment in K.S. Puttaswamy v. Union of India (2017) recognised the Right to Privacy as a fundamental right under Article 21. The Court held that any state interference with privacy must satisfy the triple test: legality (backed by law), legitimate aim, and proportionality. India's current legal framework for surveillance — the Indian Telegraph Act, 1885, IT Act Section 69 (interception orders) — was designed for a pre-social-media era. The IT Act Section 69A enables blocking of public access to online content, while the Telecommunications Act, 2023 Section 20 allows temporary takeover of telecom networks for public safety. However, no dedicated statutory framework governs AI-based OSINT at scale.

  • Puttaswamy judgment: 2017 — privacy is a fundamental right under Article 21
  • Triple test: Legality + Legitimate aim + Proportionality
  • IT Act Section 69: Government can order interception/monitoring of electronic communications
  • IT Act Section 69A: Blocking of online content
  • Gap: No dedicated OSINT regulatory framework; security agencies operate under broad national security exemptions

Connection to this news: The MHA's assurance that OSINT "never violates privacy" relies on the premise that public information cannot engage privacy rights — a position that may be legally tested as AI-driven profiling becomes more sophisticated and as the DPDP Act rules are finalised.

Parliamentary Standing Committees — Role in Executive Oversight

Parliamentary Standing Committees are permanent departmental committees that scrutinise the work of government ministries between sessions of Parliament. The Standing Committee on Communications and IT (Lok Sabha) examines policies, legislation, and administrative activities of the Ministry of Electronics and IT, Ministry of Communications, and the Department of Telecom. Committees can summon ministers, officials, and experts, and table reports that trigger government responses. While their recommendations are not binding, they serve as a critical accountability mechanism — the committee's questioning of MHA on OSINT represents Parliament exercising oversight over executive surveillance practices.

  • 24 Departmental Standing Committees in Parliament (post-2004 reform)
  • Communications and IT Committee: Lok Sabha, currently chaired by Nishikant Dubey (MP)
  • Powers: Examine demands for grants, scrutinise bills referred to them, study ministry policies
  • Reports: Tabled in Parliament; government must provide action-taken reports within 6 months
  • Significance: First parliamentary-level record of AI and OSINT use by Indian security agencies

Connection to this news: The MHA's submission to the Standing Committee creates an official parliamentary record of OSINT practices — making future departures from the stated "public data only" position politically and legally accountable.

Key Facts & Data

  • Committee: Standing Committee on Communications and IT, Lok Sabha — chaired by Nishikant Dubey
  • MHA position: Security agencies use only publicly available data; no private information collected
  • AI tools deployed: Face recognition, NLP, network analysis, entity resolution, sentiment analysis
  • CRPF: Deploys AI for sentiment analysis; intelligence fusion centre in final deployment stages
  • Monitored content: Public tweets, Facebook posts, YouTube, Telegram, deepfakes, dark web crypto transactions
  • Legal basis: IT Act 2000, Telecommunications Act 2023, national security exemptions in DPDP Act 2023
  • DPDP Act 2023: First standalone data protection law in India; Section 17 exempts government agencies on national security grounds
  • Puttaswamy judgment (2017): Right to Privacy = fundamental right under Article 21