Keyword-based monitoring can snoop in on emails, web-browsing, chat

Amid fresh controversy following reports of the U.S.’s Prism programme targeting the Brazilian President, and the impending launch of the Indian government’s own Central Monitoring System (CMS) project, an investigation by The Hindu reveals that the Internet activities of India’s roughly 160 million users are already being subjected to wide-ranging surveillance and monitoring, much of which is in violation of the government’s own rules and notifications for ensuring “privacy of communications”.

While the CMS is in the early stages of launch, the investigation shows that there already exist — without much public knowledge — Lawful Intercept and Monitoring (LIM) systems, which have been deployed by the Centre for Development of Telematics (C-DoT) for monitoring Internet traffic, emails, web-browsing, Skype and any other Internet activity of Indian users.

Secret monitoring

While mobile operators deploy their own LIM system, allowing “interception” of calls by the government, only after checking “due authorisation” in compliance with Section 5(2) of the Indian Telegraph Act read with Rule 419(A) of the IT Rules, in the case of the Internet traffic, the LIM is deployed by the government at the international gateways of a handful of large ISPs. The functioning of these secretive surveillance systems is out of reach of these ISPs, under lock and key and complete control of the government.

Following the leak of the Amar Singh tapes, the government had notified safeguards on February 7, 2006 for monitoring Internet traffic titled “Instructions for ensuring privacy of communications”, which mandates all ISPs to have “designated nodal officers” for communicating and receiving the “intimations for interceptions”. Nodal officers are required to hold meetings with the government to “seek confirmation regarding their (interception orders) authenticity every 15 days”. The safeguards include the need for 24x7 availability of “nodal officers”, and a procedure for monitoring traffic during “exceptions in emergent cases”.

However, in reality, these safeguards stand violated for the most part. This is because a majority of the Indian ISPs neither have the government’s LIM system installed nor do they have functional nodal officers — and, as a result, the ISP-level mandatory check for authenticating the government’s monitoring orders to protect user privacy is absent. In effect, all Internet traffic of any user is open to interception at the international gateway of the bigger ISP from whom the smaller ISPs buy bandwidth.

Even where the LIM exists, the process of seeking authentication by nodal officers exists mostly on paper. Since the government controls the LIMs, it directly sends software commands and sucks out whatever information it needs from the Internet pipe without any intimation or information to anyone, except to those within the government who send the Internet traffic monitoring commands. No ISP confirmed whether they had ever received an “authorization” letter for interception or monitoring of Internet content.

Further, unlike mobile call interception safeguards, where only a pre-specified, duly authorized mobile number is put under “targeted surveillance” to prohibit misuse, in the case of Internet traffic, the government’s monitoring system, which is installed between the ISP’s Internet Edge Router (PE) and the core network, has an “always live” link to the entire traffic. The LIM system, in effect, has access to 100% of all Internet activity, with broad surveillance capability, based not just on IP or email addresses, URLs, ftps, https, telnet, or webmail, but even through a broad and blind search across all traffic in the Internet pipe using “key words” and “key phrases”.

In practical terms, this would mean that security agencies often launch a search for suspicious words such as “mithai” (sweets) — a code often used by extremist organizations to describe an explosive. However, since the monitoring is broad, blind and based on “key word” or “key phrase”, the LIM system, using “text search”, “check some search”, “serial scanning”, “wildcard search” software commands, etc., monitors the entire Internet pipe indiscriminately for all traffic of every and any Internet user for as long as it desires, without any oversight of courts and without the knowledge of ISPs.

This monitoring facility is available to nine security agencies including the IB, the RAW and the MHA. It is unclear whether future safeguards promised for CMS exist while monitoring Internet traffic today.

Though it is presumed that the provisions of Rule 419(A) are followed, no one within the government or the ISPs was willing to reveal who sends the “intimation for interception”, who checks its authentication or who implements it, especially since the search is made on the basis of “keyword” across all traffic rather than a specified targeted surveillance.