FrontLine

‘Spycraft becoming statecraft’

Interview with Srinivas Kodali, researcher and hacktivist with the Free Software Movement of India.

- BY SUHRID SANKAR CHATTOPADH­YAY

The recent allegation­s by Peiter Zatko, a former Twitter Inc executive, that the Indian government had “forced” Twitter to hire government agents and allow them access to the company’s user data, have once again brought to the fore the issue of cyber surveillan­ce by the state on its citizens.

In an exclusive interview with Frontline, Srinivas Kodali, researcher and hacktivist with the Free Software Movement of India, spoke on cyber surveillan­ce and its fallouts. Kodali’s research work focusses on digitisati­on in India, looking at digital infrastruc­tures, cybersecur­ity, surveillan­ce and privacy. He is associated with various internet communitie­s and digital rights movements in India. As part of these communitie­s, he has been advocating digital rights, privacy, and accountabi­lity of digital systems.

“What we are witnessing now is the idea of spycraft becoming part of statecraft, where the nation state uses it against its own citizens .... It uses the issue of nationalis­m and national security to do things which are actually illegal and unconstitu­tional,” he said. Excerpts:

The allegation­s by Peiter Zatko, former Twitter Inc employee, have once again brought to the fore the issue of cyber surveillan­ce by the state on its citizens. We have earlier heard allegation­s of using tools to break Whatsapp encryption­s; of trying to use Aadhaar for voter profiling; the Pegasus phone hacking controvers­y; and now this. What do you think is really happening here and who is the state’s target?

A kind of spycraft has always existed among nation states to spy on enemies, by that we mean other nation states and their actors. What we are witnessing now is the idea of spycraft becoming part of statecraft, where the nation state uses it against its own citizens.

It is not just being used against certain targeted individual­s, as in the Pegasus case, but is being extended to everyone in the population; where everyone is a suspected mole, spy, terrorist or a criminal.

The state wants a profile of everyone and this is becoming part of its regular day-to-day governance; hence my observatio­n that spycraft is becoming statecraft.

Does the government really need to do this?

In the 1970s, we saw the Watergate scandal in the US, which brought down the Nixon administra­tion and forced the U.S. Congress to create the Senate Intelligen­ce Committee, ensuring that their spy agencies did not use their systems on U.S. citizens.

This changed after 9/11. If we look at what is happening in India, the Pegasus moment was like what happened in the Watergate scandal; but, unfortunat­ely, we are unable to regulate our surveillan­ce agencies. In the U.S., it was not just Congress that was trying to regulate the agencies, but U.S. citizens too protested actively against the Nixon administra­tion; and the U.S. media followed up on the scandal and revealed details. A lot of factors led to accountabi­lity in the U.S. We are not seeing that happen in India.

With regards to the complaint on how India was able to plant a spy inside Twitter in the midst of the NRC [National Register of Citizens] protests: Anyone who understand­s Twitter and geopolitic­s would be familiar with how Twitter played a major role during the Arab Spring.

Surveillan­ce is not being used against certain targeted individual­s, as in Pegasus, but is being extended to everyone; where everyone is a suspected mole, spy, terrorist or a criminal.

Around 2010-11, Twitter created this uprising across West Asia where people were rising up against dictators. They were using Twitter to organise these angry, leaderless protests. They were trying to overthrow regimes. The U.S. government made Twitter accessible to these people even as their respective government­s tried to block it. In fact, Obama is believed to have requested the then CEO, Jack Dorsey, to ensure that Twitter was available to people in West Asia.

Now, if you compare this with the NRC protests, they too were leaderless protests. There were a lot of people coming out in the streets expressing solidarity. We saw Muslim women coming out in protest. The government was a bit clueless about understand­ing what was happening, how these people were coming together, and what was happening behind the scenes.

With the rise of encrypted systems like Whatsapp, Signal and other platforms, it was becoming difficult for the government to understand on-the-ground politics. If it was happening through phones, the government could have tapped and understood who the leaders were.

In such a decentrali­sed protest, it is important for the government to identify those leading it. In this case, a significan­t number of people were protesting on Twitter, and the government needed to know who they were by being inside Twitter. So they forced Twitter to give them access.

They may not have understood the entire picture, but they definitely had a sense of who the key actors were. I was on Twitter during the NRC protests, explaining the role of Aadhaar, the role of NRC, why we were doing the CAA [Citizenshi­p (Amendment) Act]. People who did not know each other were communicat­ing with each other. The government needed to get inside Twitter to access direct messages that were not available to them unless they were inside Twitter.

There was also the role of foreign actors. You don’t know whether there were organisati­ons from

Pakistan fuelling this. I am not alleging they were, but am looking at it from a nation state’s point of view. This was not limited to Twitter. One can say it was done across platforms.

It has been reported recently that people are being coerced to link their Aadhaar card to their voter ID, even though it is supposed to be voluntary. How far can Aadhaar linkages facilitate unwanted cyber surveillan­ce?

Let us consider the role of Aadhaar now. It is the foundation for Digital India. Now, if you look at foundation­s of the Internet, they were always based on anonymity, not identity. In India we are pushing for identity, which takes away privacy.

Anonymity in the Internet was put in place by design. That is not happening with Digital India. There is a reason for this. It came after the Mumbai attacks, when India decided to push Aadhaar in 2009. The National Population Register and Aadhaar came up simultaneo­usly— one from an economic angle, and the

other from a political, national security angle.

See to what end the entire Aadhaar setup expands: It started with subsidies, then expanded to payments, to health, data, and now voter ID. Where does this setup end?

If you look at the reports of consultati­ons the Indian government is doing to amend the Registrati­on of Births and Deaths Act, you will see that the end goal is to essentiall­y track every individual from her birth until her death. They are calling it Predictive Governance, where the government will proactivel­y give you everything you need before you ask for it; for example, upon turning 18, you will automatica­lly receive a voter ID from the government.

By linking everything with Aadhaar, it claims it can do better governance. But this will lead to a totalitari­an society because the government knows every individual’s profile, and dissent against the government will become very difficult.

Anything linked to Aadhaar eventually ends up with the Ministry of Home Affairs, and the policing and surveillan­ce agencies. They carried out the Samagra Kutumba Survey (Integrated Household Survey) in 2014, in which they went door-todoor collecting all the informatio­n of everybody in Telangana and all the data were shared with the police.

Data-driven governance has also created a lot of problems for people due to errors. We saw in the NERPA (National Electoral Roll Purificati­on and Authentica­tion) programme, a lot of names were left out of the rolls. A certain political party in the 2019 election wanted to use it for voter profiling.

In the Puttaswamy vs Union of India (2017) judgment, the Supreme Court made it clear that fundamenta­l rights of citizens cannot be taken away citing national security, and in the same case the right to privacy was declared a fundamenta­l right. Yet, allegation­s of violation of the right to privacy through cyber surveillan­ce abound. How should this be dealt with?

It is people who make the nation.

Protecting the nation without protecting the people is meaningles­s. A lot of us perceive the right to privacy more as a collective right than an individual one.

We cannot waive away a fundamenta­l right. The government is essentiall­y saying that rights can be waived for national security; the idea of national security is being introduced in everything. Where does it stop? It is cited to deny basic public informatio­n through RTI. It is used by every bureaucrat to deny informatio­n which could basically expose corruption.

But nowhere has national security been defined. I believe at some level this was demanded of the court that the boundaries of national security be defined. In the Pegasus case, the interim order by Justice N.V. Ramana says national security is not defined, and hence cannot be used for pretty much everything.

Much as we need boundaries in national security, I don’t foresee that happening until there is a change of government. Right now, we have a government which is very nationalis­tic, or rather, uses a mirage of nationalis­m to do things which are actually illegal and unconstitu­tional.

People need to understand that institutio­ns like the Supreme Court and the executive act at people’s will. There is a reason why courts are unable to enforce the fundamenta­l right to privacy even though they recognise it as one: there is not enough support for it, and there is a lot of support for national security.

This fight between privacy and national security will continue until people realise that national security can be misused. In the case of the Watergate scandal, there was a public outcry; but with Pegasus that did not happen in India. Until that happens, things will remain the same.

What are the other ways the government can carry out cyber surveillan­ce against the people? After the Mumbai attacks of 2008, the Government of India built a lot of infrastruc­ture. They wanted to address intelligen­ce failures. The idea of NATGRID (National Intelligen­ce

Grid) was to link 22 different databases and create a large database of all Indian citizens. Now, at least 80 different government databases are linked through Aadhaar.

We have the Central Monitoring System (CMS), which is about intercepti­on of telephonic conversati­ons. Certain keywords would be picked up and the call would be recorded for further processing.

We started digitising policing and set up the Crime and Criminal Tracking Network & Systems (CCTNS). Pretty much everything you do online, the government can have access to it.

Is there any way a person can guard herself against such a widespread possibilit­y of invasion of privacy? The most you can guard is your phone call and messages through certain encrypted apps. Anything and everything you do is forcefully tracked because private organisati­ons are by law required to share this informatio­n with the security establishm­ent.

How necessary is a proper data protection law for India?

Call me a cynic, but I don’t believe that a privacy law alone can help; technology can help. The real issue is enforcemen­t. It has been five years since the Indian courts recognised that the right to privacy is a fundamenta­l right. But we have not seen any large-scale enforcemen­t of the right.

For any data protection law, the government will continue to ensure that exceptions for national security remain. What they promise is protection from things like online fraud and commercial exploitati­on. But it is not guaranteei­ng that the government’s agents will stop harming you.

So, at a fundamenta­l level, Indians need to question the state and its powers. Until people fight back for their rights, the situation will not change. We need social change on the ground. I don’t think court orders can ultimately fix things. As long as people keep accepting it as a good thing, things will continue to be the same. m

 ?? BY SPECIAL ARRANGEMEN­T ??
BY SPECIAL ARRANGEMEN­T

Newspapers in English

Newspapers from India