Monday, October 14, 2013

Has India evolved its position on the NSA's spying?

This morning, India's IT Minister Kapil Sibal spoke at CyFy 2013, a cybersecurity conference organised by the Observer Research Foundation and FICCI.

During the Q&A round, Sibal was questioned once again about the interception/ theft of emails and data by the NSA from the Indian consulate in New York. He replied saying: "The Indian Embassy in New York is sovereign Indian territory. Data located there is in Indian territory." This comment followed another one he made earlier: "What is sovereign is not the power of data but the use of data... If it impacts India, then the jurisdiction should be India."

These two statements together suggest Kapil Sibal has significantly evolved his views on the NSA's spying. A few months ago, he had brushed aside questions about the NSA's spying saying, "this is not surveillance", since the NSA had only looked at "metadata" and not the actual content of emails.

(To be fair, that statement was in response to revelations about the NSA's PRISM program, which intercepted emails sent via Gmail. That said, Indian government staffers widely use Gmail for official work & the NSA knows this. Even knowing who is talking to who is in itself a major security threat as I explain in this piece.)

His new statements suggest the Indian government now views the NSA's actions as a violation of India's sovereignty. However, it also suggests the government has taken a realistic view of the incident: If the NSA spied on emails sent via Gmail, then the Indian government simply has no jurisdiction to act. Gmail afterall, is not subject to Indian laws.

However, the NSA didn't just intercept emails, it also stole data from computers located inside the consulate. I asked India's National Security Advisor Shivshankar Menon about this. I'm paraphrasing his reply: 'Look, everyone does this. But if you're going to stand in the middle of the street and shout at people, you can't complain that they are violating your privacy'.

This is another 'realist' statement. Menon isn't just saying that we can't really blame the NSA for doing what every spy agency is doing. He also seems to suggest that by trusting state secrets to Gmail servers or unsecured systems in the consulate, the fault lay with the Indian government.

This would explain why India recently announced a new email policy for its foreign service. Diplomats would now exclusively use NIC servers, which fall under Indian jurisdiction and laws.

At least publicly, the Snowden revelations seem to have taught India's government two lessons. First, there is nothing any government can do about the spying. Every country spies on its rivals. Second, it has learned that leaving sensitive information on servers outside Indian jurisdiction or on unprotected computers is a big no-no. Whether these lessons have been taken to heart will only be known by observing subsequent actions by New Delhi.