The Intercept, a publication that provides a platform to report on the documents leaked by NSA whistleblower Edward Snowden, published a piece earlier today on how US and British spies hacked into the internal network of Gemalto, one of the largest manufacturers of SIM cards in the world, way back in 2010. The hack gave the US National Security Agency (NSA) and its British counterpart, Government Communications Headquarters (GCHQ), access to encryption keys used to protect the privacy of mobile cellular communications across the globe.

What makes it relevant for India is that The Intercept claims these spies mined the private communications of Gemalto engineers and employees in multiple countries, including India.

Encryption keys are important because all mobile communications are based on an encrypted connection between the mobile phone and the mobile operator’s network. Your tiny SIM card has one set of the keys, and another set is provided by the SIM card manufacturer to your mobile operator so that the connection can be established and verified for proper billing and security when you insert the SIM card into your mobile phone, and then each time you make a call, send a text message, or use data to check e-mail, read WhatsApp messages, browse the Internet or use an application.

Since mobile communication is wireless, there’s every chance that someone with the right equipment can intercept communication, but unless they had these encryption keys, all they would get is garbled nonsense. And while breaking encryption is not impossible, it’s not something amateurs can do, and it requires significant computing power and mathematical skills that typically only governments could afford.
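The shared-key arrangement described above can be sketched as follows. This is an added example, not part of the original article: it assumes a simplified challenge-response in which the operator sends a random challenge and both sides derive a response and a session key from the per-SIM key, with HMAC-SHA256 and an XOR keystream as stand-ins for the algorithms real SIM cards use, and every key and message is a constructed sample. It shows why protecting the key file in transit matters: a listener holding a copy of the key reads the traffic offline, and the operator's record looks identical either way.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not real keys.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")   # per-SIM secret
WRONG_KI = bytes(16)                                      # a listener without the key file
MESSAGE = b"meet at 10:30"

def derive(ki, rand):
    """Stand-in for the SIM's authentication and key-derivation functions.
    HMAC-SHA256 is an assumption; it is not what real SIM cards run."""
    sres = hmac.new(ki, b"auth" + rand, hashlib.sha256).digest()[:4]
    kc = hmac.new(ki, b"ciph" + rand, hashlib.sha256).digest()[:8]
    return sres, kc

def keystream_xor(kc, data):
    """Toy stream cipher: XOR data with a SHA-256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(kc + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def run_session(ki_sim, ki_operator, message):
    """Phone and operator authenticate, then the phone sends one message.
    Returns (authenticated, operator_log, air); air is all a radio listener sees."""
    rand = secrets.token_bytes(16)                 # challenge sent in the clear
    sres_sim, kc_sim = derive(ki_sim, rand)        # computed inside the SIM
    sres_net, _ = derive(ki_operator, rand)        # computed by the operator
    ok = hmac.compare_digest(sres_sim, sres_net)
    operator_log = ["auth ok" if ok else "auth failed"]
    air = {"rand": rand, "sres": sres_sim, "ciphertext": keystream_xor(kc_sim, message)}
    return ok, operator_log, air

def passive_read(ki_copy, air):
    """Decrypt captured traffic offline; no message is ever sent to the network."""
    _, kc = derive(ki_copy, air["rand"])
    return keystream_xor(kc, air["ciphertext"])

if __name__ == "__main__":
    ok, log, air = run_session(KI, KI, MESSAGE)
    print("operator log:", log)
    print("listener with key copy:", passive_read(KI, air))
    print("listener without key:  ", passive_read(WRONG_KI, air).hex())
```
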
However, once someone has access to these encryption keys, they can monitor all mobile communications on those SIM cards without seeking permission from Indian courts, the government, the mobile operator, etc. And the worst part is that there is no trace on the mobile operator’s network that communications were monitored by a third party, since they have the actual keys and are not using brute force to break encryption.

When a mobile operator orders a consignment of SIM cards from a manufacturer like Gemalto, the cards are delivered physically, but the encryption key files are usually sent electronically by SIM card manufacturers to the operators. The Intercept reveals that the NSA and GCHQ intercepted the encryption files containing the keys as they were transmitted between Gemalto and the mobile operators who had purchased these cards. They did so by hacking the e-mails of relevant employees, whose names they had figured out based on rigorous monitoring and analysis.

The scary part for India is that the new revelations show that in the first quarter of 2010, GCHQ successfully intercepted keys used by wireless network providers in Iran, Afghanistan, Yemen, India, Serbia, Iceland and Tajikistan. Another internal document from May 2011 indicated that Gemalto’s Indian facilities were among the more than a dozen facilities targeted by GCHQ.

Since each SIM card has an individual key, some might think it’s impossible to monitor millions of SIM cards. But The Intercept article points out that even way back in 2009 the NSA had the capacity to process between 12 and 22 million keys per second and was already claiming it could process more than 50 million per second in the near future. Considering this has come to light nearly six years later, the possible numbers today would be staggering and shocking in equal measure.
And once a spy agency figured out the identity of the person who owned the SIM card, which would be fairly easy for them, and supposing the owner was an important political figure or a bureaucrat, focused monitoring would be fully possible. That makes one wonder about the security of any mobile communications in India, even at the highest levels.

Interestingly, German Chancellor Angela Merkel’s voice calls were monitored by US spies, and thanks to that fracas, the German government today uses BlackBerry smartphones with an additional layer of voice encryption by Secusmart, a company BlackBerry acquired, to avoid the prying eyes of US spies. Even Indian Prime Minister Narendra Modi now uses a BlackBerry (possibly with similar Secusmart technology), according to BlackBerry CEO John Chen.

However, what is most interesting from the latest leaks is that GCHQ could not intercept keys used by mobile operators in Pakistan, even though Pakistan is a priority target for Western intelligence agencies. The GCHQ document quoted by The Intercept suggests that the Pakistanis used more secure methods to transfer the encryption keys between the SIM card manufacturers and Pakistani mobile operators.

Mobile communications in India, though, seem to have been left wide open for the US and British spy agencies to monitor. Since such monitoring can’t be traced when the spies hold the encryption keys themselves, it’s anyone’s guess how extensively Indian citizens, government employees, politicians and leaders, and even members of Indian security agencies have been monitored.
Written by Ivor Soans
@IvorSoans on Twitter


