Skip to content

Indian ISPs are giving the government remote access to web traffic

  • by
  • 3 min read

Photo by Novikov Aleksey / Shutterstock.com

The Internet Service Providers Association of India (ISPAI) claims in a filing with DoT that all International Long Distance (ILD) and Internet Service Provider (ISP) licensees operating in India are required to connect their systems to a Centralised Monitoring System (CMS) and provide law enforcement agencies in the country with an online and real-time facility for monitoring traffic.

Entrackr obtained the filing with the Department of Telecommunications (DoT) under the RTI Act. According to ISPAI’s claims, this facility of providing remote access to web traffic makes the obligation of providing a physical space consisting of 10 workstations with access control a “redundant real estate facility at the Licensee gateway locations”. 

This reveals a far deeper and easier level of access to India’s web traffic that the government and law enforcement agencies operating in the country have as compared to what was previously presumed or known. Since the data is now mandated to be sent remotely, physically visiting an ISP’s offices is no longer required. 

According to the Internet Freedom Foundation in 2020. these interceptions were previously believed to be made through LIS (Lawful Interception Systems), happening by interception requests made by law enforcement agencies to the nodal officers of a specific TSP (Telecom Service Provider).

Indian government surveillance controversy: What has happened so far?
The CMS allows law enforcement agencies to tap into intercepted data at will.

The CMS, however, was designed to bypass the TSPs and provided unrestricted access to the existing LIS. It’s a massive post-26/11 project with an assigned budget of ₹400 crores to expand the Indian government’s surveillance capabilities over telecommunications in the country. 

TSPs were made to integrate the LIS with their interception Store and Forward servers connected to the Regional Monitor Centres (RMCs) of the CMS, allowing direct access to all intercepted traffic coming from these telecom providers. The project was signed off in 2009 and was finally put into place in 2013 after multiple delays, with the implementation being done in phases.

Since these RMCs can, in turn, be directly accessed by law enforcement, the CMS allows the Indian government to tap into public communications at will without notifying the telecom provider. 

While the current level of implementation is unknown, the RTI filing makes it abundantly clear that it’s in place and functions, at least in part, enough for the government to monitor real-time web traffic. The current level of access is also unknown at the moment. 

In the News: Cloud9 browser botnet found hijacking Chromium-based browsers

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>