Look who wants to read your emails

The government's desire to access Blackberry emails draws concern over potential misuse and abuse of civil liberties, writes Amit Bhattacharya

The Times of India
Sunday, March 16, 2008

By Amit Bhattacharya

When Canadian company Research In Motion (RIM) launched BlackBerry in 1999, within no time the revolutionary mobile device that enabled users to browse the Net, read emails in realtime and send fax documents earned the nickname, CrackBerry, an allusion to its notoriously addictive features. There is wry irony, therefore, in the government's own "crackberry" operation to acquire the keys that would give it power to decode and access the millions of emails sent and received by BlackBerry subscribers.

Like all secure internet services, RIM uses an encryption code that scrambles the email messages sent out from a BlackBerry device and then unscrambles it again when the message reaches its target. Only, Blackberry uses a highly complex algorithm for the purpose -- a 256-bit advanced encryption standard (AES) process. Cyber experts say Indian intelligence agencies have decryption software that's at least two generations older. The Intelligence Bureau (IB) can, it is believed, decode messages with an encryption level of up to 40 bits though informed sources say it's in the process of acquiring a bit more advanced software. (According to cyber security experts, there's a rigid decryption technology hierarchy in the world: The US has the most advanced software, Europe gets tech that's one generation behind and countries like India have even older decoders.)

So, if intelligence agencies cannot crack BlackBerry's email code, they can still do one of two things -- get the government to force RIM to scale down its encryption code to 40 bits, or better still, ask for the "keys" that will unlock the code. These are the contours of the standoff between the government on one side, and RIM and the telecom operators who provide BlackBerry services on the other. Though the government's reported threat of blacking out the service in India has receded after a meeting last Friday between the parties concerned, the stakes were high as a ban would have hit more than 4 lakh BlackBerry users. RIM is still required to provide a solution that will enable security agencies to "access" its email traffic.

Inherent in the controversy was an issue that got little attention: Why should the government be seeking the right to snoop on all BlackBerry users? Says cyber law expert Pavan Duggal, "This issue, I feel, is the first chapter of a controversy that will have many ramifications. What's being sought here is blanket surveillance. The intelligence agencies would have access to all the emails going through all BlackBerries in the country. One understands the security concerns, and ISPs have been cooperating with the government on this, but such overarching powers go against people's constitutional rights and can be challenged in court as violation of Article 21 of the Constitution, which guarantees the right to life."

Duggal says section 69 of the IT Act, 2000, does give the government the power to intercept electronic information, but such sweeping surveillance is clearly stretching the law. "And, what impact will it have on e-commerce? People will be extremely concerned about sending business details through the Net."

In the 1990s, the Supreme Court lay down a detailed procedure for tapping of phones by the government in the PUCL vs GOI case. The judgment marked a clear line between actions that are legal and those that aren't. Experts feel the absence of a similar encryption law in the country is allowing the government space to move into fuzzy territory. The task of formulating this law has now been given to the National Technical Research Organisation, an apex body on cyber security issues. But stakeholders in the IT sector say other laws too need to be upgraded.

For instance, says Rajesh Chharia, president of the Internet Service Providers' Association of India, "the licencing norms for ISPs were created in 1998-99. Accordingly, licences issued to ISPs forbid encryption above 40 bits. Today, a 40-bit code can be cracked in no time. A browser like Internet Explorer 7 has a 128-bit code. So, any web provider using an encryption of over 40 bits has to provide the keys to the government."

This, of course, means that the government has the means to track transactions and correspondences in these websites -- an access it doesn't have in the BlackBerry platform since the ISPs providing these services were, for some reason, never asked to hand over the encoding key. So, is the Indian state turning Orwellian, intent on keeping a watchful on its flock in the breach of privacy norms?

"This is a huge exaggeration," says Maloy Krishna Dhar, former joint director, IB. "In practice, there never is any blanket search of cyber traffic. Intelligence agencies always conduct targeted searches. We have a list of suspected individuals and email IDs -- the numbers may run into thousands -- and the computer tracks activities of these persons. This itself is a huge task for a small organization like IB."

Dhar says certain compromises will have to be made because of the times. "It is a contradictory situation. We have high personal liberties and also a high level of security threat. BlackBerry, for instance, is a new tool in the hands of terrorists. To deal with that, there may be some curtailment in privacy."

Terror organizations are constantly changing their footprint and upgrading their technology, he says. "Today, if we have tracked, say, 555 webpages linked to the terror network, tomorrow they may all disappear and return modified. It's a nightmarish scenario for security agencies." Dhar admits that powers of surveillance can be misused. "That's a devil you have to live with. Unfortunately, the legal and political framework needed to check misuse of cyber-snooping by our politicians is lacking in the country," he adds.

That's a point many cyber experts are making. Can the intelligence agencies ensure fairplay? As Duggal puts it, "People may be willing to give up some of their civil liberties for dealing with the security threat to the country. But there should be a clear-cut policy framework and laws on what kind of invasion is lawful and what's not." Clearly, there's room for legislative action and transparency in cyberspace.