In 2010, when telephonic conversations of lobbyist Niira Radia were leaked in the media, it drew a lot of attention to the nexus between senior journalists, politicians, and corporate houses. But lost amidst the brouhaha was the fact that law enforcement agencies were snooping into an individual’s private conversations.
While it’s common knowledge that security agencies world over tap into phones and emails, the extent and scale of such snooping activity got revealed after the recent exposé of the Prism project in the US.
According to international media reports, US security agencies have been snooping into data flowing through the networks of large Internet companies such as Google, Microsoft, Facebook and Yahoo looking for information related to law enforcement – ranging from terrorism to a missing child.
Facebook, for instance, said it received between 9,000 and 10,000 requests for data from all government agencies in the second half of last year. The social media company said less than 19,000 users were targeted.
This revelation has sparked off a global outrage over how far governments can eavesdrop and when it starts getting intrusive on individual privacy. The major concern is that the project clearly targeted Internet users outside the US as they are not protected under US privacy laws.
According to a report in the British newspaper The Guardian , the US National Security Agency’s data-mining tool, called Boundless Informant, collected the largest amount of online data from Iran, with more than 14 billion reports, followed by Pakistan with 13.5 billion. Jordan came third with 12.7 billion, Egypt fourth with 7.6 billion.
The US agency collected 6.3 billion reports from India, where there are only about 100 million active Internet users. The US authorities have claimed that they were doing this to protect American citizens from potential acts of terrorism.
Is it legal or not?
Until now it was widely believed that it was China which had an organised programme to snoop into international telecom networks through equipment supplied by the likes of Huawei and ZTE.
Interestingly, while China has banned American companies such as Google from operating in its territory, the US has put a block on Huawei selling core network equipment to American telecom companies. Could China also claim tomorrow that it was collecting data from international networks set up by Huawei and ZTE for its own security interests?
The key question is whether such data mining is legal or not. Internet companies such as Google and Facebook have come out saying that they have provided information only when the US security agencies had a court order permitting them to snoop into user accounts.
But how can a US court give permission to a US security agency to use American Internet companies’ network to tap into someone residing in India? This does not seem right, especially when the Indian citizen is not protected under US privacy laws.
Under US laws, security agencies can only access the metadata related to a phone call or Internet activity. This means if a US citizen sends out an email to his colleague, the law enforcement agencies can only record things like the time of sending and who the mail was sent to. They cannot read the contents of the letter unless they get a court order.
But this may not be the case with accessing the records of Internet users in India. In other words, if an India user feels that his Gmail account was being unfairly monitored he does not have any legal recourse.
Even if he approaches an Indian court he would not get any respite unless a Letter Rogatory is issued but this is not legally binding on the US authorities.
Awareness initiatives
To be fair, the Internet companies caught in the middle of all this have put out conditions relating to privacy on their Web sites but most users do not bother to read while signing up.
Here’s what Facebook, for example, states on its Web page on privacy: “We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so… Information we receive about you, including financial transaction data related to purchases made with Facebook Credits, may be accessed, processed and retained for an extended period of time when it is the subject of a legal request.”
Perhaps it’s time for Internet companies to be upfront in creating more awareness among users for otherwise it may be seen as betrayal of trust.
Cyber security and information gathering is a reality every government across the world has to deal with. Phone conversations, email records, and chat messages give security agencies vital clues to an ongoing investigation or a new threat.
The Indian Government is also embarking on a number of initiatives in this direction. There is a proposal to set up a National Cyber Coordination Centre that would carry out real-time assessment of cyber security threats and generate actionable reports/alerts for proactive actions by law enforcement agencies. This unit will scan Internet traffic data from different gateway routers of major ISPs at a centralised location.
The Department of Telecom is also planning to make it mandatory for telecom and Internet service providers to store data records of all subscribers through a technology called Internet Protocol Detail Record. There is also a move to make it mandatory for telecom companies to deploy technology that would pinpoint the location of a user to within 50 metres of a mobile base station.
Protect against misuse
While all of this is being done in the name of security, there has to be a simultaneous move towards ensuring that such mechanisms are not misused. The biggest fear is that governments could use data collected through such snooping activities for political reasons.
Therefore governments across the world should come up with clear privacy laws that spell out the conditions under which a user’s account can be monitored with full legal rights to challenge it. Internet companies should also move beyond offering only lip service to issues around privacy. The motivation to access user data can be security related, like in the case of US Prism project, or it can be purely business-oriented.
Internet companies’ entire business model is designed around how much it knows about your online activities. Google’s search engine, for instance, uses the information it collects about your online activity to push content relevant to you which, in turn, drives traffic on its network. The reality is that what you do online is tracked by multiple agencies. The Prism exposé has only helped bring out this fact from top-secret government files and board rooms to the drawing rooms of millions of Net users.