User:Kenfyre/Central Monitoring System

The Central Monitoring System, abbreviated to CMS, is a clandestine mass electronic surveillance data mining program installed by the Centre for Development of Telematics (C-DOT), an Indian Government owned telecommunications technology development centre, and operated by Telecom Enforcement Resource and Monitoring (TERM) Cells. The CMS gives India's security agencies and income tax officials centralized access to India's telecommunications network and the ability to listen in on and record mobile, landline and satellite calls and voice over Internet Protocol (VoIP), and read private emails, SMS and MMS and track the geographical location of individuals, all in real time. It can also be used to monitor posts shared on social media such as Facebook, LinkedIn and Twitter, and to track users' search histories on Google, without any oversight by courts or Parliament. According to a government official, an agency "shall enter data related to target in the CMS system and approach the telecom services provider (TSP), at which point the process is automated, and the provider simply sends the data to a server which forwards the requested information". The intercepted data is subject to pattern recognition and other automated tests to detect emotional markers, such as hate, compassion or intent, and different forms of dissent. Telecom operators in India are obligated by law to give access to their networks to every legal enforcement agency. From 2014 onwards, all mobile telephony operators will be required to track and store the geographical location from which subscribers make or receive calls, meaning that, in addition to the contact number of the person a caller speaks to, the duration of the call and details of the mobile tower used, the Call Data Records (CDR) will now also contain details of the caller's location. The system aims to attain a tracking accuracy of 80% in the first year of operation, followed by 95% accuracy in the second year, in urban areas. Commander (rtd) Mukesh Saini, former national information security coordinator of the Government of India, expressed fears that all CDR details would eventually be fed into the central server for access through the CMS.

The Times of India described CMS as "the single window from where government arms such as the National Investigation Agency or the tax authorities will be able to monitor every byte of communication." Prior to CMS, agencies had had to seek court orders for surveillance, and had to send in an individual request to a telecom operator or Internet service provider whenever it wanted to monitor the activity of a particular target. The Ministry of Home Affairs now has the sole power to decide who to monitor. The system was created without approval from Parliament, provides no avenues for redress and places no consequences in case of abuse. The government stated that the cost of implementing CMS was inr 4000000000. However, on 21 June 2013, The Hindu, reported that it had obtained project documents relating to CMS, which showed that the project's budget was "nearly double" that amount.

There has been no public debate about the system, and the government has said little about how it will work or how it will ensure that the system is not abused. The government has not stated how the data it collects is stored, secured, accessed or deleted. The government claims that the sole purpose of the CMS is to protect the country against terrorism, and it refuses to disclose details about the system, claiming that doing so, would make it far less efficient. However, human rights and civil-liberties groups fear that the system is prone to abuse. India does not have any formal privacy legislation to prohibit arbitrary monitoring. The new system comes under the jurisdiction of the Indian Telegraph Act, a law formulated by the British in 1885 during the Raj, which allows for monitoring communication in the "interest of public safety."

History
The 2007-08 annual report of the Department of Telecommunications (DoT) stated that the requirements for the CMS project had been finalized by the Telecommunication Engineering Center (TEC), after deliberations with security agencies, and that the first phase of the project, covering the "national capital", was scheduled to be implemented by 31 March 2008. It also stated that C-DOT had finalized the "scope, architecture and dimensioning of the network". The 2008-09 annual report stated that proof of concept had been demonstrated and that R&D activities for the project were "ongoing". The Government of India set aside approximately $150 million for the system as part of its 12th Five Year Plan, with Cabinet ultimately approving a higher amount. The CMS was fast-tracked following the 2008 Mumbai attacks, when the perpetrators used VoIP. However, it faced repeated delays due to inadequate infrastructure, and missed the original deployment deadline of the end of 2012, and the next deadline of March 2013. Mint quoted an unnamed "top government official" as saying that C-DOT had signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR), to integrate Internet service providers with its system, and would allow monitoring agencies to track an individual's Internet use. According to the 2012-13 annual report DoT, C-DOT will install the system, after which the Telecom Enforcement Resource and Monitoring (TERM) cells will take over. As on 31 March 2013, there were 34 such TERM cells in India. The current number is unknown as there is almost no official data from the government about the implementation of the CMS.

CMS was first announced publicly in a press release by the Press Information Bureau (PIB), dated 26 November 2009. The release lacked details on the system but stated that CMS was a "centralized system to monitor communications on mobile phones, landlines and the internet in the country" and claimed that the project would "strengthen the security environment in the country". CMS was mentioned by Minister of Communications and Information Technology Kapil Sibal on 1 January 2011, while addressing the media to announce his 100-day agenda for the Indian telecom sector. Sibal mentioned it in passing, telling the media that "Steps will be taken to establish the Central Monitoring System which will facilitate and prevent misuse of lawful interception facility." The announcement was described as "muted" by Time magazine. There was no public debate about the system, and the government said little about how it will work or how it will ensure that the system is not abused. In a 2009 reply in the Rajya Sabha, then IT Minister Gurudas Kamat, explained that CMS would monitor communications on mobile phones, landlines and the Internet in the country. He also claimed that it was in "the interest of protecting secrecy of the system as it does away with manual interventions, instead these functions will be performed on secured electronic link and there will be minimum manual intervention." He also stated that the interception would be "instant as compared to the existing system which takes a very long time", meaning real time. According to the Rajya Sabha transcripts uploaded on the PIB site, the stated benefits of CMS are "to create central and regional database to help central and State enforcement agencies in interception and monitoring, eliminating manual intervention by telecom service providers enabling direct electronic provisioning, filter and alert creation on target numbers, and analysis of call data records and data mining.

In a written reply to a question in the Lok Sabha on 9 March 2011, Minister of State for Communications & Information Technology, Sachin Pilot stated that the CMS was proposed to be set up for the "Lawful Interception and Monitoring of communications to address the national security concerns. It will automize the present manual system of interception and monitoring, which will enhance the secrecy of intercepted numbers and will cut down the delay in provisioning." He also stated that the licence terms and conditions of all the telecom service providers (TSPs) had been amended to "take care of known security concerns". On 29 April 2011, the Police Modernisation Division of the Home Affairs Ministry put out a 90-page tender to solicit bidders for communication-interception systems in every State and union territory of India. The notice, published on its website, went almost unnoticed by most the public and media. It specified that the system should be able to monitor voice calls, fax messages, SMS and MMS, and work across terrestrial networks, GSM and CDMA (the dominant mobile telephony platforms), and the Internet. It also required the system to allow listening in live, be able to analyse intercepted data, have the ability to record, store and playback, without interfering "with the operation of telecommunication network or make the target aware that he is being monitored". It also required the ability for "live listening, recording, storage, playback, analysis, postprocessing" and voice recognition.

On 15 October 2012, The New Indian Express reported that the National Investigation Agency (NIA) had requested for authorization to access CMS once it became functional. The paper also stated that the CMS platform for two service providers in Delhi, MTNL and Tata Telecom, was complete, and the Intelligence Bureau (IB) and the Directorate of Revenue Intelligence (DRI) were using it to conduct a pilot trial. Mint cited an internal note from the DoT dated 10 June 2013, which reportedly said that CMS had "undergone successful pilots" and was "likely to be commissioned" by the end of 2013. The government began quietly rolling out the CMS, state by state, in April 2013. When fully implemented, it will be able to target any of India's landline, mobile phone and/or Internet subscribers. As part of the implementation, the home ministry updated all its offices in state capitals with specialized equipment and systems for such monitoring.

On 13 June 2013, The Times of India reported that the "secretive" National Technical Research Organisation (NTRO), a technical intelligence gathering agency, created under an executive order and not accountable to Parliament, "often went beyond its mandate". In 2006-07, NTRO reportedly tried, but failed, to crack into Google and Skype servers. However, it succeeded in cracking Rediffmail and Sify servers. On 14 May 2012, Mint reported that the NTRO's surveillance devices, "contrary to norms, were deployed more often in the national capital than in border areas" and that under new standard operating procedures issued in early 2012, the organization can only intercept signals at the international borders. Despite that, according to the The New York Times, the organization runs multiple facilities in Mumbai, Bangalore, Delhi, Hyderabad, Lucknow and Kolkata, in which "monumental" amounts of Internet traffic are captured. All traffic passing through the undersea cables in Mumbai are reportedly captured. In April 2013, the Department of Electronics and Information Technology (DeitY), citing a report prepared by its operations division, the Indian Computer Emergency Response Team (ICERT), listed specific instances when the NTRO reportedly hacked into the National Informatics Center (NIC) infrastructure and extracted sensitive data connected to various ministries. The NIC provides internet connectivity to all ministries, and its NICNET (the NIC network) has institutional linkages with the Central Government, State Governments and union territories. All government officials have email IDs issued by NIC. NTRO denied the accusations. The IB and Research and Analysis Wing (R&AW) have reportedly asked the Indian government to downgrade NTRO's role to that of a "service provider".

A public tender by the special branch of the Assam Police, uploaded on tech news portal NextBigWhat in 2013, asked for the creation of an "automated system with Internet monitoring solutions, where the deployment architecture will include 10 GB probes deployed [on] ISP premises, strategically or tactically deployed at various tapping points in the ISP network". The documunet also stated that each ISP site would have to host at least one aggregation server for all the probes. The information collected would be collated in this server, and then transferred to a master aggregation server. The system aimed to "collect, filter and analyse data" in real time, and the metadata must be retained for at least a year. The document also required the system to be able to monitor unstructured content such as emails, chats and transcribed call logs. Similar tenders have been called in Delhi and Karnataka, and Pranesh Prakash, lawyer with the Centre for Internet and Society, observed that "state-level surveillance might even exceed central-level surveillance, and these 'Internet monitoring systems' are just as worrisome and they too lack public accountability"

On 17 June 2013, the Home Ministry stated that access to CMS would be strictly restricted to authorized tapping requests. It also said that CMS would involve an online system for filing and processing of all lawful interception requests, and an electronic audit trail would be in place for each phone number put under surveillance, which would indicate how long a mobile, land line or internet communication was under watch. The Ministry also revealed that the necessary hardware and infrastructure for CMS was in place, and that the system was ready to be operational, initially on a limited scale.

On 21 June 2013, The Economic Times reported that it reviewed internal government documents regarding "a meeting between communication ministry officials for reviewing the progress on executing the National Telecom Policy", which revealed that the CMS would only be commissioned only by December 2013, due to "a lack of requisite infrastructure". The internal note also reportedly stated that the system was scheduled to be operational in 10 States by March 2013, but the deadline was being extended to the year-end. The note also stated that the "tenders for equipment that would be housed in the remote monitoring centres (RMCs) were ready, but the delay in setting up of these centres had pushed back the project", also added that "orders for ISF (Interception Store-and-Forward) equipment had so far been placed in only 7 service areas".

In July 2013, BlackBerry granted the Indian Government access to its consumer messaging services, which include BlackBerry Messenger (BBM) and BlackBerry Internet Service (BIS) email. It is presumed that CMS will be used to monitor these services, although it may be done through C-DOT's Lawful Intercept and Monitoring (LIM) system. However, the government will not have access to the BlackBerry Enterprise Server. The same month, the DoT proposed an amendment to the condition 44.10 of the unified access service licence (UASL) and the condition 5.9 of the Cellular Mobile Telephone Service (CMTS) agreement, under which it would become mandatory for a service provider to provide connectivity up to the nearest point of presence of Multi Protocol Label Switching (MPLS) network of the CMS at its own cost in the form of dark optic fibre with redundancy. The burden of handling the flow of information, from the point of MPLS onwards, will lie with the government. UASL and CMTS are telecom licences. If a service provider is unable to provide the dark optic fibre connectivity, it would have to extend connectivity in the form of 10Mbit/s bandwidth upgradeable to 45Mbit/s or higher, till such time that it was able to so. The DoT will soon amend the to incorporate the clauses. The DoT is expected to finalise the norms for interception and monitoring of phone calls and messages by the end of August 2013. It will make two amendments to the Indian Telegraph Act to allow for intercepting and monitoring through the CMS and to allow "collecting, storing and analyzing message pertaining to information of any nature by the Telegraph Authority".

According to The Hindu, only Delhi and Haryana had been successfully tested "proof of concept" (POC) as of June 2013. The next three telecom service areas planned for CMS implementation were Kerala, Karnataka and Kolkata. The paper also stated that until 2015, "two surveillance and interception systems will run in parallel — the existing State-wise, 200-odd LIM systems, set up by 7 to 8 mobile operators in each of the 22 circles, plus the multiple ISP and international gateways — alongside the national rollout of CMS." The government plans to cover 12 States by the end of 2013-14.

On 6 July 2013, The Wall Street Journal reported that the IB had denied permission for the CMS to go ahead because the system "lacks the ability to track down specific target". The system reportedly lacked the search algorithms, or set of software programs, to "precisely identify the particular target document based on a set of key words". This meant that, for example, an agency searching for a specific email would not be able to enter certain search terms to narrow down the information, but instead have to read every email in the system to find the required one. The centralized data center, or the network of computers, where the intercepted data is stored was also reportedly "not yet operational", and was expected to be operational by October 2013. Another reported reason for the delay in implementing CMS was that system would require a high speed communications network to transmit the data it intercepts, after encryption, which was not expected to be ready until January 2014. The Central Bureau of Investigation's (CBI) need for the system to allow it to track data on the communication activity of all individuals those under its probe, further delayed the full launch of the program.

System details
CMS creates central and regional databases, which authorized Central and State level government agencies can use to intercept and monitor any landline, mobile or internet connection in India. The CMS will converge all the interception lines at one location, for access by authorized government agencies. CMS is connected with the Telephone Call Interception System (TCIS) which will helps in monitoring voice calls, SMS and MMS, fax communications on landlines, CDMA, GSM, video calls and 3G networks. CMS equips government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers, and enables Call Data Records (CDR) analysis and data mining to identify the personal information of the target numbers, without any manual intervention from telecom service providers (TSPs).

The Indian government agencies known to have been authorized to make intercept requests through CMS are the Central Board of Direct Taxes (CBDT), the Central Bureau of Investigation (CBI), the Defense Intelligence Agency (DIA), the Directorate of Revenue Intelligence (DRI), the Enforcement Directorate, the Intelligence Bureau (IB), Narcotics Control Bureau (NCB), National Investigation Agency (NIA) and the Research & Analysis Wing (R&AW), as well as Military Intelligence of Assam and Jammu and Kashmir, and the Home Ministry. Authorized agencies are not required to seek a court order for surveillance or depend, as they did prior to CMS, on Internet or telephone service providers to give them the data. The government has built intercept data servers on the premises of private telecommunications firms, which will allow it to tap into communications, at will, without informing the service providers. The top bureaucrat in the home ministry and his state-level deputies have the authority to approve requests for surveillance of specific phone numbers, e-mails or social media accounts. According to the Press Trust of India (PTI), the government plans to give the Securities and Exchange Board of India (SEBI) the powers to get telephone call data records (CDRs), access to emails and SMSs, of entities under its investigation in cases of insider trading, money laundering and other market manipulations. The move was reportedly at the request of SEBI and the Ministry of Finance. SEBI claims that it requires CDRs in order to "establish links between two or more parties who might have had conversations among themselves before or after the incidents of insider trading and to prevent black money coming to market or other manipulative activities in the market".

According to the The Times of India, authorized agencies will have to submit online tapping requests to a "competent authority", or the Union home secretary. If clearance is received, only a specific gateway to the number cleared for surveillance will be provided to the agency concerned. However, experts still feel that too many agencies have access to CMS, and the list must be reduced. The paper quoted an unnamed DoT official as stating that the grounds for interception would be prescribed by the Review Committee as described in the Indian Telegraph Act, and online surveillance will be authorized by the Secretary of Department of Electronics and Information Technology. The paper also reported that the staff manning and monitoring the CMS facility are "experts from the department of telecommunications and department of information technology", on deputation to the Union home ministry. The "experts" are tasked with ensuring that no tapping request exceeds the authorized duration. The Times of India also reported that "the usual audit system where the sanctioning authority randomly reviews an interception request to rule out procedural slip-ups and examines the outcome of surveillance" would be followed.

On 21 June 2013, The Hindu, reported that it had obtained project documents relating to CMS, which showed that the project would "enhance the government’s surveillance and interception capabilities far beyond "meta-data," data mining, and the original expectation of "instant" and secure interception of phone conversations." It reported that previously unseen interception flow diagram, revealed that CMS would be able to deliver Intercept Relating Information (IRI) across GSM, CDMA and fixed (PSTN) lines as well as Internet users, on a real time basis through secure ethernet leased lines. The paper also stated that the system would have "unfettered access" to the existing Lawful Interception Systems (LIS) installed in the network of every fixed and mobile operator, ISP, and International Long Distance service provider in the country. It was also revealed that mobile and long distance operators would have no role in the process. Previously, the operators would be permitted to intercept only after receiving government authorization. However, the CMS keeps all authorizations confidential within government departments. The paper said that this meant that government agencies would be able to "access in real time any mobile and fixed line phone conversation, SMS, fax, web-site visit, social media usage, Internet search and email, including partially written emails in draft folders, of targeted numbers." The paper declared that contrary to the impression created by the government, CMS would not replace the existing surveillance equipment deployed by mobile operators and ISPs, but instead, combine their strengths, thus "expanding the CMS' forensic capabilities multiple times". The CMS also permits data mining and meta-data access through call data records (CDRs) and session initiation protocol data records (SDRs), which are used for Internet protocol-related communications including video conferencing, streaming multi-media, instant messaging, presence information, file transfer, video games and voice & fax over IP. The system will also have access to call content (CC) on multiple E1 leased lines through operators billing/ mediation servers, which reveal user information to the "accuracy of milliseconds, relating to call duration, identification and call history" of those under surveillance. It can also disclose mobile numbers and email IDs, including tracking the target's physical location by revealing mobile tower information.

Government view
The government feels that making details of the project public would limit its effectiveness as a clandestine intelligence-gathering tool. It usually cites national security as the reason for implementing the system. It also claims that the CMS will not increase surveillance or enhance intrusion beyond current levels, and will instead strengthen the policy framework of privacy and increase operational efficiency. The government has also argued that CMS will make intelligence gathering faster, as it will allow for any interception in real time, without having to seek permission from the Home Ministry or the courts, and also without having to consult the telecom service providers. On 26 November 2009, the government told Parliament that CMS' implementation would overcome "the existing system’s secrecy which can be easily compromised due to manual interventions at many stages."

A 20 June 2013 Reuters report quoted a "senior telecommunications ministry official", directly involved in setting up the project who chose not to be identified "because of the sensitivity of the subject", as saying, "Security of the country is very important. All countries have these surveillance programmes. You can see terrorists getting caught, you see crimes being stopped. You need surveillance. This is to protect you and your country. The home secretary has to have some substantial intelligence input to approve any kind of call tapping or call monitoring. He is not going to randomly decide to tape anybody's phone calls. If at all the government reads your e-mails, or taps your phone, that will be done for a good reason. It is not invading your privacy, it is protecting you and your country."

Minister of state for information technology, Milind Deora, appeared on a Google+ Hangout that was open to the public for questions on 7 June 2013. When asked about CMS, Deora defended the project and said that the new data collection system would "actually improve citizens' privacy because telecommunications companies would no longer be directly involved in the surveillance - only government officials would". The minister also insisted that it would "safeguard your [Indian citizens] privacy and national security". He also revealed that "The mobile company will have no knowledge about whose phone conversation is being intercepted." However, Deora's guarantees were dismissed by the Indian media. Mint cited the leak of CCTV footage from the Delhi Metro coaches, which showed couples being intimate in deserted coaches, to international porn sites, was proof that the government databases were not "non-tamperable". It also stated that being "asked to repose faith in the government as a custodian of the data it collects" was "a laughable proposition".

West Bengal Chief Minister Mamata Banerjee criticized the CMS in a Facebook post on 2 July 2013. She accused the Centre of placing the privacy of Indians at stake, and setting up the system without consulting other political parties. She stated in her post, "Experts feel that these capabilities could be as lethal and intrusive as the highly controversial PRISM project of the US. The plan is to launch it in Kolkata, Karnataka and Kerala. The aim is to cover about 12 states by March 2014. Why is the UPA-II government developing an autocratic system of surveillance and monitoring to secure interception of telephonic conversation in all forms? Will it be targeted to silence the opposition in general and all politicians and others in particular? Who will authorize or decide on selection of targets?" She also felt that the Centre was "making a mockery of" the right to freedom of speech and expression enshrined in the Constitution." Banerjee has previously been criticized for the arrest and charges against a professor in West Bengal for circulating a cartoon of her.

Speaking to reporters on the sidelines of the Association of Southeast Asian Nations (ASEAN) regional forum meeting on 2 July 2013 in Bandar Seri Begawan in Brunei, Minister of External Affairs Salman Khurshid defended the United States PRISM surveillance program saying, "This is not scrutiny and access to actual messages. It is only computer analysis of patterns of calls and emails that are being sent. It is not actually snooping specifically on content of anybody's message or conversation. Some of the information they got out of their scrutiny, they were able to use it to prevent serious terrorist attacks in several countries." The media felt that Khurshid's defence of PRISM was because the Indian government was rolling out CMS, which was similar to the PRISM program.

Media reaction
Business Standard criticized the lack of a court warrant stating, "Making the new system unusually draconian is the discretion it provides bureaucrats to approve requests for surveillance, which can be made by any one of nine government agencies, including the Central Bureau of Investigation, Intelligence Bureau and Income Tax Department. With the union and state home secretaries permitted to approve requests for surveillance, this bypasses the traditional system of a court warrant being needed for monitoring a citizen." Firstpost criticized the lack of information from the government about the project and the lack of a legal recourse for a citizen whose personal details were misused or leaked from the database. The paper stated, "One of the primary concerns raised by experts is the sheer lack of public information on the project. So far, there is no official word from the government about which government bodies or agencies will be able to access the data; how will they use this information; what percentage of population will be under surveillance; or how long the data of a citizen will be kept in the record." It also criticized the lack of judicial oversight, but conceded that "given the use of technology by criminals and terrorists, government surveillance per se, seems inevitable".

The Hindu criticized the CMS stating, "The power to propose, implement and monitor India’s cyber security regulations has been concentrated in the hands of a few agencies without specifying what participatory role, if any, civil society and industry will play in them. Where Information and Communication Technology guidelines are prescriptive, the government plans to offer tax incentives for companies conforming to them, effectively coercing the latter into obedience. Most importantly, the policy fails to address the scope of oversight, parliamentary or judicial, that such entities will be subject to." It also criticized the lack of information about the system stating, "The fact is that till date, the actual nature of the programme remains a top secret. There is very little in the public domain that sheds light on the project itself, let alone what kind of monitoring it entails, what type of data it attempts to tap, collect or analyse, the technological aspects, and limitations and safeguards."

The Indian Express criticized the introduction of the system in the absence of "any reasonably effective safeguards" to protect privacy. The paper stated that the "government is working on leveraging technology to violate privacy with greater efficiency", instead of "protecting privacy rights from the domestic and international intrusions made possible by technological development". It also stated that the CMS infrastructure facilitated large-scale state surveillance of private communication, with very little accountability.

The Times of India criticized the introduction of CMS without public debate or Parliamentary accountability. The paper stated, "While the government argues systems like the Telephone Call Interception System (TCIS), the Central Monitoring System (CMS) and the National Intelligence Grid (Natgrid) will introduce restrictions on misuse of surveillance data, it is a flawed claim. Mass surveillance only increases the size of the haystack, which doesn't help in finding the needle. Targeted surveillance, when necessary and proportional, is required. And no such systems should be introduced without public debate and a legal regime in place for public and parliamentary accountability." The paper also felt that Indian privacy laws were "lax", and "far worse than American law on these matters".

Forbes India pointed out that a consequence of CMS would be that innocent citizens would be wrongly accused of being criminals based on mistaken data patterns. The magazine states, "While searching for matches in any database with hundreds of millions of records, the risk of a 'false positive' increases disproportionately because there are exponentially more innocents than there are guilty. And in the near-Dystopian construct of the CMS, it will take months or years for such errors to be rectified. As more Indians become aware of these programmes, they will adopt encryption and masking tools to hide their digital selves. In the process, numerous ‘unintended consequences’ of failing to differentiate law-abiding citizens from criminals will be created. What answer will a normal citizen offer to a law enforcement official who wants to know why he or she has encrypted all communications and hosted a personal server in, say, Sweden?"

The New York Times argued that India did not need centralized interception facilities to have centralized tracking of interception requests. It stated, "To prevent unauthorized access to communications content that has been intercepted, at all points of time, the files should be encrypted using public key infrastructure. Mechanisms also exist to securely allow a chain of custody to be tracked, and to ensure the timely destruction of intercepted material after six months, as required by the law. Such technological means need to be made mandatory to prevent unauthorized access, rather than centralizing all interception capabilities." It also pointed out that despite a 1975 Supreme Court ruling which held that an "economic emergency" may not amount to a "public emergency", three of the nine agencies authorized to intercept communication through CMS were "exclusively dedicated to economic offenses". It also stated that despite a 2011 report by the cabinet secretary, which pointed out that economic offenses might not be counted as "public emergencies", and that "the Central Board of Direct Taxes should not be empowered to intercept communications", the tax department was still permitted to conduct interceptions. The paper also stated that "government entities have engaged in unofficial and illegal surveillance, and the CMS is not likely to change this". The paper also expressed supported for a strong privacy law, and advised Indian citizens to "take greater care of their own privacy and safeguard the security of their communications".

Human rights and civil-liberties groups reactions
Human rights and civil-liberties groups have expressed concerns that the CMS is prone to abuse, and is an infringement of privacy and civil liberties. Critics have described it as "abuse of privacy rights and security-agency overreach", and counterproductive in terms of security. Indian activists have also raised concerns that the system will inhibit them from expressing their opinions and sharing information, especially because the government has repeatedly used the Information Technology Act, since it was amended in 2008, to arrest people for posting comments on social media that are critical of the government, as well as to put pressure on websites such as Facebook and Google to filter or block content, and impose liability on private intermediaries to filter and remove content from users.

Meenakshi Ganguly, the South Asia director of Human Rights Watch, pointed out that Indian agencies tend to leak data that should remain private, saying, "There is always the danger of private data and conversations going out to unauthorized recipients. A central monitoring system is vulnerable to misuse. An innocuous comment can be interpreted as a threat to someone or something; and we have seen that the response of the state can be ugly. We need a new set of very tight laws. If we are going to live with surveillance, we need an internationally accepted protocol that protects the public from misuse of data. Unless that comes into place, the central monitoring system will be misused by apparatchiks". She also felt that the move toward extensive "surveillance capabilities enabled by digital communications" suggests that governments are now "casting the net wide, enabling intrusions into private lives". Ganguly also felt that increasing surveillance around the world was an attempt by governments to "grapple with the power of social media that can enable spontaneous street protests".

Praveen Swami, strategic affairs editor of Network18, felt that "There is also the argument that the threat of a cyber attack is deliberately overplayed. So far, even in the highly-networked West, no major incident has ever been caused by a cyber crime. There is definitely an element of hype in scenarios of terrorists hijacking a nuclear power plant... it is far-fetched. So there is a need for balance". Cynthia Wong, an Internet researcher at New York-based Human Rights Watch, felt that the Indian government needed to "be transparent about who will be authorized to collect data, what data will be collected, how it will be used, and how the right to privacy will be protected", if it did not "want to look like an authoritarian regime". She described CMS as "chilling, given its [the Indian government] reckless and irresponsible use of the sedition and Internet laws". She also said that, "New surveillance capabilities have been used around the world to target critics, journalists, and human rights activists." Pawan Sinha, a human rights teacher at Delhi University, believes that bypassing courts was "really very dangerous" and could be "easily misused". In most countries in Europe and in the United States, security agencies were obliged to seek court approval or had to function with legal oversight."

Anja Kovacs of the Internet Democracy Project, and a fellow at the New Delhi-based Centre for Internet and Society, felt that there was "a growing discrepancy and power imbalance between citizens and the state" and that in the Indian scenario, there were "no checks and balances in place". Kovacs also felt that the potential for misuse and misunderstanding was increasing enormously. She pointed out that the Indian government was handed intelligence by foreign agencies about the possibility of the 2008 Mumbai terrorist attacks, but did not act, saying that this was a "clear indication that having access to massive amounts of data is not necessarily going to make people safer". She also stated that the system gave the authorities the ability to act however they deemed fit, and that "just makes it really easy to slide into authoritarianism, and that is not acceptable for any democratic country".

Sunil Abraham, executive director of Bangalore-based non-profit Centre for Internet and Society, fears that the CMS, in the process of collecting data to monitor criminal activity, will become a "honeypot" target for terrorists and criminals. Abraham also felt that the wide-ranging tapping "undermined financial markets by compromising confidentiality, trade secrets and intellectual property". Vulnerabilities would have to be built into the existing cyberinfrastructure to make way for the surveillance system. Abraham contends that attackers will target India's "patchy infrastructure" that may not be able to handle a complex web of surveillance and networks. Abraham also advised Indians to "stop using proprietary software, shift to free/open source software" and "encrypt all sensitive Internet traffic and email using software like TOR and GNU Privacy Guard".

Pranesh Prakash, director of policy at the Centre for Internet and Society, warned that, "In the absence of a strong privacy law that promotes transparency about surveillance and thus allows us to judge the utility of the surveillance, this kind of development is very worrisome. Further, this has been done with neither public nor parliamentary dialogue, making the government unaccountable to its citizens." Pavan Duggal, a Supreme Court advocate specialising in cyberlaw, stated that the "system is capable of tremendous abuse" and "even legitimate conversations could end up being tracked". Mishi Choudhary, executive director, Software Freedom and Law Center stated that, "There has been no public consultation on this issue. No one knows what they have proposed or whether it has parliamentary mandate. We don't even have empirical data on phone tapping from the government. It's like a black hole."

Human rights activist Neingulo Krome described CMS as "a threat to democracy" and also felt that the agencies involved could "soon challenge the authority of the government itself".

Other reactions
The Indian wing of hacktivist group Anonymous announced a multi-city protest against CMS, terming it, "the Indian prism". However, the protests were not successful.

The CMS has mainly been criticized by the public for the lack of public information and debate, before its implementation. Many have expressed concern that the system could lead to violations of individual liberty, in the absence of privacy laws.