Big brother's watchful eye

400 million Indians, for whom a green-coloured mobile application has become a part of daily life, learned last week that their go-to app for free messaging had been compromised by an Israeli spyware called Pegasus, which had been used to infiltrate targetted users discreetly. When WhatsApp had confirmed to Indian media that more than 100 Indian activists, journalists and members of the public were targetted in the April attack, a silent panic spread amongst Indians, with hundreds if not thousands switching to applications like Telegram or Signal, not wanting to touch the Facebook-owned messenger service with a ten-foot-pole.

But was this the first time that Indians were made aware of the fact that privacy in the online space had become a myth? Was this the first time people in the country started to doubt whether the government is trying to watch them? While it is true that certain incidents or certain vulnerabilities, when exposed create more panic and concern than others; there have been countless attempts by a number of governments just in India to try and implement large-scale, blanket surveillance programmes, most of which have succeeded and are here to stay.

Surveillance vs Privacy

In the backdrop of the September 11 attacks, the United States of America went into crisis mode. The American nation armed its National Security Agency to an extent where it has managed to build the largest mass surveillance network, comprising of a slew of projects with the intention and capability to detect terror attacks before they occurred, in the words of erstwhile President Bush. The terror attacks that followed in the Western world pushed countries to beef up surveillance systems and the 2008 Mumbai attack was that point of realisation for India.

India had already started work on designing mass surveillance networks before 2008, but the attacks accelerated the process and gave birth to programmes like the National Intelligence Grid (NATGRID), the Central Monitoring System (CMS) and DRDO's Network Traffic Analysis (NETRA). The technical capabilities of these surveillance systems were praised by intelligence officials in India at the time they were proposed, tested and asked to be implemented. But the biggest nugget of information was yet to be made public

When an unnamed whistleblower leaked a large tranche of documents in 2013, detailing how the monster of a surveillance system built by the NSA with the intention of upholding crucial national security was, in fact, being used to collect and analyse data of everyday Americans; the collective global population went into a frenzy, with legitimate concerns of maintaining privacy, freedom of expression and many other civil liberty issues. The fight that was for the longest time framed as one between being vigilant and letting enemy forces attack had now become one of Surveillance vs Privacy.

The Snowden leak revealed that the intention of designing mass surveillance systems was always to look inwards and not out. Following this, every critical examination of surveillance systems included the level of intrusion it would require on the ordinary citizenry. For India, the same concern for privacy came about when this government started expanding the mandate for Aadhaar, requiring citizens in the country to have one for a slew of government services.

Mass surveillance in India

The move, with a privacy matter already pending in the Supreme Court, put a lot of institutions in panic, with banks, insurance companies and telecom service providers requiring an Aadhaar number to offer their services. As a result, more than 700 million got one and linked their phone numbers, biometric prints, bank account details and a host of other personal information to the 12-digit identification number, before the SC ruled that linking Aadhaar for such services was not mandatory.

But as the Aadhaar row raged the privacy debate on in the country, the Indian government had already managed to set up world-class mass surveillance systems that cast as wide a net as possible to fish for data that might contribute to maintaining national security. Even before 2014, the CMS had undergone successful pilot sessions, with plans to implement it in every state. While there is very less information made public about how CMS operates, the official statement says that it is an effective way of monitoring "communications on mobile, landlines and the internet"; covering almost every mode of communication used in the current social landscape.

Moreover, systems like the National Intelligence Grid (NATGRID), that brings together databases of various intelligence agencies in the country for ready access to information on someone's bank acount/tax records, credit card history, visa/immigration records and air/rail travel history to 11 of the country's national agencies, had already been cleared by the UPA-II government and two of its four phases had been operationalised by 2014.

Furthermore, by 2013, one of the most intrusive mass surveillance programmes in India – DRDO's Netwrok Tracking Analysis (NETRA), had also been approved for usage by multiple law enforcement agencies. Earlier, it was just the Research and Analysis Wing and the Intelligence Bureau that had access to it. NETRA's capabilities were somewhat like that of NSA's PRISM. The system could intercept communication traffic on Skype, Google, Balckberry and a host of other websites on the internet to specifically single out keywords like 'bomb', 'blast' etc.

In fact, then Home Minister P Chidambaram had strong-armed Blackberry for almost a decade to host its servers in India, which would allow for effective interception. The tech company finally gave in and set up its first servers in Mumbai in 2013.

Facebook/WhatsApp

However, in the context of the recent Pegasus breach, that put Facebook and WhatsApp back on the map, it is interesting to note that Mark Zuckerberg had given in to the lure of using his platform for mass surveillance as far back as in 2009 itself.

When the PRISM leaks surfaced in 2013, slides made by the NSA to make the system public had shown that Google, Skype, Yahoo, Microsoft, YouTube, Apple and Facebook had already agreed to work with the US government to supply bulk user-data for surveillance. In fact, the Zuckerberg-owned company had submitted to the government's request in 2009, three years before Apple gave in. And Facebook's tryst with surveillance and intrusion of privacy in India started when Donald Trump was elected as the 45th President of the US.

When it was discovered that UK-based Cambridge Analytica (CA) had helped the Trump campaign compile nearly accurate data of Americans' voting behaviour and patterns, through their stolen Facebook and social media metadata; information was finally made public that millions of Indian Facebook users could have been affected by this data leak, and the IT Ministry here recommended that the Central Bureau of Investigation initate a preliminary enquiry against both Facebook and CA sometime last year.

The probe against Facebook gave the ruling party enough room to get a hold of social media in the country, which by then the saffron party had almost perfected in running its elaborate election campaigns. And now, as the WhatsApp-Pegasus breach has come to the forefront, with the government blaming the Faebook-owned company for compromising the privacy of Indian citizens, it has once again framed the argument as one between a government fighting for its citizens and a large private corporation.

And with the disclosure from Pegasus creators clarifying that the spyware is not sold to anyone but government agencies, it is also no secret that the Indian government is trying to get Facebook to divulge data on originators of chain messages that are forwarded through large WhatsApp groups.

In the face of this, it is quite clear that individual privacy is a thing of the past. But as the government continues to pry its way into the personal lives of its citizenry with all the world-class tools it has developed and acquired, one question remains: Is India cyber-secure? If so, how is it that a North Korean malware infiltrated the Kudankulam Nuclear Plant and the Indian Space Research Organisation?