Cyber security should safeguard privacy

by Roopinder Singh

IN the wake of the Mumbai terrorist attacks, the government has been tightening its hold on cyber traffic, and the latest Information Technology (IT) Amendment Bill 2008 gives government agencies the power to handle new cyber crimes like posting sexually explicit material electronically, video voyeurism, breach of confidentiality and leakage of data and e-commerce frauds.

For the first time, there is provision to fine, up to Rs 5 crore, companies that fail to handle sensitive personal data. Government agencies have got the power to intercept access and use any information conveyed through computers in the interest of national security.

Only recently, government servants were asked to desist from using the popular web-based e-mail services like Gmail and Yahoo! Mail for transacting official business because of increasing security concerns.

This is not the first time this move was made, but many officials still continue to use these services because of convenience. However, in doing so, they put at risk national security, since the information contained in these mails may well be intercepted at various levels.

Most of the computer ‘servers’ used for these services are located in the US, where the government has long-standing programmes to intercept and analyse such data for its own national security purposes. A signals intelligence collection and analysis network called ECHELON is used by Australia, Canada, New Zealand, the UK and the US to intercept and analyse commercial satellite trunk communications.

In any case, interceptions can occur anywhere while the data is being transmitted, and even e-mail accounts can be broken into. During the recent Presidential primary elections in the US, Alaska Governor Sarah Palin’s Yahoo! e-mail account was hacked and she faced considerable embarrassment. Later, it was revealed that President-elect Barack Obama’s personal cell phone account had been illegally accessed by employees of the phone company Verizon.

In India, last year, a Joint Secretary in the Union Agriculture Ministry sought police assistance after his account was hacked and all his contacts listed in the e-mail service received mails seeking financial help. Many cases of phishing where deceptive tactics are used to make users reveal their e-mail addresses have been reported.

The Indian government has rightly asked the officials to restrict themselves to the mail services offered by the National Informatics Centre (NIC) which has its servers located within the nation. This considerably reduces the potential of leaks. Since NIC handles the bulk of government business on the Internet, it is thus also a major potential target for hackers and it must take steps to ensure proper security for the data that has been entrusted to it.

It was in August last year that a Swedish computer security consultant posted the user names and passwords of at least 1,000 e-mail accounts belonging to embassy employees around the world, including the Indian Ambassador to China. He noted that user laziness played a key role in both weak passwords and improper use of encryption software. He was right; we can only be secure if we take security seriously.

While every precaution must be taken to ensure that safe practices are followed on the Internet, there is also, however, concern about the rights of the user. It is generally accepted that all official communication must be taken seriously, and should be subject to judicious scrutiny, just as it would be in the case of letters written on paper. It is precisely for this reason that in the US, government officials are expected to uses only the government accounts, which are safe, and also subject to legal examination, as and when necessary.

On the other hand, ordinary people have a right to privacy. This right is being progressively threatened — both by what one may call “stateless actors” of the cyber world and governments that become increasingly invasive in their cyber scrutiny. These days communications through the cyber world represent a fairly major slice of people’s personal live. Much personal data is stored in various computers that has serious consequences if it is leaked out.

The IT Bill 2008 was passed after barely minutes of scrutiny. Experts have pointed out that the Bill does not say how the personal information collected by the government should be processed and used. What are the safeguards to ensure the privacy of individuals? The IT Bill 2008 has left many grey areas, some important issues like spam mail have been neglected and privacy issues have been given a short shrift.

Coupled with a lack of basic understanding about the issues involved in tackling cyber crime among many police personnel, especially at the grassroots level, this vagueness bodes ill for the future.

This article was published in The Tribune on December 29, 2008