What do the Boundless Informant and Verizon stories mean for India?
The last week has seen numerous reports in the Guardian, the Washington Post and the New York Times that provide a glimpse of the growing corporate-military nexus in the telecommunications space.1
While the revelations made concerning the Verizon-FISA Order and the PRISM programs (by The Guardian and The Washington Post respectively) are not as explosive as many are making them out to be – for instance, it has been public knowledge for quite some time that the FBI utilizes splitters to divert and monitor internet traffic at AT&T’s Folsom Street, San Francisco facility2 – the sheer scale and scope of the surveillance has come as a shock to many.
It is clear that the technology to monitor and track user activity both on the Internet and in the traditional telecommunications systems exists (and has done for quite some time). In the Internet space, this is the basis for the massive revenues earned by the Internet giants (who track their users’ activities in order to direct targeted advertisements at them). It was therefore only a matter of time before governments caught on to the huge potential of the information gathered by these companies and put in place mechanisms that would enable them to tap into this resource.
In the United States, this push came after the events of 9/11 and the consequent introduction of the PATRIOT Act. The fact that laws such as the PATRIOT Act and FISA are susceptible to misuse has been highlighted by numerous organizations over the last decade – notably the EFF and the ACLU.
So again, the fact that legal mechanisms are in place to permit government agencies relatively unhindered access to personal information is well known. What the latest revelations do is demonstrate the expanded and (questionably) wide interpretation given to laws that should, under traditional rules of statutory interpretation, be read narrowly/strictly, and consequently the unprecedented levels of surveillance that citizens are subject to. These revelations also demonstrate the problem with a lack of public accountability caused by the veil of secrecy surrounding the entire functioning of this ‘underground’ legal system.
There are slight differences between the two exposés mentioned above – the Verizon order, in brief, concerns the United States law enforcement authorities being permitted to access telephone meta-data (or transactional data) with regard to any and all calls passing through Verizon’s communications networks if involving a non-American element. The order is extremely broad in its scope, requiring all call records pertaining to a specified period of time to be handed over to the NSA, rather than just the records pertaining to any particular or targeted individual or transaction.
The PRISM scoop pertains to various mega Internet Service Providers (such as Google, Facebook, Microsoft, etc.) allowing the NSA and other law enforcement agencies unhampered access to user data collected by them (or passing through their servers). This means that all e-mails, videos, Internet transactions etc. taking place through the servers of these corporations could potentially be monitored by US intelligence agencies.3
Both programs have, of course, been justified by the US government on grounds of national security – it is claimed that there are adequate checks and balances in place to prevent misuse of the programs – though this claim is highly dubious given the levels of secrecy surrounding these programs, the lack of information about these programs in the public domain, and the consequent lack of accountability of those involved in these programs.4
Irrespective of the legality or otherwise of these US programs under domestic US law, the rest of the world, and particularly countries like India (which is pushing hard to connect its citizens to the Internet as an enabling and democratizing tool, and which the Washington Post reveals is the 5th most ‘surveilled’ country in the world), must surely take issue with what can only be described as espionage on an unprecedented scale (albeit espionage that we, as consumers of these services, assisted by blindly entrusting these corporations with our data!) and which is also in violation of various international treaties to which the US is a party, including the UDHR and ICCPR.
The two exposés mentioned above clearly demonstrate the hazards associated with offshore data processing and the retention of data by telecommunications companies and will hopefully act as a wake-up call for the Indian government – not to put in place programs similar to that of the US government (which it is trying hard to do) – but to ensure that Indian data (both private and government owned) is protected adequately.
India relies largely on US based services to host data – from corporate information stored in the ‘cloud’ on servers owned by GoDaddy or Google, to personal information uploaded on Facebook or Twitter, or even government data stored with US corporations under, for instance, the UID scheme. It is clear that no data or conversation is safe from the reach of the US government – whose reach is analogous to that of the various US based corporates that control the world of telecommunications (internet and traditional telephony). The security risk posed by this centralization of information exchange (either in the form of data storage or routing) in the United States need not be overstated.
The problem with such a system where these Internet giants cede control of the data stored by them to the US Government is only exacerbated when these Internet giants fail to comply with directions from non-US governments or domestic law requirements of non-US countries – usually on the basis that they are based in the US and such compliance would fall foul of US law.5
So there is clearly an international law issue to this matter that needs to be taken up at the appropriate levels and as a matter of some urgency. It is essential that global rules and norms be put in place to ensure privacy rights are respected globally and that an appropriate balance is found between security concerns of a state, corporate interests and individual liberties – at the moment it appears there is no question of a balance but rather a binary treatment of the concepts – with privacy being trumped by security and commercial interests every time. Global Internet governance processes and procedures must also be strengthened including by much needed democratization / non-corporatization.
It continues to be a problem that basic internet infrastructure (and governance systems) tend to be US based – DNS root servers for instance are concentrated in the US and Europe, ICANN is a registered US based organization and the US holds a veto on every vote6… The political pressure and international clout that the US carries and unhesitatingly wields (to protect what it sees as its domain) is also evident as shown by their position at the ITU’s World Conference on Information Technology in December 2012.7
On the domestic front too, there is much to be done: The government must put pressure on foreign intermediaries to locate in India and as a corollary retain Indian data within India (through means of legislation or otherwise). India is after all a sufficiently large market for most of these companies.
The government must also attempt to encourage the growth of appropriate infrastructure in India such as server farms. The latter is critical and must be a priority given the huge capacities required for our e-governance projects such as UID etc.
The Indian government must also act to demonstrate its commitment towards protecting its citizens’ data including putting in place the necessary privacy legislation as suggested by the Justice AP Shah Committee.
However, it appears the Indian government’s intentions may lie in a contrary direction – given both the lack of movement or debate surrounding the Privacy Bill amongst other relevant legislation, as well as the institution of a Central Monitoring System (announced in 2009) which will apparently “bypass manual intervention from telecom service providers to access call records and enable the government to access surveillance data directly”.8 Recently, the government has clarified that this umbrella agency will only “oversee metadata but not mine the data”.9
Nonetheless, it is unclear if such broad and unaccounted surveillance can be conducted by the Indian state under present legislation.
At present, the only laws regulating this sphere are contained in the Information Technology Act, 2000 and rules thereunder, notably the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009 and the Information Technology Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information Rules, 2009.
Section 69 of the IT Act permits notified government authorities to “intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource” in the event they are satisfied that “it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offense relating to above or for investigation of any offense.” Section 69B permits an authorized agency of the government to “monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource” in order “to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country”.
The Rules mentioned above lay out a system of checks and balances to protect against government excesses – for instance in requiring oversight of all monitoring requests by a review committee (though information about the actual working of this review committee is difficult to come by and one wonders if this is merely an agency that rubber stamps all requests for monitoring, etc.), by specifying the purposes to which any information gleaned may be used and penalizing aberrant use, etc.
The two legal provisions mentioned above therefore have clearly defined limits in terms of when they can be used, what the information can be used for, and procedures to ensure that civil liberties are not unduly violated. The existing legal system, it appears, envisages only case-by-case monitoring when certain specific conditions are made out, rather than an overarching monitoring system such as the CMS (which would apply irrespective of whether any enabling conditions were met or not). (Separately, one should note that per the requirements of the ISPs’ licenses as well as various provisions of the IT Act, they are required to provide all necessary information and assistance to the relevant government agencies.)
In addition to the lack of legislative mandate for an overarching monitoring system as contemplated by the CMS, the fact that such a system has been introduced without any public debate and only minimal parliamentary oversight (if at all) is worrying.
While programs such as the CMS must undoubtedly be subject to at least the same or similar level of checks and balances as are currently envisaged under the IT Act, it is equally important that the government encourage greater transparency and accountability in such systems that act to abrogate fundamental rights of citizens – including by giving effect to existing legislation such as the Right to Information Act. For instance, an RTI query concerning the number of historical instances of tapping or monitoring should not be considered as falling within the security exemption in Section 8 of the Act merely because it is so stated by the government agency concerned (as is, unfortunately, often the case).