Dear Milind Deora, Prakash Javadekar Deserved The Truth
[Update: The article has been edited to update the correct spelling of BJP M.P Prakash Javadekar. The original version of this article used the spelling "Javadkar" based on the Rajya Sabha's official records, which we understand may not be correct.]
Milind Deora, the Minister of State for Communications, Information Technology and Shipping, isn't your typical politician.
At just 36, he's way younger than the average cabinet minister (64) or Member of Parliament (53). He's also richer (Rs.17.5 crore compared to Rs.5.3 crore for the average M.P.)
He's got his own website - www.milinddeora.in - which unlike most of his peer's websites, is fairly well-designed and constantly updated. He's also an avid user of social networks like Twitter (@milinddeora) and Facebook.
Oh, he's also a Blues fan and a pretty good guitarist.
In short, he's the kind of politician or minister many Indians would like to vote for.
And vote they do, in fact. Deora's won the Mumbai (South) parliamentary constituency two times in a row, garnering nearly twice his next opponent's votes during the 2009 elections.
Which is why it's surprising, and saddening, to see Deora trot out a patently false set of answers to how America's global dragnet of Internet surveillance is affecting the privacy of Indians.
On 16th August Deora responded to a question from Rajya Sabha M.P. and BJP Spokesperson Prakash Javadekar, asking the following:
(a) whether it is a fact that India was the fifth most tracked country by the United States intelligence, particularly on the internet;
(b) if so, the details thereof;
(c) the impact of USA''s surveillance program-Prism and Boundless Information on the country; and
(d) the steps Government intends to take to protect country''s interests and the privacy of its citizens?
Javadekar's question was sorely needed in light of the near-daily disclosures being made about the scarily omnipresent extent to which the US Government spies on global Internet users through a myriad of ways.
India, as Javadekar rightly pointed out, was indeed the fifth most monitored country under the "Boundless Informant" data mining tool that tracks the NSA's (the US' lead communications spy agency) global surveillance efforts. In just March 2013 alone, according to a leaked presentation on the tool, the NSA collected 6.3 billion pieces of information from India. Suffice it to say, the information would have come from Indian citizens, businesses, ministries, bureaucrats and of course, members of Parliament (most of who now use webmail and social network from the likes of Google and Facebook).
The only countries that were spied upon more than us were Iran, Pakistan, Jordan and Egypt. Some sobering company, that!
One would thus expect Deora to be seized of the urgency and concern behind Javadekar's questions. His answer was:
(a) & (b) In June 2013, Media reports have disclosed that India is the fifth largest target of United States electronic surveillance programmes, in terms of interception of communications on fibre cables and other infrastructure. As per media reports, United States agencies used a number of methods to gather intelligence including intercepting communication on fibre cables and infrastructure, collecting information from servers of global internet and Telecom Service Providers. Such companies include Google, Facebook, Microsoft, Apple, Yahoo, AOL,Youtube, Paltalk and Skype.
Here we have a member of Parliament asks India's Minister for Communications & IT about the extent to which Indian citizens and businesses are being spied upon by the US - ostensibly a friendly country - and all the Minister could do was cite newspaper reports?
What about your own investigations Mr.Minister? What is the opinion of your leading spy agencies like the NTRO, R&AW and IB? Are they also relying on newspaper reports?
But wait, Deora does go on to provide a few more answers:
(c) & (d) Government has expressed concerns over reported United States monitoring of internet traffic from India. Concerns with regard to violation of any Indian laws relating to privacy of information of ordinary Indian citizen as well as intrusive data capture deployed against Indian citizens or government infrastructure have been conveyed to the United States. The issue of United States Cyber surveillance activities was discussed during the Indo-US (India United States ) strategic dialogue meeting held in New Delhi on 24.06.2013.
Whew. That was reassuring. We expressed "concerns with regard to violation of any Indian laws relating to privacy of information" to the US during a "strategic dialogue meeting".
Let me guess what the US side responded: "Sure. We'll do that. Come back to us when you have a privacy law. Ha ha!"
As Sunil Abraham, the director for the Center for Internet & Society points out in Forbes India, India has no modern and comprehensive privacy law. And the government is working on a new one for only the last three years:
What would an ideal privacy law for India look like? For one, it would protect the rights of all persons, regardless of whether they are citizens or residents. Two, it would define privacy principles. Three, it would establish the office of an independent and autonomous privacy commissioner, who would be sufficiently empowered to investigate and take action against both government and private entities. Four, it would define civil and criminal offences, remedies and penalties. And five, it would have an overriding effect on previous legislation that does not comply with all the privacy principles.
The Justice AP Shah Committee report, released in October 2012, defined the Indian privacy principles as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. The report also lists the exemptions and limitations, so that privacy protections do not have a chilling effect on the freedom of expression and transparency enabled by the Right to Information Act.
The Department of Personnel and Training has been working on a privacy bill for the last three years. Two versions of the bill had leaked before the Justice AP Shah Committee was formed. The next version of the bill, hopefully implementing the recommendations of the Justice AP Shah Committee report, is expected in the near future. In a multi-stakeholder-based parallel process, the Centre for Internet and Society (where I work), along with FICCI and DSCI, is holding seven round tables on a civil society draft of the privacy bill and the industry-led efforts on co-regulation.
Which brings me to the final part of Deora's response to Javadekar:
United States official responded that PRISM dealt only with Meta Data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored. United States Officials maintained that data content/content of emails are not accessed or not monitored under these surveillance programmes; therefore, it is not a violation of privacy. It was stated by United States that its agencies need to get separate authorization from Foreign Intelligence Surveillance Act (FISA) court, if they want to access the content of any of the data intercepted by these surveillance programmes.
Dear Mr.Minister, either you have been lied to by your friendly "United States Official", or, well...
Firstly, by limiting the answer to only PRISM, which happens to be just one of the NSA's secret tools for online surveillance, you are willfully or inadvertently narrowing down Javadekar's question which specifically mentions other tools like Boundless Informant.
Almost all of the big Internet companies revealed to be part of the NSA's global spying mechanism have also used the same tactic to tailor their denials. I suppose they got the cue from the NSA, which loves using the "Under This Program" dodge to derail specific questions about its secret programs, according to the Electronic Frontier Foundation:
Another tried and true technique in the NSA obfuscation playbook is to deny it does one invasive thing or another “under this program.” When it’s later revealed the NSA actually does do the spying it said it didn’t, officials can claim it was just part of another program not referred to in the initial answer.
In case you weren't aware of the NSA's obfuscation tactics Mr.Minister, here is another great piece on it from the Slate - "How to Decode the True Meaning of What NSA Officials Say"
Thus when your friendly US official tells you that "only meta data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored" under PRISM, not "data content/content of emails", he or she is technically right.
Because the NSA has other programs that capture all of that. For instance, XKeyscore, which according to leaked presentations, it can capture "nearly everything a typical user does on the internet". This includes emails, visits to websites, web searches and Facebook chats & private messages.
Did you also know, Mr. Minister, that the XKeyscore surveillance program has servers located inside India?
Finally, you make a statement that is patently false. You say that US spy agencies need authorizations from the secret Foreign Intelligence Surveillance Courts (FISC) in order to access the data collected by various surveillance programs.
FISA courts almost always approve any request made to them (they apparently rejected just 11 requests out of 33,900 made by the US government in the last 33 years), so that's that for oversight.
And in the NSA's Orwellian world of doublespeak, large scale interception and storage of Internet communications isn't considered "collected" till such time one of their agents has had a chance to look at it. Which means if you're reading this post - the NSA's secret servers over the world and in India can coolly capture that and store it in vast databases for posterity - without it ever registering as a "collection" or requiring any approval from FISA courts.
Fact is, Mr.Minister, we "foreigners" (unless you belong to one of the four other countries that are part of the "Five Eyes" alliance, in which case you'll be treated with a wee bit more caution) , that is, us, are fair game:
The intelligence data is being gathered under Section 702 of the of the Fisa Amendments Act (FAA), which gives the NSA authority to target without warrant the communications of foreign targets, who must be non-US citizens and outside the US at the point of collection.
The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as "incidental collection" in surveillance parlance.
We expected better answers from you Mr.Minister - sorry, expect better.
Alas your recent answers don't inspire much trust, for instance when you tell us constant surveillance is "good for us" and "will enhance the privacy of citizens".
Or when you tell us that "Google Hangouts" - a service provided by a company that looms over nearly everything Indians do online - is a better medium to reach out to people than Parliament or Television.
We deserve the truth from you Mr.Minister. Just like Prakash Javadekar.