Centre for Internet and Society

Can India Trust Its Government on Privacy?

pranesh — 2013-07-15T10:35:33Z

In response to criticisms of the Centralized Monitoring System, India’s new surveillance program, the government could contend that merely having the capability to engage in mass surveillance won’t mean that it will. Officials will argue that they will still abide by the law and will ensure that each instance of interception will be authorized.

Pranesh Prakash's article was published in the New York Times on July 11, 2013.

In fact, they will argue that the program, known as C.M.S., will better safeguard citizens’ privacy: it will cut out the telecommunications companies, which can be sources of privacy leaks; it will ensure that each interception request is tracked and the recorded content duly destroyed within six months as is required under the law; and it will enable quicker interception, which will save more lives. But there are a host of reasons why the citizens of India should be skeptical of those official claims.

Cutting out telecoms will not help protect citizens from electronic snooping since these companies still have the requisite infrastructure to conduct surveillance. As long as the infrastructure exists, telecom employees will misuse it. In a 2010 report, the journalist M.A. Arun noted that “alarmingly, this correspondent also came across several instances of service providers’ employees accessing personal communication of subscribers without authorization.” Some years back, K.K. Paul, a top Delhi Police officer and now the Governor of Meghalaya, drafted a memo in which he noted mobile operators’ complaints that private individuals were misusing police contacts to tap phone calls of “opponents in trade or estranged spouses.”

India does not need to have centralized interception facilities to have centralized tracking of interception requests. To prevent unauthorized access to communications content that has been intercepted, at all points of time, the files should be encrypted using public key infrastructure. Mechanisms also exist to securely allow a chain of custody to be tracked, and to ensure the timely destruction of intercepted material after six months, as required by the law. Such technological means need to be made mandatory to prevent unauthorized access, rather than centralizing all interception capabilities.

At the moment, interception orders are given by the federal Home Secretary of India and by state home secretaries without adequate consideration. Every month at the federal level 7,000 to 9,000 phone taps are authorized or re-authorized. Even if it took just three minutes to evaluate each case, it would take 15 hours each day (without any weekends or holidays) to go through 9,000 requests. The numbers in Indian states could be worse, but one can’t be certain as statistics on surveillance across India are not available. It indicates bureaucratic callousness and indifference toward following the procedure laid down in the Telegraph Act.

In a 1975 case, the Supreme Court held that an “economic emergency” may not amount to a “public emergency.” Yet we find that of the nine central government agencies empowered to conduct interception in India, according to press reports — Central Board of Direct Taxes, Intelligence Bureau, Central Bureau of Investigation, Narcotics Control Bureau, Directorate of Revenue Intelligence, Enforcement Directorate, Research & Analysis Wing, National Investigation Agency and the Defense Intelligence Agency — three are exclusively dedicated to economic offenses.

Suspicion of tax evasion cannot legally justify a wiretap, which is why the government said it had believed that Nira Radia, a corporate lobbyist, was a spy when it defended putting a wiretap on her phone in 2008 and 2009. A 2011 report by the cabinet secretary pointed out that economic offenses might not be counted as “public emergencies,” and that the Central Board of Direct Taxes should not be empowered to intercept communications. Yet the tax department continues to be on the list of agencies empowered to conduct interceptions.

India has arrived at a scary juncture, where the multiple departments of the Indian government don’t even trust each other. India’s Department of Information Technology recently complained to the National Security Advisor that the National Technical Research Organization had hacked into National Informatics Center infrastructure and extracted sensitive data connected to various ministries. The National Technical Research Organization denied it had hacked into the servers but said hundreds of e-mail accounts of top government officials were compromised in 2012, including those of “the home secretary, the naval attaché to Tehran, several Indian missions abroad, top investigators of the Central Bureau of Investigation and the armed forces,” The Mint newspaper reported. Such incidents aggravate the fear that the Indian government might not be willing and able to protect the enormous amounts of information it is about to collect through the C.M.S.

Simply put, government entities have engaged in unofficial and illegal surveillance, and the C.M.S. is not likely to change this. In a 2010 article in Outlook, the journalist Saikat Datta described how various central and state intelligence organizations across India are illegally using off-the-air interception devices. “These systems are frequently deployed in Muslim-dominated areas of cities like Delhi, Lucknow and Hyderabad,” Mr. Datta wrote. “The systems, mounted inside cars, are sent on ‘fishing expeditions,’ randomly tuning into conversations of citizens in a bid to track down terrorists.”

The National Technical Research Organization, which is not even on the list of entities authorized to conduct interception, is one of the largest surveillance organizations in India. The Mint reported last year that the organization’s surveillance devices, “contrary to norms, were deployed more often in the national capital than in border areas” and that under new standard operating procedures issued in early 2012, the organization can only intercept signals at the international borders. The organization runs multiple facilities in Mumbai, Bangalore, Delhi, Hyderabad, Lucknow and Kolkata, in which monumental amounts of Internet traffic are captured. In Mumbai, all the traffic passing through the undersea cables there is captured, Mr. Datta found.

In the western state of Gujarat, a recent investigation by Amitabh Pathak, the director general of police, revealed that in a period of less than six months, more than 90,000 requests were made for call detail records, including for the phones of senior police and civil service officers. This high a number could not possibly have been generated from criminal investigations alone. Again, these do not seem to have led to any criminal charges against any of the people whose records were obtained. The information seems to have been collected for purposes other than national security.

India is struggling to keep track of the location of its proliferating interception devices. More than 73,000 devices to intercept mobile phone calls have been imported into India since 2005. In 2011, the federal government asked various state governments, private corporations, the army and intelligence agencies to surrender these to the government, noting that usage of any such equipment for surveillance was illegal. We don’t know how many devices were actually turned in.

These kinds of violations of privacy can have very dangerous consequences. According to the former Intelligence Bureau head in the western state of Gujarat, R.B. Sreekumar, the call records of a mobile number used by Haren Pandya, the former Gujarat home minister, were used to confirm that it was he who had provided secret testimony to the Citizens’ Tribunal, which was conducting an independent investigation of the 2002 sectarian riots in the state. Mr. Pandya was murdered in 2003.

The limited efforts to make India’s intelligence agencies more accountable have gone nowhere. In 2012, the Planning Commission of India formed a group of experts under Justice A.P. Shah, a retired Chief Justice of the Delhi High Court, to look into existing projects of the government and to suggest principles to guide a privacy law in light of international experience. (Centre for Internet and Society, where I work was part of the group). However, the government has yet to introduce a bill to protect citizens’ privacy, even though the governmental and private sector violations of Indian citizens’ privacy is growing at an alarming rate.

In February, after frequent calls by privacy activists and lawyers for greater accountability and parliamentary oversight of intelligence agencies, the Centre for Public Interest Litigation filed a case in the Supreme Court. This would, one hopes, lead to reform.

Citizens must also demand that a strong Privacy Act be enacted. In 1991, the leak of a Central Bureau of Investigation report titled “Tapping of Politicians’ Phones” prompted the rights groups, People’s Union of Civil Liberties to file a writ petition, which eventually led to a Supreme Court of India ruling that recognized the right to privacy of communications for all citizens as part of the fundamental rights of freedom of speech and of life and personal liberty. However, through the 2008 amendments to the Information Technology Act, the IT Rules framed in 2011 and the telecom licenses, the government has greatly weakened the right to privacy as recognized by the Supreme Court. The damage must be undone through a strong privacy law that safeguards the privacy of Indian citizens against both the state and corporations. The law should not only provide legal procedures, but also ensure that the government should not employ technologies that erode legal procedures.

A strong privacy law should provide strong grounds on which to hold the National Security Advisor’s mass surveillance of Indians (over 12.1 billion pieces of intelligence in one month) as unlawful. The law should ensure that Parliament, and Indian citizens, are regularly provided information on the scale of surveillance across India, and the convictions resulting from that surveillance. Individuals whose communications metadata or content is monitored or intercepted should be told about it after the passage of a reasonable amount of time. After all, the data should only be gathered if it is to charge a person of committing a crime. If such charges are not being brought, the person should be told of the incursion into his or her privacy.

The privacy law should ensure that all surveillance follows the following principles: legitimacy (is the surveillance for a legitimate, democratic purpose?), necessity (is this necessary to further that purpose? does a less invasive means exist?), proportionality and harm minimization (is this the minimum level of intrusion into privacy?), specificity (is this surveillance order limited to a specific case?) transparency (is this intrusion into privacy recorded and also eventually revealed to the data subject?), purpose limitation (is the data collected only used for the stated purpose?), and independent oversight (is the surveillance reported to a legislative committee or a privacy commissioner, and are statistics kept on surveillance conducted and criminal prosecution filings?). Constitutional courts such as the Supreme Court of India or the High Courts in the Indian states should make such determinations. Citizens should have a right to civil and criminal remedies for violations of surveillance laws.

Indian citizens should also take greater care of their own privacy and safeguard the security of their communications. The solution is to minimize usage of mobile phones and to use anonymizing technologies and end-to-end encryption while communicating on the Internet. Free and open-source software like OpenPGP can make e-mails secure. Technologies like off-the-record messaging used in apps like ChatSecure and Pidgin chat conversations, TextSecure for text messages, HTTPS Everywhere and Virtual Private Networks can prevent Internet service providers from being able to snoop, and make Internet communications anonymous.

Indian government, and especially our intelligence agencies, violate Indian citizens’ privacy without legal authority on a routine basis. It is time India stops itself from sleepwalking into a surveillance state.

For more details visit https://cis-india.org/internet-governance/blog/new-york-times-july-11-2013-can-india-trust-its-government-on-piracy

How Surveillance Works in India

pranesh — 2013-07-15T10:20:45Z

When the Indian government announced it would start a Centralized Monitoring System in 2009 to monitor telecommunications in the country, the public seemed unconcerned. When the government announced that the system, also known as C.M.S., commenced in April, the news didn’t receive much attention.

This article by Pranesh Prakash was published in the New York Times on July 10, 2013.

After a colleague at the Centre for Internet and Society wrote about the program and it was lambasted by Human Rights Watch, more reporters started covering it as a privacy issue. But it was ultimately the revelations by Edward J. Snowden about American surveillance that prompted Indians to ask questions about its own government’s surveillance programs.

In India, we have a strange mix of great amounts of transparency and very little accountability when it comes to surveillance and intelligence agencies. Many senior officials are happy to anonymously brief reporters about the state of surveillance, but there is very little that is officially made public, and still less is debated in the national press and in Parliament.

This lack of accountability is seen both in the way the Big-Brother acronyms (C.M.S., Natgrid, T.C.I.S., C.C.T.N.S., etc.) have been rolled out, as well as the murky status of the intelligence agencies. No intelligence agency in India has been created under an act of Parliament with clearly established roles and limitations on powers, and hence there is no public accountability whatsoever.

The absence of accountability has meant that the government has since 2006 been working on the C.M.S., which will integrate with the Telephone Call Interception System that is also being rolled out. The cost: around 8 billion rupees ($132 million) — more than four times the initial estimate of 1.7 billion — and even more important, our privacy and personal liberty. Under their licensing terms, all Internet service providers and telecom providers are required to provide the government direct access to all communications passing through them. However, this currently happens in a decentralized fashion, and the government in most cases has to ask the telecoms for metadata, like call detail records, visited Web sites, IP address assignments, or to carry out the interception and provide the recordings to the government. Apart from this, the government uses equipment to gain access to vast quantities of raw data traversing the Internet across multiple cities, including the data going through the undersea cables that land in Mumbai.

With the C.M.S., the government will get centralized access to all communications metadata and content traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.


A man surfing a Facebook page at an internet cafe in Guwahati, Assam, on Dec. 6, 2011. Image Credit: Anupam Nath/Associated Press

You might ask: Why is this a problem when the government already had the same access, albeit in a decentralized fashion? To answer that question, one has to first examine the law.

There are no laws that allow for mass surveillance in India. The two laws covering interception are the Indian Telegraph Act of 1885 and the Information Technology Act of 2000, as amended in 2008, and they restrict lawful interception to time-limited and targeted interception.The targeted interception both these laws allow ordinarily requires case-by-case authorization by either the home secretary or the secretary of the department of information technology.

Interestingly, the colonial government framed better privacy safeguards into communications interception than did the post-independence democratic Indian state. The Telegraph Act mandates that interception of communications can only be done on account of a public emergency or for public safety. If either of those two preconditions is satisfied, then the government may cite any of the following five reasons: “the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of an offense.” In 2008, the Information Technology Act copied much of the interception provision of the Telegraph Act but removed the preconditions of public emergency or public safety, and expands the power of the government to order interception for “investigation of any offense.” The IT Act thus very substantially lowers the bar for wiretapping.

Apart from these two provisions, which apply to interception, there are many laws that cover recorded metadata, all of which have far lower standards. Under the Code of Criminal Procedure, no court order is required unless the entity is seen to be a “postal or telegraph authority” — and generally e-mail providers and social networking sites are not seen as such.

Unauthorized access to communications data is not punishable per se, which is why a private detective who gained access to the cellphone records of Arun Jaitley, a Bharatiya Janata Party leader, has been charged under the weak provision on fraud, rather than invasion of privacy. While there is a provision in the Telegraph Act to punish unlawful interception, it carries a far lesser penalty (up to three years of imprisonment) than for a citizen’s failure to assist an agency that wishes to intercept or monitor or decrypt (up to seven years of imprisonment).

To put the ridiculousness of the penalty in Sections 69 and 69 B of the IT Act provision in perspective, an Intelligence Bureau officer who spills national secrets may be imprisoned up to three years. And under the Indian Penal Code, failing to provide a document one is legally bound to provide to a public servant, the punishment can be up to one month’s imprisonment. Further, a citizen who refuses to assist an authority in decryption, as one is required to under Section 69, may simply be exercising her constitutional right against self-incrimination. For these reasons and more, these provisions of the IT Act are arguably unconstitutional.

As bad as the IT Act is, legally the government has done far worse. In the licenses that the Department of Telecommunications grants Internet service providers, cellular providers and telecoms, there are provisions that require them to provide direct access to all communications data and content even without a warrant, which is not permitted by the existing laws on interception. The licenses also force cellular providers to have ‘bulk encryption’ of less than 40 bits. (Since G.S.M. network encryption systems like A5/1, A5/2, and A5/3 have a fixed encryption bit length of 64 bits, providers in India have been known use A5/0, that is, no encryption, thus meaning any person — not just the government — can use off-the-air interception techniques to listen to your calls.)

Cybercafes (but not public phone operators) are required to maintain detailed records of clients’ identity proofs, photographs and the Web sites they have visited, for a minimum period of one year. Under the rules designed as India’s data protection law (oh, the irony!), sensitive personal data has to be shared with government agencies, if required for “purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offenses.”

Along similar lines, in the rules meant to say when an Internet intermediary may be held liable for a user’s actions, there is a provision requiring the Internet company to “provide information or any such assistance to government agencies legally authorized for investigative, protective, cybersecurity activity.” (Incoherent, vague and grammatically incorrect sentences are a consistent feature of laws drafted by the Ministry of Communications and IT; one of the telecom licenses states: “The licensee should make arrangement for monitoring simultaneous calls by government security agencies,” when clearly they meant “for simultaneous monitoring of calls.”)

In a landmark 1996 judgment, the Indian Supreme Court held that telephone tapping is a serious invasion of an individual’s privacy and that the citizens’ right to privacy has to be protected from abuse by the authorities. Given this, undoubtedly governments must have explicit permission from their legislatures to engage in any kind of broadening of electronic surveillance powers. Yet, without introducing any new laws, the government has surreptitiously granted itself powers — powers that Parliament hasn’t authorized it to exercise — by sneaking such powers into provisions in contracts and in subordinate legislation.

For more details visit https://cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india

How the world’s largest democracy is preparing to snoop on its citizens

praskrishna — 2013-07-15T09:41:21Z

Monitoring system will allow govt to snoop on voice calls, SMSes, and access Internet data.

The article by Leslie D' Monte and Joji Thomas Philip was published in Livemint on July 3, 2013. Sunil Abraham is quoted.

Nothing will be secret or private.

Every conversation on landlines and mobile phones will be heard; some will be recorded. Every move you make on the Internet will be tracked.

Fiction?

By December, when the Nanny State goes live, it will be fact.

Once the government’s innocuously named CMS (communication monitoring system) is in place, the state will be able to snoop on your voice calls, fax messages, SMSes and MMSes, across all phone networks. It will be able to access your Internet data, and see not just what sites you visit but even build a cache of your inbox, to decrypt at leisure.

The process began more than a couple of years ago.

On 29 April 2011, India’s home ministry called for bids to set up communications monitoring systems in all state capitals. The notice, which was published on its website and went almost unnoticed, specified that the system should be able to monitor voice calls, fax messages, SMSes and MMSes, and work across terrestrial networks, GSM and CDMA (the dominant mobile telephony platforms), and the Internet.

	The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”. The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT). A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”.

The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT).

A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

Subsequent media reports, which have cited internal government documents, peg the cost of the CMS at around Rs.400 crore, but there is hardly any official data from the government about the implementation of the CMS.

In its 2012-13 annual report, DoT said the government has decided to set up the CMS for lawful interception and monitoring by law enforcement agencies, “reducing the manual intervention at many stages as well as saving of time”.

The system, according to the report, was to be installed by C-DoT after which the Telecom Enforcement, Resource and Monitoring (TERM) cells would take over. As on 31 March, there were 34 such TERM cells in the country. The current number could not be ascertained.

How does the government justify this invasive system? Its purpose is unclear, but national security is always a handy spectre. And so what if such a system can be misused to bully, spy and curtail the freedom of individuals? Indeed, India’s track record of using existing laws doesn’t inspire confidence.

Student Shaheen Dhada was arrested (under the law) for criticizing the shutdown of Mumbai after the death of Shiv Sena supremo Bal Thackeray on her personal Facebook account. Her friend, Renu Srinivasan, who had “liked” the comment was also arrested. The two were later freed, on bail.

No known safeguards

But how does the CMS work? According to the government official cited above, the Central Bureau for Investigation (CBI), for instance, is likely to be provided interception facilities through the CMS in Delhi initially.

“CBI shall enter data related to target in the CMS system and approach the telecom services provider”, at which point the process is automated, and the provider simply sends the data to a server which forwards the requested information, he explained.

He didn’t mention any safeguards, nor have any been made public, which means that there are likely none. In a Q&A session on the popular social network Reddit on Tuesday, academic and activist Lawrence Lessig, the co-founder of Creative Commons, wrote on the subject of snooping in the US, “I’m really troubled by national security programmes. We don’t know what protections are built into the system.”

That has become the subject of much debate following the leaks by whistleblower Edward Snowden about the US National Security Agency’s surveillance programme.

Lessig pointed out that protection based on code is the only real protection from misuse, as other safeguards are dependent on people choosing not to violate reasonable expectations of privacy.

Which is the heart of the problem. From what we know, the list of agencies with access to data in India is already large: the Research and Analysis Wing, CBI, the National Investigation Agency, the Central Board of Direct Taxes, the Narcotics Control Bureau, and the Enforcement Directorate. More may be added.

For the system to be useful in any practical fashion, access will have to be given to a large number of officials in each of these agencies. And in the absence of safeguards, one must assume that all data is accessible to all officials.

To be sure, some of this information is already being tracked by Internet companies.

Ravina Kothari, a 22-year-old student at Cardiff University, said she learnt a bitter lesson “last year when I Googled my name”. “It revealed all the personal details I had put up on social media sites. My childhood school photos popped up on Google image search results. Worse, I had not put them there. My friends had tagged me in—all so scary. And I can’t do anything about it.”

She has since stopped uploading personal details such as videos, pictures or telephone numbers.

Twenty-one-year-old Shruti Lodha, studying to be a chartered accountant, feels a similar discomfort.

“I am definitely not comfortable with Google, and how every time I Google myself it reveals my identity and shows information that is on social media sites.”

In 2011, 24-year-old Max Schrems of Vienna, Austria, asked the world’s largest social networking site Facebook Inc. for a copy of every piece of information it had collected on him since he had created an account with it two years earlier.

Schrems was delivered a CD packing a 1,222-page file that included information he had deleted, but had been stored on Facebook’s servers, according to ThreatPost, a publication on information technology (IT) security run by Kaspersky Lab, a leading maker of antivirus software.

Had Schrems been a resident of India, he could not have known how much personal information Facebook had on him. Every person in the European Union (EU) has the right to access all the data that a company holds on him or her.

With the CMS, all this information, and much more, can be called up by just about anyone—the taxman, CBI officials, Assam Police (which will also monitor the network according to some reports)—and the old bogey of national security may not even be raised.

Need for a privacy law

Publicly at least, companies agree that the new monitoring systems infringe on our rights. Subho Ray, president, Internet and Mobile Association of India said, “Without any prior permission, government should not take or use any information which is considered private. The biggest challenge for us is that we do not have a privacy law in India.”

Cyber law experts and privacy lobby groups caution that the world’s largest democracy’s attempt to snoop on its citizens with the CMS, ostensibly for security reasons, could be abused in the absence of a transparent process and a privacy law.

The issue has become alarming, they add, with the US admitting to be collecting billions of pieces of information on immigrants—6.3 billion from Indian citizens alone under the Foreign Intelligence Surveillance Act, according to an 8 June report in the UK-based The Guardian newspaper.

“We don’t know much about the CMS, except that when implemented, it could be plugged directly into telecom nodes and lead to widespread tapping,” said Apar Gupta, a partner at law firm Advani and Co. specializing in IT law.

“There’s no legal sanction as of now for any type of mass surveillance, such as the one that the CMS suggests,” said Pavan Duggal, a Supreme Court lawyer and cyberlaw expert.

Gupta added that since India lacks privacy legislation, which obliges companies to maintain privacy standards when they export the data which they’ve gathered in India overseas, “this poses a problem”.

N.S. Nappinai, a Bombay high court advocate, said, “India has lived without any codified laws to protect privacy all these years and has relied primarily on Article 21 of the Constitution. Protecting privacy has just become more complicated with the humongous quantity of data being uploaded online. People seem totally unaware of the trouble they are inviting upon themselves.”

Current laws are already compromised

The lack of a privacy law makes it easier for the government to take such extreme steps. The Indian Telegraph Act and the IT Act, 2008 (amendments introduced in the IT Act, 2000), already gives the government the power to monitor, intercept and even block online conversations and websites. The addition of the CMS will greatly widen the number of sources and could simplify access to these records as well.

On 25 April 2011, the government admitted that the existing laws include provisions for interception and pointed out that the Supreme Court had, on 18 December 1996, upheld the constitutional validity of interceptions and monitoring.

While the court had added that telephone tapping infringes on the right to life and the right to freedom of speech and expression, unless permitted under special procedures, these guidelines are not usually implemented, according to activists.

The shortcomings of the existing laws already make it possible to misuse the vast amount of information that is available today. These laws were written at a time when the Internet was not a fact of life, and where the lines between public and private were not already blurred. Given that, the perspectives on privacy can be worrisome.

In a report presented to the Lok Sabha on 13 December 2011, the ministry of planning said, “Collection of information without a privacy law in place does not violate the right to privacy of the individual…There is no bar on collecting information, the only requirement to be fulfilled with respect to the protection of the privacy of an individual is that care should be taken in collection and use of information, consent of individual would be relevant, information should be kept safe and confidential.”

This proposed Right to Privacy Bill was leaked to the public, and eventually nothing came of it.

On 16 October 2012, a commission headed by justice (retired) A.P. Shah issued a report that included the study of privacy laws and related Bills from around the world. The report noted that with the “increased collection of citizen information by the government, concerns have emerged on their impact on the privacy of persons”.

Despite the report being given to the Planning Commission, the government has continued with its plans.

Early this year, a privacy lobby body, the Centre for Internet and Society (CIS) drafted the Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India.

CIS worked with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India and held round table meetings around the country to bring about a privacy law.

Sunil Abraham, executive director, CIS, said, “While the government sets out to protect national interests, it’s also very important to protect the rights of individuals.”

The way ahead

Human Rights Watch, in a 7 June media release, described the CMS as “chilling, given its (India’s) reckless and irresponsible use of sedition and Internet laws”.

According to Freedom on the Net 2012, released on 24 September, India—which scored 39 points out of 100—was termed “partly-free”. But India is not alone. Around 40 countries filter the Internet in varying degrees, including democratic and non-democratic governments.

YouTube and Gmail (both owned by Google Inc.), BlackBerry, WikiLeaks, Skype (owned by Microsoft Corp.), Twitter and Facebook have all been censored, at different times, in countries such as China, Iran, Egypt and India.

European Union countries have strong privacy laws as is evident from the Schrems case.

Australia is engaged in putting similar safeguards in place. On 24 June, a Senate committee recommended that Australia’s proposed data retention scheme only be considered if it just collected metadata, avoided capture of browser histories and contained rigorous privacy controls and oversight.

Indian politicians could take a cue from such countries when balancing national interest with protecting the privacy of individuals.

Gopal Sathe in New Delhi and Zahra Khan in Mumbai contributed to this story.

For more details visit https://cis-india.org/news/livemint-leslie-d-monte-joji-thomas-philip-july-3-2013-how-the-worlds-largest-democracy-is-preparing-to-snoop-on-its-citizens

India’s Central Monitoring System: Security can’t come at cost of privacy

praskrishna — 2013-07-15T06:43:21Z

During a Google hangout session in June this year, Milind Deora, minister of state for communications and information technology, addressed concerns related to the central monitoring system (CMS).

Danish Raza's article was published in FirstPost on July 10, 2013. Sunil Abraham is quoted.

The surveillance project, described as the Indian version of PRISM, will allow the government to monitor online and telephone data of citizens. prism-milind-deora-cms-central-monitoring-system/” target=”_blank”>

The minister tried to justify the project arguing that the union government will become the sole custodian of citizen’s data which is now accessible to other parties such as telecom operators. But his justification failed to persuade experts who argue that the data is hardly safe because it is held by the government. And the limited information available about the project has raised serious concerns about its need and the consequences of government snooping on such a mass scale.

A release by the Press Information Bureau, dated November 26, 2009, is perhaps the only government document related to CMS available in public domain. It merely states that the project will strengthen the security environment in the country. “In the existing system secrecy can be easily compromised due to manual intervention at many stages while in CMS these functions will be performed on secured electronic link and there will be minimum manual intervention. Interception through CMS will be instant as compared to the existing system which takes a very long time.”

One of the primary concerns raised by experts is the sheer lack of public information on the project. So far, there is no official word from the government about which government bodies or agencies will be able to access the data; how will they use this information; what percentage of population will be under surveillance; or how long the data of a citizen will be kept in the record.

“This makes it impossible for India’s citizens to assess whether surveillance is the only, or the best, way in which the stated goal can be achieved. Also, citizens cannot gauge whether these measures are proportionate i.e. they are the most effective means to achieve this aim. The possibility of having such a debate is crucial in any democratic country,” said Dr Anja Kovacs, project director at Internet Democracy Project, Delhi based NGO working for online freedom of speech and related issues.

There is also no legal recourse for a citizen whose personal details are being misused or leaked from the central or regional database. Unlike America’s PRISM project under which surveillance orders are approved by courts, CMS does not have any judicial oversight. “This means that the larger ecosystem of checks and balances in which any surveillance should be embedded in a democratic country is lacking. There is an urgent requirement for a strong legal protection of the right to privacy; for judicial oversight of any surveillance; and for parliamentary or judicial oversight of the agencies which will do surveillance. At the moment, all three are missing.” said Kovacs.

Given the use of technology by criminals and terrorists, government surveillance per se, seems inevitable. Almost in every nation, certain chunk of population is always under the scanner of intelligence agencies. However, mass-scale tracking the data of all citizens — not just those who are deemed persons of interest — enabled by the CMS has sparked a public furor. Sunil Abraham, executive director, Centre for Internet & Society, Bangalore, compared surveillance with salt in cooking. “A tiny amount is essential but any excess is counterproductive,” he said. “Unlike target surveillance, blanket surveillance increases the probability of false positives. Wrong data analysis will put more number of innocent civilians under suspicion as, by default, their number in the central server is more than those are actually criminals.”

Such blanket surveillance techniques also pose a threat to online business. With all the data going in one central pool, a competitor or a cyber criminal rival can easily tap into private and sensitive information by hacking into the server. “As vulnerabilities will be introduced into Internet infrastructure in order to enable surveillance, it will undermine the security of online transactions,” said Abraham. He notes that the project also can undermine the confidentiality of intellectual property especially pre-grant patents and trade secrets. “Rights-holders will never be sure if their IPR is being stolen by some government in order to prop up national players.”

Every time a surveillance system is exposed or its misuse sparks a debate, governments argue that such programs are required for internal security purposes and to help abort terror attacks. Obama made the same argument after PRISM was revealed to the public. Civil rights groups, on the other hand, argue that security cannot be prioritised by large-scale invasions of privacy especially in a country like India where there is little accountability or transparency. So is there a middle ground that will satisfy both sides?

“Yes, security and privacy can coexist,” said Commander (rtd) Mukesh Saini, former national information security coordinator, government of India, “We can design a system which takes care of national security aspect and yet gains the confidence of the citizens. Secrecy period must not be more than three to four years in such projects. Thereafter who all were snooped and when and why and under whose direction/circumstances must be made public through a website after this time gap.”

Kovacs agrees and says the right kind of surveillance program would focus on the needs of the citizen and not the government. “If a contradiction seems to exist between cyber security and privacy online, this is only because we have lost sight of who is supposed to benefit from any security measures. Only if a measure contributes to citizen’s sense of security, can it really be considered a legitimate security measure.”

For more details visit https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy

Is CMS a Compromise of Your Security?

praskrishna — 2013-07-15T06:27:05Z

By secretly monitoring and recording all Indians through a Central Monitoring System, our government will end up making citizens and businesses less safe.

This article appeared in the Forbes India magazine of 12 July, 2013. Sunil Abraham is quoted.

Are you reading this article on your PC or smartphone? No? Do you own a smartphone? Surely a phone then?

If you also happen to live in Delhi, Haryana or Karnataka, then from April this year nearly all your electronic communication—telephony, emails, VOIP, social networking—has been sucked up under an innocuous sounding programme called the Central Monitoring System, or CMS.

There’s no way to tell if you are being watched really, because telecom service providers aren’t part of the set-up. In most cases, they may not even be aware which of their users is being monitored. Neither can you approach a government agency or court to find out more, because there’s practically very little oversight or disclosure. What the government does with the data—how it is stored, secured, accessed or deleted—we don’t know.

Unlike the US and other Western democracies where even for a large scale programme like Prism (leaked recently by 29-year-old whistleblower and now fugitive Edward Snowden), surveillance orders need to be signed by a judge. But in India most orders are signed by either the Central or state home secretary, says Sunil Abraham, executive director for Centre for Internet and Society, Bangalore. This leads to a conflict of interest as the executive branch is both undertaking law enforcement and providing oversight on its own work.

In most cases, the officials are overwhelmed with other work, and don’t have the time to apply their minds to each request. “There is supposed to be an oversight committee that reviews the decisions of home secretaries, but we don’t have any idea about that committee either,” says Abraham.

Meanwhile, government bodies like the R&AW, Central Bureau of Investigation, National Investigation Agency, Central Board of Direct Taxes, Narcotics Control Bureau and the Enforcement Directorate will have the right to look up your data. Starting next year, all mobile telephony operators will also need to track and store the geographical location from which subscribers make or receive calls.

“I see it as the rise of techno-determinism in our security apparatus. Previously, our philosophy was to avoid infringing on individual privacy, and monitor a small set of individuals directly suspected of engaging in illegal activities. Now, thanks to the Utopianism being offered up by ‘Big Data’ infrastructure, putting everybody under blanket surveillance seems like a better way to serve our security and law enforcement agendas more effectively,” says Abraham.

There is a real risk that CMS and the numerous other monitoring programmes that will subsequently connect to it will end up harming more Indians than protecting them.

The biggest risk is that these programmes will turn into lucrative ‘honey pots’ for hackers, criminals and rival countries. Why bother hacking individuals and companies if you can attack the CMS? We’ve seen private corporations and government agencies in the US, Israel and the UK getting hacked. So let’s not have any illusions that India is going to fare much better.

Another consequence is that sooner or later innocent citizens will be wrongly accused of being criminals based on mistaken data patterns. While searching for matches in any database with hundreds of millions of records, the risk of a ‘false positive’ increases disproportionately because there are exponentially more innocents than there are guilty. And in the near-Dystopian construct of the CMS, it will take months or years for such errors to be rectified.

As more Indians become aware of these programmes, they will adopt encryption and masking tools to hide their digital selves. In the process, numerous ‘unintended consequences’ of failing to differentiate law-abiding citizens from criminals will be created. What answer will a normal citizen offer to a law enforcement official who wants to know why he or she has encrypted all communications and hosted a personal server in, say, Sweden?

But arguably the biggest threat of 24x7 surveillance is to businesses. Security and trust are the foundations atop which most modern businesses are built. From your purchase of a gadget on an ecommerce site to a large conglomerate’s secret bid in a government auction to discussions within a company on future business strategies to patent applications—everything requires secrecy and security. All an unscrupulous competitor, whether it be a company or a country, has to do to go one-up on you is to attack the CMS and other central databases.

“The reason why the USA historically decided not to impose blanket surveillance wasn’t because of human rights, but to protect its businesses and intellectual property. Because while we may be able to live in a society without human rights, we cannot be in one without functional markets,” says Abraham.

He goes on to say that the recent disclosures around the various spying programmes run by the US have made the private surveillance and security industry very happy. “Each incident becomes a case-study to pit one country against another, forcing each one to cherry-pick the worst global practices in a dangerous race to the bottom. Civil society and privacy activists don’t have the resources to fight large vendors and so the only thing that will stop this is the leak of large databases, like that of 9 million Israeli biometric records a few years back.”

Recollecting the news about a family-business break-up some years ago, where two brothers agreed to split their businesses, the net result was one brother opted out of telephony services offered by the other. All of that is now moot. “There are no more shadows now. Nobody will have refuge and everybody will be exposed,” says Abraham.

For more details visit https://cis-india.org/news/forbesindia-article-real-issue-july9-2013-rohin-dharmakumar-is-cms-a-compromise-of-your-security

Moving Towards a Surveillance State

atreya — 2013-07-15T05:57:15Z

The cyberspace is a modern construct of communication and today, a large part of human activity takes place in cyberspace. It has become the universal platform where business is executed, discourse is conducted and personal information is exchanged. However, the underbelly of the internet is also seen to host activities and persons who are motivated by nefarious intent.

Note: The original tender document of the Assam Police dated 28.02.2013 along with other several other tender documents for procurement of Internet and Voice Monitoring Systems is attached as a zip folder.

As highlighted in the International Principles on the Application of Human Rights to Communications Surveillance, logistical barriers to surveillance have decreased in recent decades and the application of legal principles in new technological contexts has become unclear. It is often feared that in light of the explosion of digital communications content and information about communications, or "communications metadata," coupled with the decreasing costs of storing and mining large sets of data and the provision of personal content through third party service providers make State surveillance possible at an unprecedented scale. Communications surveillance in the modern environment encompasses the monitoring, interception, collection, preservation and retention of, interference with, or access to information that includes, reflects, arises from or is about a person's communications in the past, present or future.[*] These fears are now turning into a reality with the introduction of mass surveillance systems which penetrate into the lives of every person who uses any form of communications. There is ample evidence in the form of tenders for Internet Monitoring Systems (IMS) and Telecom Interception Systems (TCIS) put out by the Central government and various state governments that the Indian state is steadily turning into an extensive surveillance state.

While surveillance and intelligence gathering is essential for the maintenance of national security, the creation and working of a mass surveillance system as it is envisioned today may not necessarily be in absolute conformity with the existing law. A mass surveillance system like the Central Monitoring System (CMS) not only threatens to completely eradicate any vestige of the right to privacy but in the absence of a concrete set of procedural guidelines creates a tremendous risk of abuse.

Although information regarding the Central Monitoring System is quite limited on the public forum at the moment it can be gathered that a centralized system for monitoring of all communication was first proposed by the Government of India in 2009 as indicated by the press release of the Ministry of Communications & Information. Implementation of the system started subsequently as indicated by another government press release and the Center for Development of Telematics (C-DOT) was entrusted with the responsibility of implementing the system. As per the C-DOT annual report 2011-12, research, development, trials and progressive scaling up of a Central Monitoring System were conducted by the organization in the past 4 years and the requisite hardware and CMS solutions which support voice and data interception have been installed and commissioned at various Telecom Service Providers (TSP) in Delhi and Haryana as part of the pilot project. Media reports indicate that the project will be fully functional by 2014. While an extensive surveillance system is being stealthily introduced by the state, several concerns with regard to its extent of use, functioning, and real world impact have been raised owing to ambiguities and wide gaps in procedure and law. Moreover, the lack of a concrete privacy legislation coupled with the absence of public discourse indicates the lack of interest of the state over the rights of an ordinary citizen. It is under these circumstances that awareness must first be brought regarding the risks of the mass surveillance on civil liberties which in the absence of established procedures protecting the rights of the citizens of the state can result in the abuse of powers by the state or its agencies and lead to the demise of civil freedoms even in democratic states.

The architecture and working of a proposed Internet Monitoring System must be examined in an attempt to better understand the functioning, capabilities and possible impact of a Central Monitoring System on our society and lives. This can perhaps allow more open discourse and a committed effort to preserve the rights of the citizens especially the right to privacy can be made while allowing for the creation of strong procedural guidelines which will help maintain legitimate intelligence gathering and surveillance.

Internet Monitoring System: Setup and Working
Very broadly, The Internet Monitoring System enables an agency of the state to intercept and monitor all content which passes through the Internet Service Provider’s (ISP) server which includes all electronic correspondence (emails, chats or IM’s, transcribed call logs), web forms, video and audio files, and other forms of internet content. The electronic data is stored and also subject to various types of analysis. While Internet Monitoring Systems are installed locally and their function is limited to specific geographic region, the Central Monitoring System will consolidate the data acquired from the different voice and data interception systems located across the country and create a centralized architecture for interception, monitoring and analysis of communications. Although the exact specifications and functions of the central monitoring system still remain unclear and ambiguous, some parallels regarding the functioning of the CMS can be drawn from the the specifications revealed in the Assam Police tender document for the procurement of an Internet Monitoring System.

Setup
The deployment architecture of an Internet Monitoring System (IMS) contains probe servers which are installed at the Internet Service Provider’s (ISP) premises and the probes are installed at various tapping points within the entire ISP network. A collection server is also installed and hosted at the site of the ISP. The collection server is used to either collect, analyze, filter or simple aggregate the data from the ISP servers and the data is transferred to a master aggregation server located a central data center. The central data center may also contain more servers specifically for analysis and storage. This type of architecture is being referred to as a ‘high availability clustered setup’ which is supposed to provide security in case of a failure or outage.

The Assam Police Internet Monitoring System tender document specifically indicates that the deployment in the state of Assam shall require 8 taps or probes to be installed at different ISPs, out of which 6 taps/probes shall be of 10 GBPS and 2 taps are of 1 GBPS. The document however mentions that the specifications are preliminary and subject to change.

Types of data
The proposed internet monitoring system of the Assam state can provide network traffic interception and a variety of internet protocols including Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP) and Session Initiation Protocol (SIP), Voice over Internet Protocol (VoIP) can be intercepted and monitored. The system can also support monitoring of Internet Relay Chat and various other messaging applications (such as Google Talk, Yahoo Chat, MSN Messenger, ICQ, etc.). The system can be equipped to capture and display multiple file types like text (.doc, .pdf), zipped (.zip) and executable applications (.exe). Further, information regarding login details, login pattern, login location, DNS address, routing address can be acquired along with the IP address and other details of the user.

Web crawling capabilities can be installed on the system which can provide data from various data sources like social networking sites, web based communities, wikis, blogs and other forms of web content. Social media websites (such as Twitter, Facebook, Orkut, MySpace etc.), web pages and data on hosted applications can also be intercepted, monitored and analyzed. The system also allows capture of additional pages if updated; log periodical updates and other changes. This allows the monitoring agencies the capability of gathering internet traffic based on several parameters like Protocols, Keywords, Filters and Watch lists. Keyword matching is achieved by including phonetically similar words in various languages including local languages.

More specific functions of the IMS can include complete email extraction which will disclose the address book, inbox, sent mail folder, drafts folder, personal folders, delete folders, custom folders etc. and can also provide identification of dead drop mails. The system can also be equipped to allow country wise tracking of instant messages, chats and mails.

Regarding retention and storage of data, the tender document specifies that the system shall be technically capable of retaining the metadata of Internet traffic for at least one year and the defined traffic/payload/content is to be retained in the storage server at least for a week. However, the data may be retained for a longer period if required. The metadata and qualified data after analysis are integrated to a designated main intelligence repository for storage.

Types of Analysis
The Internet Monitoring System apart from intercepting all the data generated through the Internet Service Providers is essentially equipped for various types of data analysis. The solutions that are installed in the internet monitoring system provide the capability for real time as well as historical analysis of network traffic, network perimeter devices and internal sniffers. The kinds of analysis based on ‘slicing and dicing of data’ range from text mining, sentiment analysis, link analysis, geo-spatial analysis, statistical analysis, social network analysis, transaction analysis, locational analysis and fusion based analysis, CDR analysis, timeline analysis and histogram based analysis from various sources.

The solutions installed in the IMS can enable monitoring of specific words or phrases (in various languages) in blogs, websites, forums, media reports, social media websites, media reports, chat rooms and messaging applications, collaboration applications and deep web applications. Phone numbers, addresses, names, locations, age, gender and other such information from content including comments and such can also be monitored. Specifically with regard to social media, the user’s profile and information related to it can be extracted and a detailed ontology of all the social media profiles of the user can be created.

Based on the information, the analysis supposed to provide the capability to identify suspicious behavior based on existing and new patterns as they emerge and are continuously applied to combine incoming and existing information on people, profiles, transactions, social network, type of websites visited, time spent on websites, type of content download or view and any other type of gatherable information. The solutions on the system are also supposed to create single or multiple or parallel scenario build-ups that may occur in blogs, social media forums, chat rooms, specific web hosting server locations or URL, packet route that may be defined from time to time and such scenario build-ups can be based on parameters like sentiments, language or expressions purporting hatred or anti-national expressions, and even emotions like expression of joy, compassion and anger, which as may be defined by the agency depending on operational and intelligence requirement. Based on these parameters, automated alerts can be generated relating to structured or unstructured data (including metadata of contents), events, pattern discovery, phonetically similar words or phrases or actions from users.

Based on the data analysis, reports or dossiers can be generated and visual analysis allowing a wide variety of views can be created. Further, real time visualization showing results from real-time data can be generated which allows alerts, alert categories or discoveries to be ranked (high, medium, and low priority, high value asset, low value asset, moderate value asset, verified information, unverified information, primary evidence, secondary evidence, circumstantial evidence, etc.) based on criteria developed by the agency. The IMS solutions can also be capable of offering web-intelligence and open source intelligence and allow capabilities like simultaneous search capabilities which can be automated providing a powerful tool for exploration of the intercepted data.

Another important requirement mentioned in the tender document is the systems capability to integrate with other interception and monitoring systems for 2G, 3G/UMTS and other evolving mobile carrier technologies including fixed line and Blackberry services and encrypted IP services like Skype services.

Conclusion
It is clear that a system like IMS with its extensive interception and analysis capabilities gives complete access to an agency or authority of all information that is accessed or transmitted by a person on the internet including information which is private and confidential such as email and instant messages. Although the state has the power to issue directions for interception or monitoring of information under the Information Technology Act, 2000 and certain rules are prescribed under section 69B, they are wholly inadequate compared to the scope and extent of the Internet Monitoring System and its scale of operations. The interception and monitoring systems that are either proposed or already in place effectively bypass the existing procedures prescribed under the Information Technology Act.

The issues, concerns and risks are only compounded when it comes to the Central Monitoring System. The solutions installed in present day interception and monitoring systems give the state unprecedented powers to intercept, monitor and analyze all the data of any person who access the internet. Tools like deep packet inspection and extensive data mining solutions in the absence of concrete safeguards and when deployed through a centralized system can be misused to censor any content including legitimate discourse. Also, the perception that access to a larger amount of data or all data can help improve intelligence can also be sometimes misleading and it must be asked whether the fundamental rights of the citizens of the state can be traded away under the pretext of national security. Furthermore, it is essential for the state to weigh the costs of such a project both economically and morally and balance it with sufficient internal measures as well as adequate laws so that the democratic values are persevered and not endangered by any act of reckless force.

Reiterating what has been said earlier, while it is important for the state to improve its intelligence gathering tools and mechanisms, it must not be done at the cost of a citizen’s fundamental right. It is the duty of the democratic state to endure and maintain a fine balance between national interest and fundamental rights through timely creation of equitable laws.

[*]. http://necessaryandproportionate.net/#_edn2

For more details visit https://cis-india.org/internet-governance/blog/moving-towards-surveillance-state

RTI on Officials and Agencies Authorized to Intercept Telephone Messages in India

praskrishna — 2013-07-15T05:23:54Z

In an RTI mailed on April 17, 2013, the Centre for Internet and Society sought comprehensive information on the officials and agencies authorized to intercept telephone messages in India.

A portion of the RTI still awaits response, as it was redirected to the Department of Electronics and Information Technology. But on May 23, 2013 Rakesh Mittal of the Ministry of Home Affairs responded in brief and directed us to the 2007 Amendment to the 1885 Indian Telegraph Act.

Referring to rule 419-A of the amendment and the Ministry of Home Affairs website, we find that within central government the power to order communications surveillance is normally reserved for Union Home Secretary, a position held by Shir Anil Goswami as of June 30, 2013 (previously R.K. Singh). The amendment goes on to say, “In unavoidable circumstances,” however, such an order can be commanded by a Joint Secretary who has been authorized by Union Home Secretary Goswami. On the federal level, the Ministry of Home Affairs includes nearly 20 such Joint Secretaries able to be authorized for making interception commands.

A listing of the original question requests are given below:

Please provide a list containing name, rank and office address of the officers/agencies authorized by the Central Government to issue an order for interception under section 5(2) of the Telegraph Act, 1885
Please provide a list containing name, rank and office address of the officers authorized to issue interception orders under Rule 419A(1) of the Telegraph Rules, 1951 in unavoidable circumstances when such orders cannot be issued by the secretary to the Government of India, Ministry of Home Affairs.
Please provide a list containing the name, rank and office address of the officers/agencies designated as “competent authority” in terms of the Rule 419A(1) proviso of the Telegraph Rules, 1951.
Please provide a list of the agencies authorized by the Central Government to intercept, monitor, decrypt any information generated, transmitted, received or stored in any computer resource under section 69(1) of the Information Technology Act, 2000.
Please provide a list of the agencies authorized by the Central Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource under section 69-B of the Information Technology Act, 2000.
Please provide a list containing name, rank and office address of the officers/agencies authorized to issue interception orders under Rule 3, first proviso, of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
Please provide a list of the agencies authorised to intercept, monitor, decrypt any information generated, transmitted, received or stored in any computer resource under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009.

For more details visit https://cis-india.org/internet-governance/resources/rti-on-officials-and-agencies-authorized-to-intercept-telephone-messages-in-india

Public Interest Litigation for Protection of Indian Internet Data, Action Against Foreign Internet Providers

praskrishna — 2013-07-15T04:19:26Z

For more details visit https://cis-india.org/internet-governance/blog/pil.pdf

India:Privacy in Peril

bhairav — 2013-09-25T09:56:22Z

The danger of mass surveillance in India is for real. The absence of a regulating law is damning for Indians who want to protect their privacy against the juggernaut of state and private surveillance.

The article was originally published in the Frontline on July 12, 2013.

At the concluding scene of his latest movie, Superman disdainfully flings a surveillance drone down to earth in front of a horrified general. “You can’t control me,” he tells his military minder. “You can’t find out where I hang up my cape.” This exchange goes to the crux of surveillance: control. Surveillance is the means by which nation-states exercise control over people. If the logical basis of the nation-state is the establishment and maintenance of homogeneity, it is necessary to detect and interdict dissent before it threatens the boundedness and continuity of the national imagination. This imagination often cannot encompass diversity, so it constructs categories of others that include dissenters and outsiders. Admittedly, this happens less in India because the foundation of the Indian nation-state imagined a diverse society expressing a plurality of ideas in a variety of languages secured by a syncretic and democratic government that protected individual freedoms. Unfortunately, this vision is still to be realised, and the foundational idea of India continues to be challenged by poor governance, poverty, insurgencies and rebellion. Consequently, surveillance is, for the modern nation-state, a condicio sine qua non—an essential element without which it will eventually cease to exist. The challenge for democratic nation-states is to find the optimal balance between surveillance and the duty to protect the freedoms of its citizens.

History of wiretaps

Some countries, such as the United States, have assembled a vast apparatus of surveillance to monitor the activities of their citizens and foreigners. Let us review the recent controversy revealed by the whistle-blower Edward Snowden. In 1967, the U.S. Supreme Court ruled in Katz vs United States that wiretaps had to be warranted, judicially sanctioned and supported by probable cause. This resulted in the passage of the Wiretap Act of 1968 that regulated domestic surveillance. Following revelations that Washington was engaging in unrestricted foreign surveillance in the context of the Vietnam war and anti-war protests, the U.S. Congress enacted the Foreign Intelligence Surveillance Act (FISA) in 1978. FISA gave the U.S. government the power to conduct, without judicial sanction, surveillance for foreign intelligence information; and, with judicial sanction from a secret FISA court, surveillance of anybody if the ultimate target was a foreign power. Paradoxically, even a U.S. citizen could be a foreign power in certain circumstances. Domestically, FISA enabled secret warrants for specific items of information such as library book borrowers and car rentals.

Following the 9/11 World Trade Centre attacks, Congress enacted the Patriot Act of 2001, Section 215 of which dramatically expanded the scope of FISA to allow secret warrants to conduct surveillance in respect of “any tangible thing” that was relevant to a national security investigation. In exercise of this power, a secret FISA court issued secret warrants ordering a number of U.S. companies to share, in real time, voice and data traffic with the National Security Agency (NSA). We may never know the full scope of the NSA’s surveillance, but we know this: (a) Verizon Communications, a telecommunications major, was ordered to provide metadata for all telephone calls within and without the U.S.; (b) the NSA runs a clandestine programme called PRISM that accesses Internet traffic, such as e-mails, web searches, forum comments and blogs, in real time; and (c) the NSA manages a comprehensive data analysis system called Boundless Informant that intercepts and analyses voice and data traffic around the world and subjects them to automated pattern recognition. The documents leaked by Snowden allege that Google, Facebook, Apple, Dropbox, Microsoft and Yahoo! participate in PRISM, but these companies have denied their involvement.

India fifth-most monitored

How does this affect India? The Snowden documents reveal that India is the NSA’s fifth-most monitored country after Iran, Pakistan, Jordan and Egypt. Interestingly, China is monitored less than India. Several billion pieces of data from India, such as e-mails and telephone metadata, were intercepted and monitored by the NSA. For Indians, it is not inconceivable that our e-mails, should they be sent using Gmail, Yahoo! Mail or Hotmail, or our documents, should we be subscribing to Dropbox, or our Facebook posts, are being accessed and read by the NSA. Incredibly, most Indian governmental communication, including that of Ministers and senior civil servants, use private U.S. e-mail services. We no longer enjoy privacy online. The question of suspicious activity, irrespective of the rubric under which suspicion is measured, is moot. Any use of U.S. service providers is potentially compromised since U.S. law permits intrusive dragnet surveillance against foreigners. This clearly reveals a dichotomy in U.S. constitutional law: the Fourth Amendment’s guarantees of privacy, repeatedly upheld by U.S. courts, protect U.S. citizens to a far greater extent than they do foreigners. It is natural for a nation-state to privilege the rights of its citizens over others. As Indians, therefore, we must clearly look out for ourselves.

Privacy and personal liberty

Unfortunately, India does not have a persuasive jurisprudence of privacy protection. In the Kharak Singh (1964) and Gobind (1975) cases, the Supreme Court of India considered the question of privacy from physical surveillance by the police in and around homes of suspects. In the latter case, the court found that some of the Fundamental Rights “could be described as contributing to the right to privacy”, which was subject to a compelling public interest. This insipid inference held the field until 1994 when, in the Rajagopal (“Auto Shankar”, 1994) case, the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty recognised by Article 21 of the Constitution. However, Rajagopal dealt specifically with the publication of an autobiography, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the People’s Union for Civil Liberties (PUCL) case. While finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards which continue to be routinely ignored. A more robust statement of the right to privacy was made by the Delhi High Court in the Naz Foundation case (2011) that decriminalised consensual homosexual acts; however, there is an appeal against the judgment in the Supreme Court.

Legislative silence

Judicial vagueness has been compounded by legislative silence. India does not have a law to operationalise a right to privacy. Consequently, a multitude of laws permit daily infractions of privacy. These infractions have survived because they are diverse, dissipated and quite disorganised. However, the technocratic impulse to centralise and consolidate surveillance and data collection has, in recent years, alarmed many citizens. The state hopes to, through enterprises such as the Central Monitoring System (CMS), the Crime and Criminals Tracking Network and System (CCTNS), the National Intelligence Grid (NATGRID), the Telephone Call Interception System (TCIS) and the Unique Identification Number (UID), replicate the U.S. successes in surveillance and monitoring and profiling all its citizens. However, unlike the U.S., India proposes to achieve this without an enabling law. Let us consider the CMS. No documents have been made available that indicate the scope and size of the CMS.

From a variety of police tenders for private equipment, it appears that the Central government hopes to put in place a system that will intercept, in real time, all voice and data traffic originating or terminating in India or being carried by Indian service providers. This data will be subject to pattern recognition and other automated tests to detect emotional markers, such as hate, compassion or intent. The sheer scale of this enterprise is intimidating; all communications in India’s many languages will be subject to interception and testing designed to detect different forms of dissent. This mammoth exercise in monitoring is taking place—it is understood that some components of the CMS are already operational—without statutory sanction. No credible authorities exist to supervise this exercise, no avenues for redress have been identified and no consequences have been laid down for abuse.

Statutory Surveillance

In a recent interview, Milind Deora, Minister of State for Communications and Information Technology, dismissed public scepticism of the CMS saying that direct state access to private communications was better for privacy since it reduced dependence on the interception abilities of private service providers. This circular argument is both disingenuous and incorrect. No doubt, trusting private persons with the power to intercept and store the private data of citizens is flawed. The leaking of the Niira Radia tapes, which contain the private communications of Niira Radia taped on the orders of the Income Tax Department, testifies to this flaw. However, bypassing private players to enable direct state access to private communications will preclude leaks and, thereby, remove from public knowledge the fact of surveillance. This messy situation may be obviated by a regime of statutory regulation of warranted surveillance by an independent and impartial authority. This system is favoured by liberal democracies around the world but conspicuously resisted by the Indian government.

The question of privacy legislation was recently considered by a committee chaired by Justice Ajit Prakash Shah, a former judge of the Delhi High Court who sat on the Bench that delivered the Naz Foundation judgment. The Shah Committee was constituted by the Planning Commission for a different reason: the need to protect personal data that are outsourced to India for processing. The lack of credible privacy law, it is foreseen, will result in European and other foreign personal data being sent to other attractive processing destinations, such as Vietnam, Israel or the Philippines, resulting in the decline of India’s outsourcing industry. However, the Shah Committee also noted the absence of law sufficient to protect against surveillance abuses. Most importantly, the Shah Committee formulated nine national privacy principles to inform any future privacy legislation (see story on page 26). In 2011, the Department of Personnel and Training (DoPT) of the Ministry of Human Resource Development, the same Ministry entrusted with implementing the Right to Information Act, 2005, leaked a draft privacy Bill, marked ‘Secret’, on the Internet. The DoPT Bill received substantive criticism from the Attorney General and some government Secretaries for the clumsy drafting. A new version of the DoPT Bill is reported to have been drafted and sent to the Ministry of Law for consideration. This revised Bill, which presumably contains chapters to regulate surveillance, including the interception of communications, has not been made public.

The need for privacy legislation cannot be overstated. The Snowden affair reveals the extent of possible state surveillance of private communications. For Indians who must now explore ways to protect their privacy against the juggernaut of state and private surveillance, the absence of regulatory law is damning. Permitting, through public inaction, unwarranted and non-targetted dragnet surveillance by the Indian state without reasonable cause would be an act of surrender of far-reaching implications.

Information, they say, is power. Allowing governments to exercise this power over us without thought for the rule of law constitutes the ultimate submission possible in a democratic nation-state. And, since superheroes are escapist fantasies, without the prospect of good laws we will all be subordinate to a new national imagination of control and monitoring, surveillance and profiling. If allowed to come to pass, this will be a betrayal of the foundational idea of India as a free and democratic republic tolerant of dissent.

Bhairav Acharya is a constitutional lawyer practising in the Supreme Court of India. He advises the Centre for Internet & Society, Bangalore, on privacy law and other constitutional issues.

For more details visit https://cis-india.org/internet-governance/blog/frontline-cover-story-july-12-2013-bhairav-acharya-privacy-in-peril

The Difficult Balance of Transparent Surveillance

kovey — 2013-07-15T04:23:35Z

Is it too much to ask for transparency in data surveillance? On occasion, companies like Microsoft, Facebook, and the other silicon valley giants would say no. When customers join these services, each company provides their own privacy statement which assures customers of the safety and transparency that accompanies their personal data.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Google even publishes annual “Transparency Reports” which detail the data movement behind the scenes. Governments, too, are somewhat open about surveillance methods, for example with the public knowledge of the existence and role of institutions like America’s NSA and India’s CMS. These façades of assurance, however, never satisfy the public enough to protect them from feeling cheated and deceived when information leaks about surveillance practices. And in the face of controversy around surveillance, both service providers and governments scramble to provide explanations for discrepancies between their promises and their practices.

So it seems that transparency might not be too much to ask, but instead is perhaps more complicated of a request than imagined. For some citizens, nothing would be more satisfying than complete transparency on all data collection. For those who recognize surveillance as crucial for national security, however, complete transparency would mean undermining the very efficacy of surveillance practices. And data companies often find themselves caught between these two ends, simultaneously seeking profits by catering to the public, while also trying to abide by political and legal frameworks. Therefore, in the process of modern data surveillance, each attempt at resolution of the transparency issue will become a delicate balance between three actors: the government, the big data companies, and the people. As rightly stated on the Digital Due Process website, rules for surveillance must carefully consider “the individual’s constitutional right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust.”[1]

So we must unpack the idea of transparency.

First, there should be a distinction made between proactive transparency and reactive transparency, or, the announcement of surveillance practices versus the later access to surveillance records. The former is more risky and therefore more difficult to entertain, while the latter may lack any real substance beyond satisfying inquiries. Also consider the discrepancy in motivation for transparency between the actors. For the citizen, is transparency really an end goal, or is it only a stepping stone in the argument for eradication of surveillance practices in the name of rights to privacy? Here, we ascertain the true value of total transparency; will it ever please citizens to learn of a government’s most recent undermining of the private sphere?

Reactive transparency has been achieved only in recent years in India, during a number of well publicized legal cases. In one of the earliest cases of reactive transparency, Reliance Communications made an affidavit in the Supreme Court over the exact number of surveillance directives given by the government. It was released that 151,000 Reliance accounts were monitored for a project between 2006 and 2010, with 3,588 tapped phones just from the Delhi region alone in 2005.[2]

But also there has been controversy over the extent of reactive transparency, because it has been especially problematic to discern the point where transparency once again encroaches on privacy, both for government and the people’s sake. After gathering the data, its release could further jeopardize the citizens and the government. It is important to carefully consider the productive extent of reactive transparency: What will become of the information? Will one publicly reveal how many people were spied on? Who was spied on? What was found when through spying? Citizens must take all of this into consideration when requesting transparency.

Meanwhile, service providers embrace transparency when it can benefit their corporation, or as a recent Facebook statement explained, “we’ve been in discussions with U.S. national security authorities urging them to allow more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds.” [a] Many of the service providers mentioned in the recently leaked PRISM report have made well-publicized requests to the U.S. government for more transparency.[3]

Not only have they allegedly written requests to the government to allow them to disclose information, but the companies (including Facebook [a], Apple [b], Microsoft[c], and Google [d]) have all released explanatory statements in the wake of the June 2013 PRISM scandal. Although service providers claim that the request to release data about their cooperation is in the ‘interest of transparency,’ it instead seems that the motivation for this transparency is to ease consumers’ concerns and help the companies save face. The companies (and the government) will admit their participation in surveillance once it has become impossible to deny their association with the programs. This shrewd aspect of transparency can be seen most clearly in statements like those from Microsoft, who included in their statement on June 14^th, “We have not received any national security orders of the type that Verizon was reported to have received.” [c] Spontaneous allusions like this are meant to contrast guilt-conscious service providers favorably to telecom service providers such as AT&T and Verizon, who allegedly yielded the most communications data and who as of now have yet to release defensive public statements.

Currently, we find ourselves in a situation where entities admit to their collusion in snooping only once information has leaked, indignation has ignited, and scandal has erupted. A half-hearted proactive transparency leads to an outrage demanding reactive semi-transparency. These weak forms of transparency neither satisfy the public, nor allow governments and service providers to maintain dignity.

But now is also a crucial moment for possible reevaluation and reformation of this system, especially in India. Not only is India enacting its own national security surveillance system, the CMS[4] but the recent NSA and PRISM revelations are still sending shockwaves throughout the world of cyber security and surveillance. Last week, a Public Interest Litigation (PIL) was sent to the Indian Supreme Court, arguing that nine foreign service providers (Facebook, Hotmail, Yahoo!, Google, Apple, Skype, Paltalk, AOL, YouTube) violated the trust and privacy of their Indian customers through their collusion with the US government’s surveillance programs.[5]

Among other things, the PIL emphatically sought prosecution of the mentioned corporations, demands for the service providers to establish servers in India, and also sought stricter rules to prevent Indian officials from using these foreign services for work involving national security. Ultimately, the PIL was rejected by the Supreme Court; although the PIL stated the grounds of Rule 6 of the Information Technology Rules 2011 for the guidelines in protecting sensitive Indian citizen information, the SC saw the PIL as addressing problems outside of SC jurisdiction, and was quoted as saying “we cannot entertain the petition as an Indian agency is not involved.”[5][6]

The SC considered the PIL only partially, however, as certain significant parts of the petition were indeed within Indian domestic agency, for example the urge to prohibit federal officials from using the private email services such as Gmail, Hotmail, and Yahoo. And although the SC is not the correct place to push for new safeguard legislation, the ideas of the PIL are not invalid, as Indian leaders have long searched for ways of ensuring basic Indian privacy laws in the context of international service providers. This is also not a problem distinctive to India. International service providers have entered into agreements regarding the same problems of incorporating international customers’ rights, formal agreements which India could emulate if it wanted to demand greater privacy or transparency.

For example, there is the Safe Harbor Framework, an institution in place to protect and mediate European Union citizens’ privacy rights within the servers of foreign (i.e. American) Internet companies. These regulations were established in 2000, and serve the purpose of adjusting foreign companies’ standards to incorporate E.U. privacy laws. In accordance with the agreement, E.U. data is only allowed to be sent to outside providers who maintain the seven Safe Harbor principles, several of which focus on transparency of data usage.[7] India could enact a system similar to this, and it would likely alleviate some of the concerns raised in the most recent PIL. These frameworks, however, have not proven completely reliable safeguards either, especially when the service providers’ own government uses national security as a means to override the agreement. Although the U.S. government has yet to fully confirm or deny many of the NSA and PRISM allegations in regards to Europe, there is currently strong room to believe that the surveillance practices may have violated the Safe Harbor agreements by delivering sensitive E.U. citizen data to the U.S. government.[8] It is uncertain how these revelations will impact the agreements made between the big Silicon-Valley companies and their E.U. customers.

The recent PIL also strongly suggested establishing domestic data servers to keep Indian citizens’ information within the country and under the direct supervision of Indian entities. It strongly pushes for self-reliance as the best way to ensure both citizen and national security. The PIL assumes that domestic servers will not only offer better information protection, but also create much needed jobs and raise national tax revenue.[5] If allegations about PRISM and the E.U. prove true, then the E.U. may also decide to support establishment of European servers as well.

Several of the ideas outlined in the PIL have merit, but may not be as productive as the requesters assume. It is true that establishing servers and domestic regulators in India may temporarily protect from unwanted foreign, i.e. American, surveillance. But at the same time, this also increases likelihood of India’s own central government taking a stronger surveillance stance, more stringently monitoring their own servers and databases. It has not yet been described how the CMS will be operate its surveillance methods, but moving data to domestic servers may just result in shifting power from NSA to CMS. Rather than more privacy or transparency, the situation could easily become a matter of who citizens prefer spying over them.

Even if one government establishes rules which enforce transparency, this may clash with the laws of the service providers’ domestic government, i.e. confidentiality in surveillance. Considering all of this, rejection of foreign service providers and promotion of domestic self reliance may ultimately prove the most effective alternative for nations which are growing rapidly in both internet presence and internet consciousness. But that does not make this option the easiest. Facing the revelations and disillusionment of domestic (CMS) and international (PRISM) surveillance methods, countries like India are reaching an impeding critical juncture. Now is the most important time to establish new norms, while public sentiment is at its highest and transition is most possible, not only creating new laws which can safeguard privacy, but also strongly considering alternatives to foreign service providers like those outlined in June’s PIL. Privacy International’s guiding principles of communications surveillance also offer useful advice, urging for the establishment of oversight institutions which can access surveillance records and periodically publish aggregate data on surveillance methods.[9] Although the balance between security on the national level and security on the personal level will continue to be problematic for nations in the upcoming years, and even though service providers’ positions on surveillance usually seem contrived, Microsoft Vice President John Frank made a statement which deserves appreciation, rightly saying, “Transparency alone may not be enough to restore public confidence, but it’s a great place to start.”[c]

[1]. http://digitaldueprocess.org/

[2]. http://bit.ly/151Ue1H

[3]. http://bit.ly/12XDb1Z

[4]. http://ti.me/11Xh08V

[5]. Copy of 2013 PIL to Supreme Court, Prof. S.N. Singh [attached]

[6]. http://bit.ly/1aXWdbU

[7]. http://1.usa.gov/qafcXe

[8]. http://bit.ly/114hcCX

[9]. http://bit.ly/156wspI

[a]. Facebook Statement: http://bit.ly/ZQDcn6

[b]. Apple Statement: http://bit.ly/1akaBuN

[c]. Microsoft Statement:http://bit.ly/1bFIt31

[d]. Google Statement: http://bit.ly/16QlaqB

For more details visit https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance

dna exclusive: Geeks have a solution to digital surveillance in India: Cryptography

praskrishna — 2013-07-15T06:24:40Z

While you were thinking of what next to post on Twitter, the government has stealthily put an ambitious surveillance programme in place that tracks your every move in the digital world — through voice calls, SMS and MMS, GPRS, fax communications on landlines, video calls and emails.

The article by Joanna Lobo was published in DNA on July 7, 2013. Pranesh Prakash is quoted.

The programme, conceived in 2011, has now been brought under one umbrella referred to as the centralised monitoring system (CMS). It is the death of privacy.

But as concerned citizens argue for the need to formulate policies and laws to protect privacy, there's a simpler solution in sight for now: a CryptoParty.

At this 'party', an informal gathering of people, non-geeks can learn how to legally encrypt their digital communications and how to store data without the fear of anyone snooping in. Encryption is a process of encoding messages so that it can only be read by authorised parties.

What is it?
"A CryptoParty educates people in the domain of cryptography. It's usually about the basics: how to send encrypted email, how to protect your hardware and how to use free and open source software," says Satyakam Goswami, a free software consultant associated with the Software Freedom Law Centre (SFLC), Delhi (remove this). Goswami was one of the 72 participants at the CryptoParty organised on Saturday at Institute of Informatics & Communication (IIC), Delhi University South Campus On June 30, a CryptoParty organised at the Centre for Internet and Society (CIS) in Bangalore had 30 people in attendance. "We were taught about the what, how and who is watching us. We were also taught how to encrypt emails, chat, video calls or instant messaging,” says Siddhart Prakash Rao, a computer science graduate and a free software and open source enthusiast who is about to pursue a Masters in Cryptography.

The topics may be a mouthful for non-geeks but CryptoParty advocates maintain that all this is taught in the simplest way possible. The choice of subject depends on the composition of the group — if it is a gathering of geeks, like at the Bangalore event, then the topics are more technical.

How can it help?
CryptoParties started in August 2012 by an Australian woman (who goes by the pseudonym Asher Wolf) after a conversation on Twitter about The Australian Parliament's new cybercrime bill that allowed law enforcement to ask Internet Service Providers to monitor and store data.
Attending a CryptoParty is a good way to learn how to overcome government snooping legally.

“Citizens should use encryption to safeguard their private communications against both corporations and the government. Encryption is one of the best ways to react to CMS along with increased civic vigilance and democratic questioning of our government and parliamentarians,” says Pranesh Prakash, policy director, CIS, and one of the frontrunners in the fight to formulate a policy to safeguard privacy in India.

"In India, people tend to be rather ignorant. They are not aware of the kind of surveillance they are subjected to once online. It's a lack of understanding," says Sumandro Chattapadhyay, a researcher with Sarai, a programme of the Centre for the Study of Developing Societies, Delhi.

Bernadette Langle, who also works at CIS has been instrumental in organising the handful of CryptoParties in the country. When dna spoke to her, she was on her way to Delhi after participating in the Bangalore event. Langle will also be part of a CryptoParty being planned for October in Mumbai. "Ten years ago, you had to be a geek to be able to encrypt and protect yourself online. Now, you need software and it's much easier," she says.

The advantage is that the privacy tactics taught at such parties is completely legal. All knowledge is in the public domain. “A government will only deny its citizens basic communications privacy if it is authoritarian,” says Pranesh. “So while it can try social engineering and other means to gain access to what you've encrypted, it simply cannot 'decode' it as long as you have chosen a strong pass phrase and keep that protected, or they create quantum computers capable of breaking your encryption.”

The CIS is currently working on revisions of the Privacy (Protection) Bill 2013 with the objective of contributing to privacy legislation in India. Till that bill becomes an Act and till there's a better way to overcome needless government surveillance, attending a CryptoParty could possibly be the wisest solution for those concerned about privacy.

(For more details on CryptoParties, visit www.cryptoparty.in)

How to encrypt:
SMS: Make content secure by using software like TextSecure (Android) or CryptoSMS (Symbian). However, SMS metadata (who you are sending the message to and at what time) can still be tracked.

Instead of Whatsapp, install Jabbir and add off the record encryption.

For email, you can use OpenPGP in conjunction with Thunderbird to encrypt mails you send from Gmail/Yahoo Mail/Live Mail accounts so that even Google, Yahoo and Microsoft can't read them

For web browsing, use a VPN (which will hide your traffic from your ISP), or Tor (which will help anonymise your traffic, but will slow down your connection slower).

For more details visit https://cis-india.org/news/report-dna-july-7-2013-joanna-lobo-geeks-have-a-solution-to-digital-surveillance-in-india-cryptography

Privacy (Protection) Bill, 2013

praskrishna — 2013-07-03T09:39:11Z

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-amendments.pdf

Concerns over central snoop

praskrishna — 2013-07-01T09:33:27Z

Eyebrows have been raised at the Centre’s single-window system to intercept phone calls and internet exchanges — the desi version of the US’s surveillance programme, PRISM — that is expected to roll out this year-end.

The article by Aloke Tikku was published in the Hindustan Times on June 28, 2013. Sunil Abraham is quoted.

The Rs. 400-crore project — tentatively called the Central Monitoring System (CMS) — will not only allow the government to listen to a target’s phone conversation but also track down a caller’s precise location, match his voice against known suspects’ before the call is completed and see what people have been up to on the internet.

And then, it can also use analytics to discover possible links — between suspected terrorists, criminals or just about anybody — from the internet and phone data. All this will be done from one place without keeping the internet or phone service provider in the loop — something the telecom and home ministries insist will enhance citizens’ privacy.

Both ministries also insist that the CMS won’t change the rules of the game. “The process to seek authorisation for interception will not be diluted,” a home ministry official promised.

So is everything hunky dory?

Hardly. But technology — in this case, the CMS — is a smaller part of the problem.

The bigger chunk is the process of approving “lawful interception” orders and the lack of transparency around it.

It was in December 1996 that the Supreme Court held that the State could spy on its citizens in extraordinary circumstances but, as an interim measure, made it mandatory for the home secretary to approve each and every such request. Telecom minister Kapil Sibal, who appeared in this case in the mid-1990s, convinced the court that it didn’t have the powers to order that a judge decide each phone-tapping case. Instead, Sibal suggested that this power remain with the executive on lines of the law in the UK. A former home secretary, however, conceded that they hardly have the time to apply their mind before signing a wiretap order.

That isn’t surprising. The home secretary approves around 7,500-9,000 interception orders every month. That means he or she has to sign an average of 300 orders every day without a break.

If he were to spend just 30 seconds on each case, he would have to keep aside four-and-a-half hours just approving interception orders every day.

An official said the ministry was considering a suggestion to pick up a fixed number of cases at random for closer scrutiny before approval.

Many believe this might not be enough. It is argued that the government — which was trying to replicate surveillance technology from the west — needs to adopt their safeguards and transparency norms too.

Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, said he didn’t have a problem with CMS as long as it didn’t go for blanket surveillance.

“But there is no reason why the executive — and not a judge — should have the powers to decide on phone-tapping requests,” he said. Or for that matter, why shouldn’t there be an independent audit of phone-tapping decisions, their implementation and outcome?

“The aggregated data should be put in the public domain,” Abraham said. The US has such provisions. So does Britain, which inspired Sibal to argue for retaining interception powers with the executive in the mid-1990s. It is time to follow-up on that model.

For more details visit https://cis-india.org/news/hindustan-times-aloke-tikku-june-28-2013-concerns-over-central-snoop

June 2013 Bulletin

praskrishna — 2013-07-27T09:48:16Z

Our newsletter for the month of June 2013 can be accessed below.

The Centre for Internet & Society (CIS) welcomes you to the sixth issue of its newsletter for 2013. Hivos published a White Paper by Nishant Shah titled Whose Change is it Anyway?, which attempts to reflect critically on existing patterns of making change and its implications for the future of citizen action in information and network societies. The Access to Knowledge team carried out a quantitative analysis to identify trends and growth patterns in Indian Language Wikipedias from September 2012 to April 2013. CIS drafted the Privacy Protection Bill and amended it as per feedback gained from the New Delhi, Bangalore, and Chennai Privacy Roundtable Events. CIS made closing statement on the Treaty for the Blind at the WIPO Diplomatic Conference which was concluded with the adoption of the Marrakesh Treaty to Facilitate Access to Published Works for Persons who are Blind, Visually Impaired, or otherwise Print Disabled. In a research paper Nehaa Chaudhari gives an analysis of patent pools, Sameer Boray gives an analysis of video piracy and Pranav Menon gives an analysis of India-EU FTA and issues surrounding data protection and security. In this period we organised the Institute on Internet and Society with support from the Ford Foundation at Golden Palms, Bangalore from June 8 to 14, 2013.

Celebrating 5 Years of CIS
CIS is now 5 years old and we just celebrated this by holding an open exhibition in our offices in Bangalore and Delhi from May 20 to 23, showcasing our work and accomplishments over the period. We had about 170 visitors from the general public coming in to our office. Videos of the event are here.

Google Policy Fellowship
CIS has initiated processing of applications for the Google Policy Fellowship programme. Shortlisted candidates would be informed about their interview. However, as of now there will be a 20 days delay in announcing the list for the interview.

Jobs
CIS is inviting applications for the posts of Developer (NVDA Screen Reader Project) and Editor/Content Developer. To apply for these posts, send in your resume to Nirmita Narasimhan (nirmita@cis-india.org). CIS is also seeking applications for the post of Programme Officer (Internet Governance). To apply send your resume to Sunil Abraham (sunil@cis-india.org) and Pranesh Prakash (pranesh@cis-india.org).

Accessibility

CIS is doing two projects in partnership with the Hans Foundation. One is to create a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India and another for developing a screen reader and text-to- speech synthesizer for Indian languages:

National Resource Kit for Persons with Disabilities
CIS and the Centre for Law and Policy Research (CLPR) are working in this project. Draft chapters have been published. Feedback and comments are invited from readers for the chapter on Jharkhand:

The Jharkhand Chapter (by CLPR, June 30, 2013).

Note: All the chapters published on the website are early drafts and will be reviewed and updated.

Award

Girls in ICT Day 2013 (organized by ITU-APT Foundation of India with support from CMAI - Association of India Communication and Infrastructure, FICCI Auditorium, Tansen Marg, New Delhi, May 7, 2013). Dr. Nirmita Narasimhan got a felicitation for her contribution and achievements in the field of Information and Communication Technology. The honour was conferred during the celebration of this event.

Media Coverage

A Treat for the Blind (by Chitra Narayanan, Business World, June 26, 2013). Pranesh Prakash was quoted.

Access to Knowledge and Openness

The Wikimedia Foundation has given a grant to CIS to support and develop the growth of Indic language communities and projects by community collaborations and partnerships. This is being carried out by the Access to Knowledge team based in Delhi. CIS is also doing a project (Pervasive Technologies) on examining the relationship between production of pervasive technologies and intellectual property. CIS also promotes openness including open government data, open standards, open access, and free/libre/open source software through its Openness programme.

Access to Knowledge (Previously IP Reforms)

WIPO
Pranesh Prakash participated in the WIPO Diplomatic Conference to Conclude a Treaty to Facilitate Access to Published Works by Visually Impaired Persons and Persons with Print Disabilities in Marrakesh, Morocco, June 17 to 28, 2013. The conference concluded with the adoption of the Marrakesh Treaty to facilitate access to published works by blind persons, persons with visual impairment, and other print disabled persons, by requiring mandatory exceptions in copyright law to enable conversions of books into accessible formats, and by enabling cross-border transfer of accessible format books. Click for:

CIS's Closing Statement at Marrakesh on the Treaty for the Blind (by Pranesh Prakash, June 28, 2013).
India's Closing Statement at Marrakesh on the Treaty for the Blind (June 29, 2013).

Pervasive Technologies

Pervasive Technologies: Patent Pools (by Nehaa Chaudhari, June 27, 2013).

Other (FTA, Piracy)

The Right Way to Fight Video Piracy? (by Sameer Boray, June 6, 2013).
India-EU Proposed Free Trade Agreement: Issues Surrounding Data Protection and Security (by Pranav Menon, June 8, 2013).
India- EU FTA: A Note on the Copyright Issues (by Nehaa Chaudhari, June 18, 2013).

Event Participated

Governance in the Age of the Internet and Free Trade Agreements (organized by Thai Netizen Network and co-hosted by the Ministry of Information and Communication and the National Science and Technology Development Agency, Queen Sirikit National Convention Center, June 8, 2013). Sunil Abraham was a speaker.

Access to Knowledge (Wikipedia)

The A2K team consists of three members based in Bangalore: T. Vishnu Vardhan, Dr. U.B. Pavanaja and Subhashish Panigrahi and one team member Nitika Tandon who is working from Delhi office.

Statistical Report

Indian Language Wikipedia Statistics (by Nitika Tandon, June 30, September 2012 – April 2013).

Event Organised

A 'Kannada' Wikipedia Workshop for Bloggers (Suchitra, Bengaluru, June 23, 2013). Dr. U.B. Pavanaja conducted the workshop.

Event Co-organised

Telugu Wikipedia Training Workshop (co-organised by A2K team and Theatre Outreach Unit, University of Hyderabad, Golden Threshold, Nampally, Hyderabad, March 8, 2013). T. Vishnu Vardhan conducted the workshop.

Upcoming Event

Digital Humanities for Indian Higher Education (co-organised by HEIRA-CSCS, Tumkur University, CILHE-TISS and CCS, Indian Institute of Science, July 13, 2013).

Blog Entries

My First Wikipedia Training Workshop – Theatre Outreach Unit, University of Hyderabad (by T. Vishnu Vardhan, June 26, 2013). The workshop was conducted in March but the report was published only in June.
Wikipedia Visual Editor (by Nitika Tandon, June 27, 2013).

Press Coverage (including videos)

A Feature on Wikipedia and Telegu Wikipedians (HMTV, May 30-31, 2013). Watch the video.
Wikipedia Live Phone-in Programme (HMTV, June 1, 2013). T. Vishnu Vardhan took part in a one hour live phone-in programme on Wikipedia.
Wiki donors (by Akhila Seetharaman, TimeOut Bengaluru, June 21, 2013). T. Vishnu Vardhan and Dr. U.B. Pavanaja are quoted.
Kannada Wikipedia Workshop at Hasan (Prajavani, June 5, 2013). Dr. U.B. Pavanaja conducted the workshop on June 4, 2013.
Kannada Wikipedia Workshop at Hasan (Samyukta Karnataka, June 5, 2013). Dr. U.B.Pavanaja conducted the workshop on June 4, 2013.
Kannada Wikipedia Workshop at Hasan (Vijaya Karnataka, June 5, 2013). Dr. U.B.Pavanaja conducted the workshop on June 4, 2013.
Wiki Rahasya: Panel Discussion (Suvarna News, June 13, 2013). Dr. U.B.Pavanaja participated in a panel discussion around Wikipedia in general and about Kannada Wikipedia in specific.

Openness

Column

Big Data, People's Lives, and the Importance of Openness (by Nishant Shah, DML Central, June 24, 2013).

Event Hosted

RHoK Global Event (Centre for Internet and Society, Bangalore, June 1 – 2, 2013). Yogesh Londhe shares with you a post-event report.

Internet Governance

CIS began two projects earlier this year. The first one on facilitating research and events on surveillance and freedom of expression is with Privacy International and support from the International Development Research Centre, Canada. The second one on mapping cyber security actors in South Asia and South East Asia is with the Citizen Lab, Munk School of Global Affairs, University of Toronto and support from the International Development Research Centre, Canada:

Cyber Stewards Project
Laird Brown, a strategic planner and writer with core competencies on brand analysis, public relations and resource management and Purba Sarkar who in the past worked as a strategic advisor in the field of SAP Retail are working in this project.

Video Interview

An Interview with Ram Mohan (June 30, 2013)

Event Organized

The Geopolitics of Information Controls: A Presentation by Masashi Crete-Nishihata (TERI, Bangalore, June 19, 2013). About 20 people participated in the event.

Privacy Research

Privacy Protection Bill, 2013 (With Amendments based on Public Feedback) (by Elonnai Hickok, June 30, 2013): CIS drafted the Bill. Based on feedback received from the New Delhi, Bangalore, and Chennai Roundtables the Bill was amended.

Interviews

Interview with the Citizen Lab on Internet Filtering in India (June 24, 2013). Maria Xynou interviewed Masashi Crete-Nishihata and Jakub Dalek from the Citizen Lab on internet filtering in India.
Interview with Billy Hawkes (June 20, 2014). Maria Xynou interviewed Billy Hawkes, the Irish Data Protection Commissioner on recommendations for data protection in India.

Columns

Indian Surveillance Laws & Practices Far Worse than US (by Pranesh Prakash, Economic Times, June 13, 2013).
World Wide Rule (by Nishant Shah, Indian Express, June 14, 2013). Nishant Shah reviews Schmidt and Cohen's book “The New Digital Age”.
Way to Watch (by Chinmayi Arun, Indian Express, June 26, 2013).
The State is Snooping: Can You Escape? (by Snehashish Ghosh, India Together, June 26, 2013).

Blog Entries

India Subject to NSA Dragnet Surveillance! No Longer a Hypothesis — It is Now Officially Confirmed (by Maria Xynou, June 13, 2013).
SEBI and Communication Surveillance: New Rules, New Responsibilities? (by Kovey Coles, June 27, 2013).
Open Letter to "Not" Recognize India as Data Secure Nation till Enactment of Privacy Legislation (by Elonnai Hickok, June 19, 2013).
Open Letter to Prevent the Installation of RFID tags in Vehicles (by Maria Xynou, June 27, 2013).

Events Organised

Technology, Power, and Revolutions in the Arab Spring (CIS, July 2, 2013). Prof. Ramesh Srinivasan gave a talk.
Learn to Secure Your Online Communication! (CIS, Bangalore, June 30, 2013). A Crypto Party was organised.
Learn to Secure Your Online Communication! (IIC, Delhi University, South Campus, New Delhi, July 6, 2013). A Crypto Party was organised.

Event Co-organised

4^th Privacy Round Table Meeting (co-organised with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India, Mumbai, June 15, 2013).

Upcoming / Ongoing Events

Digital Activism in Europe (The Sarai Programme, Centre for the Study of Developing Societies, New Delhi, July 8, 2013). Bernadette Längle will give a talk.
Privacy Round Table, Kolkata (co-organised with the Federation for Indian Chambers of Commerce and Industry, and the Data Security Council of India, Lytton Hotel, Sudder Street, Kolkata, July 13, 2013).

Event Participated In

Biometrics or bust? India's Identity Crisis (organized by the Oxford Internet Institute, July 2, 2013). Malavika Jayaram was a speaker.

Video

Pranesh Prakash on the US snooping into Indian cyber space (by Tehelka, June 2013).

Media Coverage

Indian student in Cornell University hacks into ICSE, ISC database (by Kim Arora, Times of India, June 6, 2013). Pranesh Prakash is quoted.
‘Hacking’ sparks row over exam evaluation (by Vasudha Venugopal and Karthik Subramanian, Hindu, June 7, 2013). Pranesh Prakash is quoted.
Internet firms deny existence of PRISM (by Javed Anwer and Ishan Srivastava, Times of India, June 8, 2013). Sunil Abraham and Pranesh Prakash are quoted.
Indian Government Quietly Brings In Its 'Central Monitoring System': Total Surveillance Of All Telecommunications (Tech Dirt, June 8, 2013). Pranesh Prakash is quoted.
Facebook, Google deny spying access (by Javed Anwer, Times of India, June 9, 2013). Pranesh Prakash is quoted.
Govt mulls advisory on privacy issues related to Google, Facebook (by Thomas K Thomas, Hindu Business Line, June 10, 2013). Sunil Abraham is quoted.
Cyber experts suggest using open source software to protect privacy (by Kim Arora, Times of India, June 22, 2013). Sunil Abraham is quoted.
Govt goes after porn, makes ISPs ban sites (by Javed Anwer, Times of India, June 26, 2013). Sunil Abraham is quoted.
Indian govt blocks 40 smut sites, forgets to give reason (by Phil Muncaster, The Register, June 27, 2013). Sunil Abraham is quoted.
Concerns over central snoop (by Aloke Tikku, Hindustan Times, June 28, 2013). Sunil Abraham is quoted.
Internet users enraged over US online spying (by Maitreyee Boruah, Times of India, June 29, 2013). Sunil Abraham is quoted.
Issue of duplication of identities of users under control: Nilekani (by Anirban Sen, Livemint, June 29, 2013). Sunil Abraham is quoted.
In India, Prism-like Surveillance Slips Under the Radar (by Anjan Trivedi, Time World, June 30, 2013). Sunil Abraham is quoted.

Knowledge Repository on Internet Access

CIS in partnership with the Ford Foundation is executing a project on Internet Access. It covers the history of the internet, technologies involved, principle and values of internet access, broadband market and universal access. It will also touch upon various policies and regulations which has an impact on internet access and bodies and mechanism which are responsible for formulation of policies related to internet access. The blog posts and modules are being published in the Internet Institute website:

Event Organised

Institute on Internet and Society (supported by Ford Foundation, Golden Palms Resort, Bangalore, June 8 – 14, 2013). Pranesh Prakash, Bernadette Längle, Vir Kamal Chopra, AK Bhargava, Ananth Guruswamy, Archana Gulati, Chakshu Roy, Elonnai Hickok, Gaurab Raj Upadhaya, Helani Galpaya, Michael Ginguld, Dr. Nadeem Akhtar, C. Nandini, Dr. Nirmita Narasimhan, Dr. Nishant Shah, Parminder Jeet Singh, Ravikiran Annaswamy, Dr. Ravina Aggarwal, Satyen Gupta, Dr. Subbiah Arunachalam, Sunil Abraham, Tulika Pandey and T. Vishnu Vardhan were speakers at the event. The presentations can be accessed here.

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Newspaper Column

Law & Order through Traffic Systems (by Shyam Ponappa, Business Standard, June 5, 2013 and cross-posted in Organizing India Blogspot).

Digital Natives

Digital Natives with a Cause? examines the changing landscape of social change and political participation in light of the role that young people play through digital and Internet technologies, in emerging information societies. Consolidating knowledge from Asia, Africa and Latin America, it builds a global network of knowledge partners who critically engage with discourse on youth, technology and social change, and look at alternative practices and ideas in the Global South:

White Paper

Whose Change is it Anyway? (by Nishant Shah, Hivos, June 18, 2013).

Digital Humanities

We are building research clusters in the field of Digital Humanities. The Digital will be used as a way of unpacking the debates in humanities and social sciences and look at the new frameworks, concepts and ideas that emerge in our engagement with the digital. The clusters aim to produce and document new conversations and debates that shape the contours of Digital Humanities in Asia.

Blog Entries

Mapping the Field of Digital Humanities (by Sara Morais, June 11, 2013).
A Suggested Set of Values for the Digital Humanities (by Sara Morais, June 12, 2013).
Archive Practice and Digital Humanities (by Sara Morais, June 24, 2013).

About CIS

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.

Follow us elsewhere

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

Support Us
Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration

We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation and the Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/june-2013-bulletin

In India, Prism-like Surveillance Slips Under the Radar

praskrishna — 2013-07-03T09:31:18Z

Prism, the contentious U.S. data-collection surveillance program, has captured the world’s attention ever since whistle-blower Edward Snowden leaked details of global spying to the Guardian and Washington Post.

The article by Anjan Trivedi was published in Time World on June 30, 2013. Sunil Abraham is quoted.

However, it turns out India, the world’s largest democracy, is building its own version to monitor internal communications in the name of national security. Yet India’s Central Monitoring System, or CMS, was not shrouded in secrecy — New Delhi announced its intentions to watch over its citizens, however mutedly, in 2011, and rollout is slated for August. And while reports that the American system collected 6.3 billion intelligence reports in India led to a lawsuit at the nation’s Supreme Court, comparable indignation has been conspicuously lacking with the domestic equivalent.

CMS is an ambitious surveillance system that monitors text messages, social-media engagement and phone calls on landlines and cell phones, among other communications. That means 900 million landline and cell-phone users and 125 million Internet users. The project, which is being implemented by the government’s Centre for Development of Telematics (C-DOT), is meant to help national law-enforcement agencies save time and avoid manual intervention, according to the Department of Telecommunications’ annual report. This has been in the works since 2008, when C-DOT started working on a proof-of-concept, according to an older report. The government set aside approximately $150 million for the system as part of its 12th five-year plan, although the Cabinet ultimately approved a higher amount.

Within the internal-security ministry though, the surveillance system remains a relatively “hush-hush” topic, a project official unauthorized to speak to the press tells TIME. In April 2011, the Police Modernisation Division of the Home Affairs Ministry put out a 90-page tender to solicit bidders for communication-interception systems in every state and union territory of India. The system requirements included “live listening, recording, storage, playback, analysis, postprocessing” and voice recognition.

Civil-liberties groups concede that states often need to undertake targeted-monitoring operations. However, the move toward extensive “surveillance capabilities enabled by digital communications,” suggests that governments are now “casting the net wide, enabling intrusions into private lives,” according to Meenakshi Ganguly, South Asia director for Human Rights Watch. This extensive communications surveillance through the likes of Prism and CMS are “out of the realm of judicial authorization and allow unregulated, secret surveillance, eliminating any transparency or accountability on the part of the state,” a recent U.N. report stated.

India is no stranger to censorship and monitoring — tweets, blogs, books or songs are frequently blocked and banned. India ranked second only to the U.S. on Google’s list of user-data requests with 4,750 queries, up 52% from two years back, and removal requests from the government increased by 90% over the previous reporting period. While these were largely made through police or court orders, the new system will not require such a legal process. In recent times, India’s democratically elected government has barred access to certain websites and Twitter handles, restricted the number of outgoing text messages to five per person per day and arrested citizens for liking Facebook posts and tweeting. Historically too, censorship has been India’s preferred means of policing social unrest. “Freedom of expression, while broadly available in theory,” Ganguly tells TIME, “is endangered by abuse of various India laws.”

There is a growing discrepancy and power imbalance between citizens and the state, says Anja Kovacs of the Internet Democracy Project. And, in an environment like India where “no checks and balances [are] in place,” that is troubling. The potential for misuse and misunderstanding, Kovacs believes, is increasing enormously. Currently, India’s laws relevant to interception “disempower citizens by relying heavily on the executive to safeguard individuals’ constitutional rights,” a recent editorial noted. The power imbalance is often noticeable at public protests, as in the case of the New Delhi gang-rape incident in December, when the government shut down public transport near protest grounds and unlawfully detained demonstrators.

With an already sizeable and growing population of Internet users, the government’s worries too are on the rise. Netizens in India are set to triple to 330 million by 2016, according to a recent report. “As [governments] around the world grapple with the power of social media that can enable spontaneous street protests, there appears to be increasing surveillance,” Ganguly explains.

India’s junior minister for telecommunications attempted to explain the benefits of this system during a recent Google+ Hangout session. He acknowledged that CMS is something that “most people may not be aware of” because it’s “slightly technical.” A participant noted that the idea of such an intrusive system was worrying and he did not feel safe. The minister, though, insisted that it would “safeguard your privacy” and national security. Given the high-tech nature of CMS, he noted that telecom companies would no longer be part of the government’s surveillance process. India currently does not have formal privacy legislation to prohibit arbitrary monitoring. The new system comes under the jurisdiction of the Indian Telegraph Act of 1885, which allows for monitoring communication in the “interest of public safety.”

The surveillance system is not only an “abuse of privacy rights and security-agency overreach,” critics say, but also counterproductive in terms of security. In the process of collecting data to monitor criminal activity, the data itself may become a target for terrorists and criminals — a “honeypot,” according to Sunil Abraham, executive director of India’s Centre for Internet and Society. Additionally, the wide-ranging tapping undermines financial markets, Abraham says, by compromising confidentiality, trade secrets and intellectual property. What’s more, vulnerabilities will have to be built into the existing cyberinfrastructure to make way for such a system. Whether the nation’s patchy infrastructure will be able to handle a complex web of surveillance and networks, no one can say. That, Abraham contends, is what attackers will target.

National security has widely been cited as the reason for this system, but no one can say whether it will actually help avert terrorist activity. India’s own 9/11 is a case in point: the Indian government was handed intelligence by foreign agencies about the possibility of the 2008 Mumbai terrorist attacks, but did not act. This is a “clear indication that having access to massive amounts of data is not necessarily going to make people safer,” Kovacs tells TIME. However, officers familiar with the new system say it will not increase surveillance or enhance intrusion beyond current levels; it will only strengthen the policy framework of privacy and increase operational efficiency. Spokespersons and officials in the internal-security and telecom departments did not respond to requests or declined to comment.

The government has been cagey about details on implementation and extent. This ability to act however the authorities deems fit “just makes it really easy to slide into authoritarianism, and that is not acceptable for any democratic country,” Kovacs says. Indeed, India has seen that before — almost four decades ago, Indira Gandhi declared a state of emergency for 19 months, which suspended all civil liberties. Indians complaining about Prism may want to look a little closer to home.

For more details visit https://cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar