Monday, September 27, 2010
India’s Spy Plan Said to Deter Business
NEW DELHI — In the United States, law enforcement and security agencies have raised privacy concerns with a new proposal for electronic eavesdropping powers to track terrorists and criminals and unscramble their encrypted messages.
But here in India, government authorities are well beyond the proposal stage. Prompted by fears of digital-era plotters, officials are already demanding that network operators give them the ability to monitor and decrypt digital messages, whenever the Home Ministry deems the eavesdropping to be vital to national security.
Critics, though, say India’s campaign to monitor data transmission within its borders will hurt another important national goal: attracting global businesses and becoming a hub for technology innovation.
The most inflammatory part of the effort has been India’s threat to block encrypted BlackBerry services widely used by corporations unless phone companies provide access to the data in a readable format. But Indian officials have also said they will seek greater access to encrypted data sent over popular Internet services like Gmail, Skype and virtual private networks that enable users to bypass traditional telephone links or log in remotely to corporate computer systems.
Critics say such a threat could make foreigners think twice about doing business here. Especially vulnerable could be outsourcing for Western clients, like processing medical records or handling confidential research projects, information that is typically transmitted as encrypted data.
“If there is any risk to that data, those companies will look elsewhere,” said Peter Sutherland, a former Canadian ambassador to India who is now a consultant to North American companies doing business there.
S. Ramadorai, vice chairman of India’s largest outsourcing company, Tata Consultancy Services, echoed that sentiment in a newspaper column on Wednesday. “Bans and calls for bans aren’t a solution,” he wrote. “They’ll disconnect India from the rest of the world.”
Few doubt that India has valid security concerns. In recent years, attacks against India have included the use of sophisticated communications technology — as when the terrorists who stormed Mumbai two years ago communicated with their Pakistani handlers by satellite phone and the Internet. Or when Chinese hackers infiltrated India’s military computer networks this year.
But critics say that India’s security efforts, which they describe as clumsy, may do little to protect the country, even as they intrude on the privacy of companies and citizens alike.
“They will do damage by blocking highly visible systems like BlackBerry or Skype,” said Ajay Shah, a Mumbai-based economist who writes extensively about technology. “This will shift users to less visible and known platforms. Terrorists will make merry doing crypto anyway. A zillion tools for this are freely available.”
Senior Indian officials, though, argue that they have no choice but to demand the data that could help thwart and investigate terrorist attacks.
“All communications which is done by Indians or coming to and fro into India — and where we have a concern about national security — we should have access to it,” said Gopal Krishna Pillai, the secretary of India’s Home Ministry, which oversees domestic security.
During the Mumbai attacks, he said, officials could not gain access to some of the communications between the terrorists and their handlers.
Some legal experts indicate that Indian law — which has few explicit protections for personal privacy — is on the government’s side. But they also say India is trying to enforce the law in unnerving ways.
“The concern of corporate users and general users of BlackBerry is that if this is allowed, the government will become the single biggest repository of information,” said Pavan Duggal, a technology lawyer who practices before India’s Supreme Court. “And we have no idea how this information will be used and misused in the future.”
The Indian government has also clamped down on the importation of foreign telecommunications equipment, saying it wants to ensure that the technology does not contain malicious software or secret trap doors that could be used by foreign spies.
The technology and security debates playing out here are not new or unique to India.
During the 1990s, for instance, American security officials tried unsuccessfully to restrict the use of encryption because of worries that law enforcement would not be able to monitor communications. Now, in legislation the Obama administration plans to introduce next year, officials want Congress to require all services that enable communications — including encrypted e-mail systems like BlackBerry, social networking Web sites like Facebook and software that allows direct “peer to peer” messaging like Skype — to be technically able to comply if served with a wiretap order.
Currently, other countries including the United Arab Emirates and Indonesia are trying to impose various measures similar to India’s.
The debate here, though, is complicated by the fact that despite private industry’s technology prowess in this country, in technologies like cryptography Indian law enforcement agencies still lag significantly behind their counterparts in the United States and other advanced countries.
The Indian government says it is intent on improving its code-cracking skills. But “in the interim, it has this very blunt instrument,” said Rajan S. Mathews, the director general of the Cellular Operators Association of India, a trade group. “It comes to the operators and says: ‘I’m going to make you responsible for giving me access,’ ” he said.
Mr. Pillai, the Home Ministry secretary, said the government was not opposed to the use of encryption to protect the privacy of legitimate electronic communications. But he said that as government-licensed entities, network operators were obliged to give law enforcement officials a way to decode messages when required or to block communications that they cannot decipher.
But network providers say they may not always have the technical ability to do that. In much of the world — including for business users in India — companies and individuals now often use encryption systems that generate new code keys for each message and lack a convenient master key that could unlock everything for government viewing.
Google, for its part, has enhanced the encryption for its Gmail service, making it harder for hackers and the Indian government to read messages. Mr. Pillai said his ministry had begun conversations with Google and Skype, the Internet phone company, which also uses strong encryption, to provide access to decoded data.
Representatives for Google and Skype said that they could not comment because they had not yet received formal demands from the Indian government.
Meanwhile, government officials have demanded that the maker of BlackBerry, Research in Motion of Canada, set up a server computer in India from which law enforcement agencies can gain access to unencrypted versions of messages when they need to. The government has given R.I.M. until the end of October to comply.
The company has said that it is willing to meet “the lawful access needs of law enforcement agencies.” But the company says it cannot provide unencrypted copies of messages of corporate users because of how the BlackBerry system is designed, noting that even R.I.M. cannot decode them.
“Strong encryption has become a mandatory requirement for all enterprise-class wireless e-mail services today,” R.I.M. said in a statement in late August, “and is also a fundamental commercial requirement for any country to attract and maintain international business.”
Vikas Bajaj reported from New Delhi, and Ian Austen from Ottawa. Heather Timmons contributed reporting from New Delhi. New York Times