Category Archives: Uncategorized

Telecom Trends In India 2014

Telecom Trends In India 2014Perry4Law Organisation (P4LO) is on the forefront of providing various techno legal trends of India since 2006. The latest to add to this list are Cyber Security Trends and Developments in India 2014 and Telecom Related Trends and Development in India 2014. The cyber security trends of India 2014 have also been covered here1 and here2.

In this work, Perry4Law’s Techno Legal Base (PTLB) is providing the summary of the telecom trends of India 2014. The telecom trend of India in the year 2014 witnessed a combination of progressive and regressive steps being taken by Indian Government.

On the progressive side the Telecom Commission of India has allowed satellite based mobile services in India in the year 2014. On the regressive side, the Indian Government has failed to protect civil liberties in cyberspace once again. In fact, telecom operator Vodafone revealed use of secret wires for government e-surveillance and eavesdropping worldwide, including in India.

Indian Department of Telecommunications (DoT) promised to investigate govt snooping allegations of Vodafone but it failed to do so till the end of December 2014. The dangerous central monitoring system (CMS) of India was also activated without any legal framework and Parliamentary oversight.

Similarly, the redundant and outdated telecom related laws remained on the statue book in the year2014. For instance, the telegraph and cyber law of India remained outdated, colonial and draconian in the year 2014. Similarly, encryption related dedicated laws in India are also missing till the end of December 2014.

Further, new lawmaking was also missing in the year 2014. For instance, there is no dedicated laws regarding cell phones and their dealings in India and the same continued till the end of December 2014 as well. In particular, the cell site data location laws in India and privacy issues are still not redressed by Indian Government so far.

India is also one of the countries where phone tapping is possible without any court order/warrant. This is a serious civil liberty violation that continued in the year 2014. A lawful and constitutional interception law in India is urgently needed. Privacy rights in India in the information era (PDF) have still not been recognised by Indian Government.

Overall, the telecom trends of India in the year 2014 were far from satisfactory. Rather they were on the negative side of development that must be taken care of by Indian Government in the year 2015.

Illegal International Racket Using Unauthorised Gateways To Divert The VOIP Calls Landing In India Busted

Illegal International Racket Using Unauthorised Gateways To Divert The VOIP Calls Landing In India BustedTelecom related issues faced many challenges in the past. However, the regulatory environment for telecom sector of India is fast changing now.  Telecom security policy of India is also in pipeline that may streamline many telecom related issues in India.  The Telecom Commission has also approved satellite based mobile services in India. Satellite phones may also be allowed to be used by adventure tourists where no telecommunication connectivity is available in India.

Few areas in the field of telecom sector are still problematic in nature. For instance, Voice over Internet Protocol (VOIP) has always been a problematic aspect in India. Intelligence agencies of India have been insisting that Internet Telephony and VOIP service providers must establish servers in India. Further, Intelligence Bureau (IB) of India is also expediting the testing of VOIP interception system in India.

Meanwhile, crackdowns on illegal VOIP activities continue in India. In one such latest crackdown, the cyber crime wing of Cyberabad police arrested six persons on the charge of running an illegal international racket by setting up unauthorised gateways to divert the VOIP calls landing in India. The accused were using illegal VOIP gateways and diverted the international calls originating from cheap network providers in Pakistan, Middle East, US and UK.

According to the Police, those who receive such calls will have to pay lesser charges as against what the actual provider charges and will also not come under the government scanner.

The international VOIP grey traffic is purchased as per the daily prevailing rates from international carriers. The modus operandi used by illegal grey operators includes arranging international traffic from various VoIP operators across the globe and terminating it on their own illegal VoIP gateways using broadband connections. This traffic is then distributed to the domestic destination numbers using GSM SIMs, CDMA RUIMs and Public Switched Telephone Network (PSTN) connections.

Proposed National Telecom Security Policy Of India 2014 Must Be Balanced And Constitutional

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBThe Telecom Security Policy of India 2014 was originally discussed by the Congress led Government. However, the Congress Government faced a defeat in the elections and now it is for the Narendra Modi led BJP Government to come out with a Telecom Security Policy for India. The Telecom Security Policy declared by Congress was defective on numerous counts and now we have to see what BJP led Government would do in this regard.

If we consider the media reports, the Central Government has proposed a new Telecom Security Policy of India. It has made few changes to the Policy declared by Congress Government. The National Telecom Security Policy is unlikely to include measures on standards that would protect public health and safety. The Government authorities have deleted the portion that emphasised rules regarding “public health and safety” in the revised draft of the Telecom Security Policy. The issue of radiations from mobile towers in India is a controversial one and the proposed Policy seems to be ignoring that aspect.

The proposed Policy has made it sure that Law Enforcement Agencies of India would be allowed to request interceptions and e-surveillance activities. Of course, in order to exercise this power, there is a dire need to modernise the Police force of India. Similarly, a lawful and constitutional interception law in India is also needed to make such requests immune from legal attacks. With the proposal to allow satellite based mobile services in India, a “Techno Legal Framework” must be formulated by the Government as soon as possible. Such a Legal Framework must be “Constitutionally Sound” and not just a collection of “Legal Jargon” as was done during the Congress Government time.

Recently Vodafone declared that Indian Government has been using Secret Wires to indulge in e-surveillance. This approach of Indian Government is definitely violation of Fundamental Rights of Indian Citizens. Realising the gravity of the situation, the Department of Telecommunication (DOT) has been ordered to investigate the issue. However, the stand of Narendra Modi Government regarding e-surveillance projects like Central Monitoring System (CMS) Project of India and Internet Spy System Network and Traffic Analysis System (NETRA) of India is still not clear. This would create troubles for the Government as well as for the Telecom Security Policy in the near future.

For instance, the draft Telecom Security Policy prescribes that cellular operator will mandatorily have to allow Law Enforcing Agencies to intercept calls, messages, and any other communications and the access to monitor it in real time, while keeping the communications secured. However, there is no Constitutional Lawful Interception Law in India as on date and this requirement would be a violation of Fundamental Rights of Indian Citizens.

The revised draft Policy also states that telecom service providers should endure that user data is not revealed or duplicated or copied or shared with recipients other than those designated by the sender, and should ensure that user data is not being routed outside the infrastructure within India when the end points of communication are inside Indian territory. This requirement would strengthen the Privacy Rights in India of the Indian Citizens. Privacy Rights in India in the Information Era require a totally different strategy and this provision would strengthen the same. This provision is also required to comply with the provisions of the Public Records Act, 1993.

Telcos will also be required to ensure authentication of end user, authorised access to services and attribution of activities and payloads to end users. However, this is not an easy task especially when Authorship Attribution in Transborder Cyber Crimes cases is very difficult to maintain. India is not very good at use of Cyber Forensics Practices. There is an urgent need to develop Cyber Forensics Investigation Solutions in India that are missing as on date. Indian law Enforcement Agencies must also understand that an IP Address should not be the Sole Criteria for Arrest and Conviction in India. The Cyber Forensics Trends and Developments in India (PDF) do not support the type of responsibilities attributed to Law Enforcement Agencies by the propose Telecom Security Policy. Even Regulations and Guidelines for Effective Investigation of Cyber Crimes in India are missing.

The proposed policy also directs that the attribution in the form audit, forensic and tracking mechanisms should ensure tracking of inappropriate use, criminal activities and enforcement of IT and cyber security laws of the Government. Earlier, the Government had differences with Blackberry over the encrypted message and email services the firm provides to customers. Fearing that such encrypted services can be used to plan and execute terrorist strikes, India had also threatened to ban the providers of such services if they failed to accommodate the legitimate demands of Law Enforcement Agencies.

It has been claimed that Silent Circle can provide safe, secure and encrypted electronic and wireless communications to its clients and Law Enforcement agencies may find it difficult to crack its encryption. However, we cannot effectively tackle encryption related issues till we have Encryption Policy of India (PDF) in place that must be based upon a dedicated Encryption Law of India. We also need dedicated Cyber Security Laws in India to manage cyber security relate issues. The Cyber Security Trends in India (PDF) have proved that India has a Poor Cyber Security Infrastructure. Intelligence Agencies Reforms in India must also be undertaken as soon as possible.

The proposed Telecom Security Policy of India must address all these issues in order to be “Balanced and Constitutional”. However, from media reports it is not clear whether the proposed Policy covers all these issues or not.

Telecom Commission Approves Satellite Based Mobile Services In India

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBThe Telecom Commission is an essential and core segment of Indian Department of Telecommunications (DoT). It has been playing a major role in bringing order to the chaotic telecom situation existing in India. The Commission along with the DoT manages the policy formulation, licensing, wireless spectrum management, administrative monitoring of PSUs, research and development and standardization/validation of equipment etc.

The Telecom Commission was constituted by the Government of India vide Notification dated 11th April, 1989 with administrative and financial powers of the Government of India to deal with various aspects of Telecommunications. The composition of the Commission consists of a Chairman, four full time members, who are ex-officio Secretary to the Government of India in the Department of Telecommunications and four part time members who are the Secretaries to the Government of India of the concerned Departments.

One of the areas covered by the Commission pertains to satellite based services management in India. The Satellite phones are permitted in India only with specific permission from DoT. Presently use of specific types of International Mobile Satellite Organisation (INMARSAT) terminals is only permitted as per details available under the link INMARSAT.

In a welcome move, the Telecom Commission has given the approval for introducing satellite based mobile services in India. The approval comes after a recommendation from the Telecom Regulatory Authority of India (TRAI) to introduce a regulatory mechanism to govern satellite phones. Initially, the services will be offered by Bharat Sanchar Nigam Ltd through a partnership with INMARSAT. INMARSAT provides its satellite services with a constellation of four satellites which are located in the Geo-stationary earth orbit.

Currently, in India, the satellite services of INMARSAT are used by maritime users through the Tata Communications Ltd under its international long-distance licence. Some limited numbers of users of land mobile have also been permitted by the DoT on a case-to-case basis.

Satellites provide telephone and broadcasting services, covering large geographical areas. A satellite-based communication system provides an ideal solution for connecting remote and inaccessible areas. In addition, satellite communication is widely used for the transmission of emergency traffic, such as distress and safety messages, to and from vessels at sea or remote locations.

While the INMARSAT services cater to maritime communication, the Government had envisaged satellite services, namely, Global Mobile Personal Communication by Satellite (GMPCS) in the new telecom policy 1999. Under this licence, satellite-based communication services were permitted. However, establishment of GMPCS Gateway in India by the licensee was a mandatory license condition, which dampened interest from potential investors. This required substantial financial expenditure which was not feasible to be recovered from the limited number of users.

Now the regulatory environment for telecom sector of India has changed and there is good sense in making such expenditure. The FDI Policy in telecom sector of India 2014 (PDF) is also conducive for investment purposes. Indian government has also given approval to establish two semiconductor wafer fabrication manufacturing facilities in India (PDF). This is in conformity with the policy of India government to encourage electronic system design and manufacturing in India. The new merger and acquisition (M&A) guidelines issued by Indian government is also seen as a pro active step by many telecom stakeholders. These developments would encourage establishment of GMPCS Gateway in India by the concerned licensee and widespread use of Satellite Based Mobile Services in India.

Until now, DoT was giving permission to procure the INMARSAT handsets and taking services from a foreign service provider was given to meet the requirement of paramilitary forces and disaster management. However, there are security related limitations in this arrangement.  There is a possibility of monitoring of calls outside the country as the earth station is located outside the country. In view of the above drawbacks, the Defence forces have not procured these handsets. They are continuing to use the old terminals. However, as declared by the INMARSAT, some of these old terminals will cease to be supported by their satellites from September. Thus, the decision by the Telecom Commission to permit BSNL to offer satellite services could help tide over the problems.

Indian Department Of Telecommunications Would Investigate Govt Snooping Allegations By Vodafone

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIt is no more a secret that Governments across the world are indulging in e-surveillance and eavesdropping using technology and telecom infrastructures. India is no exception to this practice. Rather India is one of the most endemic e-surveillance nations in the world. The draconian laws like Telegraph Law and Indian Cyber Law are helping Indian government and intelligence agencies to indulge in unreasonable and unfettered e-surveillance at anytime and at any place. There is also an urgent need to bring intelligence agencies reforms in India as the intelligence infrastructure of India is in big mess.

Recently, the telecom giant Vodafone revealed existence of secret wires to facilitate e-surveillance by various Governments. It has been reported that even India has been using this service to indulge in e-surveillance. We have no constitutionally sound e-surveillance laws in India (PDF) as on date. Even e-surveillance policy of India is missing and there is a complete chaos in this regard. We have no telecom security policy of India as well that can prevent unauthorised e-surveillance and security threats against telecom infrastructure of India.

India has become notoriously infamous for her e-surveillance exercises and India cannot afford to maintain this negative image any further. This is the reason why Narendra Modi Government may be analysing the e-surveillance projects like The Central Monitoring System (CMS) Project of India and Internet Spy System Network and Traffic Analysis System (NETRA) of India.

In line of this approach, the Communications and Information Technology Minister Ravi Shankar Prasad on Tuesday said the Department of Telecommunications (DoT) would look into allegations made by Vodafone regarding use of secret wires by India along with other countries.

The Congress led Government was well known for its “Anti Constitutional and Pro Surveillance” approach. Only time would tell whether Narendra Modi led Government would continue this approach or bring order in the chaos created by the Congress led Government.

Whatever the case may be, we need to ensure civil Liberty Protection in Cyberspace for Indian Citizens “At All Costs and By All Means”. The digital life of Indian citizens is not at all safe and is open to various forms of e-surveillance and eavesdropping. In the absence of support form Indian Government, Self Defence is the only viable option left before Indian Citizens to safeguard their digital lives. The initiatives titled PRISM Break and Reset the Net are worth exploring in this regard as a “Starting Point”.

Vodafone Confirms Existence Of Secret Wires For Government E-Surveillance And Eavesdropping Worldwide

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBFrom time to time media has reported that intelligence agencies around the world are using backdoor access to computers, servers and telecom infrastructures. Special equipments and arrangements have been made to grant intelligence agencies direct access to various infrastructures so that they can indulge in e-surveillance at will.

The Central Monitoring System (CMS) Project of India and Internet Spy System Network and Traffic Analysis System (NETRA) of India are the Indian versions of this practice. This is possible as we have no dedicated privacy laws in India. There is also no need to get a court order or warrant to tap telephone in India as it is purely an “executive act”. This result in illegal phone tapping and e-surveillance activities at mass scale in India that cannot be reported or ascertained due to limitations placed under various Indian laws.

We need to repeal the laws like Information Technology Act, 2000 (IT Act 2000), Indian Telegraph Act, 1885, etc and come up with better laws so they remain Constitutional. These laws have become an instrumentality to violate Civil Liberties in Cyberspace of Indian Citizens by both our politicians and intelligence agencies of India. Further, there is an urgent need to maintain a “balance” between law enforcement requirements and civil liberties protection in India.

In United States (U.S.), James Clapper had confirmed that NSA has been targeting foreign citizens for surveillance. Radio waves and Malware have also been used by NSA for world wide e-surveillance. Malware like FinFisher are increasingly being used for global electronic spying, e-surveillance and eavesdropping. Further, GCHQ and NSA have intercepted and stored webcam images of millions of innocent Internet users.

While the White House has limited options in this regard yet courts in different States of U.S. have shown their sensitivity towards e-surveillance and privacy violation issues. In fact, U.S. government has been seeking an order from FISA court for extended storage of telephone metadata and call records.

Although this practice of intelligence agencies of various nations was well known yet no company or individual came forward for long to expose the same. Edward Snowden came forward with the largest disclosures about illegal e-surveillance by intelligence agencies around the world. Now Vodafone has made some disclosures about the dark side of e-surveillance by intelligence agencies.

Vodafone, one of the world’s largest mobile phone groups, has revealed the existence of secret wires that allow government agencies to listen to all conversations on its networks, saying they are widely used in some of the 29 countries in which it operates in Europe and beyond. The company has broken its silence on government surveillance in order to push back against the increasingly widespread use of phone and broadband networks to spy on citizens, and will publish its first Law Enforcement Disclosure Report on Friday. At 40,000 words, it is the most comprehensive survey yet of how governments monitor the conversations and whereabouts of their people. The company said wires had been connected directly to its network and those of other telecoms groups, allowing agencies to listen to or record live conversations and, in certain cases, track the whereabouts of a customer. Privacy campaigners said the revelations were a “nightmare scenario” that confirmed their worst fears on the extent of snooping.

Direct-access systems do not require warrants, and companies have no information about the identity or the number of customers targeted. Mass surveillance can happen on any telecoms network without agencies having to justify their intrusion to the companies involved. Industry sources say that in some cases, the direct-access wire, or pipe, is essentially equipment in a locked room in a network’s central data centre or in one of its local exchanges or “switches”. Government agencies can also intercept traffic on its way into a data centre, combing through conversations before routing them on to the operator.

Vodafone’s group privacy officer, Stephen Deadman, said: “These pipes exist, the direct access model exists. “We are making a call to end direct access as a means of government agencies obtaining people’s communication data. Without an official warrant, there is no external visibility. If we receive a demand we can push back against the agency. The fact that a government has to issue a piece of paper is an important constraint on how powers are used”.

Encryption Laws In India

Encryption Laws In IndiaEncryption has become an indispensable technology these days. Whether it is online banking, e-commerce or e-governance services, encryption is commonly used in all these services. Encryption ensures authenticity and legality to various transactions provided the same is done within permissible limits and in accordance with the applicable laws of India.

Unfortunately, we have no dedicated encryption law of India and encryption policy of India (PDF) as on date. This has made the entire scenario very complicated. In fact, as on date most of the online service providers in India are in active violations of the encryption related laws, regulations and compliance requirements.

Cloud computing and virtualisation service providers are also violating the laws of India relating to encryption and cyber law due diligence (PDF) requirements. Even the telecom security policy of India has failed to address the encryption related issues properly. The cyber security trends of India (PDF) have also highlighted the inadequacies of cyber security of India and a part of the same is attributable to inadequate encryption and decryption capabilities of India.

Provisions pertaining to encryption usages in India can be found in the by license conditions (PDF) of telecom service providers. Thus, telecom companies and internet service providers (ISPs) cannot used more than the prescribed limits of encryption in India unless certain regulatory conditions are duly complied with. Similarly, the Information Technology Act, 2000 (IT Act 2000) also incorporates some provisions pertaining to encryption but they have remained dormant and ineffective till date.

Any individual or company that wishes to deploy encryption levels beyond the permitted ones would be potentially making himself/itself liable to legal action in India. It would be a good idea to ensure techno legal compliances in this regard before launching a project based upon encryption in India.

DOT India Asks ISPs To Adopt New Cyber Security Measures Including Securing Home ADSL And Broadband

DOT India Asks ISPs To Adopt New Cyber Security Measures Including Securing Home ADSL And BroadbandRouter and modems insecurity is a major cause of concern for governments around the world. Cyber criminals are targeting routers and modems used by home users’ for a broadband connection. In most of the case the routers and modems come with standard login and password credential for practical reasons and convenience. The manufacturers of routers and modems expect the end user to change their login credentials and password. However, a majority of home users do not change such crucial information and this make the routers and modems vulnerable to various cyber attacks.

Amid growing threats of cyber attacks and hacking of websites, the Department of Telecommunications (DoT) has prescribed the security measures to be adopted in ADSL Modems to safeguard against misuse (PDF). These security measures must be adhered to by internet service providers (ISPs) of India within 60 days of the formulation of these measures. This is asking too little from the ISPs as there are other major telecom security issues in India that are still not redressed properly. The truth is that Indian telecom networks are highly vulnerable to cyber security threats.

DoT has noted that crackers have been exploiting vulnerabilities in the asymmetric digital subscriber line (ADSL) modems. The ADSL modems are usually installed by broadband service providers at homes and offices. DoT has written to all ISPs to “assist customers to change the password, including by physical visits”. It has also come out with a new set of guidelines for ISPs that must be implemented by May 2014 to ensure security of almost 1.5 crore fixed-line broadband users.

The ADSL modems are presently supplied by vendors with default set up of user ID and password as “admin’. The default password needs to be changed to a strong password by customer at the time of installation of modem to avoid unauthorised access to modem. The ISP executive visiting customer for installation of modem should ensure this.

The protocol ports in ADSL modem on WAN side [for example, FTP, TELNET, SSH, HTTP, SNMP, CWMP, UPnP] be disabled. These ports may be used by the hackers to enter into the ADSL modem to misuse/compromise the ADSL modems by way of implanting the malware, changing the DNS entries in the modem.

In other instructions, the ISPs have been asked to devise a “mechanism to upgrade the firmware of the ADSL modems remotely by ISPs”. For this, the ISPs need to have separate login password, which is not possible in the present system of ADSL modem design. The DoT has asked the ISPs to tell their customers to check their online daily usage, and if any unexpected high usage of data is noticed, they may bring it to the notice of the ISP concerned. Customers should also be advised to switch off their modem when not in use. Readers of this blog may see the document (PDF) for a detailed analysis.

National Security Council Secretariat (NSCS) Wants Reliance Jio Infocomm To Share Potential Cyber Security Threats On India’s Telecom Networks

National Security Council Secretariat (NSCS) Wants Reliance Jio Infocomm To Share Potential Cyber Security Threats On India’s Telecom NetworksGovernments around the world are stressing upon stringent cyber security breach disclosures norms but telecom companies are opposing the same on cost and other burdensome regulatory reasons. Nevertheless the governments across the globe are working in the direction of forcing the telecom companies to disclose the cyber security breaches.

There is no universally acceptable international cyber security treaty (PDF) and countries across the globe have adopted a national approach toward cyber security. However, the way sophisticated malware are developed by nations as a cyber warfare and cyber espionage weapon, this national approach is of little help and significance.

India has also decided to formulate a cyber security breach disclosure norm in the past. However, keeping in mind the slow pace at which Indian government works in the field of cyber security, this may take few more years before this much required security practice is actually implemented in India.  The cyber security trends in India 2013 (PDF) have underlined many crucial cyber security lapses of India.

Indian government has already formulated the cyber security policy of India that intends to cover some of the crucial cyber security aspects of the nation. However, the cyber security policy has not been implemented till now and it may take few more years before some action can be expected in this regard from Indian government.

Indian government has also tried to spread cyber security awareness in India. It has mandated that a cyber security brochure must be essentially supplied along with hardware to spread cyber security awareness among Indian consumers. However, telecom and hardware vendors are not happy with this direction and they are postponing this requirement for one reason or other.

Meanwhile, the National Security Council Secretariat (NSCS) has urged the Reliance Jio Infocomm to become part of an industry platform which shares information with the government on potential cyber security threats to the country’s telecom networks. The NSCS says “it is important to involve Reliance Jio in sharing information on potential cyber threats, trends and incidents to enable the government to take suitable counter measures”.

The matter was recently discussed at an internal meeting of the Joint Working Group on cyber security chaired by NSCS secretary and Deputy National Security Advisor Nehchal Sandhu. The NSCS is the apex agency looking into India’s political, economic, energy and strategic security concerns and works closely with the Prime Minister’s Office (PMO).

India’s security establishment wants regular leads on potential cyber security threats from Reliance Jio as it is the sole holder of a pan-India 4G permit and is slated to roll out high-speed broadband services later this year on the long term evolution (LTE) technology standard. Last month, Jio also entered the voice segment by buying 1800 MHz band spectrum in 14 regions for nearly Rs 11,000 crore as a precursor to launching 4G services on the frequency band.

In the meeting, the telecom department’s security chief Ram Narain said that Jio is mandated by license conditions (PDF) to share information on potential cyber threats. Besides, the national telecom security policy of India 2014 may impose more stringent obligations than the licence conditions. As the foreign telecom companies are facing the heat of cyber security and telecom security in India, this is a good opportunity for Indian telecom companies to extend their commercial base in India. India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission Cellular Loop’s Proposal would also strengthen mobile based surveillance on national security grounds in India.

Clearly, the intentions to ensure critical infrastructure protection in India (PDF) are taking a concrete shape. The National Technical Research Organisation (NTRO) has been assigned the task of protecting the critical infrastructure of India.

As Reliance Jio is still not part of any of the telecom industry bodies like the GSM’s Cellular Operators Association of India or the CDMA’s Association of Unified Telecom Service Providers of India (Auspi) who have both supported creation of the Information Sharing and Analysis Centre (ISAC), the agency that will collate all classified industry feedback on potential cyber threats and vulnerabilities in telecom networks across technology platforms.

The latest developments come at a time when the telecom department is framing testing standards for telecom gear to shield networks from potential cyber attacks. India is also readying a cyber security framework, a cyber security policy and a National Cyber Coordination Centre (NCCC) that will monitor metadata on cyber traffic flows.

Telecom Security Policy Of India 2014 And Unconstitutional E-Surveillance Issues

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIndia literally borrows a majority of Security and Intelligence related ideas from United States (U.S.). This creates many unique problems for India. Firstly, these projects and ideas are meant for western countries and they are not at all suitable for a country like India. Secondly, if something goes wrong with the U.S. model, the “Infirmity and Irregularity” automatically creeps into Indian Projects and Initiatives as well.

In U.S., Civil Liberty Activists have started challenging U.S. Government’s E-Surveillance Projects and Policies. Even U.S. Courts have started taking a strict note of these E-Surveillance Activities of U.S. Agencies. Recently, the Massachusetts Supreme Judicial Court declared that phone users have Legitimate Expectation of Privacy while using their phones. Similarly, the Texas Appeals Court ruled that law enforcement officials do need a warrant to search an arrested person’s cell phone he/she has been jailed.  The U.S. Government is also facing many lawsuits regarding illegal and excessive gathering and retention of phone details and metadata. The White House is also facing limited and difficult options to restructure National Security Agency’s phone surveillance program.

Now let us come to India that “Dedicatedly and Blindly Follows” these U.S. Models. The Cell Site Data Location Laws in India and Privacy Issues are still ignored by Indian Law Makers. The Cell Site Location Based E-Surveillance in India is rampant “without any Regulatory Checks and Judicial Scrutiny”. We have no dedicated Data Protection and Privacy Rights Laws in India.  Even the Fifty-Second Report of Standing Committee on Information Technology (2013-14) titled Cyber Crime, Cyber Security and Right to Privacy (PDF) has slammed Indian Government for poor Privacy Laws in India. The Cyber Law of India and the Indian Telegraph Act, 1885 also deserve an “Urgent Repeal”.

India has also launched E-Surveillance and Privacy Violating Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. Even the essential E-Surveillance Policy of India is missing till now.

Now it has been reported that Indian Government plans to put in place systems and regulations that will allow Law Enforcement Agencies to trace cellular phone users and provide access to targeted communication, text messages, information data and even value added services on a real-time basis, according to the draft guidelines of the country’s Telecom Security Policy.

The Department of Telecommunication (DOT) has proposed comprehensive norms in the draft policy after the Ministry of Home Affairs expressed strong reservations since the department had not created provisions for law enforcement agencies to intercept communication.

In a version of the draft policy that addresses National Security concerns, the DOT has said that the policy would “put in place effective systems, processes and regulations to ensure the traceability of telecom users or devices in terms of identity, permanent address and current location with specified accuracy and resolution in the case of need”. India intends to deal with Telecom Security issues in an in-depth manner as the open telecom environment has made it easier to intrude on networks and cause damage to information they contain. The recent allegation of hacking by Huawei of Indian Telecom Infrastructure proves this point. India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission’s cellular loop’s proposal would strengthen Mobile Based Surveillance in India on National Security Grounds.

Techno Legal Compliances like Privacy Law Compliances, Data Protection Requirements (PDF), Cloud Computing Compliances, Encryption Related Compliances, Cyber Law Due Diligence (PDF), etc are not followed by the Law Enforcement Agencies of India. The Telecom Security Policy of India must address all these issues while keeping in mind the Telecom and National Security of India. Further, India must Reconcile Civil Liberties and National Security Requirements as well.

The proposed policy also envisages providing analysis of information and data including decrypted messages, flowing through the telecom network, stored in systems and devices. Abilities of security agencies to analyse information quicker will be enhanced by making latest technology and systems available which will cut down delays and minimise information leakage.

However, security agencies will uphold privacy rights of Indian citizens, the draft norms said. This is difficult to believe as the proposed Privacy Law of India is already facing Intelligence Agencies Obstacles. Even the National Cyber Security Policy of India has failed to protect Privacy Rights in India.

A Telecom Security Directorate (TSD) has been proposed for implementing and updating the proposed Telecom Policy. Meanwhile, security certification centre for testing telecom equipment, centralised monitoring system for interception and monitoring and emergency response team for detecting and analysing cyber attacks, internet traffic hijacks and telecom sectoral frauds would be created.

DOT is of the opinion that the sector requires a separate security policy since the cybersecurity policy is not sufficient to deal with security issues specific to the telecom industry that has created critical information infrastructure.

The Government will largely depend on mobile phone companies that will implement the security instructions as a key stakeholder and also share the cost with the government. Telecom operators would have to build systems, procedures and methods to make their network resilient so that any damage has a minimum impact on the network and it can be revived quickly.

Telcos would have to share information on attacks on their networks, intrusion and frauds with Government agencies, including telecom sectoral CERT, the national CERT and the National Cyber Coordination Centre, that may monitor all web traffic passing through internet service providers in the country and issue ‘actionable alerts’ to government departments in cases of perceived security threats. Indian Government is also planning a legislation mandating strict Cyber Security Disclosure Norms in India.

These Proposals, Policies and Initiative are not only “Controversial and Unconstitutional” in nature but they are also far from being actually implemented. At the time of their implementation, they must be supported with “Constitutionally Sound Laws” to avoid “Constitutional Attacks”. Otherwise this would only increase unnecessary and unproductive litigations in India.