@pranesh
pranesh@cis-india.org
Made using 100% F/OSS + open standards
Snowden vs. India
FAIRVIEW, BLARNEY, STORMBREW, OAKSTAR
Unofficial transparency vs. Official transparency
So while we know a lot, we know very little.
Transparency vs. Accountability
C.M.S.
Natgrid
T.C.I.S.
C.C.T.N.S.
etc., etc., etc.
No mass surveillance.
General laws for interception:
Indian Telegraph Act of 1885
Information Technology Act of 2000
Colonial 1885 Telegraph Act is far better than 2008 Information Technology Act.
Public Emergency | Danger to Public Safety
+
the sovereignty and integrity of India
the security of the state
friendly relations with foreign states
public order
or for preventing incitement to the commission of an offence
Colonial 1885 Telegraph Act is far better than 2008 Information Technology Act.
Public Emergency | Danger to Public Safety
+
the sovereignty OR integrity of India
defence of India
the security of the state
friendly relations with foreign states
public order
or for preventing incitement to the commission of a cognizable offence
or for investigation of any offence
Unauthorized access to communications data is not punishable per se - Arun Jaitley case
But failure to help can land you in jail for 7 years!
Even an IB officer spilling state secrets can only be imprisoned for 3 years.
What of the right against self-incrimination? (Art. 20(3))
Far worse than law: contract.
Telcos have to provide direct access to all communications data and content even without a warrant
UL: ‘bulk encryption’ of less than 40 bits prohibited
ISPL: "individuals/groups/orgs need permission of the licensor and disclosing decryption keys for all encryption above 40-bits in length"
A5/0! So EVERYONE, not just government, can intercept.
Cybercafes (but not public phone operators) are required to maintain detailed records of clients’ identity proofs, photographs and the Web sites they have visited, for a minimum period of one year.
In Data Protection and Intermediary Liability Rules:
Internet company to “provide information or any such assistance to government agencies legally authorized for investigative, protective, cybersecurity activity”.
Yes, I can't parse that sentence either.
1996 PUCL recognized need to protect citizens
Telecom licences bypass this.
Democracy cannot function without trust.
Yet, many reasons for concern.
CMS cuts out the telcos.
Not a bad idea per se
(M.A. Arun's story on Airtel)
But they act as a check:
Reliance figures (100 per day) vs. government figures (419 over months)
Cabinet Secy says: 7,000 to 9,000 phone taps are authorized or re-authorized.
Even if it took Home Secretary just three minutes to evaluate each case, it would take 15 hours each day (without any weekends or holidays) to go through 9,000 requests.
Saikat Datta said 100,000 requests.
Who can intercept?
Central Board of Direct Taxes, Intelligence Bureau, Central Bureau of Investigation, Narcotics Control Bureau, Directorate of Revenue Intelligence, Enforcement Directorate, Research & Analysis Wing, National Investigation Agency and the Defense Intelligence Agency
Three are exclusively dedicated to economic offenses.
(And no National Technical Research Organization??)
Spy vs. Spy (NTRO vs. NIC vs. IB)
Saikat Datta's Outlook stories
("These systems are frequently deployed in Muslim-dominated areas of cities like Delhi, Lucknow and Hyderabad")
NTRO: "contrary to norms, were deployed more often in the national capital than in border areas"
Kanpur
Himachal Pradesh
Arun Jaitley case
Amar Singh case
Amit Shah case
Pranab Mukherjee case
GPS + RFID tracking of vehicles
Aadhaar linking
+
many more
Data retention laws
(police + courts + telcos/ISPs)
Interception requests
(police + courts + telcos/ISPs)
Aadhaar efficacy
(failure rates)
AP Shah GoE report
Wide variety of changes needed in everything from intelligence agencies to interception to data retention to data security to minimize the harms of surveillance while maximizing benefits.