THE DATABASE NATION, a.k.a India's State Surveillance
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 126 | |
| Author | ||
| License | CC Attribution - ShareAlike 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this | |
| Identifiers | 10.5446/33436 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
re:publica 201424 / 126
15
19
22
26
29
31
33
34
35
41
42
49
50
58
68
71
72
74
78
84
87
88
89
91
93
97
100
102
105
106
107
108
109
110
112
119
121
122
123
125
126
00:00
Data acquisitionDatabaseState of matterRule of inferenceWechselseitige InformationComputer animationLecture/Conference
00:35
Casting (performing arts)Event horizonWaveLecture/Conference
01:00
MereologyDatabaseInformationCentralizer and normalizerSystem identificationLecture/Conference
02:11
Ideal (ethics)DatabaseInformationAuthorizationTraffic reportingCentralizer and normalizerNumberMultiplication signRight angleComputer animationLecture/Conference
03:03
Row (database)Form (programming)MassCASE <Informatik>LeakParameter (computer programming)Lecture/Conference
03:26
Cellular automatonType theoryLecture/Conference
04:08
MassNumbering schemeMachine visionTelecommunicationLecture/Conference
04:49
Right angleFrequencyInformation securityInformation privacyData analysisParameter (computer programming)FrustrationMechanism designData miningSoftware2 (number)Lecture/Conference
05:50
Information privacyInformation privacyContext awarenessComputer animationLecture/Conference
06:25
Information privacyWave packetCASE <Informatik>InformationLecture/Conference
07:06
Information privacyForm (programming)Traffic reportingContext awarenessLecture/Conference
07:33
Mobile WebInformation privacyExplosionInformationEuler anglesInformation privacyTraffic reportingState of matterStatisticsGroup actionInternetworkingComputer animationLecture/Conference
08:12
FacebookMobile WebBlogDigital libraryTotal S.A.InternetworkingMedical imagingInternetworkingOrder (biology)Physical lawOffice suiteWireless LANSheaf (mathematics)InformationMobile WebSoftwareInfinityForm (programming)Lecture/ConferenceProgram flowchart
09:26
Sheaf (mathematics)Right angleExpressionMessage passingLecture/Conference
09:56
EmailMessage passingSheaf (mathematics)Sheaf (mathematics)Solid geometryPhysical lawComputer animation
10:24
CASE <Informatik>Special unitary groupOcean currentTwitterIncidence algebraSheaf (mathematics)Lecture/Conference
11:28
Insertion lossCASE <Informatik>Factory (trading post)Sheaf (mathematics)FacebookLecture/Conference
12:01
InformationComputerTransmitterSheaf (mathematics)Sheaf (mathematics)ExpressionCopyright infringementRight anglePhysical lawInformationIntercept theoremEncryptionSymbol tablePrisoner's dilemmaNeuroinformatikComputer animation
12:41
Level (video gaming)InformationSheaf (mathematics)Block (periodic table)Group actionWebsiteEncryptionPhysical lawAuthorizationMessage passingMereologyKey (cryptography)Prisoner's dilemmaCybersexInformation securityLecture/Conference
13:39
Parameter (computer programming)Euler anglesVapor barrierEncryptionArchaeological field surveyPrisoner's dilemmaQuicksortForm (programming)EmailLevel (video gaming)Lecture/Conference
14:36
InternetworkingNumberRule of inferenceRadical (chemistry)CybersexOperator (mathematics)Figurate numberNeuroinformatikInstallation artSystem identificationLecture/ConferenceMeeting/Interview
15:34
NeuroinformatikInformationTelecommunicationSpacetimeObject (grammar)Intercept theoremCASE <Informatik>Axiom of choiceInternetworkingPhysicalismPhysical lawIn-System-ProgrammierungSoftware
16:11
Semantics (computer science)TelecommunicationSoftwareCASE <Informatik>EncryptionQuicksortComputer hardwareIn-System-ProgrammierungTravelling salesman problemInternet service providerLecture/Conference
16:38
EncryptionIn-System-ProgrammierungMassCentralizer and normalizerEncryptionPhysical systemBitStudent's t-testGradientQuicksortComputer animationPanel paintingLecture/Conference
17:19
InformationInformation securityDatabaseDifferent (Kate Ryan album)Software developerFlow separationMeeting/Interview
17:50
Local area networkIntegrated development environmentData Encryption StandardSimulationComputer networkSystem programmingMultiplication signSoftwareDatabasePhysical systemState of matterNumbering schemeTrailPersonal digital assistantExecution unitComputer animationMeeting/Interview
18:28
Physical systemNumbering schemePhysical lawIntercept theoremOperator (mathematics)Lecture/Conference
19:04
Operator (mathematics)Physical lawInternetworkingIntercept theoremTelecommunicationMobile WebPhysical systemSoftwareNumbering schemeLink (knot theory)Key (cryptography)Price indexGateway (telecommunications)Type theoryState of matterIn-System-ProgrammierungLatent heatLecture/Conference
20:03
Interrupt <Informatik>System programmingCASE <Informatik>In-System-ProgrammierungMassTelecommunicationInternetworkingState of matterCausalityComputer animationLecture/Conference
20:34
Computer networkMathematical analysisPhysical systemPhysical systemNumbering schemeInclusion mapWordMathematical analysisComputer hardwareKey (cryptography)In-System-ProgrammierungLecture/ConferenceComputer animation
21:34
Regulärer Ausdruck <Textverarbeitung>Physical systemCentralizer and normalizerNumbering scheme1 (number)Right angleLecture/Conference
22:01
TelecommunicationHybrid computerPhysical systemProcess (computing)ExpressionRight angleCanadian Mathematical SocietyInformation privacyCentralizer and normalizerImplementationLecture/Conference
22:27
Physical systemPartition (number theory)Lecture/Conference
22:56
Physical systemServer (computing)Content management systemPhysical systemTravelling salesman problemInternet service providerPhysical lawCanadian Mathematical SocietySoftwareDialectService (economics)Server (computing)Different (Kate Ryan album)Decision support systemFraunhofer-Institut für Informations- und DatenverarbeitungLecture/ConferenceComputer animation
23:29
DatabaseSoftwareDialectPhysical systemTravelling salesman problemCentralizer and normalizerOffice suiteCASE <Informatik>Chemical equationInformationLecture/Conference
24:24
Data miningCanadian Mathematical SocietyChemical equationPhysical systemScaling (geometry)Incidence algebraMassLecture/Conference
24:56
Numbering schemeElectronic mailing listBiostatisticsData managementMetric systemMeasurementIRIS-TFingerprintPRINCE2Incidence algebraRight anglePhysical systemIdentifiabilityLecture/Conference
25:39
DatabaseIdentifiabilityNumbering schemeMatrix (mathematics)CASE <Informatik>AuthorizationMassCentralizer and normalizerType theoryGroup actionDigitizingCybersexInformation securityLecture/Conference
26:13
Computer programNumbering schemeService (economics)Information technology consultingAddress spaceInformation securitySound effectComputer programmingTheoryPhysical systemState of matterRootPlastikkarteCentralizer and normalizerImplementationLecture/ConferenceComputer animation
26:58
Forcing (mathematics)Physical systemInformation securityService (economics)Link (knot theory)Numbering schemeMetric systemBiostatisticsImplementationLecture/Conference
27:52
ImplementationRegulator geneInformation privacyGroup actionExpert systemService (economics)Instance (computer science)Physical lawTraffic reportingCivil engineeringLecture/Conference
28:38
Information privacyLevel (video gaming)Civil engineeringPhysical lawEncryptionPredictabilityGoodness of fitOpen sourceSoftwareTelecommunicationLecture/ConferenceComputer animation
29:25
Identity managementInformation privacySelf-organizationInformation securityDigitizingElectronic program guideVisualization (computer graphics)CuboidTerm (mathematics)Reverse engineeringMeeting/Interview
29:57
SpacetimeDigitizingOnline chatInformation securityInformationWeightLatent heatMultiplication signLecture/Conference
30:53
Data acquisitionComputer animation
Transcript: English(auto-generated)
00:15
Hi, thank you very much for being here today. My name is Maria and this is Kaustubh. We both work with Tactical Tech here in Berlin.
00:23
The research we'll be talking about today is based on our independent research which we haven't actually done with Tactical Tech, but it has to do with our mutual surveillance footage as well that way. So essentially, we'll be talking about surveillance in the largest democracy in the world. Although India is a fascinating country in many ways,
00:42
unfortunately, there is widespread surveillance in the country. Kaustubh, could you please tell us about surveillance in the largest democracy in the world? It's a shame I can't see anybody. I'd love to be able to wave, wave, wave. Yeah, so we're going to talk about a few things
01:02
that have been happening in India over the last few years. 2008 especially was a very historical year for us in India. Two things happened. One of them was something that makes us very, very sad even today. There were these large terrorist attacks in the city of Bombay, where a bunch of gunmen came
01:22
in to various parts of the city and shot people in cold blood in public places. We've had several other events like that. Maria is going to talk about it in a second. But one of the things that happened after these terrorist attacks was the Indian government very quickly amended the IT Act,
01:41
which now enables the Indian government to collect and build these large databases of personal information, which enable centralized identification, surveillance, and so on.
02:03
Historically, we've known that building large databases of personal information of citizens is a terrible idea. We've seen terrible things happen when this information can be misused by government authorities or people who can
02:20
unlawfully gain access to this information. We've also historically seen large databases of people, centralized databases of people being used to exterminate communities. So why is it that a country, which is the largest democracy in India when it comes to the number of people who live there, 1.2 billion as of the last census,
02:45
adopting such a totalitarian concept? We'll try and ask some of these questions and report on what we know so far over the course of the next 15 or 20 minutes. There's a lot to talk about. We don't have a lot of time, but we'll try our best.
03:02
Right, so what's the main reason for applying widespread surveillance all over the world? Over the last year, we've heard so much about surveillance from Snowden's leaks and so on. Why do governments argue that they apply mass surveillance? Well, usually it's to fight crime and terrorism. That's usually the case, right? Or at least that's the argument from the governments.
03:22
Well, actually in India, I mean, unlike most countries, which don't really have high terrorist attack risks, in India, terrorism actually is a major issue. In the sense that at least 800 terrorist cells are currently operational in India. Over the last 25, 27 years, since 1987, there have been 30 major terrorist attacks.
03:45
And actually, the Mumbai 2008 terrorist attacks are probably the landmark. They're kind of like the 9-11 of India. So actually, India does have a major issue with terrorism. It is a huge problem there. So the government of India does argue that the main reason why they're
04:01
applying this widespread surveillance in the country is to tackle crime and mainly terrorism. So with regards to this, governments all over the world, including Indian governments, are applying mass surveillance schemes. And then what we can see basically is that a large proportion of the population all around the world, including the population in India, are accepting this.
04:22
And why is that? Well, if you go around asking people how they feel about surveillance and if they're okay with it, I think most people, and when I say most people, I mean all over the world, and including Indians, will probably argue, hey, I'm not a terrorist. I have nothing to hide. So what if they, you know, so what if I'm under surveillance if they're onto my communications?
04:44
So I'd just like to ask a question here to the audience. And please try and be honest. Is there anyone here who feels that they're not special or important enough to be under surveillance? If so, please raise your hand. No one?
05:01
One person? Right. Two or one? Or you can't see? Okay, so two people think that they are not special or important enough to be under surveillance. Interesting. Particularly interesting actually because the majority of you don't think that, which is quite a good thing. And in the sense that the way I perceive it at least, I think that this argument,
05:21
this very frustrating mainstream argument is a type of psychological coping mechanism when dealing with security. And at the end of the day, it's not really up to us to define, to determine if we're important or special enough. It's really up to data analysts. It's really up to data mining software, which determines how important or non-important our data really is.
05:46
So that was one myth with regards to that. The second myth about privacy is that... There's a general consensus, not just in India, but worldwide,
06:02
that privacy is not a very important societal value in the Indian context. A lot of Indians also argue, they're saying privacy is a very Western concept and we don't really care about privacy, especially when it comes to digital freedoms, the way the West talks about it.
06:23
In fact, Simon Davies said this recently. He said he defines something called the Indian train syndrome. And it's very common for me to be on a train or in a public place in an Indian city or a town where I am asked very personal questions. A lot of people are. And in most cases, you are very happy to share that information with other people.
06:45
It could be something ranging from, are you married? How many kids do you have? How much money do you earn? And these are not considered very offensive questions. But I argue that, OK, maybe privacy is configured differently in society in India,
07:04
but it is not dead, especially when it comes to digital freedoms. There's an amazing department in the India Institute of Technology in Delhi who put out a really amazing privacy awareness report last year.
07:21
And one of the things that they say is, a lot of people buy secondhand phones in India. A lot of people sell their phones. It turns out over 70% of Indians who are selling their phones care enough to delete all their personal data from their phone. This is just one of the statistics from various ways people engage with technology
07:42
and what they think about privacy in India. It's a great report. I totally recommend anyone who wants to understand issues of surveillance and privacy in India to read it. Can you speak into your mic? Am I not speaking into my mic? OK, I can try. Right, so this is some data from We Are Social,
08:01
and essentially what they're showing is how many people in India live in rural communities and urban communities, how many people have access to the internet, and how many have mobile phones. As we can see from this data, actually only 17%, which is quite a small percentage, of Indians have access to the internet, which is why many people in the West and in India argue that surveillance in India
08:22
is rather an elitist issue and doesn't really concern the majority of our population. But then actually if we think about 17% of our population, which consists of more than a billion people, 17% is actually more than 200 million people. So it's actually a lot of people who have internet and a lot of people who can potentially be affected by surveillance.
08:40
But more importantly enough, as you can see, roughly 73% of our population have mobile phones. And let's not forget that nowadays most people do access the internet through their mobile phones. And most surveillance in India is carried out through the surveillance of mobile networks. So this is, I think, somewhat interesting and important information to bear in mind.
09:02
So in order to understand surveillance in India and probably anywhere else in the world, we probably would have to look at the legal regime. So in India there are several laws which regulate surveillance, like the Indian Telegraph Act, the Indian Post Office Act, the Indian Wireless Telegraph Act, and so on. But I'd really like to draw your attention to the Information Technology Act.
09:21
And that's because it entails certain sections which are deemed to be somewhat controversial, particularly Section 66A. There's been a huge debate in India with regards to this section because it's considered to potentially infringe upon the right to freedom of expression in the country. In particular, this section states that any individual who posts or somehow engages
09:46
and writes an offensive message online will be punished. That itself is, I think, rather concerning or maybe really concerning because it doesn't really define what an offensive message is.
10:01
So you don't really know in India if what you're writing can potentially be perceived to be offensive by the government or any other agencies who are looking at your data. And it could potentially lead to abuse. So in the face of it, the reason this section of the law exists is because it's supposed to protect innocent citizens from harassment online.
10:24
Now, that's probably a good thing, that there is something that one can go to and say, I am being harassed. But we've seen a lot of recent cases where the 66A has been misused by political outfits and leaders. I can think of one specific case which is almost, yeah, it's extremely surprising.
10:47
There's a certain gentleman in the city of Chennai in South India who tweeted to his 16 followers, one six, saying that the son of the current finance minister of the country
11:01
has amassed more wealth than a certain other politician called Robert Vadra. The next day, the cops were at his door, and he was arrested and detained for questioning because this specific politician reported harassment when that tweet was posted. That's just one of the things, and there's been some more serious incidents recently.
11:25
Right, so actually there have been many cases over the last years where this section of the law, 66A, has been used to arrest and prosecute people. One recent example, actually, is this case in Mumbai, which occurred in November 2012, where essentially following the death of a politician, Bal Thackeray,
11:43
Mumbai was shut down. And a woman, the woman in the picture in particular, she posted on Facebook a comment which was basically criticizing the shardan of Mumbai following the death of this politician. And then the woman next to her basically liked the post. And because they kind of dared to post something like that and liked it, they were arrested.
12:04
So this is just one example of several which shows how this section of the law can potentially be used to arrest and prosecute individuals when really this is just an infringement on the right to freedom of expression.
12:22
Another section of this same law of the Information Technology Act is section 69, which has received a lot of criticism in India. The main reason for this is because section 69 allows for the interception of all information transmitted through a computer resource. So it allows for the monitoring, interception, and decryption of information. Now in particular, section 69A allows for certain information online to be blocked,
12:45
which actually has led to the blocking of many websites and very high levels of censorship in India, which is all technically legal under the section. Then section 69B allows not only for the interception, monitoring, and decryption of information,
13:01
for cyber security purposes, but in general. And with regards to decryption, essentially what this section of the law says is that users are required to disclose their encryption keys. In particular, if you for example are using PGP, which I hope you are, and if you're doing so in India, and the authorities for whatever reason
13:23
think that your activity is somewhat suspicious, they are legally allowed to ask you to disclose your private encryption key, which means that you have to give up your passphrase, which is really concerning basically. And the concerning part of that is that if you don't do that, you can potentially be sent to prison for up to seven years,
13:42
and you might even be liable for a fine. So with regards to this, while I was in India, I was training certain activists to use various forms of encryption. And what many activists said was, okay, I'd love to learn to use PGP. I'd love to encrypt my emails. I need to do that. But what if I forget my passphrase?
14:01
What if I forget my private key? What if I lose it, or whatever? And then for whatever reason, the government asks me for it. And then I just don't give it to them, not because I don't want to, you know, cooperate, but because I genuinely don't have it. So a lot of Indians, a lot of activists would argue that, oh, I'm afraid to use encryption because I might actually be prosecuted based on this law.
14:21
Which is quite sad, I think, because that kind of, that's a huge barrier, I think, in the country from mobilizing people to use encryption, which is very essential that we do, especially with regards to all the surveillance that we're going to talk about today. Another thing I want to talk about is a lot of Internet access in public places in India,
14:43
especially cyber cafes that exist in large numbers in many Indian cities and towns. And a recent ruling in 2011 called the IT Rules of 2011, also very popularly known as the Cyber Cafe Rules of 2011, now requires every cyber cafe operator or owner to install surveillance equipment on their premises.
15:06
Not only do they have to check your identification document when you walk in and make a note in a paper register about who you are, they also take a picture of you before they let you anywhere near an Internet terminal.
15:23
And this is basically surveilling a good 30 to 40% of people who are accessing Internet on computers in India, because all of these people are using the Internet in public places.
15:42
And it is not just monitoring their communications, but actually their physical body as you're walking in and out of a space. Right, so that was just a brief on the Information Technology Act, which is probably the law in India regulating surveillance, which is worth mentioning the most.
16:00
But then again, there's also the license agreements. So most surveillance is carried out because ISPs and TSPs monitor and intercept their networks. But in many cases, it's not really their choice. In many cases, or actually in most cases, not only in India, but all over the world, but especially in India, they're required to do so, because they have to comply with certain license agreements. And if they don't monitor their networks, if they don't install the hardware and the software to do so,
16:23
they just can't operate. So in India, there are various license agreements, which basically require ISP and TSP providers to monitor communications. In particular, for example, there's the ISP license agreement, which, among other things, prohibits bulk encryption and prohibits encryption which exceeds 40 bits, which is really low and rather concerning.
16:43
And then there are other license agreements, like the new UAS license agreement, which essentially requires ISPs and TSPs to enable the installation of mass surveillance systems, like the central monitoring system, which I'll refer to later on.
17:02
One more thing that they recently did is create a system called NATgrid, short for the National Grid. Yeah, sorry, I'm really terrible with abbreviations. But what the NATgrid aims to do is a lot of government agencies have maintained
17:21
their separate databases of personal information of citizens over the last several years. The NATgrid aims to link these into one combined databases and then give access to this linked database to 11 different security agencies, intelligence agencies in the country.
17:42
That's a recent development that is really, really scary, because in India we have kind of enjoyed the idea of having our data really distributed as far as the government is concerned for a very long time now, but that's very, very quickly changing with the NATgrid being implemented. So apart from NATgrid, we also have other data collection schemes in India,
18:02
like the crime and criminal tracking networks and systems, CCTNS, which essentially what it does is that it links the databases of 14,000 police departments all across the 35 states and territories of India. So on the one hand, one could argue that, hey, this is a great system because it enables police to do their work better by attempting to detect potential criminals and so on.
18:28
And sure, it might be effective. But what I think is really concerning about this is the idea of centralizing data and having just a few government agencies have the monopoly of access to such data, which is even more concerning with the rest of the schemes which we'll get to.
18:44
So I think along with the data collection schemes, we also have various surveillance schemes in India. Now, the lawful intercept and monitoring systems have been basically operating in India since 2009 following the big Mumbai 2008 terrorist attacks. However, the problem is that most schemes in India are widely carried out in secret,
19:05
which means that we pretty much only found out about these schemes recently, in particular now a few months ago in 2013. Now, these lawful intercept and monitoring systems, they're basically being used for both mobile communications and for internet communications. In particular, mobile operators in India have already deployed their own lawful intercept and monitoring systems
19:25
at their premises, and they're basically intercepting all communications running through the networks. And then what the government of India has done is that they have deployed their own lawful intercept and monitoring system at the international gateway of ISPs. Now, having done that, that essentially means that they're able to have indiscriminate access
19:45
to all internet traffic in the country. It means that they have a type of always live link, which gives them access to all of it. By having access to all this data, they try to detect specific suspicious keywords and key phrases, although we don't know which keywords and key phrases they look out for, which is kind of scary, to say the least.
20:07
But anyhow, I think what's really concerning is that by doing so, they bypass ISPs and get access to such data. In most cases, they probably do so without ISPs' knowledge or consent or whatever, and it's very likely that all this mass surveillance of internet communications in India is being carried out without court oversight,
20:25
which brings a lot of questions with regards to legality and whether this has been used to abuse data and so on. So, Maria was talking about keywords that are found suspicious and used by certain surveillance schemes to target people.
20:43
This is a new system called Netra that actually we know very little about, except that the Intelligence Bureau of the country has been piloting this since earlier this year, January, February. Netra is, as we know, a hardware solution that's plugging straight into ISPs in India,
21:03
which does real-time analysis of all traffic, voice and text, and tries to basically target certain individuals based on the phrases and keywords that they're using.
21:22
I'm not going to mention what the keywords or the phrases are, but that's some examples of what we've found in some documents that we've been able to lay our hands on. So, I'm sorry to overwhelm you, but there are more surveillance schemes in India, apart from the ones that we've already mentioned.
21:40
So, a relatively new one, which is actually not new, it was applied again following the Mumbai terrorist attacks, as most surveillance schemes around the world, right? This started off in 2009, but it's mostly been operational over the last months, and we've only recently found out about it, in particular, literally a year ago. The central monitoring system, like the name says, is a monitoring system which is deeply centralized,
22:04
and which aims at intercepting all communications in India. A lot of activists in India have already protested against this. There's the Stop CMS activist group, for example, which basically argue that the central monitoring system potentially infringes upon the right to privacy, freedom of expression, and so on.
22:23
So, what we know about the CMS, amongst various things that we know about it so far, is that, for one, the government has already invested at least 72 million dollars in the implementation of the system, which is quite interesting, I think, given that, you know, they obviously have a lot, like mentioned before, terrorism is a big problem in India,
22:42
so, on the one hand, you could argue that, hey, this is a reasonable investment, you know, to tackle crime and terrorism, but on the other hand, it's like, wow, India has a lot of great issues, like poverty and so on. Why invest so much money when it could be invested elsewhere, and how effective has this actually been? Well, I guess we'll see that over the next years, won't we?
23:01
So, what is the CMS and how does it work? So, essentially, TSP providers in India have already had law for deception systems install the premises of the last years. Now, the difference is that these law for deception systems are now being integrated with intercept, store, and forward servers, ISF servers. What these servers do is that they basically automatically transmit all the data from TSP's network to regional monitoring centers.
23:28
So, there are various regional monitoring centers all over India, and all interceptor data from TSP networks are automatically transmitted there. Then, these regional monitoring centers are all linked to the central monitoring system, which has the massive centralized database.
23:42
What this means, basically, is that unlike in most countries, or unlike the past, where law enforcement would have a warrant or something and go to nodal officer and request them to intercept particular information, now, this is not the case. Now, law enforcement agencies in India are able to bypass TSP's and they're able
24:03
to have direct access to all this intercept data through the central monitoring system. And again, it's very unclear if there's any court oversight with regards to this. To my knowledge, this system lacks all legal backing. Sure, it is specialized, it is mentioned in the license agreement, but it still lacks legal backing.
24:22
It's completely unregulated, and it's really unclear who will be able to do the checks and balances if this is ever misused. So, it turns out we have just two more minutes and we wanted to talk about a few more things, but that's the scale of what kind of monitoring is happening in India, how many people are affected by the CMS.
24:41
Just the CMS. Yeah, this is a quote I completely agree with. I've always tried to argue with large systems using what Shnayar said. It's basically never worked. There aren't many incidents where this kind of mass surveillance has actually prevented any terrorist attacks,
25:02
like the Indian government claims it would. We're just going to very quickly tell you about a welfare system that the Indian government's been implementing over the last few years, and then we'll hopefully try and wrap up in the next minute or so. Right. Okay, sorry, so very quickly, and if I speak too fast, please raise your hand, because I tend to speak quickly.
25:22
So, the UID, along with other schemes, we have data collection surveillance schemes, we also have a biometric data collection scheme. The UID is the world's largest biometric data collection scheme, and what it does is it collects biometrics and demographic data, biometrics as in iris and fingerprints. Now, this basically serves as a unique identifier for all other surveillance schemes,
25:43
in the sense that you collect all the data about people and then you're able to verify that the data actually belongs to that person based on the biometrics, or supposedly, but that's a huge issue because in many cases, technology is infallible. This is run by the authority, it has a massive centralized database. As you can see, India really loves the idea of centralizing their surveillance, centralizing their data collection,
26:03
which in my opinion is not the best idea in the world, well actually I think it's a bad idea, because centralized data essentially means that it kind of serves as a type of honeypot potentially for cyber attacks, so security-wise, it doesn't seem that effective. Generally speaking, the UID is considered to be voluntary, although in practice, I think it's rather mandatory,
26:23
because for example, a lot of people can't get access to cash-free programs and other social, other government benefits, unless they're registered with a UID. And also in Maharashtra, which is a state in the west of India where Mumbai is, up until recently, people could not even get married unless they were registered with a UID,
26:41
unless they had ADAR cards, which basically means that although in theory it's voluntary, it's actually pretty mandatory. Other than the whole idea of centralized systems that the UID is trying to implement to collect personal data, there's some other worries about the privatization of the implementation. The Indian government has been hiring large corporations to implement most of these systems,
27:05
and one example I can give you is a company called L1 they work with, who claim on all their public documents that they service the US defense and national security forces. What's worrying for me as an Indian citizen here is why is the government consistently demonstrating
27:23
these links with corporations which have clear relationships with foreign intelligence agencies, and how do I then expect my government to protect my data if I don't know whose hands it is in eventually. Right, so the bad news are that in India there are lots of data collection schemes,
27:43
a biometric scheme, lots of surveillance schemes. Unfortunately, most of the schemes have been carried out widely in secret, and unfortunately most of them lack legal backing, and they lack public and parliamentary debate prior to the implementation. However, the good news is that there's actually been a lot of effort in India to create privacy laws,
28:01
which will regulate data and regulate surveillance. For example, the Department of Personnel and Training in India has recently come up with this draft privacy bill, which is very much in compliance with the privacy principles, which are included in the report by the group of experts on privacy. However, I do hope that they further review this bill, and that it is basically more in compliance with the privacy principles.
28:24
And then we can see a lot of initiative as well from the civil society sector. For example, the Centre for Internet Society in Bangalore, they've drafted their own bill. So we can see a lot of initiative from both the government and the civil society sector to create a privacy bill in the country, which will regulate all these issues that we mentioned and protect people's privacy.
28:41
We hope to go through with that. And it's great that there's so much effort from civil society and activist outfits and policy level advocates to try and regulate how data protection and privacy laws can protect individual freedoms and corporate freedoms in the country.
29:01
But there are things we can do today to try and protect ourselves. And one of the things I just want to talk about is the use of good open source encryption, which is not as difficult as it usually sounds. All of us are really capable, in my opinion, of using open source software that helps us encrypt
29:22
and safeguard our communications and data. I very quickly want to mention a toolkit that I've been involved with for a little while called Security in a Box, which is a toolkit published by the organization that both Maria and I work with, Tactical Technology Collective. What this does is helps activists, journalists, or anybody else understand and manage their digital privacy risks
29:47
and also tries and makes this technology more accessible through booklets and guides that we publish. We are at Republica in large numbers, and we've been running digital security clinics
30:02
for the last couple of days in the space called Reclaim the Net. If you have any questions about what tools and tactics you can use to protect yourself from surveillance, do come talk to us. We're also running some specific sessions around various issues at the clinic.
30:20
If you have any other questions, I think we don't have any time for questions, but Maria and I will hang out just outside this space if you want to come say hello and talk to us more about anything we've spoken about. It's unfortunate that we had such a short slot and we had to rush through this, but there is a lot more information we would like to talk about.
30:41
And we'll hopefully find a quiet corner and have more chats this evening. Thank you.