Sunday, July 15, 2007

Security, Privacy and Indian Government

A couple of months ago I read the novel Digital Fortress by Dan Brown, the celebrated author of Da Vinci Code. The novel is about a system built by the National Security Agency (NSA), the top security agency of the US government, how they gather intelligence in the internet world, and the effort and resources the NSA puts into doing all this. They built a system so powerful that it was able to monitor all the packets going from one device to another on the internet in the USA and use data mining tools that can lead to cops arriving at your home if you have sent a mail to a friend of yours which might be a joke that says "Let's kill George W. Bush on next Thursday". The processing power and tools required to do this kind of stuff are unimaginable to a normal citizen. But then the government has access to the largest funds in the country and it can source talent.

I was wondering if they really do something like this. If yes, are other governments doing this as well?

The answer to this is a big Yes. A few days ago I happened to attend a conference in Mumbai organized by Indian Banking Association on banking security. I listened to a good set of speakers on various topics. One of the speakers was from the Indian government's Ministry of Home Affairs, Directorate of Forensic Science. He talked about the usual things in forensics, some steganography, and then about the real thrilling and chilling stuff.

Here's the story:

The Indian Government has the infrastructure that actually collects all the data from all the 8 ISPs in the state of Andhra Pradesh (maybe other ISPs in all other states as well) in real time and sends it to them. They have the capability of mining the data and taking decisions on the basis of that. So if you thought that you are at your office or home, sending mail to your business partner or girlfriend in total privacy, with sufficient measures at your end like updated antivirus, updated anti-spyware, a well-configured firewall and very good security practices, then you could not be more wrong. Of course you knew that ISPs have all the data and law enforcement agencies could make use of that data any day, but there is a difference between getting that data on demand, on a need basis, and getting it in real time. What would happen if there is no restriction on access to this data? Won't it be abused? One of my favorite lines to describe the situation is "Who will watch the watchers?".

When asked about the use of tools like Tor to circumvent this kind of stuff, he did not really respond. NSA also does this kind of stuff and uses software like carnival and magic yantra for the purpose.