Centre for Internet and Society

Privacy and Surveillance in India

praskrishna — 2013-09-13T09:49:25Z

Sunil Abraham, Executive Director from the Centre for Internet and Society will give a talk on privacy and surveillance in India at this event organised by the Centre for Culture, Media and Governance, Jamia Millia Islamia on September 18, 2013. The talk will be held at Network Governance Lab, CCMG, Jamia Millia Islamia in New Delhi at 11.30 a.m.

Click to read the brochure

Abstract

The talk will cover the development of privacy policy in India over the last 3 years, particularly in relation to projects such as NATGRID, CMS and UID. Special attention will be paid to the Justice A.P. Shah committee report, the last leak of the privacy bill from the DoPT and also the citizen draft of the privacy bill developed by the Centre for Internet and Society. International experiences such as Snowden's disclosures and the development of communication surveillance principles developed by EFF and others will be compared and contrasted with the Indian context.

About the Speaker

Sunil is the executive director of the Centre for Internet and Society (CIS), Bangalore. CIS is a 4 year old policy and academic research organisation that focuses on accessibility by the disabled, intellectual property rights policy reform, openness [Free/Open Source Software, Open Standards, Open Content, Open Access and Open Educational Resources], internet governance, telecom, digital natives and digital humanities.

He is also the founder of Mahiti, a social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. Sunil continues to serve on the board of Mahiti. He is an Ashoka fellow and was elected for a Sarai FLOSS Fellowship. For three years, Sunil also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

Sunil currently serves on the advisory boards of Open Society Foundations - Information Programme, Mahiti, Samvada and International Centre for Free/Open Source Software.

For more details visit http://editors.cis-india.org/news/jamia-millia-islamia-new-delhi-september-18-2013-privacy-and-surveillance-in-india

Cyberspying: Government may ban Gmail for official communication

praskrishna — 2013-09-02T04:19:53Z

The government will soon ask all its employees to stop using Google's Gmail for official communication, a move intended to increase security of confidential government information after revelations of widespread cyberspying by the US.

This article was published in the Times of India on August 30, 2013. Sunil Abraham is quoted.

A senior official in the ministry of communications and information technology said the government plans to send a formal notification to nearly 5 lakh employees barring them from email service providers such as Gmail that have their servers in the US, and instead asking them to stick to the official email service provided by India's National Informatics Centre.

"Gmail data of Indian users resides in other countries as the servers are located outside. Currently, we are looking to address this in the government domain, where there are large amounts of critical data," said J Satyanarayana, secretary in the department of electronics and information technology.

Snowden fallout

The move comes in the wake of revelations by former US National Security Agency contractor Edward Snowden that the US government had direct access to large amounts of personal data on the internet such as emails and chat messages from companies like Google, Facebook and Apple through a programme called PRISM.

Documents leaked by Snowden showed that NSA may have accessed network infrastructure in many countries, causing concerns of potential security threats and data breaches. Even as the new policy is being formulated, there has been no mention yet of how compliance will be ensured.

Several senior government officials in India, including ministers of state for communications & IT Milind Deora and Kruparani Killi, have their Gmail IDs listed in government portals as their official email.

A Google India spokeswoman said the company has not been informed about the ban, and hence it cannot comment on speculation. "Nothing is documented so far, so for us, it is still speculation," Google said in an email response.

A senior official in the IT department admitted on condition of anonymity that employees turn to service providers such as Gmail because of the ease of use compared with official email services, as well as the bureaucratic processes that govern creation of new accounts.

"You can just go and create an account in Gmail easily, whereas for a government account, you have to go through a process because we have to ensure that he is a genuine government user."

Last week, IT Minister Kapil Sibal said the new policy would require all government officials living abroad to use NIC servers that are directly linked to a server in India while accessing government email services. Sibal said there has been no evidence of the US accessing Internet data from India.

Sunil Abraham, executive director of Bangalore-based research firm Centre for Internet and Society, said he agrees with the government's decision to ban Gmail for official communication and that any official violating this needs to be punished.

"After Snowden's revelations, we can never be sure to what extent foreign governments are intercepting government emails," he said. Abraham, however, called the government's decision a "late reaction", as the use of Gmail and other free email services by bureaucrats has increased in the past.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives. Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

For more details visit http://editors.cis-india.org/news/times-of-india-august-30-2013-cyberspying-govt-may-ban-gmail-for-official-communication

Indian government to bar politicians from using Gmail for official business

praskrishna — 2013-09-05T09:52:17Z

US-based email services seen as too risky.

This article by Neil McAllister was published in the Register on August 30, 2013. Sunil Abraham is quoted.

The government of India is reportedly planning to bar its employees from using Gmail and other foreign-based email services, amid concerns over surveillance by US spy agencies.

"Gmail data of Indian users resides in other countries as the servers are located outside," J Satyanarayana, India's secretary of electronics and information technology, told the Times of India. "Currently, we are looking to address this in the government domain, where there are large amounts of critical data."

The Indian government currently employs some 500,000 people, many of whom use Gmail for their primary email addresses. A quick glance at the contact page for the country's Department of Electronics and Information Technology reveals at least eight senior officials using Gmail, and still others with Yahoo! addresses.

Under the new directive, government employees will be asked to stick to official email addresses provided by India's National Informatics Centre (NIC). But an unnamed senior government IT official told the Times of India that many government workers choose Gmail and other foreign services because they are easier to use, and setting up accounts is much faster than working within the bureaucratic process of the NIC.

The move toward locally run email for Indian government workers comes in the wake of a string of revelations from documents leaked by Edward Snowden. Among the recent disclosures has been details of US electronic surveillance of foreign governments on US soil, where the National Security Agency even went as far as to snoop encrypted communications from United Nations headquarters in New York City.

No doubt equally concerning was a motion filed by Google in a US district court earlier this month, in which the Chocolate Factory asserted that "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties" such as Gmail.

But Sunil Abraham of the Bangalore-based think tank the Centre for Internet and Society said that foreign spying wasn't the only reason why government officials should be required to use a homegrown email.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives," Abraham told the paper. "Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

When contacted for comment, a spokeswoman for Google India said the company had not been informed of the proposed ban, adding, "Nothing is documented so far, so for us, it is still speculation." ®

For more details visit http://editors.cis-india.org/internet-governance/news/the-register-neil-mc-allister-august-30-2013-indian-govt-to-bar-politicians-from-using-gmail-for-official-business

Dear Milind Deora, Prakash Javadekar Deserved The Truth

praskrishna — 2013-09-05T10:38:05Z

Milind Deora, the Minister of State for Communications, Information Technology and Shipping, isn’t your typical politician.

This article by Rohin Dharmakumar was published in Forbesindia Magazine on August 22, 2013. Sunil Abraham is quoted.

At just 36, he’s way younger than the average cabinet minister (64) or Member of Parliament (53). He’s also richer (Rs.17.5 crore compared to Rs.5.3 crore for the average M.P.)

He’s got his own website - www.milinddeora.in - which unlike most of his peer’s websites, is fairly well-designed and constantly updated. He’s also an avid user of social networks like Twitter (@milinddeora) and Facebook.

Oh, he’s also a Blues fan and a pretty good guitarist.

In short, he’s the kind of politician or minister many Indians would like to vote for.

And vote they do, in fact. Deora’s won the Mumbai (South) parliamentary constituency two times in a row, garnering nearly twice his next opponent’s votes during the 2009 elections.

Which is why it’s surprising, and saddening, to see Deora trot out a patently false set of answers to how America’s global dragnet of Internet surveillance is affecting the privacy of Indians.

On 16th August Deora responded to a question from Rajya Sabha M.P. and BJP Spokesperson Prakash Javadekar, asking the following:

(a) whether it is a fact that India was the fifth most tracked country by the United States intelligence, particularly on the internet;
(b) if so, the details thereof;
(c) the impact of USA”s surveillance program-Prism and Boundless Information on the country; and
(d) the steps Government intends to take to protect country”s interests and the privacy of its citizens?

Javadekar’s question was sorely needed in light of the near-daily disclosures being made about the scarily omnipresent extent to which the US Government spies on global Internet users through a myriad of ways.

India, as Javadekar rightly pointed out, was indeed the fifth most monitored country under the “Boundless Informant” data mining tool that tracks the NSA’s (the US’ lead communications spy agency) global surveillance efforts. In just March 2013 alone, according to a leaked presentation on the tool, the NSA collected 6.3 billion pieces of information from India. Suffice it to say, the information would have come from Indian citizens, businesses, ministries, bureaucrats and of course, members of Parliament (most of who now use webmail and social network from the likes of Google and Facebook).

The only countries that were spied upon more than us were Iran, Pakistan, Jordan and Egypt. Some sobering company, that!

One would thus expect Deora to be seized of the urgency and concern behind Javadekar’s questions. His answer was:

(a) & (b) In June 2013, Media reports have disclosed that India is the fifth largest target of United States electronic surveillance programmes, in terms of interception of communications on fibre cables and other infrastructure. As per media reports, United States agencies used a number of methods to gather intelligence including intercepting communication on fibre cables and infrastructure, collecting information from servers of global internet and Telecom Service Providers. Such companies include Google, Facebook, Microsoft, Apple, Yahoo, AOL,Youtube, Paltalk and Skype.

Here we have a member of Parliament asks India’s Minister for Communications & IT about the extent to which Indian citizens and businesses are being spied upon by the US – ostensibly a friendly country – and all the Minister could do was cite newspaper reports?

What about your own investigations Mr.Minister? What is the opinion of your leading spy agencies like the NTRO, R&AW and IB? Are they also relying on newspaper reports?

But wait, Deora does go on to provide a few more answers:

(c) & (d) Government has expressed concerns over reported United States monitoring of internet traffic from India. Concerns with regard to violation of any Indian laws relating to privacy of information of ordinary Indian citizen as well as intrusive data capture deployed against Indian citizens or government infrastructure have been conveyed to the United States. The issue of United States Cyber surveillance activities was discussed during the Indo-US (India United States ) strategic dialogue meeting held in New Delhi on 24.06.2013.

Whew. That was reassuring. We expressed “concerns with regard to violation of any Indian laws relating to privacy of information” to the US during a “strategic dialogue meeting”.

Let me guess what the US side responded: “Sure. We’ll do that. Come back to us when you have a privacy law. Ha ha!”

As Sunil Abraham, the director for the Center for Internet & Society points out in Forbes India, India has no modern and comprehensive privacy law. And the government is working on a new one for only the last three years:

What would an ideal privacy law for India look like? For one, it would protect the rights of all persons, regardless of whether they are citizens or residents. Two, it would define privacy principles. Three, it would establish the office of an independent and autonomous privacy commissioner, who would be sufficiently empowered to investigate and take action against both government and private entities. Four, it would define civil and criminal offences, remedies and penalties. And five, it would have an overriding effect on previous legislation that does not comply with all the privacy principles.

The Justice AP Shah Committee report, released in October 2012, defined the Indian privacy principles as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. The report also lists the exemptions and limitations, so that privacy protections do not have a chilling effect on the freedom of expression and transparency enabled by the Right to Information Act.

The Department of Personnel and Training has been working on a privacy bill for the last three years. Two versions of the bill had leaked before the Justice AP Shah Committee was formed. The next version of the bill, hopefully implementing the recommendations of the Justice AP Shah Committee report, is expected in the near future. In a multi-stakeholder-based parallel process, the Centre for Internet and Society (where I work), along with FICCI and DSCI, is holding seven round tables on a civil society draft of the privacy bill and the industry-led efforts on co-regulation.

Which brings me to the final part of Deora’s response to Javadekar:

United States official responded that PRISM dealt only with Meta Data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored. United States Officials maintained that data content/content of emails are not accessed or not monitored under these surveillance programmes; therefore, it is not a violation of privacy. It was stated by United States that its agencies need to get separate authorization from Foreign Intelligence Surveillance Act (FISA) court, if they want to access the content of any of the data intercepted by these surveillance programmes.

Dear Mr.Minister, either you have been lied to by your friendly “United States Official”, or, well…

Firstly, by limiting the answer to only PRISM, which happens to be just one of the NSA’s secret tools for online surveillance, you are willfully or inadvertently narrowing down Javadekar’s question which specifically mentions other tools like Boundless Informant.

Almost all of the big Internet companies revealed to be part of the NSA’s global spying mechanism have also used the same tactic to tailor their denials. I suppose they got the cue from the NSA, which loves using the “Under This Program” dodge to derail specific questions about its secret programs, according to the Electronic Frontier Foundation:

Another tried and true technique in the NSA obfuscation playbook is to deny it does one invasive thing or another “under this program.” When it’s later revealed the NSA actually does do the spying it said it didn’t, officials can claim it was just part of another program not referred to in the initial answer.

In case you weren’t aware of the NSA’s obfuscation tactics Mr.Minister, here is another great piece on it from the Slate – “How to Decode the True Meaning of What NSA Officials Say”

Thus when your friendly US official tells you that “only meta data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored” under PRISM, not “data content/content of emails”, he or she is technically right.

Because the NSA has other programs that capture all of that. For instance, XKeyscore, which according to leaked presentations, it can capture “nearly everything a typical user does on the internet”. This includes emails, visits to websites, web searches and Facebook chats & private messages.

Did you also know, Mr. Minister, that the XKeyscore surveillance program has servers located inside India?

Finally, you make a statement that is patently false. You say that US spy agencies need authorizations from the secret Foreign Intelligence Surveillance Courts (FISC) in order to access the data collected by various surveillance programs.

FISA courts almost always approve any request made to them (they apparently rejected just 11 requests out of 33,900 made by the US government in the last 33 years), so that’s that for oversight.

And in the NSA’s Orwellian world of doublespeak, large scale interception and storage of Internet communications isn’t considered “collected” till such time one of their agents has had a chance to look at it. Which means if you’re reading this post – the NSA’s secret servers over the world and in India can coolly capture that and store it in vast databases for posterity – without it ever registering as a “collection” or requiring any approval from FISA courts.

Fact is, Mr.Minister, we “foreigners” (unless you belong to one of the four other countries that are part of the “Five Eyes” alliance, in which case you’ll be treated with a wee bit more caution) , that is, us, are fair game:

The intelligence data is being gathered under Section 702 of the of the Fisa Amendments Act (FAA), which gives the NSA authority to target without warrant the communications of foreign targets, who must be non-US citizens and outside the US at the point of collection.

The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as “incidental collection” in surveillance parlance.

We expected better answers from you Mr.Minister – sorry, expect better.

Alas your recent answers don’t inspire much trust, for instance when you tell us constant surveillance is “good for us” and “will enhance the privacy of citizens”.

Or when you tell us that “Google Hangouts” – a service provided by a company that looms over nearly everything Indians do online – is a better medium to reach out to people than Parliament or Television.

We deserve the truth from you Mr.Minister. Just like Prakash Javadekar.

For more details visit http://editors.cis-india.org/news/forbesindia-august-22-2013-rohin-dharmakumar-dear-milind-deora-prakash-javadekar-deserved-the-truth

Surveillance: Privacy Vs Security

praskrishna — 2013-08-19T05:32:55Z

The Foundation for Media Professionals is organizing a debate at the India International Centre, New Delhi on August 17, 2013. Shri Kapil Sibal will give the opening speech. Natgrid chief Raghu Raman is one of the debaters. Pranesh Prakash is participating in this event as a panelist.

This was published by the Foundation for Media Professionals on their website. Also read the blog post by Vivian Fernandes and Ninglun Hanghal.

In the backdrop of the recent disclosures by US defense contractor Edward Snowden about the activity of the National Security Agency (NSA) and reports that NSA may have collaborated with India on surveillance program in the country that have raised concerns about privacy and right of citizens, Foundation for Media Professionals (FMP) in partnership with Friedrich Ebert Stiftung (FES) invited Pranesh Prakash to a panel discussion on "Surveillance: Privacy vs. Security".

Guest Speaker
Kapil Sibal, Union Minister for Communications and Information Technology, Govt. of India

Panelists

Pranesh Prakash, Policy Director, Centre for Internet and Society

Dr. Usha Ramanathan, Independent Law Researcher
Saikat Datta, Resident Editor, DNA
Capt. Raghu Raman, National Intelligence Grid (Natgrid)

Moderator

Paranjoy Guha Thakurta

For more details visit http://editors.cis-india.org/news/foundation-for-media-professionals-august-17-2013-surveillance-privacy-v-security

Is CMS a Compromise of Your Security?

praskrishna — 2013-07-15T06:27:05Z

By secretly monitoring and recording all Indians through a Central Monitoring System, our government will end up making citizens and businesses less safe.

This article appeared in the Forbes India magazine of 12 July, 2013. Sunil Abraham is quoted.

Are you reading this article on your PC or smartphone? No? Do you own a smartphone? Surely a phone then?

If you also happen to live in Delhi, Haryana or Karnataka, then from April this year nearly all your electronic communication—telephony, emails, VOIP, social networking—has been sucked up under an innocuous sounding programme called the Central Monitoring System, or CMS.

There’s no way to tell if you are being watched really, because telecom service providers aren’t part of the set-up. In most cases, they may not even be aware which of their users is being monitored. Neither can you approach a government agency or court to find out more, because there’s practically very little oversight or disclosure. What the government does with the data—how it is stored, secured, accessed or deleted—we don’t know.

Unlike the US and other Western democracies where even for a large scale programme like Prism (leaked recently by 29-year-old whistleblower and now fugitive Edward Snowden), surveillance orders need to be signed by a judge. But in India most orders are signed by either the Central or state home secretary, says Sunil Abraham, executive director for Centre for Internet and Society, Bangalore. This leads to a conflict of interest as the executive branch is both undertaking law enforcement and providing oversight on its own work.

In most cases, the officials are overwhelmed with other work, and don’t have the time to apply their minds to each request. “There is supposed to be an oversight committee that reviews the decisions of home secretaries, but we don’t have any idea about that committee either,” says Abraham.

Meanwhile, government bodies like the R&AW, Central Bureau of Investigation, National Investigation Agency, Central Board of Direct Taxes, Narcotics Control Bureau and the Enforcement Directorate will have the right to look up your data. Starting next year, all mobile telephony operators will also need to track and store the geographical location from which subscribers make or receive calls.

“I see it as the rise of techno-determinism in our security apparatus. Previously, our philosophy was to avoid infringing on individual privacy, and monitor a small set of individuals directly suspected of engaging in illegal activities. Now, thanks to the Utopianism being offered up by ‘Big Data’ infrastructure, putting everybody under blanket surveillance seems like a better way to serve our security and law enforcement agendas more effectively,” says Abraham.

There is a real risk that CMS and the numerous other monitoring programmes that will subsequently connect to it will end up harming more Indians than protecting them.

The biggest risk is that these programmes will turn into lucrative ‘honey pots’ for hackers, criminals and rival countries. Why bother hacking individuals and companies if you can attack the CMS? We’ve seen private corporations and government agencies in the US, Israel and the UK getting hacked. So let’s not have any illusions that India is going to fare much better.

Another consequence is that sooner or later innocent citizens will be wrongly accused of being criminals based on mistaken data patterns. While searching for matches in any database with hundreds of millions of records, the risk of a ‘false positive’ increases disproportionately because there are exponentially more innocents than there are guilty. And in the near-Dystopian construct of the CMS, it will take months or years for such errors to be rectified.

As more Indians become aware of these programmes, they will adopt encryption and masking tools to hide their digital selves. In the process, numerous ‘unintended consequences’ of failing to differentiate law-abiding citizens from criminals will be created. What answer will a normal citizen offer to a law enforcement official who wants to know why he or she has encrypted all communications and hosted a personal server in, say, Sweden?

But arguably the biggest threat of 24x7 surveillance is to businesses. Security and trust are the foundations atop which most modern businesses are built. From your purchase of a gadget on an ecommerce site to a large conglomerate’s secret bid in a government auction to discussions within a company on future business strategies to patent applications—everything requires secrecy and security. All an unscrupulous competitor, whether it be a company or a country, has to do to go one-up on you is to attack the CMS and other central databases.

“The reason why the USA historically decided not to impose blanket surveillance wasn’t because of human rights, but to protect its businesses and intellectual property. Because while we may be able to live in a society without human rights, we cannot be in one without functional markets,” says Abraham.

He goes on to say that the recent disclosures around the various spying programmes run by the US have made the private surveillance and security industry very happy. “Each incident becomes a case-study to pit one country against another, forcing each one to cherry-pick the worst global practices in a dangerous race to the bottom. Civil society and privacy activists don’t have the resources to fight large vendors and so the only thing that will stop this is the leak of large databases, like that of 9 million Israeli biometric records a few years back.”

Recollecting the news about a family-business break-up some years ago, where two brothers agreed to split their businesses, the net result was one brother opted out of telephony services offered by the other. All of that is now moot. “There are no more shadows now. Nobody will have refuge and everybody will be exposed,” says Abraham.

For more details visit http://editors.cis-india.org/news/forbesindia-article-real-issue-july9-2013-rohin-dharmakumar-is-cms-a-compromise-of-your-security

In India, Prism-like Surveillance Slips Under the Radar

praskrishna — 2013-07-03T09:31:18Z

Prism, the contentious U.S. data-collection surveillance program, has captured the world’s attention ever since whistle-blower Edward Snowden leaked details of global spying to the Guardian and Washington Post.

The article by Anjan Trivedi was published in Time World on June 30, 2013. Sunil Abraham is quoted.

However, it turns out India, the world’s largest democracy, is building its own version to monitor internal communications in the name of national security. Yet India’s Central Monitoring System, or CMS, was not shrouded in secrecy — New Delhi announced its intentions to watch over its citizens, however mutedly, in 2011, and rollout is slated for August. And while reports that the American system collected 6.3 billion intelligence reports in India led to a lawsuit at the nation’s Supreme Court, comparable indignation has been conspicuously lacking with the domestic equivalent.

CMS is an ambitious surveillance system that monitors text messages, social-media engagement and phone calls on landlines and cell phones, among other communications. That means 900 million landline and cell-phone users and 125 million Internet users. The project, which is being implemented by the government’s Centre for Development of Telematics (C-DOT), is meant to help national law-enforcement agencies save time and avoid manual intervention, according to the Department of Telecommunications’ annual report. This has been in the works since 2008, when C-DOT started working on a proof-of-concept, according to an older report. The government set aside approximately $150 million for the system as part of its 12th five-year plan, although the Cabinet ultimately approved a higher amount.

Within the internal-security ministry though, the surveillance system remains a relatively “hush-hush” topic, a project official unauthorized to speak to the press tells TIME. In April 2011, the Police Modernisation Division of the Home Affairs Ministry put out a 90-page tender to solicit bidders for communication-interception systems in every state and union territory of India. The system requirements included “live listening, recording, storage, playback, analysis, postprocessing” and voice recognition.

Civil-liberties groups concede that states often need to undertake targeted-monitoring operations. However, the move toward extensive “surveillance capabilities enabled by digital communications,” suggests that governments are now “casting the net wide, enabling intrusions into private lives,” according to Meenakshi Ganguly, South Asia director for Human Rights Watch. This extensive communications surveillance through the likes of Prism and CMS are “out of the realm of judicial authorization and allow unregulated, secret surveillance, eliminating any transparency or accountability on the part of the state,” a recent U.N. report stated.

India is no stranger to censorship and monitoring — tweets, blogs, books or songs are frequently blocked and banned. India ranked second only to the U.S. on Google’s list of user-data requests with 4,750 queries, up 52% from two years back, and removal requests from the government increased by 90% over the previous reporting period. While these were largely made through police or court orders, the new system will not require such a legal process. In recent times, India’s democratically elected government has barred access to certain websites and Twitter handles, restricted the number of outgoing text messages to five per person per day and arrested citizens for liking Facebook posts and tweeting. Historically too, censorship has been India’s preferred means of policing social unrest. “Freedom of expression, while broadly available in theory,” Ganguly tells TIME, “is endangered by abuse of various India laws.”

There is a growing discrepancy and power imbalance between citizens and the state, says Anja Kovacs of the Internet Democracy Project. And, in an environment like India where “no checks and balances [are] in place,” that is troubling. The potential for misuse and misunderstanding, Kovacs believes, is increasing enormously. Currently, India’s laws relevant to interception “disempower citizens by relying heavily on the executive to safeguard individuals’ constitutional rights,” a recent editorial noted. The power imbalance is often noticeable at public protests, as in the case of the New Delhi gang-rape incident in December, when the government shut down public transport near protest grounds and unlawfully detained demonstrators.

With an already sizeable and growing population of Internet users, the government’s worries too are on the rise. Netizens in India are set to triple to 330 million by 2016, according to a recent report. “As [governments] around the world grapple with the power of social media that can enable spontaneous street protests, there appears to be increasing surveillance,” Ganguly explains.

India’s junior minister for telecommunications attempted to explain the benefits of this system during a recent Google+ Hangout session. He acknowledged that CMS is something that “most people may not be aware of” because it’s “slightly technical.” A participant noted that the idea of such an intrusive system was worrying and he did not feel safe. The minister, though, insisted that it would “safeguard your privacy” and national security. Given the high-tech nature of CMS, he noted that telecom companies would no longer be part of the government’s surveillance process. India currently does not have formal privacy legislation to prohibit arbitrary monitoring. The new system comes under the jurisdiction of the Indian Telegraph Act of 1885, which allows for monitoring communication in the “interest of public safety.”

The surveillance system is not only an “abuse of privacy rights and security-agency overreach,” critics say, but also counterproductive in terms of security. In the process of collecting data to monitor criminal activity, the data itself may become a target for terrorists and criminals — a “honeypot,” according to Sunil Abraham, executive director of India’s Centre for Internet and Society. Additionally, the wide-ranging tapping undermines financial markets, Abraham says, by compromising confidentiality, trade secrets and intellectual property. What’s more, vulnerabilities will have to be built into the existing cyberinfrastructure to make way for such a system. Whether the nation’s patchy infrastructure will be able to handle a complex web of surveillance and networks, no one can say. That, Abraham contends, is what attackers will target.

National security has widely been cited as the reason for this system, but no one can say whether it will actually help avert terrorist activity. India’s own 9/11 is a case in point: the Indian government was handed intelligence by foreign agencies about the possibility of the 2008 Mumbai terrorist attacks, but did not act. This is a “clear indication that having access to massive amounts of data is not necessarily going to make people safer,” Kovacs tells TIME. However, officers familiar with the new system say it will not increase surveillance or enhance intrusion beyond current levels; it will only strengthen the policy framework of privacy and increase operational efficiency. Spokespersons and officials in the internal-security and telecom departments did not respond to requests or declined to comment.

The government has been cagey about details on implementation and extent. This ability to act however the authorities deems fit “just makes it really easy to slide into authoritarianism, and that is not acceptable for any democratic country,” Kovacs says. Indeed, India has seen that before — almost four decades ago, Indira Gandhi declared a state of emergency for 19 months, which suspended all civil liberties. Indians complaining about Prism may want to look a little closer to home.

For more details visit http://editors.cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar

Internet users enraged over US online spying

praskrishna — 2013-07-01T04:10:05Z

India is the fifth most tracked nation by American intelligence agencies.

The article by Maitreyee Boruah was published in the Times of India on June 29, 2013. Sunil Abraham is quoted.

Have you been posting pictures and messages with gay abandon on your social networking sites or having personal discussions on instant chat or video messaging and thinking that no one other than the intended recipient(s) has access to it? Well, going by the recent revelation that government agencies, and that too from the US, have been spying on our internet usage and collating private information, even the most hardcore security settings for your online data are apparently of no use.

According to former US Central Intelligence Agency (CIA) employee Edward Snowden's testimony, the US National Security Agency ( NSA) has been using major tech giants to spy on private information of users around the world. And India is the fifth most tracked nation by the US intelligence system. But isn't this a direct infringement on our right to privacy? Or are such measures the need of the hour, given the increasing incidences of terror acts across the world?

What should the Indian government do?

Recently, a PIL (Public Interest Litigation) was filed in the Indian Supreme Court on the issue of the web snooping by the US. The PIL sought the Centre to initiate action against internet companies for sharing information with foreign authorities, which amounts to breach of contract and violation of the right to privacy.

"First, we need to urgently enact a horizontal privacy law, which articulates privacy principles and institutes the office of the privacy commissioner. Second, we need to promote the use of encryption and other privacy-enhancing technologies. The use of foreign internet infrastructure by those in public offices should be banned, except in the case of public dissemination. And last, but not the least, take action against online firms that have access to personal data of users and violate the privacy of Indian citizens through the office of the regulator," suggests Sunil Abraham, executive director of Bangalore-based research organization, Centre for Internet and Society.

Anja Kovacs, project director at the Internet Democracy Project in India, meanwhile, wants the Indian government to assert itself. "The best the Indian government can do is to demand that this kind of snooping does not happen. However, it can't ensure that such episodes won't happen in the future, as there is no enforceable global legal framework to deal with online snooping."

Era of the Big Brother?

Given the lack of legal support, does it mean that internet users have no right to privacy? "We do have a right to privacy. Unfortunately, our right is not respected. By and large, unless they use special tools to protect themselves, internet users do not have any real privacy in many countries, including India," says Anja, adding, "The right to privacy is not explicitly included in the Constitution, and the Privacy Bill continues to be pending. Also, Indian intelligence agencies are not under supervision of the Parliament, which is an important weakness in the accountability system." Echoing Anja, Sunil says, "In India, unfortunately, our right to privacy is not sufficiently protected. Indian laws are not strong enough to safeguard privacy of Internet users."

Anger in the online community

A large number of internet users who we spoke to said they were "shocked" after hearing about the US government's spying mechanism. "The recent revelation of snooping by the US government is a clear case of intrusion into our privacy. It is absolutely illegal," says 24-year-old IT professional Subodh Gupta.

For more details visit http://editors.cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying

Indian surveillance laws & practices far worse than US

pranesh — 2013-07-12T11:09:39Z

Explosive would be just the word to describe the revelations by National Security Agency (NSA) whistleblower Edward Snowden.

Pranesh Prakash's column was published in the Economic Times on June 13, 2013. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Now, with the American Civil Liberties Union suing the Obama administration over the NSA surveillance programme, more fireworks could be in store. Snowden's expose provides proof of what many working in the field of privacy have long known. The leaks show the NSA (through the FBI) has got a secret court order requiring telecom provider Verizon to hand over "metadata", i.e., non-content data like phone numbers and call durations, relating to millions of US customers (known as dragnet or mass surveillance); that the NSA has a tool called Prism through which it queries at least nine American companies (including Google and Facebook); and that it also has a tool called Boundless Informant (a screenshot of which revealed that, in February 2013, the NSA collected 12.61 billion pieces of metadata from India).

Nothing Quite Private

The outrage in the US has to do with the fact that much of the data the NSA has been granted access to by the court relates to communications between US citizens, something the NSA is not authorised to gain access to. What should be of concern to Indians is that the US government refuses to acknowledge non-Americans as people who also have a fundamental right to privacy, if not under US law, then at least under international laws like the Universal Declaration of Human Rights and the ICCPR.

US companies such as Facebook and Google have had a deleterious effect on privacy. In 2004, there was a public outcry when Gmail announced it was using an algorithm to read through your emails to serve you advertisements. Facebook and Google collect massive amounts of data about you and websites you visit, and by doing so, they make themselves targets for governments wishing to snoop on you, legally or not.

Worse, Indian-Style

That said, Google and Twitter have at least challenged a few of the secretive National Security Letters requiring them to hand over data to the FBI, and have won. Yahoo India has challenged the authority of the Controller of Certifying Authorities, a technical functionary under the IT Act, to ask for user data, and the case is still going on.

To the best of my knowledge, no Indian web company has ever challenged the government in court over a privacy-related matter. Actually, Indian law is far worse than American law on these matters. In the US, the NSA needed a court order to get the Verizon data. In India, the licences under which telecom companies operate require them to provide this. No need for messy court processes.

The law we currently have â€” sections 69 and 69B of the Information Technology Act â€” is far worse than the surveillance law the British imposed on us. Even that lax law has not been followed by our intelligence agencies.

Keeping it Safe

Recent reports reveal India's secretive National Technical Research Organisation (NTRO) â€” created under an executive order and not accountable to Parliament â€” often goes beyond its mandate and, in 2006-07, tried to crack into Google and Skype servers, but failed. It succeeded in cracking Rediffmail and Sify servers, and more recently was accused by the Department of Electronics and IT in a report on unauthorised access to government officials' mails.

While the government argues systems like the Telephone Call Interception System (TCIS), the Central Monitoring System (CMS) and the National Intelligence Grid (Natgrid) will introduce restrictions on misuse of surveillance data, it is a flawed claim. Mass surveillance only increases the size of the haystack, which doesn't help in finding the needle. Targeted surveillance, when necessary and proportional, is required. And no such systems should be introduced without public debate and a legal regime in place for public and parliamentary accountability.

The government should also encourage the usage of end-to-end encryption, ensuring Indian citizens' data remains safe even if stored on foreign servers. Merely requiring those servers to be located in India will not help, since that information is still accessible to American agencies if it is not encrypted. Also, the currently lax Indian laws will also apply, degrading users' privacy even more.

Indians need to be aware they have virtually no privacy when communicating online unless they take proactive measures. Free or open-source software and technologies like Open-PGP can make emails secure, Off-The-Record can secure instant messages, TextSecure for SMSes, and Tor can anonymise internet traffic.

http://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us

For more details visit http://editors.cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us