Guest post by CP GEEVAN
On June 18 (Sunday evening in India), freedom-loving people across the world were shocked by the revelations of how a highly sophisticated and expensive digital technology, named Pegasus, a spyware sold by Israeli company NSO Group, has been systematically abused for years to spy on journalists, human rights defenders, academics, businesspeople, lawyers, doctors, union leaders, diplomats, politicians and even several heads of states. Regimes in several countries continue to criminally deploy such technologies to suppress democratic rights, curtail human rights, and organise surveillance on a massive scale. Such technologies are military grade weapons and are recognised to be precisely that. It is developed and sold by the NSO Group, a private company supported by Israel. As per NSO, they sell licences only to agencies authorised by a national government and approved by the Israeli government. Although it is being referred to as a software or malware, the spying system consists of an elaborate set of arrangements including a secure supporting backend maintained by the NSO Group.
The investigation, code-named Pegasus-Project, is the result of a massively collaborative effort of independent media houses like The Guardian, independent journalists, Forbidden Stories, a Paris-based non-profit media organisation, Amnesty International, academics in the field of cyber security and highly professional firms specialising in tracking digital crime. Other media houses like the Washington Post have also now joined the effort to defend democracy from the abuse of surveillance technologies. Perhaps, more may join the effort. The Pegasus Project includes more than 80 reporters from 17 media organizations in 11 countries coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. The research carried out by the Citizen Lab of University of Toronto has also helped. The project managed to obtain more than 50,000 phone numbers selected as surveillance using Pegasus, actual or potential, from an unprecedented data leak. The investigators sifted through these records of phone numbers, which enabled them to take a peek behind the curtain of this surveillance weapon safeguarded by the state of Israel. An investigation like this had not been possible ever before.
What stands exposed is a series on past and ongoing organised crime by various states using technology developed supposedly to counter terrorism. The activities carried out by the states exposed in the investigation included rampant privacy violations to the extent of continuous real-time tracking of individuals, blatant abuse of technology to spy upon key individuals to subvert normal democratic processes in different countries to the extent of subverting the justice system and elections and at least one case linking the use of the spyware to the murder of Jamal Khashoggi, the Saudi journalist killed in Turkey. New evidence shows the spyware was actually used to target people close to Khashoggi, both before and after his death.
The Wire reported that the phone numbers of over 40 Indian journalists were on the leaked list linked to the use of Pegasus spyware and forensic tests have confirmed the presence of Pegasus spyware on several devices. The state-sponsored hacking in India of key individuals, leaders, activists, and those who are currently or earlier playing crucial roles in the most important institutions constitute a deadly threat to Indian democracy. This completely disrupts the normal functioning of India’s democracy in innumerable ways. While activists and leaders across the world have been identified as proven or potential targets of the NSO spyware, the deadliest use of this hacking weapon has been in India because it has been carried out explicitly to disrupt the functioning of every constitutional institution and undermine all the basic elements of a democratic system. The hacking has made a complete mockery of privacy and that in itself undermines all the basic rights. It seems India’s political parties are not responding to this with the seriousness it deserves. Hope the situation will change and all the opposition parties will come together at least temporarily to put an end to this abuse of power. It is indeed remarkable that Mr Rahul Gandhi of the Indian National Congress categorically stated that the Prime Minister of India has committed treason by authorising the assault on democracy, the home minister must resign and there should be a high-power judicial probe under the supervision of the Supreme Court of India.
It seems that even many of us, who have long suspected something of this kind has been going, have also failed to grasp the extent and depth of what has now been exposed. Confirming all our fears, we saw how the phones and computers of human rights activists, intellectuals and others were hacked to plant incriminating contents (Citizen Lab’s study and Arsenal Consulting’s forensic report). The simple fact that many of us seem to be overlooking is, while the hacking is both sophisticated and costly in terms of technology, it is downright crude when in it operational details. The end use is just like direct listening in or phone tapping of the past (snooping). Only difference is, these operations now encompass everything from voice conversations to data of all kinds. This is very different from what Edward Snowden had exposed, which is the power and significance tracking, compiling and analysing metadata. What we now have is an extensive surveillance system that employs large scale metadata gathering and real time data.
We know that the authoritarian state has invested massively in metadata gathering, storage and analysis infrastructure and other resources. While metadata gathering is largely automated and carried out by computing systems, the real time data needs human intermediaries to listen in and process. Pegasus is perhaps the most expensive digital spying arrangement, with the licences — per target or small group of targets — running into millions of dollars. Obviously, the authoritarian state that uses such expensive tools on a large scale must also be employing less costly tools on less important targets. Taken in total, all this requires considerable human resources to be deployed to listen in, keep track and share the intelligence gathered with multiple agencies.
One information that has come to light is that of the dramatic rise in the expenses of the National Security Council Secretariat (NSCS) under the watch of Mr Ajit Doval, the National Security Advisor and close associate of the Prime Minister. It seems not a mere coincidence that these increases begin after the preparatory talks in Israel by Mr Ajit Doval that preceded Modi’s visit to Israel in 2017. The union government increased the allocation for NSCS steeply to Rs 3.33 billion (333cr) from a mere 0.81 billion (81cr) in 2016-17. This dramatic increase included Rs 3 billion (300cr) under a new head ‘cyber security R&D’. In a tweet on July 23, senior counsel Prashant Bhushan pointed out that the actual expenditure of the NSCS for 2018-19 was a whopping Rs 8.12 billion (812Cr), which is equivalent to nearly US$125 million in that period. This means that in the two years from 2016-17, the expenditure of NSCS alone surged nearly 25-fold.
As of now very little is known on how the NSCS spends such huge sums. Officially, the role of NSCS is to support the National Security Council (NSC) consisting of the prime minister and the ministers of home, defence, and finance. Since the NSA advises the NSC, in effect the NSA is the head of the NSCS. The NSC comprises of the National Security Advisory Board (NSAB), which is an advisory board of non-government or retired specialists, and a Strategic Policy Group (SPG) that includes the secretaries of certain key departments, heads of the defence services and intelligence chiefs. As per a press release of December 18, 2018 on behalf of the Ministry of Home Affairs (MHA), the National Cyber Security Coordinator (NCSC) under National Security Council Secretariat (NSCS) coordinates with different agencies at the national level for cyber security matters.
Not much is available in the public domain about India’s surveillance architecture, and it became almost totally opaque after 2014. Broadly, as per what is available in the public domain, we can see that there are several major cyber security or what are government programmes that can carry out large scale surveillance. Much of what is summarised here comes from a study on India’s surveillance programmes by the Centre for Internet and Society and is based mostly on information in public domain before 2015. Some of the major ones are listed below and many have overlapping jurisdictions, often cross-linked for greater coverage:
- Central Monitoring System (CMS)
- National Intelligence Grid (NAT-GRID)
- Lawful Intercept and Monitoring Project (LIM)
- Crime and Criminal Tracking Network & Systems (CCTNS)
- Network Traffic Analysis System (NETRA)
- National Cyber Coordination Centre (NCCC)
- Cyber Swachhta Kendra (CSK)
In addition to these, various central investigating agencies employ varying degrees of digital monitoring technologies. Almost all of the data compiled, stored and analysed by these projects and entities are for the most part metadata or data pointing to other data. Metadata summarizes basic information about other data, almost like reference entries in an index or catalogue. For example, in plain language, the metadata for a particular phone call may include information such as what (type), from, to, when, location, how, which, why, etc.
CMS is primarily operated by Telecom Enforcement and Resource Monitoring Cell (TERM) within the Department of Telecom. The technological infrastructure behind the CMS largely consists of Telecom Service Providers (TSPs) and Internet Service Providers (ISPs) in India that are mandated to integrate Interception Store & Forward (ISF) servers with their Lawful Interception Systems as per licence terms. The meta data collected covers voice calls, SMS, MMS, fax communications on landlines, CDMA, video calls, GSM and data communications through internet. This allows state actors to pre-emptively gather and collect a vast amount of information, perform analysis and take action.
NATGRID is an integrated intelligence grid that links the stored records and databases of several government entities. Its purpose is to provide security agencies real-time access to citizen data sources across the country. These data sources include bank account details, telephone records, passport data and vehicle registration details, the National Population Register, the immigration, visa, registration and tracking of foreigners, and other such data residing in various government databases.
LIM is a secret mass electronic surveillance program for monitoring Internet traffic, communications, web-browsing, and all other forms of Internet data. The Centre for Development of Telematics (C-DoT) has been running this since 2011. Often, LIM systems are often operated by the ISPs themselves, on behalf of the government providing direct access to government agencies upon requests. In 2013, an investigation by The Hindu revealed that the Internet activities of India’s roughly 160 million users had been subjected to wide-ranging surveillance and monitoring, mostly illegally.
CCTNS is a system to enable the collection, storage, retrieval, analysis, transfer and sharing of information relating to crimes and criminals across India. At one level it links police stations and on the other various governance structures related to crime control. It also gives access to the intelligence and national security agencies. The system can profile individuals using their past conduct, which includes all stages of an investigation and not just a conviction by a court of law, which involves major privacy concerns. The CCTNS database is also linked connected to the NATGRID and other such databases which makes it easy to use the data for all kinds of invasive surveillance.
The NETRA mass surveillance project was developed initially by the Defence Research and Development Organisation (DRDO). The system is meant to detect communications having specified key words almost instantly from emails, instant messages, status updates and tweets. The system is also claimed to be to be capable of detecting specific audio signatures (akin to key words in text) from internet-based voice communications. The system was reportedly strengthened in late 2013 to monitor social media trends and identify source of specified content.
NCCC is a cyber security and e-surveillance project for screening communication metadata and co-ordinate the intelligence gathering activities of other agencies. In the absence of any legal framework and parliamentary oversight, the NCCC could encroach upon individual’s privacy and civil liberties.
The CSK is tasked with detection of anything deemed to be malware and providing tools for their removal or control. However, some of the activity or how these activities are carried out could impinge on privacy in the absence of transparent oversight mechanism.
The institutional landscape of surveillance in India is complex and extensive with hardly any accountability framework or respect for even the existing weak legal frameworks to protect the rights to privacy, life, and liberty. The Reporters’ Collective published a detailed article in March 2020 showing that the Modi government was going ahead full steam with the plans to build what is called 360-degree database to track everyone. The system is envisaged to automatically track when a citizen moves between cities, changes jobs, buys new property, when a member of a family is born, dies or gets married and moves to another home. In January 2020, the home minister claimed that there is no link between National Population Register, the National Register of Indian Citizens (NRIC) and scheduled decennial Census operations of 2021 after the central cabinet had approved Rs 39.41 billion for updating the National Population Register (NPR) and Rs 85 billion for Census 2021 operations. In an article in Kafila, this author had pointed out the larger design of surveillance inherent in the coercive digitalisation policies followed by the Modi government and how Aadhaar, NPR and NRC are all closely linked.
The interoperability of modern database systems means there is practically no limit to the data and seamless exchange across databases. There are reports of NITI Aayog looking at the options for geo-tagging land records, residences and integrating it other databases. Reporters’ Collective notes that documents obtained through the Right To Information Act suggest that National Social Registry (SECC Social registry) usually described as an innocuous or routine exercise to update the 2011 Socio-Economic Caste Census (SECC) will either be a single, searchable Aadhaar-seeded database or “multiple harmonised and integrated databases” that use Aadhaar to integrate religion, caste, income, property, education, marital status, employment, disability and family-tree data of every single citizen.
While the expenditure on India’s mammoth surveillance systems have increased dramatically after 2014, their details are not available anywhere. One of the tasks the Members of Parliament and civil society initiatives must pursue is to track the deployment of a massive system of spying by the state on its own citizens. As of now, we have no clarity about the agencies involved in large scale surveillance of the people of India by the Indian state. It seems to me that it must be considered as important as going after the criminal hacking by the authoritarian state to undermine judiciary, media and electoral processes.
Dr C. P. Geevan is Visiting Fellow, Centre for Socio-economic and Environmental Studies, Kochi. Email: email@example.com