India may have a long way to go before it can take up a project like the US National Security Agencys electronic surveillance programme PRISM to pry into private Internet communications with requisite court clearances. This is largely because the popular email and social networking service providers all have their computer servers located overseas.
Security agencies in India are,nevertheless,capable of carrying out electronic surveillance to a significant extent through mobile phone service providers,and to a lesser extent on emails. Among telecom engineers and cyber-sleuths,in fact,the revelations about the PRISM project have not come as a surprise.
It is a well-known fact in the telecom world that service providers work in close proximity with security agencies, says an engineer with a major US telecom networking firm.
Though Indian agencies have less leverage on Internet connections on account of most servers being located in the US,new,small initiatives are under way to bring such communications under security surveillance,typically in post-incident scenarios. Here is a look at the electronic surveillance landscape in India:
The basic law on phone tapping in India is enshrined in the Indian Telegraph Act of 1885,section 5(2) of which says that communications can be tapped by agents authorised by the central or state governments in the interest of the sovereignty and integrity of India,the security of the state,friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. As the law stands now,tapping has to be authorised by the home secretary of a state or,in the absence of the home secretary,by an official of the rank of joint secretary for a period of seven days; further tapping up to a period of 60 days will need the home secretarys seal. The tapping of phones is a fairly common police activity these days in cities such as Bangalore,with the lines of hundreds of persons who have criminal records,or who are suspected of involvement in illegal activities,being under constant surveillance. A special police data centre has,in fact,been established for storing and studying all forms of electronic surveillance data.
Among the most famous phone tapping cases involving criminals in recent times has been the surveillance carried out over mobile phones used in the Bangalore Central Prison in 2002-03 by Abdul Karim Telgi,convicted in the fake stamp paper racket,and which led to the unravelling of a countrywide network.
Call detail records
It is widely acknowledged in police and security circles that the analysis of the call details of an individual available to any authorised security official at the click of a button is one of the simplest ways of carrying out electronic surveillance on people. From the approximate time you retired for the night to the places you went in a week,all details can be ascertained from the CDR, says a senior police official with the Karnataka polices cyber crime cell.
Call detail records give security agencies a minute-to-minute fix on a persons location through cell tower information,whom they spoke to,and when and how many times. Through extended analysis of data for a long period,CDRs can provide a fairly good profile of a person.
Take the example of a government official suspected of corruption. From the CDR for his known cellphone,we found out whom he was communicating with. From cell tower information we found he was going to a particular location every weekend. From local land records we found that he recently bought land in the region at a price disproportionate to his source of income, says the cyber cell official.
Some groups of criminals,especially trained terrorists,have wised up to this situation and use covert means of communication and rarely carry cell phones on their person.
In the recent controversy over electronic surveillance in the United States under the PRISM project,one of the points officials made was that they were not listening in on conversations of citizens per se but were only collecting information.
Much of the tracking of emails by security agencies in India at present is mostly after an event. Real-time email tracking,however,is done to a small extent on the basis of Internet protocol addresses of individual computers. Efforts are on to deploy techniques such as Social Network Analysis to understand power structures between individuals through emails,especially in terrorism cases. The lack of access to servers that are abroad is seen as a major hindrance in investigating emails and social media networks.
There is a continuous stream of requests that go to service providers such as Google and Facebook for details of accounts. In the case of Indian service providers,we have a fair amount of access. If it is a matter of national security and the urgency is emphasised,Google usually complies,but in regular investigations it takes a lot of time, says a senior cyber cell official. Social networking sites,however,generally do not give permission to access their logs.
Credit card usage
Analysis of credit card usage data is another popular form of electronic surveillance. It is relatively easy to access the
data,which can help create a spending-likes-dislikes kind of profile for individuals under surveillance. It is typically used post-incident,however.