The Centralised Monitoring System (CMS) is an ambitious surveillance system that monitors text messages, social-media engagement and phone calls on landlines and cell phones, among other communications. It has been set up by the Centre for Development of Telematics (C-DOT) and is operated by the Telecom Enforcement Resource and Monitoring (TERM) cells under the Department of Telecommunications (DoT). Like the NATGRID, the CMS has also been developed by the government to strengthen the security structure of the country.
Post the 26/11 terrorist attacks in Mumbai, a need was felt for greater coordination between law enforcement and security agencies. CMS is one of the multiple projects that the government initiated in 2009 in order to fill the gaps in India’s internal security structure. The project was approved by the Cabinet Committee on Security (CCS) on 16th June 2011 and the pilot project was completed by 30th September 2011.
The estimated budget for the project was 400 crore INR however the actual cost of the project is said to be higher.
The project, which was first envisaged in 2009, was delayed multiple times and finally operationalised in 2013 however the implementation is being done in phases.
What is CMS?
CMS aims to automate the process of lawful interception & monitoring of telecommunications. Before CMS, law enforcement agencies had to approach individual telecom service providers (TSP) for interception of communications of targets such as suspected terrorists or criminals. However, CMS aims to remove or bypass the middle man, i.e., TSPs, and allow the law enforcement agency to monitor the target through a central system.
In order to bypass the TSPs, the CMS was provided unfettered access to the existing Lawful Interception Systems (LIS). LIS was a frequently used uniform platform for law enforcement agencies to track and gather cell and internet records. All service providers in the country were required to have LIS installed in their premises. Interception through LIS happened by interception requests which were made by law enforcement agencies to the Nodal Officers of the TSPs. However, under the CMS, the TSPs were made to integrate the LIS with Interception Store & Forward (ISF) servers. These servers are connected to the Regional Monitoring Centres (RMC) of CMS allowing them direct access to all intercepted data of the TSPs. These RMCs can be accessed directly by any participating law enforcement agency through the CMS, surpassing the need to contact TSPs and essentially automating the entire process. Whereas before the government had to request that user information be monitored and turned over to the authorities, under CMS the Indian government can “tap into communications at will without telling the service providers.”
On August 7, 2013, in response to a parliamentary question, the Minister of State in the Ministry of Communications and Information Technology Milind Deora stated that the envisaged salient features of CMS are as follows:
- Direct Electronic Provisioning of target number by a Government agency without any manual intervention from Telecom Service Providers (TSPs) on a secured network, thus enhancing the secrecy level and quick provisioning of target.
- Central and regional database which will help Central and State level Law Enforcement Agencies in Interception and Monitoring.
- Analysis of Call Data Records (CDR) to help in establishing linkage between anti-social /anti-national elements.
- Research and Development (R&D) in related fields for continuous up-gradation of the CMS.
The participating law enforcement agencies of the CMS are:
- Intelligence Bureau (IB)
- Central Bureau of Investigation (CBI)
- Directorate of Revenue Intelligence (DRI)
- Research & Analysis Wing (RAW)
- National Investigation Agency (NIA)
- Narcotics Control Bureau (NCB)
- Enforcement Directorate (ED)
- Central Board of Direct Taxes (CBDT)
- Directorate of Signal Intelligence
- Commissioner of Police, Delhi
What are the privacy concerns surrounding CMS?
Interception through CMS will thus be done by these agencies directly without any need to approach individual service providers.
On August 7, 2013, in response to a parliamentary question the Minister of State in the Ministry of Communications and Information Technology Milind Deora stated:
“To take care of the privacy of citizens, lawful interception and monitoring is governed by the section 5(2) of Indian Telegraph Act, 1885 read with rule 419A of Indian Telegraph (Amendment) Rules, 2007 wherein oversight mechanism exists in form of review committee under chairmanship of the Cabinet Secretary at Central Government level and Chief Secretary of the State at the State Government level. The same mechanism is applicable for the interception under the CMS Project also. Additionally, there is an inbuilt mechanism of check and balance as Security Agencies/Law Enforcement Agencies cannot provision the target and the provisioning agency cannot see the content.”
In the absence of a data protection law in India and without any intermediaries in place, the process through which interception would be done under the CMS lacks transparency. This means that the general public will not know if and when a person’s data has been intercepted. It would also be difficult to ascertain whether there was a valid reason for this interception. A practice of mass surveillance could be adopted wherein large groups of people have their data intercepted without a valid reason. Since these interception authorisations will be done by the government agencies internally, there will be no way of knowing about them and whether they were done for a valid reason, let alone questioning or challenging them.
The prevailing legal regime regarding privacy can thus be reduced to the decision of the Hon’ble Supreme Court in Justice K.S. Puttaswamy vs Union of India (2017 10 SCC 1) which states that any justifiable intrusion by the State into people’s right to privacy, which is protected under Article 21 of the Constitution, must conform to certain thresholds which include legality, necessity, proportionality and procedural safeguards.
The threshold of legality requires that the intrusion must take place a defined regime of law i.e. there must be an anchoring legislation, with a clear set of provisions. The CMS does not have any anchoring legislation and thus fails to meet this threshold.
The threshold of procedural safeguards requires that there is an appropriate independent institutional mechanism, with in-built procedural safeguards aligned with standards of procedure established by law which are just, fair and reasonable to prevent abuse. As stated above, the CMS has an in-built mechanism of check and balances. While we can appreciate the spirit of this measure, it is not sufficient to quell any privacy concerns as there is no independent oversight. Independent oversight is necessary to ensure that invalid interception requests are not authorised by law enforcement agencies.
Surveillance laws in India and a need for reform
The Indian Telegraph Act, 1885, deals with interception of calls under Section 5(2), and the Information Technology (IT) Act, 2000, deals with interception of data under Section 69. Under both laws, only the government, under certain circumstances, is permitted to conduct surveillance. Security of the state is a common reason under both the provisions pursuant to which the government can issue orders for surveillance. However, it was felt that these provisions lack procedural safeguards which would ensure that they are used by the government in a justified manner. Thus, the government enacted specific rules [ rule 419A of Indian Telegraph (Amendment) Rules, 2007 and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009] under which orders for interceptions of communication can only be issued by the Secretary in the Ministry of Home Affairs and orders for the interception, monitoring or decryption of any information generated, transmitted, received or stored in any computer resource can only be issued by the Union Home Secretary or State Secretaries in charge of the Home Departments. However, as can be seen above the Government has now authorised upto ten agencies for purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the IT act.
The present surveillance architecture in India is thus too weak and can be seen to be prone to mass surveillance. Hopes were set on the upcoming Personal Data Protection Bill to provide some level of protection however as the draft stands currently, Clause 35 of the Bill empowers the Central Government to exempt by an order, ‘any agency’ of the government from all or any provisions of the data protection law if it is in the interest of the sovereignty and integrity of India, the security of the state, friendly relations, public order and to prevent incitement to the commission of an offence.
It is our view that these existing exemptions are too vague and broad and must be narrowly tailored. A complete chapter on surveillance reform needs to be inserted in the present PDP Bill. Government agencies responsible for carrying out surveillance and interception as part of their law enforcement functions must be clearly identified, notified, and bound by the provisions of the Bill. In addition to a stronger data protection law, India also needs a separate legislation to regulate surveillance by the government to ensure that state sponsored mass surveillance does not become a reality in India.
Who will ‘watch the watchmen’?
This look into CMS is the second part of IFF’s new series called Watch the Watchmen. Through this series we aim to look into and analyse the looming surveillance technology threats in India.