June 27, 2013

Beyond Snowden: US surveillance system a useful model for democratic, terror-hit India

The following article appeared in the Economic Times on June 27, 2013.

Edward Snowden, who leaked details of the US National Security Agency's PRISM electronic surveillance programme, is now in Moscow, where he has become embroiled in a sometimes farcical cat-and-mouse game involving several countries.

But the high drama surrounding Snowden obscures the important debate on government surveillance. The only response to the US intelligence agency accessing users' information from internet companies has been outrage, in the US and around the world, including in India. But the issue is about a lot more than Snowden's fate and anger at Big Brother.

FINE BALANCING ACT
At its core, the issue of digital privacy is about reconciling three somewhat contradictory objectives. The first is the government's responsibility to ensure the security of the state and its citizenry. The second is individuals' right to privacy and opportunity. And the third is the preservation of a conducive business climate, in this case, for internet firms that often provide services to users for free.

Thus, gathering vital intelligence might impinge on individuals' privacy, ensuring citizens' rights may mean sacrificing business interests, promoting internet access could necessitate concessions on security, and so forth. Each state has to find its own balance between security, privacy and a favourable business climate based on the nature and severity of the security threats it faces, its legal regime and system of governance, and its economic landscape.

A perfect solution is impossible. But a state can nonetheless strive for an optimal balance between its competing priorities. Unfortunately, on each measure - security, privacy and business climate - India's efforts can be said to have fallen short.

SHORT ON SECURITY
Take security. All states, especially those facing major security threats, must at times conduct surveillance on individuals to gather critical intelligence, including electronic surveillance, in a world where information is increasingly becoming digital. In fact, a state that does not have adequate electronic surveillance capabilities is failing in its security duties.

While details about India's surveillance capabilities are not all public, it appears to be lagging in this respect. Its shortcomings were deeply exposed during the 26/11 attacks in Mumbai, when the perpetrators used voice over internet protocol (VoIP). That led to the fast-tracking of the Central Monitoring System (CMS), theoretically capable of monitoring a wide variety of communications, including various online activities, wireless phone conversations and text messages, and satellite communications. CMS has been repeatedly delayed due to inadequate infrastructure, and is not expected to be activated until December, almost a year later than previously envisioned.

India also falls short on the matter of data privacy. Whereas the US makes strict legal divisions between spying on individuals in the US and those abroad, the distinction in India is less clear, meaning there is greater leeway for the state invading - and possibly abusing - the privacy of individuals it is supposed to protect. The Information Technology Act - specifically Section 69 and its attendant clauses - is extraordinarily wide-ranging, empowering both central and state governments to "exercise powers of interception".

LEAKY DIGITAL PIPE
Finally, the Indian government's relationship with private internet companies has been contentious, to the detriment of the broader business environment. Telecom licences disadvantage the private sector vis-a-vis government. And while representatives of internet companies argue that they regularly comply with court orders, they bristle at seemingly arbitrary requests to interfere with online data.

Such tussles have placed the government at loggerheads with many major digital service providers, so much so that a view in official circles is that digital communication is a nuisance, rather than a crucial resource for a fast-developing, services-oriented economy.

For all its obvious faults, PRISM, offers India a model for how to fashion a regime that goes some way towards assuaging various stakeholders, including the government, individuals and the private sector. That, naturally, assumes that adequate checks and balances are put in place and proper procedures are implemented.

From the perspective of internet users and companies, a system that enables the transfer of information upon specific request is preferable to the government's unfettered access to servers. Such an arrangement protects the majority of users' private information while minimally inconveniencing internet companies. From the government's standpoint, the loss of direct access is more than compensated by the convenience of not having to sift through vast quantities of raw intelligence.

Observers in India and elsewhere should be paying attention to emerging details about the PRISM programme. But rather than lambasting it as Big Brother gone wild, they should look at it as a model - however imperfect - of how a modern, democratic society tries to reconcile its conflicting objectives and make necessary compromises between stakeholders on the issue of digital privacy.