Big brother, smaller siblings watching you

Big brother, smaller siblings watching you

 The request was simple, though against the norm, she obliged.  But to her misfortune the former colleague was on a conference call with a friend, when he made the request using the same phone. To her double misfortune, the colleague's friend's phone, which was at the other end of the conference call, had been tapped by police.

 The entire conversation was recorded and she was sacked.

The recent spat between Blackberry-maker RIM and central government has brought to limelight widespread interception of private communication by government agencies.

 “Several security agencies can walk into any mobile or Internet service provider and walk out with any information they want. They won’t stop until they get similar access to communication sent through Blackberries,” said a senior executive of a mobile operator in Maharashtra.

 Information gathered by Deccan Herald shows that voice calls, sms, emails, chats, browsing details and other forms of electronic communication are routinely monitored and intercepted by Government authorities. Your private calls to a friend, the mp3 files you download on the sly, dirty pictures you view when none is around, mid-night chats you indulge in with exciting strangers, sms you send to your girl friend, confidential email you send to your sister – everything is vulnerable to the prying eyes of the government.

 Alarmingly, this correspondent also came across several instances of service providers’ employees accessing personal communication of subscribers without authorization. Given the sensitivity of the subject, very few executives were willing speak on record.

“All countries have a legitimate interest in monitoring these activities for security reasons. But what is probably unique in India is the ingenious bureaucratic machinery that has come about to carry out interceptions,” said the Maharashtra executive.

A long list of security agencies – literally, the who’s who of enforcement – comprise the first wheel of the interception machinery: State police, Intelligence Bureau, Narcotics Control Bureau, Directorate of Enforcement, Central Economic Intelligence Bureau, Directorate of Revenue Intelligence, Income Tax Department, Central Bureau of Investigations, Directorate of Signal Intelligence (in sensitive areas of the country) and TERM, DoT.

A request for interception can come from any of these agencies. The state police is said to be the most prolific user of the interception machinery, though others do not seem to be way behind. The request to tap lobbyist Nira Radia’s phone, which eventually led to the recording of her conversation with IT and Communications minister A Raja, came from the Income Tax department.

‘Nodal officers’, appointed by service providers in each telecom circle, are the second wheel. They provide the information security agencies need: call content, subscriber details, location of calls, call data records, browsing details, chatting transcripts, emails, attachments...

Nodal officers are available to security agencies round-the-clock, attend fortnightly meetings with them and are rewarded with appreciation letters by grateful superintendents of police. If service providers do not comply with the interception requests, they can be penalised. The performance of the nodal officers is partly assessed by how effectively they help their companies avoid penalties.  

Whatever you do with your mobile or on Internet, can be captured and handed over to security agencies. Handing over this information is a relatively simple affair, technically speaking. If the police need any call or browsing related information, a document similar to the monthly bill you get is generated and handed over to the police.

“Most people get adventurous online, thinking they are covered with a cloak of anonymity. In reality, they are as exposed as the Emperor who wore nothing,” said the Maharashtra executive.

Intercepting voice calls is also a cake walk. The targeted subscriber’s calls are diverted to a parallel number with a police officer, who will then get to listen to the suspects’ conversations as they happen. Even if the police officer is in an area with a lot of background noise, the suspect will not notice anything unusual, thanks to the noise cancellation technology.

“The government wants a similar system of monitoring and interception with Blackberry as well”, said the Maharashtra mobile executive.

Interceptions are fragmented by telecom circles and further segmented by service providers. Hence, it is hard to keep count of the total number of calls being intercepted in the country at any given time. A senior police officer Deccan Herald spoke to was not sure of the total number of intercepted calls, but assumed that the number was being aggregated somewhere!

A nodal officer from Bihar circle said he received up to the 200 requests from security agencies in a month. The number of requests depend on the crime rate in the region and varies from circle to circle, he added.  With the growing use of mobiles, police are increasingly calling upon service providers to assist in their investigation.

Dr Pushkar Raj of People's Union for Civil Liberties (PUCL) says, “Interceptions are being carried out more widely than you and I think.” “PUCL has no problem in police tapping the phones of terrorists. But interceptions have spilled over to watch human rights activists,” he adds.   

Former DGP of Karnataka Sri Kumar dismisses the notion of widespread interceptions. “Tapping telephones is a time-consuming job. Police do not have the resources to engage in large-scale interceptions,“ he points out.  Sri Kumar says he might have asked for interceptions ‘half-a-dozen times” in his 37 years of police work.

Interceptions are subject to clear government guidelines. Requests have to be usually approved by union or state home secretary. But during emergencies an officer of the rank of Inspector General of Police can request interception for seven days, which can be extended up to 60 days if approved by the Home Secretary.  Suspects can be intercepted for a maximum period of six months.  

Service providers say the procedure is generally followed, but with significant exceptions. “We get interception requests saying paper work will follow, which do not eventually materialise, in many cases,“ said the Maharashtra mobile executive. “Even if there is a breach of procedure, we are forced to oblige to ensure a smooth working relationship with police,” he said.

More importantly, civil rights advocates say the procedures make interceptions an internal affair of bureaucracy. As they are exercised outside judicial or any other independent supervision, they are prone to abuse by rogue cops.

Leading criminal lawyer Nanditha Haksar used a memo written by K K Paul, a special commissioner of intelligence, in her defence of Parliament-attack accused S. A. R. Geelani. The memo took note of mobile operators’ complaints that private individuals were misusing police contacts to tap phone calls of "opponents in trade or estranged spouses".

Senior police officers in different states have been charged with serious crimes ranging from murder to extortion. Activists say the power to intercept at will is a handy tool to a rogue officer.

But Sri Kumar says there are enough safeguards within the system to prevent abuse. “The officer who requests interception is not the one who approves.  All interceptions are monitored by a review committee.”

Sri Kumar admits he himself has investigated and punished cases of rogue interceptions by police, but says the rate of such incidents is “not alarming”. “Hang those who misuse, but do not tarnish all officers with the same brush”, he says.

Cautioning against excessive criticism of interception, he says, police interceptions are legal and in national interest, but are hampered by lack of technology and resources.

The Maharashtra mobile official said security agencies have begun to use new technologies to intercept. “They now put equipment on the premises of service providers, which lets them intercept calls on their own. Service providers now have to just provide access and do not even know which number is being tapped. The system is so opaque now, we do not even know if they are following the laid-down procedures while accessing our subscribers’ information.”

Sri Kumar says authorities had to put this equipment as the response from the service providers was slow. “They typically take 48 hours to respond to our requests. When we are in hot chase, we don’t have that kind of time,” he adds.

Security agencies are bypassing mobile operators using another piece of technology, which is now becoming popular: off-the-air GSM/CDMA monitoring systems. These devices can be mounted on cars, driven around and used to intercept calls in the vicinity, without giving a clue even to the mobile operator.  

Media has frequently reported that security agencies have been using these devices to tap phones of politicians and keep tabs on areas with significant minority population.

While civil rights advocates are focused on reigning in police, service providers are grappling with the problem of rogue employees snooping on subscribers without any authorization. A few years ago a popular actor and actress, both from Bollywood dynasties, were in a relationship. They happened to use the same mobile operator and there were thick rumours in the company that, a few employees were privy to their intimate conversation.

Service provider employees have been allegedly found informing suspects that their phones were under surveillance or doing unwarranted favours to their friends.

 A former senior employee of one of the largest mobile operators of the country said the company did not have a mechanism to track any employee who intercepted calls without authorization.

He said after a nodal officer receives a request for interception, a senior officer within the circle has to validate. From there the request goes to a typically middle-ranking technical manager to carry out the interception. It is here the system is vulnerable for abuse as many service providers do not have adequate safeguards in place, he said.

An engineer who worked for a software company that wrote the interception software for the same mobile operator more than five years ago agreed with the statement. The specification was to just write the software to enable interception as required by authorities. The operator did not go a step further to create a monitoring mechanism to check unauthorized interception by employees.

“They were shortsighted and just anxious to meet the legal requirement and be done with that,” said the engineer. The engineer also said a similar weakness may possibly exist among few other older operators as well. The mobile operator in question declined to comment on the story.

A senior official of Indian Cellular Association said,  “The problem possibly exists and companies should upgrade software”. “But the industry is grappling with too many issues, this is not a priority at the moment,“ he said speaking off-the-record. The Cellular Operator’s Association of India did not respond to queries.         

“Rogue interception by employees can damage company reputation and create serious liability. Most companies sack erring employees and hush up the issue,” the Maharashtra mobile executive said.

The Indian Telegraph Act, 1885, and the Information Technology Act, 2008, which legalise surveillance of telephones and online activities, also slap stiff penalties on service providers for break of privacy.

Sri Kumar says with communication shifting from voice to data, monitoring at the ISP-end is becoming increasingly important.  

Your ISP is the channel that connects your computer to the web site you want to access. The moment you connect to the Internet all your moves come under the ISP scanner. “There is nothing your ISP cannot read, monitor, intercept, deny or allow, “says Pradeep Srinivas, CEO of MNXT consultancy, who has 26 years of experience in security.  

 Your ISP knows which computer you use, where it is located, which operating system and browser you are running. It can read your email, track your chats, know your unsecured user name and passwords, follow you to the web sites, watch what you do there.

 But given the huge amount of information that passes through them, ISPs do not have the resources or need to read every email that is sent through them. They are more like traffic cops who keep an eye on the traffic passing on the road. They are usually content to let the vehicles to pass. But if any vehicle acts suspiciously, they intercept and look who is inside.

 ISPs are legally required to maintain sophisticated surveillance systems to monitor online traffic and track suspects.

 A California firm Narus provides technology for ISPs to monitor and intercept. In India, AT&T, Reliance, Sify and Cable and Wireless are prominent users of Narus software.

A Bangalore-based employee of Narus said a ‘semantic traffic analyzer’ is installed in ISPs to “sniff illegal data transmissions” and make them available for security agencies.  ”The system can be programmed to trigger alerts if it sniffs emails with content on terrorism, chatting in localities known to harbour anti-social elements and activities in computers owned by known criminals,” he said.

“If police identify a suspect, Narus can help ISPs make a copy of all communication happening through his computer,” he added. Narus declined to share details of its interception capabilities with Deccan Herald.

But even the most advanced monitoring mechanism can go horribly wrong.  

 A Bangalore-based HCL engineer Lakshmana Kailash was arrested by the Pune police in August, 2007 for defaming Chatrapati Shivaji on Orkut. He was identified by his computer address, provided by Airtel, which turned out to be incorrect. But by then Kailash had spent over 50 days in jail.

 The Information Technology Act requires ISPs to ‘maintain strict confidentiality’ on the direction for interception or monitoring issued by security agencies.  None of the ISPs contacted by Deccan Herald were willing to share information on how closely the security agencies watch the Internet.

To get an idea on that we have to turn to another source. In April, Google made public the 'requests' it had received from various governments to identify specific users or remove objectionable content from its services.

 In seeking information about users, India came fourth after Brazil, US and UK.  In requesting for removal of content India followed Brazil and Germany. A Wall Street Journal report quoted a Google India official saying the company literally pushed back on a daily basis requests to remove objectionable content.

Not all the requests Google gets involve national security. In 2008 Pune police asked Google to identify an Orkut member who had posted derogatory messages about Sonia Gandhi and arrested him.  Google, MSN, Yahoo declined to comment on the story.
As with mobile operators, there is risk of ISP employees intercepting subscriber activities on their own.

 An expert on cyber laws and security, Na.Vijayashankar, says many ISPs have not put in place adequate safeguards to prevent unauthorized interceptions by employees. “We tell ISPs to follow due diligence as employee misuse can cause serious liability,” he adds.  

Internet Service Providers Association of India (ISPAI) secretary Desi Valli says, “Of 300 odd ISPs in the country there could be some without safeguards to protect consumer information from employees.”

“This is a vast industry and not everyone knows the available solutions to prevent employee misuse, which are expensive as well,” says Desi Valli. “Periodic auditing should be done internally to plug loopholes. Some ISPs do it monthly, some quarterly and some annually,” Desi Valli adds.  

Government authorities are tightening surveillance measures and have asked major online service providers such as Skype, Google and Yahoo to move their servers to the country.

 Defending the government move, Desi Valli says the number of exit points are increasing and hence, keeping servers within the country will lead to better monitoring. Exit points are the locations where the Internet traffic exits the country through undersea cables.

The Narus employee said using his company software all forms of online activities can be monitored at the ISP or gateway level. For example, Narus web mail solution can scrutinise web-based emails such as Yahoo, hot mail and Gmail. There is no need to shift their servers here, he said.

Pradeep Srinivas said, “By asking these companies to shift servers to the country, Government is just imposing its authority on them. Making surveillance too obvious will prompt criminals to find better ways to evade.”

”Don’t turn security into a cat and mouse game,” he added.