The recent allegations by Peiter Zatko, a former Twitter Inc executive, that the Indian government had “forced” Twitter to hire government agents and allow them access to the company’s user data, have once again brought to the fore the issue of cyber surveillance by the state on its citizens.
In an exclusive interview with Frontline, Srinivas Kodali, researcher and hacktivist with the Free Software Movement of India, spoke on cyber surveillance and its fallouts. Kodali’s research work focusses on digitisation in India, looking at digital infrastructures, cybersecurity, surveillance, and privacy. He is associated with various internet communities and digital rights movements in India. As part of these communities, he has been advocating digital rights, privacy, and accountability of digital systems.
“What we are witnessing now is the idea of spycraft becoming part of statecraft, where the nation state uses it against its own citizens... It uses the issue of nationalism and national security to do things which are actually illegal and unconstitutional,” he said. Excerpts:
The allegations by Peiter Zatko, former Twitter Inc employee, have once again brought to the fore the issue of cyber surveillance by the state on its citizens. We have earlier heard allegations of using tools to break WhatsApp encryptions; of trying to use Aadhaar for voter profiling; the Pegasus phone hacking controversy; and now this. What do you think is really happening here and who is the state’s target?
A kind of spycraft has always existed among nation states to spy on enemies, by that we mean other nation states and their actors. What we are witnessing now is the idea of spycraft becoming part of statecraft, where the nation state uses it against its own citizens.
It is not just being used against certain targeted individuals, as in the Pegasus case, but is being extended to everyone in the population; where everyone is a suspected mole, spy, terrorist or a criminal.
The state wants a profile of everyone and this is becoming part of its regular day-to-day governance; hence my observation that spycraft is becoming statecraft.
Does the government really need to do this?
In the 1970s, we saw the Watergate scandal in the US, which brought down the Nixon administration and forced the U.S. Congress to create the Senate Intelligence Committee, ensuring that their spy agencies did not use their systems on U.S. citizens.
This changed after 9/11. If we look at what is happening in India, the Pegasus moment was like what happened in the Watergate scandal; but, unfortunately, we are unable to regulate our surveillance agencies. In the U.S., it was not just Congress that was trying to regulate the agencies, but U.S. citizens too protested actively against the Nixon administration; and the U.S. media followed up on the scandal and revealed details. A lot of factors led to accountability in the U.S. We are not seeing that happen in India.
With regards to the complaint on how India was able to plant a spy inside Twitter in the midst of the NRC [National Register of Citizens] protests: Anyone who understands Twitter and geopolitics would be familiar with how Twitter played a major role during the Arab Spring. Around 2010-11, Twitter created this uprising across West Asia where people were rising up against dictators. They were using Twitter to organise these angry, leaderless protests. They were trying to overthrow regimes. The U.S. government made Twitter accessible to these people even as their respective governments tried to block it. In fact, Obama is believed to have requested the then CEO, Jack Dorsey, to ensure that Twitter was available to people in West Asia.
Now, if you compare this with the NRC protests, they too were leaderless protests. There were a lot of people coming out in the streets expressing solidarity. We saw Muslim women coming out in protest. The government was a bit clueless about understanding what was happening, how these people were coming together, and what was happening behind the scenes.
With the rise of encrypted systems like WhatsApp, Signal and other platforms, it was becoming difficult for the government to understand on-the-ground politics. If it was happening through phones, the government could have tapped and understood who the leaders were.
In such a decentralised protest, it is important for the government to identify those leading it. In this case, a significant number of people were protesting on Twitter, and the government needed to know who they were by being inside Twitter. So they forced Twitter to give them access.
They may not have understood the entire picture, but they definitely had a sense of who the key actors were. I was on Twitter during the NRC protests, explaining the role of Aadhaar, the role of NRC, why we were doing the CAA [Citizenship (Amendment) Act]. People who did not know each other were communicating with each other. The government needed to get inside Twitter to access direct messages that were not available to them unless they were inside Twitter.
There was also the role of foreign actors. You don’t know whether there were organisations from Pakistan fuelling this. I am not alleging they were, but am looking at it from a nation state’s point of view. This was not limited to Twitter. One can say it was done across platforms.
ALSO READ: Aadhaar fiasco
It has been reported recently that people are being coerced to link their Aadhaar card to their voter ID, even though it is supposed to be voluntary. How far can Aadhaar linkages facilitate unwanted cyber surveillance?
Let us consider the role of Aadhaar now. It is the foundation for Digital India. Now, if you look at foundations of the Internet, they were always based on anonymity, not identity. In India we are pushing for identity, which takes away privacy.
Anonymity in the Internet was put in place by design. That is not happening with Digital India. There is a reason for this. It came after the Mumbai attacks, when India decided to push Aadhaar in 2009. The National Population Register and Aadhaar came up simultaneously—one from an economic angle, and the other from a political, national security angle.
See to what end the entire Aadhaar setup expands: It started with subsidies, then expanded to payments, to health, data, and now voter ID. Where does this setup end?
If you look at the reports of consultations the Indian government is doing to amend the Registration of Births and Deaths Act, you will see that the end goal is to essentially track every individual from her birth until her death. They are calling it Predictive Governance, where the government will proactively give you everything you need before you ask for it; for example, upon turning 18, you will automatically receive a voter ID from the government.
By linking everything with Aadhaar, it claims it can do better governance. But this will lead to a totalitarian society because the government knows every individual’s profile, and dissent against the government will become very difficult.
Anything linked to Aadhaar eventually ends up with the Ministry of Home Affairs, and the policing and surveillance agencies. They carried out the Samagra Kutumba Survey (Integrated Household Survey) in 2014, in which they went door-to-door collecting all the information of everybody in Telangana and all the data were shared with the police.
Data-driven governance has also created a lot of problems for people due to errors. We saw in the NERPA (National Electoral Roll Purification and Authentication) programme, a lot of names were left out of the rolls. A certain political party in the 2019 election wanted to use it for voter profiling.
In Puttaswamy vs Union of India (2017), the Supreme Court made it clear that fundamental rights cannot be taken away citing national security, and in the same case the right to privacy was declared a fundamental right. Yet, allegations of violation of the right to privacy through cyber surveillance abound. How should this be dealt with?
It is people who make the nation. Protecting the nation without protecting the people is meaningless. A lot of us perceive the right to privacy more as a collective right than an individual one.
We cannot waive away a fundamental right. The government is essentially saying that rights can be waived for national security; the idea of national security is being introduced in everything. Where does it stop? It is cited to deny basic public information through RTI. It is used by every bureaucrat to deny information which could basically expose corruption.
But nowhere has national security been defined. I believe at some level this was demanded of the court that the boundaries of national security be defined. In the Pegasus case, the interim order by Justice N.V. Ramana says national security is not defined, and hence cannot be used for pretty much everything.
Much as we need boundaries in national security, I don’t foresee that happening until there is a change of government. Right now, we have a government which is very nationalistic, or rather, uses a mirage of nationalism to do things which are actually illegal and unconstitutional.
People need to understand that institutions like the Supreme Court and the executive act at people’s will. There is a reason why courts are unable to enforce the fundamental right to privacy even though they recognise it as one: there is not enough support for it, and there is a lot of support for national security.
This fight between privacy and national security will continue until people realise that national security can be misused. In the case of the Watergate scandal, there was a public outcry; but with Pegasus that did not happen in India. Until that happens, things will remain the same.
What are the other ways the government can carry out cyber surveillance against the people?
After the Mumbai attacks of 2008, the Government of India built a lot of infrastructure. They wanted to address intelligence failures. The idea of NATGRID (National Intelligence Grid) was to link 22 different databases and create a large database of all Indian citizens. Now, at least 80 different government databases are linked through Aadhaar.
We have the Central Monitoring System (CMS), which is about interception of telephonic conversations. Certain keywords would be picked up and the call would be recorded for further processing.
We started digitising policing and set up the Crime and Criminal Tracking Network & Systems (CCTNS). Pretty much everything you do online, the government can have access to it.
ALSO READ: Dystopias by design
Is there any way a person can guard herself against such a widespread possibility of invasion of privacy?
The most you can guard is your phone call and messages through certain encrypted apps. Anything and everything you do is forcefully tracked because private organisations are by law required to share this information with the security establishment.
How necessary is a proper data protection law for India?
Call me a cynic, but I don’t believe that a privacy law alone can help; technology can help. The real issue is enforcement. It has been five years since the Indian courts recognised that the right to privacy is a fundamental right. But we have not seen any large-scale enforcement of the right.
For any data protection law, the government will continue to ensure that exceptions for national security remain. What they promise is protection from things like online fraud and commercial exploitation. But it is not guaranteeing that the government’s agents will stop harming you.
So, at a fundamental level, Indians need to question the state and its powers. Until people fight back for their rights, the situation will not change. We need social change on the ground. I don’t think court orders can ultimately fix things. As long as people keep accepting it as a good thing, things will continue to be the same.
COMMents
SHARE