Big brother is watching you

Big brother is watching you

Imagine: An HIV positive woman calls a help-line from an ISD/STD booth. The booth operator can get to know who she called, when and for how long. But he would not have any idea on who she is or where she lives.

Now, instead of a phone call, imagine that she uses a cyber café to seek help on a website for HIV positive people. The cyber-cafe operator would have a copy of her ID – remember that many ID documents have phone numbers and addresses. He may then take her photograph using his own camera. One can only hope that he will take only a mug-shot without using the zoom lens inappropriately. He would also use a software – to log her Internet activities and make a reasonable guess on her HIV status.

The average Facebook page may have 50 different URLs to display the various images, animations and videos that are linked to that page. Each of those URLs would be stored, regardless of whether she scrolls down to see any of them.

The cyber-cafe operator is obliged under the Cyber Cafe rules to store this information for a period of one year. But there are no clear guidelines on when and how he should dispose of these logs. An unethical operator could leak the logs to a marketeer, a spammer, a neighbourhood Romeo or the local moral police. A careless operator maybe vulnerable to digital or physical theft and before you know it, such logs could end up on the Internet.

Ever since 26/11, cyber-cafes in metros have been photocopying ID documents – but so far not a single terrorist attack has been foiled or a crime solved thanks to this highly intrusive measure. But despite the lack of evidence to prove the efficacy of the current levels of surveillance, the government has decided to expand them exponentially.

Imagine again: A media organisation such as Deccan Herald is investigating a public interest issue with the help of a whistle-blower or an anonymous informant. Deccan Herald reporters may think that by turning the encryption on when using Gmail or Hotmail they are protecting their source.

But the ISP serving Deccan Herald is obliged by the license terms to log all traffic be it broadband, dial-up or mobile users passing through it. Again, there are no clear guidelines on when to delete these logs and none of the Indian ISPs publicly publish a data retention policy. Besides retaining data, the ISPs have to install real-time surveillance equipment within their network infrastructure and make them available for government officials. If a government official wants to track who is talking to Deccan Herald reporters, he just has to ask.  

With ISPs and online service providers – all the police have to do is send an information request under Section 92 of the Code of Criminal Procedure. In other words, they don't even have to bother about a court order. Between January 2010 to June 2010 Google received 1,430 information requests from India.  Many other companies, for example, Microsoft, are not as transparent as Google about the state surveillance. So we will never know what they are subjected to.

If the whistle-blower was using Blackberry, all traffic would be transferred from the device to the RIM's Network Operation Centre situated outside India in an encrypted tunnel before it travels onto the Internet. This prevents the government from learning which mail server is being used from the logs and surveillance equipment at the ISP premises. And that is why the government has been engaged in a five-year long public fight with RIM over access to Blackberry traffic.

Now, thanks to the IT Act, the government can demand the service providers, including RIM, to hand over the decryption keys by accusing any individual of a variety of vague offenses -- for example engaging in communication that is ‘grossly harmful’ or ‘harms minors in any way’ –  under the IT Act. Refusal to hand over the keys is punishable with a jail term of three years.

Finally, imagine that an Indian enterprise is developing trade-secrets or handling trade-secrets on behalf of their international partners. This enterprise is using a VPN or virtual private network for confidential digital communication. As per the ISP license all encryption above 40-bit is only permitted with written permission from DoT along with mandatory deposit of the decryption key.

In the age of wire-tap leaks, only a miniscule minority of international business partners would trust the government of India not to leak or misuse the keys that have been deposited with them. Most individuals, SMEs and large enterprises routinely use encryption higher than 40 bit strength. For example, Gmail uses128 bit and Skype uses 256 bit encryption. Many services use dynamic encryption, that is generate  different keys for each session.

So far I have not heard of anyone who has actually secured permission or deposited the keys. In other words, the Indian enterprise has two choices – either break the law to protect business confidentiality or obey it and lose clients.

The IT Act (Amendment 2008) and its associated Rules, notified in April this year are a massive expansion of blanket surveillance on ordinary, law-abiding Indians. They represent a paradigm shift in surveillance and a significant dilution in privacy protections afforded to citizens under the Telegraph Act.

This has terrifying consequences for our plural society, free media and businesses. Department of Information Technology in particular Dr. Gulshan Rai's office has so far only brushed aside these concerns and denied receiving feedback from the industry and civil society. If our media continues to ignore this clamp down on our civil liberties, we will soon have to furnish ID documents before purchasing thumb drives. After all, Bin Laden was found using them in his Abbottabad home.

(The writer is executive director, Centre for Internet and Society.)

DH Newsletter Privacy Policy Get top news in your inbox daily
GET IT
Comments (+)