Cyber (In)security in India

Samir Saran, Bedavyasa Mohanty
Tuesday, February 16, 2016, 9:34 AM

Published by The Lawfare Institute
in Cooperation With

In the week leading up to India’s 67th Republic Day on January 26, 2016, the National Investigation Agency apprehended 14 Islamic State “sympathisers” who had planned to carry out coordinated attacks. Although the men were arrested from six cities in different parts of the country, a common thread emerged: a single handler had been coordinating their activities over WhatsApp. This handler, Shafi Armar, is considered a social media and communications expert and has been responsible for IS propaganda and online recruitment.

In response to such instances of incitement of violent extremism over cyberspace, states have clamped down on the internet. For countries like India that are only starting to realise the full potential of the digital space for e-governance and the digital economy, developing norms around the security and stability of the internet is paramount. This process of norm-creation, however, is contested and fraught with challenges.

When it comes to the internet, “the medium is the message,” to borrow Marshall McLuhan’s oft-quoted phrase. By expanding the range of social interactions, it has become the preferred vehicle for communication, information dissemination, and business. The very act of going online presumes a certain agency on the part of the internet user, who has evolved from a passive consumer of information to its curator and an active participant in its creation.

As data becomes currency and cyberspace emerges as a new frontier, however, businesses, end users, and sovereign states can all have incongruent interests. Governments respond to discord in cyberspace with heavy-handed and blunt regulation, often unwittingly harming the interests of their citizens and businesses. Unlocking the full potential of the internet instead requires imagining a sophisticated regulatory structure that minimises the role of gatekeepers, moderates licensing and fosters freedom. Technology—and not legislation—is the only suitable solution to challenges posed by technology itself. Norms, regulations and laws must be designed so as to allow technology to be its own antidote. For a country where state intervention is omnipresent, a nuanced and light government touch in the digital realm is required to appropriately respond to social challenges, poverty, food and energy needs.

India, and similar emerging economies, face a unique dilemma surrounding access, affordability, and stability. The next billion internet users from Asia and Africa will need to surmount striking levels of income inequality in order to get online. Cheap smartphones that are manufactured with the intent of providing this first-time connectivity are seldom as secure or verified and authenticated as their higher-end counterparts. Due to their sheer ubiquity, it is these devices that will determine the overall standard of security in the smartphone industry. Smartphone manufacturers in India and elsewhere do not stand to gain by lowering the integrity of their supply chains; in fact, they stand to lose considerable market share if obvious vulnerabilities in their devices are made public.

Beyond technical standards, legal norms also set the stage for cyber-insecurity. Following from other global interventions, in India too, the government has previously forced behemoths like BlackBerry to provide it with interception capabilities as a condition of operating in the Indian market. In September last year, the Indian government also faced much criticism over its (now withdrawn) draft encryption policy, which sought to impose a licensing regime on encrypted services and mandate storage of decrypted information by service providers. Market players find it easier to accede to government pressure than to lose access to a growing market. In many cases, therefore, it is the sovereign’s choices that set a lower standard of security and harm businesses. This is not to say all encryption policy is bad; but it must respond to the ideal of light government.

A heavy-handed response is not limited to alleged national security threats online. In 2012, faced with rumours of violence and a massive exodus of north-eastern Indians from Bangalore, the government blocked a wide array of text broadcasting and social media websites. More recently, due to instances of sporadic violence, the government imposed a block on mobile internet access to 63 million users in the state of Gujarat. Such instances are becoming frequent. The fabric of the internet is threatened if blocking access becomes the norm, but it is easy to understand why governments resort to such measures.

Regulating the internet is challenging. While every society contains “deviants,” cyberspace has created an unparalleled aggregation of deviance, a case in point being the “radicalisation in rooms.” The Islamic State operates over 50,000 Twitter accounts in nearly 9 languages. In days past, extremist propaganda was expensive to transmit across borders and limited in reach. Today, the internet has shrunk the physical distance separating these actors and this death of space enables a “personal touch” to the radicalisation of sympathetic voices and an aggravated animosity towards opposing opinions. Indian law enforcement has on multiple occasions demonstrated an inability to deal with hate speech or incitement in a sophisticated manner. While maintaining public order remains a duty of the state, the predominant challenge is the extent to which fundamental freedoms can be compromised in the process.

The internet, with its unparalleled information delivery systems and aggregation capabilities, has revolutionised communication. But these same features unwittingly lead to insecurity in the ways the medium is used. This insecurity is particularly acute for nascent digital economies like India, where decisions by the government or regulators to curtail access or seek backdoors cannot be characterised in binary tones. Global cyber-norms must therefore be sensitive to local or national contexts—economic, social and political—rather than reinforcing the narrative that cyberspace is truly seamless.

Samir is a Senior Fellow and Vice President of the Observer Research Foundation. He is also the chair of CyFy: The India Conference on Cyber Security and Internet Governance. He is the editor of India's most read journal in this sector, “Digital Debates.” Samir’s latest published work in this area includes “The ITU and Unbundling Internet Governance: An Indian Perspective,” “Indo-U.S. Cooperation on Internet Governance and Cyber Security” and “The Shifting Digital Pivot: Time for Smart Multilateralism.” He is regularly featured in Indian and international print and broadcast media.
Bedavyasa is a Junior Fellow with Observer Research Foundation’s Cyber Initiative. A lawyer by training, he is interested in the jurisprudence of privacy law and the evolution of the internet. At ORF Cyber, his work focuses on cyber security and internet governance. He has previously written on the constitutionality of surveillance law in India and antitrust perspectives on net neutrality. His work has appeared in The Wire and Economic Times.
