Network security agreements that Reliance Communications and VSNL signed with U.S. government departments oblige them to share data carried on their infrastructure and assist the U.S. in its surveillance programme. By SAGNIK DUTTA in New Delhi
EVEN as the storm set off by the whistle-blower Edward Snowden’s revelations about the United States’ elaborate electronic surveillance programme is raging, a set of documents accessed by Frontline highlight the involvement of two major Indian telecom companies in assisting the U.S. in carrying out the programmes.
A series of Network Security Agreements (NSAs) entered into by various U.S. government departments with foreign communications infrastructure providers from 1999 to 2011 allowed the U.S. access to a considerable amount of data flowing through the cables of these companies.
Reliance Communications Limited and the erstwhile Videsh Sanchar Nigam Limited (VSNL), which is now called Tata Communications Ltd, signed network security agreements with the U.S. in November 2007 and April 2005 respectively. The U.S. government departments that were party to this agreement include the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), the Department of Justice (DoJ), and the Department of the Treasury.
A close analysis of these agreements reflects an elaborate attempt to control and monitor the flow of information through physical infrastructure owned by these companies. A similar pattern is observed in the agreements in terms of the mechanisms that are put in place to not only control and monitor transactional and other information of subscribers, but also protect access to the same by foreign governments and even the management of the company. The agreements also attempt to control foreign ownership of telecom companies. This illustrates attempts by the U.S. to dominate the cyberspace.
These agreements have significant ramifications for cybersecurity policy in India. A significant amount of Internet traffic across the world, including from India, flows through the U.S. Internet infrastructure. The existence of such agreements makes such data available to U.S. government departments. What is noticeable in these agreements is the degree to which foreign control of the telecom companies is monitored and curbed.
Speaking to Frontline, Prabir Purkayastha, chairman of Knowledge Commons, a body involved with Internet and free software issues, said: “The attempt to gain control of telecom infrastructure through surveillance is significant as 80 per cent of the Internet traffic is routed through the U.S. Also, the contrast between India and the U.S. in terms of telecom policy is significant. While India is calling for lifting the ceiling on FDI [foreign direct investment] to 100 per cent, the U.S. is exercising considerable control over the functioning of telecom companies.”
On July 22, The Hindu reported that National Security Adviser Shivshankar Menon, in an internal note, called for international cooperation to counter cyber attacks. The note reportedly mentioned that the security agencies of the U.S. and the United Kingdom were “extremely stingy” in sharing information.
Reliance Communications’ agreement
An agreement signed by Reliance Communications Limited and its subsidiaries (Reliance Gateway Net Limited, Yipes Holdings Limited and FLAG Telecom Group Limited) with the DoJ and the DHS (referred to as USG parties) in November 2007 provides that the communications service providers will provide technical or other assistance upon lawful request to facilitate electronic surveillance relating to domestic communications infrastructure.
It is significant to note in this context that at the time of signing this agreement, Yipes catered to financial, legal, government, educational and health-care industries through a network of more than 22,000 route kilometres of optical fibre and associated equipment across 17 major U.S. metropolitan markets. The agreement also mentions that Yipes had points of presence (PoPs) in London, Tokyo and Hong Kong and was in the process of deploying additional PoPs in Frankfurt, Toronto and London. Reliance Communications completed its acquisition of Yipes in December 2007. The acquisition was announced in July.
Article 2, the key section of the agreement, clearly outlines the obligations of the company regarding storage of information on domestic communications. Section 2.4 states that unless otherwise agreed to by the parties, Yipes shall store domestic communications, transactional data, subscriber information, billing records, domestic network and domestic network management information exclusively in the U.S. Article 2.5 of the agreement clearly puts an obligation on Yipes to share such information on request with the U.S. government authorities. On a request made by a government authority, Yipes will have to provide any information in its possession and such information shall be stored exclusively in the U.S.
The agreement envisages an elaborate security framework to guard zealously this information accessed by the service providers. It states that within 10 business days of the effective date, Yipes shall designate a security officer to act as a point of contact between the USG parties regarding compliance with this agreement. Article 3.1 of the agreement says that the security officer will have to be a resident U.S. citizen, hold a U.S. security clearance and possess the authority to enforce the agreement. The security officer is given considerable powers and access to information.
The agreement states that the security officer “shall have access to all information necessary to perform his or her duties, including, without limitation, security-related and technical information and business information, including but not limited to information regarding the existing and emerging products and services of Yipes and business plans of the communications service providers affecting Yipes’ ability to perform its obligations under this agreement”. It further states that if any action of the security officer is blocked or if he is denied relevant information, the officer shall immediately report the fact to the USG parties within five days of such an incident occurring.
Further, Article 3.10 of the agreement provides that Yipes, upon a request from the USG parties, shall provide the name, date of birth, and other relevant requested information of each person who regularly handles or deals with sensitive information. Also, the company is bound by the agreement not to disclose sensitive information to any third party, including those who serve in a supervisory, managerial or executive role with respect to the employees working with the information (Article 3.11).
Article 4 of the agreement outlines attempts to manage the structure of the company and exert considerable control over ownership by foreign entities. Article 4.2 of the agreement says that a member of the management of Yipes acquiring information about a foreign entity acquiring ownership in the company or the domestic communications infrastructure above 10 per cent shall notify Yipes in writing within 10 business days. Also, Article 4.3 of the agreement states that if any foreign government or foreign government-controlled entity participates in the management of the company in a way so as to interfere with Yipes performing the terms of the agreement, then a member of the management aware of such developments will notify the USG parties within 10 business days of the timing and nature of the foreign government’s plans.
Article 4.7 allows the USG parties to visit any time any part of the domestic communications infrastructure and Yipes’ security offices to conduct on-site reviews regarding the implementation of this agreement.
Article 7.3 of the agreement says that violation of any obligations of this agreement shall be considered irreparable injury and monetary relief will not be adequate remedy. The agreement states that the USG parties shall be entitled “to any remedy available to law or equity, to specific performance and injunctive or other equitable relief”.
A detailed questionnaire addressed to Reliance Communications remained unanswered at the time of writing this report.
Agreement with VSNL
A similar agreement was signed between VSNL and the U.S. government departments which also provided an elaborate framework of surveillance in collaboration with the telecom company. The agreement was signed by VSNL and its subsidiaries (VSNL America and VSNL Telecommunications (U.S.), or VSNL U.S.) with the DoJ, including the FBI and the DHS, and the Department of Defence, collectively referred to as the “Parties”, between April 5 and 7, 2005. This was to be followed up by an agreement, dated July 25, among VSNL, VSNL Telecommunications (Bermuda) Ltd and Teleglobe International Holdings Ltd and affiliated entities to facilitate the filing of applications with the Federal Communications Commission (FCC) for authorisation to assign and transfer control of certain licences granted by the FCC. (VSNL acquired Teleglobe in July 2005.)
The agreement provides the U.S. government departments a mechanism for seamless and holistic access to information flowing through the physical infrastructure of VSNL and Teleglobe. Article 1.3 of the agreement says that VSNL shall ensure that all domestic telecommunications routed over the Teleglobe network shall not be routed outside of the U.S. and/or Canada except in emergency situations such as a natural disaster. The agreement also grants the U.S. government departments unimpeded access to information concerning technical matters and physical management or other security measures and the right to ensure compliance with its terms.
Article 2.1 states that all domestic communications infrastructure shall at all times be located in the U.S. and it shall pass through the facility of VSNL America or VSNL U.S. located in the U.S. from which electronic surveillance can be conducted. As per Article 2.3, these two entities are obliged to store domestic communications, wire or electronic communications, transactional data, subscriber information, billing records of customers who are U.S.-domiciled, and network management information.
This agreement also provides a similar elaborate security apparatus to enable electronic surveillance and access to sensitive information. Article 3.2 of the agreement states a security officer shall review visits by non-U.S. persons to any domestic communications infrastructure. A written request for approval of a visit was to be submitted to the security officer no less than seven days prior to the date of the proposed visit. Article 3.8 also talks about points of contact to be assigned to VSNL America and VSNL U.S. security offices who shall be available for 24 hours a day, seven days a week, and shall be responsible for maintaining the security of classified, sensitive and controlled unclassified information. The two companies are also obliged to comply with any request from the U.S. government authorities for a background check or a security clearance process to be completed for a designated point of contact. The U.S. government departments are also given considerable powers regarding the appointment and screening of security officers handling sensitive information.
The clauses of Article 3.14 clearly point to the degree of penetration that this agreement allows to the U.S. government departments. It states: “Upon request, VSNL America or VSNL U.S. shall provide to the investigation services of DHS, DOJ, FBI, and DOD, or in the alternative, to the investigation service of the United States office of Personnel Management (‘OPM’), all the information it collects in its screening process of each candidate.”
This agreement also states that the breach of the terms will entail “irreparable injury” (Article 4.3) caused to the U.S. government departments and they will have the right to any other remedy available at law, to “specific performance and injunctive or other equitable relief”.
An e-mail questionnaire to Tata Communications about the agreement did not elicit any response at the time of writing this article.
The existence of these agreements highlights the concerted attempts by the U.S. government departments to appropriate global telecom infrastructure to establish dominance in the cyberspace.
The involvement of two major Indian telecom companies in this elaborate framework of surveillance in collaboration with U.S. government departments has significant implications for cyber security policy in India. The larger question facing the advocates of Internet democracy and privacy in communication is whether the Indian telecommunications companies will be similarly appropriated by an overzealous Indian government to obtain information about unsuspecting citizens and eventually as an instrument to control and monitor forms of dissent both in the real and in the virtual world.