The issue of legal interception of services like BlackBerry, Nokia emails, Skype and Gmail has to be seen in larger perspective. There are two school of thoughts here. The first is the American thought which places national security above privacy while the second, that of the EU, places higher importance on privacy. Technology and cryptology have to be seen in this broad perspective where, for instance, the US has a very advanced level of cryptology. In India, the basic issue is: If I need something related to security, should I get access to it or not? To me, the answer is that it is the service providers? job to give whatever is required. The government is not interested in what encryption technology is employed by the service providers in the process.
Specific to BlackBerry, the government?s demand for interception isn?t as big as it has been made out to be. Of more than 800 million mobile phones, we want the interception of only around 10,000 numbers. When we demanded the interception key for BlackBerry messenger services from RIM, they first said they don?t have any such key. When we exerted pressure, they gave us a solution. Today the said messages can be intercepted by us with a time lag of two hours; they assure us that this would be on a real time basis by January 2012. For BlackBerry enterprise service, RIM again says there?s no key available with it, the security agencies need to go to the enterprises where the servers are located, ask them for keys for interception. Practically speaking, what they are saying isn?t correct. RIM provides the solution only when apt pressure is applied on it.
In the US, under pressure from the security agencies since President Obama uses a BlackBerry, they have given access to their servers. In fact, the agencies in the US have put their own 240-bit encryption on the BlackBerry server covering Obama and 14 key people in his administration. In China, all BlackBerry handsets shipped in have been inserted with a software by the government, which ensures that all communication on the devices also goes to the government. In India, they say that they cannot provide us with a solution and we need to go directly to the enterprises. There are 900 business enterprises in the country and we are not interested in going to them for this. It is not our job and we do not want to get into it. I don?t deny that security agencies need to build better decryption capacities but that will take time and in the interim, it does not absolve RIM of its responsibility to provide a solution. Here, I would like to point out that Nokia has set up their server in India and the legal glitches are being sorted out. Further, there?s a wrong perception that any ban on BlackBerry enterprise services would halt e-commerce, BPO and banking services in India. We treat the two categories separately.
The demand that BlackBerry provides a solution is genuine. If they have not done so till date and we have not banned them, it is because so far we do not have any suspicion with regards to anybody who?s using the services. If tomorrow a suspicion arises, there?s no option but to ban them and any other service that falls in the same league and does not provide interception facilities as demanded by us.
The author recently retired as Union home secretary
(As told to Anandita Singh Mankotia)
Few countries control citizens? access to popular telecom services and applications, which India wishes to block. However, it would be naive to say that this is obviously wrong. Security agencies must be judged by their effectiveness, not the company they keep.
It is unfair to compare India?s security agencies with their international counterparts. Few countries face the kind of challenges that India?s security agencies face. Unlike in any of the countries with whom we compare this matter, virtually all of India?s borders have seen subversive activities. Whatever their causes, internal tensions related to economics, religion, community and caste are pervasive. So India?s security agencies must address a level of threat that few of their overseas peers face. India arguably needs extraordinary measures to address its unique security concerns.
But this cannot justify arbitrary measures, especially if there is a cost associated with them. Stopping BlackBerry messaging is a case in point. The product has wide appeal amongst business users and now, interestingly, among teenagers who find it particularly convenient and cheap for email and messaging, especially amongst closed user groups. The Indian government wants BlackBerry to share keys that will allow it to ?read? BlackBerry?s encrypted messages. However, BlackBerry says it possesses no keys to share since it is the users who create and use such keys.
A ?solution? could be for BlackBerry to stop offering the specific service altogether. The government can argue, with justification, that its security agenda must take precedence over commercial consequences to BlackBerry even if the concerned feature is one that gives it a unique advantage over its competitors. But such action makes little sense. There are several other cheaper options today to send encrypted messages. Almost any smartphone user?India has several million such phones that are even cheaper than BlackBerries?can download free software that allows one to do just that. Android?s Pretty Good Privacy (PGP) is an example.
Also easily available are more sophisticated and robust techniques like using steganography, which encrypts messages within graphics, movies, songs etc. These are even more difficult to decrypt.
Security agencies reportedly also have concerns about services like push email. Push email delivers email on a device as it arrives, without the user explicitly downloading it. They also object to Skype and similar applications that offer virtually free local and international calls. Both are widely used. The latter would hurt budget conscious individuals and businesses but it will be impossible to monitor the several substitutes.
India?s security needs are real and deserve priority. India is entitled to stop any service or technology if it compromises its security. However, controls that hurt legitimate users while leaving gaping holes that crooks and terrorists can exploit make little sense. Actions of India?s security establishment often fail to stand up to scrutiny. Have they identified the real problems and addressed them effectively? That is the issue, not their decisions per se. All democracies need effective mechanisms that can validate the quality of expertise and work in security agencies. We do too.
The author is a telecom consultant mahesh.uppal@gmail.com