Centre for Internet and Society

Himachal Pradesh (Govt) Notifications

praskrishna — 2013-07-23T16:05:11Z

List of notifications published by the state government of Himachal Pradesh can be viewed below:

For more details visit http://editors.cis-india.org/accessibility/resources/himachal-pradesh-govt-notifications

Snooping technology: Will CMS work in India?

praskrishna — 2013-07-22T07:19:02Z

The Indian government plans to spend $132 million on setting up its brand new Central Monitoring System this year.

Pierre Fitter's article was published in FirstPost on July 17, 2013. Pranesh Prakash is quoted.

Several articles have raised valid questions about privacy violations, including this one by Danish Raza. Elsewhere, Pranesh Prakash has raised important points about how CMS may actually violate several laws and at least one Supreme Court verdict.

I ask a much more basic question: will CMS work? Can it really help security agencies eavesdrop on criminals and terrorists, despite several known technical hurdles?

	Encryption In 2008, a prominent Brazilian banker and investor named Daniel Dantas was arrested and charged with money laundering and tax evasion along with a former mayor of Sao Paulo. For five months, the Brazilian National Institute of Criminology tried to read the contents of his hard drive but failed to crack it. Dantas had encrypted his data using a free program called Truecrypt. The INC sent the hard drive to the FBI in the US, which spent a whole year trying to crack it; it too failed. Dantas’s use of encryption likely helped him escape the money laundering and tax evasion charges. He was ultimately convicted of attempting to bribe a police officer.

Encryption

In 2008, a prominent Brazilian banker and investor named Daniel Dantas was arrested and charged with money laundering and tax evasion along with a former mayor of Sao Paulo. For five months, the Brazilian National Institute of Criminology tried to read the contents of his hard drive but failed to crack it. Dantas had encrypted his data using a free program called Truecrypt. The INC sent the hard drive to the FBI in the US, which spent a whole year trying to crack it; it too failed. Dantas’s use of encryption likely helped him escape the money laundering and tax evasion charges. He was ultimately convicted of attempting to bribe a police officer.

This story illustrates a fundamental loophole at the heart of CMS. A criminal, using free and easy-to-use software, can protect his data from even the most advanced surveillance tools available in law enforcement. NSA whistle blower Edward Snowden himself used encrypted email to communicate with journalists at the Guardian. In an online chat where he took questions from the public, Snowden noted that encryption was “one of the few things that you can rely on” to protect you from the eavesdropping behemoth created of the NSA.

It should hardly be surprising then, that terror groups have been encrypting their emails and data for at least the last five years. In fact Al Qaeda developed its own encryption software called ‘Mujahideen Secrets’, to encrypt emails, chat sessions and files. Version two of Mujahideen Secrets even included a tool to delete files securely so that they could not be recovered using special software if the computer was captured. Al Qaeda’s links to several terror groups operating in India has been widely reported in the past. It is not inconceivable that they have shared their encryption software with their comrades-in-arms.

Over the years it has become easier to encrypt one’s communication. YouTube tutorials train even novice users to set up email encryption within minutes. Phone calls, text messages and online chats can also be encrypted with free, easy-to-install apps.

The biggest problem with encryption is that it is virtually impossible to break the code in a time frame that’s useful for law-enforcement purposes. Without getting too technical, modern encryption relies calculating the prime factors of very, very large integers. In 2009, a group of some of the world’s best-known mathematicians and cryptographers reported that it took them four years to factor a 768-bit integer. They estimated it would take 1,000 times longer to factorise a 1024-bit integer. GPG, which is the most widely-used email encryption software, allows users up to 4096-bit encryption. Unless you have the password to the encrypted files, it would take you a very long time to crack the encryption.

Here’s an example to help you understand why encryption makes CMS redundant. Let’s say the system intercepts an encrypted email sent by a LeT handler in Karachi to a sleeper cell in Mumbai. The email contains instructions to detonate a bomb in a specific market at a specific time four days from now. Even if India’s intelligence agencies managed to link up every computer they had available to process the encryption, they would still not be able to crack it in time to learn the details and stop the attack.

What about ‘Metadata’?

It should be noted that encryption only protects the body of the email. The metadata, including the sender’s and receiver’s email addresses remain unencrypted, else the service provider would be unable to send the email to its destination. Law enforcement agencies often partner with email providers to track down the exact computer on which tell-tale emails were read.

However, this method of tracing criminals has a limitation. Programs such as TOR and Hotspot Shield disguise the IP address of a user’s PC. For example, when I use TOR, Facebook will often ask me to confirm my identity as it sees me as logging in from an unfamiliar location. TOR has thousands of servers around the world through which it bounces your data before sending it to its destination.

There is another limitation to using metadata. Due to obvious legal hurdles, CMS will only be deployed to capture communication within India. If terrorists were planning an attack from elsewhere in India’s neighbourhood (as happened with 26/11), we would have to rely on that country’s intelligence services for an alert. Good luck with that!

To make untraceable phone calls, terrorists have been known to use “burner” phones. These are pre-paid phones that are easily available in the US and other countries that do not require an ID for such mobile connections. They can be topped up using cash, which makes their prolonged using even more untraceable.

Even if CMS allowed spooks to listen to these calls, it would not be able to tell who was talking to whom. From details that emerged following the Abbottabad operation that killed Osama bin Laden, we also know that terrorists have been trained to turn off their phones and remove the battery to prevent being tracked even while not on a call.

So what is CMS good for?

If terrorist communications can easily be hidden from CMS, you have to wonder why the government is going through all the effort and expense to set up such a system. What good can come off the mass hoovering of data of ordinary citizens’?

Imagine if CMS intercepted a ‘BBM chat’ between two businessmen, who were discussing a contract that could affect the business interests of a government MP.

Imagine the government getting access to emails exchanged between a journalist and a source in the IAS who wants to expose a major corruption scandal involving a cabinet minister.

Imagine if the government had access to phone calls between two opposition politicians discussing election strategies.

What if CMS tracks a PhD candidate who is researching Naxal terror and has downloaded Naxal pamphlets? What if this researcher has been able to establish contact with Naxals for an interview. Can the government use such data to charge him with participating in a Naxal conspiracy, even if his only intention was to research their motivations? In a country where chief ministers label their critics as “Naxals” for merely raising questions, are we certain we want such unmitigated power in the government’s hands?

These are all questions well worth asking, especially since the ostensible reason for setting up the CMS—monitoring terrorists and criminals—is a fool’s errand at best.

For more details visit http://editors.cis-india.org/news/firstpost-pierre-fitter-july-17-2013-snooping-technology

सावधान आपके प्रोफ़ाइल पर है पुलिस की नज़र!

praskrishna — 2013-07-31T04:10:37Z

जन लोकपाल, दिल्ली रेप केस और बाबा रामदेव के आंदोलनों में उमड़ी भीड़ से घबराई सरकारी एजेंसियां अब सोशल मीडिया पर कड़ी नज़र रखने के लिए मैदान में उतरी हैं.

This blog post by Parul Aggarwal was published by BBC on July 18, 2013. Pranesh Prakash is quoted.

अपनी तरह के एक पहले मामले में मुंबई पुलिस ने क्लिक करें फ़ेसबुक-ट्विटर और दूसरे सोशल मीडिया पर आम लोगों की राय और उनकी भावनाओं पर निगरानी रखने की शुरुआत की है.

साइबर अपराधियों और इंटरनेट पर क्लिक करें गड़बड़ियां फैलाने वालों के अलावा अब पुलिस की नज़र उन लोगों पर भी रहेगी जो राजनीतिक-सामाजिक मुद्दों पर सोशल मीडिया में जमकर बोलते हैं.

आम लोग बने मुसीबत?

पुलिस की मंशा है समय रहते ये जानना कि जनता किन मुद्दो पर लामबंद हो रही है और विरोध प्रदर्शनों के दौरान बड़े स्तर पर लोगों का रुझान किस तरफ़ है.

सोशल मीडिया मॉनिटरिंग का ये काम मार्च 2013 में शुरु किए गए मुंबई पुलिस के सोशल मीडिया लैब के ज़रिए किया जाएगा. मुंबई पुलिस के एक वरिष्ठ अधिकारी ने बीबीसी से हुई बातचीत में कहा, ''नौजवान आजकल फ़ेसबुक पर ख़ासे एक्टिव हैं, ये लोग नासमझ हैं और बात-बात पर उग्र हो जाते हैं. सोशल मीडिया लैब के ज़रिए हम ये देखते हैं कि कौन किस मुद्दे पर ज़्यादा से ज़्यादा लिख रहा है और किस तरह की प्रतिक्रिया दे रहा है.''

दिल्ली रेप केस हो या इस तरह के दूसरे पब्लिक मूवमेंट, पिछले दिनों ऐसे कई मामले हुए हैं जब पुलिस ये नहीं जान पाई कि लोग क्या सोच रहे हैं या कितनी हद तक और कितनी बड़ी संख्या में लामबंद हो रहे हैं. हमारा काम है सोशल मीडिया पर नज़र रखते हुए पुलिस को ये बताना कि लोग किन चीज़ों के बारे में बात कर रहे हैं किस तरह के मुद्दे ज़ोर पकड़ रहे हैं."
रजत गर्ग, सीईओ सोशलऐप्सएचक्यू

इस काम में पुलिस को तकनीकी मदद मिल रही है नैसकॉम और तकनीकी क्षेत्र की एक निजी कंपनी ‘सोशलऐप्सएचक्यू’ से.

सोशल मीडिया पर लामबंदी

सोशलऐप्सएचक्यू के सीईओ रजत गर्ग ने बीबीसी से हुई बातचीत में कहा, ''दिल्ली रेप केस हो या इस तरह के दूसरे पब्लिक मूवमेंट, पिछले दिनों ऐसे कई मामले हुए हैं जब पुलिस ये नहीं जान पाई कि लोग क्या सोच रहे हैं या कितनी हद तक और कितनी बड़ी संख्या में लामबंद हो रहे हैं. हमारा काम है सोशल मीडिया पर नज़र रखते हुए पुलिस को ये बताना कि लोग किन चीज़ों के बारे में बात कर रहे हैं किस तरह के मुद्दे ज़ोर पकड़ रहे हैं. ''

फ़ेसबुक-ट्विटर पर क्लिक करें निगरानी कोई नई बात नहीं लेकिन अब तक ये काम ज्यादातर मार्केटिंग कंपनियां ही करती आई हैं. लेकिन सोशलऐप्सएचक्यू जैसी कंपनियां जो कर रही हैं वो 'ओपन सोर्स इंटेलिजेंस' यानी सार्वजनिक स्रोतों से मिली संवेदनशील जानिकारियों को इकट्ठा करना है.

विशेष सॉफ्टवेयर्स की मदद

रजत गर्ग के मुताबिक़, “इंटरनेट को खंगालने और जानकारियां जुटाने का काम सॉफ्टवेयर करते हैं और जानकारियों को समझने और इन पर निगरानी का काम तकनीकी विशेषज्ञों की टीम. इससे ये देखा जा सकता है कि कि कौन से मुद्दे ज़ोर पकड़ रहे हैं और कौन लोग इन्हें लेकर सबसे ज़्यादा एक्टिव हैं. इन लोगों के सोशल नेटवर्क के ज़रिए ये जाना जा सकता है कि किसकी पहुंच कितने लोगों तक है और कोई भी गतिविधिति क्या रुप ले सकती है.’’ सरकार की दलील है कि जो जानकारियां सोशल मीडिया पर क्लिक करें सार्वजनिक रुप से मौजूद हैं केवल उन्हीं की निगरानी की जाती है. हालांकि तकनीक के जानकार कहते हैं कि भारत में प्राइवेसी से जुड़े क़ानून बेहद लचर हैं और फ़ेसबुक-ट्विटर का इस्तेमाल करने वाले ज्यादातर लोग अपनी निजी जानकारियां छिपाने जैसी तकनीकों से अनजान हैं.	अपनी वेबसाइट पर आपत्तिजनक सामग्री डालने को लेकर कार्टूनिस्ट असीम त्रिवेदी को भी गिरफ्तार किया गया था.

रजत गर्ग के मुताबिक़, “इंटरनेट को खंगालने और जानकारियां जुटाने का काम सॉफ्टवेयर करते हैं और जानकारियों को समझने और इन पर निगरानी का काम तकनीकी विशेषज्ञों की टीम. इससे ये देखा जा सकता है कि कि कौन से मुद्दे ज़ोर पकड़ रहे हैं और कौन लोग इन्हें लेकर सबसे ज़्यादा एक्टिव हैं. इन लोगों के सोशल नेटवर्क के ज़रिए ये जाना जा सकता है कि किसकी पहुंच कितने लोगों तक है और कोई भी गतिविधिति क्या रुप ले सकती है.’’

सरकार की दलील है कि जो जानकारियां सोशल मीडिया पर क्लिक करें सार्वजनिक रुप से मौजूद हैं केवल उन्हीं की निगरानी की जाती है. हालांकि तकनीक के जानकार कहते हैं कि भारत में प्राइवेसी से जुड़े क़ानून बेहद लचर हैं और फ़ेसबुक-ट्विटर का इस्तेमाल करने वाले ज्यादातर लोग अपनी निजी जानकारियां छिपाने जैसी तकनीकों से अनजान हैं.

अपनी वेबसाइट पर आपत्तिजनक सामग्री डालने को लेकर कार्टूनिस्ट असीम त्रिवेदी को भी गिरफ्तार किया गया था.

पारदर्शिता की कमी

ऐसे में सार्वजनिक मंच पर कई ऐसी जानकारियां उपलब्ध हो सकती हैं जो उन्हें पुलिस की आंख की किरकिरी बना दें.

साल 2012 में पूर्व शिवसेना प्रमुख बाला साहब ठाकरे की निधन के मौक़े पर बुलाए गए मुंबई बंद के ख़िलाफ़ फ़ेसबुक पर टिप्पणी करने वाली एक लड़की और उसकी पोस्ट को लाइक करने वाली उसकी दोस्त को रातोंरात गिरफ्तार कर लिया गया. पुलिस ने ये कार्रवाई एक स्थानीय शिवसेना नेता की शिकायत पर की थी.

कथित तौर पर संविधान का मज़ाक उड़ाने और अपनी वेबसाइट पर आपत्तिजनक सामग्री डालने को लेकर कार्टूनिस्ट असीम त्रिवेदी को भी गिरफ्तार किया गया. मीडिया में हुए हंगामे के बाद सभी लोगों को छोड़ दिया गया लेकिन भारत में अब तक इस तरह के कई ऐसे मामले सामने आ चुके हैं.

सूचना प्रौद्योगिकी क़ानून की धारा 66 कहती है कि इस तरह की कार्रवाई बेहद संवेदनशील और राष्ट्रहित से जुड़े मामलों में ही की जानी चाहिए. हालांकि धारा 66 की आड़ में सरकार और नेताओं के ख़िलाफ़ बोलने वालों की गिरफ्तारी सरकार की मंशा पर कई सवाल खड़े करती है.

इंटरनेट से जुड़े मुद्दों पर काम करने वाली संस्थाएं मानती हैं कि भारत में इंटरनेट और आम लोगों पर निगरानी रखने के मामले में सरकार की ओर से पारदर्शिता की बेहद कमी है.

'दुरुपयोग की संभावना'

द सेंटर फ़ॉर इंटरनेट एंड सोसाएटी से जुड़े प्रनेश प्रकाश कहते हैं, ''भारत में सूचना प्रौद्योगिकी और इंटरनेट से जुड़े क़ानूनों को अगर पढ़ें तो समझ आता है कि वो कितने ख़राब तरीक़े से लिखे गए हैं. इन क़ानूनों में स्पष्टता और जवाबदेही की गुंजाइश न होने के कारण ही उनका इस्तेमाल तोड़-मरोड़ कर किया जाता है.''

सोशल मीडिया के ज़रिए इंटरनेट पर सार्वजनिक रुप से बहुत कुछ हो रहा है. कुच्छेक मामलों को छोड़कर चीन जैसे देशों के मुकाबले अभिव्यक्ति की स्वतंत्रता को लेकर भारत सरकार ने अबतक कोई दमनकारी नीति नहीं अपनाई है. लेकिन समस्या ये है कि तकनीक की मदद से अगर दिन-रात निगरानी होगी और जानकारियां सामने आएंगी तो उनके दुरुपयोग की संभावना बढ़ जाती है. "

प्रनेश कहते हैं, ''साल 2011 में सरकार ने केंद्रीय मंत्रालयों और विभागों के लिए सोशल मीडिया से जुड़े दिशा-निर्देश जारी किए. इसका मक़सद था सरकारी विभागों को ये बताना कि सोशल मीडिया पर आम लोगों से कैसे जुड़ें. यही वजह है कि जब सरकार और पुलिस से जुड़े विभागों ने सोशल मीडिया लैब बनाए तो ज्यादातर लोगों ने समझा कि इनका मक़सद जनता की निगरानी नहीं बल्कि आम लोगों से जुड़ना है.''

तो मुंबई पुलिस का ये क़दम क्या आम लोगों और मानवाधिकार संगठनों के लिए ख़तरे की घंटी है ?

प्रनेश कहते हैं, “सोशल मीडिया के ज़रिए इंटरनेट पर सार्वजनिक रुप से बहुत कुछ हो रहा है. कुछ एक मामलों को छोड़कर चीन जैसे देशों के मुक़ाबले अभिव्यक्ति की स्वतंत्रता को लेकर भारत सरकार ने अब तक कोई दमनकारी नीति नहीं अपनाई है. लेकिन समस्या ये है कि तकनीक की मदद से अगर दिन-रात निगरानी होगी और जानकारियां सामने आएंगी तो उनके दुरुपयोग की संभावना बढ़ जाती है.”

For more details visit http://editors.cis-india.org/news/bbc-uk-july-18-2013-parul-aggarwal-social-media-monitoring

Goa (Govt) Notifications Word Files

praskrishna — 2013-07-16T06:11:18Z

For more details visit http://editors.cis-india.org/accessibility/blog/goa-govt-notifications-2.zip

Goa (Govt) Notifications PDF Files

praskrishna — 2013-07-16T06:09:17Z

For more details visit http://editors.cis-india.org/accessibility/blog/goa-govt-notifications-1.zip

Goa (Govt) Notifications

praskrishna — 2013-07-16T06:11:56Z

The following folder contains a series of notifications published by the Government of Goa.

Click on the links at the end to download the PDFs or Word Files (zip folders) to read the notifications containing:

Rules Regulating the Grant of Award to a Married Couple in which Either of the Partners or Both are Disabled Persons.
The Scheme for Scholarship for Differently-abled Persons
Incentive Scheme for Employment of Differently-abled Persons
Scheme to Provide Subsidy to Kadamba Transport Corporation in Lieu of Travel Concession Provided to Senior Citizens and Persons with Disabilities.
Goa Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Rules, 1997.
Scheme to Provide "Residential School" to the Visually Disabled Children.
Voluntary Retirement Scheme for Government Employees who are Parents of Persons with Disabilities.
Rules Regulating the Grant of Financial Assistance to the Physically Handicapped Persons for the Purpose of Undertaking Gainful Self Employment in the State of Goa.
Rules Regulating the Grant of Financial Assistance to a Person with Severe Disability.
Schemes for Social Audit in Respect of the Implementing Agencies under the Persons with Disabilities Act.
Scheme of State Awards for the Welfare of Persons with Disabilities.

Click on the links below to download the files:

PDF Zip Folder (1336 Kb)
Word Zip Folder (230 Kb)

For more details visit http://editors.cis-india.org/accessibility/resources/goa-govt-notifications

An Interview of Vera Franz

praskrishna — 2013-07-15T09:49:16Z

This interview was conducted at the Diplomatic Conference to Conclude a Treaty to Facilitate Access to Published Works by Visually Impaired Persons and Persons with Print Disabilities on June 26, 2013.

Vera Franz praises Rahul Cherian of Inclusive Planet while talking about her work. Watch the video below:

Video

For more details visit http://editors.cis-india.org/news/interview-of-vera-franz

How the world’s largest democracy is preparing to snoop on its citizens

praskrishna — 2013-07-15T09:41:21Z

Monitoring system will allow govt to snoop on voice calls, SMSes, and access Internet data.

The article by Leslie D' Monte and Joji Thomas Philip was published in Livemint on July 3, 2013. Sunil Abraham is quoted.

Nothing will be secret or private.

Every conversation on landlines and mobile phones will be heard; some will be recorded. Every move you make on the Internet will be tracked.

Fiction?

By December, when the Nanny State goes live, it will be fact.

Once the government’s innocuously named CMS (communication monitoring system) is in place, the state will be able to snoop on your voice calls, fax messages, SMSes and MMSes, across all phone networks. It will be able to access your Internet data, and see not just what sites you visit but even build a cache of your inbox, to decrypt at leisure.

The process began more than a couple of years ago.

On 29 April 2011, India’s home ministry called for bids to set up communications monitoring systems in all state capitals. The notice, which was published on its website and went almost unnoticed, specified that the system should be able to monitor voice calls, fax messages, SMSes and MMSes, and work across terrestrial networks, GSM and CDMA (the dominant mobile telephony platforms), and the Internet.

	The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”. The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT). A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”.

The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT).

A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

Subsequent media reports, which have cited internal government documents, peg the cost of the CMS at around Rs.400 crore, but there is hardly any official data from the government about the implementation of the CMS.

In its 2012-13 annual report, DoT said the government has decided to set up the CMS for lawful interception and monitoring by law enforcement agencies, “reducing the manual intervention at many stages as well as saving of time”.

The system, according to the report, was to be installed by C-DoT after which the Telecom Enforcement, Resource and Monitoring (TERM) cells would take over. As on 31 March, there were 34 such TERM cells in the country. The current number could not be ascertained.

How does the government justify this invasive system? Its purpose is unclear, but national security is always a handy spectre. And so what if such a system can be misused to bully, spy and curtail the freedom of individuals? Indeed, India’s track record of using existing laws doesn’t inspire confidence.

Student Shaheen Dhada was arrested (under the law) for criticizing the shutdown of Mumbai after the death of Shiv Sena supremo Bal Thackeray on her personal Facebook account. Her friend, Renu Srinivasan, who had “liked” the comment was also arrested. The two were later freed, on bail.

No known safeguards

But how does the CMS work? According to the government official cited above, the Central Bureau for Investigation (CBI), for instance, is likely to be provided interception facilities through the CMS in Delhi initially.

“CBI shall enter data related to target in the CMS system and approach the telecom services provider”, at which point the process is automated, and the provider simply sends the data to a server which forwards the requested information, he explained.

He didn’t mention any safeguards, nor have any been made public, which means that there are likely none. In a Q&A session on the popular social network Reddit on Tuesday, academic and activist Lawrence Lessig, the co-founder of Creative Commons, wrote on the subject of snooping in the US, “I’m really troubled by national security programmes. We don’t know what protections are built into the system.”

That has become the subject of much debate following the leaks by whistleblower Edward Snowden about the US National Security Agency’s surveillance programme.

Lessig pointed out that protection based on code is the only real protection from misuse, as other safeguards are dependent on people choosing not to violate reasonable expectations of privacy.

Which is the heart of the problem. From what we know, the list of agencies with access to data in India is already large: the Research and Analysis Wing, CBI, the National Investigation Agency, the Central Board of Direct Taxes, the Narcotics Control Bureau, and the Enforcement Directorate. More may be added.

For the system to be useful in any practical fashion, access will have to be given to a large number of officials in each of these agencies. And in the absence of safeguards, one must assume that all data is accessible to all officials.

To be sure, some of this information is already being tracked by Internet companies.

Ravina Kothari, a 22-year-old student at Cardiff University, said she learnt a bitter lesson “last year when I Googled my name”. “It revealed all the personal details I had put up on social media sites. My childhood school photos popped up on Google image search results. Worse, I had not put them there. My friends had tagged me in—all so scary. And I can’t do anything about it.”

She has since stopped uploading personal details such as videos, pictures or telephone numbers.

Twenty-one-year-old Shruti Lodha, studying to be a chartered accountant, feels a similar discomfort.

“I am definitely not comfortable with Google, and how every time I Google myself it reveals my identity and shows information that is on social media sites.”

In 2011, 24-year-old Max Schrems of Vienna, Austria, asked the world’s largest social networking site Facebook Inc. for a copy of every piece of information it had collected on him since he had created an account with it two years earlier.

Schrems was delivered a CD packing a 1,222-page file that included information he had deleted, but had been stored on Facebook’s servers, according to ThreatPost, a publication on information technology (IT) security run by Kaspersky Lab, a leading maker of antivirus software.

Had Schrems been a resident of India, he could not have known how much personal information Facebook had on him. Every person in the European Union (EU) has the right to access all the data that a company holds on him or her.

With the CMS, all this information, and much more, can be called up by just about anyone—the taxman, CBI officials, Assam Police (which will also monitor the network according to some reports)—and the old bogey of national security may not even be raised.

Need for a privacy law

Publicly at least, companies agree that the new monitoring systems infringe on our rights. Subho Ray, president, Internet and Mobile Association of India said, “Without any prior permission, government should not take or use any information which is considered private. The biggest challenge for us is that we do not have a privacy law in India.”

Cyber law experts and privacy lobby groups caution that the world’s largest democracy’s attempt to snoop on its citizens with the CMS, ostensibly for security reasons, could be abused in the absence of a transparent process and a privacy law.

The issue has become alarming, they add, with the US admitting to be collecting billions of pieces of information on immigrants—6.3 billion from Indian citizens alone under the Foreign Intelligence Surveillance Act, according to an 8 June report in the UK-based The Guardian newspaper.

“We don’t know much about the CMS, except that when implemented, it could be plugged directly into telecom nodes and lead to widespread tapping,” said Apar Gupta, a partner at law firm Advani and Co. specializing in IT law.

“There’s no legal sanction as of now for any type of mass surveillance, such as the one that the CMS suggests,” said Pavan Duggal, a Supreme Court lawyer and cyberlaw expert.

Gupta added that since India lacks privacy legislation, which obliges companies to maintain privacy standards when they export the data which they’ve gathered in India overseas, “this poses a problem”.

N.S. Nappinai, a Bombay high court advocate, said, “India has lived without any codified laws to protect privacy all these years and has relied primarily on Article 21 of the Constitution. Protecting privacy has just become more complicated with the humongous quantity of data being uploaded online. People seem totally unaware of the trouble they are inviting upon themselves.”

Current laws are already compromised

The lack of a privacy law makes it easier for the government to take such extreme steps. The Indian Telegraph Act and the IT Act, 2008 (amendments introduced in the IT Act, 2000), already gives the government the power to monitor, intercept and even block online conversations and websites. The addition of the CMS will greatly widen the number of sources and could simplify access to these records as well.

On 25 April 2011, the government admitted that the existing laws include provisions for interception and pointed out that the Supreme Court had, on 18 December 1996, upheld the constitutional validity of interceptions and monitoring.

While the court had added that telephone tapping infringes on the right to life and the right to freedom of speech and expression, unless permitted under special procedures, these guidelines are not usually implemented, according to activists.

The shortcomings of the existing laws already make it possible to misuse the vast amount of information that is available today. These laws were written at a time when the Internet was not a fact of life, and where the lines between public and private were not already blurred. Given that, the perspectives on privacy can be worrisome.

In a report presented to the Lok Sabha on 13 December 2011, the ministry of planning said, “Collection of information without a privacy law in place does not violate the right to privacy of the individual…There is no bar on collecting information, the only requirement to be fulfilled with respect to the protection of the privacy of an individual is that care should be taken in collection and use of information, consent of individual would be relevant, information should be kept safe and confidential.”

This proposed Right to Privacy Bill was leaked to the public, and eventually nothing came of it.

On 16 October 2012, a commission headed by justice (retired) A.P. Shah issued a report that included the study of privacy laws and related Bills from around the world. The report noted that with the “increased collection of citizen information by the government, concerns have emerged on their impact on the privacy of persons”.

Despite the report being given to the Planning Commission, the government has continued with its plans.

Early this year, a privacy lobby body, the Centre for Internet and Society (CIS) drafted the Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India.

CIS worked with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India and held round table meetings around the country to bring about a privacy law.

Sunil Abraham, executive director, CIS, said, “While the government sets out to protect national interests, it’s also very important to protect the rights of individuals.”

The way ahead

Human Rights Watch, in a 7 June media release, described the CMS as “chilling, given its (India’s) reckless and irresponsible use of sedition and Internet laws”.

According to Freedom on the Net 2012, released on 24 September, India—which scored 39 points out of 100—was termed “partly-free”. But India is not alone. Around 40 countries filter the Internet in varying degrees, including democratic and non-democratic governments.

YouTube and Gmail (both owned by Google Inc.), BlackBerry, WikiLeaks, Skype (owned by Microsoft Corp.), Twitter and Facebook have all been censored, at different times, in countries such as China, Iran, Egypt and India.

European Union countries have strong privacy laws as is evident from the Schrems case.

Australia is engaged in putting similar safeguards in place. On 24 June, a Senate committee recommended that Australia’s proposed data retention scheme only be considered if it just collected metadata, avoided capture of browser histories and contained rigorous privacy controls and oversight.

Indian politicians could take a cue from such countries when balancing national interest with protecting the privacy of individuals.

Gopal Sathe in New Delhi and Zahra Khan in Mumbai contributed to this story.

For more details visit http://editors.cis-india.org/news/livemint-leslie-d-monte-joji-thomas-philip-july-3-2013-how-the-worlds-largest-democracy-is-preparing-to-snoop-on-its-citizens

India’s Central Monitoring System: Security can’t come at cost of privacy

praskrishna — 2013-07-15T06:43:21Z

During a Google hangout session in June this year, Milind Deora, minister of state for communications and information technology, addressed concerns related to the central monitoring system (CMS).

Danish Raza's article was published in FirstPost on July 10, 2013. Sunil Abraham is quoted.

The surveillance project, described as the Indian version of PRISM, will allow the government to monitor online and telephone data of citizens. prism-milind-deora-cms-central-monitoring-system/” target=”_blank”>

The minister tried to justify the project arguing that the union government will become the sole custodian of citizen’s data which is now accessible to other parties such as telecom operators. But his justification failed to persuade experts who argue that the data is hardly safe because it is held by the government. And the limited information available about the project has raised serious concerns about its need and the consequences of government snooping on such a mass scale.

A release by the Press Information Bureau, dated November 26, 2009, is perhaps the only government document related to CMS available in public domain. It merely states that the project will strengthen the security environment in the country. “In the existing system secrecy can be easily compromised due to manual intervention at many stages while in CMS these functions will be performed on secured electronic link and there will be minimum manual intervention. Interception through CMS will be instant as compared to the existing system which takes a very long time.”

One of the primary concerns raised by experts is the sheer lack of public information on the project. So far, there is no official word from the government about which government bodies or agencies will be able to access the data; how will they use this information; what percentage of population will be under surveillance; or how long the data of a citizen will be kept in the record.

“This makes it impossible for India’s citizens to assess whether surveillance is the only, or the best, way in which the stated goal can be achieved. Also, citizens cannot gauge whether these measures are proportionate i.e. they are the most effective means to achieve this aim. The possibility of having such a debate is crucial in any democratic country,” said Dr Anja Kovacs, project director at Internet Democracy Project, Delhi based NGO working for online freedom of speech and related issues.

There is also no legal recourse for a citizen whose personal details are being misused or leaked from the central or regional database. Unlike America’s PRISM project under which surveillance orders are approved by courts, CMS does not have any judicial oversight. “This means that the larger ecosystem of checks and balances in which any surveillance should be embedded in a democratic country is lacking. There is an urgent requirement for a strong legal protection of the right to privacy; for judicial oversight of any surveillance; and for parliamentary or judicial oversight of the agencies which will do surveillance. At the moment, all three are missing.” said Kovacs.

Given the use of technology by criminals and terrorists, government surveillance per se, seems inevitable. Almost in every nation, certain chunk of population is always under the scanner of intelligence agencies. However, mass-scale tracking the data of all citizens — not just those who are deemed persons of interest — enabled by the CMS has sparked a public furor. Sunil Abraham, executive director, Centre for Internet & Society, Bangalore, compared surveillance with salt in cooking. “A tiny amount is essential but any excess is counterproductive,” he said. “Unlike target surveillance, blanket surveillance increases the probability of false positives. Wrong data analysis will put more number of innocent civilians under suspicion as, by default, their number in the central server is more than those are actually criminals.”

Such blanket surveillance techniques also pose a threat to online business. With all the data going in one central pool, a competitor or a cyber criminal rival can easily tap into private and sensitive information by hacking into the server. “As vulnerabilities will be introduced into Internet infrastructure in order to enable surveillance, it will undermine the security of online transactions,” said Abraham. He notes that the project also can undermine the confidentiality of intellectual property especially pre-grant patents and trade secrets. “Rights-holders will never be sure if their IPR is being stolen by some government in order to prop up national players.”

Every time a surveillance system is exposed or its misuse sparks a debate, governments argue that such programs are required for internal security purposes and to help abort terror attacks. Obama made the same argument after PRISM was revealed to the public. Civil rights groups, on the other hand, argue that security cannot be prioritised by large-scale invasions of privacy especially in a country like India where there is little accountability or transparency. So is there a middle ground that will satisfy both sides?

“Yes, security and privacy can coexist,” said Commander (rtd) Mukesh Saini, former national information security coordinator, government of India, “We can design a system which takes care of national security aspect and yet gains the confidence of the citizens. Secrecy period must not be more than three to four years in such projects. Thereafter who all were snooped and when and why and under whose direction/circumstances must be made public through a website after this time gap.”

Kovacs agrees and says the right kind of surveillance program would focus on the needs of the citizen and not the government. “If a contradiction seems to exist between cyber security and privacy online, this is only because we have lost sight of who is supposed to benefit from any security measures. Only if a measure contributes to citizen’s sense of security, can it really be considered a legitimate security measure.”

For more details visit http://editors.cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy

India's centralised snooping system facing big delays

praskrishna — 2013-07-15T06:35:05Z

Central Monitoring System lacks algorithms, database and data.

This blog post by Phil Muncaster was published in "The Register, UK" on July 9, 2013. The Centre for Internet & Society is mentioned.

After recent revelations about governments snooping on their own citizens, it's nice to know that not every such effort is going smoothly, as India’s much criticised NSA-style Centralised Monitoring System (CMS) is facing big delays after it emerged that the project is still missing the vital software which will allow analysts to search comms data.

The nation's Department of Telecommunications has now told the Center for Development of Telematics (C-DoT), which is installing the system, to speed things up, according to official documents seen by the Wall Street Journal.

The Rs.4 billion (£47.8m) CMS was originally conceived as a way of allowing the authorities to lawfully intercept voice calls and texts, emails, social media and the geographical location of individuals.

However, the Intelligence Bureau, which will be manning the system, has delayed its introduction for several reasons.

Firstly, mobile operators in only seven of the sub-continent’s 22 service areas have been connected to the CMS, leaving holes in its reach.

There’s also a major issue in that the system currently lacks the search algorithms needed to identify specific documents, meaning that as it stands operatives would have to search every email in the CMS to find the one they’re looking for.

The datacentre where intercepted data is to be stored is also apparently not yet ready, while the country’s Central Bureau of Investigation has yet to be given access to the system, causing further delays.

At a time when mass government monitoring of communications networks is a hot topic around the world thanks to Edward Snowden’s NSA revelations, rights groups have roundly slammed India’s CMS plans.

Human Rights Watch branded the scheme “chilling” in a strongly worded response, while India’s Centre for Internet and Society warned that the country currently doesn’t have privacy laws which could protect individuals from potential abuse of the system.

A Stop ICMS campaign has also been launched online in an attempt to mobilise opposition to the plans.

For more details visit http://editors.cis-india.org/news/theregister-uk-phil-muncaster-july-9-2013-indias-centralised-snooping-system-facing-big-delays

Is CMS a Compromise of Your Security?

praskrishna — 2013-07-15T06:27:05Z

By secretly monitoring and recording all Indians through a Central Monitoring System, our government will end up making citizens and businesses less safe.

This article appeared in the Forbes India magazine of 12 July, 2013. Sunil Abraham is quoted.

Are you reading this article on your PC or smartphone? No? Do you own a smartphone? Surely a phone then?

If you also happen to live in Delhi, Haryana or Karnataka, then from April this year nearly all your electronic communication—telephony, emails, VOIP, social networking—has been sucked up under an innocuous sounding programme called the Central Monitoring System, or CMS.

There’s no way to tell if you are being watched really, because telecom service providers aren’t part of the set-up. In most cases, they may not even be aware which of their users is being monitored. Neither can you approach a government agency or court to find out more, because there’s practically very little oversight or disclosure. What the government does with the data—how it is stored, secured, accessed or deleted—we don’t know.

Unlike the US and other Western democracies where even for a large scale programme like Prism (leaked recently by 29-year-old whistleblower and now fugitive Edward Snowden), surveillance orders need to be signed by a judge. But in India most orders are signed by either the Central or state home secretary, says Sunil Abraham, executive director for Centre for Internet and Society, Bangalore. This leads to a conflict of interest as the executive branch is both undertaking law enforcement and providing oversight on its own work.

In most cases, the officials are overwhelmed with other work, and don’t have the time to apply their minds to each request. “There is supposed to be an oversight committee that reviews the decisions of home secretaries, but we don’t have any idea about that committee either,” says Abraham.

Meanwhile, government bodies like the R&AW, Central Bureau of Investigation, National Investigation Agency, Central Board of Direct Taxes, Narcotics Control Bureau and the Enforcement Directorate will have the right to look up your data. Starting next year, all mobile telephony operators will also need to track and store the geographical location from which subscribers make or receive calls.

“I see it as the rise of techno-determinism in our security apparatus. Previously, our philosophy was to avoid infringing on individual privacy, and monitor a small set of individuals directly suspected of engaging in illegal activities. Now, thanks to the Utopianism being offered up by ‘Big Data’ infrastructure, putting everybody under blanket surveillance seems like a better way to serve our security and law enforcement agendas more effectively,” says Abraham.

There is a real risk that CMS and the numerous other monitoring programmes that will subsequently connect to it will end up harming more Indians than protecting them.

The biggest risk is that these programmes will turn into lucrative ‘honey pots’ for hackers, criminals and rival countries. Why bother hacking individuals and companies if you can attack the CMS? We’ve seen private corporations and government agencies in the US, Israel and the UK getting hacked. So let’s not have any illusions that India is going to fare much better.

Another consequence is that sooner or later innocent citizens will be wrongly accused of being criminals based on mistaken data patterns. While searching for matches in any database with hundreds of millions of records, the risk of a ‘false positive’ increases disproportionately because there are exponentially more innocents than there are guilty. And in the near-Dystopian construct of the CMS, it will take months or years for such errors to be rectified.

As more Indians become aware of these programmes, they will adopt encryption and masking tools to hide their digital selves. In the process, numerous ‘unintended consequences’ of failing to differentiate law-abiding citizens from criminals will be created. What answer will a normal citizen offer to a law enforcement official who wants to know why he or she has encrypted all communications and hosted a personal server in, say, Sweden?

But arguably the biggest threat of 24x7 surveillance is to businesses. Security and trust are the foundations atop which most modern businesses are built. From your purchase of a gadget on an ecommerce site to a large conglomerate’s secret bid in a government auction to discussions within a company on future business strategies to patent applications—everything requires secrecy and security. All an unscrupulous competitor, whether it be a company or a country, has to do to go one-up on you is to attack the CMS and other central databases.

“The reason why the USA historically decided not to impose blanket surveillance wasn’t because of human rights, but to protect its businesses and intellectual property. Because while we may be able to live in a society without human rights, we cannot be in one without functional markets,” says Abraham.

He goes on to say that the recent disclosures around the various spying programmes run by the US have made the private surveillance and security industry very happy. “Each incident becomes a case-study to pit one country against another, forcing each one to cherry-pick the worst global practices in a dangerous race to the bottom. Civil society and privacy activists don’t have the resources to fight large vendors and so the only thing that will stop this is the leak of large databases, like that of 9 million Israeli biometric records a few years back.”

Recollecting the news about a family-business break-up some years ago, where two brothers agreed to split their businesses, the net result was one brother opted out of telephony services offered by the other. All of that is now moot. “There are no more shadows now. Nobody will have refuge and everybody will be exposed,” says Abraham.

For more details visit http://editors.cis-india.org/news/forbesindia-article-real-issue-july9-2013-rohin-dharmakumar-is-cms-a-compromise-of-your-security

Tenders, EOI and Press Release

praskrishna — 2013-07-15T05:56:07Z

For more details visit http://editors.cis-india.org/internet-governance/blog/tenders-eoi-press-release.zip

RTI on Officials and Agencies Authorized to Intercept Telephone Messages in India

praskrishna — 2013-07-15T05:23:54Z

In an RTI mailed on April 17, 2013, the Centre for Internet and Society sought comprehensive information on the officials and agencies authorized to intercept telephone messages in India.

A portion of the RTI still awaits response, as it was redirected to the Department of Electronics and Information Technology. But on May 23, 2013 Rakesh Mittal of the Ministry of Home Affairs responded in brief and directed us to the 2007 Amendment to the 1885 Indian Telegraph Act.

Referring to rule 419-A of the amendment and the Ministry of Home Affairs website, we find that within central government the power to order communications surveillance is normally reserved for Union Home Secretary, a position held by Shir Anil Goswami as of June 30, 2013 (previously R.K. Singh). The amendment goes on to say, “In unavoidable circumstances,” however, such an order can be commanded by a Joint Secretary who has been authorized by Union Home Secretary Goswami. On the federal level, the Ministry of Home Affairs includes nearly 20 such Joint Secretaries able to be authorized for making interception commands.

A listing of the original question requests are given below:

Please provide a list containing name, rank and office address of the officers/agencies authorized by the Central Government to issue an order for interception under section 5(2) of the Telegraph Act, 1885
Please provide a list containing name, rank and office address of the officers authorized to issue interception orders under Rule 419A(1) of the Telegraph Rules, 1951 in unavoidable circumstances when such orders cannot be issued by the secretary to the Government of India, Ministry of Home Affairs.
Please provide a list containing the name, rank and office address of the officers/agencies designated as “competent authority” in terms of the Rule 419A(1) proviso of the Telegraph Rules, 1951.
Please provide a list of the agencies authorized by the Central Government to intercept, monitor, decrypt any information generated, transmitted, received or stored in any computer resource under section 69(1) of the Information Technology Act, 2000.
Please provide a list of the agencies authorized by the Central Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource under section 69-B of the Information Technology Act, 2000.
Please provide a list containing name, rank and office address of the officers/agencies authorized to issue interception orders under Rule 3, first proviso, of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
Please provide a list of the agencies authorised to intercept, monitor, decrypt any information generated, transmitted, received or stored in any computer resource under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009.

For more details visit http://editors.cis-india.org/internet-governance/resources/rti-on-officials-and-agencies-authorized-to-intercept-telephone-messages-in-india

Redirected to DEITY for Response to RTI

praskrishna — 2013-07-15T05:04:30Z

Ministry of Home Affairs redirected to the Department of Electronics and Communication Information to respond to the RTI filed by CIS regarding information on the officials and agencies authorized to intercept telephone messages in India.

For more details visit http://editors.cis-india.org/internet-governance/blog/redirected-to-deity.pdf

Response from Ministry of Home Affairs

praskrishna — 2013-07-15T04:34:10Z

Rakesh Mittal's reply received by the Centre for Internet and Society.

For more details visit http://editors.cis-india.org/internet-governance/blog/response-from-ministry-of-home-affairs.pdf