PRABIR PURKAYASTHA | 7 JANUARY, 2019
The surveillance notification decoded
NEW DELHI: The notification issued by the Ministry of Home Affairs (MHA) arming 10 government agencies under the Section 69 of the IT Act to break into all our communications and computers, have been followed by Ministry of Information Technology modifying its Rules. Taken together, these proposed modifications identify how the breaking of our communications will be done.
The target in the first instance are the service providers – the telecom and digital service providers such as WhatsApp (owned by Facebook), Telegram, etc., and the equipment vendors.
Service providers are required to provide access and encryption keys, while the device providers will probably be asked for de-encryption tools and backdoors for their devices. We are rapidly entering an era of mass surveillance of the kind that Snowden has madefamiliar, and with paranoid governments wanting to monitor all its citizens.
It is true that the Section 69 of the IT Act, 2000 gives certain powers to the government in monitoring our communications. In 2000, when the Act was passed, this appeared on par with the powers of telephone tapping that the government already had, namely a “Competent Authority”, in this case the Secretary, MHA to sign off on the request for telephone tapping.
Since then, there are major changes that have taken place, which makes the government’s powers and the new orders far more dangerous.
One major change is that the surveillance system no longer functions by authorities issuing notice to the telecom service providers – Airtel, Vodafone, etc. – to provide access to certain telephone numbers. Instead, a Centralised Monitoring System (CMS) has been created by the government which directly accesses the infrastructure of the telecom service providers. Through this, the concerned agencies can tap into any conversation or our telephones at will.
The protection to us as users is that it still needs the sign off of the Secretary, MHA. According to an RTI filed by the Software Freedom Law Centre in 2014, 7,500-9,000 such requests are approved every month by the Home Secretary. These numbers have probably grown many times since then. Now, with 10 agencies given such access, these numbers are likely to balloon much further.
If we believe that a Secretary rank officer in the government of India is seriously looking at these requests to protect the citizens’ privacy, we would be foolish indeed.
We have to accept that the basic protection envisaged under the IT Act is not working and has been reduced to a meaningless bureaucratic procedure.
Now that the Supreme Court has upheld the right to privacy as a fundamental right, and given us tests under which our privacy can be invaded, we have to relook at this fundamental issue.
Can the state invade our privacy with one signature of a Home Secretary for thousands of people, and yet be in line with the Puttuswamy tests – enunciated in the privacy judgement – of legality, fairness and proportionality? The simple fact that thousands of such interceptions are granted by the “competent authority” shows the incompetence of the system in protecting the citizens’ fundamental right to privacy. We can well imagine the consequence of expanding the powers of surveillance now to 10 agencies!
The second notification, issued by the Ministry of Information Technology, the one that has now been opened for public scrutiny, is an even more dangerous one.
It is essentially a step towards the state’s right to de-encrypt all communications, and asking for either encryption keys, or providing backdoors with de-encryption to their entire digital infrastructure. Worse, since the Section 69 of the original Act talked about all computer resources, it is restricted not just to digital infrastructure. It means asking the device manufacturers – from smart phones to computers, all of which qualify as computer resource under the Act – to either leave backdoors in their equipment and/or provide encryption keys and tools.
All this may sound gobbledygook to most readers of this column. So, let me take an example.
All our WhatsApp phone calls and messages have end-to-end encryption. Facebook, which owns WhatsApp, has stated that this encryption cannot be broken by even Facebook. What Facebook sees is only metadata: who is talking to whom when and from where. What the government is asking that these companies, and WhatsApp is not the only one providing such services, should provide encryption keys and similar access to what the telecom service providers now give to the authorities.
The wording computer resources is again something that we, as digital activists, did not foresee in the year 2000 when the Act was passed. It becomes important as we may encrypt our hard disk or keep encrypted messages on our smart phones. Not because we are indulging in criminal activities, but because we all have a need for keeping some of our data secure. It may be our financial information, our technology know-how, or simply passwords to our various accounts, which we don’t want to become public if the device – a computer or a cell phone – get stolen. Encryption is not what only criminals do but which we also need.
For financial companies, who routinely deal with money transfers, the need for encryption is even more important. That is why all financial transactions are encrypted. Encryption is again routine to a number of tech companies that insist that their employees’ disks be encrypted to protect their data and know-how from criminals.
Therefore, the demand for encryption keys and access to de-encrypted communication/resources is a whole new ball game. In the age of digital communications, asking for such access is basically to do away with all the protection that has now become routine in the functioning of companies and people.
If it is indeed the law, as the government claims, it certainly is not in line with the Puttuswamy Judgement in which the Court has accepted privacy as a fundamental right. Instead of putting in place the safeguards now required under the privacy judgement, the government is bent on expanding its powers, powers it did not have in 2000, as the technology had not evolved in ways that it has done today.
Finally, the key question, why now?
Is it because as long as WhatsApp was being used widely to promote hatred, communal riots, and lynchings in the name of the cow, this was of no concern to the government?
Is it because earlier, the BJP’s IT Cell was way ahead of all other parties in creating and running WhatsApp groups?
Is it that the BJP troll brigade earlier controlled the digital space and social media space which it is now losing?
With people increasingly coming out against the Modi government even in the digital and social media space, is there now a need to find out who they are? And after identifying them, brand them as anti-nationals?
We have only to look at Bulandshar to understand how the BJP’s mindset works. No, killing a police officer is not the issue; filing a false FIR charging 4 innocent Muslims with cow slaughter is not the issue; collecting a lynch mob on the basis of false information is not the issue. The issue is only cows being killed, even if this account is found false. According to Adityanath, the CM of UP, this is the only issue.
Under BJP’s law and order scheme, the issue is not WhatsApp and other such platforms providing secure communication, but that it provides this to all groups. As long as it was provided to groups instigating communal and caste violence, this was all right. Providing such facilities to others as well is the problem. That is why the new expansion of the surveillance regime that the BJP-led NDA government is proposing.
The problem with the new set of proposals is that it does not take into account that once encryption keys are given to the government, they will invariably leak out.
As Snowden showed, not even the NSA could keep its information secure. The second, if a backdoor is created in digital devices – smart phones or computers – the criminals will not take much time to find it out as well.
It will endanger everybody’s privacy and security of information. In today’s day and age, asking for governmental backdoors and encryption keys in the name of national security will make us far more insecure. And if we are all collectively insecure, does the nation become more secure?
(Prabir Purkayastha is founder editor of Newsclick)