Digitally Anonymous

Digital technology has made it nearly impossible to determine the sender, content and recipient of e-mails and SMS messages; the government needs to invest in R&D to stay ahead of terrorists.

By Ravi Visvesvaraya Prasad

The Special Cell of the Delhi Police and the Special Task Force of the Uttar Pradesh Police did extremely well to trace, within a couple of hours, the e-mail which had warned some television stations of the bomb blasts in Lucknow, Varanasi and Faizabad. Every e-mail carries in its header a chain of “Received” lines, one stamped by each mail server that handled the message, recording the IP (Internet Protocol) address of the machine that handed it over and the time. The earliest genuine line, stamped by the sender’s webmail or mail provider, records the address from which the message was submitted; from that address and timestamp, the Internet Service Provider (ISP) which owns the address can determine which group of computers or which location was using it at that moment. Lines below the last one stamped by a trusted server can be fabricated by the sender, so the investigator must establish where the trustworthy part of the chain ends. In this case, the e-mail was traced to a cyber café in Laxmi Nagar in East Delhi, but the security agencies are yet to determine which of the ten computers in the café was used, since the header identifies the café’s connection and not the individual machine behind it.

Since the Indian intelligence agencies have become quite expert at tapping cellular phones and tracking calls originating from neighbouring countries, terrorists have relied more on e-mail to communicate and coordinate attacks. After some terrorists were caught in the late 1990s because the e-mails they sent had been intercepted, they adopted the following strategy.

A group of terrorists create a throwaway webmail address on Hotmail or Yahoo, and agree on a password. They then disperse to different cities. When they need to communicate, the sender logs in from a cyber café, types his message, but instead of e-mailing it, he saves it in the “Drafts” folder. The intended recipient, in a different city, logs in at a cyber café with the same password, and reads the saved message. Since the message is never transmitted from one mail server to another, there is no e-mail in transit for the ISP to intercept; the only traffic is an ordinary web session between the cyber café and the webmail provider, indistinguishable from any other user reading his mail. It is a Herculean task for the intelligence agencies to monitor every webmail address that has been created, especially one from which no messages are sent or received, and to crack its password.

Several terror groups are also reported to have used steganographic techniques since the late 1990s. Steganography is the science of concealing a message (usually one that has already been encrypted) within an innocuous cover file, such as a video, audio, picture or music file, in such a manner that an interceptor or any other recipient of the cover file would not even suspect that a message was hidden within it. Middle Eastern groups were reported by American intelligence agencies to be hiding their messages within pornographic and sports images and movies, as well as in music files, and using heavily-visited electronic chat rooms and bulletin boards as ‘drop sites’. The intended recipient would download the file, extract the hidden message and decrypt it. To everyone else who downloaded that file, it would seem to be an innocuous image or music clip.

There are several inexpensive or free steganographic packages available, with which messages can be concealed within cover or carrier files. Packages that combine technical excellence with an eye for human psychology, so that the carrier itself arouses no suspicion, include Texto, which converts messages into blank verse poetry, and Spam Mimic, which encodes messages into what looks like a junk e-mail.
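As an added illustration of the technique described in the two preceding paragraphs (this is example code written for this edition, not code from the article or from any of the packages it names), the following Python hides an encrypted message in the least-significant bits of an image’s samples, recovers it, and then runs the crude histogram check a steganalyst would apply to the carrier. The cover “image”, the message and the key are constructed for the example, and the stream cipher is a toy standing in for the real encryption a group would use.

```python
import hashlib
import random
import struct

# Constructed 8-bit grayscale "cover image" of 4096 samples, not a real file.
# Even values are made far more common than odd ones, standing in for the
# uneven value histogram of a natural photograph.
_rng = random.Random(2007)
COVER = bytes(2 * _rng.randint(0, 127) + (1 if _rng.random() < 0.2 else 0)
              for _ in range(4096))
MESSAGE = b"Meet at the usual place at six. Bring the second package. " * 8
KEY = b"assumed-shared-secret"   # assumption: agreed beforehand, like a shared webmail password


def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode), used here only so that the
    hidden payload has random-looking bits, as an encrypted message would.
    A real deployment would use a proper cipher such as AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">Q", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def embed(cover, payload):
    """Overwrite the least-significant bit of successive cover samples with a
    4-byte big-endian length prefix followed by the payload bits."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload needs %d samples, cover has %d" % (len(bits), len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit    # keep the top 7 bits, replace the LSB
    return bytes(stego)


def _read_bytes(samples, start, count):
    """Reassemble `count` bytes from the LSBs of samples starting at `start`."""
    out = bytearray()
    for n in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (samples[start + n * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Recover the payload: read the length prefix, then that many bytes."""
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, 4))
    return _read_bytes(stego, 32, length)


def lsb_pair_asymmetry(samples):
    """Crude steganalysis statistic, normalised to the range 0..1: how unequal
    the occupancy of each value pair (2k, 2k+1) is. A natural image scores well
    above zero; overwriting LSBs with random-looking bits evens the pairs out
    and pushes the score toward zero, which is what the chi-square attack on
    "pairs of values" formalises."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    return sum(abs(hist[2 * k] - hist[2 * k + 1]) for k in range(128)) / max(1, len(samples))


def run_demo(cover=COVER, message=MESSAGE, key=KEY):
    """Encrypt, embed, extract, decrypt, and score cover and stego carrier."""
    stego = embed(cover, keystream_xor(key, message))
    recovered = keystream_xor(key, extract(stego))
    return {
        "recovered": recovered,
        "changed_samples": sum(1 for a, b in zip(cover, stego) if a != b),
        "asymmetry_cover": lsb_pair_asymmetry(cover),
        "asymmetry_stego": lsb_pair_asymmetry(stego),
    }


if __name__ == "__main__":
    r = run_demo()
    print("message recovered:", r["recovered"] == MESSAGE)
    print("samples changed: %d of %d" % (r["changed_samples"], len(COVER)))
    print("pair asymmetry cover=%.2f stego=%.2f" % (r["asymmetry_cover"], r["asymmetry_stego"]))
```

Two points follow from running it. Only about half the samples carrying the message change at all, and each changes by one grey level, which no viewer can see; that is why an interceptor looking at the picture learns nothing. But the statistics of the carrier do change: the cover scores around 0.6 on the pair-asymmetry check and the stego file drops to well under 0.3, because the encrypted payload’s bits are evenly split between 0 and 1. This is the weakness that packages such as the ones named above try to avoid by choosing carriers, or text formats, in which the embedded data does not stand out statistically.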

A security analyst recounted the case of a suspected Islamic militant. The FBI in the US, which had placed him under surveillance using its Internet Packet-Sniffing tool Carnivore, was intrigued that while he kept e-mailing photographs of his family to e-mail addresses that appeared to be those of relatives, he never received any replies. He was found to be sending instructions to his agents using an inexpensive Steganos package, which was undetectable by FBI’s Carnivore.

What has intrigued Indian intelligence agencies in the UP blasts case is that it was probably one of the first instances in India when a warning was issued, albeit only a couple of minutes in advance. The two Yahoo addresses from which the two e-mails were sent had been created just a day earlier, for the sole purpose of issuing these warnings, and from the same cyber café. It is not yet known whether sending an e-mail whose origin could be traced was an oversight by the terrorists, or a deliberate ploy to throw the police off their trail, since it is possible to disguise the address from which an e-mail appears to originate. But the former appears more probable.

But more importantly, even the most meticulous forensic work by the intelligence agencies can come to naught if the courts do not accept its validity. Sections 65A and 65B of the Indian Evidence Act govern how electronic records are proved in court: Section 65A provides that their contents may be proved only in accordance with Section 65B, and Section 65B lays down the conditions under which a computer output is admissible, including a certificate identifying the record and the device which produced it and attesting that the computer was operating properly. These are stringent conditions on the collection, storage and presentation of electronic evidence. In the hurry and chaos of collecting evidence from blast sites, the police may not be able to comply with them, and the courts would then have no option but to disregard such evidence. Since digital evidence is easy to fabricate and plant on a suspect, a good defence lawyer can allege that the evidence was fabricated, and it would be almost impossible for the prosecution to prove, beyond reasonable doubt, that it was not.

With IP (Internet Protocol) telephony, it is easy to fabricate or spoof the sender’s calling number. In many IP phone systems, the caller can enter any number that he likes as the calling number to show up in the receiver’s CLI (Calling Line Identification). In the last few years, many Indian telecom operators have been misusing this facility to pass off incoming calls originating from overseas as domestic calls to avoid paying settlement fees and access deficit charges. This caused alarm among Indian intelligence agencies that the foreign callers would be impossible to trace with legal standards of certainty. Many readers would have received calls where the CLIP just shows +301 as the calling number, instead of the true calling number.

It is also possible to forge the header lines from which an e-mail appears to originate, so that a casual reading of the header points at an innocent machine. There are also several anonymizer services and packages which hide or change a web-surfer’s IP address by relaying his traffic. Alternatively, a terrorist can route his traffic through an anonymity network such as Tor, which passes each connection through several volunteer relays so that no single relay knows both the source and the destination, making the path practically impossible to trace. In a recent case, an innocent person was arrested in Bangalore and kept in jail for over ten months because the police were given a wrong IP address by the ISP.
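The header tracing described at the start of the article, the forging of origin lines mentioned here, and the point made below about e-mail-to-SMS gateways accepting any sender address, can all be seen in one place with the following Python example. It is added for this edition and is not code from the article or from the police investigation; the message, host names, IP addresses (all taken from documentation ranges) and the list of servers treated as trusted are constructed for illustration.

```python
import email
import re

# Constructed sample message (not a real trace). The webmail provider's front
# end (web101) stamps the cyber cafe's public address when the message is
# submitted over HTTP; every relay after it adds its own Received line on top.
RAW_MESSAGE = b"""\
Received: from mx2.example-tv.test (mx2.example-tv.test [198.51.100.7])
\tby mailstore.example-tv.test with ESMTP id q8abc
\tfor <newsdesk@example-tv.test>; Tue, 20 Nov 2007 12:03:12 +0530
Received: from web101.mail.example.test (web101.mail.example.test [203.0.113.9])
\tby mx2.example-tv.test with ESMTP id k1xyz;
\tTue, 20 Nov 2007 12:03:10 +0530
Received: from [192.0.2.45] by web101.mail.example.test via HTTP;
\tTue, 20 Nov 2007 12:02:58 +0530
From: "Anyone" <anyone-you-like@example.test>
To: newsdesk@example-tv.test
Subject: warning

body text
"""

# The same message with a sender-supplied Received line at the bottom, which is
# where a forged line ends up, since genuine servers only ever prepend.
FORGED_MESSAGE = RAW_MESSAGE.replace(
    b"\nFrom: ",
    b"\nReceived: from mail.innocent.test (mail.innocent.test [198.18.0.1])"
    b"\n\tby relay.somewhere.test with ESMTP; Mon, 19 Nov 2007 23:59:59 +0530"
    b"\nFrom: ",
    1,
)

# Assumption: servers whose Received stamps the investigator can check against
# their own logs, i.e. the TV station's and (with its cooperation) the provider's.
TRUSTED_SUFFIXES = ("example-tv.test", "mail.example.test")

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def received_hops(raw):
    """Return the Received headers, newest first, as dicts giving the host that
    handed the message over ('from'), the host that stamped the line ('by') and
    the first bracketed IP address on the line."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(text)
        ip = IP_RE.search(text)
        hops.append({
            "from": m.group(1).lower() if m else None,
            "by": m.group(2).lower() if m else None,
            "ip": ip.group(1) if ip else None,
            "raw": text,
        })
    return hops


def _trusted(host, suffixes):
    return host is not None and any(host == s or host.endswith("." + s) for s in suffixes)


def origin_ip(raw, trusted_suffixes=TRUSTED_SUFFIXES):
    """Walk the chain from the newest hop downward and stop at the first line
    that was not stamped by a trusted server, or that does not fit the hop
    above it (the 'from' of hop i must be the 'by' of hop i+1). The address on
    the last trusted line is the best origin evidence; everything below it was
    written by the sender and proves nothing."""
    origin = None
    handed_over_by = None
    for hop in received_hops(raw):
        if not _trusted(hop["by"], trusted_suffixes):
            break
        if handed_over_by is not None and hop["by"] != handed_over_by:
            break
        origin = hop["ip"] or origin
        handed_over_by = hop["from"]
    return origin


def claimed_sender(raw):
    """The From line: typed freely by the sender, so it identifies nobody."""
    return email.message_from_bytes(raw)["From"]


if __name__ == "__main__":
    for name, raw in (("genuine", RAW_MESSAGE), ("forged", FORGED_MESSAGE)):
        print(name, "claims to be from", claimed_sender(raw))
        for hop in received_hops(raw):
            print("  ", hop["from"], "->", hop["by"], hop["ip"])
        print("   origin:", origin_ip(raw))
```

For both messages the walk ends at the line stamped by the provider’s web front end and yields 192.0.2.45, the café’s public address, which is what the ISP would then be asked to map to a subscriber and a time. The forged line at the bottom of the second message names an innocent host but is ignored, because the server that supposedly stamped it is one nobody can vouch for. The From line, like the sender field of an e-mail-to-SMS gateway, is simply whatever was typed.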
In some of the newer cellular phones, it is possible to fabricate or edit SMS messages and claim that they were sent by a particular party. This was not easy to do in the earlier generation of phones. The method is: 1) copy all the SMS messages from the phone to a computer using a data cable and the appropriate software; 2) edit them on the computer using any text editor, where even the time and originating number can be changed; 3) erase the messages from the phone and reset it to its factory settings using the CD that came with the phone; 4) copy the altered messages from the computer back to the phone. This procedure is almost impossible to detect, and if the time and originating number are left unchanged, the altered messages will still correlate perfectly with the cellular operator’s records, which ordinarily log only the time, the numbers involved and the size of each message, not its content. So the recipient can allege that she received a threatening or obscene SMS from the sender, when she may in fact have received a benign one, and it would be impossible for the accused sender to prove his innocence.

In the Pramod Mahajan murder trial, this is what Sarangi Mahajan alleged when she claimed that an SMS sent by Pravin Mahajan to Pramod Mahajan had been tampered with. This procedure was demonstrated to the court by the defence team.

It is even easier for the sender of an SMS to hide his identity by using any of the hundreds of inexpensive or free Email-to-SMS gateways such as smsxchange.com or smsjunction.com or sms.ac. The sender can enter any email address that he likes in the “Sender’s Field”.
It is for these reasons that Section 88A of the Indian Evidence Act states that courts cannot make any presumptions about the purported sender of an electronic message. Section 88 A states: “The court may presume that an electronic message forwarded by the originator through an electronic mail server to addressee to whom the message purports to be addressed corresponds with the message as fed into his computer for transmission but the court shall not make any presumption as to person by whom such a message was sent.”

The onus of proof is on the prosecution to prove that the purported sender is really the person who indeed did send the message. Section 67 A of the Indian Evidence Act, “Proof as to Digital Signature”, states: “Except in the case of a secure digital signature, if the digital signature of any subscriber is alleged to have been affixed to an electronic record the fact that such digital signature is the digital signature of the subscriber must be proved.”

Further, even a secure digital signature must be proved. Section 73 A of the Indian Evidence Act states:
“In order to ascertain whether a digital signature is that of the person by whom it purports to
have been affixed, the Court may direct —
a) that person or the Controller or the Certifying Authority to produce the Digital Signature Certificate;
b) any other person to apply the public key listed in the Digital Signature Certificate and verify the digital signature purported to have been affixed by that person.”
Moreover, Section 47A states: “When the court has to form an opinion as to digital signature of any person, the opinion of the Certifying Authority, which has issued the digital signature certificate is a relevant fact.”
Since it is highly unlikely that a terrorist would obtain a digital signature certificate from a licensed Certifying Authority, it would be practically impossible for the police to prove that a terrorist did indeed send a message.

Moreover, in view of the ease with which not just the identity of the sender can be forged but even the contents can be altered, it may be necessary to modify Section 88 A so as to make no presumption as to both the content and the sender of an electronic message.

Further, digital photographs, videos and audio tracks are extremely easy to morph or alter with little chance of detection. Many forgers have been detected only because they made the human error of not making the lighting and brightness consistent across the fabricated photograph.
In the 2001 Parliament Attack case, there were several inconsistencies in the digital evidence of the cellphone records of the accused, especially the SIM (Subscriber Identity Module) and IMEI (International Mobile Equipment Identity) numbers of the handsets, and the defence team alleged that the evidence had been fabricated or tampered with. Cloning of GSM SIM cards, at least the older ones using the weak original COMP128 authentication algorithm, and of CDMA handset identifiers can be done easily. It is even possible to fabricate or spoof the IMEI number of a GSM handset, although this procedure is more complicated and expensive.
Moreover, in the Haren Pandya murder case, much of the electronic evidence of his cellphone records has been destroyed and is being reconstructed. Cellular phone operators typically retain call data for only a few months, since it is too expensive for them to store call records indefinitely. Since the trial court did not order the cellphone operator to produce Pandya’s call records, these were destroyed as a matter of routine. After several years, when the court called for these records, the cellular operator tried to reconstruct them but succeeded only partially. The defence has cast doubt on the validity and authenticity of this partial reconstruction.

In USA, Johns Hopkins University has been developing several technologies for use by US courts for determining the authenticity and validity of electronic evidence. It is high time that the Indian government sponsored such research by Indian universities and the Indian Institutes of Technology. Luckily, this process has just begun.

In order to ensure cyber security, the Indian government has established CERT-In, the Indian Computer Emergency Response Team, in collaboration with the CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute, a federally funded research centre in the US. But the capabilities of CERT-In need to be developed greatly. The Home Ministry has also asked the Indian Institute of Technology, Kanpur, to develop an “Internal Security Centre”, modelled on the USA’s Department of Homeland Security. This project envisages a huge computer network which will contain detailed data on each and every individual in India, including all his financial records and foreign visits, and which will search for any unusual or suspicious patterns of activity. But such a project would set the stage for an Orwellian Big Brother in India, would likely infringe the Fundamental Rights of Indian citizens, and is liable to be struck down by the courts.