Do you want to be watched?
|
COMMENTS 
The new rules for surveillance under the IT Act are an assault on our freedom. They also seem misguided, says Sunil Abraham. How many terrorists or criminals will be arrested in India thanks to the new ID requirements at cybercafés or a ban on public wi-fi? Intelligence work cannot be replaced with blanket surveillance
Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 Amendment of the Information Technology (IT) Act and their associated rules notified April 2011 propose to eliminate whatever little privacy Indian netizens have had so far (see box below for a lowdown on the rules). Already, in accordance with the Internet Service Provider (ISP) license, citizens using encryption above 40-bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station. With the IT Act’s latest rules things get from bad to worse.
Now imagine my daughter visits the neighborhood cybercafé; the manager would now be entitled to scan her ID document and take a photograph of her using his own camera. He would also be authorised to capture her browser history including unencrypted credentials and authentication factors. He would then store this information for a period of one year and provide them to any government entity that sends him a letter. He could continue to hold on to the files as there would be no clear guidelines or penalties around deletion. The ISP that provides connectivity to the cybercafe would store a copy of my daughter’s Internet activities for two years. None of our ISPs publish or provide on request a copy of their data retention policies.
Now suppose my daughter used an online peer-production like Wikipedia or social-media platform like MySpace to draw fan-art for her favorite Swedish symphonic black metal band. A neo-Pentecostal Church sends a takedown notice to the website hosting the artwork. Suppose this is a fringe Web 2.0 platform run by an Indian entrepreneur. When the notice arrived, our entrepreneur was in the middle of a three-week trek in the Himalayas. Even though he had disabled anonymous contributions and started comprehensive data retention of user activity on the site, he was not able to delete the offending piece of content within 36 hours. If the honourable judge is convinced, both this entrepreneur and my daughter would be sitting in jail for a maximum of three years for the newly christened offence of blasphemous online speech.
You might dismiss my misgivings by saying “after all we are not China, Saudi Arabia or Myanmar”, and that no matter what the law says we are always weak on implementation. But that is completely missing the point. The IT Act appears to be based on the idea that the Indian public can be bullied into self-censorship via systemic surveillance. Employ tough language in the law and occasionally make public examples of certain minor infringers. There have been news reports of young men being jailed for using expletives against Indian politicians or referring to a head of state as a “rubber stamp”. The message is clear—you are being watched so watch your tongue.
Surveillance capabilities are not a necessary feature of information systems. They have to be engineered into these systems. Once these features exist, they could potentially serve both the legally authorised official and other undesirable elements. Terrorists, cyber-warriors and criminals will all find systems with surveillance capabilities easier to compromise. In other words, surveillance compromises security at the level of system design. There were no internet connections or phone lines in the bin Laden compound—he was depending on store and forward arrangements based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via master key would have led the investigators to him earlier? Has the ban on public wi-fi and the current ID requirements at cybercafes led to the arrest of any terrorists or criminals in India? Where is the evidence that resource-hungry blanket surveillance is providing return on investment? Intelligence work cannot be replaced with resource-hungry blanket surveillance. Unnecessary surveillance distracts the security with irrelevance.
Increase in security levels is not directly proportional to increase in levels of surveillance. A certain amount of surveillance is unavoidable and essential. But after the optimum amount of surveillance has been reached, additional surveillance only undermines security. The multiple levels of data retention at the cybercafe, by the ISP and also by the application service provider, do not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of sensitive personal information only acts as multiple points of failure and leaks—in the age of Niira Radia and Amar Singh one does not have to be reminded of authorised and unauthorised surveillance and their associated leaks.
Finally, there is the question of perception management. Perceptions of security do not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems—one, where the fundamental organising principle is trust or second, where the principle is suspicion. Systems based on suspicion usually give rise to criminal and corrupt behaviour. If the state were to repeatedly accuse its law-abiding citizens of being terrorists and criminals, it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies—they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the internet just to download encryption tools and other privacy-enabling software. Like the prohibition, this will only result in further insecurity and breakdown in the rule of law.
(Sunil Abraham is the executive director of the Centre for Internet and Society)
Parliament must debate the IT Rules By M R Madhavan The government has recently announced a series of four Rules under the Information Technology Act, 2000 (as amended in 2008). These pertain to safeguard of sensitive personal information by intermediaries; due diligence by intermediaries; operation of cybercafes; and electronic delivery of services such as applications, certificates and licenses. The rules raise some important issues related to privacy and implementation. In general, many Acts delegate the power to make rules on specific issues. This enables a quick response to changing circumstances. If these provisions were in the Act, any change would require an amendment to be passed by parliament, which could take a significant amount of time and resources. Sensitive personal information The rules define sensitive personal information as including passwords and information related to biometrics, health, finances and sexual orientation. They require corporations to disclose a privacy policy, which should meet certain minimum standards. The information shall not be disclosed to any third party without prior permission from the person providing the information. There is an exception clause to this requirement. The information has to be shared with government agencies which are mandated by law to obtain such information for the purpose of verifying identity or preventing, detecting, investigating or prosecuting offences. The agency has to give a written request for the information, and may not share the information with any other person. This exception clause raises issues related to the sanctity of private information. The Supreme Court has read the right to privacy as part of the fundamental right to life, and said that this right is subject to reasonable restrictions. For example, for the government to tap telephones, it needs to meet certain conditions, requires written sanction from the home secretary, and each case is reviewed by a high-level committee. An investigating officer needs to get a warrant from a magistrate before seizing any document. These IT Rules, on the other hand, permit access without such a check. Thus, an investigating officer needs a warrant to obtain access to a physical record, but can access the same information without a warrant if it is kept on a computer database. Due diligence by intermediaries The Rules require all intermediaries to publish certain minimum terms and conditions for users. These include, among other conditions, that the user shall not post content that is “grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner”. If any contravention is brought to the knowledge of the intermediary, the content has to be blocked. The Rules require the intermediary to take action within 36 hours, if they are so informed in writing or by an electronically signed email. There are three issues with these Rules. First, many of the terms are not defined and open to interpretation. Second, many of these items are not illegal and a restriction may impinge on the right to free speech. For example, it is not illegal to be an atheist (and therefore blasphemous), or to disparage a government rule (such as this one) or to write an analytical piece on gambling. Third, the onus of interpreting any content will be on the intermediary if someone writes about a violation. Note that the intimation of violation is not necessarily from a government agency or regulator but can be from any person. Given the costs involved in monitoring and responding to complaints, this Rule could lead to lower levels of openness and access to content on the internet (including unmoderated comments on websites and blog hosting). Cybercafe rules The rules also mandate certain a layout for cybercafes. Any partition should be less than 4½ feet high, and all terminals should face a common space (and be visible to others). There should be a board that informs users not to access pornographic sites or download information prohibited by the law. These rules raise both privacy and implementation issues. The history of all websites accessed by a person, as well as personal details (name, address, photograph) are available to the cybercafe owners. This information could be misused to profile persons, and in some cases even harass them. Second, the rules are difficult to implement in several cases. Cybercafe is defined as any facility that offers access to the internet in the ordinary course of business to members of the public. This would include coffee shops, airport lounges etc, that offer wi-fi access. Requirements of identity verification, maintenance of usage history and layout prescriptions would likely lead to such facilities being withdrawn. Electronic service delivery The ball is now in parliament’s court (M R Madhavan heads research at PRS Legislative Research) |
These articles first appeared in Pragati: The Indian National Interest Review, June 2011