In May, a weekly cabinet meeting was under way on the fourth floor of Vallabh Bhawan, seat of the Madhya Pradesh Government, when Chief Minister Shivraj Singh Chouhan dropped a bomb. He told the ministers to speak carefully over the phone as the devices were being tapped. The room went quiet. After the meeting, the ministers asked each other who would dare tap their phones when the BJP was in power in state and Centre.
Chouhan's information came from a reliable source—one who had given raging migraines to the BJP leadership and to the government earlier. Indore-based cyber expert Prashant Pandey is MP's own Edward Snowden. Interestingly, both worked for law enforcment agencies before becoming whistleblowers.
Pandey has reportedly worked with the police and investigating agencies of Maharashtra, Delhi, Madhya Pradesh, Chhattisgarh, Bihar, Jammu, Rajasthan and Karnataka. He was reportedly consultant on digital forensics, advance surveillance and security devices to the military, departments of sales tax, central excise and income tax, and the Intelligence Bureau.
Pandey hit the limelight when he produced incriminating evidence against Chouhan in the Vyapam scam case. In MP, entrance exams for medical, engineering and other professional courses is conducted by the state professional examination board. Its Hindi acronym is Vyapam. Established in 1982, the board conducts 36 exams for entrance and recruitment annually. It had earned a reputation of being clean and apolitical.
Since 2008, Vyapam conducted recruitment exams for teachers, police sub-inspectors and constables, forest guards, jail guards and food inspectors, and to multiple posts in the excise department, transport department and dairy federation. These exams and subsequent entrance exams were scam-ridden, said civil rights activist Dr Anand Rai in a complaint to the Indore Police in 2013.
The complaint blew the top off a huge scam, which is now being investigated by a special task force supervised by the MP High Court. Till date, 55 FIRs have been registered in the case; charge-sheets have been filed in 28 cases. The accused—2,530 of them—include two state ministers; a governor and his son, who died recently; three IAS and two IPS officers and owners of medical colleges. The charge-sheets and statements of the accused have thrown up high-profile names like those of Union Minister Uma Bharati, former RSS chief K.S. Sudarshan and senior RSS leader Suresh Soni.
So far, 1,983 people have been arrested; 543 accused are absconding. The High Court has refused bail to those in custody and appointed 20 special courts for prosecution. Over 36 accused died in suspicious circumstances; all the deceased were between 25 and 40 years of age.
Pandey turned over a hard disk containing names of alleged beneficiaries of the Vyapam scam. For his troubles, he has faced life threats twice and was jailed for possessing “illegal information”. The charges did not hold up in court. The courts also admitted all the evidence he submitted in the case. The Delhi High Court has now ordered the state police to provide 24-hour security cover for him.
So, when Pandey blew the whistle on a tapping scandal, the least Chouhan could do was to alert his cabinet colleagues. Pandey said that Spundan, an IT firm with two offices each in Indore and Salt Lake City, Utah, US, was analysing and selling telephone records through its Indore office. On its website, Spundan claims that it “provides IT based solutions and consultancy services to the globe around”.
In reality, the IT solution it provided was call record analysis (CRA). Very popular among the police and law enforcement agencies, the price of the Spundan CRA package ranged from Rs5,000 to Rs5 lakh a month, depending on the subscriber's requirements.
Subscribers could reportedly access details of mobile phone users all over India. Sources said that while the basic package (CRA-I) offered bare details like name, date of birth and address of cell phone users, the premium package (CRA-II) provided alternate mobile or land line numbers, call history and current location of the device.
The storm broke when Pandey approached the Supreme Court seeking a CBI enquiry into Spundan and its clients. Apparently, the CRA took off in 2008, when Spundan got the support of a few godfathers—serving and retired top cops and a director (vigilance) of BSNL. The godfathers used their clout to access national databases, which were then linked to the Spundan server.
The CRA was designed to create personality profiles based on call records. Based on the location of the device and the call history, the CRA would provide vital information like where the individual spent most of his day or night, places or establishments the user visited and comprehensive data on people who were frequently in touch with the user.
Pandey says that Spundan cheated its subscribers, too. For example, law enforcement agencies used the CRA service for probes. The police can obtain call records from mobile phone service providers, provided an officer of at least the rank of superintendent of police approves the request. But, the records by themselves are useless.
So, after sourcing the call records data from the service providers, the police would hand it over to Spundan, which would upload it to its server and generate an analysis, including a map of the suspect's movement. Even after the analysis was handed over to the client, the raw data would remain on Spundan servers. The data, ethically and legally, did not belong to Spundan. But, Spundan allegedly kept the data and sold it to investigators, telemarketers and whoever else who paid up. Pandey alleges that the data was even used to blackmail people.
At one point, allegedly, around 4,000 policemen were subscribers of the Spundan CRA. Several officers of the Madhya Pradesh police bought two subscriptions—official and personal. According to a ballpark figure, Spundan received at least Rs2 crore as monthly subscription fee from police subscriptions alone.
Even bookies and traders in futures subscribed to CRA. A cricket bookie arrested by Rajasthan police had the CRA software installed on his laptop. A source said that this simply meant that even a bookie had real-time access to where a top cop or even Chouhan was and whom they were talking to.
Information stored on the Spundan server included location of vital telecommunication infrastructure. Pandey said that foreign intelligence agencies would pay top dollar for the information. Because, in the eventuality of a war, a few well-placed strikes could then shut down telecommunications nationwide. In his submission before the Supreme Court, Pandey said that the snooping scam had escalated from invasion of privacy to threat to national security.
Surendra Sinh, director general of police, MP, told THE WEEK that he was not aware of any company involved in snooping. “We never seek any information illegally,” Sinh said. However, Pandey said that with the petition to the Supreme Court he had attached receipts issued by Spundan. The receipts were proof that the MP anti-terrorist squad, the special task force and top cops in the districts had subscribed to Spundan's CRA.
It is feared that the snooping was done illegally by politicians and bureaucrats with political and commercial interests. The state intelligence and police might have been kept out of the loop because the official procedure involves checks and balances. After the issue came to light, Spundan's offices in Indore were closed and multiple calls to the official numbers went unanswered.
Interview/ Prashant Pandey
No checkpoint in the software
When did you come to know about this software and about its capabilities?
I first saw the software in 2011-12 and used it many times while working with the police and the anti-terrorism squad. It took me some time to study all functions including source codes, location of data server, clients/user records, IP addresses and the like. While data mining the server, I have come across IP addresses from various locations on the globe.
How can you prove that around 4,000 policemen are using this application?
In 2012-13 the number of registered users on Spundan's local server was 4,647. This is as per the server registry of user records. Among them, around 3,970 were using government IP addresses, mostly from the home department. There could be a margin of error of 2 to 3 per cent in my calculation.
You have mentioned the fee paid to Spundan. How can you prove that?
The amount mentioned is based on the payments made by majority of users in the state. It is very clearly visible in audit reports, government bank statements, treasury records, district police office bank accounts and receipts from Spundan.
In your petition you said judges, bureaucrats and journalists were being spied upon.
The server has the entire database of almost all telecom service providers in the country. I had given a sample of names available on the server to the court. There is no check point in the software, hence it almost impossible to identify who snooped on whom.
Non-governmental players use this application?
I have remotely accessed laptops of bookies and seen this software with them. For bookies, this is the jackpot. Their entire business is based on mobile phone numbers. Their customers have no anonymity now! I know a few bookies who complained about this software to the MP cyber cell, but to no avail. The Rajasthan Police arrested a popular bookie and dummy MCX operator 'Amit Soni/Sanwer' with a laptop on which this software was installed.
You said the software is a threat to national security.
The software offers all details of everyone ranging from nuclear scientists to ministers to bureaucrats to military officers and judicial officers! People can join on recommendation of existing users or by paying a Spundan representative a hefty fee.
You have demanded a CBI inquiry.
I wanted the courts and the CBI involved. I’ve also added the Director General of Military Intelligence as a respondent in the petition.
Does Spundan have links to the Vyapam scam?
I got some call history files related to the Vyapam scam from the same server.