Phone tapping case against ex-top cop raises questions of mass surveillance
A criminal case registered against former Mumbai Police Commissioner Sanjay Pandey by the CBI for allegedly tapping phones of employees of the National Stock Exchange (NSE), has once again thrown up issues of threat to individual privacy and lack of sufficient checks and balances on mass surveillance.
The case pertains to the interim period between Pandey’s resignation from the IPS and his subsequent return to the police force a decade later. In this time Pandey worked as a consultant to the National Stock Exchange (NSE) and allegedly kept scores of NSE employees under surveillance in connivance with the then NSE chief, Chitra Ramakrishna, on the grounds of ascertaining the NSE’s cyber vulnerabilities. Pandey’s firm iSec Security Pvt Ltd was hired by the NSE between 2009 and 2017 to keep a watch on brokers following suspicion that some employees were indulging in insider trading.
Pandey resigned from IPS in 2000, but returned to the service in 2011 after a long legal battle. After his return to IPS, his family members continued to operate iSec Security and were servicing the NSE until 2017. One of the things that is baffling is how Pandey, in his then capacity as a private individual, could access surveillance equipment and snoop on NSE employees as is alleged. Until the time CBI clarifies how the surveillance inside NSE was taking place, it is fair to deduce that either the mobile phones of NSE employees were tapped, or their office landlines or PBX extensions were under watch.
Since the advent of mobile telephony, security and intelligence agencies have been tapping mobile phones to derive information. When mobile telephony arrived in India in the late 90s, cloning of handsets was an easy way to tap someone’s mobile phone. Using the identity data of the mobile phone of the targetted individual, agencies would clone the phone and ask service providers to divert all calls arriving at or originating from the subject’s mobile phone to the clone. Eventually this system became a great irritant to service providers as there was no legal sanction to this process and different agencies would often compete for information and harangue service providers to share information with multiple agencies.
Improved mobile telephony made cloning redundant. From time to time the judiciary too came down heavily on rampant surveillance of private individuals, compelling the government to work out better checks and balance. Security providers too started dragging their feet when agencies made interception requests bypassing procedures. As per the Indian Telegraph Act, 11 institutions are eligible to tap phones as per a detailed procedure that has been chalked out. These agencies are: Intelligence Bureau, Research and Analysis Wing (RAW), CBI, National Technical Research Organisation (NTRO), Enforcement Directorate (ED), Narcotics Control Bureau (NCB), Central Board of Direct Taxes (CBDT), Directorate of Revenue Intelligence (DRI), National Investigation Agency (NIA), Directorate of Signal Intelligence and State Police.
While the central agencies have their own defined supervisorial structure to sanction tapping, in the states, a committee headed by the Home Secretary and comprising of members of Police and Revenue department, evaluate and sanction it. Service providers also seek advance sanction from this committee before acceding to requests for tapping. It is therefore intriguing how Sanjay Pandey, then heading iSec Security Pvt Ltd, and therefore a private person, accessed the surveillance machinery. Was it that Pandey’s firm took the help of the state police machinery?
Could it be that certain junior officers obliged their former boss? Even if one presumes this was the case, was this surveillance request vetted by anyone in the Maharashtra police, or was the procedure bypassed here too? In its FIR against Pandey and others, the CBI has alleged that NSE authorities hired Pandey’s firm on the grounds of periodic study of cyber vulnerabilities, and under this pretext, NSE authorities authorised Pandey’s firm to intercept telephones of NSE employees without taking permission of competent authority as per the Indian Telegraph Act.
The CBI has alleged that Pandey’s firm would provide transcripts of the interceptions to NSE authorities and in turn the firms received a one-time fee of Rs 4.5 crore. It is worth mentioning that the CBI alleges that Pandey’s firm intercepted PRI lines (or standard telephone lines) and not the intercom connections.
The former needs prior approval under the Indian Telegraph Act. The CBI version gives credence to the second possibility of junior officers enabling this operation. The NSE has a big infrastructure in Mumbai that houses hundreds of its employees. The NSE also has its own landline trunking equipment, which interconnects telephone lines of employees and the voice calls originating from these employees or terminating at them.
Such trunking equipment, or PBX as it is called in common parlance, is housed within the NSE premises, and tapping it by procuring relevant hardware and software is not an arduous task. The CBI has claimed that Pandey’s company used the web based server called the Red Server to carry out surveillance which in turn leads to questions like how PRI lines were allowed to be intercepted, who helped to procure the surveillance equipment, how the hardware manufacturer sold it to a private person and why the NSE bosses authorised it?
Is the present FIR against Pandey and NSE similar to the FIR registered by Maharashtra Police against former State Intelligence Chief, Rashmi Shukla for illegal interception? The answer is no.
Shukla, being the state’s intelligence chief, was entitled to order interceptions and had taken prior approval for the interceptions from the State’s empowered committee. The charge against her is that she fudged names of targets in the proposals to hide the fact that she was intercepting Opposition leaders which needs its own investigation.
In the present case, Sanjay Pandey was neither entitled, nor authorised to conduct interceptions. Another question that emerges following the CBI’s FIR is that if Pandey’s firm was maintaining surveillance on NSE employees, as alleged by CBI, did any crucial insider information get breached in the process?