Why the Central Monitoring System (CMS) is not India’s PRISM.
Read almost any article on India’s soon to be implemented Central Monitoring System (CMS), and you’ll see references and attempts to draw parallels between the CMS and the (until recently) secret U.S. surveillance and data-collection program, PRISM. Some articles have drawn comparisons between the two programs in an attempt to amplify threat perceptions, while other equations, curiously, seem to have been drawn with a sense of national pride.
Except the CMS is not India’s PRISM. The only similarity between the two programs appears to be the objective — an apparent attempt to implement a program for the legal interception of data. But that’s where all comparisons should end. Both programs differ on general approach, operate under very different legal environments, and are dissimilar in terms of checks-and-balances and technical capabilities.
Interestingly, while the Indian government publicly announced its intention to establish a program for the legal interception of citizens’ data, it did not put into place any of the checks-and-balances needed (that we know of, anyway) for such an intrusive program. Electronic data under the CMS, for example, can be legally intercepted by dozens of government agencies without the knowledge or cooperation of telecommunications and Internet service providers. Indian citizens know little else about the program, apart from the fact that it apparently exists.
On the other hand, although the establishment of PRISM was a much more clandestine affair, the U.S. put into place mechanisms to regulate surveillance and circumscribed Executive authority. Surveillance without the acquiescence of service providers was made difficult. Only the U.S. Attorney General and the Director of National Intelligence could authorize surveillance through a formal order obtained through a Foreign Intelligence Surveillance Act (FISA) court; service providers were provided the ability to challenge the order to grant access to surveillance in a FISA court.
The legal environment matters too. Strong privacy and data retention regulation in the U.S. have allowed groups to sue U.S. government agencies involved in PRISM on the grounds that it violated the rights of citizens to “reasonable expectations of privacy.” Similar laws do not exist in India and it is unclear as to what recourse an Indian citizen would have vs. the Government of India should his or her privacy be unreasonably breached (or personal data disclosed) through electronic surveillance.
But perhaps most importantly, the differences are stark with regard to technical capabilities. For all intents and purposes, the Internet as we know it today is a culmination of research conducted by the U.S.’s armed forces and educational institutions. Mechanisms to secure data, in storage and in transit, were also developed by institutions in the U.S. The AES encryption algorithm (in its various avatars) for instance, is now widely used to encrypt data worldwide.
The AES itself owes its mass acceptance to a detailed assessment and approval by a body of the U.S. government. Which one? Oh, a tiny little agency known as the NSA. Indeed, the same NSA in charge of PRISM. How many countries and agencies would you suppose understand the intricacies and vulnerabilities of the AES algorithm better than the NSA?
India, on the other hand, benefits from no such advantages. Its public and private institutions are not net-contributors to mass acceptance Internet and telecommunications technologies. Most services consumed by Internet users in India (e.g., Google, Gmail, Facebook) are not physically based in India and employ encryption technologies that the Indian government cannot breach (at least, not without the active assistance of foreign governments). Thus, even with the CMS, the Indian government will be at the mercy of foreign service providers to gain access to data published on popular and secure Internet platforms.
The Indian government could, of course, intercept land-based and mobile communication. Indeed, the recent announcement by Research in Motion (the makers of BlackBerry mobile devices) means that the Indian government will have the ability to intercept voice and data communicated through all non-Corporate BlackBerry devices in India. These capabilities, will no doubt, be rolled into the CMS. But the use of open-source mobile operating systems coupled with encryption technology could still frustrate attempts to intercept mobile communication.
Effectively, this means that the Indian government is attempting to build a program whose extensive Executive mandate does not match its limited and imbalanced technical capabilities. Such a system will, I fear, be inept or worse, vulnerable to misuse.
Ultimately, the Indian government must engage its citizens in a dialog on the need for a system for legal surveillance, and build trust among its citizens. Ordinary, law-abiding citizens are not the only mass consumers of Internet and telecommunications technologies; terrorists and enemies of the state are too. You could make a fairly solid argument, particularly given the challenges India continues to face with regard to national security, in favor of a system for legal surveillance. Unfortunately, the Indian government has chosen silence instead of dialog. This is no way to assuage the anxieties of citizens in a liberal democracy such as ours.
[S]uch an inherently pervasive and intrusive program cannot be deployed in a liberal democracy without an adequate level of trust between the government and its citizens and an appropriate framework of checks-and-balances to ensure that entrusted agencies do not overstep their jurisdiction.
Thus, it is imperative that the Indian government take its citizens into confidence on the necessity for such a program, evolve an appropriate framework of laws, including those pertaining to privacy and data retention, and establish a system of checks-and-balances to ensure against systemic overreach prior to the implementation of the CMS. [Takshashila Institution]