The revelations of Edward Snowden have opened up the case of snooping and the vulnerability of India in the realm of cyber security. According to reports, in 2013 India stood at fifth place in terms of cyber attacks; it was one of the most actively targeted in Asia by the US National Security Agency (NSA) that amassed 13.5 billion bits of information and 6.2 billion bits of metadata (Saxena, 2013). According to experts, the entire account of an individual’s professional and personal life can be assembled by analysing metadata. However, the Indian Government’s response had been lukewarm as the former External Affairs Minister Salman Khurshid was quoted saying, “it is not actually snooping” (Saxena, 2013). Another recent release from the whistle-blower disclosed that the NSA supposedly had received the Obama administration’s approval for spying on the Bharatiya Janata Party (BJP) amongst six other political parties of India that strained US-India relations (MacAskill, 2014).
In February, 2014 a report on “Cyber Crime, Cyber Security and the Right to Privacy” was tabled in the Parliament by the Ministry of Communication and Information Technology, where it was acknowledged by the Secretary of the Department of Electronics and Information Technology that “whatever data has been gathered by them (US) for surveillance relates only to the metadata…” and “it has been reiterated and stated at highest level of the US President that only metadata has been accessed, which is the origin, receiving point and destination of the message and route through which it has gone, but not the actual content itself” (Rao, 2014).
There are perils involved in such collection of data. The data that the NSA holds could reveal the type of information attached to every single email of an individual, the place from where the mail was sent and received and “to whom”, “from” and the “bcc” section of a typical mail (Greenfield, 2013). An email metadata is more revealing than this; it is a laid-back effort to geo-locate both sides easily on a map. These bundles of information gathered acutely have not only breached the right to privacy but also underscored the current state of IT infrastructure and the absence of data protection laws in India.
In the year of 2012, the National Security Council of India, which was headed by the former Prime Minister Manmohan Singh, planned the establishment of the National Critical Information Infrastructure Protection Centre (NCIPC) that was to be created by the National Technical Research Organization (NTRO) (Joseph, 2012). The Standing Committee on Information Technology has recommended the following apart from the setting up of the NCIPC (Legislative, 2014):
- * Establishment of a protection centre;
- * Creation of a single centralised body dealing with cyber-crimes;
- * Employment of skilled IT professionals to overcome shortage of manpower and;
- * Funding as well as conducting extensive research and development.
In the hindsight, the right to privacy has not been granted under the Constitution of India, although the courts encompass it within the ‘freedom of speech and expression’ under Article 19(1) (a) and ‘right to life and personal liberty’ under Article 21. Currently there is no dedicated legislation in place aimed at data protection or privacy. The data protection laws are a set of privacy laws and procedures meant for minimizing intrusion of privacy, owing to surveillance and data collection. Nevertheless the Centre for Internet & Society, an NGO based in New Delhi has researched extensively and drafted a version of the Privacy Protection Bill, 2013 (Acharya, 2013). Some characteristics of the bill include:
- * It seeks to heavily penalize organisations or institutions obtaining personal data under false pretext;
- * It authorizes suspension of telecom service provider’s license if it violates conditions of confidentiality mentioned in the bill;
- * It states that recommendations shall be made by committee comprising the Cabinet Secretary, Secretaries of Departments of Personnel and Electronics and IT, as well as two experts of data protection, law and finance to be nominated by the Central government.
However, the National Security Advisor (NSA) seeks to weaken the bill by reducing its scope and introducing provisions that would protect the intelligence agencies. The current IT Act applies only on entities and persons located in India and not foreign corporations or people located abroad (Kosturi Ghosh, 2014). It is designed to be incursive. For instance under Section 43A, the IT Act legalizes handling of sensitive personal data, and under Section 69, the Government of India can “intercept, monitor or decrypt” any information transmitted or generated from any computer resource in the interest of the sovereignty and integrity, defence, public order, preventing incitement and for the security of the State (Dalmia, 2011).
The impact on privacy will be hard hitting when the Central Monitoring System (CMS) comes into action. It was fast tracked post 26/11 Mumbai attacks in which the perpetrators used voice over internet protocol (VoIP). This system would allow the Government to access every digital communication and telecommunication in the country. The CMS will be capable of covering text messages, online activities, phone calls, online searches and even social media conversations! (Nandakumar, 2013). According to investigations, about 160 million users are already under the scrutiny of wide-ranging surveillance. They have further revealed that a “Lawful Intercept and Monitoring Systems” is in place, which has been arranged by the Centre for Development of Telematics for the purpose of monitoring Skype, emails, web-browsing and of course Internet traffic (Singh, 2013).
The surveillance agency in Australia, Defence Signals Directorate (DSD) shared metadata of its citizens with intelligence allies overseas. Prime Minister Tony Abbott defined meta-data as “essentially the billing data which is different from the actual content of calls.” A metadata can paint a “visual rendering” of one’s digital and physical existence (Laughland, 2013). Owing to the trails of pieces, internet activities of an individual can be linked and traced back. The NSA’s meta-data surveillance programme compiles the data giving a detailed picture of lives of individuals; these can provide information about people’s political or religious affiliations and even their relationships.
One of the other important phenomena has been the rise in the number of smart phones in India. The industry has been very successful and has seen spike in the number of smart phone users, with the market leader Android reportedly holding 62% of the market share according to a 2012 survey (Brindaalakshmi, 2013), followed by Windows Mobile, RIM, IOS and so on. A rising consumer base for these companies is a cause of concern, as in the past these very firms had provided direct access to the NSA. The NSA allegedly had access to over 180 million records from Yahoo, Google and Facebook. In 2013, the percentage of obtained information from Skype rose to 248%, for Facebook, 131% and 63% for Google with DropBox being designed as a PRISM provider (Glenn Greenwald, 2013).
The recent upgrades in the Android software (Kit-Kat) make it the best spying phone that could capture highly personal data of movements, activities, interests, internet searches and geo-locations. These smart phones use cutting-edge technology, making them a potential spying weapon (Liss, 2014). The fact remains that such an incident can happen without anyone’s knowledge just like the NSA snoop-gate, and governments would not even come to know unless there is another Snowden out there.
The mechanisms and artillery adopted in the IT sector by the Indian Government may all seem too invasive of one’s own privacy but all of these are absolute a necessity for the fight against cyber terrorism, mass-surveillance, cyber espionage and to prevent another snoop-gate by a foreign country. The past incidents have shown how powerful and exploitative these instruments are as they hamper freedom of speech and expression and lead to wrongful arrests for even ‘liking’ a post on Facebook or tweeting. Legal frameworks to tackle these issues are extremely essential; at the same time amends have to be made in the IT Act.
The scope of jurisdiction of the IT Act has to widen and cover countries other than India. It is clear that the tactics used by the NSA to gather information about political parties in India reveal just how pervasive NSA’s reach has been in India; this indeed makes the case for effective legislation directed towards foreign companies stronger. One can only hope that Prime Minister Modi would raise these issues strongly at the highest levels with the US Government during his visit to the US in September.
Disclaimer: The views expressed in this article are personal.
References
Acharya, B. (2013). Privacy (Protection) Bill, 2013: Updated Third Draft. Centre for Internet & Society.
Brindaalakshmi. (2013). 62% of Indian Smartphone Users Surveyed Prefer Android; Paid App Trends. MediaNama.
Cavoukian, A. (2013). A Prime on Metadata: Separating Fact from Fiction. IPC.
Dalmia, V. P. (2011). Data Protection Laws in India. Vaish Associates Advocates.
Glenn Greenwald, E. M. (2013). NSA Prism program taps into user data of Apple, Google and others. The Guardian.
Greenfield, R. (2013). What Your Email Metadata Told the NSA About You. The Wire.
Joseph, J. (2012). India to add muscle to its cyber arsenal. The Times of India.
Kosturi Ghosh, S. H. (2014). Data Protection in India: Overview. UK Practical Law.
Laughland, O. (2013). Metadata: is it simply billing data or something more personal?. The Guardian.
Laughland, O. (2013). What can you learn about me from 24 hours of metadata. The Guardian.
Legislative, P. (2014). Cyber Crime, Cyber Security and Right to Privacy. PRS Journal Research.
Liss, R. (2014). How your phone camera can be used to spy on you. Reviewed.com.
MacAskill, A. (2014). India Demands U.S. Explanation After Modi Party Spied On. Bloomberg.
Mail, A. P. (2013). NSA 'broke into Yahoo and Google data centers to obtain millions of records every day'… and leaked doodle shows how spy agency did it with a smiley face. Daily Mail.
Nandakumar, I. (2013). Government can now snoop on your SMSs, online chats. The Times of India.
Patry, M. (2013). India: Digital freedom under threat? Surveillance, privacy and government’s access to individuals’ online data. Index.
Rao, R. (2014). Govt confirms: US snooped on India emails. The Indian Express.
Saxena, G. G. (2013). India among top targets of spying by NSA. The Hindu.
Singh, S. (2013). Govt. violates privacy safeguards to secretly monitor Internet traffic. The Hindu.
Society, C. f. (2014). An Analysis of the New Draft Privacy Bill – CIS India. MediaNama.
Tucker, P. (2014). How the NSA Can Use Metadata to Predict Your Personality. Defense One.
Laveesh Sharma, Masters Student at the Jindal School of International Affairs, Haryana.