Last weekend, even as the world was reeling from the shocking expose on the National Security Agency’s clandestine surveillance programme, Prism, the Indian wing of the hackers’ collective Anonymous announced a multi-city protest against what they termed “the Indian prism”.
Though the protests did not take off here, the issue they were raising is one that has defenders of online privacy and Internet freedom crying foul. Their contention is that the Centralised Monitoring System (CMS), which reportedly went operational this April, facilitates a “Prism-like” project that allows the government to snoop on phone calls, mobile and Internet traffic.
But is CMS the ‘Big Brother’ project that it’s being made out to be? Maybe. Maybe not. The fact is that till date, the actual nature of the programme remains a top secret. There is very little in the public domain that sheds light on the project itself, let alone what kind of monitoring it entails, what type of data it attempts to tap, collect or analyse, the technological aspects, and limitations and safeguards.
For starters, there is little clarity on whether the CMS deals with Internet traffic. Recently, at a Google Hangout, Union Communications Minister Milind Deora spoke about CMS as a system that only intercepts phone data; it allows the government to directly access phone data of suspects (based on other intelligence sources) without having to approach the telecom service provider each time. His argument was that far from being an invasion of privacy, the intention was to protect the privacy of individuals from private companies (telecos).
Nowhere does he mention monitoring of Internet traffic, even as he clarifies that CMS was an afterthought to the ‘leak’ in the corporate lobbyist Niira Radia phone tapping case, which had industrialist Ratan Tata taking the government to court.
What we know
First talked about shortly after the 2008 Mumbai terrorist attacks, CMS was touted as a one-stop solution to the “decentralised nature” of intelligence gathering in the country. Developed by the Department of Telecommunications’ Telecom Enforcement, Resource and Monitoring (TREM) Cell along with the Centre for Development of Telematics, the Rs. 170 crore facility reportedly has a large server in Delhi.
Again, there is little known about the technical capabilities of this facility.
The only known official word on the nature of content that will be monitored here is in the form of a 2009 reply in the Rajya Sabha, where the then IT Minister Gurudas Kamat explained that CMS would monitor communications on mobile phones, landlines and the Internet in the country.
He said that this was in the interest of protecting secrecy of the system as it does away with “manual interventions”, instead “these functions will be performed on secured electronic link and there will be minimum manual intervention.” It was clarified that the interception would be real time or “instant as compared to the existing system which takes a very long time”.
The stated benefits of this, according to the Rajya Sabha transcripts uploaded on the PIB site, were to create central and regional database to help central and State enforcement agencies in interception and monitoring, eliminating “manual intervention” by telecom service providers enabling “direct electronic provisioning”, “filter and alert creation on target numbers”, and analysis of call data records and data mining.
But, how is this remarkably different from what’s already being done now?
“The promise is that the entire operation will enable intelligence gathering to be much faster. It isn’t that all this data can’t be accessed now; [with CMS] the process of accessing this will be in real time. At least that’s what is being promised,” says a senior government official.
Further, the official argues, law enforcers have to go through the regular processes of getting permission, either from the Home Ministry or the courts, for any interception. “Technically, this does little more than make the actual process of accessing the information faster. Also, the telecom service providers now don’t have to be consulted every time a surveillance request must be made, as that part will be centralised.”
Where’s the debate?
Critics of this project do not buy the government’s line that the project is necessary to protect them from private players. The biggest sore point is the fact that there is neither public information on CMS nor has a debate been called for before it is implemented. Further, they point out that in the absence of laws on privacy, such a project could lead to “gross violations of individual liberty”.
Says Pranesh Prakash, lawyer with the Centre for Internet and Society, “The biggest problem with the centralised monitoring system is that it is being introduced without any public discussion or mechanism of parliamentary accountability, as though issues of the nation’s security and incursions into individual privacy should not concern us.”
That the CMS could involve a monitoring system that keeps tabs on, harvests and applies analytics to user metadata or simply snoops on Internet traffic is not altogether inconceivable. Take for instance, tenders called for similar Internet monitoring programmes by States including Karnataka, Maharashtra and Assam.
A public tender called by the special branch of the Assam police, uploaded on tech news portal NextBigWhat, calls explicitly for the kind of monitoring system that privacy activists have been warning about. The tender calls for creating an “automated system” with Internet monitoring solutions, where the “deployment architecture” will include “10 GB probes deployed [on] ISP premises, strategically or tactically deployed at various tapping points in the ISP network”.
The document, in its mission brief, states that each Internet service provider (ISP) site shall host at least one aggregation server for all the probes, where the information will be collated and transferred to a master aggregation server. The aim, it clarifies, is to “collect, filter and analyse data” in real time.
On metadata, the document states that the information must be retained for at least a year; and clearly states that it should be able to monitor unstructured content such as emails, chats and transcribed call logs.
Mr. Prakash says: “The tenders floated by various State governments, including Assam, Delhi and Karnataka, show that State-level surveillance might even exceed central-level surveillance, and these ‘Internet monitoring systems’ are just as worrisome and they too lack public accountability.”