The Design & Technology behind India’s Surveillance Programmes
Udbhav Tiwari
20 January 2017
While the legal and policy avenues of state surveillance in India have been analysed by various organisations, there is very little available information about the technology and infrastructure used to carry out this surveillance. This appears to be largely, according to the government, due to reasons of national security and sovereignty.[1] This blog post will attempt to paint a picture of the technological infrastructure being used to carry out state surveillance in India.
Background
The revelations by Edward Snowden about mass surveillance in mid-2013 led to an explosion of journalistic interest in surveillance and user privacy in India.[2] The reports and coverage from this period, leading up to early 2015, serve as the main authority for the information presented in this blog post. The lack of information from official government sources, together with the decreasing public spotlight on surveillance since then, has meant that little or no new information about India’s surveillance regime has turned up since this period. However, given the long-term nature of these programmes and the vast amounts of time it takes to set them up, it is fairly certain that the programmes detailed below are still the primary bedrock of state surveillance in the country, albeit having become operational and inter-connected only in the past 2 years.
The technology being used to carry out surveillance in India over the past 5 years is largely an upgraded, centralised and substantially more powerful version of the surveillance techniques followed in India since the advent of telegraph and telephone lines: the tapping & recording of information in transit.[3] The fact that all the modern surveillance programmes detailed below have not required any new legislation, law, amendment or policy that was not already in force prior to 2008 is the most telling example of this fact. The legal and policy implications of the programmes illustrated below have been covered in previous articles by the Centre for Internet & Society which can be found here,[4] here[5] and here.[6] Therefore, this post will concentrate solely on the technological design and infrastructure being used to carry out surveillance, along with any new developments in this field that the three sources mentioned would not have covered from a technological perspective.
The Technology Infrastructure behind State Surveillance in India
The programmes of the Indian Government (in public knowledge) that are being used to carry out state surveillance are broadly eight in number. These exclude specific surveillance technology being used by independent arms of the government, which will be covered in the next section of this post. Many of the programmes listed below have overlapping jurisdictions and in some instances are cross-linked with each other to provide greater coverage:
- Central Monitoring System (CMS)
- National Intelligence Grid (NATGRID)
- Lawful Intercept And Monitoring Project (LIM)
- Crime and Criminal Tracking Network & Systems (CCTNS)
- Network Traffic Analysis System (NETRA)
- New Media Wing (Bureau of New and Concurrent Media)
The post will look at the technological underpinning of each of these programmes and their operational capabilities, both in theory and practice.
Central Monitoring System (CMS)
The Central Monitoring System (CMS) is the premier mass surveillance programme of the Indian Government, which has been in the planning stages since 2008.[7] Its primary goal is to replace the current on-demand availability of analog and digital data from service providers with “central and direct” access which involves no third party between the captured information and the government authorities.[8] While the system is currently operated by the Centre for Development of Telematics, the unreleased three-stage plan envisages a centralised location (physically and legally) to govern the programme. The CMS is primarily operated by the Telecom Enforcement and Resource Monitoring Cell (TERM) within the Department of Telecom, which also has a larger mandate of ensuring radiation safety and spectrum compliance.
The technological infrastructure behind the CMS largely consists of Telecom Service Providers (TSPs) and Internet Service Providers (ISPs) in India being mandated to integrate Interception Store & Forward (ISF) servers with the Lawful Interception Systems required by their licences. Once these ISF servers are installed, they are connected to the Regional Monitoring Centres (RMCs) of the CMS, which are set up according to geographical location and population. Finally, each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS) itself, essentially allowing the collection, storage, access and analysis of data collected from all across the country in a centralised manner. The data collected by the CMS includes voice calls, SMS, MMS, fax communications on landlines, CDMA, video calls, GSM and even general, unencrypted data travelling across the internet using the standard TCP/IP protocol.[9]
With regard to the analysis of this data, Call Detail Records (CDR) analysis, data mining, machine learning and predictive algorithms have allegedly been implemented in various degrees across this network.[10] This allows state actors to pre-emptively gather and collect a vast amount of information from across the country, perform analysis on this data and then possibly even take action on the basis of this information by directly approaching the entity (currently the TERM under C-DOT) operating the system.[11] The system reached full functionality in mid-2016, with over 22 Regional Monitoring Centres functional and the system itself being ‘switched on’ post trials in gradual phases.[12]
National Intelligence Grid (NATGRID)
The National Intelligence Grid (NATGRID) is a semi-functional[13] integrated intelligence grid that links the stored records and databases of several government entities in order to collect data, decipher trends and provide real time (sometimes even predictive) analysis of data gathered across law enforcement, espionage and military agencies. The programme intends to provide 11 security agencies real-time access to 21 citizen data sources to track terror activities across the country. The citizen data sources include bank account details, telephone records, passport data and vehicle registration details, the National Population Register (NPR), the Immigration, Visa, Foreigners Registration and Tracking System (IVFRT), among other types of data, all of which are already present within various government records across the country.[14]
Data mining and analytics are used to process the huge volumes of data generated from the 21 data sources so as to analyse events, match patterns and track suspects, with big data analytics[15] being the primary tool to effectively utilise the project, which was founded to prevent another instance of the September, 2011 terrorist attacks in Mumbai. The agencies that will have access to this data collection and analytics platform are the Central Board of Direct Taxes (CBDT), Central Bureau of Investigation (CBI), Defense Intelligence Agency (DIA), Directorate of Revenue Intelligence (DRI), Enforcement Directorate (ED), Intelligence Bureau (IB), Narcotics Control Bureau (NCB), National Investigation Agency (NIA), Research and Analysis Wing (RAW), the Military Intelligence of Assam, Jammu and Kashmir regions and finally the Home Ministry itself.[16]
As of late 2015, the project has remained stuck because of bureaucratic red tape, with even the first phase of the four stage project not complete. The primary reason for this is the change of governments in 2014, along with apprehensions about breach of security and misuse of information from agencies such as the IB, R&AW, CBI, and CBDT, etc.[17] However, the office of the NATGRID is now under construction in South Delhi and while the agency claims an exemption under the RTI Act as a Schedule II Organisation, its scope and operational reach have only increased with each passing year.
Lawful Intercept And Monitoring Project
Lawful Intercept and Monitoring (LIM) is a secret mass electronic surveillance program operated by the Government of India for monitoring Internet traffic, communications, web-browsing and all other forms of Internet data. It has been primarily run by the Centre for Development of Telematics (C-DoT) in the Ministry of Telecom since 2011.[18]
The LIM Programme consists of installing interception, monitoring and storage programmes at international gateways, internet exchange hubs as well as ISP nodes across the country. This is done independent of ISPs, with the entire hardware and software apparatus being operated by the government. The hardware is installed between the Internet Edge Router (PE) and the core network, allowing for direct access to all traffic flowing through the ISP. It is the primary programme for internet traffic surveillance in India, allowing indiscriminate monitoring of all traffic passing through the ISP for as long as the government desires, without any oversight of courts and sometimes without the knowledge of ISPs.[19] One of the most potent capabilities of the LIM Project is live, automated keyword searches, which allow the government to track all the information passing through the internet pipe being surveilled for certain key phrases in both text and audio. Once these key phrases are successfully matched to the data travelling through the pipe using advanced search algorithms developed uniquely for the project, the system has various automatic routines which range from targeted surveillance on the source of the data to raising an alarm with the appropriate authorities.
LIM systems are often also operated by the ISPs themselves, on behalf of the government. They operate the device, including hardware upkeep, only to provide direct access to government agencies upon requests. Reports have stated that the legal procedures laid down in law (including nodal officers and formal requests for information) are rarely followed[20] in both these cases, allowing unfettered access to petabytes of user data on a daily basis through these programmes.
Crime and Criminal Tracking Network & Systems (CCTNS)
The Crime and Criminal Tracking Network & System (CCTNS) is a planned network that allows for the digital collection, storage, retrieval, analysis, transfer and sharing of information relating to crimes and criminals across India.[21] It is supposed to primarily operate at two levels, one between police stations and the second being between the various governance structures around crime detection and solving around the country, with access also being provided to intelligence and national security agencies.[22]
CCTNS aims to integrate all the necessary data and records surrounding a crime (including past records) into a Core Application Software (CAS) that has been developed by Wipro.[23] The software includes the ability to digitise FIR registration, investigation and charge sheets along with the ability to set up a centralised citizen portal to interact with relevant information. This project aims to use this CAS interface across 15,000 police stations in the country, with up to 5,000 additional deployments. The project has been planned since 2009, with the first complete statewide implementation going live only in August 2016 in Maharashtra.[24]
While seemingly harmless at face value, the project’s true power lies in two main possible uses. The first is its ability to profile individuals using their past conduct, which now can include all stages of an investigation and not just a conviction by a court of law, which has massive privacy concerns. The second is the notion that the CCTNS database will not be an isolated one but will be connected to the NATGRID and other such databases operated by organisations such as the National Crime Records Bureau, which will allow the information present in the CCTNS to be leveraged into carrying out more invasive surveillance of the public at large.[25]
Network Traffic Analysis System (NETRA)
NETRA (NEtwork TRaffic Analysis) is real-time surveillance software developed by the Centre for Artificial Intelligence and Robotics (CAIR) at the Defence Research and Development Organisation (DRDO). The software has apparently been fully functional since early 2014 and is primarily used by Indian spy agencies, the Intelligence Bureau (IB) and the Research and Analysis Wing (RAW), with some capacity being reserved for domestic agencies under the Home Ministry.
The software is meant to monitor Internet traffic on a real-time basis using both voice and textual forms of data communication, especially social media, communication services and web browsing. Each agency was initially allocated 1000 nodes running NETRA, with each node having a capacity to analyse 300 GB of information per second, giving each agency a capacity of around 300 TB of information processing per second.[26] This capacity is largely available only to agencies dealing with external threats, with domestic agencies being allocated far lower capacities, depending on demand. The software itself is mobile and, in the presence of sufficient hardware capacity, nothing prevents the software from being used in the CMS, the NATGRID or LIM operations.
There has been a sharp and sudden absence of public domain information regarding the software since 2014, making any statements about its current form or evolution mere conjecture.
Analysis of the Collective Data
Independent of the capacity of such programmes, their real world operations work in a largely similar manner to mass surveillance programmes in the rest of the world, with a majority of the capacity being focused on decryption and storage of data with basic rudimentary data analytics.[27] Keyword searches for hot words like ‘attack’, ‘bomb’, ‘blast’ or ‘kill’ in the various communication streams in real time are the only real capabilities of the system that have been discussed in the public domain,[28] which along with the limited capacity of such programmes[29] (300 TB) is indicative of the basic level of analysis that is carried out on captured data. Any additional technical details about how India’s surveillance programmes use their captured data are absent from the public domain, but they can be presumed, at best, to operate with similar standards as global practices.[30]
Capacitative Global Comparison
As can be seen from the post so far, India’s surveillance programmes have remarkably little information about them in the public domain, from a technical operation or infrastructure perspective. In fact, post late 2014, there is a stark lack of information about any developments in the mass surveillance field. All of the information that is available about the technical capabilities of the CMS, NATGRID or LIM is either antiquated (pre 2014) or is about (comparatively) mundane details like headquarter construction clearances.[31] Whether this is a result of the general reduction in the attention towards mass surveillance by the public and the media[32] or is the result of actions taken by the government on “national security” grounds under the Official Secrets Act, 1923[33] can only be conjecture.
However, given the information available (mentioned previously in this article), a comparison points to a rather lopsided position relative to international mass surveillance performance. While the legal provisions in India regarding surveillance programmes are among the most wide ranging, discretionary and opaque in the world,[34] their technical capabilities seem to be archaic in comparison to modern standards. The only real comparative that can be used is public reporting surrounding the DRDO NETRA project around 2012 and 2013. The government held a competition between the DRDO’s internally developed software “Netra” and NTRO’s “Vishwarupal” which was developed in collaboration with Paladion Networks.[35] The winning software, NETRA, was said to have a capacity of 300 GB per node, with a total of 1000 sanctioned nodes.[36] This capacity of 300 TB for the entire system, while seemingly powerful, is a minuscule fragment of the 83 petabytes of traffic that is predicted to be generated in India per day.[37] In comparison, the PRISM programme run by the National Security Agency in 2013 (the same time that NETRA was tested) has a capacity of over 5 trillion gigabytes of storage,[38] many orders of magnitude greater than the capacity of the DRDO software. Similar statistics can be seen from the various other programmes of the NSA and the Five Eyes alliance,[39] all of which operated at far greater capacities[40] and were held to be minimally effective.[41] The questions this poses about the effectiveness, reliance and proportionality of the Indian surveillance programme can never truly be answered due to the lack of information surrounding the capacity and technology of the Indian surveillance programmes, as highlighted in the article.
With regard to criminal databases used in surveillance, such as the NATGRID, comparisons with equivalent systems both domestically (especially in the USA) and internationally (such as the one run by the Interpol)[42] are impossible due to the NATGRID not even being fully operational yet.[43]
Conclusion
Even if we were to ignore the issues in principle with mass surveillance, the pervasive, largely unregulated and mass scale surveillance being carried out in India using the tools and technologies detailed above has various technical and policy failings. It is imperative that transparency, accountability and legal scrutiny be made an integral part of the security apparatus in India. The risks of security breaches, politically motivated actions and foreign state hacking only increase with the absence of public accountability mechanisms. Further, opening up the technologies used for these operations to regular security audits will also improve their resilience to such attacks.
[1] http://cis-india.org/internet-governance/blog/the-constitutionality-of-indian-surveillance-law
[2] http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/
[3] https://www.privacyinternational.org/node/818
[4] http://cis-india.org/internet-governance/blog/state-of-cyber-security-and-surveillance-in-india.pdf
[5] http://cis-india.org/internet-governance/blog/security-surveillance-and-data-sharing.pdf
[6] http://cis-india.org/internet-governance/blog/paper-thin-safeguards.pdf
[7] http://pib.nic.in/newsite/PrintRelease.aspx?relid=54679 & http://www.dot.gov.in/sites/default/files/English%20annual%20report%202007-08_0.pdf
[8] http://ijlt.in/wp-content/uploads/2015/08/IJLT-Volume-10.41-62.pdf
[9] http://www.thehindu.com/scitech/technology/in-the-dark-about-indias-prism/article4817903.ece
[10] http://cis-india.org/internet-governance/blog/india-centralmonitoring-system-something-to-worry-about
[11] https://www.justice.gov/sites/default/files/pages/attachments/2016/07/08/ind195494.e.pdf
[12] http://www.datacenterdynamics.com/content-tracks/security-risk/indian-lawful-interception-data-centers-are-complete/94053.fullarticle
[13] http://natgrid.attendance.gov.in/ [Attendance records at the NATGRID Office!]
[14] http://articles.economictimes.indiatimes.com/2013-09-10/news/41938113_1_executive-order-nationalintelligence-grid-databases
[15] http://www.business-standard.com/article/current-affairs/natgrid-to-use-big-data-analytics-to-track-suspects-1
[16] http://sflc.in/wp-content/uploads/2014/09/SFLC-FINAL-SURVEILLANCE-REPORT.pdf
[17] http://indiatoday.intoday.in/story/natgrid-gets-green-nod-but-hurdles-remain/1/543087.html
[18] http://www.thehindu.com/news/national/govt-violates-privacy-safeguards-to-secretly-monitor-internet-traffic/article5107682.ece
[19] ibid
[20] http://www.thehoot.org/story_popup/no-escaping-the-surveillance-state-8742
[21] http://ncrb.gov.in/BureauDivisions/CCTNS/cctns.htm
[22] ibid
[23] http://economictimes.indiatimes.com/news/politics-and-nation/ncrb-to-connect-police-stations-and-crime-data-across-country-in-6-months/articleshow/45029398.cms
[24] http://indiatoday.intoday.in/education/story/crime-criminal-tracking-network-system/1/744164.html
[25] http://www.dailypioneer.com/nation/govt-cctns-to-be-operational-by-2017.html
[26] http://articles.economictimes.indiatimes.com/2012-03-10/news/31143069_1_scanning-internet-monitoring-system-internet-data
[27] Surveillance, Snowden, and Big Data: Capacities, consequences, critique: http://journals.sagepub.com/doi/pdf/10.1177/2053951714541861
[28] http://www.thehindubusinessline.com/industry-and-economy/info-tech/article2978636.ece
[29] See previous section in the article “NTRO”
[30] Van Dijck, José. “Datafication, dataism and dataveillance: Big Data between scientific paradigm and ideology.” Surveillance & Society 12.2 (2014): 197.
[31] http://www.dailymail.co.uk/indiahome/indianews/article-3353230/Nat-Grid-knots-India-s-delayed-counter-terror-programme-gets-approval-green-body-red-tape-stall-further.html
[32] http://cacm.acm.org/magazines/2015/5/186025-privacy-behaviors-after-snowden/fulltext
[33] https://freedomhouse.org/report/freedom-press/2015/india
[34] http://blogs.wsj.com/indiarealtime/2014/06/05/indias-snooping-and-snowden/
[35] http://articles.economictimes.indiatimes.com/2012-03-10/news/31143069_1_scanning-internet-monitoring-system-internet-data
[36] http://economictimes.indiatimes.com/tech/internet/government-to-launch-netra-for-internet-surveillance/articleshow/27438893.cms
[37] http://trak.in/internet/indian-internet-traffic-8tbps-2017/
[38] http://www.economist.com/news/briefing/21579473-americas-national-security-agency-collects-more-information-most-people-thought-will
[39] http://www.washingtonsblog.com/2013/07/the-fact-that-mass-surveillance-doesnt-keep-us-safe-goes-mainstream.html
[40] http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/
[41] Supra Note 35
[42] http://www.papillonfoundation.org/information/global-crime-database/
[43] http://www.thehindu.com/opinion/editorial/Revive-NATGRID-with-safeguards/article13975243.ece