By Prasanto K. Roy
The United States National Security Agency, Prism, its clandestine mass electronic surveillance data mining programme and whistleblower Edward Joseph Snowden. Back home, the Amit Shah tapes and the Central Monitoring System. You’d think 2013 was the year of government-sponsored snooping. But you ain’t seen nothing yet.
India – still years behind the US in this arena – is desperately trying to catch up in 2014. Here’re five ways you’ll probably get snooped on electronically, in India.
CALL DATA RECORDS
This is the most likely way a government department can snoop on you: by asking your phone company for your “call data records” (CDR). Those are the details of your phone calls: who you spoke to, how frequently and for how long, and the mobile locations for both parties, among others.
There are nearly a dozen Indian organizations (such as the Income Tax Department), apart from the police, that are allowed to do this.
So you think you have “nothing to hide”? And they’re not listening to what you’re actually saying? But most people do have things to hide – not all of them illegal.
One government officer got the call records for a man being investigated for tax issues, but misused the data – which showed frequent calls to a married lady – for blackmail.
Let’s say you’re in India and you make a friend in Pakistan over Facebook. And you call her a few times from your phone. What you discuss is irrelevant: the government snoops will just flag the pattern: several calls to one Pakistan number. If they were actually listening to the call, they’d know that your chat is innocuous, but they’re not, so they’ll assume the worst.
What do you do? Use Internet-based systems like Skype for frequent long-distance calls. They’re much more difficult to intercept, and usually cheaper.
SOCIAL MEDIA PROFILING
This is easy to do when targeting one person. But it takes “big data” tech to profile large groups.
The problem for citizens is that all this information is available to anyone, not just to government agencies.
What you say and do on social media paints a clear picture of you.
Password crackers look for clues in your social media activity: names of your cat, or son, or favourite song or poet. Most people use passwords drawn from objects of interest to them, and these stick out on social media. On top of that, most people use the same passwords across multiple accounts.
And repeatedly, posts on Twitter, Facebook and elsewhere have resulted in arrest under the IT Act’s section 66A.
What can you do? Check your privacy settings on Facebook so that not everyone can see your posts. Avoid posting personal information. Avoid using passwords that have anything visibly to do with you.
People worry a lot about this, but it’s actually not so easy for the Indian government to do this legally.
Most popular email services are US-based, with servers located outside India, and do not fall under Indian jurisdiction.
There is no easy way to intercept a Gmail message you send from a web browser. (The US agency NSA taps directly into those servers under the Prism programme.)
This does not mean your email is safe. The problem of “phishing” (acquiring login, password, credit card and other details) is so rampant that most Indians will lose an email, banking, or other account to hackers, at some point. You get an email supposedly from Gmail or your bank, saying you need to validate your account. You enter your login and password, and someone steals your account.
India is the fourth most phishing-attacked nation globally. A recent survey by EMC says phishing scams cost Indian firms $53 million in just July-September 2013.
So can the government take over your email account this way? Not legally. But, yes, rogue individuals could “phish” and break into your email.
The only people safe from government snooping are terrorists. They use encryption, making it difficult to crack their messages. More and more people now will begin to do the same thing.
The people most vulnerable to targeted phishing attacks are government officials who, in India, tend to use Gmail and Hotmail extensively, and are simply not trained in security.
A big treasure-trove of information is the set of photos you upload on to social media sites like Facebook – and their metadata.
Many mobile phones and cameras tend to location-tag photos. Your photos record time and location, usually from GPS data.
This could let outsiders pinpoint the exact location of, say, your kids at different times of the day.
So disable location-tagging of your photos.
Even then, photos will reveal a great deal about you, your friends, the places you go to, the things you do. Take care to not share your online photo albums too freely – keep their viewing rights restricted.
The most popular way to snoop, in the movies. The most cumbersome, in real life.
Designated officials in the Indian agencies that have the mandate to snoop have to file a request with their heads, with details of the target, and why the tapping is necessary. The head then applies to the home secretary for permission under the Indian Telegraph Act, 1885. And unlike with CDRs, it can never be done post facto in India. It needs advance preparation and time. And it needs manpower – to listen in.
In the United States, the NSA uses a great deal of technology for call monitoring. It reportedly stores every telephone call, and it scans samplings of calls (or specific groups of calls) for patterns and trigger words. Storing the calls allows it to go back in time and scan for something later.
India, too, has embarked on a massive surveillance technology programme called CMS, which aims to gather data from phone calls and the internet, for every citizen.
How well this will work is difficult to say, but it’s certain to collect way more data on you, the citizen, than on terrorists and criminals.
And what is just as clear is that surveillance of citizens, by governments, is going to get bigger in 2014.
And that if you’re using any kind of electronic medium for communicating, you’re a target for snooping.