The Great Indian Surveillance Paradox

(Or: Why I'm Sceptical About Privacy in India)

Pranesh Prakash

Policy Director
(and Resident Geek)
Centre for Internet and Society


@pranesh
pranesh@cis-india.org

 

Made using 100% F/OSS + open standards

What we know about communications surveillance

Snowden vs. India
FAIRVIEW, BLARNEY, STORMBREW, OAKSTAR


Unofficial transparency vs. Official transparency

So while we know a lot, we know very little.

 

Transparency vs. Accountability

What we know about governmental surveillance

C.M.S.

Natgrid
T.C.I.S.

C.C.T.N.S.

etc., etc., etc.

Communications Surveillance Laws

No mass surveillance.

 

General laws for interception:

Indian Telegraph Act of 1885
Information Technology Act of 2000

Communications Surveillance Laws

Colonial 1885 Telegraph Act is far better than 2008 Information Technology Act.


Public Emergency | Danger to Public Safety

+

the sovereignty and integrity of India
the security of the state
friendly relations with foreign states
public order
or for preventing incitement to the commission of an offence

Communications Surveillance Laws

Colonial 1885 Telegraph Act is far better than 2008 Information Technology Act.


Public Emergency | Danger to Public Safety

+

the sovereignty OR integrity of India
defence of India
the security of the state
friendly relations with foreign states
public order
or for preventing incitement to the commission of a cognizable offence

or for investigation of any offence

Communications Surveillance Laws

Unauthorized access to communications data is not punishable per se - Arun Jaitley case 

 

But failure to help can land you in jail for 7 years!

Even an IB officer spilling state secrets can only be imprisoned for 3 years.

 

What of the right against self-incrimination? (Art. 20(3))

Communications Surveillance Laws

Far worse than law: contract.

Telcos have to provide direct access to all communications data and content even without a warrant
 

UL: ‘bulk encryption’ of less than 40 bits prohibited
ISPL: "individuals/groups/orgs need permission of the licensor and disclosing decryption keys for all encryption above 40-bits in length"

A5/0! So EVERYONE, not just the government, can intercept.

Communications Surveillance Laws

Cybercafes (but not public phone operators) are required to maintain detailed records of clients’ identity proofs, photographs and the Web sites they have visited, for a minimum period of one year.

Communications Surveillance Laws

In Data Protection and Intermediary Liability Rules:

Internet company to “provide information or any such assistance to government agencies legally authorized for investigative, protective, cybersecurity activity”.

Yes, I can't parse that sentence either.

Communications Surveillance Laws

1996 PUCL recognized need to protect citizens

Telecom licences bypass this.

 

Should we trust the government?

Democracy cannot function without trust.

 

Yet, many reasons for concern.

Should we trust the government?

CMS cuts out the telcos.
Not a bad idea per se
(M.A. Arun's story on Airtel)

 

But they act as a check:
Reliance figures (100 per day) vs. government figures (419 over months)

Should we trust the government?

Cabinet Secy says: 7,000 to 9,000 phone taps are authorized or re-authorized.

 

Even if it took the Home Secretary just three minutes to evaluate each case, it would take 15 hours each day (without any weekends or holidays) to go through 9,000 requests a month.

 

Saikat Datta said 100,000 requests.

Should we trust the government?

Who can intercept?

Central Board of Direct Taxes, Intelligence Bureau, Central Bureau of Investigation, Narcotics Control Bureau, Directorate of Revenue Intelligence, Enforcement Directorate, Research & Analysis Wing, National Investigation Agency and the Defense Intelligence Agency

Three are exclusively dedicated to economic offenses.

(And no National Technical Research Organization??)

Should we trust the government?

Spy vs. Spy (NTRO vs. NIC vs. IB)

Saikat Datta's Outlook stories

("These systems are frequently deployed in Muslim-dominated areas of cities like Delhi, Lucknow and Hyderabad")

NTRO: "contrary to norms, were deployed more often in the national capital than in border areas"

Should we trust the government?

Kanpur

Should we trust the government?

Himachal Pradesh

Should we trust the government?

Arun Jaitley case

 

Amar Singh case

 

Amit Shah case

 

Pranab Mukherjee case

Non-Communications Surveillance

GPS + RFID tracking of vehicles

Aadhaar linking

many more

Research

Data retention laws

(police + courts + telcos/ISPs)

 

Interception requests

(police + courts + telcos/ISPs)

 

Aadhaar efficacy

(failure rates)

Policy Changes

AP Shah GoE report

 

Wide variety of changes needed in everything from intelligence agencies to interception to data retention to data security to minimize the harms of surveillance while maximizing benefits.

 

Surveillance in India:

By Pranesh Prakash
