The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 31 to 45.
Paper-thin Safeguards and Mass Surveillance in India
http://editors.cis-india.org/internet-governance/blog/paper-thin-safeguards-and-mass-surveillance-in-india
<b>The Indian government's new mass surveillance systems present new threats to the right to privacy. Mass interception of communication, keyword searches and easy access to particular users' data suggest that state is moving towards unfettered large-scale monitoring of communication. This is particularly ominous given that our privacy safeguards remain inadequate even for targeted surveillance and its more familiar pitfalls.</b>
<p style="text-align: justify; ">This need for better safeguards was made apparent when the Gujarat government illegally placed a young woman under surveillance for obviously illegitimate purposes, demonstrating that the current system is prone to egregious misuse. While the lack of proper safeguards is problematic even in the context of targeted surveillance, it threatens the health of our democracy in the context of mass surveillance. The proliferation of mass surveillance means that vast amounts of data are collected easily using information technology, and lie relatively unprotected.</p>
<p style="text-align: justify; ">This paper examines the right to privacy and surveillance in India, in an effort to highlight more clearly the problems that are likely to emerge with mass surveillance of communication by the Indian Government. It does this by teasing out Indian privacy rights jurisprudence and the concerns underpinning it, by considering its utility in the context of mass surveillance and then explaining the kind of harm that might result if mass surveillance continues unchecked.</p>
<p style="text-align: justify; ">The first part of this paper threads together the evolution of Indian constitutional principles on privacy in the context of communication surveillance as well as search and seizure. It covers discussions of privacy in the context of our fundamental rights by the draftspersons of our constitution, and then moves on to the ways in which the Supreme Court of India has been reading the right to privacy into the constitution.</p>
<p style="text-align: justify; ">The second part of this paper discusses the difference between mass surveillance and targeted surveillance, and international human rights principles that attempt to mitigate the ill effects of mass surveillance.</p>
<p style="text-align: justify; ">The concluding part of the paper discusses mass surveillance in India, and makes a case for expanding our existing privacy safeguards to protect the right to privacy in a meaningful manner in face of state surveillance.</p>
<p style="text-align: justify; "><a href="http://editors.cis-india.org/internet-governance/blog/paper-thin-safeguards.pdf" class="external-link">Download the paper here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/paper-thin-safeguards-and-mass-surveillance-in-india'>http://editors.cis-india.org/internet-governance/blog/paper-thin-safeguards-and-mass-surveillance-in-india</a>
</p>
No publisherchinmayiSurveillanceInternet GovernancePrivacy2015-06-20T10:17:57ZBlog EntryNew Document on India's Central Monitoring System (CMS) - 2
http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2
<b></b>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2'>http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2</a>
</p>
No publishermariaSurveillanceInternet GovernanceSAFEGUARDS2014-01-30T12:40:31ZFileModels for Surveillance and Interception of Communications Worldwide
http://editors.cis-india.org/internet-governance/blog/models-for-surveillance-and-interception-of-communications-worldwide
<b>This is an evaluation of laws and practices governing surveillance and interception of communications in 9 countries. The countries evaluated represent a diverse spectrum not only in terms of their global economic standing but also their intrusive surveillance capabilities. The analysis is limited to the procedural standards followed by these countries for authorising surveillance and provisions for resolving interception related disputes.</b>
<table class="grid" style="text-align: justify; ">
<thead></thead>
</table>
<table class="plain" style="text-align: justify; ">
<thead>
<tr>
<th>Sl. No.</th> <th>Country</th> <th>Legislation</th> <th>Model</th>
</tr>
</thead>
<tbody>
<tr>
<td>1.</td>
<td>Australia</td>
<td><b>Telecommunications (Interceptions and Access) Act, 1979</b><br />
<ul>
<li>Governs interception of communications</li>
<li>Relevant provisions: S. 3, 7, 6A, 34, 46</li>
</ul>
<b> Surveillance Devices Act, 2004 </b>
<ul>
<li>Establishes procedure for obtaining warrants and for use of surveillance devices</li>
<li>Relevant Provisions: S.13, 14</li>
</ul>
</td>
<td>
<ul>
<li> <span style="text-align: justify; ">Authorisation for surveillance is granted in the form of a warrant from a <b>Judge or a nominated member of the Administrative Appeals Tribunal</b></span></li>
<li><span style="text-align: justify; ">The warrant issuing authority must be satisfied that information obtained through interception shall assist in the investigation of a serious crime</span></li>
<li>The Acts provide a list of prescribed offences for which interception of communication may be authorized</li>
<li>T<span style="text-align: justify; ">he Acts also specify certain federal and state law enforcement agencies that may undertake surveillance</span></li>
</ul>
</td>
</tr>
<tr>
<td>2.</td>
<td>Brazil</td>
<td><b style="text-align: justify; ">Federal Law No. 9,296, 1996</b><span style="text-align: justify; ">:</span>
<ul>
<li>Regulates wiretapping</li>
</ul>
</td>
<td>
<ul>
<li> <span style="text-align: justify; ">Authorisation for interception is granted on a <b>Judge’s order</b> for a period of 15 days at a time</span></li>
<li>Interception is only allowed for investigations into serious offences like drug smuggling, corruption murder and kidnapping</li>
</ul>
</td>
</tr>
<tr>
<td>3.</td>
<td>Canada</td>
<td><b>Criminal Code, 1985</b>
<ul>
<li><span style="text-align: justify; ">Governs general rules of criminal procedure including search and seizure protocols</span></li>
<li>Relevant Provision: §§ 184.2, 184.4</li>
</ul>
</td>
<td>
<ul>
<li><span style="text-align: justify; ">Grants power to intercept communication by obtaining authorisation from a </span><b style="text-align: justify; ">provincial court judge or a judge of the superior court</b></li>
<li>Before granting his authorisation, the judge must be satisfied that either the originator of the communication or the recipient thereof has given his/her consent to the interception</li>
<li>Under exceptional circumstances, however, a police officer owing to the exigency of the situation may intercept communication without prior authorisation</li>
</ul>
</td>
</tr>
<tr>
<td>4.</td>
<td>France</td>
<td><b style="text-align: justify; "><i>Loi d'orientation et de programmation pour la performance de la sécurité intérieure</i></b><b style="text-align: justify; "> (LOPPSI 2), 2011</b><span style="text-align: justify; ">:</span>
<ul>
<li>Authorises use of video surveillance and interception of communications</li>
<li>Relevant Provisions: Article 36</li>
</ul>
<b><i>Loi de Programmation Militaire</i></b><b> (LPM), 2013</b>:
<ul>
<li>Authorises<b> </b>surveillance for protection of national security and prevention of terrorism</li>
</ul>
</td>
<td>
<ul>
<li> <span style="text-align: justify; ">Interception of comm<b>unication under LOPPSI 2 requires previous authorization from an investigating Judge after consultation with the Public Prosecutor</b></span></li>
<li><span style="text-align: justify; ">
<div style="text-align: left; ">Such authorization is granted for a period of 4 months which is further extendable by another 4 months</div>
</span></li>
<li><span style="text-align: justify; ">
<div style="text-align: left; "><span style="text-align: justify; ">
<div style="text-align: left; "><span style="text-align: justify; ">Interception of communication <b>under LPM does not require prior sanction from an investigating judge and is instead provided by the </b></span><span style="text-align: justify; "><b>Prime Minister’s office</b></span></div>
</span></div>
</span></li>
<li>Information that can be intercepted under LPM includes not only metadata but also content and geolocation services</li>
</ul>
</td>
</tr>
<tr>
<td>5.</td>
<td>Germany</td>
<td><span style="text-align: justify; "> </span><b style="text-align: justify; "><i>Gesetz zur Beschränkung des Brief-, Post und Fernmeldegeheimnisses </i>(G10 Act)<i>, </i>2001</b>
<ul>
<li>Imposes restrictions on the right to privacy and authorizes surveillance for protecting freedom and democratic order, preventing terrorism and illegal drug trade</li>
<li>Relevant Provisions: §3</li>
</ul>
<b>The German Code of Criminal Procedure (StPO), 2002</b><br />
<ul>
<li><span style="text-align: justify; ">Lays down search and seizure protocol and authorizes interception of telecommunications for criminal prosecutions</span></li>
<li>Relevant Provisions: §§ 97, 100a</li>
</ul>
</td>
<td>
<ul>
<li><span style="text-align: justify; ">Authorises </span><b style="text-align: justify; ">warrantless</b><span style="text-align: justify; "> surveillance by specific German agencies like the </span><i style="text-align: justify; ">Bundesnachrichtendienst </i><span style="text-align: justify; ">(Federal Intelligence Service)</span></li>
<li>Lays down procedure that must be followed while undertaking surveillance and intercepting communications</li>
<li><span style="text-align: justify; ">Authorises sharing of intercepted intelligence for criminal prosecutions</span></li>
<li><span style="text-align: justify; ">Mandates </span><i style="text-align: justify; ">ex post</i><span style="text-align: justify; "> notification to persons whose privacy has been violated but no judicial remedies are available to such persons</span></li>
<li>The Code of Criminal Procedure authorises interception of communication of a person suspected of being involved in a serious offence only on the <b>order of a court</b> upon <b>application by the public prosecution office</b></li>
</ul>
</td>
</tr>
<tr>
<td>6.</td>
<td>Pakistan</td>
<td><b>Pakistan Telecommunications Reorganisation Act, 1996:</b>
<ul>
<li>Controls the flow of false and fabricated information and protects national security</li>
<li>Relevant Provisions: § 54</li>
</ul>
<b>Investigation for Fair Trial Act, 2013:</b>
<ul>
<li>Regulates the powers of law enforcement and intelligence agencies regarding covert surveillance and interception of communications</li>
<li><span style="text-align: left; ">Relevant Provisions: §§ 6,7, 8, 9</span><span style="text-align: left; "> </span></li>
</ul>
</td>
<td>
<ul>
<li><span style="text-align: justify; ">Authorisation for interception is provided by the </span><b style="text-align: justify; ">federal government</b><span style="text-align: justify; ">. No formal legal structure to monitor surveillance exists</span></li>
<li>Interception can be authorized in the interest of national security and on the apprehension of any offence</li>
<li><span style="text-align: justify; ">Requests for filtering and blocking of content are routed through the Inter-Ministerial Committee for the Evaluation of Websites, a confidential regulatory body</span></li>
<li><span style="text-align: justify; ">Under the Fair Trial Act, interception can only be authorised on application to the </span><b style="text-align: justify; ">Fedral Minister for Interior</b><span style="text-align: justify; "> who shall then permit the application to be placed before a </span><b style="text-align: justify; ">High Court Judge</b></li>
<li>The warrant shall be issued by a judge only on his satisfaction that interception will aid in the collection of evidence and that a reasonable threat of the commission of a scheduled offence exists</li>
</ul>
</td>
</tr>
<tr>
<td>7.</td>
<td>South Africa</td>
<td><b style="text-align: justify; ">The Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002</b>
<ul>
<li>Regulates and authorizes monitoring and interception of telecommunications services</li>
<li><span style="text-align: left; ">Relevant Provisions: §§ 16, 22</span></li>
</ul>
</td>
<td>
<ul>
<li><span style="text-align: justify; ">Warrant for intercepting communications and installing surveillance devices is granted by a </span><b style="text-align: justify; ">designated judge</b></li>
<li>The warrant is issued on satisfaction of the judge that the investigation relates to a serious offence or that the information gathering is vital to public health or safety, national security or compelling national economic interests</li>
</ul>
</td>
</tr>
<tr>
<td>8.</td>
<td>United Kingdom</td>
<td><b style="text-align: justify; ">Regulation of Investigatory Powers Act, 2000</b><span style="text-align: justify; ">:</span>
<ul>
<li>Authorises interception of communications and surveillance</li>
<li><span style="text-align: left; ">Relevant Provisions: §§ 5, 6, 65</span></li>
</ul>
</td>
<td>
<ul>
<li><span style="text-align: justify; ">Authorisation for interception is granted in the form of a warrant by the </span><b style="text-align: justify; ">Secretary of State </b><span style="text-align: justify; ">or in certain special cases by a </span><b style="text-align: justify; ">‘senior officer’</b></li>
<li>Communications can be intercepted only it is necessary to do so in the interest of national security or for the purpose of preventing and detecting serious crimes</li>
<li>Complaints of alleged illegal surveillance are heard by the Investigatory Powers Tribunal</li>
</ul>
</td>
</tr>
<tr>
<td>9.</td>
<td>United States</td>
<td><b style="text-align: justify; ">Electronic Communications Privacy Act, 1986 (Title III, Omnibus Crime Control and Safe Streets Act)</b>
<ul>
<li>Governs authorisation for wiretapping and interception</li>
<li><span style="text-align: left; ">Relevant Provisions: §18</span></li>
</ul>
</td>
<td>
<ul>
<li><span style="text-align: justify; ">Authorisation for interception can be granted by </span><b style="text-align: justify; ">a district court or federal appeals court</b><span style="text-align: justify; "> on application by a law enforcement officer duly signed by the attorney general</span></li>
<li>Application mandates obtaining the information through a service provider before invading upon individual’s privacy</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/models-for-surveillance-and-interception-of-communications-worldwide'>http://editors.cis-india.org/internet-governance/blog/models-for-surveillance-and-interception-of-communications-worldwide</a>
</p>
No publisherbedaavyasasurveillance technologiesInternet GovernanceSurveillance2014-07-10T07:50:08ZBlog EntryMisuse of Surveillance Powers in India (Case 1)
http://editors.cis-india.org/internet-governance/blog/misuse-surveillance-powers-india-case1
<b>In this series of blog posts, Pranesh Prakash looks at a brief history of misuse of surveillance powers in India. He notes that the government's surveillance powers have been freqently misused, very often without any kind of judicial or political redressal. This, he argues, should lead us as concerned citizens to demand a scaling down of the government's surveillance powers and pass laws to put it place more robust oversight mechanisms.</b>
<h1 id="case-1-unlawful-phone-tapping-in-himachal-pradesh">Case 1: Unlawful Phone-tapping in Himachal Pradesh</h1>
<p>In December 2012, the government changed in Himachal Pradesh. The Bharatiya Janata Party (BJP) went out of power, and the Indian National Congress (INC) came into power. One of the first things that Chief Minister Virbhadra Singh did, within hours of taking his oath as Chief Minister on December 25, 2012, was to get a Special Investigation Team (SIT) to investigate phone tapping during the BJP government’s tenure.</p>
<p>On December 25th and 26th, 12 hard disk drives were seized from the offices of the Crime Investigation Department (CID) and the Vigilance Department (which is supposed to be an oversight mechanism over the rest of the police). These hard disks showed that 1371<sup><a href="#fn1" class="footnoteRef" id="fnref1">1</a></sup> phone numbers were targetted and hundreds of thousands of phone conversations were recorded. These included conversations of prominent leaders “mainly of” the INC but also from the BJP, including three former cabinet ministers and close relatives of multiple chief ministers, a journalist, and many senior police officials, including the Director General of Police.</p>
<h2 id="violations-of-the-law">Violations of the Law</h2>
<p>While the law required the state’s Home Secretary to grant permission for each person that was being tapped, the Home Secretary had legitimately only granted permission in 34<sup><a href="#fn2" class="footnoteRef" id="fnref2">2</a></sup> cases. This leaves over a thousand cases where phones were tapped illegally, in direct violation of the law. The oversight mechanism provided in the law, namely the Review Committee under Rule 419A of the Indian Telegraph Rules, was utterly powerless to check this. Indeed, the internal checks for the police, namely the Vigilance Department, also seems to have failed spectacularly.</p>
<p>Every private telecom company cooperated in this unlawful surveillance, even though the people who were conducting it did so without proper legal authority. Clearly we need to revise our interception rules to ensure that these telecom companies do not cooperate unless they are served with an order digitally signed by the Home Secretary.</p>
<p>While all interception recordings are required to be destroyed within 6 months as per Rule 419A of the Indian Telegraph Rules, that rule was also evidently ignored and conversations going back to 2009 were being stored.</p>
<h2 id="concluding-concerns">Concluding Concerns</h2>
<p>What should concern us is not merely that such a large number of politicians/police officers were tapped, but that no criminal charges were brought about on the basis of these phone taps, indicating that much of it was being used for political purposes.</p>
<p>What should concern us is that the requirement under Section 5 of the Indian Telegraph Act, which covers phone taps, of the existence of a “public emergency” or endangerment of “public safety”, which is a prerequisite of phone taps as per the law and as emphasised by the Supreme Court in 1996 in the <a href="http://indiankanoon.org/doc/87862/"><i>PUCL</i> judgment</a>, were blatantly ignored.</p>
<p>What should concern us is that it took a change in government to actually uncover this sordid tale.</p>
<div class="footnotes">
<hr />
<ol>
<li id="fn1"><p>1385 according to <a href="http://www.hindustantimes.com/india-news/vigilance-probe-done-underlines-illegal-tapping-of-phones/article1-1076520.aspx">a Hindustan Times report</a> [1]: http://indiatoday.intoday.in/story/himachal-pradesh-police-registers-first-fir-in-phone-tapping-scandal/1/285698.html<a href="#fnref1">↩</a></p></li>
<li id="fn2"><p>A <a href="http://zeenews.india.com/news/himachal-pradesh/vigilance-to-probe-phone-tapping-hp-cm_832485.html">Zee News report states 34</a> while it’s 171 according to a <a href="http://indiatoday.intoday.in/story/himachal-pradesh-police-registers-first-fir-in-phone-tapping-scandal/1/285698.html">Mail Today report</a><a href="#fnref2">↩</a></p></li>
</ol>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/misuse-surveillance-powers-india-case1'>http://editors.cis-india.org/internet-governance/blog/misuse-surveillance-powers-india-case1</a>
</p>
No publisherpraneshSurveillancePrivacy2013-12-06T09:37:24ZBlog EntryMastering the Art of Keeping Indians Under Surveillance
http://editors.cis-india.org/internet-governance/blog/the-wire-may-30-2015-bhairav-acharya-mastering-the-art-of-keeping-indians-under-surveillance
<b>In its first year in office, the National Democratic Alliance government has been notably silent on the large-scale surveillance projects it has inherited. This ended last week amidst reports the government is hastening to complete the Central Monitoring System (CMS) within the year.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://thewire.in/2015/05/30/mastering-the-art-of-keeping-indians-under-surveillance-2756/">the Wire</a> on May 30, 2015.</p>
<hr />
<p style="text-align: justify; ">In a statement to the Rajya Sabha in 2009, Gurudas Kamat, the erstwhile United Progressive Alliance’s junior communications minister, said the CMS was a project to enable direct state access to all communications on mobile phones, landlines, and the Internet in India. He meant the government was building ‘backdoors’, or capitalising on existing ones, to enable state authorities to intercept any communication at will, besides collecting large amounts of metadata, without having to rely on private communications carriers.</p>
<p style="text-align: justify; ">This is not new. Legally sanctioned backdoors have existed in Europe and the USA since the early 1990s to enable direct state interception of private communications. But the laws of those countries also subject state surveillance to a strong regime of state accountability, individual freedoms, and privacy. This regime may not be completely robust, as Edward Snowden’s revelations have shown, but at least it exists on paper. The CMS is not illegal by itself, but it is coloured by the compromised foundation of Indian surveillance law upon which it is built.</p>
<p style="text-align: justify; "><b>Surveillance and social control</b></p>
<p style="text-align: justify; ">The CMS is a technological project. But technology does not exist in isolation; it is contextualised by law, society, politics, and history. Surveillance and the CMS must be seen in the same contexts.</p>
<p style="text-align: justify; ">The great sociologist Max Weber claimed the modern state could not exist without monopolising violence. It seems clear the state also entertains the equal desire to monopolise communications technologies. The state has historically shaped the way in which information is transmitted, received, and intercepted. From the telegraph and radio to telephones and the Internet, the state has constantly endeavoured to control communications technologies.</p>
<p style="text-align: justify; ">Law is the vehicle of this control. When the first telegraph line was laid down in India, its implications for social control were instantly realised; so the law swiftly responded by creating a state monopoly over the telegraph. The telegraph played a significant role in thwarting the Revolt of 1857, even as Indians attempted to destroy the line; so the state consolidated its control over the technology to obviate future contests.</p>
<p style="text-align: justify; ">This controlling impulse was exercised over radio and telephones, which are also government monopolies, and is expressed through the state’s surveillance prerogative. On the other hand, because of its open and decentralised architecture, the Internet presents the single greatest threat to the state’s communications monopoly and dilutes its ability to control society.</p>
<p style="text-align: justify; "><b>Interception in India</b></p>
<p style="text-align: justify; ">The power to intercept communications arises with the regulation of telegraphy. The first two laws governing telegraphs, in 1854 and 1860, granted the government powers to take possession of telegraphs “on the occurrence of any public emergency”. In 1876, the third telegraph law expanded this threshold to include “the interest of public safety”. These are vague phrases and their interpretation was deliberately left to the government’s discretion.</p>
<p style="text-align: justify; ">This unclear formulation was replicated in the Indian Telegraph Act of 1885, the fourth law on the subject, which is currently in force today. The 1885 law included a specific power to wiretap. Incredibly, this colonial surveillance provision survived untouched for 87 years even as countries across the world balanced their surveillance powers with democratic safeguards.</p>
<p style="text-align: justify; ">The Indian Constitution requires all deprivations of free speech to conform to any of nine grounds listed in Article 19(2). Public emergencies and public safety are not listed. So Indira Gandhi amended the wiretapping provision in 1972 to insert five grounds copied from Article 19(2). However, the original unclear language on public emergencies and public safety remained.</p>
<p style="text-align: justify; ">Indira Gandhi’s amendment was ironic because one year earlier she had overseen the enactment of the Defence and Internal Security of India Act, 1971 (DISA), which gave the government fresh powers to wiretap. These powers were not subject to even the minimal protections of the Telegraph Act. When the Emergency was imposed in 1975, Gandhi’s government bypassed her earlier amendment and, through the DISA Rules, instituted the most intensive period of surveillance in Indian history.</p>
<p style="text-align: justify; ">Although DISA was repealed, the tradition of having parallel surveillance powers for fictitious emergencies continues to flourish. Wiretapping powers are also found in the Maharashtra Control of Organised Crime Act, 1999 which has been copied by Karnataka, Andhra Pradesh, Arunachal Pradesh, and Gujarat.</p>
<p style="text-align: justify; "><b>Procedural weaknesses</b></p>
<p style="text-align: justify; ">Meanwhile, the Telegraph Act with its 1972 amendment continued to weather criticism through the 1980s. The wiretapping power was largely exercised free of procedural safeguards such as the requirements to exhaust other less intrusive means of investigation, minimise information collection, limit the sharing of information, ensure accountability, and others.</p>
<p style="text-align: justify; ">This changed in 1996 when the Supreme Court, on a challenge brought by PUCL, ordered the government to create a minimally fair procedure. The government fell in line in 1999, and a new rule, 419A, was put into the Indian Telegraph Rules, 1951.</p>
<p style="text-align: justify; ">Unlike the United States, where a wiretap can only be ordered by a judge when she decides the state has legally made its case for the requested interception, an Indian wiretap is sanctioned by a bureaucrat or police officer. Unlike the United Kingdom, which also grants wiretapping powers to bureaucrats but subjects them to two additional safeguards including an independent auditor and a judicial tribunal, an Indian wiretap is only reviewed by a committee of the original bureaucrat’s colleagues. Unlike most of the world which restricts this power to grave crime or serious security needs, an Indian wiretap can even be obtained by the income tax department.</p>
<p style="text-align: justify; ">Rule 419A certainly creates procedure, but it lacks crucial safeguards that impugn its credibility. Worse, the contours of rule 419A were copied in 2009 to create flawed procedures to intercept the content of Internet communications and collect metadata. Unlike rule 419A, these new rules issued under sections 69(2) and 69B(3) of the Information Technology Act 2000 have not been constitutionally scrutinised.</p>
<p style="text-align: justify; "><b>Three steps to tap</b></p>
<p style="text-align: justify; ">Despite its monopoly, the state does not own the infrastructure of telephones. It is dependent on telecommunications carriers to physically perform the wiretap. Indian wiretaps take place in three steps: a bureaucrat authorises the wiretap; a law enforcement officer serves the authorisation on a carrier; and, the carrier performs the tap and returns the information to the law enforcement officer.</p>
<p style="text-align: justify; ">There are many moving parts in this process, and so there are leaks. Some leaks are cynically motivated such as Amar Singh’s lewd conversations in 2011. But others serve a public purpose: Niira Radia’s conversations were allegedly leaked by a whistleblower to reveal serious governmental culpability. Ironically, leaks have created accountability where the law has failed.</p>
<p style="text-align: justify; ">The CMS will prevent leaks by installing servers on the transmission infrastructure of carriers to divert communications to regional monitoring centres. Regional centres, in turn, will relay communications to a centralised monitoring centre where they will be analysed, mined, and stored. Carriers will no longer perform wiretaps; and, since this obviates their costs of compliance, they are willing participants.</p>
<p style="text-align: justify; ">In its annual report of 2012, the Centre for the Development of Telematics (C-DOT), a state-owned R&D centre tasked with designing and creating the CMS, claimed the system would intercept 3G video, ILD, SMS, and ISDN PRI communications made through landlines or mobile phones – both GSM and CDMA.</p>
<p style="text-align: justify; ">There are unclear reports of an expansion to intercept Internet data, such as emails and browsing details, as well as instant messaging services; but these remain unconfirmed. There is also a potential overlap with another secretive Internet surveillance programme being developed by the Defence R&D Organisation called NETRA, no details of which are public.</p>
<p style="text-align: justify; "><b>Culmination of surveillance</b></p>
<p style="text-align: justify; ">In its present state, Indian surveillance law is unable to bear the weight of the CMS project, and must be vastly strengthened to protect privacy and accountability before the state is given direct access to communications.</p>
<p style="text-align: justify; ">But there is a larger way to understand the CMS in the context of Indian surveillance. Christopher Bayly, the noted colonial historian, writes that when the British set about establishing a surveillance apparatus in colonised India, they came up against an established system of indigenous intelligence gathering. Colonial rule was at its most vulnerable at this point of intersection between foreign surveillance and indigenous knowledge, and the meeting of the two was riven by suspicion. So the colonial state simply co-opted the interface by creating institutions to acquire local knowledge.</p>
<p style="text-align: justify; ">The CMS is also an attempt to co-opt the interface between government and the purveyors of communications; because if the state cannot control communications, it cannot control society. Seen in this light, the CMS represents the natural culmination of the progression of Indian surveillance. No challenge against it that does not question the construction of the modern Indian state will be successful.</p>
<p style="text-align: justify; "><i> </i></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-wire-may-30-2015-bhairav-acharya-mastering-the-art-of-keeping-indians-under-surveillance'>http://editors.cis-india.org/internet-governance/blog/the-wire-may-30-2015-bhairav-acharya-mastering-the-art-of-keeping-indians-under-surveillance</a>
</p>
No publisherbhairavSurveillanceInternet GovernancePrivacy2015-08-23T12:26:48ZBlog EntryIs CMS a Compromise of Your Security?
http://editors.cis-india.org/news/forbesindia-article-real-issue-july9-2013-rohin-dharmakumar-is-cms-a-compromise-of-your-security
<b>By secretly monitoring and recording all Indians through a Central Monitoring System, our government will end up making citizens and businesses less safe.
</b>
<hr />
<p style="text-align: justify; ">This <a class="external-link" href="http://forbesindia.com/article/real-issue/is-cms-a-compromise-of-national-security/35543/1#ixzz2YX7nI92k">article appeared in the Forbes India magazine</a> of 12 July, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">Are you reading this article on your PC or smartphone? No? Do you own a smartphone? Surely a phone then?<br /><br />If you also happen to live in Delhi, Haryana or Karnataka, then from April this year nearly all your electronic communication—telephony, emails, VOIP, social networking—has been sucked up under an innocuous sounding programme called the Central Monitoring System, or CMS.</p>
<p style="text-align: justify; ">There’s no way to tell if you are being watched really, because telecom service providers aren’t part of the set-up. In most cases, they may not even be aware which of their users is being monitored. Neither can you approach a government agency or court to find out more, because there’s practically very little oversight or disclosure. What the government does with the data—how it is stored, secured, accessed or deleted—we don’t know.</p>
<p style="text-align: justify; ">Unlike the US and other Western democracies where even for a large scale programme like Prism (leaked recently by 29-year-old whistleblower and now fugitive Edward Snowden), surveillance orders need to be signed by a judge. But in India most orders are signed by either the Central or state home secretary, says Sunil Abraham, executive director for Centre for Internet and Society, Bangalore. This leads to a conflict of interest as the executive branch is both undertaking law enforcement and providing oversight on its own work.<br /><br />In most cases, the officials are overwhelmed with other work, and don’t have the time to apply their minds to each request. “There is supposed to be an oversight committee that reviews the decisions of home secretaries, but we don’t have any idea about that committee either,” says Abraham.<br /><br />Meanwhile, government bodies like the R&AW, Central Bureau of Investigation, National Investigation Agency, Central Board of Direct Taxes, Narcotics Control Bureau and the Enforcement Directorate will have the right to look up your data. Starting next year, all mobile telephony operators will also need to track and store the geographical location from which subscribers make or receive calls.<br /><br />“I see it as the rise of techno-determinism in our security apparatus. Previously, our philosophy was to avoid infringing on individual privacy, and monitor a small set of individuals directly suspected of engaging in illegal activities. Now, thanks to the Utopianism being offered up by ‘Big Data’ infrastructure, putting everybody under blanket surveillance seems like a better way to serve our security and law enforcement agendas more effectively,” says Abraham.<br /><br />There is a real risk that CMS and the numerous other monitoring programmes that will subsequently connect to it will end up harming more Indians than protecting them.<br /><br />The biggest risk is that these programmes will turn into lucrative ‘honey pots’ for hackers, criminals and rival countries. Why bother hacking individuals and companies if you can attack the CMS? We’ve seen private corporations and government agencies in the US, Israel and the UK getting hacked. So let’s not have any illusions that India is going to fare much better.<br /><br />Another consequence is that sooner or later innocent citizens will be wrongly accused of being criminals based on mistaken data patterns. While searching for matches in any database with hundreds of millions of records, the risk of a ‘false positive’ increases disproportionately because there are exponentially more innocents than there are guilty. And in the near-Dystopian construct of the CMS, it will take months or years for such errors to be rectified.<br /><br />As more Indians become aware of these programmes, they will adopt encryption and masking tools to hide their digital selves. In the process, numerous ‘unintended consequences’ of failing to differentiate law-abiding citizens from criminals will be created. What answer will a normal citizen offer to a law enforcement official who wants to know why he or she has encrypted all communications and hosted a personal server in, say, Sweden?<br /><br />But arguably the biggest threat of 24x7 surveillance is to businesses. Security and trust are the foundations atop which most modern businesses are built. From your purchase of a gadget on an ecommerce site to a large conglomerate’s secret bid in a government auction to discussions within a company on future business strategies to patent applications—everything requires secrecy and security. All an unscrupulous competitor, whether it be a company or a country, has to do to go one-up on you is to attack the CMS and other central databases.<br /><br />“The reason why the USA historically decided not to impose blanket surveillance wasn’t because of human rights, but to protect its businesses and intellectual property. Because while we may be able to live in a society without human rights, we cannot be in one without functional markets,” says Abraham.<br /><br />He goes on to say that the recent disclosures around the various spying programmes run by the US have made the private surveillance and security industry very happy. “Each incident becomes a case-study to pit one country against another, forcing each one to cherry-pick the worst global practices in a dangerous race to the bottom. Civil society and privacy activists don’t have the resources to fight large vendors and so the only thing that will stop this is the leak of large databases, like that of 9 million Israeli biometric records a few years back.”<br /><br />Recollecting the news about a family-business break-up some years ago, where two brothers agreed to split their businesses, the net result was one brother opted out of telephony services offered by the other. All of that is now moot. “There are no more shadows now. Nobody will have refuge and everybody will be exposed,” says Abraham.<br /><br /></p>
<p>
For more details visit <a href='http://editors.cis-india.org/news/forbesindia-article-real-issue-july9-2013-rohin-dharmakumar-is-cms-a-compromise-of-your-security'>http://editors.cis-india.org/news/forbesindia-article-real-issue-july9-2013-rohin-dharmakumar-is-cms-a-compromise-of-your-security</a>
</p>
No publisherpraskrishnaSurveillanceInternet GovernancePrivacy2013-07-15T06:27:05ZNews ItemInternet users enraged over US online spying
http://editors.cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying
<b>India is the fifth most tracked nation by American intelligence agencies.</b>
<hr />
<p style="text-align: justify; ">The article by Maitreyee Boruah was <a class="external-link" href="http://articles.timesofindia.indiatimes.com/2013-06-29/people/40256468_1_privacy-private-information-sunil-abraham">published in the Times of India</a> on June 29, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">Have you been posting pictures and messages with gay abandon on your social networking sites or having personal discussions on instant chat or video messaging and thinking that no one other than the intended recipient(s) has access to it? Well, going by the recent revelation that government agencies, and that too from the US, have been spying on our internet usage and collating private information, even the most hardcore security settings for your online data are apparently of no use.</p>
<p style="text-align: justify; ">According to former US <a href="http://timesofindia.indiatimes.com/topic/Central-Intelligence-Agency">Central Intelligence Agency</a> (CIA) employee Edward Snowden's testimony, the US National Security Agency ( <a href="http://timesofindia.indiatimes.com/topic/National-Security-Agency">NSA</a>) has been using major tech giants to spy on private information of users around the world. And India is the fifth most tracked nation by the US intelligence system. But isn't this a direct infringement on our right to privacy? Or are such measures the need of the hour, given the increasing incidences of terror acts across the world?</p>
<p style="text-align: justify; "><b>What should the <a href="http://timesofindia.indiatimes.com/topic/Indian-Government">Indian government</a> do?</b></p>
<p style="text-align: justify; ">Recently, a PIL (Public Interest Litigation) was filed in the Indian Supreme Court on the issue of the web snooping by the US. The PIL sought the Centre to initiate action against internet companies for sharing information with foreign authorities, which amounts to breach of contract and violation of the right to privacy.</p>
<p style="text-align: justify; ">"First, we need to urgently enact a horizontal privacy law, which articulates privacy principles and institutes <a href="http://timesofindia.indiatimes.com/topic/The-Office">the office</a> of the <a href="http://timesofindia.indiatimes.com/topic/Privacy-Commissioner">privacy commissioner</a>. Second, we need to promote the use of encryption and other privacy-enhancing technologies. The use of foreign internet infrastructure by those in public offices should be banned, except in the case of public dissemination. And last, but not the least, take action against online firms that have access to personal data of users and violate the privacy of Indian citizens through the office of the regulator," suggests Sunil Abraham, executive director of Bangalore-based research organization, Centre for Internet and Society.</p>
<p style="text-align: justify; ">Anja Kovacs, project director at the Internet Democracy Project in India, meanwhile, wants the Indian government to assert itself. "The best the Indian government can do is to demand that this kind of snooping does not happen. However, it can't ensure that such episodes won't happen in the future, as there is no enforceable global legal framework to deal with online snooping."</p>
<p><b>Era of the Big Brother?</b></p>
<p style="text-align: justify; ">Given the lack of legal support, does it mean that internet users have no right to privacy? "We do have a right to privacy. Unfortunately, our right is not respected. By and large, unless they use special tools to protect themselves, internet users do not have any real privacy in many countries, including India," says Anja, adding, "The right to privacy is not explicitly included in the Constitution, and the Privacy Bill continues to be pending. Also, Indian intelligence agencies are not under supervision of the Parliament, which is an important weakness in the accountability system." Echoing Anja, Sunil says, "In India, unfortunately, our right to privacy is not sufficiently protected. Indian laws are not strong enough to safeguard privacy of Internet users."</p>
<p><b>Anger in the online community</b></p>
<p style="text-align: justify; ">A large number of internet users who we spoke to said they were "shocked" after hearing about the US government's spying mechanism. "The recent revelation of snooping by the <a href="http://timesofindia.indiatimes.com/topic/US-Government">US government</a> is a clear case of intrusion into our privacy. It is absolutely illegal," says 24-year-old IT professional Subodh Gupta.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying'>http://editors.cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying</a>
</p>
No publisherpraskrishnaSurveillanceInternet GovernancePrivacy2013-07-01T04:10:05ZNews ItemIndian surveillance laws & practices far worse than US
http://editors.cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us
<b>Explosive would be just the word to describe the revelations by National Security Agency (NSA) whistleblower Edward Snowden. </b>
<hr />
<p style="text-align: justify; ">Pranesh Prakash's column was <a class="external-link" href="http://articles.economictimes.indiatimes.com/2013-06-13/news/39952596_1_nsa-india-us-homeland-security-dialogue-national-security-letters">published in the Economic Times</a> on June 13, 2013. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Now, with the American Civil Liberties Union suing the Obama administration over the NSA surveillance programme, more fireworks could be in store. Snowden's expose provides proof of what many working in the field of privacy have long known. The leaks show the NSA (through the FBI) has got a secret court order requiring telecom provider Verizon to hand over "metadata", i.e., non-content data like phone numbers and call durations, relating to millions of US customers (known as dragnet or mass surveillance); that the NSA has a tool called Prism through which it queries at least nine American companies (including Google and Facebook); and that it also has a tool called Boundless Informant (a screenshot of which revealed that, in February 2013, the NSA collected 12.61 billion pieces of metadata from India).</p>
<p><b>Nothing Quite Private </b></p>
<p>The outrage in the US has to do with the fact that much of the data the NSA has been granted access to by the court relates to communications between US citizens, something the NSA is not authorised to gain access to. What should be of concern to Indians is that the US government refuses to acknowledge non-Americans as people who also have a fundamental right to privacy, if not under US law, then at least under international laws like the Universal Declaration of Human Rights and the ICCPR.</p>
<p style="text-align: justify; ">US companies such as Facebook and Google have had a deleterious effect on privacy. In 2004, there was a public outcry when Gmail announced it was using an algorithm to read through your emails to serve you advertisements. Facebook and Google collect massive amounts of data about you and websites you visit, and by doing so, they make themselves targets for governments wishing to snoop on you, legally or not.</p>
<p><b>Worse, Indian-Style </b></p>
<p style="text-align: justify; ">That said, Google and Twitter have at least challenged a few of the secretive National Security Letters requiring them to hand over data to the FBI, and have won. Yahoo India has challenged the authority of the Controller of Certifying Authorities, a technical functionary under the IT Act, to ask for user data, and the case is still going on.</p>
<p style="text-align: justify; ">To the best of my knowledge, no Indian web company has ever challenged the government in court over a privacy-related matter. Actually, Indian law is far worse than American law on these matters. In the US, the NSA needed a court order to get the Verizon data. In India, the licences under which telecom companies operate require them to provide this. No need for messy court processes.</p>
<p style="text-align: justify; ">The law we currently have — sections 69 and 69B of the Information Technology Act — is far worse than the surveillance law the British imposed on us. Even that lax law has not been followed by our intelligence agencies.</p>
<p><b>Keeping it Safe </b></p>
<p style="text-align: justify; ">Recent reports reveal India's secretive National Technical Research Organisation (NTRO) — created under an executive order and not accountable to Parliament — often goes beyond its mandate and, in 2006-07, tried to crack into Google and Skype servers, but failed. It succeeded in cracking Rediffmail and Sify servers, and more recently was accused by the Department of Electronics and IT in a report on unauthorised access to government officials' mails.</p>
<p style="text-align: justify; ">While the government argues systems like the Telephone Call Interception System (TCIS), the Central Monitoring System (CMS) and the National Intelligence Grid (Natgrid) will introduce restrictions on misuse of surveillance data, it is a flawed claim. Mass surveillance only increases the size of the haystack, which doesn't help in finding the needle. Targeted surveillance, when necessary and proportional, is required. And no such systems should be introduced without public debate and a legal regime in place for public and parliamentary accountability.</p>
<p style="text-align: justify; ">The government should also encourage the usage of end-to-end encryption, ensuring Indian citizens' data remains safe even if stored on foreign servers. Merely requiring those servers to be located in India will not help, since that information is still accessible to American agencies if it is not encrypted. Also, the currently lax Indian laws will also apply, degrading users' privacy even more.</p>
<p style="text-align: justify; ">Indians need to be aware they have virtually no privacy when communicating online unless they take proactive measures. Free or open-source software and technologies like Open-PGP can make emails secure, Off-The-Record can secure instant messages, TextSecure for SMSes, and Tor can anonymise internet traffic.</p>
<div id="_mcePaste"><span><a href="http://editors.cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us">http://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us</a> </span> </div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us'>http://editors.cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us</a>
</p>
No publisherpraneshSurveillanceInternet GovernanceCensorshipSAFEGUARDS2013-07-12T11:09:39ZBlog EntryIndian PM Narendra Modi’s digital dream gets bad reception
http://editors.cis-india.org/internet-governance/news/the-australian-amanda-hodge-september-29-2015-indian-pm-narendra-modi-digital-dream-gets-bad-reception
<b>As Indian Prime Minister Narendra Modi told Silicon Valley’s most powerful chief executives this week how his government “attacked poverty by using the power of networks and mobile phones’’, the entire population of the state of Kashmir remained offline — by order of the state.
</b>
<p style="text-align: justify; ">The article by Amanda Hodge was published in <a class="external-link" href="http://www.theaustralian.com.au/news/world/indian-pm-narendra-modis-digital-dream-gets-bad-reception/story-e6frg6so-1227547929688">the Australian</a> on September 29, 2015. Sunil Abraham gave inputs.</p>
<hr />
<p style="text-align: justify; ">“I see technology as a means to empower and as a tool that bridges the distance between hope and opportunity,” Mr Modi said yesterday on a trip in which he will also discuss development at the UN.</p>
<p style="text-align: justify; ">Earlier, in a “town hall” meeting with Facebook chief Mark Zuckerberg Mr Modi hailed the power of social media networks that gave governments the opportunity to correct themselves “every five minutes”, rather than every five years.</p>
<p style="text-align: justify; ">His remarks during his Digital India tour of the US west coast sparked a storm of Twitter protest.</p>
<p style="text-align: justify; ">The northern state’s former chief minister Omar Abdullah, who noted the “irony of listening to Prime Minister Modi lecturing about connected digital India, while we are totally disconnected”.</p>
<p style="text-align: justify; ">The ban on mobile and broadband internet in Jammu and Kashmir was imposed last Friday, the beginning of the Muslim holiday of Eid-ul-Zuha during which animals are slaughtered and the meat fed to the poor, for fear social media could inflame tensions over the state government’s decision to enforce a beef ban.</p>
<p style="text-align: justify; ">It was to have lasted 24 hours but — notwithstanding Twitter feedback — was extended twice as a “precautionary” measure.</p>
<p style="text-align: justify; ">As Mr Modi outlined his dreams of a broadband network connecting the country’s most remote communities, millions of New Delhi mobile phone users continued their daily wrestle with line dropouts.</p>
<p style="text-align: justify; ">“We are bringing technology, transparency, efficiency, ease and effectiveness in governance,” he said, as in New Delhi the government talked of pulling down more mobile towers.</p>
<p style="text-align: justify; ">Centre for Internet and Society director Sunil Abraham said yesterday: “Schizophrenia between rhetoric and reality (on digital policy) is the global standard for all world leaders.</p>
<p style="text-align: justify; ">“Politicians in opposition are invariably opposed to surveillance and in favour of free speech but the very day that politician assumes office even if it is someone as splendid as Barack Obama, they change their opinions on these topics and become pro-surveillance and pro-censorship.”</p>
<p style="text-align: justify; ">Certainly successive Indian governments have had a patchy record on such issues. Last March India’s activist Supreme Court struck down a controversial section of the Information Technology Act which made posting information of a “grossly offensive or menacing character” punishable by up to three years’ jail.</p>
<p style="text-align: justify; ">That month police in northern Uttar Pradesh arrested a teenager for a Facebook post, which they said “carried derogatory language against a community”.</p>
<p style="text-align: justify; ">Previous cases under the former Congress-led government include that of a university professor detained for posting a cartoon about the chief minister of West Bengal and the arrest of two young women over a Facebook post criticising the shutdown of Mumbai following the death of a Hindu right politician.</p>
<p style="text-align: justify; ">While Mr Modi’s government welcomed the Supreme Court ruling as a “landmark day for freedom of speech and expression”, last month it attempted to block 857 random porn sites.</p>
<p style="text-align: justify; ">Notwithstanding the gulf between Mr Modi’s digital dream rhetoric and the reality at home, his second US visit in 17 months has reaped dividends. Google has committed to a joint initiative to roll out free Wi-Fi to 500 railway stations across the country, and Qualcomm has pledged a $US150 million ($213m) tech startup fund.</p>
<p style="text-align: justify; ">But Mr Abraham warned of the potential for such investments to compromise net neutrality — the principle of allowing internet users access to all content and applications.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-australian-amanda-hodge-september-29-2015-indian-pm-narendra-modi-digital-dream-gets-bad-reception'>http://editors.cis-india.org/internet-governance/news/the-australian-amanda-hodge-september-29-2015-indian-pm-narendra-modi-digital-dream-gets-bad-reception</a>
</p>
No publisherpraskrishnaInternet GovernanceCensorshipSurveillance2015-09-29T15:23:04ZNews ItemIndian government to bar politicians from using Gmail for official business
http://editors.cis-india.org/internet-governance/news/the-register-neil-mc-allister-august-30-2013-indian-govt-to-bar-politicians-from-using-gmail-for-official-business
<b>US-based email services seen as too risky.</b>
<p style="text-align: justify; ">This article by Neil McAllister was <a class="external-link" href="http://www.theregister.co.uk/2013/08/30/india_government_gmail_ban/">published in the Register on August 30, 2013</a>. Sunil Abraham is quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The government of India is reportedly planning to bar its employees from using Gmail and other foreign-based email services, amid concerns over surveillance by US spy agencies.</p>
<p style="text-align: justify; ">"Gmail data of Indian users resides in other countries as the servers are located outside," J Satyanarayana, India's secretary of electronics and information technology, <a href="http://timesofindia.indiatimes.com/tech/tech-news/internet/Cyberspying-Government-may-ban-Gmail-for-official-communication/articleshow/22156529.cms" target="_blank">told</a> the <i>Times of India</i>. "Currently, we are looking to address this in the government domain, where there are large amounts of critical data."</p>
<div class="not_moved article_side_content" style="text-align: justify; ">
<div id="article-mpu-container">
<div class="adu" id="ad-mu1-spot">
<div id="ad-mu1-spot_ad_container"><ins><ins></ins></ins></div>
</div>
</div>
</div>
<p style="text-align: justify; ">The Indian government currently employs some 500,000 people, many of whom use Gmail for their primary email addresses. A quick glance at the <a href="http://deity.gov.in/content/people-and-offices" target="_blank">contact page</a> for the country's Department of Electronics and Information Technology reveals at least eight senior officials using Gmail, and still others with Yahoo! addresses.</p>
<p style="text-align: justify; ">Under the new directive, government employees will be asked to stick to official email addresses provided by India's National Informatics Centre (NIC). But an unnamed senior government IT official told the <i>Times of India</i> that many government workers choose Gmail and other foreign services because they are easier to use, and setting up accounts is much faster than working within the bureaucratic process of the NIC.</p>
<p style="text-align: justify; ">The move toward locally run email for Indian government workers comes in the wake of a string of revelations from documents leaked by Edward Snowden. Among the recent disclosures has been details of US electronic surveillance of foreign governments on US soil, where the National Security Agency even went as far as to snoop encrypted communications from <a href="http://www.theregister.co.uk/2013/08/27/un_to_question_us_on_nsa/">United Nations headquarters</a> in New York City.</p>
<p style="text-align: justify; ">No doubt equally concerning was a motion filed by Google in a US district court earlier this month, in which the Chocolate Factory <a href="http://www.theregister.co.uk/2013/08/14/google_cloud_users_have_no_legitimate_expectation_of_privacy/">asserted</a> that "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties" such as Gmail.</p>
<p style="text-align: justify; ">But Sunil Abraham of the Bangalore-based think tank the Centre for Internet and Society said that foreign spying wasn't the only reason why government officials should be required to use a homegrown email.</p>
<p style="text-align: justify; ">"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives," Abraham told the paper. "Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."</p>
<p style="text-align: justify; ">When contacted for comment, a spokeswoman for Google India said the company had not been informed of the proposed ban, adding, "Nothing is documented so far, so for us, it is still speculation." ®</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-register-neil-mc-allister-august-30-2013-indian-govt-to-bar-politicians-from-using-gmail-for-official-business'>http://editors.cis-india.org/internet-governance/news/the-register-neil-mc-allister-august-30-2013-indian-govt-to-bar-politicians-from-using-gmail-for-official-business</a>
</p>
No publisherpraskrishnaInternet GovernanceSurveillance2013-09-05T09:52:17ZBlog EntryIndia's Central Monitoring System (CMS): Something to Worry About?
http://editors.cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about
<b>In this article, Maria Xynou presents new information about India's controversial Central Monitoring System (CMS) based on official documents which were shared with the Centre for Internet and Society (CIS). Read this article and gain an insight on how the CMS actually works!</b>
<p style="text-align: justify; ">The idea of a Panoptikon, of monitoring all communications in India and centrally storing such data is not new. It was first envisioned in 2009, following the 2008 Mumbai terrorist attacks. As such, the Central Monitoring System (CMS) started off as <span class="internal-link">a project run by the Centre for Communication Security Research and Monitoring (CCSRM)</span>, along with the Telecom Testing and Security Certification (TTSC) project.</p>
<p align="JUSTIFY">The Central Monitoring System (CMS), which was <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/">largely covered by the media in 2013</a>, was actually <span class="internal-link">approved by the Cabinet Committee on Security (CCS) on 16th June 2011</span> and the pilot project was completed by 30th September 2011. Ever since, the CMS has been operated by India's Telecom Enforcement Resource and Monitoring (TERM) cells, and has been implemented by the Centre for Development of Telematics (C-DOT), which is an Indian Government owned telecommunications technology development centre. The CMS has been implemented in three phases, each one taking about 13-14 months. As of June 2013, <span class="internal-link">government funding of the CMS has reached at least Rs. 450 crore</span> (around $72 million).</p>
<p align="JUSTIFY">In order to require Telecom Service Providers (TSPs) to intercept all telecommunications in India as part of the CMS, <a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">clause 41.10 of the Unified Access Services (UAS) License Agreement was amended</a> in June 2013. In particular, the amended clause includes the following:</p>
<blockquote class="italized">“<i>But, in case of Centralized Monitoring System (CMS), Licensee shall provide the connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at its own cost in the form of dark fibre with redundancy. If dark fibre connectivity is not readily available, the connectivity may be extended in the form of 10 Mbps bandwidth upgradeable upto 45 Mbps or higher as conveyed by the Governemnt, till such time the dark fibre connectivity is established. However, LICENSEE shall endeavor to establish connectivity by dark optical fibre at the earilest. From the point of presence of MPLS network of CMS onwards traffic will be handled by the Government at its own cost.”</i></blockquote>
<p align="JUSTIFY">Furthermore, <span class="internal-link">draft Rule 419B</span> under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information” / Call Data Records (CDR) to Indian authorities. <a class="external-link" href="http://books.google.gr/books?id=dO2wCCB7w9sC&pg=PA111&dq=%22Call+detail+record%22&hl=en&sa=X&ei=s-iUUO6gHseX0QGXzoGADw&redir_esc=y#v=onepage&q=%22Call%20detail%20record%22&f=false">Call Data Records</a>, otherwise known as Call Detail Records, contain metadata (data about data) that describe a telecomunication transaction, but not the content of that transaction. In other words, Call Data Records include data such as the phone numbers of the calling and called parties, the duration of the call, the time and date of the call, and other such information, while excluding the content of what was said during such calls. According to <span class="internal-link">draft Rule 419B</span>, directions for the disclosure of Call Data Records can only be issued on a national level through orders by the Secretary to the Government of India in the Ministry of Home Affairs, while on the state level, orders can only be issued by the Secretary to the State Government in charge of the Home Department.</p>
<p align="JUSTIFY">Other than this draft Rule and the <a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amendment to clause 41.10 of the UAS License Agreement</a>, no law exists which mandates or regulates the Central Monitoring System (CMS). This mass surveillance system is merely regulated under Section 5(2) of the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, which empowers the Indian Government to intercept communications on the occurence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the following instances:</p>
<ul>
<li>
<p align="JUSTIFY">the interests of the sovereignty and integrity of India</p>
</li>
<li>
<p align="JUSTIFY">the security of the State</p>
</li>
<li>
<p align="JUSTIFY">friendly relations with foreign states</p>
</li>
<li>
<p align="JUSTIFY">public order</p>
</li>
<li>
<p align="JUSTIFY">for preventing incitement to the commission of an offense</p>
</li>
</ul>
<p align="JUSTIFY">However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague, and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should function. As such, the CMS appears to be inadequately regulated, which raises many questions with regards to its potential misuse and subsequent violation of Indian's right to privacy and other human rights.</p>
<h2><b>So how does the Central Monitoring System (CMS) actually work?</b></h2>
<p align="JUSTIFY">We have known for quite a while now that the Central Monitoring System (CMS) gives India's security agencies and income tax officials centralized <a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system" class="external-link">access to the country's telecommunications network</a>. The question, though, is how.</p>
<p align="JUSTIFY">Well, prior to the CMS, all service providers in India were required to have <a class="external-link" href="http://www.thehindu.com/news/national/govt-violates-privacy-safeguards-to-secretly-monitor-internet-traffic/article5107682.ece">Lawful Interception Systems</a> installed at their premises in order to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, in the CMS era, all TSPs in India are <span class="internal-link">required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems</span>. Once ISF servers are installed in the premises of TSPs in India and integrated with Lawful Interception Systems, they are then connected to the Regional Monitoring Centres (RMC) of the CMS. Each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS). In short, the CMS involves the collection and storage of data intercepted by TSPs in central and regional databases.</p>
<p align="JUSTIFY">In other words, all data intercepted by TSPs is automatically transmitted to Regional Monitoring Centres, and subsequently automatically transmitted to the Central Monitoring System. This means that not only can the CMS authority have centralized access to all data intercepted by TSPs all over India, but that <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the authority can also bypass service providers in gaining such access</a>. This is due to the fact that, unlike in the case of so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows for data to be automatically transmitted to its datacentre, without the involvement of TSPs.</p>
<p align="JUSTIFY">The above is illustrated in the following chart:</p>
<p align="JUSTIFY"><img src="http://editors.cis-india.org/chart_11.png" title="CMS chart" height="372" width="689" alt="CMS chart" class="image-inline" /></p>
<p align="JUSTIFY">The interface testing of TSPs and their Lawful Interception Systems has already been completed and, as of June 2013, <span class="internal-link">70 ISF servers have been purchased for six License Service Areas</span> and are being integrated with the Lawful Interception Systems of TSPs. The Centre for Development of Telematics has already fully installed and integrated two ISF servers in the premises of two of India's largest service providers: MTNL and Tata Communications Limited. In Delhi, ISF servers which connect with the CMS have been installed for all TSPs and testing has been completed. In Haryana, three ISF servers have already been installed in the premises of TSPs and the rest of currently being installed. In Chennai, five ISF servers have been installed so far, while in Karnataka, ISF servers are currently being integrated with the Lawful Interception Systems of the TSPs in the region.</p>
<p align="JUSTIFY">The Centre for Development of Telematics plans to <span class="internal-link">integrate ISF servers which connect with the CMS in the premises of service providers </span>in the following regions:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Maharashtra</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (West)</p>
</li>
<li>
<p align="JUSTIFY">Andhra Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (East)</p>
</li>
<li>
<p align="JUSTIFY">Kerala</p>
</li>
<li>
<p align="JUSTIFY">Gujarat</p>
</li>
<li>
<p align="JUSTIFY">Madhya Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
</ul>
<p align="JUSTIFY">With regards to the UAS License Agreement that TSPs are required to comply with, <a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amended clause 41.10</a> specifies certain details about how the CMS functions. In particular, the amended clause mandates that TSPs in India will provide connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at their own cost and in the form of dark optical fibre. From the MPLS network of the CMS onwards, traffic will be handled by the Government at its own cost. It is noteworthy that a <span class="internal-link">Memorandum of Understanding (MoU) for MPLS connectivity</span> has been signed with one of India's largest ISPs/TSPs: BSNL. In fact, <span class="internal-link">Rs. 4.8 crore have been given to BSNL</span> for interconnecting 81 CMS locations of the following License Service Areas:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Mumbai</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
<li>
<p align="JUSTIFY">Rajasthan</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Karnataka</p>
</li>
<li>
<p align="JUSTIFY">Chennai</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
</ul>
<p align="JUSTIFY"><a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">Clause 41.10 of the UAS License Agreement</a> also mandates that the hardware and software required for monitoring calls will be engineered, provided, installed and maintained by the TSPs at their own cost. This implies that TSP customers in India will likely have to pay for more expensive services, supposedly to “increase their safety”. Moreover, this clause mandates that TSPs are required to monitor <i>at least 30 simultaneous calls</i> for each of the nine designated law enforcement agencies. In addition to monitored calls, clause 41.10 of the UAS License Agreement also requires service providers to make the following records available to Indian law enforcement agencies:</p>
<ul>
<li>
<p align="JUSTIFY">Called/calling party mobile/PSTN numbers</p>
</li>
<li>
<p align="JUSTIFY">Time/date and duration of interception</p>
</li>
<li>
<p align="JUSTIFY">Location of target subscribers (Cell ID & GPS)</p>
</li>
<li>
<p align="JUSTIFY">Data records for failed call attempts</p>
</li>
<li>
<p align="JUSTIFY">CDR (Call Data Records) of Roaming Subscriber</p>
</li>
<li>
<p align="JUSTIFY">Forwarded telephone numbers by target subscriber</p>
</li>
</ul>
<p align="JUSTIFY">Interception requests from law enforcement agencies are provisioned by the CMS authority, which has access to the intercepted data by all TSPs in India and which is stored in a central database. As of June 2013, <span class="internal-link">80% of the CMS Physical Data Centre has been built so far</span>.</p>
<p align="JUSTIFY">In short, the CMS replaces the existing manual system of interception and monitoring to an automated system, which is operated by TERM cells and implemented by the Centre for Development of Telematics. <span class="internal-link">Training has been imparted to the following law enforcement agencies</span>:</p>
<ul>
<li>
<p align="JUSTIFY">Intelligence Bureau (IB)</p>
</li>
<li>
<p align="JUSTIFY">Central Bureau of Investigation (CBI)</p>
</li>
<li>
<p align="JUSTIFY">Directorate of Revenue Intelligence (DRI)</p>
</li>
<li>
<p align="JUSTIFY">Research & Analysis Wing (RAW)</p>
</li>
<li>
<p align="JUSTIFY">National Investigation Agency (NIA)</p>
</li>
<li>
<p align="JUSTIFY">Delhi Police</p>
</li>
</ul>
<h2><b>And should we even be worried about the Central Monitoring System?</b></h2>
<p align="JUSTIFY">Well, according to the <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">brief material for the Honourable MOC and IT Press Briefing</a> on 16th July 2013, we should <i>not</i> be worried about the Central Monitoring System. Over the last year, <a class="external-link" href="http://www.livemint.com/Politics/pR5zc8hCD1sn3NWQwa7cQJ/The-new-surveillance-state.html">media reports</a> have expressed fear that the Central Monitoring System will infringe upon citizen's right to privacy and other human rights. However,<a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link"> Indian authorities have argued that the Central Monitoring System will <i>better protect</i> the privacy of individuals </a>and maintain their security due to the following reasons:</p>
<ol>
<li>
<p align="JUSTIFY">The CMS will <i>just automate</i> the existing process of interception and monitoring, and all the existing safeguards will continue to exist</p>
</li>
<li>
<p align="JUSTIFY">The interception and monitoring of communications will continue to be in accordance with Section 5(2) of the Indian Telegraph Act, 1885, read with Rule 419A</p>
</li>
<li>
<p align="JUSTIFY">The CMS will enhance the privacy of citizens, because it will no longer be necessary to take authorisation from the nodal officer of the Telecom Service Providers (TSPs) – who comes to know whose and which phone is being intercepted</p>
</li>
<li>
<p align="JUSTIFY">The CMS authority will provision the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured, since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data</p>
</li>
<li>
<p align="JUSTIFY">A non-erasable command log of all provisioning activities will be maintained by the system, which can be examined anytime for misuse and which provides an additional safeguard</p>
</li>
</ol>
<p align="JUSTIFY">While some of these arguments may potentially allow for better protections, I personally fundamentally disagree with the notion that a centralised monitoring system is something not to worry about. But let's start-off by having a look at the above arguments.</p>
<p align="JUSTIFY">The first argument appears to imply that the pre-existing process of interception and monitoring was privacy-friendly or at least “a good thing” and that existing safeguards are adequate. As such, it is emphasised that the process of interception and monitoring will <i>“just” </i>be automated, while posing no real threat. I fundamentally disagree with this argument due to several reasons. First of all, the pre-existing regime of interception and monitoring appears to be rather problematic because India lacks privacy legislation which could safeguard citizens from potential abuse. Secondly, the very interception which is enabled through various sections of the <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act, 2008</a>, and the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, potentially <a class="external-link" href="http://www.outlookindia.com/article.aspx?283149">infringe upon individual's right to privacy</a> and other human rights.</p>
<p align="JUSTIFY">May I remind you of <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Section 69 of the Information Technology (Amendment) Act, 2008</a>, which allows for the interception of all information transmitted through a computer resource and which requires users to assist authorities with the decryption of their data, if they are asked to do so, or face a jail sentence of up to seven years. The debate on the constitutionality of the various sections of the law which allow for the interception of communications in India is still unsettled, which means that the pre-existing interception and monitoring of communications remains an <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_php=true&_type=blogs&_r=0">ambiguous matter</a>. And so, while the interception of communications in general is rather concerning due to dracodian sections of the law and due to the absence of privacy legislation, automating the process of interception does not appear reassuring at all. On the contrary, it seems like something in the lines of: “We have already been spying on you. Now we will just be doing it quicker and more efficiently.”</p>
<p align="JUSTIFY">The second argument appears inadequate too. <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Section 5(2) of the Indian Telegraph Act, 1885</a>, states that the interception of communications can be carried out on the occurence of a “public emergency” or in the interest of “public safety” when it is deemed “necessary or expedient” to do so under certain conditions which were previously mentioned. However, this section of the law does not mandate the establishment of the Central Monitoring System, nor does it regulate how and under what conditions this surveillance system will function. On the contrary, Section 5(2) of the Indian Telegraph Act, 1885, clearly mandates <i>targeted</i> surveillance, while the Central Monitoring System could potentially undertake <i>mass</i> surveillance. Since the process of interception is automated and, under clause 41.16 of the <a class="external-link" href="http://www.dot.gov.in/sites/default/files/DOC270613-013.pdf">Unified License (Access Services) Agreement</a>, service providers are required to provision at least 3,000 calls for monitoring to nine law enforcement agencies, it is likely that the CMS undertakes mass surveillance. Thus, it is unclear if the very nature of the CMS falls under Section 5(2) of the Indian Telegraph Act, 1885, which mandates targeted surveillance, nor is it clear that such surveillance is being carried out on the occurence of a specific “public emergency” or in the interest of “public safety”. As such, the vagueness revolving around the question of whether the CMS undertakes targeted or mass surveillance means that its legality remains an equivocal matter.</p>
<p align="JUSTIFY">As for the third argument, it is not clear how <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">bypassing the nodal officers of TSPs</a> will enhance citizen's right to privacy. While it may potentially be a good thing that nodal officers will not always be aware of whose information is being intercepted, that does not guarantee that those who do have access to such data will not abuse it. After all, the CMS appears to be largely unregulated and India lacks privacy legislation and all other adequate legal safeguards. Moreover, by bypassing the nodal officers of TSPs, the opportunity for unauthorised requests to be rejected will seize to exist. It also implies an increased centralisation of intercepted data which can potentially create a centralised point for cyber attacks. Thus, the argument that the CMS authority will monopolise the control over intercepted data does not appear reassuring at all. After all, who will watch the watchmen?</p>
<p align="JUSTIFY">While the fourth argument makes a point about <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">differentiating the provisioning and requesting entities</a> with regards to interception requests, it does not necessarily ensure a complete check and balance, nor does it completely eliminate the potential for abuse. The CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorised requests are not provisioned. Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place.</p>
<p align="JUSTIFY">Furthermore, this argument states that the <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">CMS authority will not have access to content data</a>, but does not specify if it will have access to metadata. What's concerning is that <a href="http://editors.cis-india.org/internet-governance/blog/fin-fisher-in-india-and-myth-of-harmless-metadata" class="external-link">metadata can potentially be more useful for tracking individuals than content data</a>, since it is ideally suited to automated analysis by a computer and, unlike content data which shows what an individuals says (which may or may not be true), metadata shows what an individual does. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual's interests, behaviour and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to tackle the argument that the provisioning and requesting entities will be seperate and therefore protect individual's privacy.</p>
<p align="JUSTIFY">The final argument appears to provide some promise, since <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the maintenance of a command log of all provisioning activities</a> could potentially ensure some transparency. However, it remains unclear who will maintain such a log, who will have access to it, who will be responsible for ensuring that unlawful requests have not been provisioned and what penalties will be enforced in cases of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all. In short, the above arguments in favour of the CMS and which support the notion that it enhances individual's right to privacy appear to be inadequate, to say the least.</p>
<p align="JUSTIFY">In contemporary democracies, most people would agree that freedom is a fundamental human right. The right to privacy should be equally fundamental, since it <a class="external-link" href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">protects individuals from abuse by those in power</a> and is integral in ensuring individual liberty. India may literally be the largest democracy in the world, but it lacks privacy legislation which establishes the right to privacy, which guarantees data protection and which safeguards individuals from the potentially unlawful interception of their communications. And as if that is not enough, India is also carrying out a surveillance scheme which is largely unregulated. As such, it is highly recommended that India establishes a privacy law now.</p>
<p align="JUSTIFY">If we do the math, here is what we have: a country with extremely high levels of corruption, no privacy law and an unregulated surveillance scheme which lacks public and parliamentary debate prior to its implementation. All of this makes it almost impossible to believe that we are talking about a democracy, let alone the world's largest (by population) democracy! Therefore, if Indian authorities are interested in preserving the democratic regime they claim to be a part of, I think it would be highly necessary to halt the Central Monitoring System and to engage the public and the parliament in a debate about it.</p>
<p align="JUSTIFY">After all, along with our right to privacy, freedom of expression and other human rights...our right to freedom from suspicion appears to be at stake.</p>
<p align="JUSTIFY"><i>How can we not be worried about the Central Monitoring System?</i></p>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY">The Centre for Internet and Society (CIS) is in possession of the documents which include the information on the Central Monitoring System (CMS) as analysed in this article, as well as of the draft Rule 419B under the Indian Telegraph Act, 1885.</p>
<ul>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about'>http://editors.cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about</a>
</p>
No publishermariaSurveillanceInternet GovernanceSAFEGUARDS2014-02-22T13:50:37ZBlog EntryIn India, Prism-like Surveillance Slips Under the Radar
http://editors.cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar
<b>Prism, the contentious U.S. data-collection surveillance program, has captured the world’s attention ever since whistle-blower Edward Snowden leaked details of global spying to the Guardian and Washington Post.
</b>
<p>The article by Anjan Trivedi was <a class="external-link" href="http://world.time.com/2013/06/30/in-india-prism-like-surveillance-slips-under-the-radar/#ixzz2XoCbrn00">published in Time World </a>on June 30, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">However, it turns out <a href="http://topics.time.com/india/">India</a>, the world’s largest democracy, is building its own version to monitor internal communications in the name of national security. Yet India’s Central Monitoring System, or CMS, was not shrouded in secrecy — New Delhi <a href="http://www.dot.gov.in/sites/default/files/AR%20Englsih%2011-12_0.pdf">announced</a> its intentions to watch over its citizens, however mutedly, in <a href="http://pib.nic.in/newsite/erelease.aspx?relid=70747">2011</a>, and rollout is slated for August. And while reports that the American system collected 6.3 billion <a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining">intelligence reports</a> in India led to a <a href="http://m.indianexpress.com/news/supreme-court-agrees-to-hear-pil-on-us-surveillance-of-internet-data/1131011/">lawsuit</a> at the nation’s <a href="http://topics.time.com/supreme-court/">Supreme Court</a>, comparable indignation has been conspicuously lacking with the domestic equivalent.</p>
<p style="text-align: justify; ">CMS is an ambitious surveillance system that monitors text messages, social-media engagement and phone calls on landlines and cell phones, among other communications. That means 900 million landline and cell-phone users and 125 million Internet users. The project, which is being implemented by the government’s <a href="http://www.cdot.in/about_us/berif_history.htm">Centre for Development of Telematics</a> (<a href="http://pib.nic.in/newsite/erelease.aspx?relid=78145">C-DOT</a>), is meant to help national law-enforcement agencies save time and avoid manual intervention, according to the Department of Telecommunications’ <a href="http://www.dot.gov.in/sites/default/files/Telecom%20Annual%20Report-2012-13%20%28English%29%20_For%20web%20%281%29.pdf">annual report</a>. This has been in the works since 2008, when C-DOT started working on a proof-of-concept, according to an older report. The government <a href="http://planningcommission.nic.in/aboutus/committee/wrkgrp12/cit/wgrep_telecom.pdf">set aside</a> approximately $150 million for the system as part of its 12th five-year plan, although the Cabinet ultimately approved a higher amount.</p>
<p style="text-align: justify; ">Within the internal-security ministry though, the surveillance system remains a relatively “hush-hush” topic, a project official unauthorized to speak to the press tells TIME. In April 2011, the Police Modernisation Division of the Home Affairs Ministry put out a 90-page tender to solicit bidders for communication-interception systems in every state and union territory of India. The system requirements included “live listening, recording, storage, playback, analysis, postprocessing” and voice recognition.</p>
<p style="text-align: justify; ">Civil-liberties groups concede that states often need to undertake targeted-monitoring operations. However, the move toward extensive “surveillance capabilities enabled by digital communications,” suggests that governments are now “casting the net wide, enabling intrusions into private lives,” according to Meenakshi Ganguly, South Asia director for Human Rights Watch. This extensive communications surveillance through the likes of Prism and CMS are “out of the realm of judicial authorization and allow unregulated, secret surveillance, eliminating any transparency or accountability on the part of the state,” a recent U.N. <a href="http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf">report</a> stated.</p>
<p style="text-align: justify; ">India is no stranger to censorship and monitoring — tweets, blogs, books or songs are frequently blocked and banned. India ranked second only to the U.S. on Google’s list of user-data requests with 4,750 queries, up <a href="http://www.google.com/transparencyreport/userdatarequests/IN/">52% from two years back</a>, and removal requests from the government <a href="http://www.google.com/transparencyreport/removals/government/IN/?metric=items&p=2012-12">increased by 90%</a> over the previous reporting period. While these were largely made through police or court orders, the new system will not require such a legal process. In recent times, India’s democratically elected government has barred access to certain websites and Twitter handles, restricted the number of outgoing text messages to five per person per day and arrested citizens for liking Facebook posts and tweeting. Historically too, censorship has been India’s preferred means of policing social unrest. “Freedom of expression, while broadly available in theory,” Ganguly tells TIME, “is endangered by abuse of various India laws.”</p>
<p style="text-align: justify; ">There is a growing discrepancy and power imbalance between citizens and the state, says Anja Kovacs of the Internet Democracy Project. And, in an environment like India where “no checks and balances [are] in place,” that is troubling. The potential for misuse and misunderstanding, Kovacs believes, is increasing enormously. Currently, India’s laws relevant to interception “disempower citizens by relying heavily on the executive to safeguard individuals’ constitutional rights,” a recent <a href="http://www.indianexpress.com/news/way-to-watch/1133737/0">editorial</a> noted. The power imbalance is often noticeable at public protests, as in the case of the New Delhi gang-rape incident in December, when the government shut down public transport near protest grounds and unlawfully detained demonstrators.</p>
<p style="text-align: justify; ">With an already sizeable and growing population of Internet users, the government’s worries too are on the rise. Netizens in India are set to triple to 330 million by 2016, <a href="http://startupcatalyst.in/wp-content/uploads/2013/05/From_Buzz_to_Bucks_Apr_2013_tcm80-132875.pdf">according to a recent report</a>. “As [governments] around the world grapple with the power of social media that can enable spontaneous street protests, there appears to be increasing surveillance,” Ganguly explains.</p>
<p style="text-align: justify; ">India’s junior minister for telecommunications attempted to explain the benefits of this system during a <a href="http://www.youtube.com/watch?v=rwTsek5WUfE">recent Google+ Hangout</a> session. He acknowledged that CMS is something that “most people may not be aware of” because it’s “slightly technical.” A participant noted that the idea of such an intrusive system was worrying and he did not feel safe. The minister, though, insisted that it would “safeguard your privacy” and national security. Given the high-tech nature of CMS, he noted that telecom companies would no longer be part of the government’s surveillance process. India currently does <a href="http://www.hrw.org/news/2013/06/07/india-new-monitoring-system-threatens-rights">not</a> have formal privacy legislation to prohibit arbitrary monitoring. The new system comes under the <a href="http://pib.nic.in/newsite/erelease.aspx?relid=71791">jurisdiction</a> of the Indian Telegraph Act of 1885, which allows for monitoring communication in the “interest of public safety.”</p>
<p style="text-align: justify; ">The surveillance system is not only an “abuse of privacy rights and security-agency overreach,” critics say, but also counterproductive in terms of security. In the process of collecting data to monitor criminal activity, the data itself may become a target for terrorists and criminals — a “honeypot,” according to Sunil Abraham, executive director of India’s Centre for Internet and Society. Additionally, the wide-ranging tapping undermines financial markets, Abraham says, by compromising confidentiality, trade secrets and intellectual property. What’s more, vulnerabilities will have to be built into the existing cyberinfrastructure to make way for such a system. Whether the nation’s patchy infrastructure will be able to handle a complex web of surveillance and networks, no one can say. That, Abraham contends, is what attackers will target.</p>
<p style="text-align: justify; ">National security has widely been cited as the reason for this system, but no one can say whether it will actually help avert terrorist activity. India’s own 9/11 is a case in point: the Indian government was handed intelligence by foreign agencies about the possibility of the 2008 Mumbai terrorist attacks, but did not act. This is a “clear indication that having access to massive amounts of data is not necessarily going to make people safer,” Kovacs tells TIME. However, officers familiar with the new system say it will not increase surveillance or enhance intrusion beyond current levels; it will only strengthen the policy framework of privacy and increase <a href="http://pib.nic.in/newsite/erelease.aspx?relid=80829">operational efficiency</a>. Spokespersons and officials in the internal-security and telecom departments did not respond to requests or declined to comment.</p>
<p style="text-align: justify; ">The government has been cagey about details on implementation and <a href="http://pib.nic.in/newsite/PrintRelease.aspx?relid=70791">extent</a>. This ability to act however the authorities deems fit “just makes it really easy to slide into authoritarianism, and that is not acceptable for any democratic country,” Kovacs says. Indeed, India has seen that before — almost four decades ago, Indira Gandhi declared a state of emergency for 19 months, which suspended all civil liberties. Indians complaining about Prism may want to look a little closer to home.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar'>http://editors.cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar</a>
</p>
No publisherpraskrishnaSurveillanceInternet GovernancePrivacy2013-07-03T09:31:18ZNews ItemHow Aadhaar compromises privacy? And how to fix it?
http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it
<b>Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens. </b>
<p style="text-align: justify; ">The op-ed was published in the <a class="external-link" href="http://www.thehindu.com/opinion/op-ed/is-aadhaar-a-breach-of-privacy/article17745615.ece">Hindu</a> on March 31, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.</p>
<p style="text-align: justify; "><b>Shift from biometrics to smart cards:</b><span> In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.</span></p>
<p style="text-align: justify; "><b>Destroy the authentication transaction database:</b><span> The Aadhaar Authentication Regulations 2016 specifies that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajratnam in prison. There was nothing in the payload ie. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.</span></p>
<p style="text-align: justify; "><b>Prohibit the use of Aadhaar number in other databases:</b><span> We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement is most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.</span></p>
<p style="text-align: justify; "><span>To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it'>http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it</a>
</p>
No publishersunilSurveillanceAadhaarInternet GovernancePrivacy2017-04-01T07:00:06ZBlog EntryHits and Misses With the Draft Encryption Policy
http://editors.cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy
<b>Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.
</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://thewire.in/2015/09/26/hits-and-misses-with-the-draft-encryption-policy-11708/">published in the Wire</a> on September 26, 2015.</p>
<hr />
<p style="text-align: justify; ">This model has largely been a success but as Edward Snowden in his revelations has told us, the US with its large army of mathematicians has managed to compromise some of the standards that have been developed under public and peer scrutiny. Once a standard is developed, its success or failure depends on voluntary adoption by various sections of the market – the private sector, government (since in most markets the scale of public procurement can shape the market) and end-users. This process of voluntary adoption usually results in the best standards rising to the top. Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government context to ensure that state, military, intelligence and law enforcement agencies are protected from foreign surveillance and traitors from within. In other words, these mandates are based on a national security imperative.<br /><br />However, similar mandates for corporations and ordinary citizens are based on a diametrically opposite imperative – surveillance. Therefore these mandates usually require the use of standards that governments can compromise usually via a brute force method (wherein supercomputers generate and attempt every possible key) and smaller key-lengths for it is generally the case that the smaller the key-length the quicker it is for the supercomputers to break in. These mandates, unlike the ones for state, military, intelligence and law enforcement agencies, interfere with the market-based voluntary adoption of standards and therefore are examples of inappropriate regulation that will undermine the security and stability of information societies.</p>
<h3 style="text-align: justify; ">Plain-text storage requirement</h3>
<p style="text-align: justify; ">First, the draft policy mandates that Business to Business (B2B) users and Consumer to Consumer (C2C) users store equivalent plain text (decrypted versions) of their encrypted communications and storage data for 90 days from the date of transaction. This requirement is impossible to comply with for three reasons. Foremost, encryption for web sessions are based on dynamically generated keys and users are not even aware that their interaction with web servers (including webmail such as Gmail and Yahoo Mail) are encrypted. Next, from a usability perspective, this would require additional manual steps which no one has the time for as part of their daily usage of technologies. Finally, the plain text storage will become a honey pot for attackers. In effect this requirement is as good as saying “don’t use encryption”.<br /><br />Second, the policy mandates that B2C and “service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country. From the perspective of lawful interception and targeted surveillance, it is indeed important that corporations cooperate with Indian intelligence and law enforcement agencies in a manner that is compliant with international and domestic human rights law. However, there are three circumstances where this is unworkable: 1) when the service providers are FOSS communities like the TOR project which don’t retain any user data and as far as we know don’t cooperate with any government; 2) when the service provider provides consumers with solutions based on end-to-end encryption and therefore do not hold the private keys that are required for decryption; and 3) when the Indian market is too small for a foreign provider to take requests from the Indian government seriously.<br /><br />Where it is technically possible for the service provider to cooperate with Indian law enforcement and intelligence, greater compliance can be ensured by Indian participation in multilateral and multi-stakeholder internet governance policy development to ensure greater harmonisation of substantive and procedural law across jurisdictions. Options here for India include reform of the Mutual Legal Assistance Treaty (MLAT) process and standardisation of user data request formats via the Internet Jurisdiction Project.</p>
<h3 style="text-align: justify; ">Regulatory design</h3>
<p style="text-align: justify; ">Governments don’t have unlimited regulatory capability or capacity. They have to be conservative when designing regulation so that a high degree of compliance can be ensured. The draft policy mandates that citizens only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.” This would be near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years. Similarly the mandate that “service providers located within and outside India…must enter into an agreement with the government”, “vendors of encryption products shall register their products with the designated agency of the government” and “vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments” would be impossible for two reasons: that cloud based providers will not submit their software since they would want to protect their intellectual property from competitors, and that smaller and non-profit service providers may not comply since they can’t be threatened with bans or block orders.<br /><br />This approach to regulation is inspired by license raj thinking where enforcement requires enforcement capability and capacity that we don’t have. It would be more appropriate to have a “harms”-based approach wherein the government targets only those corporations that don’t comply with legitimate law enforcement and intelligence requests for user data and interception of communication.<br /><br />Also, while the “Technical Advisory Committee” is the appropriate mechanism to ensure that policies remain technologically neutral, it does not appear that the annexure of the draft policy, i.e. “Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000”, has been properly debated by technical experts. According to my colleague Pranesh Prakash, “of the three symmetric cryptographic primitives that are listed – AES, 3DES, and RC4 – one, RC4, has been shown to be a broken cipher.”<br /><br />The draft policy also doesn’t take into account the security requirements of the IT, ITES, BPO and KPO industries that handle foreign intellectual property and personal information that is protected under European or American data protection law. If clients of these Indian companies feel that the Indian government would be able to access their confidential information, they will take their business to competing countries such as the Philippines.</p>
<h3 style="text-align: justify; ">And the good news is…</h3>
<p style="text-align: justify; ">On the other hand, the second objective of the policy, which encourages “wider usage of digital Signature by all entities including Government for trusted communication, transactions and authentication” is laudable but should have ideally been a mandate for all government officials as this will ensure non-repudiation. Government officials would not be able to deny authorship for their communications or approvals that they grant for various applications and files that they process.<br /><br />Second, the setting up of “testing and evaluation infrastructure for encryption products” is also long overdue. The initiation of “research and development programs … for the development of indigenous algorithms and manufacture of indigenous products” is slightly utopian because it will be a long time before indigenous standards are as good as the global state of the art but also notable as an important start.<br /><br />The more important step for the government is to ensure high quality Indian participation in global SSOs and contributions to global standards. This has to be done through competition and market-based mechanisms wherein at least a billion dollars from the last spectrum auction should be immediately spent on funding existing government organisations, research organisations, independent research scholars and private sector organisations. These decisions should be made by peer-based committees and based on publicly verifiable measures of scientific rigour such as number of publications in peer-reviewed academic journals and acceptance of “running code” by SSOs.<br /><br />Additionally the government needs to start making mathematics a viable career in India by either employing mathematicians directly or funding academic and independent research organisations who employ mathematicians. The basis of all encryptions standards is mathematics and we urgently need the tribe of Indian mathematicians to increase dramatically in this country.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy'>http://editors.cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy</a>
</p>
No publishersunilOpen StandardsInternet GovernanceSurveillanceFOSSB2B2015-09-26T16:46:53ZBlog EntryGovt to keep Aadhaar record for 7 years, activists worried
http://editors.cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-october-17-2016-govt-to-keep-aadhaar-record-for-seven-years-activitsts-worried
<b>The government will keep for seven years a record of all the services and benefits availed using the Aadhaar number, say new rules, prompting fears that the database could be used for surveillance.</b>
<p style="text-align: justify; ">The article by Aloke Tikku was published in the <a class="external-link" href="http://www.hindustantimes.com/india-news/govt-to-keep-aadhar-record-for-7-years-activists-worried/story-jSY820Ee1ZnQNLL5vuWMOI.html">Hindustan Times</a> on October 17, 2016. Sunil Abraham was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI), which issues the 12-digit biometric identity to all Indian residents, will be required to preserve its record of verification of an Aadhaar number for the duration.</p>
<p style="text-align: justify; ">“This is an unprecedented centralised data retention provision,” said Sunil Abraham, director of the Bengaluru-based think tank, Centre for Internet and Society.<br /><br />UIDAI chief executive officer ABP Pandey said the concerns were exaggerated. The agency was keeping records in case a dispute arose over a transaction.</p>
<p style="text-align: justify; ">The information will be retained online for two years and another five years in the offline archives, say the rules notified in September.<br /><br />Users will be able to check the records but only for two years.<br /><br />This restriction won’t apply to security agencies. Pandey, however, said the records would not be available to them without a district judge’s permission.<br /><br />But, HT found that the rules allow designated joint secretary-level officers at the Centre to order access to information on the grounds of national security.<br /><br />“Once Aadhaar becomes mandatory for all services, it can be used by benign and malignant actors to conduct a 360-degree surveillance on any individual,” Abraham said.<br /><br />This is how the system, which will need millions of fingerprint-reading machines, works.<br /><br />Every time a person fingerprints and quotes the Aadhaar number, the agency concerned sends the data to UIDAI to crosscheck the particulars.<br /><br />The UIDAI authenticates about five million Aadhaar numbers, which are quoted to avail LPG subsidy, cheap ration and even passport, a day against a capacity to verify 100 million requests daily.<br /><br />“You can think of it as Natgrid Plus,” Abraham said, a reference to the National Intelligence Grid being built by the government.<br /><br />A one-stop database for counter-terrorism agencies, Natgrid will collate information real time from databases of various agencies such as bank, rail and airline networks.<br /><br />“…we do not record the purpose for which an authentication request was received but only the details of the agency that sent it,” UIDAI’s Pandey said.<br /><br />But seven years is a long time. Only a select category of government files are kept for longer than five years.<br /><br />Asked about two-year deadline for users, Pandey said it would have been a logistic nightmare to let people access the records once the information was offline.<br /><br />The Supreme Court has a ruled that Aadhaar is not a must for availing welfare schemes and is to decide if collecting biometric data for the 12-digit number infringed an individual’s privacy.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-october-17-2016-govt-to-keep-aadhaar-record-for-seven-years-activitsts-worried'>http://editors.cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-october-17-2016-govt-to-keep-aadhaar-record-for-seven-years-activitsts-worried</a>
</p>
No publisherpraskrishnaSurveillanceAadhaarInternet GovernancePrivacy2016-10-17T01:53:24ZNews Item