Your telco could help spy on you

The article by Joji Thomas Philip, Leslie D'Monte and Shauvik Ghosh was originally published in Livemint on July 30, 2013. Sunil Abraham is quoted.

Telecom companies and Internet service providers will soon help the government monitor every call made, every email sent and every website visited, with the Centre deciding to connect their networks to its automated surveillance platform known as the Centralised Monitoring System (CMS).

Communications minister Kapil Sibal has approved changes in existing rules and new clauses to be inserted in mobile licences for enabling such mass surveillance, copies of documents reviewed by Mint reveal.

“The automated process of the CMS will be subjected to the same regulatory scrutiny as is available in the present manual system under Section 5(2) of Indian Telegraph Act and Rules 419-A thereunder, with the added advantage of having a safeguard against any illegal provisioning by the telecom service providers in the present system, however, remote it may be,” DoT said in an email reply to a questionnaire with a brief on CMS.

“Safeguard has also been built against any unauthorized provisioning by having a different interception provisioning agency than the interception requisitioning and monitoring agencies thus having an inbuilt system of checks and balances. Further, a non-erasable command log will be maintained by the system, which can be examined anytime for misuse, thus having an additional safeguard,” DoT said.

The CMS was approved by the cabinet committee on security (CCS) on 16 June 2011, with government funding of Rs.400 crore. It is expected to enable the government to monitor all forms of communication, from emails to online activity to phone calls, text messages and faxes by automating the existing process of interception and monitoring. The government completed a pilot project in September 2011 under which the Centre for Development of Telematics (C-DoT) installed two ISF servers, one of them for MTNL.

“The interception services have been integrated and tested successfully for these two telecom services providers (TSPs),” the note said, referring to MTNL and Tata Communications Ltd. MTNL officials declined to comment. There was no response to queries by Tata Communications.

It added that training had been imparted to six law enforcement agencies—the Intelligence Bureau, the Central Bureau of Investigation, the Directorate of Revenue Intelligence, the Research and Analysis Wing, the Delhi Police and the National Investigation Agency.

However, the documents also reveal that the CMS project is getting delayed over technical issues such as lawful interception systems sending the intercept-related information (IRI) in “their own proprietary format”; difficulty in tracing the movement of “the target from the home network to the roaming network”; and how to independently provision voice and data interception of mobile users.

The government is simultaneously devising a strategy to counter criticism from the media and privacy lobby groups that this surveillance platform has no privacy safeguards. Mint reported on 13 July that fresh questions were raised on the CMS infringing on the rights of individuals, especially in the wake of the US government’s PRISM surveillance project.

In an internal note on 16 July to help Sibal brief the media, DoT said even as the CMS will automate the existing process of interception and monitoring “... all safeguards that are currently in place in the manual mode of interception will continue”.

The note argued that implementation of the CMS “will rather enhance the privacy of the citizens” since it will not be necessary to take the authorization (for tapping) to the nodal officer of the telecom service providers “who comes to know whose or which phone is being intercepted”. The note added that after the CMS is implemented, provisioning of interception will be done by a CMS authority, who would be different from the law enforcement agency authorities.

“The law enforcement agency (LEA) cannot provision for interception and monitoring and the CMS authority cannot see the content but would be able to provision the request from the LEA.Hence, complete check and balance will be ensured. Further, a non-erasable command log will be maintained by the system, which can be examined anytime for misuse, thus having an additional safeguard,” added the department’s note briefing the minister.

Also, acknowledging that “questions were being asked about the practices of Indian agencies and the privacy and rights of its citizens”, national security adviser Shivshankar Menon in a 23 June note to the ministries of home, external affairs and telecom, the department of electronics and information technology, and the cabinet secretary said: “Only home secretaries of the Centre and states can authorize such monitoring; orders are valid for two months, are not extendable beyond six months; records are to be maintained, use of storage is limited and a review committee of cabinet secretary, law secretary and secretary of the telecom department regularly screens all cases.”

Menon also admitted that when it came to individual privacy rights, there were “larger issues that needed serious consideration and wider consultation with industry, advocacy groups and NGOs (non-governmental organizations) as has been the case so far in the draft privacy Bill... For data protection and retention in India, however, there may be a need to consider legislation or strengthening existing legislation, as the march of technology has made most present laws irrelevant.”

Privacy experts are convinced that safeguards are needed, especially since India does not have a privacy law.

“To safeguard public interest, the government should also draft a law that will make it a criminal offence if a CMS authority is found in possession of any personal information culled through the CMS. That will prove to be a deterrent,” said Sunil Abraham, executive director of the Centre for Internet and Society, a privacy lobby body. “Also, the government must build an audit trail using PKI (public key encryption) and people as an additional safeguard.”

“As I understand it, there is also no clear statutory backing for the CMS,” said Apar Gupta, a partner at law firm Advani and Co. that specializes in information technology (IT) law. “What is important is that every tapping order should be backed by a reason. This was the case with the manual process. Will this be possible in an automated surveillance system such as the CMS?”

“What is disturbing is that there is no transparency with regard to the CMS. Everything is happening under the radar with media reports periodically giving us glimpses into the project,” he said. “A state should protect its interests but should do so in a manner that safeguards privacy and limits abuse.”

According to the Freedom on the Net 2012 report by Freedom House, an independent privacy watchdog body, of the 47 countries analysed, 19 had introduced new laws or other directives since January 2011 that could affect free speech online, violate users’ privacy, or punish individuals who post certain types of content. India, which scored 39 points out of 100 (score achieved out of 100 for censoring the Internet), was termed partly free by the report, which was released on 24 September.

Globally, 79% of the respondents in another study said they were concerned about their privacy online, with India (94%), Brazil (90%) and Spain (90%) showing the highest level of concern, according to a June survey undertaken by research firm ComRes, and commissioned by Big Brother Watch, an online privacy campaign.