This article is a reaction to the Government of India’s directive to telcos to install surveillance equipment as reported in the Times of India on September 19, here. The views expressed herein are the author’s own.
Big brother treads softly, but surely. The Government of India has asked Internet service providers (ISP) to monitor Internet traffic. It wants to read your emails; eavesdrop on your VOIP conversations; judge you by your blog posts and online rants; monitor your downloads/uploads; track your visits to adult sites and, generally, keep tabs on your shopping and surfing habits… and you!
Our fundamental rights guarantee us the freedom of expression. We take pride in proclaiming we are the largest democracy in the world, but our actions are blatantly undemocratic in nature. Personally, I believe this sort of action is a result of ignorance of computing / Internet — a widespread trait in the corridors of power.
Over the years, we have lived through clarion calls for bans on various public Websites, search engines and online maps in the name of security, “Indian” morality, cultural values and more. These are knee-jerk reactions and proclamations by people who do not know what they are talking about. A threat to their power is all that bothers these ignoramuses, and the reasons are not too far back in history – Egypt, Libya, Tunisia and our home grown Anna Hazare, have spawned popular uprisings that have overthrown regimes or shaken them to the core.
The Indian Home Ministry wants to monitor and log all details relating to communication and activity, but do they know what they are asking for? When we consider the math – we have 100 million Internet users. At the rate of one measly email a day (at a 70 kb average size), this translates to 6.5 TB per day. Add a 100 kb attachment on 25% mails, and this jumps to 2.33 TB per day. Add surfing habits, blogs, chat, adult stuff, junior stuff, and we are talking Petabytes on a daily basis.
The investment in storage space, backup, storage systems and disaster recovery is a bonanza only for the vendors. What’s in it for the telecom company? A 100 crore+ investment, and the responsibility to ensure the capture, storage and security of tons of data?
With nothing to expect in return, this activity cannot expect any priority by the host telco. Can we expect anyone to (diligently and seriously) look into this pile every day? Have we considered factors relating to risk and competence? This data can be misused. Who will have access, and how will it be analyzed? Are there trained personnel? Where will it be stored? How will the analysis be shared, and with whom?
If it was about national security, intelligent action will be welcome, but the lack of action is so obvious, it hurts. Consider these few examples — a ship drifts from Oman to Mumbai, and the security establishment learns about it when watching the morning news on TV. A nation lived through the horror of 26/11, and the mandarins are still squabbling over purchase of bullet proof jackets. Responsible disclosure of vulnerabilities in government policy and websites does not result in any action; the Prime Minister’s Office/ Ministry of External Affairs are repeatedly compromised, and lame excuses like virus attacks are given out… and the government continues to live in a state of blissful cyber promiscuity.
Sometime back, the telcos were asked by TRAI to conduct a know-your-customer (KYC) exercise for all users, and we all flocked submit papers and photographs. Many a subscriber made multiple trips, while others lost their connections for want of paperwork. Eventually, the sham was exposed in May 2011 when a fire destroyed cellphone application forms at an operator’s warehouse in Ahmedabad. Only 40% had been scanned since 1996!
Monitoring internet traffic is not the panacea and is just another knee-jerk figment of ignorant fancy. Serious effort must go into building and empowering a Cyber Police force with proper training, good equipment and an effective online as well as offline intelligence network. Good old fashioned policing, national pride, trust, decent human values and knowledge will help build the security infrastructure and response.
The Internet is a medium that embodies the concepts and values of freedom – of thought, action and empowerment. The Indian Government should be promoting these values, and not running scared.
It is a free and open medium, owned by none, that cannot be fettered by any single government’s wishful thinking.
China is a true example of failed attempts to muzzle the internet. Concepts of kill-switch, traffic shaping, Internet monitoring, whitelisting, blacklisting and such, in the hands of a Government, can be equated to prohibition. History is witness to the fact that crime and corruption are the fastest growth sectors during times of ban.
Unfortunately, in our part of the world, such power moves are rarely withdrawn. So get ready to participate in the Indian version of the cyber-Truman show. Thank God they forgot PSTN lines and the Postal Department.
About the author: Dinesh Bareja, CISA, CISM, ITIL, is an information security consultant specializing in strategic and customized IS solutions, MSS, SOCs, PCI, ISMS, ITSM and more. He is currently a VP (Information Security) with Grid Infocom. Bareja is involved in training and conducts regular online mentoring sessions, as well as maintains thefaqproject.com for InfoSec certifications. You can connect with him at firstname.lastname@example.org.
This was first published in September 2011