Many senior officials are happy to anonymously brief reporters about the state of surveillance, but there is very little that is officially made public, and still less is debated in the national press and in Parliament… No intelligence agency in India has been created under an act of Parliament with clearly established roles and limitations on powers, and hence there is no public accountability whatsoever… With the Centralized Monitoring System (C.M.S.), the Government will getcentralised access to all communications metadata and content traversing through all telecom networks in India. This means that the Government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted… the Government has surreptitiously granted itself powers — powers that Parliament hasn’t authorised it to exercise…
When the Indian Government announced it would start a Centralized Monitoring System in 2009 to monitor telecommunications in the country, the public seemed unconcerned. When the Government announced that the system, also known as C.M.S., commenced in April, the news didn’t receive much attention. After a colleague at the Centre for Internet and Society wrote about the program and it was lambasted by Human Rights Watch, more reporters started covering it as a privacy issue. But it was ultimately the revelations by Edward J. Snowden about American surveillance that prompted Indians to ask questions about its own Government’s surveillance programs.
In India, we have a strange mix of great amounts of transparency and very little accountability when it comes to surveillance and intelligence agencies. Many senior officials are happy to anonymously brief reporters about the state of surveillance, but there is very little that is officially made public, and still less is debated in the national press and in Parliament. This lack of accountability is seen both in the way the Big-Brother acronyms (C.M.S., Natgrid, T.C.I.S., C.C.T.N.S., etc.) have been rolled out, as well as the murky status of the intelligence agencies. No intelligence agency in India has been created under an act of Parliament withclearly established roles and limitations on powers, and hence there is no public accountability whatsoever.
The absence of accountability has meant that the Government has since 2006 been working on the C.M.S., which will integrate with the Telephone CallInterception System that is also being rolled out. The cost: around 8 billion rupees ($132 million) — more than four times the initial estimate of 1.7 billion and even more important, our privacy and personal liberty. Under their licensing terms, all Internet service providers and telecom providers are required to provide the Government direct access to all communications passing through them. However, this currently happens in a decentralised fashion, and the Government in most cases has to ask the telecoms for metadata, like call detail records, visited Web sites, IP address assignments, or to carry out the interception and provide the recordings to the Government. Apart from this, the Government uses equipment to gain access to vast quantities of raw data traversing the Internet across multiple cities, including the data going through the undersea cables that land in Mumbai.
With the C.M.S., the Government will get centralised access to all communications metadata and content traversing through all telecom networks in India. This means that the Government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted. You might ask: Why is this a problem when the Government already had the same access, albeit in a decentralised fashion? To answer that question, one has to first examine the law. There are no laws that allow for mass surveillance in India. The two laws covering interception are the Indian Telegraph Act of 1885 and the Information Technology Act of 2000, as amended in 2008, and they restrict lawful interception to time-limited and targeted interception.The targeted interception both these laws allow ordinarily requires case-by-case authorisation by either the home secretary or the secretary of the department of information technology.
Interestingly, the colonial Government framed better privacy safeguards into communications interception than did the post-independence democratic Indian state. The Telegraph Act mandates that interception of communications can only be done on account of a public emergency or for public safety. If either of those two preconditions is satisfied, then the Government may cite any of the following five reasons: “the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of an offense.” In 2008, the Information Technology Act copied much of the interception provision of the Telegraph Act but removed the preconditions of public emergency or public safety, and expands the power of the Government to order interception for “investigation of any offense.” The IT Act thus very substantially lowers the bar for wiretapping. Apart from these two provisions, which apply to interception, there are many laws that cover recorded metadata, all of which have far lower standards. Under the Code of Criminal Procedure, no court order is required unless the entity is seen to be a “postal or telegraph authority” — and generally e-mail providers and social networking sites are not seen as such. Unauthorised access to communications data is not punishable per se, which is why a private detective who gained access to the cellphone records of Arun Jaitley, a Bharatiya Janata Party leader, has been charged under the weak provision on fraud, rather than invasion of privacy. While there is a provision in the Telegraph Act to punish unlawful interception, it carries a far lesser penalty (up to three years of imprisonment) than for a citizen’s failure to assist an agency that wishes to intercept or monitor or decrypt (up to seven years of imprisonment).
To put the ridiculousness of the penalty in Sections 69 and 69B of the IT Act provision in perspective, an Intelligence Bureau officer who spills national secretsmay be imprisoned up to three years. And under the Indian Penal Code, failing to provide a document one is legally bound to provide to a public servant, the punishment can be up to one month’s imprisonment. Further, a citizen who refuses to assist an authority in decryption, as one is required to under Section 69, may simply be exercising her constitutional right against self-incrimination. For these reasons and more, these provisions of the IT Act are arguably unconstitutional.
As bad as the IT Act is, legally the Government has done far worse. In the licenses that the Department of Telecommunications grants Internet service providers, cellular providers and telecoms, there are provisions that require them to provide direct access to all communications data and content even without a warrant, which is not permitted by the existing laws on interception. The licenses also force cellular providers to have ‘bulk encryption’ of less than 40 bits. (Since G.S.M. network encryption systems like A5/1, A5/2, and A5/3 have a fixed encryption bit length of 64 bits, providers in India have been known use A5/0, that is, no encryption, thus meaning any person — not just the Government — can use off-the-air interception techniques to listen to your calls.)
Cybercafes (but not public phone operators) are required to maintain detailed records of clients’ identity proofs, photographs and the Web sites they have visited, for a minimum period of one year. Under the rules designed as India’s data protection law (oh, the irony!), sensitive personal data has to be shared with Government agencies, if required for “purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offenses.” Along similar lines, in the rules meant to say when an Internet intermediary may be held liable for a user’s actions, there is a provision requiring the Internet company to “provide information or any such assistance to Government agencies legally authorised for investigative, protective, cybersecurity activity.” (Incoherent, vague and grammatically incorrect sentences are a consistent feature of laws drafted by the Ministry of Communications and IT; one of the telecom licenses states: “The licensee should make arrangement for monitoring simultaneous calls by Government security agencies,” when clearly they meant “for simultaneous monitoring of calls.”)
In a landmark 1996 judgment, the Indian Supreme Court held that telephone tapping is a serious invasion of an individual’s privacy and that the citizens’ right to privacy has to be protected from abuse by the authorities. Given this, undoubtedly Governments must have explicit permission from their legislatures to engage in any kind of broadening of electronic surveillance powers. Yet, without introducing any new laws, the Government has surreptitiously granted itself powers — powers that Parliament hasn’t authorised it to exercise — by sneaking such powers into provisions in contracts and in subordinate legislation.
Pranesh Prakash is Policy Director, The Centre for Internet and Society, Bangalore.
– NYT: How Surveillance Works in India
Early Election Signals?
Six spacious bungalows in central Delhi have been rented recently by Congress poll managers. A party general secretary visited these bungalows to hold candidate selections and stock pamphlets and such other material, as well as to strategise for the 2014 polls. A little early for all this? Does this mean the elections are being advanced?
Although the official line maintained by party spokespersons is that the Lok Sabha poll will be held as scheduled, the discussion about the forthcoming polls has gained momentum after virtually all the recent election surveys have yielded discouraging statistics vis-a-vis the ruling Congress-led United Progressive Alliance Government. Internal surveys have also not been particularly encouraging for the Congress and the UPA.
Consequently, many in the Congress are increasingly feeling that it would be advisable to hold the Lok Sabha and Assembly polls simultaneously. They argue that the coming period may see a further downslide in the party’s popularity ratings. With inflation, corruption charges, a weakening rupee and a major industrial slump threatening the party’s electoral prospects, the number of ‘yes’ answers for a November/December general election is growing amongst Congress leaders. It is also being pointed out that preponing the election will take the opposition camp, mainly the Bharatiya Janata Party by surprise and give them less time to prepare for the polls.
Those who are against early elections argue that that the UPA needs time for its new flagship programmes like the Food Security Bill and the Direct Benefits Transfer scheme to make an impact on voters. Besides, a good monsoon promises a bumper kharif crop and excellent rabi sowing. All these factors, they say, will work in favour of the Congress if the elections are held as scheduled in 2014.
Although no decision has yet been taken, the Government and the party are keeping their options open for an early poll. It was for this reason that the UPA Government took the ordinance route for the Food Security Bill and is pushing other reforms. The Congress is also trying to neutralise contentious issues on political front. After a long period of dilly dallying, the party eventually decided to accept the demand for the formation of Telangana as it could not afford to pay the political cost of ignoring it. Despite its assertions to the contrary, it is common knowledge that the Congress was compelled to this decision largely for political reasons.