Milind Deora, India’s Minister of State for IT thinks that the Central Monitoring System (CMS), which is essentially India’s version of PRISM, “is a good tool” which will “ensure and protect your privacy”. On a Google Hangout last week with him, I asked Deora about the IT Act, the IT Rules, India’s Identity project (Aadhaar), and the CMS and other systems the Indian government is setting up for tracking SMS, GPRS usage, Phone Calls, Location, and what users are accessing and downloading. Please note that this was held a day before the disclosures around PRISM.

For those unable to view the video, Deora said that no law is perfect, there are issues with implementation, they’re open to suggestions, but above all, Deora said – bizarrely – that the CMS is being set up to safeguard our privacy from mobile operators,and protects the national security of the country. He said that with processes set up, the officer in charge will not have access to information, politicians will not get access. He did not respond to the question on India’s privacy law (that it doesn’t exist).

Apart from that, Deora said I’m misinformed. The context of my questions:

1. India’s IT Act, it’s Section 66a and IT Rules are draconian, the government has promised to amend them (read this), but kept deferring making any changes, despite the issue being taken up by a committee (read this) and Parliament (read this, this, this and these notes on a live discussion), and a public interest litigation (read this). They’ve issued an advisory on Section 66a (read this), a clarification on the IT Rules which wasn’t enough (read this) but the law and the rules remain draconian, and susceptible to misuse. The IT Ministry has the power to change the rules, but hasn’t done it so far. In fact, like Deora in the Q&A, it has defended its rules (read this). We’ve repeatedly pointed towards the need for transparency and specificity (read this) as a solution. Despite Deora giving assurances about there being rigor in finalizing the IT Act, it was passed without debate, a knee-jerk reaction in an atmosphere of fear (read this).

One common refrain from this government (and Deora in this Q&A) has been that they’ve used wordings from international laws to draft Indian laws – that is true but misleading because it’s easy to choose selectively to remove safeguards; laws need to be looked at in their totality, not just sentence by sentence.

2. India is setting up a Central Monitoring system (read this) for tracking what we say or text over the phone, write, post or browse over the Internet, getting direct access from telecom operators and ISPs. Last year, we had reported on a home ministry tender for the same (read this). In 2011, we found a Tender Document from the Delhi Police which had details of setting up the CMS (read this). Update: the IT Act allows government to snoop, and yet safeguards have not been established (read this). An RTI we filed (read this) informed us that the government wants telecom operators to improve location sharpness.

3. The Mumbai Police has set up a social media monitoring cell, which, strangely, has been tracking torrents (read this).

5. Aadhaar, India’s not quite flawless (read this) unique identity project, created circumventing Parliament as per a Parliamentary committee (read this) will eventually link all your databases together, across government services, and what is worse, the data will be given to private companies – National Information Utilities, with 51% private ownership – read this.

6. All of this is being done before India has passed a Privacy law (read this), and even if a Privacy law does come into place, how safe do you feel, and do you think the government executives will not circumvent the law, or create loopholes that they can use once they know what they need from it, after the systems have been deployed?

My contention is that there is a legal and technological framework for surveillance that is being created and deployed right now without proper approval of Parliament, and without Parliamentarians in India paying adequate attention to it. Having technological safeguards is not enough – they can and will be circumvented.

Having legal safeguards is not enough – even if laws are put into place, the government will create loopholes because they want this power (look at the IT Rules and Aadhaar). You can really rely on the government or the police to abuse the power that they give themselves (read this). Deora spoke of safeguards, but there are no rules for the appropriate section of the IT Act – section 69b (read this)

What prevents the government in power from harassing individuals who challenge them (including those from opposition parties) on the basis of National Security? Where does “National Security” end and “Government Security” begin, and what do we do about a trigger-happy CERT-IN blocking dissent without any transparency?

You decide – am I misinformed, or is Milind Deora misinformed or misleading?

The Only Solution

The only solution is what the UK did with its Identity project (read this): dismantle these projects, no matter how much money has been spent on them, because the risk to civil liberties is too great. There is a need to dismantle the UID Project, the National Population Register, the Central Monitoring System, change the IT Act and IT Rules, and create a privacy law. It is also bizarre for Deora to suggest that information which the government has access to through mobile networks and ISPs will not also be available these service providers.

So, Milind, I do not agree that this monitoring should be, as you said, “the exclusive domain of the government”, because I don’t trust the law enforcement agencies, this government and the governments to follow.

We’d be happy to publish a response to this post, if you wish to clarify further.

*

Ps:

– Milind Deora on Twitter

– Gizmodo India has also written about this – Milind Deora Actually Believes That CMS Will Protect Your Privacy