STRANGE FRUIT

The Indian governments pursuit of BlackBerry reveals inconsistencies in its policy on privacy and security. Prashant Iyengar reports

Over the past few years, the stand-off between Research in Motion (RIM), the owners of BlackBerry, and the Indian government has been keeping telecom policy-watchers entertained. Email, web traffic and PIN messages are encrypted on BlackBerry devices and cannot be intercepted by security agencies. The government has been insistent in its demands that RIM make facilities available to enable interception in real time. Failure to do so would, it alleges, threaten Indias national security. Furthermore, politicians point out, all other telecom operators in India have complied with this demand. The clinching argument, so far as the government is concerned, is that China, Saudi Arabia and the UAE have been reported to have access, and India does not want to be excluded. RIM responded to these demands first by denying that it was technologically possible, and then by offering half-measures which have not impressed the government. Like the fruit which only grows in cold climates, BlackBerry mobile phones are rare in India. More than 800m Indians use mobile phones, while there are only a million BlackBerry users. So why is this controversy important in India?

132

strange fruit

There are a million BlackBerry users in India and more than 800m mobile phones Ahmadabad, India, 27 August 2010 Credit: Ajit Solanki/AP

BlackBerry services were launched by several telecom networks in India in 2004. No concerns were raised by the government about intercepting data until 2008. In March that year, Tata Teleservices (TTSL), a new telecom service provider, sought permission from the Department of Telecommunications (DoT) to offer BlackBerry services on its network. The Unified Access Services licence (UASL), mandatory for all telecom providers since 2004, contains a clause forbidding them from employing bulk encryption equipment in their network unless prior approval is obtained from the DoT. Curiously, none of the major service providers including the staterun BSNL which had been offering BlackBerry services since 2004 had considered it necessary to obtain permission under this clause. A further clause requires licensees to provide the necessary facilities for continuous monitoring of the system. However, inspection would ordinarily be carried

133

privacy is dead

out after reasonable notice except in circumstances where giving such a notice will defeat the very purpose of the inspection. The DoT not only declined TTSL permission to offer BlackBerry on the grounds that BlackBerry services do not have scope for lawful interception, but then issued instructions to all mobile service providers asking them not to connect or provide/run certain BlackBerry services unless the required monitoring systems are in place. This set in motion a threeyear period of hectic dialogue, first between the telecom operators and the government, and then directly between Research in Motion and the government. In January, RIM bowed to pressure and offered the government access to consumer services, including its messenger services. However, the company still insisted that it was technologically impossible to offer interception of encrypted communications that travelled over their corporate enterprise servers, since these were controlled entirely by their clients. The government has termed this solution unsatisfactory and insisted that RIM turn over the keys to corporate email services. RIM has sought a period of two years to develop a solution that would enable interception of their enterprise email. The government has neither rejected nor acquiesced to this demand. In March, an article appeared in TechDirt suggesting that the government was ready to soften its stance and assume responsibility for building technologies for intelligence agencies for monitoring and interception purposes. At the same time, the media reported that RIM had been given till the end of the month to fully comply with the governments requirements or face a ban. That date has passed without any further action. Anyone familiar with the Indian state will know that it has an indifferent record of enforcing strict compliance within the letter of the law. Our courts do not, for instance, insist that evidence be obtained lawfully by police officers, by strictly following procedures laid down in the Criminal Procedure Code. Instead, illegal searches and wiretapping have been held to be mere irregularities, and evidence obtained may still be admissible. Another regrettable feature of the Indian criminal justice apparatus is the failure of the intelligence machinery at all levels. Despite the heavy investment and rhetoric about the deployment of advanced surveillance technologies, rarely have these been useful in preventing crimes. The Mumbai attack in 2008, when Pakistani militants took guests hostage in the Taj Hotel, itself presents a sorry case study in how the government and security agencies sat on credible intelligence reports about imminent terrorist attacks. It is not the inadequacy of intelligence mechanisms in India,

134

strange fruit

but the unwillingness of security agencies to act upon such information that has led to the persistence of crime. The governments stern insistence on compliance in the case of BlackBerry therefore seems somewhat incongruous with both how the state normally operates and its demonstrated incapacity to deploy technology effectively for purposes of national security. The DoTs disproportionate position in its dealings with RIM may partly also be the fallout of the Mumbai attack (some of the militants were BlackBerry users). Envy might be a motive too: other countries have been more successful at arm-twisting RIM into compliance. Last August, BlackBerry agreed to the monitoring of email and instant messaging data services in Saudi Arabia. UAE has now banned individuals and small businesses from using the most secure BlackBerry settings, a retreat from its previous threat of a total ban. The restrictions will also apply to all phone companies in the country. In India, RIM now appears to be paying the price for its initial obdurate stance, whereas most other telecom service providers have facilitated government monitoring. Nokia, for example, set up an enterprise server in India last year to enable government monitoring. In terms of consumer privacy, the BlackBerry controversy does not significantly worsen the average citizens existent right to privacy. Theoretically, all mobile users are already susceptible to interception by the DoT. The opening up of BlackBerry users to government surveillance merely countervails the relatively enhanced privacy of a small group. Telecom service provider Reliance Communications told the supreme court earlier this year that 30,000 interceptions took place yearly between 2006 and 2010. It may be ultimately futile to rely on a technological solution to fix what is clearly a systemic problem. It will be interesting to see how the government now deals with online services such as Gmail and Skype which employ higher encryption standards than permissible under law. A number of factors may shield them from government action: first, the fact that other branches of the government such as the Reserve Bank of India, which regulates the banking industry, and SEBI, which regulates stock trading prescribe and require high browser encryption in excess of the 40bit encryption permitted by the DoT, for operations that fall within their purview. Attempting to enforce strict adherence to their encryption norms might draw the DoT into an inter-departmental fight, in which it would be sparring far above its weight. Second, regardless of what the policy requires them to do, Google has, of its own volition, proven to be compliant with official requests for taking

135

privacy is dead

down material and assisting in criminal investigations. This may prove to be an additional factor in their favour. Finally, the ubiquity of Gmail and Skype (in contrast to BlackBerrys marginality) may shield them against any stiff measures, as the government has on occasion altered its policy in the face of its inability to regulate popular technologies. This happened in the early part of the last decade when the DoT was forced to permit Voice over Internet Protocol (VOIP) calls between PCs in the face of the growing popularity of such software. So there is some hope yet that the government may revise its prescriptions on encryption technology, which would protect Gmail and Skype.
Prashant Iyengar 40(2): 132/136 DOI: 10.1177/0306422011411631 www.indexoncensorship.org

Prashant Iyengar is a practising lawyer based in Bangalore. He is a consultant at the Center for Internet and Society and lead researcher for Privacy India, an affiliate of Privacy International

136