DisFact #15: India needs surveillance reform; social media regulation; telecom security

Happy new year, readers! Welcome to DisFact. I am Samarth Bansal. Hope you have a great and promising 2019.

Thanks for reading and subscribing. Know a friend who would find this newsletter useful? Please consider forwarding this email. Here is the sign up link and list of all previous issues.

In this issue: three recent stories in the technology policy space.

  • In-depth: Is the Indian government snooping on its citizens? Did anything change under the Modi government?

  • India has proposed draft rules to regulate social media platforms. One provision would require companies like WhatsApp to break end-to-end encryption, sparking concerns from privacy activists.

  • India has invited Chinese manufacturer Huawei Technologies for 5G trials. A few countries have banned the company, citing security concerns. Officials are concerned as India doesn’t have adequate safeguards to secure its telecom infrastructure.

State of surveillance in India

On 20th December, the Union home secretary issued a statutory order authorising 10 security and intelligence agencies to lawfully “intercept, monitor and decrypt” information that is “generated, transmitted, received or stored in any computer resource”.

No new powers: If you read this notification in isolation (as a lot of people did), it may appear that India turned into a surveillance state overnight—that the government got new powers to snoop into your computers, access documents stored in your laptop, read your emails, etc. That’s not what happened: there are no new powers. The notification was merely a formality and should have been issued long ago.

But debating the issue at hand—India’s surveillance regime—is crucial. India has an “urgent need for surveillance reform”, privacy activists say, especially after last year’s Supreme Court judgement that held privacy as a fundamental right.

As I was browsing the comment section on news sites, I observed that the bulk of the readers were not concerned about the powers that the government enjoys. If the objective is national security, what’s the fuss about? So before diving into details of the Indian law, here is a quick background to set the context.

1. What is surveillance and why is it controversial

Governments around the world ideally want stronger provisions for surveillance—the ability and tools to keep an eye on citizens, their actions, conversations and everything else. The argument offered is national security: security agencies need legal provisions to monitor people to prevent crimes and terrorist attacks.

Security vs privacy: However, surveillance is in tension with an individual’s right to privacy—now a fundamental right in India. The powers that the State enjoys, privacy activists say, could be used to suppress dissent or agitations against the government.

People don’t care: Most citizens across the world do not care about privacy. The most common refrain is that only those who have done “something wrong” are concerned. “What do I have to hide?” they say. It is only for elites, goes another argument. I don’t buy that. Privacy matters. I explored the debate in this article for the Hindustan Times. Read it here.

Orwellian reminder: One of the main lessons of George Orwell's 1984 is that when a society shrinks privacy to zero, people can't even have unconventional thoughts. That’s the way you get to a totalitarian society. By accepting high degrees of government intrusion and omnipresent technology that tracks our movements and our records, who we call, who we email—we are shrinking our freedom.

More importantly, it is “nobody’s case that privacy is absolute”, Gautam Bhatia wrote in The Hindu:

The staunchest civil rights advocates will not deny that an individual reasonably suspected of planning a terrorist attack should be placed under surveillance. The debate, therefore, is not about ‘whether surveillance at all’, but about ‘how, when, and what kind of surveillance’.

Yes, note that: the debate is about ‘how, when, and what kind of surveillance’.

Snowden revelations about NSA spying: The world woke up to the dangers of surveillance after Edward Snowden showed how the National Security Agency (NSA)—a US intelligence agency—was collecting data on millions of ordinary Americans (not just terrorist suspects). The NSA was storing that data, with little or no oversight about how the data was being used. There wasn't much of an infrastructure for keeping that data out of the wrong hands.

To understand more about privacy, surveillance and the Snowden revelations, watch this excellent John Oliver episode.

2. Surveillance laws in India

There are two main acts governing the legal provisions for surveillance in India.

  • First, the Telegraph Act, 1885, which allows for the interception of calls and messages.

  • Second, the Information Technology Act, 2000. It contains provisions to intercept digital information, including data stored on a computer, internet traffic and other data flows.

The current controversy is about the IT Act.

There is one key difference between the two acts: the grounds under the IT Act are wider and lack some of the safeguards under the Telegraph Act.

Under the Telegraph Act, there should be a condition of a “public emergency” or “interest of public safety” for intercepting information. There is no such requirement under the IT Act, which makes it more powerful: the government can intercept information without any of the stated pre-conditions in the Telegraph Act.

3. The new notification

The Ministry of Home Affairs (MHA) notification that sparked controversy merely lists the agencies that have the power of interception under the IT Act—meaning the government did not get any additional powers with the notification. By explicitly stating the names of the agencies, the government specified who has the power to request interception. That’s it.

The ten agencies that were given the authority to intercept digital information had the power of telephone surveillance for decades.

It is unfortunate that this turned into a BJP vs Congress debate. The Congress alleged that the Modi government had begun snooping on citizens. Haha. The amendment to the IT Act that gave surveillance powers to the state was introduced in 2008/09, when the Congress-led UPA was in power. The amendments were passed in the Parliament—where BJP was in the opposition—without any debate.

What does this mean? That this is not about party A or party B. It is about state vs citizens.

4. Concerns with India’s surveillance laws

The notification has brought to light a long-standing debate regarding surveillance provisions in India. Privacy activists say that intelligence and law enforcement agencies have massive powers to gather information about citizens without adequate legal and procedural safeguards to protect individual rights.

Do we have enough checks and balances to ensure state power is not misused?

The government says yes: Officials say that there are processes in place to check misuse of the power.

“All such cases of interception are reviewed by a committee headed by the cabinet secretary. The committee meets at least once in every two months. In states, the chief secretary holds the power to review the cases,” said the home ministry spokesman. (Hindustan Times)

Three issues:

First, decisions about surveillance are taken by the executive branch. There is no parliamentary or judicial supervision.

Second, if you are under surveillance, you will almost never know. Which means if the government is snooping on, say, a dissenter—and not a terror suspect—one won’t know and can’t even challenge that decision before the court.

Third, the regime is opaque.

There is almost no information available about the bases on which surveillance decisions are taken, and how the legal standards are applied. Indeed, evidence seems to suggest that there are none: a 2014 RTI request revealed that, on an average, 250 surveillance requests are approved every day. It stands to reason that in a situation like this, approval resembles a rubber stamp more than an independent application of mind. (The Hindu)

Why you should care: Journalist Saikat Datta posted an excellent Twitter thread explaining the controversy. Here is a snippet from his tweets:

So you may want to ask where is all this surveillance material going? And who is using it? And for what? The common answer to all this is the Government. Whoever is in power uses this massive surveillance machinery to spy on us, the citizens. And this won't change unless we realise how dangerous this is and what surveillance does to a democracy. It gives power to a very few people to control the rest of us. And we don't even realise it. That's what surveillance does.

Read more:

  1. The case against surveillance (Gautam Bhatia, The Hindu)

  2. Business Standard Journalist Kumar Sambhav Shrivastava has been reporting on how government agencies have been monitoring social media accounts of citizens. Here is a Twitter thread with all that has been reported so far.

Regulating social media content

What: The Indian government has proposed draft amendments to a law governing online content which would require social media platforms to trace the originator of a message, use “automated tools” to proactively detect and remove “unlawful information” and set up a business entity in India.

Why: The move was triggered by concerns raised by Rajya Sabha members in July this year about the “misuse of social media and propagation of fake news causing unrest and violence”—especially referring to incidents of mob lynchings driven by rumours circulated on WhatsApp.

Main issue: A key proposal of the new rules—ensuring traceability—would require messaging apps like WhatsApp and Signal to break the built-in end-to-end encryption, sparking concerns about privacy rights.

End-to-end encryption? In platforms that have enabled end-to-end encryption, only the sender and receiver of a conversation can see the messages that are exchanged.

Implications: The platforms have no way of viewing end-to-end encrypted messages, meaning if the rules are passed, companies will be forced to either rewrite underlying software or install backdoors to gain access to the messages.

The move comes weeks after the Australian government passed a similar controversial law that forces technology companies to hand over encrypted messages, even if end-to-end encrypted, to law enforcement agencies, a first in the world.

Five major changes have been proposed to the Intermediary rules. You can read more details here.

What next: Draft rules have been placed for public consultation. People can submit comments to the ministry by January 15, 2019.

Insufficient security safeguards plague telecom sector

In the Hindustan Times, I wrote a detailed piece about the controversy surrounding India’s invitation to Huawei for 5G trials. I spoke with current and former government officials, Huawei executives, and independent experts to understand what plagues India’s telecom security—the sector which forms the backbone of the digital economy. The picture is concerning.

What: “India’s invitation to Chinese telecom giant Huawei Technologies—a company banned in the US, which has termed it a cybersecurity threat, and from building 5G networks in Australia and New Zealand—to participate in 5G trials has aroused some concern in security and technology establishments.”

Why is Huawei an issue: In 2010, India had banned Huawei for 8 months. Back then, India’s home ministry raised concerns that imported telecom equipment could contain “back doors” and spyware that would allow foreign governments to snoop on Indians, intercept calls or remotely control networks, posing a security threat.

What can nations do to safeguard against the security threat

Experts point out two measures that governments can adopt to guard against the perceived security threat.

One, set up auditing infrastructure to test and identify vulnerabilities in the telecom equipment before deploying it in the country.

Two, develop the capacity to manufacture critical hardware components within the country.

India has not made progress on either front, officials say, and the security threat is not limited to Chinese companies but applies to imported telecom equipment in general.

The telecom department promised to set up security testing labs by 2013 in order to test for bugs in network equipment, the official added, but they are still not in place.

And India still imports 90% of its telecom equipment needs. India’s import of parts of mobile phones as well as telecom equipment from China increased from $1.3 billion in 2014 to $9.4 billion in 2017, according to a recent study by the ministry of commerce and industry.

What is Huawei saying:

“So many years, so many telecom operators, so many countries—someone should have already found the back doors in our products,” Huawei India CEO Jay Chen said in an interview.

“Huawei’s operations in Germany, France and Japan is business as usual,” he said. “The ongoing controversy is only about politics. Not about technology, not about security, not about the commercial aspects. Just politics,” Chen said.

Why it matters:

This places India on the back foot at a time when state-driven cyber warfare is no longer a theoretical threat. An early 2018 estimate suggested that around 200 publicly known state-on-state cyberattacks have taken place over the past decade, according to David Sanger of The New York Times.

Read the full story here

Talk to me

Comments? Feedback? Suggestions? Write to me at samarthbansal42@gmail.com or hit reply to this email. Thank you!