Project documents relating to the new Centralized Monitoring System (CMS) reveal the government’s lethal and all-encompassing surveillance capabilities, which, without the assurance of a matching legal and procedural framework to protect privacy, threaten to be as intrusive as the U.S. government’s controversial PRISM project.

These capabilities are being built even as a debate rages on the extent to which the privacy of Indian Internet and social media users was compromised by the PRISM project. A PIL petition on the subject has already been admitted by the Supreme Court.

The documents in the possession of The Hindu indicate that the CMS project now has a budgeted commitment nearly double that of the Rs. 400-crore estimate that senior officials mentioned in a recent briefing to the media. Once implemented, the CMS will enhance the government’s surveillance and interception capabilities far beyond ‘meta-data,’ data mining, and the original expectation of “instant” and secure interception of phone conversations.

The interception flow diagram, hitherto under wraps, reveals that the CMS being set up by C-DoT — an obscure government enterprise located on the outskirts of New Delhi — will have the capability to monitor and deliver Intercept Relating Information (IRI) across 900 million mobile (GSM and CDMA) and fixed (PSTN) lines as well as 160 million Internet users, on a ‘real time’ basis through secure ethernet leased lines.

The CMS will have unfettered access to the existing Lawful Interception Systems (LIS), currently installed in the network of every fixed and mobile operator, ISP, and International Long Distance service provider. Mobile and long distance operators, who were required to ensure interception only after they were in receipt of the “authorisation,” will no longer be in the picture. With CMS, all authorisations remain secret within government departments.

This means that government agencies can access in real time any mobile and fixed line phone conversation, SMS, fax, web-site visit, social media usage, Internet search and email, including partially written emails in draft folders, of “targeted numbers.” This is because, contrary to the impression that the CMS was replacing the existing surveillance equipment deployed by mobile operators and ISPs, it would actually combine the strength of two — expanding the CMS’s forensic capabilities multiple times.

Even where data mining and ‘meta-data’ access through call data records (CDRs) and session initiation protocol data records (SDRs) — used for Internet protocol-related communications including video conferencing, streaming multi-media, instant messaging, presence information, file transfer, video games and voice & fax over IP is concerned — the CMS will have unmatched capabilities of deep search surveillance and monitoring. The CMS is designed to have access to call content (CC) on multiple E1 leased lines through operators ‘billing/ mediation servers’. These servers will reveal user information to the accuracy of milliseconds, relating to call duration, identification and call history of those under surveillance. Additionally, it will disclose mobile numbers and email IDs, including pinpointing the target’s physical location by revealing cellphone tower information.

Nationwide surveillance

The Hindu’s investigation has also unveiled the mystery relating to the CMS’s national rollout. Contrary to reports about it being active nationwide, only Delhi and Haryana have tested “proof of concept” (POC) successfully. Kerala, Karnataka and Kolkata are the next three destinations for CMS’s implementation. Till 2015, two surveillance and interception systems will run in parallel — the existing State-wise, 200-odd Lawful Intercept and Monitoring (LIM) Systems, set up by 7 to 8 mobile operators in each of the 22 circles, plus the multiple ISP and international gateways — alongside the national rollout of CMS. The aim is to cover approximately one dozen States by the end of 2013-14.

On November 26, 2009, the government told Parliament that CMS’s implementation would overcome “the existing system’s secrecy which can be easily compromised due to manual interventions at many stages.” In January 2012, the government had admitted to intercepting over 1 lakh phones and communication devices over a year, at a rate of 7,500–9,000 per month.

Privacy vs. security

Currently two government spy agencies — the Intelligence Bureau (IB), and the Research and Analysis Wing (RAW) — plus seven others, including the Central Bureau of Investigation (CBI), the Narcotics Control Bureau, DRI, National Intelligence Agency, CBDT (tax authority), Military Intelligence of Assam and JK and Home Ministry — are authorised to intercept and monitor citizens’ calls and emails, under the guidelines laid down by the Supreme Court, The Indian Telegraph Act 1985, Rule 419(A) and other related legislation.

Given the major technological advancements in monitoring and enhanced forensic capabilities in surveillance, coupled with the change in procedure which mandates the interception authorization to be kept secret between two government departments with no scope of a transparent public disclosure of who is being monitored, for what purpose and for how long, privacy and free speech activists are protesting and raising many questions. The government, meanwhile, is proceeding undeterred.