Photo by Novikov Aleksey / Shutterstock.com
The Internet Service Providers Association of India (ISPAI) claims in a filing with DoT that all International Long Distance (ILD) and Internet Service Provider (ISP) licensees operating in India are required to connect their systems to a Centralised Monitoring System (CMS) and provide law enforcement agencies in the country with an online and real-time facility for monitoring traffic.
Entrackr obtained the filing with the Department of Telecommunications (DoT) under the RTI Act. According to ISPAI’s claims, this facility of providing remote access to web traffic makes the obligation of providing a physical space consisting of 10 workstations with access control a “redundant real estate facility at the Licensee gateway locations”.
This reveals a far deeper and easier level of access to India’s web traffic that the government and law enforcement agencies operating in the country have as compared to what was previously presumed or known. Since the data is now mandated to be sent remotely, physically visiting an ISP’s offices is no longer required.
According to the Internet Freedom Foundation in 2020. these interceptions were previously believed to be made through LIS (Lawful Interception Systems), happening by interception requests made by law enforcement agencies to the nodal officers of a specific TSP (Telecom Service Provider).
The CMS, however, was designed to bypass the TSPs and provided unrestricted access to the existing LIS. It’s a massive post-26/11 project with an assigned budget of ₹400 crores to expand the Indian government’s surveillance capabilities over telecommunications in the country.
TSPs were made to integrate the LIS with their interception Store and Forward servers connected to the Regional Monitor Centres (RMCs) of the CMS, allowing direct access to all intercepted traffic coming from these telecom providers. The project was signed off in 2009 and was finally put into place in 2013 after multiple delays, with the implementation being done in phases.
Since these RMCs can, in turn, be directly accessed by law enforcement, the CMS allows the Indian government to tap into public communications at will without notifying the telecom provider.
While the current level of implementation is unknown, the RTI filing makes it abundantly clear that it’s in place and functions, at least in part, enough for the government to monitor real-time web traffic. The current level of access is also unknown at the moment.
In the News: Cloud9 browser botnet found hijacking Chromium-based browsers