Archive | Cyber Security

Namaste, India

Implications to India of Britain’s alleged telecommunications spy base.

The Register reports on Britain’s covert cyber surveillance program in the Middle East. The report is unconfirmed and there’s really no way to verify the veracity of any of the Register’s claims, but it does make for interesting reading. The report claims that Britain’s submarine Internet cable surveillance program is based out of Muscat, Oman (at Seeb station). It further claims that “probes” are installed on optical cable networks belonging to two British telecommunications heavyweights — BT and Vodafone, thus allowing snooped data to be accessed by cyber-surveillance personnel in the UK.

According to documents revealed by Edward Snowden to journalists including Glenn Greenwald among others, the intelligence agency annually pays selected companies tens of millions of pounds to run secret teams which install hidden connections which copy customers’ data and messages to the spooks’ processing centres. The GCHQ-contracted companies also install optical fibre taps or “probes” into equipment belonging to other companies without their knowledge or consent. Within GCHQ, each company has a special section called a “Sensitive Relationship Team” or SRT. [The Register]

This is particularly interesting because two of the four eastbound submarine cables from Seeb station in Muscat (GIBS and FLAG FALCON) provide backbone connectivity to western India via Mumbai (wild guess, probably at Prabhadevi). This map will better illustrate the route of the eastern half of Seeb station’s connectivity. The report alleges that BT and Vodafone are two top earners of secret payments from Britain’s SIGINT organization, GCHQ. Lest we forget, India represents Vodafone’s largest customer base and the company’s second-largest country in terms of data traffic.

This begs the question: if any of this is true, just how badly compromised is India’s Internet and telecommunications data if the integrity of two of its ingress and egress points is in question?  The Luddites among us, I’m sure, look on with barely-concealed glee.

 


Guestpost: Privacy laws and legal interception in India

India needs to evolve comprehensive privacy laws that protect individual rights before implementing a framework for legal interception, argues Ranjeet Rane, who works with the Public Affairs team at Edelman India and is a Research Assistant at Takshashila Institution.

In my previous post, I had stressed the need for an urgent debate between the government and citizens on privacy rights and limitations in India, given the recently implemented Centralized Monitoring System (CMS). A counter-argument being presented is that the CMS will be a better option for the Indian citizen as it provides a legal framework for lawful interception, against the current practice of content monitoring and filtering through unregulated, ad-hoc processes involving intermediaries such as telecom companies and ISPs.

The CMS is intended to ensure that each interception request is tracked and the recorded content duly destroyed within six months as required under law.   In this post, however, I will try to present a case against the implementation of the CMS by looking at the existing provisions in the Information Technology Act 2000 (and subsequent amendments) that make an effort to address issues of privacy.

Section 72 of the Information Technology Act 2000 in its original form penalized the breaches of confidentiality and privacy of data. Essentially, the scope of the provision covered those empowered by the Act to gain access to any electronic record, book, register, correspondence, information document or other material seized for investigation. It was aimed at preventing accidental leaks of such information during the course of investigations.

This was later amended to include Section 72A to penalize “any person” (including an intermediary) who has obtained personal information while providing services under a lawful contract and discloses the personal information without consent of the person, with the intent to cause, or knowing it is likely to cause wrongful gain or wrongful loss.

When this clause is read together with Section 69B of the Act, it squarely puts the responsibility of securing personal data on the intermediary, which in this case could be a wide spectrum of actors from cyber cafes to telecom companies and ISPs. Indeed, if this Act is used to justify the implementation of CMS, it would need significant amendments to clearly identify those central and state agencies authorized to access such information. The recent case of National Technical Research Organization being at the forefront of snooping activities is still fresh in public memory.

The next set of amendments came into force with the addition of Section 43A, which obliges corporate bodies which possess, deal or handle any sensitive personal data to implement and maintain “reasonable security practices,” failing which they would be liable for disclosure. The Act defines “corporate bodies” as those involved in “commercial or professional activities.”

The definitions of “sensitive personal data” and “reasonable security practices” are narrow and hence prevent courts from interpreting a contextual definition. Most importantly, government agencies and non-profit organizations are entirely excluded from the ambit of this section.

The Act further lays down the Rules for:

  • Privacy Policy
  • Collection of Information
  • Transfer of Information
  • Reasonable Security Practices and Procedures

Elaborate rules to address the points above are still only in draft phase.

It is only in Section 66E (Violation of Privacy) that we find privacy concerns addressed. The euphoria doesn’t last long as this section only covers electronic voyeurism and penalizes acts of capturing, publishing and transmission of images of the “private area” of any person without their consent, “under circumstances violating the privacy” of that person.

This section falls short of acknowledging the importance of protecting personally identifiable information (name, passport number, date of birth, biometric information, etc.) and deals only with disclosure of potentially compromising photographs.

It is clear that the status of a legal framework to protect the privacy of citizens in India is inadequate. The Information Technology Act does not have any provision for penalizing government agencies for overreach. Implementing any program like the CMS in the absence of clauses on privacy, regulation and oversight over government conduct will be concerning.  Indeed,  recent media controversies point to the possibility of political misuse of new tools and resources.

The government ought to consider bringing a comprehensive Privacy Bill to the floor for debate, instead of piecemeal additions to the Information Technology Act. This Bill should ensure adequate oversight for all activities of surveillance. This oversight should be coupled with providing information in public domain about convictions happening through such monitoring.

This will not only make it mandatory for the agencies concerned to justify their actions but will also lead to more efficient results than those expected from blanket monitoring. Such a bill will seek to also limit political abuse of resources at the disposal of national security & investigation agencies.

The United Nations Declaration of Human Rights mentions under Article 12 that:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.

As a signatory and one of the founding nations behind the UN Human Rights Declaration, we haven’t set the kind of example in our commitment to individuals’ privacy expected from a liberal democracy like ours. The need of the hour is for India to develop adequate and effective privacy legislation based on a set of clearly defined principles. Privacy as an entitlement ought to be an end result of this comprehensive reform.


Guestpost: Do we care about privacy?

India’s privacy policy cannot be formulated only in the privacy of the corridors of power.

Ranjeet Rane, Research Assistant with Takshashila Institution’s Cyber Security Team, argues for an urgent debate between the government and citizens on privacy rights and limitations in India, given the recently implemented Centralized Monitoring System.

While Mr. Edward Joseph Snowden gets to spend a year in Russia thanks to political asylum granted to him by the Russian president, the world is still recovering from the aftermath of the diplomatic quagmire his revelations of the U.S. Mass Surveillance Project brought in its wake.  To some, Mr. Snowden is a hero who exposed the machinations of Big Brother.  Regardless, the irony in Mr. Snowden’s choice of Russia as the staging ground for his apparent war against clandestine surveillance should not be lost on us.

If one looks beyond the news articles on clandestine surveillance, it would be fair to say that the Snowden incident has now made it necessary to initiate a debate on balancing the concerns of privacy and security in India. Indeed, the need for such a debate is even more pressing given that the recent announcement by the Government of India to implement a Centralized Monitoring System (CMS) for the “lawful interception and monitoring” of electronic communication channels in the country comes at a time when the contours of a privacy law are ill-defined in the country.

The Takshashila Institution’s discussion paper on the CMS highlights important concerns about the nature of privacy in the country. These concerns have found voice in recent news reports as well.

In the absence of laws that provide for the safeguarding of privacy and regulating data retention, ordinary citizens lack clarity on how their personal information is collected, stored, used and shared. Such practices are contradictory to the various interpretations of Article 19 & Article 21 of the Indian Constitution by the Supreme Court that indirectly uphold the Right to Privacy.

At present, lawful interception is vaguely defined within various Sections of the colonial-era Telegraph Act 1885. Among the more recent laws, Sections 69 & 69B of the Information Technology Act 2008 further expand the mandate for lawful interception, which may be exercised “when [the authorized officers] are satisfied that it is necessary or expedient” to do so in the interest of:

  1. The sovereignty or integrity of India;

  2. defense of India;

  3. security of the State;

  4. friendly relations with foreign States;

  5. public order;

  6. preventing incitement to the commission of any cognizable offence relating to above; or

  7. for investigation of any offence.

While directions under Section 69 can be issued by officers at both the central and state level, directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology. The analogous wording in the section coupled with the lack of exact definitions makes the nature of the powers of the Intercepting Officers synonymous with “discretionary.”

As for Data Retention, Section 67C of the Information Technology Act requires ‘intermediaries’ to maintain and preserve information. The nature of this information and the duration for the same was to be specified in a separate set of Rules to be issued by the Central Government. Apart from the Cyber Café Rules 2011 no such rules have been framed. These Rules have led to a vast database of photo-copies of “ID proof” documents getting collected with cyber cafes across the country. Incidents of such documents being used for acquiring mobile SIM cards have also been highlighted by news reports.

It is clear from the examples above that there is a complete lack of accountability and responsibility when it comes to the government controlling private data of the citizens. If the Government of India plans to implement the CMS or is already using Lawful Intercept and Monitoring (LIM) systems, then there is an urgent need for public discourse on this issue.

While current controls and accountability around lawful interception of personal data are not assuring, the ‘voluntary’ collection of citizen data through UID programs requires further security provisions and clarity on how such data collected will be stored, which agencies will have access to it and with whom it will be shared. While a one-size-fits-all rule cannot be applied for data collected through interception systems or data voluntarily provided by citizens to avail various government benefits, it doesn’t take away the need to address the issues of privacy associated with both the categories.

Indeed, concerns of privacy cannot be wished away merely by citing vague threats to national security. National security can, of course, trump concerns of privacy in extraordinary circumstances, but these ought to be the exception rather than the rule. The status quo will only add to the rapidly escalating trust-deficit between the Government and its citizens. While the draft of the Right to Privacy Bill has been making the rounds for quite some time, it hasn’t yet been opened for public consultation.

Policies on privacy cannot be formulated only in the privacy of the corridors of power.  Ultimately, it is imperative that the Government involve and consider the views of a much wider spectrum of stakeholders while formulating legislation on the basic rights of 1.2 billion people to own, control and share information about themselves.

 


Calling all stations

Why are Indian “techies” conspicuously absent from India’s debates on cyber-security?

In an attempt to regulate conduct and provide security over electronic media, the Indian government enacted the Information Technology (IT) Act (2000) and implemented the Central Monitoring System (CMS).  The IT Act, which contains clauses such as Section 66A, which challenges the spirit of the Constitution of the country, was passed in Parliament with no debate.

Similarly, the CMS, whose mandate encompassed the lawful interception of telecommunications and Internet traffic, was implemented at an initial cost of well over $120 million.  We are now given to understand that due to technological limitations, the scope of the CMS, at least in the interim, will be restricted to the interception of telecommunication and unencrypted Internet traffic.  OK, except freely-available open-source security tools and a pool of cyber-security professionals could deliver results sought by the restricted mandate of the CMS at a negligible cost.

The question that emerges is this: did the government of India (and those that advise it) know of the inherent technological limitations that inhibit full-spectrum interception of electronic data?  If they didn’t, we should be astounded by the level of incompetence.  If they did, India’s citizens should be challenging wasteful expenditure towards a program whose mandate no one appears to be able to deliver upon. Curiously, much of the public debate on cyber-security in India seems to be led mostly by legal experts or by open society advocates.  But where are India’s technophiles?  Why is there almost no articulation of the technological challenges such a program presents to those that govern us?

We are told that India is a global software leader and that IT and IT-enabled service sectors provide employment to millions of citizens. Indians are taking to the Internet at a faster rate than any other major economy in the world; India’s mobile penetration rate is off the charts at 70 per cent (870 million subscribers).

Heck, the IT revolution in India has also led us to coin and mass-accept the term “techie,” used by almost no one else in the world in that context (a “techie” in the U.S., for example, is a technician involved in setting up sound and lighting for film/TV production sets). An army of Indian technophiles dominates social media and multi-media sharing websites such as YouTube. Yet, these technophiles have been silent in an already-muted debate on the governance of cyberspace in India.

This is not to say that legal experts and open society champions have no role to play in the discourse. Indeed, legal experts and open-society advocates provide perspective and expertise that others in India may not have. Their participation in the debate, therefore, is not only beneficial but essential. At the same time though, we are missing critical perspectives from technology experts if legal and open-society advocates continue to dominate the discourse as they do now in India. The narrative of the discourse today is skewed in favor of debates over privacy and the spirit of the Constitution and doesn’t feature, in any meaningful way, critiques of the government of India’s approach from a technological standpoint.

It should be a matter of concern that India’s broad and vibrant base of technology professionals is mostly absent from debates on how India governs technology.  What do we put this down to — a lack of awareness?  Or disinterest?  More importantly, what can we do to entice them into participating and enriching the discourse?
