(Continued from Page 1)

This is because a majority of the Indian ISPs neither have the government’s LIM system installed nor do they have functional nodal officers — and, as a result, the ISP-level mandatory check for authenticating government’s monitoring orders to protect user privacy is absent. In effect, all Internet traffic of any user is open to interception at the international gateway of the bigger ISP from whom the smaller ISPs buy bandwidth.

Even where the LIM exists, the process of seeking authentication by nodal officers exists mostly on paper. Since the government controls the LIMs, it directly sends software commands and sucks out whatever information it needs from the Internet pipe without any intimation or information to anyone, except to those within the government who send the Internet traffic monitoring commands. No ISP confirmed as to whether they had ever received an “authorization” letter for interception or monitoring of Internet content.Further, unlike mobile call interception safeguards, where only a pre-specified, duly authorized mobile number is put under “targeted surveillance”, to prohibit misuse, in the case of Internet traffic, the government’s monitoring system, which is installed between the ISPs Internet Edge Router (PE) and the core network, has an “always live” link to the entire traffic. The LIM system, in effect, has access to 100% of all Internet activity, with broad surveillance capability, based not just on IP or email addresses, URLs, fttps, https, telenet, or webmail, but even through a broad and blind search across all traffic in the Internet pipe using “key words” and “key phrases”.

In practical terms, this would mean that security agencies often launch a search for suspicious words such as “mithai” (sweets) — a code often used by extremist organizations to describe an explosive. However since the monitoring is broad, blind and based on “key word” or “key phrase”, the LIM system, using “text search”, “check some search”, “serial scanning”, “wildcard search” software commands, etc., monitors the entire Internet pipe indiscriminately for all traffic of every and any Internet user for as long as it desires, without any oversight of courts and without the knowledge of ISPs.

This monitoring facility is available to nine security agencies including the IB, the RAW and the MHA. It is unclear whether future safeguards promised for CMS exist while monitoring Internet traffic today.

Though it is presumed that the provisions of Rule 419(A) are followed, no one within the government or the ISPs was willing to reveal as to who sends the “intimation for interception”, or who checks its authentication and who implements it, especially since the search is made on the basis of “keyword” across all traffic rather than a specified targeted surveillance. No government official or ISP was willing to go on record to provide any details as to how such Internet traffic interception ensures compliance with the law, or how an average citizens’ privacy relating to their Internet activity is protected.