Social Media Surveillance in India: What You Need to Know

India is a country that proudly protects free speech under Article 19(1)(a) of its Constitution, yet has simultaneously built one of the most aggressive social media surveillance apparatuses among democratic nations. That contradiction isn't accidental. It's structural, and understanding it requires looking past the press releases and into the machinery itself.

The Scale of Content Removal

Consider a number: between January and June 2025, the Indian government sent over 28,000 content removal requests to Meta alone, according to the company's transparency report. That placed India among the top three countries globally for takedown demands. X (formerly Twitter) reported similar volumes. These aren't requests to remove child exploitation material or obvious terrorist recruitment content -- many targeted political speech, satire, and criticism of government policies. The platforms complied with a significant majority of them, often without publicly disclosing which posts were removed or why.

Now, content removal is one thing. It's visible -- a post disappears, a user gets notified. What's less visible, and arguably more concerning, is the surveillance that happens before any takedown request is ever made. This is the part most people don't think about when they open Instagram or type something on X.

The Legal Framework and Its Oversight Gaps

Section 69 of the Information Technology Act, 2000 gives the central government and state governments the power to intercept, monitor, or decrypt any information transmitted through any computer resource. The grounds are broad: sovereignty and integrity of India, defence of the state, friendly relations with foreign states, public order, prevention of incitement to cognizable offences, and -- here's the catch-all -- "investigation of any offence." That last phrase is elastic enough to cover almost anything. A 2009 set of rules (the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules) outlines the procedure, but the entire process happens in secret. There's no judicial oversight. The Home Secretary at the central level, or a Secretary-rank officer at the state level, authorizes surveillance. No court reviews the order beforehand. No independent body audits it afterward.

Compare that to, say, the United States, where law enforcement typically needs a warrant signed by a judge to intercept electronic communications. Or Germany, where surveillance orders must be approved by a parliamentary committee. India's system relies entirely on executive self-authorization. The government watches itself and decides it's behaving properly. I'm skeptical that this is sufficient, and the Supreme Court's own Puttaswamy judgment from 2017 -- which established privacy as a fundamental right -- suggested it probably isn't. But years later, the surveillance framework remains unchanged. Even the Parliamentary Standing Committee on Information Technology, which could in theory provide legislative oversight, has no formal role in reviewing surveillance orders. Individual members have raised questions during committee sessions, but the committee doesn't receive reports on surveillance activity and can't veto or modify interception orders. The oversight gap isn't just about missing laws -- it's about missing institutions.

The Pegasus Scandal and Culture of Opacity

The Pegasus controversy in 2021 threw some of this into sharp relief. An investigation by a consortium of media organizations found that phone numbers belonging to Indian journalists, opposition politicians, lawyers, and activists appeared on a leaked list of potential targets for the Pegasus spyware, built by Israel's NSO Group. Pegasus doesn't just monitor social media -- it turns your phone into a surveillance device, accessing your camera, microphone, messages, emails, and encrypted chats. The Indian government neither confirmed nor denied purchasing it. A Supreme Court-appointed committee investigated but its full findings were never made public. The government's position, essentially, was: we can't tell you whether we used it because that would affect national security.

That non-answer is itself an answer, and it reveals a pattern. In Indian surveillance, opacity isn't a bug. It's a feature. There are no annual transparency reports from Indian intelligence agencies. No declassified statistics on how many surveillance orders were issued in a given year. A 2024 RTI filing asking the Ministry of Home Affairs how many interception orders were authorized under Section 69 in the previous five years was denied on grounds of national security. We don't know the scale. We're asked to trust that it's proportionate.

State-Level Monitoring Operations

At the state level, things get even more interesting. Multiple state police forces have set up dedicated social media monitoring cells. Maharashtra's cyber police, Uttar Pradesh's Special Task Force, and Telangana's cyber crime wing all run active operations that scan social media platforms for content they consider problematic. What counts as "problematic" varies. During the farmer protests of 2020-2021, police in several states reportedly monitored protest-related hashtags and identified individuals for questioning based on their social media activity. During communal tensions, posts that are deemed likely to "disturb public order" get flagged. The definition of what might disturb public order is left to the officer running the monitoring cell.

There's also the technological dimension. India isn't just relying on officers manually scrolling through Twitter feeds. Multiple state governments have procured or are in the process of procuring automated social media monitoring tools. These tools use keyword tracking, sentiment analysis, network mapping, and in some cases facial recognition cross-referenced with social media profile pictures. A few of these systems have been built by Israeli companies, others by domestic firms. Contracts are often signed under provisions that exclude them from public disclosure. What we know tends to come from tender documents that surface through RTI requests or investigative journalism, not from official announcements.

The IT Rules and Platform Compliance

The IT Rules of 2021, amended in 2023, added another layer. They require "significant social media intermediaries" -- platforms with more than 5 million users in India -- to appoint a Chief Compliance Officer, a Nodal Contact Person, and a Resident Grievance Officer, all based in India. Platforms must also enable "identification of the first originator of the information" when ordered by a court or a government authority. This traceability requirement has been fiercely contested. WhatsApp challenged it in the Delhi High Court, arguing that traceability would require breaking end-to-end encryption. The case, as of early 2026, remains undecided. If the government prevails, every encrypted message sent by India's 500 million-plus WhatsApp users could potentially be traced back to its originator. That's not hypothetical. It's pending.

Platform compliance data tells its own story. Meta's transparency reports show that India consistently accounts for more government requests for user data than almost any other country. Google's transparency report reflects similar patterns. Between the second half of 2024 and the first half of 2025, Indian government agencies made tens of thousands of requests for user information from these platforms. The compliance rate hovered around 70-80%, meaning the platforms handed over user data in the majority of cases. Each of those numbers represents a person whose account information -- IP addresses, login times, contact details, and sometimes content -- was shared with the government.

The Chilling Effect on Free Expression

What does this do to people? There's a growing body of research on what political scientists call the "chilling effect" -- the phenomenon where people self-censor because they believe they might be watched. A 2024 survey by a digital rights organization found that nearly 40% of Indian social media users said they had refrained from posting about a political topic because they feared government reprisal. Among journalists, the number was higher. Among users in states with active communal tensions, higher still. You don't need to actually surveil everyone to achieve the chilling effect. You just need people to believe you might be surveilling them. The ambiguity is the tool.

I talk to people who've experienced this firsthand. A journalist in Karnataka told me she stopped tweeting about local political corruption after two police officers showed up at her door "for a friendly conversation" about a tweet she'd posted. She wasn't arrested. She wasn't charged with anything. They just came, asked questions, and left. She hasn't posted anything critical since. That's the chilling effect in action -- no law was broken, no right was formally violated, but the message was received.

Self-censorship isn't evenly distributed. If you're a tech professional in Bangalore posting about JavaScript frameworks, nobody's monitoring you. But if you're a student activist in Kashmir, a Dalit rights organizer in UP, a journalist covering military operations in the Northeast, or a minority community member in a state with recent communal violence -- your social media activity might very well be on someone's screen. The surveillance burden falls disproportionately on those who are already marginalized. That's not speculation; it tracks with every documented case of surveillance targeting in India over the past decade.

Legal Protections and Their Practical Limitations

There are some legal guardrails, thin as they are. The Puttaswamy judgment established that any invasion of privacy must meet three tests: legality (there must be a law authorizing it), necessity (it must serve a legitimate aim that can't be achieved by less intrusive means), and proportionality (the extent of the intrusion must be proportionate to the need). On paper, this sounds protective. In practice, it has yet to result in a single surveillance operation being struck down. Courts move slowly. Surveillance operates in real time. By the time a legal challenge reaches hearing, the data has already been collected, analyzed, and acted upon.

The Digital Personal Data Protection Act of 2023 was supposed to address some of these concerns. It did establish consent requirements and purpose limitation principles for data processing. But it also carved out sweeping exemptions for the state. Section 17(2) allows the central government to exempt any government agency from the entire Act in the interest of sovereignty, integrity, security of the state, public order, or friendly relations with foreign states. That's not a narrow exception. It's a trapdoor. An agency conducting social media surveillance could potentially be exempted from every data protection obligation in the law, with no requirement for judicial approval and no obligation to inform the people whose data is being processed.

What Individuals Can Actually Do

What can an individual do? Honestly, the protections are limited when the surveillance apparatus is this large. Tightening your privacy settings on social media helps against random scraping by monitoring tools. Using encrypted messaging for sensitive conversations helps against interception, though the traceability rules could undermine that. Being careful about what you post publicly is prudent, though it shouldn't be necessary in a democracy. VPNs add a layer of obscurity, though India has been tightening VPN regulations too -- CERT-In's 2022 directive requires VPN providers operating in India to maintain user logs for five years. Several major VPN providers pulled their servers out of India rather than comply. The ones that remain may or may not be keeping logs as required.

There's a dimension to all this that rarely gets discussed: the role of private companies as intermediaries in government surveillance. When police request user data from Meta or Google, the platforms don't just hand over a name and address. They can provide IP logs, login timestamps, device identifiers, location history, ad interaction data, contact lists, and in some cases, the content of posts and messages (excluding E2EE content). Each compliance response creates a detailed dossier that goes far beyond what a traditional wiretap would reveal. And the platforms face an uncomfortable incentive structure: refuse government requests too often, and they risk regulatory retaliation in a market of 500+ million users that no company wants to lose. Comply too readily, and they become extensions of the surveillance apparatus. Meta's transparency reports show they push back on some requests -- asking for narrower scope, rejecting overly broad demands -- but the overall compliance rate remains high. The companies aren't villains in this story, but they're not neutral either. Their business models, which depend on collecting as much user data as possible for advertising purposes, mean the data exists in the first place for governments to request.

Corporate surveillance deserves its own mention, because government monitoring is only half the picture. Indian companies -- from e-commerce platforms to fintech apps to ride-hailing services -- also monitor social media for brand sentiment, competitive intelligence, and customer profiling. When you post a complaint about a product on Twitter, a social media monitoring tool flags it, a customer service team responds, and that interaction gets logged against your profile. That's the benign version. The less benign version: some companies reportedly monitor employees' social media accounts, and hiring managers have admitted to checking candidates' social media activity before making offers. A 2024 survey by a recruitment platform found that 38% of HR professionals in Indian tech companies said they'd rejected a candidate at least once based on social media posts. This isn't government surveillance, but it's surveillance nonetheless, and it operates with even fewer guardrails.

The academic research on this is still catching up, but early findings from Indian universities studying digital behavior suggest that the awareness of being watched changes how people use the internet in measurable ways. Students in a 2025 study at JNU reported using pseudonymous accounts for political discussions while keeping their real-name accounts strictly apolitical. Young professionals described maintaining two versions of themselves online -- a "safe" public persona and a more honest private one, shared only through encrypted group chats. That kind of digital code-switching is rational behavior in a surveillance environment, but it comes at a psychological cost. Living with the constant awareness that the wrong post could bring police to your door, or cost you a job, or flag you for investigation, creates a low-grade anxiety that shapes how freely people participate in democratic discourse. The damage isn't always dramatic. Sometimes it's just... quieter. Fewer opinions shared. Fewer questions asked. Fewer challenges to power.

I want to be careful here not to sound conspiratorial. Not every social media monitoring operation is sinister. Some are legitimate law enforcement activities -- tracking terrorist recruitment, identifying child exploitation networks, preventing incitement to violence during communal tensions. These are real problems that require real tools. The issue isn't that monitoring exists. The issue is that it exists without meaningful oversight, without transparency, without proportionality checks, and without an independent body that can say "no, this specific operation goes too far." Every surveillance power in a democracy needs a counterweight. India's counterweight, right now, is largely theoretical.

Where does this leave us? Probably in the same place it leaves most Indians who think about this -- somewhere between resigned and angry, scrolling through feeds while vaguely aware that someone, somewhere, might be scrolling through the same feed looking for something to flag. The Supreme Court could intervene more forcefully. Parliament could pass surveillance reform legislation with real teeth. An independent oversight body could be established. None of these things have happened yet, and the political incentives for whoever is in power to limit their own surveillance capabilities are, shall we say, modest.

The most honest thing I can tell you is this: the space for free expression on Indian social media is shrinking, and the machinery for watching what's said in that space is expanding. Those two trends are related. Whether they continue depends less on any individual's privacy settings and more on whether enough people decide this trajectory isn't acceptable. The right to privacy, the Supreme Court told us in 2017, is a fundamental right. Fundamental rights don't enforce themselves. Someone has to insist on them, publicly, even when -- especially when -- insisting carries risk. The irony is that the very platforms where that insistence would be most visible are the ones being watched most closely.