Is CMS a Compromise of Your Security?
This article appeared in the Forbes India magazine of 12 July, 2013. Sunil Abraham is quoted.
Are you reading this article on your PC or smartphone? No? Do you own a smartphone? Surely a phone then?
If you also happen to live in Delhi, Haryana or Karnataka, then from April this year nearly all your electronic communication—telephony, emails, VOIP, social networking—has been sucked up under an innocuous sounding programme called the Central Monitoring System, or CMS.
There’s no way to tell if you are being watched really, because telecom service providers aren’t part of the set-up. In most cases, they may not even be aware which of their users is being monitored. Neither can you approach a government agency or court to find out more, because there’s practically very little oversight or disclosure. What the government does with the data—how it is stored, secured, accessed or deleted—we don’t know.
Unlike the US and other Western democracies where even for a large scale programme like Prism (leaked recently by 29-year-old whistleblower and now fugitive Edward Snowden), surveillance orders need to be signed by a judge. But in India most orders are signed by either the Central or state home secretary, says Sunil Abraham, executive director for Centre for Internet and Society, Bangalore. This leads to a conflict of interest as the executive branch is both undertaking law enforcement and providing oversight on its own work.
In most cases, the officials are overwhelmed with other work, and don’t have the time to apply their minds to each request. “There is supposed to be an oversight committee that reviews the decisions of home secretaries, but we don’t have any idea about that committee either,” says Abraham.
Meanwhile, government bodies like the R&AW, Central Bureau of Investigation, National Investigation Agency, Central Board of Direct Taxes, Narcotics Control Bureau and the Enforcement Directorate will have the right to look up your data. Starting next year, all mobile telephony operators will also need to track and store the geographical location from which subscribers make or receive calls.
“I see it as the rise of techno-determinism in our security apparatus. Previously, our philosophy was to avoid infringing on individual privacy, and monitor a small set of individuals directly suspected of engaging in illegal activities. Now, thanks to the Utopianism being offered up by ‘Big Data’ infrastructure, putting everybody under blanket surveillance seems like a better way to serve our security and law enforcement agendas more effectively,” says Abraham.
There is a real risk that CMS and the numerous other monitoring programmes that will subsequently connect to it will end up harming more Indians than protecting them.
The biggest risk is that these programmes will turn into lucrative ‘honey pots’ for hackers, criminals and rival countries. Why bother hacking individuals and companies if you can attack the CMS? We’ve seen private corporations and government agencies in the US, Israel and the UK getting hacked. So let’s not have any illusions that India is going to fare much better.
Another consequence is that sooner or later innocent citizens will be wrongly accused of being criminals based on mistaken data patterns. While searching for matches in any database with hundreds of millions of records, the risk of a ‘false positive’ increases disproportionately because there are exponentially more innocents than there are guilty. And in the near-Dystopian construct of the CMS, it will take months or years for such errors to be rectified.
As more Indians become aware of these programmes, they will adopt encryption and masking tools to hide their digital selves. In the process, numerous ‘unintended consequences’ of failing to differentiate law-abiding citizens from criminals will be created. What answer will a normal citizen offer to a law enforcement official who wants to know why he or she has encrypted all communications and hosted a personal server in, say, Sweden?
But arguably the biggest threat of 24x7 surveillance is to businesses. Security and trust are the foundations atop which most modern businesses are built. From your purchase of a gadget on an ecommerce site to a large conglomerate’s secret bid in a government auction to discussions within a company on future business strategies to patent applications—everything requires secrecy and security. All an unscrupulous competitor, whether it be a company or a country, has to do to go one-up on you is to attack the CMS and other central databases.
“The reason why the USA historically decided not to impose blanket surveillance wasn’t because of human rights, but to protect its businesses and intellectual property. Because while we may be able to live in a society without human rights, we cannot be in one without functional markets,” says Abraham.
He goes on to say that the recent disclosures around the various spying programmes run by the US have made the private surveillance and security industry very happy. “Each incident becomes a case-study to pit one country against another, forcing each one to cherry-pick the worst global practices in a dangerous race to the bottom. Civil society and privacy activists don’t have the resources to fight large vendors and so the only thing that will stop this is the leak of large databases, like that of 9 million Israeli biometric records a few years back.”
Recollecting the news about a family-business break-up some years ago, where two brothers agreed to split their businesses, the net result was one brother opted out of telephony services offered by the other. All of that is now moot. “There are no more shadows now. Nobody will have refuge and everybody will be exposed,” says Abraham.