Sunday, Aug 14, 2022

Pegasus: Cyber Hygiene And Vaccination

On paper, we have a very well-established procedure through which lawful interception of electronic communication can be carried out for national security and in response to any public emergency.

We are a nation of copious legalese: lengthy laws, complex by-laws and intricate rules which are then to be read with these laws and by-laws. If you have a disciplined legal mind to follow all this back and forth and the intellectual fortitude to make some sense out of it, there are then the courts with their elaborate love for procedures of filing, issuance of notices, and adjournments to suit the convenience of counsel. If you still have the stamina left to persevere in seeking justice, you will find that the legal route generally favours the one whose interest is to deny, delay and obstruct. With that general caveat, no points for guessing what fate will meet the Pegasus controversy. Come next week, we will be talking about something else.

On paper, we have a very well-established procedure through which lawful interception of electronic communication can be carried out for national security and in response to any public emergency. Agencies of both the Centre and the State are authorised to do so. The protocol requires that requests for these lawful interceptions of electronic communication are made as per the relevant rules under the provisions of section 5(2) of the Indian Telegraph Act, 1885 and section 69 of the Information Technology (Amendment) Act, 2000. Then, in keeping with the script of the times, the Personal Data Protection Bill, 2019 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 were also passed, purportedly to protect your data and to empower you against the miscarriage which can be handed out to you by someone else's perverse use of social media platforms.

Now the Standard Operating Procedure (SOP) mandates that each case of interception, monitoring, and decryption is approved by the competent authority, i.e., the Union Home Secretary. These powers are also available to the competent authority in the state governments as per the IT (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009, which means the same job is to be done by the Home Secretary of the State. 16 designated agencies are authorised to collect the data. The system of checks is then to be monitored on a monthly basis by the Chief Secretary in the State and the Cabinet Secretary at the Centre.

Now does it mean that the IB, RAW, DRI or State Police chiefs are lining up outside the respective Home Secretary’s office seeking permission to put X or Y under surveillance? The reality is that, as a compliance measure or more as a smokescreen, the so-called permissions are routinely taken and given only in the obvious and non-controversial cases (a suspected J&K terrorist, an ISI mole, a proclaimed economic offender, etc.), just to create some files to show that yes, the Acts are being complied with. As for the rest, in cases of an inconvenient journalist, a suspected party member, or a recalcitrant opposition leader, nothing is ever sought or given.

Technology does not kowtow to bureaucracy. In the ever-upgrading world of hacking, remote automated tools are swift and can generally be deployed with a click. In the real world, in the control rooms in the basements of intelligence agencies where millions of chatters are being monitored routinely, most of the time it is the “Daroga in-charge” who takes the call as to who goes under the scanner. If he stumbles into something interesting or incriminating from a non-suspect, it is kudos to him from the higher-ups. If it is the usual boring chatter of work and domesticity, the surveillance is quietly dropped.

Now, active law enforcement can ill afford the bureaucratic niceties of making an application, waiting for the Home Secretary to apply his mind (as they say in Government) and then convey it on the file, which is then communicated by a junior officer in a formal letter to the concerned agency. By that time a few bombs would have gone off. In the world of intelligence, “On-line, on-time”, prior and actionable intelligence is the only name of the game. The rest is fluff. The compulsions of this game are antithetical to the very principles of oversight and privacy. It is as true for totalitarian China as it is for the USA or India. The written ode to privacy, human rights, and freedom may of course be loftier in pronouncements in India than in China. But the substance of surveillance in practice generically remains the same.

With our exaggerated sense of self-importance, it may not do wonders for our ego, but the hard fact remains that compared to real disruptions, we the hacks, ex-civil servants, and activists of different hues are at best side players in this grand drama. No matter our forceful protestations, we are only on the list to join a few minor dots in a larger play called Statecraft. So, with the governments being what they are, we would do well to be more proactive in protecting the turf on our own than to be rendered whimpering men of letters.

Our behaviour and response set raises a few pertinent questions. You have to pass a driving test to drive a car. The logic is to ensure that an untrained driver does not hurt or kill someone on the road. Even when you buy a gadget for the home, say a washing machine, you go through its installation and safety manual (at least the pictographic leaflet, if not the whole booklet). It is strange in that context that while we spend most waking hours in front of our mobile phones and computers, we rush to use them with scant thought or effort towards using them with caution, safety, and knowledge. The good news, however, is that there are sufficient tools at our disposal to protect our privacy, which we profess to be sacrosanct but seem rather lax in doing anything about. Every day, we hear from cyber experts the commandments of routine security precautions to be followed: use unique passwords, keep changing them, go in for 2-factor authentication, install a good anti-spyware, regularly update the operating system and the anti-spyware to install the latest patches, and so on. But how many of us follow them with the discipline which our security and privacy deserve?

How many of us have taken a small self-learning module on cybersecurity at an individual level? There are free, interesting, and gamified self-learning modules available for each age group on your phone and, ironically, many of them have been built by very creative start-ups in India. But as a culture, we are loath to spend even a few minutes each day, say for a month, to increase our competence. Our national mindset on security is that accidents happen, but to others. They are stuff we read about in the newspapers and, God forbid, if it happens to us, we go ballistic about the government, the need for judicial intervention, legislative oversight, an independent watchdog, and what have you.

There is a whole field of Quantification of verifiable Risk (QFR) in the cyberworld. Ironically, some very innovative Indian companies are world leaders in that. However, with our lax attitude to security, it is no wonder that most of their customers and investors are from North America and Europe. These apps inform you every second of your device’s security score and help you identify, manage and mitigate the threat on an immediate and on-time basis. It is like an 'Israeli Early Warning System' for an oncoming missile or an intrusion detection alarm at your home. These tools are used extensively by large corporations and systems integrators the world over where a successful cyberattack can lead to the complete ruin of a business. While managements use it to keep their organizations secure, insurance companies use these definitive scores to determine your worthiness of getting insured against cyber risk and to determine the cyber risk premiums.

At an individual level, they are easy-to-deploy apps and they keep you posted about any intrusion in your device and the measures you need to take to defeat it. Challenges of technology can only be defeated by our behaviour modification, which involves proactive and enlightened use of technology. Begging and beseeching the government and singing odes to the lofty ideals may sound ethically elevating, but its practical purpose ends there. The business goes on and will go on as usual. To defeat corona, we were asked to follow some hygiene and now we are told that a vaccine is the final solution. Similarly, following cyber hygiene and using vaccinating tools is the only workable way forward if we want to defeat the virus of surveillance.

(The author is an ex-IPS officer and a technology entrepreneur. Views expressed are personal and do not necessarily reflect those of Outlook Magazine.)