India: privacy vs security

17 Jan 2012

One wonders what the authorities in India are thinking, suing Google, Facebook, Yahoo and everyone else on the Internet over content that it thinks is objectionable.

It will be interesting to see if Google’s appeal on the grounds that it would be humanly infeasible to provide the level of policing demanded by the Indian authorities succeeds.

But looking at history, the world’s largest democracy always has had a rather authoritarian streak when it comes to communications.

One could say it began after the partition of India and Pakistan. Mail from one country to the other was not sent over the border, but was sent for sorting via London so that the motherland could do the censorship and interception deemed necessary for peace and civility to endure, so they say.

I first went to India in 2007, to Bangalore at the invitation of IBM. Back then, there was much of a ruckus about VoIP. The technology was too secure and it was not possible for the police to intercept communications as they might have to. One of my hosts explained that after a long protracted series of negotiations, IBM was allowed to use VoIP for internal communications, but not for external calls within India or overseas. Hence most desks had two phones on them.

Fast forward to 2010 and Skype and Nokia had similar run-ins with the Indian authorities. The centralized, encrypted nature of push mail on BIS and Nokia Ovi meant it was impossible to intercept messages, and thus a backdoor or a local server under the jurisdiction of Indian courts was mandated.

It is ironic in a way that while many CIOs are talking about data sovereignty in terms of escaping the US Patriot Act, it is really the authorities in more repressive regimes that demand access to data and are themselves complaining of being unable to access data in US-hosted data centres.

It is a tug of war between freedom and security. The more freedom we have, the less power the state has. Less power to crack down on individual freedoms as well as less power to crack down on genuine terrorists. The more powerful the state is at the expense of the individual, the more the individual is vulnerable to real cyber criminals. There is no one answer, rather it is a continuum.

I once interviewed Microsoft CTO Craig Mundie back in 2006 and one thing I remember was his view on privacy and security.

Mundie said that as CTO he had two teams reporting directly to him. The security team said that they could solve all the security problems on the Internet if every Internet packet were digitally signed so that it was known exactly where any packet originated. The privacy team said that they could solve all the privacy problems on the Internet if all traffic was anonymized.

India may be leaning towards security at the expense of privacy, but obviously they cannot afford to go too far otherwise business will cease to function. One example is VPN use. Most companies rely heavily on VPN tunnels for off-site workers to access corporate systems securely and need to do so for security and compliance reasons. But the dirty little secret that nobody is highlighting is that VPN also renders government big-brother programs useless. All the government sees is an encrypted tunnel to the corporate data centre, often somewhere in California. It could be a proper document, video conference or, gasp, objectionable content. Banning VPN or similar encryption would effectively ban foreign companies from having any security.

It will be interesting to see how far India is willing to go in prying open Pandora’s box.

Related content

No Comments Yet! Be the first to share what you think!