Digital forensic engineer and consultant Prashant Pandey approached the SC last year for a CBI inquiry into the rampant use of illegal software to tap phone conversations and obtain call data records (CDRs). The software, his petition claimed, was available to anyone who could pay, and he alleged that government agencies had acquired the software for Rs 5 lakh-Rs 50 lakh paid monthly to a US firm. He spoke to Uttam Sengupta. Excerpts:
Has there been any movement on your petition to the Supreme Court?
In the court, no. We are still awaiting the first hearing. But Military Intelligence got in touch with me. Initially they wanted me to drop them as a party, but after I explained the case and demonstrated what was happening, they agreed with me that it was a serious issue concerning national security and not just privacy of individuals.
Has there been any response from the Government or other agencies?
In its response, the Madhya Pradesh Government admitted that it had bought and used the software known as CRA-I and CRA-II sold by the US-based company. The day I filed the petition, the court had acquired an assessment by an independent lab of the said company’s website which showed the software as the company’s products. After they were served notice by the court, they took down mention of the software from their website.
Last year you claimed to have demonstrated the operation of the illegal software to Supreme Court judges...
Yes, I demonstrated the operation to the judges and also to officers from Military Intelligence (MI) who had got in touch with me.
When did you first become aware of the illegal software?
I first learnt about this software around 2011-12. It was while mining the data for the police, ATS and other agencies that I finally joined the dots and learnt the software’s full potential, functions, source codes, location, data server, clients/user records, IP address, MAC address, ISPs, domain owners etc. I also noticed various international IP addresses from various locations on the globe.
You claimed that the software is also being used by bookies for illegal betting... how did you learn it?
I have seen this software in the laptops of bookies when I accessed them remotely while working for the police. It is a jackpot for them because their entire business is based on mobile phones and they are getting access to names, numbers, locations and the ability to intercept calls. I had complained to the cyber cell but the complaint was ignored. As per my information Rajasthan Police had also arrested a renowned bookie ‘Amit Soni/ Sanwer’ with a laptop having this software.
You claimed as many as 4,000 police personnel in Madhya Pradesh alone are using the software. How did you arrive at this figure?
In 2012-13 the number of registered users on the local server of the company selling the software was 4647, of which around 3970 were using government IP addresses/internet connections that mostly belonged to the M.P. Home Dept., i.e. the Police Dept. There could be a margin of 2-3% error in my calculation though.
A year after you filed your petition, in June 2016, we checked the website of the US-based company you mentioned in your petition and found that they had removed all reference to their products CRA-I and CRA-II…
Yes, they took it down after I filed the petition. But the apex court had assigned an independent lab to give it a report on the website and it had clearly mentioned that the software was listed on the company’s website at that time. Also, the Madhya Pradesh Government in its reply to the Supreme Court has admitted buying and using the software.
How are you so sure that among individuals placed under illegal surveillance have been judges, bureaucrats, journalists, industrialists and businessmen?
The software/server hosts the entire database of almost all the telecom service providers in the country, which includes all the names and figures you mentioned. A sample database/data has also been submitted by me to the Supreme Court. There’s no checkpoint written in its source code that I could see. Hence it seems almost impossible to identify and recognise the data collected by various users.
What happens if someone buys the software but defaults in making further payments?
Precisely what happens after the expiry date of your antivirus application: it refuses to update the definitions. Likewise the software will fail to connect the link between user and data if payments are not made every month.
How does information about the location of transmission towers help anyone and how can it be misused?
The entire database of all the cell IDs in the country along with all of its technical details, geographical co-ordinates, latitude-longitude, transmitter make and other configuration and identification details are hosted on servers. The information can be a goldmine for all kinds of activities, both commercial and subversive.
You mention the threat to national security. How can this software be a threat?
The software provides access to information on every mobile user in the country including scientists, military officials, ministers, law enforcement officers, researchers, suppliers and contractors, bureaucrats and experts among them. This may be of interest to foreign spying agencies.
Another aspect is the availability of the cell ID database of our country as a whole for all the companies. The cell ID database provides complete details of every base transmitting/receiving tower station along with detailed configurations and geographical locations. In times of national emergency like war, forces inimical to us can use the information to shut down or derail communication. This is why I made MI (Military Intelligence) also a party to the case.
If as you say this software is available so freely, what would have prevented foreign governments and agencies from making use of it?
Access requires dual steps. First through the approved IP Address, User Id & Password. Or access can be provided to foreign agencies by the company itself, one of the existing users etc. Money can open many doors.
How do you respond to charges that you have leaked data made available to you by investigating agencies for your personal gain?
I firmly deny leaking any data of investigating agencies. It requires two people for a leak, one who holds the data and another who received it. For this charge to hold, they will have to identify and book both. It can’t be an arbitrary exercise.
How are people blackmailed with the information? Haven’t you also been accused of blackmail?
The call records data of various suspects in many cases from 2009-10 which were being analysed by Madhya Pradesh Police through the said software were also saved on the said server which could be used by anyone with access to it. That is also a source of my information which I have never disclosed to anyone barring the court. If I wanted to blackmail anyone with said data, why would I submit them before the court?
A shorter, edited version of this appears in print