News » National

Updated: September 9, 2013 16:21 IST

Govt. violates privacy safeguards to secretly monitor Internet traffic

Shalini Singh
Comment (13)   ·   print   ·   T  T  
Internet activities of India’s roughly 160 million users are being subjected to wide-ranging surveillance and monitoring, much of which is in violation of the government’s own rules.
The Hindu
Internet activities of India’s roughly 160 million users are being subjected to wide-ranging surveillance and monitoring, much of which is in violation of the government’s own rules.

Keyword-based monitoring can snoop in on emails, web-browsing, chat

Amid fresh controversy following reports of the U.S.’s Prism programme targeting the Brazilian President, and the impending launch of the Indian government’s own Central Monitoring System (CMS) project, an investigation by The Hindu reveals that the Internet activities of India’s roughly 160 million users are already being subjected to wide-ranging surveillance and monitoring, much of which is in violation of the government’s own rules and notifications for ensuring “privacy of communications”.

While the CMS is in early stages of launch, investigation shows that there already exists — without much public knowledge — Lawful Intercept and Monitoring (LIM) systems, which have been deployed by the Centre for Development of Telematics (C-DoT) for monitoring Internet traffic, emails, web-browsing, Skype and any other Internet activity of Indian users.

Secret monitoring

While mobile operators deploy their own LIM system, allowing “interception” of calls by the government, only after checking “due authorisation” in compliance with Section 5(2) of the Indian Telegraph Act read with Rule 419(A) of the IT Rules, in the case of the Internet traffic, the LIM is deployed by the government at the international gateways of a handful of large ISPs. The functioning of these secretive surveillance systems is out of reach of these ISPs, under lock and key and complete control of the government.

Following the leak of the Amar Singh tapes, the government had notified safeguards on February 7, 2006 for monitoring Internet traffic titled “Instructions for ensuring privacy of communications”, which mandates all ISPs to have “designated nodal officers” for communicating and receiving the “intimations for interceptions”. Nodal officers are required to hold meetings with the government to “seek confirmation regarding their (interception orders) authenticity every 15 days”. The safeguards include the need for 24x7 availability of “nodal officers”, and a procedure for monitoring traffic during “exceptions in emergent cases”.

However, in reality, these safeguards stand violated for the most part. This is because a majority of the Indian ISPs neither have the government’s LIM system installed nor do they have functional nodal officers — and, as a result, the ISP-level mandatory check for authenticating government’s monitoring orders to protect user privacy is absent. In effect, all Internet traffic of any user is open to interception at the international gateway of the bigger ISP from whom the smaller ISPs buy bandwidth.

Even where the LIM exists, the process of seeking authentication by nodal officers exists mostly on paper. Since the government controls the LIMs, it directly sends software commands and sucks out whatever information it needs from the Internet pipe without any intimation or information to anyone, except to those within the government who send the Internet traffic monitoring commands. No ISP confirmed as to whether they had ever received an “authorization” letter for interception or monitoring of Internet content.Further, unlike mobile call interception safeguards, where only a pre-specified, duly authorized mobile number is put under “targeted surveillance”, to prohibit misuse, in the case of Internet traffic, the government’s monitoring system, which is installed between the ISPs Internet Edge Router (PE) and the core network, has an “always live” link to the entire traffic. The LIM system, in effect, has access to 100% of all Internet activity, with broad surveillance capability, based not just on IP or email addresses, URLs, fttps, https, telenet, or webmail, but even through a broad and blind search across all traffic in the Internet pipe using “key words” and “key phrases”.

In practical terms, this would mean that security agencies often launch a search for suspicious words such as “mithai” (sweets) — a code often used by extremist organizations to describe an explosive. However since the monitoring is broad, blind and based on “key word” or “key phrase”, the LIM system, using “text search”, “check some search”, “serial scanning”, “wildcard search” software commands, etc., monitors the entire Internet pipe indiscriminately for all traffic of every and any Internet user for as long as it desires, without any oversight of courts and without the knowledge of ISPs.

This monitoring facility is available to nine security agencies including the IB, the RAW and the MHA. It is unclear whether future safeguards promised for CMS exist while monitoring Internet traffic today.

Though it is presumed that the provisions of Rule 419(A) are followed, no one within the government or the ISPs was willing to reveal as to who sends the “intimation for interception”, or who checks its authentication and who implements it, especially since the search is made on the basis of “keyword” across all traffic rather than a specified targeted surveillance.

so how have they broken HTTPS? That would be my first concern.

from:  Nilesh Trivedi
Posted on: Sep 11, 2013 at 14:26 IST

Not surprised at all. The current definition for the government in India is 'institutions that does NOT do anything that they are supposed to do and does everything that they are NOT supposed to do'! Look at how the RTI Act has been subverted and Adhaar has been thrust upon hapless citizens when developed countries like the US of A (having one fifth of our population and the richest country in the world!) have given up such programs due to privacy and cost issues!

from:  P M Ravindran
Posted on: Sep 10, 2013 at 08:55 IST

National security always come first than citizens privacy.

from:  Ishwar
Posted on: Sep 9, 2013 at 16:15 IST

I guess this is the very reason why we never heard any strong protest
about the PRISM programme carried out by the USA by any of Indian
official. This act of compromising privacy with impunity under the
shroud of national security is very violative of the fundamental rights
provided to the citizen. However its necessity can not be denied. But a
confidence building measure should be put in place before resorting to
such practices.

from:  Shashank Kumar Pandey
Posted on: Sep 9, 2013 at 15:22 IST

It is just like shaking the hands with the US. But more surprising thing is that no media has given attention to this matter when Ed. Snowden blows the whistle of worldwide US blanket surveillance.
This kind of completely biased news coverage has become a threat to the socio-politcal progress of India.

from:  kakati
Posted on: Sep 9, 2013 at 15:22 IST

With the Big Data problem and the lack of any credible filtering
software, all this surveillance will only enable mindless data
collection. Unfortunately one possible misuse of all that data could
result in framing innocents. Any word, phrase or action done in the past
can be used to paint anyone in a bad light and be used to subject the
victim to incarceration. This is exactly what's been happening in the US
and now the Indian Govt is following suit.

from:  Derek D
Posted on: Sep 9, 2013 at 12:45 IST

In the absence of any transparent policy on such monitoring, we are creating a "giant" in the name of safeguarding the population. If history teaches us anything, there is every possibility of this information being misused at some point of time, if not always. Don't we remember how uncomfortable we felt when the invigilator stood behind us, watching our paper? Unfortunately, all these are being implemented without any meaningful public or legislative debates!

from:  Sandy
Posted on: Sep 9, 2013 at 11:41 IST

None can deny the right of a government, which is faced with various
security related problems, to monitor internet activities under CMS.
However what is worrying is the near non-existence of laws governing
these activities. The way "The Hindu" has compared the mobile &
internet monitoring systems put in place by the Government, shows
clearly the need of wide-ranging reforms in the internet monitoring
system. Here one thing must be born in mind that privacy of citizens
and national security are needed to be balanced with each other &
former cant be completely ignored for the later. So the need of the
hour is to ensure ISP-level monitoring a foolproof activity so as to
make it an actual tool to serve the national security and not merely
as an encroachment in user's privacy as we have recently seen in the
Delhi metro's CCTV- leakage case which only brought a bad name to all
stakeholders. So it is better to pre-empt it before things of this
sorts get distorted.

from:  vinayak singh
Posted on: Sep 9, 2013 at 11:16 IST

In the name of security, constitutional rights are eliminated one by one. Instead of becoming more and more open society, it is getting more and more closed society. Welcome to the modern police state!

from:  KVR
Posted on: Sep 9, 2013 at 03:05 IST

Whatever America does, India does.

from:  irfan iftekhar
Posted on: Sep 9, 2013 at 02:16 IST

This is just outrageous.
Much more than what Ed Snowden has shown is being done by NSA and CIA
in the US. I thank The Hindu for bringing this out hoping that you
will publicise this as much as possible and this remains a front-page
material for many days.

We do not have any lack of corrupt police officials or politicians in
this country. In a place where fake encounters are common simply on
the basis of suspicion, just imagine what this framework can do to
millions of innocent citizens. I'm sure if you scan someone's emails
for the last 5 years, it won't be difficult to find some 'keywords'
sufficient enough to implicate the said person in any
criminal/terrorist activity.

from:  Prashant
Posted on: Sep 9, 2013 at 02:12 IST

As an Indian citizen I don't mind if my govt watches me.... if it reduces crime in my country. .

from:  Joe
Posted on: Sep 9, 2013 at 01:17 IST

There would be negligible furore expected over this issue. Indian security agencies had real tough time handling various threat all over the country. It's a justified move unless not against an individual for personal gains. We may not see similar reactions in India, as it happened in USA.

from:  Ankit Amartya
Posted on: Sep 9, 2013 at 00:51 IST
Show all comments
This article is closed for comments.
Please Email the Editor

Tamil Nadu

Andhra Pradesh

Other States






Recent Article in National

The Karnataka High Court had given a clean chit to Ms. Jayalalithaa (in picture) and three others on May 11, clearing them of all charges in the 19-year-old case, helping her to return as Chief Minister of Tamil Nadu.

KPCC legal cell against filing appeal in SC

Department Chairman says Karnataka "has no interest in the outcome of the trial". »