CIS LogoAnd what do the latest Spy Files mean for India?

Spy Files reveal data about Indian law enforcement agencies that are interested in surveillance and companies that are interested in selling and/or buying the latest spy gear.  This is important for three main reasons:

1. The Central Monitoring System (CMS)

2. Is any of this surveillance even legal in India?

3. Can such surveillance result in the violation of human rights?

Spy Files 3 and the Central Monitoring System (CMS)

Following the Mumbai 2008 terrorist attacks, the Telecom Enforcement, Resource and Monitoring (TREM) cells and the Centre for Development of Telematics (C-DOT) started preparing the Central Monitoring System (CMS). As of April 2013, this project is being manned by the Intelligence Bureau, while agencies which plan to have access to it include the Research & Analysis Wing (RAW) and the Central Bureau of Investigation (CBI). ISP and Telecom operators are required to install the gear which enables law enforcement agencies to carry out the Central Monitoring System under the Unified Access Services (UASLicense Agreement.

The Central Monitoring System aims at centrally monitoring all telecommunications and Internet communications in India and its estimated cost is Rs. 4 billion. In addition to equipping government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers, the CMS will also enable Call Data Records (CDR) analysis and data mining to identify personal information of the target numbers. The CMS supplements regional Internet Monitoring Systemssuch as that of Assam, by providing a nationwide monitoring of telecommunications and Internet communications, supposedly to assist law enforcement agencies in tackling crime and terrorism.

Targeted and mass surveillance through the CMS not only raises serious questions around its legality, but also creates the potential for abuse of the right to privacy and other human rights. Interestingly enough, Indian law enforcement agencies which attended last years’ ISS World trade shows are linked to the Central Monitoring System. The list of attendees also includes India’s Intelligence Bureau, which is manning the CMS, as well as the agencies whichwill have access to the CMS: the Central Bureau of Investigation (CBI), the Research and Analysis Wing (RAW), the National Technical Research Organization (NTRO) and various other state police departments and intelligence agencies.

Furthermore, Spy Files 3 entail a list of last years’ ISS World security company attendees, which includes several Indian companies. Again, interestingly enough, many of these companies may potentially be aiding law enforcement with the technology to carry out the Central Monitoring System.

Spy Files 3 and the legality of India’s surveillance technologies

ClearTrail Technologies’ brochure -the only leaked document on Indian surveillance technology by the latest Spy Files states that the company complies with ETSI and CALEA regulations. While it’s clear that the company complies with U.S. and European regulations on the interception of communications to attract more customers in the international market, such regulations don’t really apply within India, which is also a part of ClearTrail’s market. Notably enough, ClearTrail does not mention any compliance with Indian regulations in its brochure.

The Indian Post Offices Act does not cover electronic communications and the Indian Wireless Telegraphy Act lacks procedures which would determine if surveillance should be targeted or not. Neither the Indian Telegraph Act nor the Information Technology(AmendmentAct cover mass surveillance, but are both limited to targeted surveillance. Moreover, targeted interception in India according to these laws requires case-by-case authorization by either the home secretary or the secretary department of information technology. In other words, unauthorized, limitless, mass surveillance is not technically permitted by law in India.

The Indian Telegraph Act mandates that the interception of communications can only be carried out on account of a publicemergency or for public safety. However, in 2008, the Information Technology Act copied most of the interception provisions of the Indian Telegraph Act, but removed the preconditions of public emergency or public safety, and instead expanded the power of the government to order interception for the “investigation of any offense”.

While these laws allow for the interception of communications and can be viewed as widely controversial, they do not technically permit the mass surveillance of communications. ClearTrail’s products which enable the mass interception of IP networks, lack legal backing. India also currently lacks privacy legislation which would regulate data retention, which means that data collected by ClearTrail could potentially be stored indefinitely.

Data retention requirements for service providers are included in the ISP and UASL licenses and, while they clarify the type of data they retain, they do not specify adequate conditions for data retention. Due to the lack of data protection legislation in India, it remains unclear how long data collected by companies, such as ClearTrail, would be stored for, as well as who would have authorized access to such data during its retention period, whether such data would be shared with third parties and disclosed and if so, under what conditions.

Spy Files 3 and human rights in India

The latest Spy Files confirm that the same agencies involved in the development of the Central Monitoring System (CMS) are also interested in the latest surveillance technology sold in the global market.

Privacy protects us from abuse from those in power and safeguards our individuality and autonomy as human beings. If we are opposed to the idea of the police searching our home without a search warrant, we should be opposed to the idea of our indiscriminate mass surveillance. After all, mass surveillance – especially the type undertaken by ClearTrails products – can potentially result in the access, sharing, disclosure and retention of data much more valuable than that acquired by the police searching our home. Our credit card details, our photos, our acquaintances, our personal thoughts and opinions, and other sensitive personal information can usually be found in our laptops, which potentially can constitute much more incriminating information than that found in our homes.

And most importantly: even if we think that we have nothing to hide, it’s really not up to us to decide: it’s up to data analysts. While we may think that our data is “harmless”, a data analyst linking our data to various other people and search activities we have undertaken might indicate otherwise.

Five years ago, a UK student studying Islamic terrorism for his Masters dissertationwas detained for six days. The student may not have been a terrorist, but his data said this: “Young, male, Muslim… who is downloading Al-Qaeda’s training material” – and that was enough for him to get detained. Clearly, the data analysts mining his online activity did not care about the fact that the only reason why he was downloading Al-Qaeda material was for his Masters dissertation. The fact that he was a male Muslim downloading terrorist material was incriminating enough.

This incident reveals several concerning points: The first is that he was clearly already under surveillance, prior to downloading Al-Qaeda’s material. However, given that he did not have a criminal record and was “just a Masters student in the UK”, there does not appear to be any probable cause for his surveillance in the first place. Clearly he was on some suspect list on the premise that he is male and Muslim – which is a discriminative approach. The second point is that after this incident, it is likely that some male Muslims may be more cautious about their online activity – with the fear of being on some suspect list and eventually being prosecuted because their data shows that “they’re a terrorist”. Thus, mass surveillance today appears to also have implications on freedom of expression. The third point is that this incident reveals the extent of mass surveillance, since even a document downloaded by a Masters student is being monitored.

This case proves that innocent people can potentially be under surveillance and prosecuted, as a result of mass, indiscriminate surveillance. Anyone can potentially be a suspect today, and maybe for the wrong reasons. It does not matter if we think our data is “harmless”, but what matters is who is looking at our data, when and why. Every bit of data potentially hides several other bits of information which we are not aware of, but which will be revealed within a data analysis. We should always have something tohide, as that is the only way to protect us from abuse by those in power.

In the contemporary surveillance state, we are all suspects and mass surveillance technologies, such as the ones sold byClearTrail, can potentially pose major threats to our right to privacy, freedom of expression and other human rights. And probably the main reason for this is because surveillance technologies in India legally fall in a grey area. Thus, it is recommended that law enforcement agencies in India regulate the various types of surveillance technologies in compliance with the International Principles on Communications Surveillance and Human Rights.

Spy Files 3 show us why our human rights are at peril and why we should fight for our right to be free from suspicion.

A version of this post was published on Centre for Internet & Society, India website

(c) Centre for Internet and Society 2013

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.