How the world’s largest democracy is preparing to snoop on its citizens
Monitoring system will allow govt to snoop on voice calls, SMSes, and access Internet data
Leslie D’Monte Mail Me | Joji Thomas Philip Mail Me
First Published: Wed, Jul 03 2013. 11 56 PM IST
Updated: Thu, Jul 04 2013. 09 26 AM IST
Mumbai: Nothing will be secret or private.
Every conversation on landlines and mobile phones will be heard; some will be recorded. Every move you make on the Internet will be tracked.
By December, when the Nanny State goes live, it will be fact.
Once the government’s innocuously named CMS (communication monitoring system) is in place, the state will be able to snoop on your voice calls, fax messages, SMSes and MMSes, across all phone networks. It will be able to access your Internet data, and see not just what sites you visit but even build a cache of your inbox, to decrypt at leisure.
The process began more than a couple of years ago.
On 29 April 2011, India’s home ministry called for bids to set up communications monitoring systems in all state capitals. The notice, which was published on its website and went almost unnoticed, specified that the system should be able to monitor voice calls, fax messages, SMSes and MMSes, and work across terrestrial networks, GSM and CDMA (the dominant mobile telephony platforms), and the Internet.
The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”.
The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT).
A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.
Subsequent media reports, which have cited internal government documents, peg the cost of the CMS at around Rs.400 crore, but there is hardly any official data from the government about the implementation of the CMS.
In its 2012-13 annual report, DoT said the government has decided to set up the CMS for lawful interception and monitoring by law enforcement agencies, “reducing the manual intervention at many stages as well as saving of time”.
The system, according to the report, was to be installed by C-DoT after which the Telecom Enforcement, Resource and Monitoring (TERM) cells would take over. As on 31 March, there were 34 such TERM cells in the country. The current number could not be ascertained.
How does the government justify this invasive system? Its purpose is unclear, but national security is always a handy spectre. And so what if such a system can be misused to bully, spy and curtail the freedom of individuals? Indeed, India’s track record of using existing laws doesn’t inspire confidence.
Student Shaheen Dhada was arrested (under the law) for criticizing the shutdown of Mumbai after the death of Shiv Sena supremo Bal Thackeray on her personal Facebook account. Her friend, Renu Srinivasan, who had “liked” the comment was also arrested. The two were later freed, on bail.
No known safeguards
But how does the CMS work? According to the government official cited above, the Central Bureau for Investigation (CBI), for instance, is likely to be provided interception facilities through the CMS in Delhi initially.
“CBI shall enter data related to target in the CMS system and approach the telecom services provider”, at which point the process is automated, and the provider simply sends the data to a server which forwards the requested information, he explained.
He didn’t mention any safeguards, nor have any been made public, which means that there are likely none. In a Q&A session on the popular social network Reddit on Tuesday, academic and activistLawrence Lessig, the co-founder of Creative Commons, wrote on the subject of snooping in the US, “I’m really troubled by national security programmes. We don’t know what protections are built into the system.”
That has become the subject of much debate following the leaks by whistleblower Edward Snowdenabout the US National Security Agency’s surveillance programme.
Lessig pointed out that protection based on code is the only real protection from misuse, as other safeguards are dependent on people choosing not to violate reasonable expectations of privacy.
Which is the heart of the problem. From what we know, the list of agencies with access to data in India is already large: the Research and Analysis Wing, CBI, the National Investigation Agency, the Central Board of Direct Taxes, the Narcotics Control Bureau, and the Enforcement Directorate. More may be added.
For the system to be useful in any practical fashion, access will have to be given to a large number of officials in each of these agencies. And in the absence of safeguards, one must assume that all data is accessible to all officials.
To be sure, some of this information is already being tracked by Internet companies.
Ravina Kothari, a 22-year-old student at Cardiff University, said she learnt a bitter lesson “last year when I Googled my name”. “It revealed all the personal details I had put up on social media sites. My childhood school photos popped up on Google image search results. Worse, I had not put them there. My friends had tagged me in—all so scary. And I can’t do anything about it.”
She has since stopped uploading personal details such as videos, pictures or telephone numbers.
Twenty-one-year-old Shruti Lodha, studying to be a chartered accountant, feels a similar discomfort.
“I am definitely not comfortable with Google, and how every time I Google myself it reveals my identity and shows information that is on social media sites.”
In 2011, 24-year-old Max Schrems of Vienna, Austria, asked the world’s largest social networking siteFacebook Inc. for a copy of every piece of information it had collected on him since he had created an account with it two years earlier.
Schrems was delivered a CD packing a 1,222-page file that included information he had deleted, but had been stored on Facebook’s servers, according to ThreatPost, a publication on information technology (IT) security run by Kaspersky Lab, a leading maker of antivirus software.
Had Schrems been a resident of India, he could not have known how much personal information Facebook had on him. Every person in the European Union (EU) has the right to access all the data that a company holds on him or her.
With the CMS, all this information, and much more, can be called up by just about anyone—the taxman, CBI officials, Assam Police (which will also monitor the network according to some reports)—and the old bogey of national security may not even be raised.
Need for a privacy law
Publicly at least, companies agree that the new monitoring systems infringe on our rights. Subho Ray, president, Internet and Mobile Association of India said, “Without any prior permission, government should not take or use any information which is considered private. The biggest challenge for us is that we do not have a privacy law in India.”
Cyber law experts and privacy lobby groups caution that the world’s largest democracy’s attempt to snoop on its citizens with the CMS, ostensibly for security reasons, could be abused in the absence of a transparent process and a privacy law.
The issue has become alarming, they add, with the US admitting to be collecting billions of pieces of information on immigrants—6.3 billion from Indian citizens alone under the Foreign Intelligence Surveillance Act, according to an 8 June report in the UK-based The Guardian newspaper.
“We don’t know much about the CMS, except that when implemented, it could be plugged directly into telecom nodes and lead to widespread tapping,” said Apar Gupta, a partner at law firm Advani and Co. specializing in IT law.
“There’s no legal sanction as of now for any type of mass surveillance, such as the one that the CMS suggests,” said Pavan Duggal, a Supreme Court lawyer and cyberlaw expert.
Gupta added that since India lacks privacy legislation, which obliges companies to maintain privacy standards when they export the data which they’ve gathered in India overseas, “this poses a problem”.
N.S. Nappinai, a Bombay high court advocate, said, “India has lived without any codified laws to protect privacy all these years and has relied primarily on Article 21 of the Constitution. Protecting privacy has just become more complicated with the humongous quantity of data being uploaded online. People seem totally unaware of the trouble they are inviting upon themselves.”
The lack of a privacy law makes it easier for the government to take such extreme steps. The Indian Telegraph Act and the IT Act, 2008 (amendments introduced in the IT Act, 2000), already gives the government the power to monitor, intercept and even block online conversations and websites. The addition of the CMS will greatly widen the number of sources and could simplify access to these records as well.
On 25 April 2011, the government admitted that the existing laws include provisions for interception and pointed out that the Supreme Court had, on 18 December 1996, upheld the constitutional validity of interceptions and monitoring.
While the court had added that telephone tapping infringes on the right to life and the right to freedom of speech and expression, unless permitted under special procedures, these guidelines are not usually implemented, according to activists.
The shortcomings of the existing laws already make it possible to misuse the vast amount of information that is available today. These laws were written at a time when the Internet was not a fact of life, and where the lines between public and private were not already blurred. Given that, the perspectives on privacy can be worrisome.
In a report presented to the Lok Sabha on 13 December 2011, the ministry of planning said, “Collection of information without a privacy law in place does not violate the right to privacy of the individual…There is no bar on collecting information, the only requirement to be fulfilled with respect to the protection of the privacy of an individual is that care should be taken in collection and use of information, consent of individual would be relevant, information should be kept safe and confidential.”
This proposed Right to Privacy Bill was leaked to the public, and eventually nothing came of it.
On 16 October 2012, a commission headed by justice (retired) A.P. Shah issued a report that included the study of privacy laws and related Bills from around the world. The report noted that with the “increased collection of citizen information by the government, concerns have emerged on their impact on the privacy of persons”.
Despite the report being given to the Planning Commission, the government has continued with its plans.
Early this year, a privacy lobby body, the Centre for Internet and Society (CIS) drafted the Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India.
CIS worked with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India and held round table meetings around the country to bring about a privacy law.
Sunil Abraham, executive director, CIS, said, “While the government sets out to protect national interests, it’s also very important to protect the rights of individuals.”
The way ahead
Human Rights Watch, in a 7 June media release, described the CMS as “chilling, given its (India’s) reckless and irresponsible use of sedition and Internet laws”.
According to Freedom on the Net 2012, released on 24 September, India—which scored 39 points out of 100—was termed “partly-free”. But India is not alone. Around 40 countries filter the Internet in varying degrees, including democratic and non-democratic governments.
YouTube and Gmail (both owned by Google Inc.), BlackBerry, WikiLeaks, Skype (owned by Microsoft Corp.), Twitter and Facebook have all been censored, at different times, in countries such as China, Iran, Egypt and India.
European Union countries have strong privacy laws as is evident from the Schrems case.
Australia is engaged in putting similar safeguards in place. On 24 June, a Senate committee recommended that Australia’s proposed data retention scheme only be considered if it just collected metadata, avoided capture of browser histories and contained rigorous privacy controls and oversight.
Indian politicians could take a cue from such countries when balancing national interest with protecting the privacy of individuals.
Gopal Sathe in New Delhi and Zahra Khan in Mumbai contributed to this story.