Home » , , , , , , ,

Indian Government Plans Digital Central Monitoring System – CIS India


CIS Logo

by Maria Xynou

Starting from this month, all telecommunications and Internet communications in India will be analysed by the government and its agencies. This means that everything we say or text over the phone, write, post or browse over the Internet will be centrally monitored by Indian authorities. This totalitarian type of surveillance will be incorporated in none other than the Central Monitoring System (CMS).

The Central Monitoring System (CMS)

The Central Monitoring System (CMS) may be another step in the wrong direction, especially with the lack of privacy laws to protect Indian citizens against potential abuse. Yet, all telecommunications and internet communications are to be monitored by Indian authorities through the CMS, despite the fact that it remains unclear how our data will be used.

Advertisement

The CMS was prepared by the Telecom Enforcement, Resource and Monitoring (TREM) and the Centre for Development of Telematics (C-DoT) and is being manned by the Intelligence Bureau. The CMS project is likely to start operating this month. The Information Technology Amendment Act 2008 enables e-surveillance. The government plans to create a platform that will include all the service providers in Delhi, Haryana and Karnataka creating central and regional databases to help central and state level law enforcement agencies in interception and monitoring. Without any manual intervention from telecom service providers, CMS will equip government agencies with Direct Electronic Provisioning, filter and provide Call Data Records (CDR) analysis and data mining to identify the personal information and provide alerts of the target numbers.

The estimated cost of CMS is Rs. 4 billion. It will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Research and Analysis Wing (R&AW), the Central Bureau of Investigation (CBI), the National Investigation Agency (NIA), the Central Board of Direct Taxes (CBDT), the Narcotics Control Bureau, and the Enforcement Directorate (ED). Last October, the NIA approached the Department of Telecom requesting for connection with the CMS to help it intercept phone calls and monitor social networking sites without the cooperation of telcos. NIA is currently monitoring eight out of 10,000 telephone lines and if connected with the CMS, NIA will also get access to e-mails and other social media platforms. Essentially, CMS will be converging all the interception lines at one location for Indian law enforcement agencies to access them. CMS will be capable of intercepting our calls and analyzing our data on social networking sites, and also tracking encrypted signals. Thus our attempts to protect our data from ubiquitous surveillance would be futile.

In light of the CMS installation, the Mumbai police set up a ´social media lab´ last month to monitor Facebook, Twitter and other social networking sites. Staffed with 20 police officers, this lab would keep an eye on issues being publicly discussed and track matters relating to public security. According to police spokesman Satyanarayan Choudhary, the lab will be used to identify trends among the youth to plan law and order accordingly. However, fears have arisen that the lab may be used to stifle political debate and freedom of expression. The arrest of two Indian women last November over a Facebook post during Bal Thackeray’s death was proof that the monitoring of our communications can potentially oppress our freedom and human rights. Now that all our online activities will be under the microscope, will the CMS security trade-off be worth it?

Surveillance in the name of Security

In a digitised world, threats to security have been digitised. Terrorism is considered to be a product of globalisation and the internet appears to be a tool used by terrorists. Hence governments all around the world are convinced that surveillance is probably one of the most effective methods in detecting and prosecuting terrorists. So all movement, action, interests, ideas and everything that could define an individual are closely being monitored. If everything about our existence is closely monitored and analysed, it seems likely that we will be instantly detected and prosecuted if engaged in illegal activity. But according to security expert Bruce Schneier, searching for a terrorist through data mining is like looking for a needle in a haystack. Generally, the bigger the amount of data, the bigger the probability of an error in matching profiles. Hence, when our data is being analysed through data mining, the probability of us being charged for a crime we did not commit is real. Nonetheless, CMS is going to start operating soon in an attempt to enable law enforcement agencies to tackle crime and terrorism.

A few days ago, I had a very interesting chat with an employee at SAS Institute (India) Pvt. Ltd. in Bangalore, a wholly owned subsidiary of SAS Institute Inc. SAS produces software solutions and services to combat fraud in financial services, identify cross-sell opportunities in retail. All the business issues it addresses are based on three capabilities: information management, analytics and business intelligence. Interestingly, SAS also produces social network analysis which ‘helps institutions detect and prevent fraud by going beyond individual and account views to analyze all related activities and relationships at a network dimension’. Thus, a social network analysis solution uncovers previously unknown network connections and relationships, even to a terrorist organisation enabling more efficient investigations.

According to the SAS employee I spoke to, the company provides similar analysis to Indian law enforcement agencies and aims to support the CMS project in an attempt to tackle crime and terrorism arguing that their social network analysis solution only analyzes open source data thus respecting online individual privacy. Cyber security experts have argued in favour of the Mumbai social media lab stating that the idea that the privacy of our messages and online activity would be intercepted is a misconception.

It was also argued that there is no harm in creating monitoring centres, especially since other countries, such as the U.S., are conducting similar surveillance, thus justifying it in the name of security.

CMS targeting individuals: myth or reality?

Does CMS really target us individually as the cyber security experts in India claim? Lets look at the following hypothesis:

The CMS can surveille and target individuals, if Indian law enforcement agencies have access to individuals content and non-content data and are simultaneously equipped with the necessary technology to analyse their data.

The two independent variables of the hypothesis are: (1) Indian law enforcement agencies have access to individuals´ content and non-content data, (2) Indian law enforcement agencies are equipped with the necessary technology to analyse individuals´ content and non-content data. The dependent variable of the hypothesis is that the CMS can target individuals, which can only be proven once the two independent variables have been confirmed.

However, the surveillance industry in India is a vivid reality. ClearTrail is an Indian surveillance technology company which provides communication monitoring solutions to law enforcement agencies around the world including, mass monitoring of IP and voice networks, targeted IP monitoring, tactical Wi-Fi monitoring and off-the-air interception, among others. Indian law enforcement agencies are equipped with technologies and solutions capable of targeting us individually and of monitoring our private online activity.

Shoghi Communications Ltd. is just another example of an Indian surveillance technology company. WikiLeaks has published a brochure with one of Shoghi´s solutions: the Semi Active GSM Monitoring System which can intercept communications from any GSM service providers in the world and has a 100% target call monitor rate without any help from the service provider. Indian law enforcement agencies are probably being equipped with such systems which would enable CMS to monitor telecommunications more effectively.

In general, many companies, globally, produce surveillance products and solutions for supply to law enforcement agencies around the world. However, if such technology is used solely to analyse open source data, how do law enforcement agencies expect to detect criminals and terrorists? In other words, how can they access our ´private´ online communications to define whether we are a terrorist or not?

Law enforcement requests reports published by companies, such as Google and Microsoft, confirm the fact that law enforcement agencies have access to both our content and non-content data, much of which was disclosed to Indian law enforcement agencies. The various surveillance technology companies ensure that Indian law enforcement agencies are equipped to analyse our data and match patterns.

Thus, the arguments brought forth by cyber security experts in India appear to be weak. So how does CMS also affect our human rights?

No privacy legislation currently exists in India. The telephone tapping laws in India are weak and violate constitutional protections. The Information Technology Amendment Act 2008 has enabled e-surveillance to reach its zenith, but yet surveillance projects, such as CMS, lack adequate legal backing.  All individuals can potentially be targeted and monitored, regardless of whether they have been involved in illegal activities. The following questions in regards to the CMS remain vague: Who can authorise the interception of telecommunications and Internet communications and access to intercepted data? Can data monitored by the CMS be shared between third parties and if so, under what conditions? Is data monitored by CMS retained and if so, for how long and under what conditions? Do individuals have the right to be informed about their communications being monitored and about data retained about them?

In order to ensure that our right to privacy and other human rights are not breached, parliamentary oversight of intelligence agencies in India is a minimal prerequisite. E-surveillance regulations should be enacted, covering both policy and legal issues pertaining to the CMS ensuring that human rights are not infringed.

A version of this post was published on Centre for Internet & Society, India website

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.

  • Abhimanyu R

    This line is misleading:

    “CMS will be capable of intercepting our calls and analyzing our data on social networking sites, and also tracking encrypted signals. ”

    The article linked to relates to ENCRYPTION OF TV CHANNELS by MSOs which is now mandated by law thanks to digitization etc. The CMS will (among other things) track whether everyone is adhering by not sending unencrypted signals. There is no real-time decryption happening here and in any case channels will have no issue in sharing the encryption keys since they anyway give them to every MSO.

    Today anyone with an android phone can generate a pretty solid device-level encryption which will be practically impossible to decipher using brute force computing and using other methods will not be very reliable. This is one cat and mouse game in which my money will always be on the rodent!

    • http://twitter.com/cis_india CIS

      Abhimanyu thanks for the comment! :) You´re absolutely right. I accidentally mixed up my references… My apologies for the inconvenience and thanks for clearing that up!

      Maria.

    • Soumendra

      Your sentence “an android phone can generate a pretty solid device-level encryption” does not auger well when we have a transparent network which sends authentication traffic or sms traffic or any other communication traffic in clear-text. Default implementations are almost always clear text. Most non-native Android apps and those based on HTML5 apps are still reliant on loose implementation of clear-text passwords. So, at the end of the day, most of the users will be non-tech savvy and they may not use a secure app (which typically are priced and free ones are rare in this segment) and/or fall prey to insecure and adware loaded apps. Check out the hits versus permissions required by the apps and you will learn that with so sympathy or empathy towards the permissions tab, the download numbers are highly skewed towards Free instead of secure apps.

  • PUA – SVM

    Oops Congress is preparing for its defeat in 2014!!!

    • http://www.facebook.com/armaanbhati Armaan Bhati

      And BJP will make full use of this system.

  • Samuel

    I am leaving to Finland. anybody in?

    • http://www.facebook.com/armaanbhati Armaan Bhati

      I am with you.

  • http://www.facebook.com/sandeepamar Sandeep Amar

    This is ridiculous, our country is no longer a democracy!

  • http://www.facebook.com/vibs2006 Vaibhav Agarwal

    unfortunate