Every day, reams of personal data flow through the subsea cable landing stations that have proliferated around India’s coast, connecting the communications of the world’s most populous country to the rest of the globe.
In each of these, innocuous-looking hardware is installed to search, copy and pump that data to Indian security agencies on demand, with the help of AI and data analytics.
These so-called lawful interception monitoring systems help make up what one industry insider calls the “backdoor” that allows prime minister Narendra Modi’s government to snoop on its 1.4bn citizens, part of the country’s growing surveillance regime.
The speed of the growth of India’s communications market has fuelled a thriving industry of companies vying to sell powerful surveillance tools. These include homegrown providers such as Vehere, as well as less well known Israeli groups like Cognyte or Septier.
Some of those links have raised alarms. Septier was also one of dozens of companies deemed a “potentially irresponsible proliferator” by the Atlantic Council in 2021, which the US think-tank defined as companies “willing to accept or ignore the risk that their products will bolster the capabilities of client governments that might wish to threaten US/Nato national security or harm marginalised populations”. Septier dismissed the Atlantic Council’s “finger-pointing” as “pure speculation”.
Four people who have worked on submarine cable projects in countries all over the world said that India is unusual in that it openly requires telecom companies, as a condition of operation, to install government-approved surveillance equipment at subsea cable landing stations and data centres.
New Delhi has said this surveillance is strictly controlled, with all monitoring requests approved by the country’s home secretary. Yet critics said these protections amount to “rubber stamping” that does little to prevent abuse.
While the lawful interception rules predate Modi, his government has enthusiastically scaled up India’s snooping powers.
Though never officially acknowledged, India has deployed the Pegasus spyware of Israeli group NSO, triggering a political scandal when the hacking tool was found on the phones of journalists and activists in 2019 and 2021. A personal data protection bill passed this month also gives authorities broad powers to bypass privacy safeguards, which critics say legislates “carte blanche” for government surveillance.
This contrasts with the approaches to surveillance elsewhere. A decade ago the Snowden leaks revealed US and UK intelligence agencies were engaged in mass surveillance via backdoor arrangements with telecoms companies — collecting and keyword searching bulk civilian communications data, rather than just that of suspects.
Since then western telecoms companies have largely resisted government pressure to install official backdoors providing unfettered access to customer data, instead asking investigative agencies to provide a court-approved warrant for targeted interception.
In India, security and law enforcement agencies must request permission on a case-by-case basis from the home secretary to access data via the monitoring equipment — but do not have to go through the courts. Civil liberties campaigners argue that these regulations are inadequate and lack judicial oversight, with the legal framework based in part on the colonial-era Telegraph Act of 1885.
In 2011 the Indian home affairs ministry said central government was issuing 7,500 to 9,000 orders every month for phone interception. Udbhav Tiwari, head of global product policy at the Mozilla Foundation, called this process “rubber-stamping exercises”.
“How much attention can the home secretary actually pay to each request?” said Pranesh Prakash, co-founder of the Bangalore-based Centre for Internet and Society, adding that the need to request permission from the home secretary is only a “procedural safeguard” that “doesn’t make clear what distinguishes between targeted and mass surveillance”.
India is not alone in having a more permissive legal interception regime. Some South-east Asian nations, and east African countries like Uganda and Rwanda, have similar interception legislation.
But the scale of India’s telecoms market has grown exponentially in recent years. The country’s economic survey last year said that wireless data usage had risen from an average of 1.24GB per person a month in 2018 to over 14GB.
“Internet capacities are growing or doubling almost every year now,” said one veteran of the lawful interception industry in India. “They keep needing to add capacity.”
This has proved lucrative for lawful interception vendors. Vehere, founded in 2006 and jointly headquartered in India and the US, advertises its “state of the art monitoring solution” that helps telecom companies “fulfil their legal obligation to intercept calls and data while maintaining maximum privacy protection”.
One person who works in the industry said surveillance products made by Israeli companies have proved more popular than their international rivals. “Israelis are more open [to doing business] compared to Europeans and Americans,” the person said.
Israel-based Septier, which was founded in 2000, has sold its lawful interception technology to telecoms groups including Mukesh Ambani’s Reliance Jio, the Vodafone Idea Indian joint venture and Singapore’s Singtel, according to a company press release.
Its technology extracts “voice, messaging services, web surfing and email correspondence” of targets, according to a promotional video on its website, and uses AI technology to search for and copy data, according to a person familiar with the matter.
“Our company’s sales to foreign entities are regulated by the Israeli authorities and all of our business is conducted in complete compliance with applicable law,” it said. It added that details about its customers and the types of products it supplies are confidential.
Israel-based Cognyte, which was spun out of software group Verint in 2021 and is listed on the Nasdaq, is another leading provider of surveillance products in India.
In 2021, Meta alleged that Cognyte was among several companies whose services were being used to track journalists and politicians in multiple countries, though it did not mention India.
The Indian government, Cognyte, Vehere, Reliance Jio and Singtel did not respond to requests for comment. Vodafone Idea said it “remains strictly compliant to licensing conditions mandated by [the] government of India and the prevailing regulations in force at any given time”.