by Saikat Datta

Milind Deora

Update: The Press Trust of India reports that the government has set up entralised data centres in Delhi and Bengaluru while servers have been installed at locations of telcos as part of its Centralized  Montioring System (CMS). The report, attributing to government sources, said that centralised data centre (CMC), Delhi and disaster recovery site at Bengaluru has been completed and testing is in progress for the surveillance systems.

Earlier: The National Democratic Alliance government is reportedly placing on the fast track a project to intercept phone and internet communication. Called the Central Monitoring System, it was conceptualised in 2011 a few months after the infamous Radia Tapes controversy hit the headlines and created a furore. Embarrassed by the leakage of the tapes, the United Progressive Alliance government swung into action to create a system that could safely intercept phone calls, emails and other forms of communication without the telecom or internet service provider getting to know about it.

Milind Deora was the Minister of State for Communications and Information Technology in the UPA government when the CMS was conceptualised. By the time the NDA government took over on May 26, 2015, the Central Monitoring System was well into the implementation stage.

With reports that the Modi government wants to speed up the implementation of Central Monitoring System, Scroll.in spoke with Deora about its architecture and privacy safeguards. He admitted that the system could be misused in the absence of a privacy law.

Here are some excerpts from the conversation.

Why and when was the CMS created?

CMS was envisioned as a means to do away with the involvement of the TSP (Telecom Service Provider) so that there weren’t any leakages in the system. This means there would be one less person in the process and any lawful interception of phone calls could be conducted safely. There are variations of the CMS in other countries and we should look at it as a technical upgrade of the current lawful interception system.

What are the technical aspects of the CMS?

During our time we were looking at using the CMS for intercepting voice communications only. In subsequent phases we could have looked at email or VOIP (Voice over Internet Protocol) or other forms of electronic communication. But for now, our government wanted to ensure that if we are tapping into, say, the communications of a terrorist, there shouldn’t be any leakages and they shouldn’t get alerted. The TSPs have been asked to connect their NOCs (Network Operations Centre) to a central, government-controlled location and their nodal officers and personnel will no longer have any access to the intercepted communication or even get to know who is being tapped, as far as I remember.

Who are the principal stakeholders of the CMS?

It was a project that was being implemented by the DoT (Department of Telecommunications) under the MoCIT (Ministry of Communications and Information Technology) with the Ministry of Home Affairs playing a major role in it. The other stakeholders would have to be the TSPs (Telecom Service Providers) and the telecom users who could be the target of the lawful interception. In the future the ISPs (Internet Service Providers) and email providers would also become a stakeholders in the CMS.

What are the safeguards to protect the misuse of the CMS?

The system has many advantages. It ensures complete secrecy of the lawful interception after it has been authorised by the Union Home Secretary. Now the authorised government official does not need the TSP to set up a lawful intercept from their NOCs. Instead, the official can cut across TSPs and conduct the lawful interception from a central location or even remotely if the facility is set up in another city. This helps you centrally monitor that no unlawful interception is taking place, which would show up in the central location if it was being done, and ensure complete protection to the citizens.

But when I was a minister I also realised it is not a perfect system. It may ensure lawful interception, but it cannot determine if a person is being targeted for reasons other than national security. I realised that unless we have a strong privacy bill with adequate safeguards, it will be difficult to protect the technically lawful, but malicious use of the CMS. The privacy law should be used to prevent such a misuse and also penalise anyone who indulged in such an interception.

But how will citizens know their privacy has been breached if the CMS is shrouded in secrecy?

We need to study the system in other countries and the varying degrees of safeguards they have to prevent the second kind of misuse. We never had that debate in the government and the government of the day must address these issues. (In my view), we need to see how much transparency we can introduce into the system while we keep in mind the needs of the security agencies to protect national security.

But it has been learnt that security agencies are opposed to the Privacy Bill putting a check on their activities. What steps do you suggest to ensure citizens are safe as well?

CMS is a powerful tool and in a democracy there must be some safeguards to protect citizens and their privacy. I believe that one has to allow the agencies the freedom to operate, but there are laws, warrants and other checks and balances in other countries that we must look into. Groups like the Electronic Frontier Foundation (EFF) in the U.S has done a lot of work to ensure there is a greater push towards transparency while conducting lawful surveillance. I think we should be moving in that direction.

Saikat Datta is a senior fellow with the National Law University, Delhi.

Copyright (C) 2015, Scroll.in. Crossposted from here with permission from Scroll.in.

Image credit: Milind Deora’s Twitter account