Tag Archives | prism

Guestpost: Do we care about privacy?

India’s privacy policy cannot be formulated only in the privacy of the corridors of power.

Ranjeet Rane, Research Assistant with Takshashila Institution’s Cyber Security Team, argues for an urgent debate between the government and citizens on privacy rights and limitations in India, given the recently implemented Centralized Monitoring System.

While Mr. Edward Joseph Snowden gets to spend a year in Russia thanks to political asylum granted to him by the Russian president, the world is still recovering from the aftermath of the diplomatic quagmire his revelations of the U.S. Mass Surveillance Project brought in its wake.  To some, Mr. Snowden is a hero who exposed the machinations of Big Brother.  Regardless, the irony in Mr. Snowden’s choice of Russia as the staging ground for his apparent war against clandestine surveillance should not be lost on us.

If one looks beyond the news articles on clandestine surveillance, it would be fair to say that the Snowden incident has now made it necessary to initiate a debate on balancing the concerns of privacy and security in India. Indeed, the need for such a debate is even more pressing given that the recent announcement by the Government of India to implement a Centralized Monitoring System (CMS) for the “lawful interception and monitoring” of electronic communication channels in the country comes at a time when the contours of a privacy law are ill-defined in the country.

The Takshashila Institution’s discussion paper on the CMS highlights important concerns about the nature of privacy in the country. These concerns have found voice in recent news reports as well.

In the absence of laws that provide for the safeguarding of privacy and regulating data retention, ordinary citizens lack clarity on how their personal information is collected, stored, used and shared. Such practices are contradictory to the various interpretations of Article 19 & Article 21 of the Indian Constitution by the Supreme Court that indirectly uphold the Right to Privacy.

At present, lawful interception is vaguely defined within various Sections of the colonial-era Telegraph Act 1885. Among the more recent laws, Sections 69 & 69B of the Information Technology Act 2008 further expand the mandate for lawful interception, which may be exercised “when [the authorized officers] are satisfied that it is necessary or expedient” to do so in the interest of:

  1. The sovereignty or integrity of India;

  2. defense of India;

  3. security of the State;

  4. friendly relations with foreign States;

  5. public order;

  6. preventing incitement to the commission of any cognizable offence relating to above; or

  7. for investigation of any offence.

The directions under Section 69 can be issued by officers both at the central and state level; directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology. The analogous wording in the section coupled with the lack of exact definitions makes the nature of the powers of the Intercepting Officers synonymous with “discretionary.”

As for Data Retention, Section 67C of the Information Technology Act requires ‘intermediaries’ to maintain and preserve information. The nature of this information and the duration for the same was to be specified in a separate set of Rules to be issued by the Central Government. Apart from the Cyber Café Rules 2011 no such rules have been framed. These Rules have led to a vast database of photocopies of “ID proof” documents being collected by cyber cafes across the country. Incidents of such documents being used for acquiring mobile SIM cards have also been highlighted by news reports.

It is clear from the examples above that there is a complete lack of accountability and responsibility when it comes to the government controlling private data of the citizens. If the Government of India plans to implement the CMS or is already using Lawful Intercept and Monitoring (LIM) systems, then there is an urgent need for public discourse on this issue.

While current controls and accountability around lawful interception of personal data are not assuring, the ‘voluntary’ collection of citizen data through UID programs requires further security provisions and clarity on how such data will be stored, which agencies will have access to it and with whom it will be shared. While a one-size-fits-all rule cannot be applied for data collected through interception systems or data voluntarily provided by citizens to avail various government benefits, it doesn’t take away the need to address the issues of privacy associated with both the categories.

Indeed, concerns of privacy cannot be wished away merely by citing vague threats to national security. National security can, of course, trump concerns of privacy in extraordinary circumstances, but these ought to be the exception rather than the rule. The status quo will only add to the rapidly escalating trust-deficit between the Government and its citizens. While the draft of the Right to Privacy Bill has been making the rounds for quite some time, it hasn’t yet been opened for public consultation.

Policies on privacy cannot be formulated only in the privacy of the corridors of power.  Ultimately, it is imperative that the Government involve and consider the views of a much wider spectrum of stakeholders while formulating legislation on the basic rights of 1.2 billion people to own, control and share information about themselves.

 


Big Brother India?

Why the Central Monitoring System (CMS) is not India’s PRISM.

Read almost any article on India’s soon to be implemented Central Monitoring System (CMS), and you’ll see references and attempts to draw parallels between the CMS and the (until recently) secret U.S. surveillance and data-collection program, PRISM.  Some articles have drawn comparisons between the two programs in an attempt to amplify threat perceptions, while other equations, curiously, seem to have been drawn with a sense of national pride.

Except the CMS is not India’s PRISM.  The only similarity between the two programs appears to be the objective — an apparent attempt to implement a program for the legal interception of data.  But that’s where all comparisons should end.  Both programs differ on general approach, operate under very different legal environments, and are dissimilar in terms of checks-and-balances and technical capabilities.

Interestingly, while the Indian government publicly announced its intention to establish a program for the legal interception of citizens’ data, it did not put into place any of the checks-and-balances needed (that we know of, anyway) for such an intrusive program.  Electronic data under the CMS, for example, can be legally intercepted by dozens of government agencies without the knowledge or cooperation of telecommunications and Internet service providers.  Indian citizens know little else about the program, apart from the fact that it apparently exists.

On the other hand, although the establishment of PRISM was a much more clandestine affair, the U.S. put into place mechanisms to regulate surveillance and circumscribed Executive authority.  Surveillance without the acquiescence of service providers was made difficult.  Only the U.S. Attorney General and the Director of National Intelligence could authorize surveillance through a formal order obtained through a Foreign Intelligence Surveillance Act (FISA) court; service providers were provided the ability to challenge the order to grant access to surveillance in a FISA court.

The legal environment matters too. Strong privacy and data retention regulations in the U.S. have allowed groups to sue U.S. government agencies involved in PRISM on the grounds that it violated the rights of citizens to “reasonable expectations of privacy.” Similar laws do not exist in India and it is unclear as to what recourse an Indian citizen would have vs. the Government of India should his or her privacy be unreasonably breached (or personal data disclosed) through electronic surveillance.

But perhaps most importantly, the differences are stark with regard to technical capabilities.  For all intents and purposes, the Internet as we know it today is a culmination of research conducted by the U.S.’s armed forces and educational institutions.  Mechanisms to secure data, in storage and in transit, were also developed by institutions in the U.S.  The AES encryption algorithm (in its various avatars) for instance, is now widely used to encrypt data worldwide.

The AES itself owes its mass acceptance to a detailed assessment and approval by a body of the U.S. government.  Which one? Oh, a tiny little agency known as the NSA.  Indeed, the same NSA in charge of PRISM.  How many countries and agencies would you suppose understand the intricacies and vulnerabilities of the AES algorithm better than the NSA?

India, on the other hand, benefits from no such advantages.  Its public and private institutions are not net-contributors to mass acceptance Internet and telecommunications technologies.  Most services consumed by Internet users in India (e.g., Google, Gmail, Facebook) are not physically based in India and employ encryption technologies that the Indian government cannot breach (at least, not without the active assistance of foreign governments).   Thus, even with the CMS, the Indian government will be at the mercy of foreign service providers to gain access to data published on popular and secure Internet platforms.

The Indian government could, of course, intercept land-based and mobile communication. Indeed, the recent announcement by Research in Motion (the makers of BlackBerry mobile devices) means that the Indian government will have the ability to intercept voice and data communicated through all non-Corporate BlackBerry devices in India. These capabilities will, no doubt, be rolled into the CMS. But the use of open-source mobile operating systems coupled with encryption technology could still frustrate attempts to intercept mobile communication.

Effectively, this means that the Indian government is attempting to build a program whose extensive Executive mandate does not match its limited and imbalanced technical capabilities.  Such a system will, I fear, be inept or worse, vulnerable to misuse.

Ultimately, the Indian government must engage its citizens in a dialog on the need for a system for legal surveillance, and build trust among its citizens.  Ordinary, law-abiding citizens are not the only mass consumers of Internet and telecommunications technologies; terrorists and enemies of the state are too.  You could make a fairly solid argument, particularly given the challenges India continues to face with regard to national security, in favor of a system for legal surveillance.  Unfortunately, the Indian government has chosen silence instead of dialog.  This is no way to assuage the anxieties of citizens in a liberal democracy such as ours.

Read the Takshashila Institution’s discussion document on the Central Monitoring System where we argue that:

[S]uch an inherently pervasive and intrusive program cannot be deployed in a liberal democracy without an adequate level of trust between the government and its citizens and an appropriate framework of checks-and-balances to ensure that entrusted agencies do not overstep their jurisdiction.

Thus, it is imperative that the Indian government take its citizens into confidence on the necessity for such a program, evolve an appropriate framework of laws, including those pertaining to privacy and data retention, and establish a system of checks-and-balances to ensure against systemic overreach prior to the implementation of the CMS. [Takshashila Institution]

 
