2014 Annenberg-Oxford alumnus Maria Xynou takes a glimpse at India’s surveillance industry and issues with its regulation.
India is known worldwide for its geeks, but what most people probably don’t realize is that along with its booming IT industry comes its booming surveillance industry. As India has faced at least 30 major terrorist attacks over the last few decades, it remains extremely unclear whether the use of surveillance technologies by law enforcement agencies has effectively prevented and reduced crime and terrorism in the country. What is clear though is that companies in India are profiting from selling unregulated technologies to law enforcement agencies to spy on citizens’ lives in the name of “national security”.
A study based on a random sample of 50 security companies based in India shows that the following is produced and sold in the country:
- Internet monitoring software
- Data mining and profiling software
- Phone monitoring software
- Speech analysis / Voice recognition software
- Face recognition software
- Location monitoring software and hardware
- Visual surveillance (such as CCTV cameras)
- Aerial surveillance (drones)
- Biometric access control systems
Based on data collected from the study, the following pie chart illustrates which security solutions are produced the most by these 50 security companies:
In particular, it is evident that biometric technologies are produced the most, which is no surprise in light of the UID, India’s mass biometric data collection scheme. Phone monitoring software and internet monitoring solutions are also quite prevalent in the security industry. These tools likely aid India’s Central Monitoring System (CMS), Network Traffic Analysis (NETRA) system and various Lawful Intercept and Monitoring (LIM) systems.
The pie chart below illustrates the type of clients that purchase security solutions produced and sold by companies based in India:
From the random sample of 50 security companies, the majority appear to sell products and solutions to law enforcement agencies, intelligence and security agencies, the military and to the police. Specifically, many of these companies sell CCTV cameras to the police, drones to the Indian military, biometric systems to the Unique Identification Authority of India (UIDAI) and phone and internet monitoring systems to intelligence agencies. Interestingly enough, some companies sell relatively cheap spy products to the public, such as spy watches and spy sunglasses, which can theoretically be purchased by anyone who can afford them.
Since they are based on a random sample, however, the above charts are not necessarily representative of the whole of India or of the entire security industry in the country. While the sample data merely provide a glimpse of what type of security solutions are produced in India and to whom they are sold, the charts do include information that probably shouldn’t be ignored: unregulated security solutions, such as phone and internet monitoring systems, which are designed to capture mass volumes of data, are being sold to Indian law enforcement agencies. Such agencies have the authority to target and potentially prosecute individuals – especially in light of the absence of adequate safeguards.
Activists and political dissidents globally appear to be the primary targets of some of the most sophisticated surveillance technologies, even though these technologies’ use is supposed to be limited to criminals and terrorists. A few months ago, Privacy International reported that an Ethiopian political refugee in the UK was targeted by FinFisher spyware, as a Trojan was detected in his computer. In May 2013, spyware was detected in the laptop of an Angolan journalist at a human rights conference in Norway. Given the current lack of privacy legislation in India and the lack of transparency mechanisms for surveillance technologies, it is important to note the potential for Indian law enforcement agencies to target and spy on activists and political dissidents.
While surveillance in India is regulated, surveillance technologies are not. Out of the 50 companies in the random sample, only 6 companies state on their websites that they comply with international lawful regulations and standards, such as ETSI and CALEA. Other companies, such as Span Group, state that they comply with guidelines issued by the Department of Telecommunications of the Government of India. Such guidelines, however, are not legally binding. Additionally, India’s laws which regulate surveillance, such as the Information Technology Act 2000, require the interception of communications, but do not specifically regulate the use of various types of surveillance technologies.
Additionally, security solutions’ impact on human rights varies depending on their functions and the volumes and types of data they collect. Drones – used in India for reasons ranging from monitoring the poaching of rhinos in Assam to gathering intelligence on Maoist operations – have a completely different harm potential on human rights than CCTV cameras, for example, which are not weaponized and collect different types and amounts of data. Internet monitoring systems, such as those sold by Paladion Networks, which can monitor 10,000 targets concurrently, also have a different harm potential on human rights in comparison to GPS tracking devices.
As such, the regulation of various types of security solutions should explicitly depend on their harm potential towards human rights, and their regulation should not be restricted to broad and vague surveillance laws. For example, the various types of “intrusion software” (malware and rootkits) and “IP network surveillance systems” (Deep Packet Inspection systems) sold by Indian companies ClearTrail Technologies, Paladion Networks and Kommlabs Dezign, should be strictly regulated in compliance with the International Principles on the Application of Human Rights to Communications Surveillance.
Spyware, which is designed to be deployed remotely and secretly into a target’s computer and capture all personal data, poses a threat to privacy and other human rights. Such technologies can potentially be used by law enforcement agencies in India and abroad to target human rights activists and political dissidents. Export and import controls should be enforced on these technologies, and some countries and organizations already treat such technologies as “weapons.” For example, intrusion software and IP network surveillance systems have already been added to the control list of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. India should participate in this multilateral export control regime to begin to control these technologies. Additionally, India should add “intrusive software” and “IP network surveillance systems” to its import and export control lists. This would not only help prevent the import of intrusive spyware, such as FinFisher and Da Vinci, but it would also help ensure that Indian companies, such as ClearTrail Technologies and Paladion Networks, are prevented from exporting intrusive technologies to repressive regimes.
Freedom of expression, the right to privacy, freedom of association and many other human rights are at stake as long as technologies which have the capability of taking full control of our devices remain unregulated. While it remains unclear if the regulation of such technologies will suffice in protecting our human rights adequately, it might be a decisive first step. India, the world’s largest democracy in terms of population, should take the lead.
Maria Xynou works on privacy-related projects at the Tactical Technology Collective (TTC) in Berlin. Previously, she worked in India with the Centre for Internet and Society (CIS) as a policy researcher on surveillance. Maria has interned with Privacy International and with the Parliament of Greece, and holds an MSc in Security Studies from University College London (UCL).