Govt says CMS enhances privacy even as concerns over snooping grow

New Delhi: The Government would have us believe that the new interception system it is putting in place is the most secure yet for monitoring calls and e-mails but grave doubts persist over the Centralized Monitoring System (CMS).

CMS may facilitate centralized Government access to all communications and content through all telecom networks in India. The New York Times said recently that the CMS could mean the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, site visits, usernames and passwords if your communications are not encrypted.

But a recent internal note prepared by the Department of Telecom suggests that instead of hacking into citizens’ private mails and listening in to phone conversations, the CMS actually provides even greater privacy than we enjoy currently.

The note points out that with CMS, there would be no need for an intercepting agency to take permission from the nodal officer of a telecom service provider before beginning to tap a phone, thereby eliminating at least one additional link in the interception chain. It also says that when CMS becomes operational, the provisioning and intercepting agencies would be separate, which is not the case now. Provisioning will be done by the CMS authority while monitoring will be done by law enforcement agencies. So the provisioning agency will not be able to know the content of your phone call while the monitoring agency will cannot order a phone tap.

Under CMS, your service provider cannot provision for interception and the CMS system will maintain a non-erasable command log of all provisioning activities so that any unauthorized provisioning can be detected immediately.

But media reports have regularly expressed doubts over the Government’s claims of CMS enhancing privacy of Indian citizens.

A story in the The Hindu quotes project documents related to the CMS to allege that without the assurance of a matching legal and procedural framework to protect privacy, CMS threatens to be as intrusive as the US government’s controversial PRISM project. It further alleges that the CMS will enhance the government’s surveillance and interception capabilities far beyond ‘meta-data,’ data mining, and the original expectation of “instant” and secure interception of phone conversations.

“The interception flow diagram, hitherto under wraps, reveals that the CMS being set up by C-DoT - an obscure government enterprise located on the outskirts of New Delhi - will have the capability to monitor and deliver Intercept Relating Information (IRI) across 900 million mobile (GSM and CDMA) and fixed (PSTN) lines as well as 160 million Internet users, on a ‘real time’ basis through secure ethernet leased lines,” the Hindu story says.

But the internal note of DoT makes no mention of e-mails being monitored by CMS, it only speaks of phone tapping.

CMS in fact will enable security agencies to lawfully intercept phone numbers without manual intervention from service providers by end of this year in 10 out of the country’s 22 service areas.

So is CMS good for national security but invasive into our personal lives? Should we even have what is called lawful interception unless there are much stronger privacy laws in India? Some questions which need to be raised.

The NYT article quoted above speaks of absence of any laws in India which allow mass surveillance. The DoT’s internal note speaks of interception which will be done under the purview of Section 5(2) of the Indian Telegraph Act read with rule 419 (A). This law is 128 years old! The NYT piece quotes another, more recent piece of legislation: the Information Technology Act of 2000, amended in 2008, and says both these laws restrict lawful interception to time-limited and targeted interception.