புதன், 24 செப்டம்பர், 2014

NETRA: India’s planned Orwellian surveillance system



NETRA: India’s planned Orwellian surveillance system
by notacoda
5 September, 2014
http://notacoda.net/2014/09/05/netra-indias-planned-orwellian-surveillance-system/
NETRA (from the Sanskrit word नेत्र (netra), meaning “eye,” and a convenient ‘backronym’ for Network Traffic Analysis) is India’s planned Internet monitoring system. There have been no public comments by India’s executive leadership on NETRA, no statements have been made in Parliament that detail the system and no public literature exists that describe it. Until it is publicly acknowledged by a senior elected representative, it will remain a secretive surveillance measure. Except for a few news reports (for instance, here and here) crediting an anonymous bureaucratic source, all of which are substantially similar, no public information about NETRA exists.
>>  From the few news reports quoting the anonymous source, whose credibility is not publicly known, NETRA appears to be a keyword-based detection, monitoring, and pattern-recognition system for packetized data and voice traffic over the Internet. This means that it will cover most forms of electronic communications, including emails,tweets, blog posts, status updates, VoIP calls, instant messages, and so on. It will utilise deep packet inspection (DPI) software at several installed nodes at Internet Service Provider (ISP) locations across India. At the outset, there appears to be a functional overlap with at least a few aspects of the Central Monitoring System (CMS). The CMS is purported to be an automated telephone interception mechanism that requires the installation of interception, storage, and forwarding (ISF) servers at Telephone Service Provider (TSP) locations. The ISF servers will perform DPI to effect interceptions of packetized voice data since many voice communications are no longer streamed over a circuit-switched network (PSTN), although most are subsequently packetized. Netra is also the official name of an Indian aerial surveillance drone.
>>  NETRA is being developed by a laboratory of the Defence R&D Organisation (DRDO) called the Centre for Artificial Intelligence and Robotics (CAIR). In a selection trial conducted by the Ministry of Home Affairs, NETRA was favoured over a competing solution offered by the secretive National Technical Research Organisation (NTRO), India’s primary signals and technical intelligence agency, which does not have a website, and which recently separated from the primary external intelligence agency – the Research and Analysis Wing (RAW). NTRO’s offering was developed by Paladion, a private, Indian-promoted, information security company. Besides reportedly being buggy, the involvement of private companies over which it is more difficult to impose secrecy resulted in NTRO’s defeat and NETRA’s selection.
>>
>> Dragnet surveillance
>>
>> When it is operational, NETRA will enable non-targeted surveillance in respect of all internet traffic in India in real time (or with a minimal latency delay for DPI). This type of pervasive and non-targeted surveillance against an entire population is called dragnet surveillance. The distinction between the two is crucially important.
>>  Surveillance of any sort, and especially of communications, intrudes upon the right to privacy of individuals. In order to abridge this right to privacy, the laws of democratic countries demand that a minimum standard of criminal suspicion or public interest is met before personal communications can be intercepted. Different countries have different tests to determine this minimum standard of criminal suspicion, usually developed over many years by their constitutional courts. The nature of these tests will be examined in another post.
>>  All these tests require the state to demonstrate that the actions of a person indicate a high probability of criminality that can only be thwarted by temporarily abridging the right to privacy in order to intercept that person’s communications. Hence, privacy in communications can only be taken away by an individuated process that is predicated on a high probability of criminality. This is a targeted system of surveillance.
>>  However, dragnet surveillance is non-targeted. This means that everybody’s communications are intercepted without regard for their right to privacy or the lack of criminality. Put another way, everyone is assumed to be engaging in criminal activity. No individual tests are conducted to determine criminal suspicion. No minimum threshold of criminality is specified. Proponents of dragnet surveillance argue that it pre-empts crime by identifying persons whose actions indicate a high probability of criminality.
>>  There is a logical flaw here, it is this: In an entire population there are a few potential criminals. Both targeted surveillance and dragnet surveillance may reveal these potential criminals. Through targeted surveillance, a thorough investigation will identify these potential criminals and thereby justify surveillance of their personal communications. Dragnet surveillance may also identify these same criminals, but it will be achieved at the expense of the privacy of the entire population. By choosing dragnet surveillance over targeted surveillance, all we are essentially doing is condoning the lack of proper and thorough police work. And, at the same time, we are investing the same police force (or other law enforcement agency) with the power to violate the privacy of an entire population. In India, the problem is compounded manifold by systemic corruption, an overall lack of transparency, and untrained and ill-equipped law enforcement machinery.
>>  Privacy of Internet-based communications
>>  There are three primary legal questions that an examination of NETRA must answer. The first question is this: are Internet-based communications protected by a right to privacy? The privacy of electronic communications – which, according to the Information Technology Act, 2000 [this is a pdf document, html version here] (“ÍT Act”), are those made from a “computer resource” – has not been examined yet by India’s constitutional courts. No doubt, this will soon change. Until then, the landmark case of People’s Union for Civil Liberties (PUCL) v. Union of India (1997) 1 SCC 301 is highly persuasive. In PUCL, the Supreme Court of India, through Kuldip Singh, J, held that telephone conversations were private and their interception interfered with the right to privacy. To arrive at this conclusion, the Court observed that:
>>    Conversations on the telephone are often of an intimate and confidential character. Telephone conversation is a part of modern man’s life. It is considered so important that more and more people are carrying mobile telephone instruments in their pockets. Telephone conversation is an important facet of a man’s private life. (sic)
>>  If a (rudimentary) test of communications privacy could be deduced from PUCL, I think it would be this: Privacy inheres in verbal communications if the communications are (i) made in private, or made using means over which there is a reasonable expectation of privacy, (ii) made with the belief that they are intimate or confidential; and (iii) the means of communication is widely recognised. Certain Internet-based communications, such as email or instant messages, fulfil these criteria and are therefore protected from interception by the right to privacy.
>>  The fact that the Supreme Court has not declared a right to privacy in emails does not mean that other judicial authorities treat them as non-private communications. There are several instances of judicial and quasi-judicial authorities recognising and protecting the privacy of emails and similar electronic communications. For instance, Maharashtra’s Adjudicating Officer under the IT Act has enforced the privacy of emails and chat transcripts.
>>  Further, since NETRA overlaps in part with the CMS, as pointed out earlier, all data communications that are transmitted by TSPs (for e.g., from smartphones) are governed by the Indian Telegraph Act, 1885 [pdf] and their interception is hence covered by PUCL, which has already declared a right to privacy over them.
>>  Lack of constitutional procedure
>> This brings us to the second question that an examination of NETRA must answer: does it follow a constitutionally acceptable procedure? Since communications privacy is a part of the right to personal liberty that is protected by Article 21 of the Indian Constitution, it can only be taken away by a procedure established by law. In the landmark decision of Maneka Gandhi v. Union of India (1978) 1 SCC 248, the Supreme Court held that the “law” in question must satisfy additional constitutional tests for reasonableness and non-arbitrariness under Article 19 and Article 14 of the Constitution, and the “procedure” that it establishes must be “fair, just and reasonable, not fanciful, oppressive or arbitrary”.
>>  In PUCL, the Supreme Court measured the procedure to intercept telephone calls contained in the Indian Telegraph Rules, 1951, and concluded that it was not just, fair, and reasonable. However, instead of striking down the interception power, the Supreme Court read down the empowerment by prescribing fresh procedure to meet the command of Maneka Gandhi. Thereafter, the Centre exercised its subordinate legislative power to insert a new rule 419A in the Telegraph Rules [pdf] that eventually consolidated this procedure.
>>  In the case of Internet-based communications, the empowerment to intercept the content of messages is contained in section 69 of the IT Act. The empowerment is not dissimilar to its corresponding telephone-related provision under the Telegraph Act which was considered in PUCL. Section 69 of the IT Act allows the Centre or a State, through an appropriate officer, to issue a written order to intercept, monitor, or decrypt any information that is generated, transmitted, received, or stored in any computer resource. This is a broad empowerment that, without doubt, extends to the content of emails and other Internet-based communications.
>>  The procedure to effect such interceptions is contained in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 [pdf] (“Interception Rules”). Nothing in the Interception Rules permits the pervasive and continuous interception of all Internet users in India. Instead, the Interception Rules, not unlike rule 419A of the Telegraph Rules, sets out an individuated procedure by which competent authorities may order the communications interception of identified targets. The requirement of identified targets is clear; rule 9 of the Interception Rules states:
>>     The direction of interception or monitoring or decryption…shall be of any information as is sent to or from any person or class of persons or relating to any particular subject.
>>  It would be impossible to claim that the entire population of Indian Internet users constitute a class of persons whose rights that are protected by Article 21 can be taken away by non-targeted dragnet surveillance; this would disturb the principle of non-arbitrariness of state action that is protected under Article 14. Such a classification that is not based on intelligible differentia, which bears no nexus to the objective of the individuated interception empowerment, would be prima facie unconstitutional.
>>  In the absence of an empowerment to permit non-targeted interceptions and with the lack of just, fair, and reasonable procedure to conduct such dragnet surveillance, any state action to implement NETRA would be unconstitutional.
>>  Limits of executive authority
>>  This brings us to the third and last question of this post: do the executive powers of the Centre extend to the creation of a dragnet surveillance system such as NETRA?
>>  The competence of the Centre to govern by executive action is restricted to the extent of the executive power of the Union (Article 73 of the Constitution). Following the landmark 1955 Supreme Court case of Ram Jawaya Kapur v. State of Punjab AIR 1955 SC 549, it is settled that the extent of the Centre’s executive power is coterminous with the legislative power of Parliament even in the absence of controlling legislation in that field (“wider executive power”).
>>  This is in addition to the Centre’s subordinate executive power to give effect to legislation through statutory delegation (“subordinate executive power”). For foundational Supreme Court case law on the contours and limits of the Centre’s subordinate executive power, see In re Delhi Laws Act AIR 1951 SC 332, Harishankar Bagla v. State of Madhya Pradesh AIR 1954 SC 465, Rajnarain Singh v. Patna Administration Committee AIR 1954 SC 569 and Edward Mills v. State of Ajmer AIR 1955 SC 25.
>>  The wider executive power of the Union cannot be exercised over a matter that is controlled by parliamentary legislation. This was held in Bishamber Dayal Chandra Mohan v. State of Uttar Pradesh (1982) 1 SCC 39. This principle was affirmed in the 1990 case of Bharat Coking Coal v. State of Bihar (1990) 4 SCC 557 where the Supreme Court declared that the power of the executive to act is subject to the control of the legislature; hence, a statutory regime, where it exists, cannot be circumvented by the free exercise of executive power. In the case of content-based Internet communications surveillance, section 69 of the IT Act constitutes a statutory regime that occupies the field to preclude Centre’s exercise of the wider executive power to implement the NETRA system.
>>  The subordinate executive power emanates from the rule-making power under the IT Act contained in section 69(2) and section 87. Together, these provisions narrowly empower the Centre to issue rules to give effect to the targeted surveillance scheme that is envisioned by section 69. In exercise of these narrow powers, the Centre issued the Interception Rules. (It is a different matter that I believe that some provisions of the Interception Rules suffer from excessive delegation and are invalid; I will examine this in another post). The subordinate executive power is restricted to the exact extent of the delegation, this is an undisputed principle of administrative law.
>>  Hence, in the absence of a specific empowerment to conduct dragnet Internet surveillance, any state action in exercise of the Centre’s subordinate executive power to implement the NETRA system would be invalid.
>>
>> ----------------------
>> SPY : Govt taps over 1 lakh phones in India every year
>> PTI
>> 05 Sep 2014
>> http://tech.firstpost.com/news-analysis/govt-taps-over-1-lakh-phones-in-india-every-year-232436.html
>>
>> More than one lakh phone tapping orders are issued by the central government every year, but the total number of such interceptions can be of a ‘staggering scale’ after taking into account the directions from state governments, a new study has found.
>>  The study, ‘India’s surveillance state’, prepared on the basis of RTI replies given by the government, also found that 26 companies including foreign firms expressed interest in setting up Internet monitoring systems for the government. These included companies offering “far more potent surveillance technologies including phone interception, social media network analysis and data mining and profiling”.
>>  The study was conducted by Software Freedom Law Centre, a non-profit legal services organisation, and was released at recently held Internet Governance Forum in Istanbul. “…on an average, more than a lakh of telephone interception orders are issued by the central government alone every year. On adding the surveillance orders issued by the State Governments to this, it becomes clear that India routinely surveils her citizens’ communications on a truly staggering scale,” the 68-page report said.
>>  The state surveillance of citizens’ private communications is authorised by legislative enactments such as the Indian Telegraph Act and the Information Technology Act, which allow Indian law enforcement agencies to closely monitor phone calls, texts, e-mails and general Internet activity on a number of broadly worded grounds.
>>  The issue of phone tapping has often led to controversies in India including in 2010, when tapped conversations of corporate lobbyist Niira Radia with businessmen, politicians and journalists got leaked. Only a few agencies in India are authorised to tap phones and a rigorous screening process is said to be in place for grant of such authorisations.
>>  As per the report, Network Traffic Analysis (NETRA) storage servers will be installed at more than 1000 locations across India. The Controller of Certifying Authorities uses Section 28 of the IT Act, an ambiguous provision, to collect user data from technology companies. 

கருத்துகள் இல்லை:

கருத்துரையிடுக