This is the 8th article in our Spies Without Borders series. The series looks at how the information disclosed in the NSA leaks affect internet users around the world.
As we have discussed throughout our Spies Without Borders series, the backlash against the NSA’s global surveillance programs has been strong. From Germany, where activists demonstrated against the mass spying, to Egypt—allegedly one of the NSA’s top targets—where the reaction is largely the same: “I’m not American, but I have rights too.”
Indian commentators are no exception. A piece in the Financial Times stated that the revelations highlighted the “moral decline of America,” while another in the Hindu berated India for its “servility” toward the U.S.
But the revelations about the NSA’s spying activities have also created an opportunity for Indian activists to speak out about their own country’s practices. As Pranesh Prakash, Policy Director for the Centre for Internet & Society argues in a piece for the Economic Times, Indian surveillance laws and practices have been “far worse” than those in the U.S. Writing for Quartz, Nandagopal J. Nair agrees, saying that “India’s new surveillance network will make the NSA green with envy.”
The U.S. has in fact refused Indian requests for real-time access to internet activity routed through U.S.-based Internet sites, and U.S. companies have also stood up to privacy-violating demands. Other companies, such as RIM—the company that owns BlackBerry—have cooperated with the Indian government.
Regulatory privacy protections in India are weak: Telecom companies are required by license to provide data to the government, and the use of encryption is extremely limited. As we have previously explained, India service providers are required to ensure that bulk encryption is not deployed. Additionally, no individual or entity can employ encryption with a key longer than 40 bits. If the encryption surpasses this limit, the individual or entity will need prior written permission from the Department of Telecommunications and must deposit the decryption keys with the Department. The limitation on encryption in India means that technically any encrypted material over 40 bits would be accessible by the State. Ironically, the Reserve Bank of India issues security recommendations that banks should use strong encryption as higher as 128-bit for securing browser. In addition to such limitations on the use of encryption, commentators have also raised concerns about the process for lawful intercept.
The latest attempt at surveillance by the Indian government has been roundly criticized as “more intrusive” than the NSA’s programs. In the New York Times, Prakash explained the new program, the Centralized Monitoring System or C.M.S.:
With the C.M.S., the government will get centralized access to all communications metadata and content traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.
Notably, India does not have laws allowing for mass surveillance; rather, lawful intercept is covered under the archaic Indian Telegraph Act of 1885 [PDF] and the Information Technology Act of 2000 (IT Act). Under both laws, interception must be time-limited and targeted.
In the Times piece, Prakash also lambasts the IT Act, which he says “very substantially lowers the bar for wiretapping.”
All of this points to the fact that our fight for privacy is a shared global challenge; or as a columnist for India’s Sunday Guardian recently put it: “We're all now citizens of the surveillance state.”