Yesterday and the day before, twitter accounts of the Indian National Congress were (allegedly) hacked: first the twitter handle of its VP Rahul Gandhi, then the political party’s own twitter handle, and finally, the twitter handle of another member, Rachit Seth. At the time of writing this post, Seth’s twitter handle still appears to be inaccessible to him: the pinned tweet has an email a political supporter apparently sent to Gandhi, and other tweets appear to suggest that they have access to the party’s emails:
Congratulations on enabling 2-Step Verification for your Google Account email@example.com!
Fear, but it's too late
— Rachit Seth (@rachitseth) December 1, 2016
In tweets, the hackers (or those who have gained access to the emails) have said that they intend to publish emails online. The fact that someone was able to allegedly access details of a security measure such as two factor authentication being enabled suggests that they had access to all incoming mail, live email at that time. Email access would have allowed them to change passwords.
Email hacks are not new, especially political hacks: in the past year, we’ve seen emails of the US’s Democratic National Committee hacked and published online. I’ve had some people question how leaking of emails impacts the democratic process, suggesting that I’m overstating the impact.
Some thoughts on email hacking, and the publishing of private emails online:
1. Email leaks impact the democratic process: The notion that you shouldn’t worry about privacy if you’ve got nothing to hide is false. To those saying this, they should think about how they feel about their email records being accessible to everyone. What emails leaks do is that they rob people of privacy: It means that if there isn’t privacy, people can’t trust you.
Forget that this is about Congress. It could be any political party, including BJP. They would have internal information, ideas, comments, opinion, thoughts, plans, minutes of meeting, research, operational strategy, all exchanged on email. Colleagues might have made snarky remarks on bosses or opponents. Someone might have made a joke about an opponent. Comments made by potential funders might have been shared. Some of it would be palpable for the general public, some would not. Therefore:
– Inhibits communication: This will negatively impact how the party communicates in the future, impact operations, and whether anyone trusts their communication with them or not.
– Balance of power: What they’ve said in private mails, private messages, can have the impact of lingering. Once leaked, private emails will change the course of history, and potentially impact the balance of power: it’ll change how people view the political party or the politician. You only have to see what happens with the DNC and Hillary Clinton to understand how leaks impact perception, and this lingers. Political parties could be decimated, because private communication has been released. Because the leak/hack is selective, it advantages the opposing side, because they’re not being judged by the voter on equal terms.
– This isn’t just about politics, it could happen to anyone: In the same way, if crores of people find out that their personal communication has been made public, it does impact our country. This is why the centralised monitoring system, which collects your mobile CDRs , NATGRID, which connects your data points across multiple institutions like banks and telecom operators and Aadhaar, which links all of your data together, are major security risks for democracy, much more than just the Congress party’s email being hacked. It means that for some people, their private information, if captured and stores, can be leaked selectively to impact a process. Imagine Ratan Tata’s personal emails about Cyrus Mistry being leaked to subvert that process.
2. How does this compare with journalism? Someone asked about how this compares with journalism. If a journalist gets access to “incriminating documents about party A (via a leak from a source of that party, because that happened to be the extent of her sources, as is usually the case) and writing an expose based on those documents. Does that impact the democratic process in the same way? Should her newspaper refrain from publishing the story until an equally incriminating story is unearthed about party B, so voters can judge all parties on equal terms? The Watergate scandal would be such an example.”
-Raw data is that which is unverified. Someone could be lying in an email. With leaks, it’ll be taken as the truth. The information, when leaked is untrustworthy, which is not the case with journalism (ideally). So we can’t compare raw data with news.
– Journalists we have to be equal opportunity offenders, and get info on everyone.
– We also have to always questions the intention of the source, and with the info, trust but verify. Both stories and leaks have an impact on democracy, but journalists have to exercise judgment about whether it is news or not first, and then verify it.
The difference between Wikileaks and the Journalists who reported on them is that wikileaks dumps all the information, but journalists contextualise it, figure out what is in public interest (this is something they’re supposed to do, sometimes don’t), verify the information and the claims, and provide context. A conversation between Ratan Tata and Niira Radia about her dress was not in public interest, but others, such as over the appointment of a telecom minister, were.
Saikat Datta, a journalist who used to be the national security editor at the Hindustan Times, and has handled sensitive material, including the Radia Tapes, had this to say:
– Journalism works on the principle of public good. There is an elaborate editorial process where a news organization decides collectively to put out information after it has been vetted by editors, cross checked for accuracy, context, security of process and individuals, etc. A hacker isn’t.
– Under the PRB Act and other laws, the editor and her/his colleagues are liable, and therefore, responsible. A hacker isn’t.
– Journalism is also peer-driven, like many other professions. Once an individual or an institution loses credibility, they will find it hard to get it back. A hacker has no such compulsions.
3. Is it like theft of money? No it isn’t. There’s a difference between mere theft of money and an email dump being leaked. Theft of money of a political party might hamper their ability to get the message out, but it doesn’t negatively impact their reputation, credibility or their ability to even try and get the message out. It doesn’t affect message, only distribution. In some cases, the idea carries itself, so lack of money impacts, but not as much as a reputation hit.
4. You can’t blame this on negligence alone, given how cyber security is not akin to protecting belongings. There are layers upon layers of dependencies: it could be an email provider, a server, a hosting service provider, or merely a system that crashed because it didn’t have DDoS protection: You can spot and identify someone trying to break into a house, and stop it. You can’t stop someone accessing information with brute force attacks and algorithms. There are also issues of social engineering, where a human can leak access information. The number of hacks we see, for example, recently data from 7 Indian embassies was hacked and put online. Everyone is at risk, so we need to take such attacks seriously.
Above all, like I’ve been saying, we need a privacy law, data protection laws, and for citizens to get control over their own data.