Access To Knowledge (A2K)

Your telco could help spy on you

praskrishna — 2013-07-30T06:13:07Z

Telecom minister gives approval to changes in rules for mobile licences to enable such mass surveillance.

The article by Joji Thomas Philip, Leslie D'Monte and Shauvik Ghosh was originally published in Livemint on July 30, 2013. Sunil Abraham is quoted.

Telecom companies and Internet service providers will soon help the government monitor every call made, every email sent and every website visited, with the Centre deciding to connect their networks to its automated surveillance platform known as the Centralised Monitoring System (CMS).

Communications minister Kapil Sibal has approved changes in existing rules and new clauses to be inserted in mobile licences for enabling such mass surveillance, copies of documents reviewed by Mint reveal.

	The department of telecommunications (DoT) will shortly send a letter to all telcos asking them to connect their “lawful interception system (LIS)” to the CMS “at a regional monitoring centre through an interception, store and forward (ISF) server placed in the licensee’s premises”, according to the documents. Telcos including Bharat Sanchar Nigam Ltd (BSNL), Mahanagar Telephone Nigam Ltd (MTNL), Reliance Communications Ltd, Bharti Airtel Ltd, Vodafone India Ltd and Tata TeleServices Ltd declined to comment on questions emailed in this regard.

The department of telecommunications (DoT) will shortly send a letter to all telcos asking them to connect their “lawful interception system (LIS)” to the CMS “at a regional monitoring centre through an interception, store and forward (ISF) server placed in the licensee’s premises”, according to the documents.

Telcos including Bharat Sanchar Nigam Ltd (BSNL), Mahanagar Telephone Nigam Ltd (MTNL), Reliance Communications Ltd, Bharti Airtel Ltd, Vodafone India Ltd and Tata TeleServices Ltd declined to comment on questions emailed in this regard.

“The automated process of the CMS will be subjected to the same regulatory scrutiny as is available in the present manual system under Section 5(2) of Indian Telegraph Act and Rules 419-A thereunder, with the added advantage of having a safeguard against any illegal provisioning by the telecom service providers in the present system, however, remote it may be,” DoT said in an email reply to a questionnaire with a brief on CMS.

“Safeguard has also been built against any unauthorized provisioning by having a different interception provisioning agency than the interception requisitioning and monitoring agencies thus having an inbuilt system of checks and balances. Further, a non-erasable command log will be maintained by the system, which can be examined anytime for misuse, thus having an additional safeguard,” DoT said.

The CMS was approved by the cabinet committee on security (CCS) on 16 June 2011, with government funding of Rs.400 crore. It is expected to enable the government to monitor all forms of communication, from emails to online activity to phone calls, text messages and faxes by automating the existing process of interception and monitoring. The government completed a pilot project in September 2011 under which the Centre for Development of Telematics (C-DoT) installed two ISF servers, one of them for MTNL.

“The interception services have been integrated and tested successfully for these two telecom services providers (TSPs),” the note said, referring to MTNL and Tata Communications Ltd. MTNL officials declined to comment. There was no response to queries by Tata Communications.

It added that training had been imparted to six law enforcement agencies—the Intelligence Bureau, the Central Bureau of Investigation, the Directorate of Revenue Intelligence, the Research and Analysis Wing, the Delhi Police and the National Investigation Agency.

However, the documents also reveal that the CMS project is getting delayed over technical issues such as lawful interception systems sending the intercept-related information (IRI) in “their own proprietary format”; difficulty in tracing the movement of “the target from the home network to the roaming network”; and how to independently provision voice and data interception of mobile users.

The government is simultaneously devising a strategy to counter criticism from the media and privacy lobby groups that this surveillance platform has no privacy safeguards. Mint reported on 13 July that fresh questions were raised on the CMS infringing on the rights of individuals, especially in the wake of the US government’s PRISM surveillance project.

In an internal note on 16 July to help Sibal brief the media, DoT said even as the CMS will automate the existing process of interception and monitoring “... all safeguards that are currently in place in the manual mode of interception will continue”.

The note argued that implementation of the CMS “will rather enhance the privacy of the citizens” since it will not be necessary to take the authorization (for tapping) to the nodal officer of the telecom service providers “who comes to know whose or which phone is being intercepted”. The note added that after the CMS is implemented, provisioning of interception will be done by a CMS authority, who would be different from the law enforcement agency authorities.

“The law enforcement agency (LEA) cannot provision for interception and monitoring and the CMS authority cannot see the content but would be able to provision the request from the LEA.Hence, complete check and balance will be ensured. Further, a non-erasable command log will be maintained by the system, which can be examined anytime for misuse, thus having an additional safeguard,” added the department’s note briefing the minister.

Also, acknowledging that “questions were being asked about the practices of Indian agencies and the privacy and rights of its citizens”, national security adviser Shivshankar Menon in a 23 June note to the ministries of home, external affairs and telecom, the department of electronics and information technology, and the cabinet secretary said: “Only home secretaries of the Centre and states can authorize such monitoring; orders are valid for two months, are not extendable beyond six months; records are to be maintained, use of storage is limited and a review committee of cabinet secretary, law secretary and secretary of the telecom department regularly screens all cases.”

Menon also admitted that when it came to individual privacy rights, there were “larger issues that needed serious consideration and wider consultation with industry, advocacy groups and NGOs (non-governmental organizations) as has been the case so far in the draft privacy Bill... For data protection and retention in India, however, there may be a need to consider legislation or strengthening existing legislation, as the march of technology has made most present laws irrelevant.”

Privacy experts are convinced that safeguards are needed, especially since India does not have a privacy law.

“To safeguard public interest, the government should also draft a law that will make it a criminal offence if a CMS authority is found in possession of any personal information culled through the CMS. That will prove to be a deterrent,” said Sunil Abraham, executive director of the Centre for Internet and Society, a privacy lobby body. “Also, the government must build an audit trail using PKI (public key encryption) and people as an additional safeguard.”

“As I understand it, there is also no clear statutory backing for the CMS,” said Apar Gupta, a partner at law firm Advani and Co. that specializes in information technology (IT) law. “What is important is that every tapping order should be backed by a reason. This was the case with the manual process. Will this be possible in an automated surveillance system such as the CMS?”

“What is disturbing is that there is no transparency with regard to the CMS. Everything is happening under the radar with media reports periodically giving us glimpses into the project,” he said. “A state should protect its interests but should do so in a manner that safeguards privacy and limits abuse.”

According to the Freedom on the Net 2012 report by Freedom House, an independent privacy watchdog body, of the 47 countries analysed, 19 had introduced new laws or other directives since January 2011 that could affect free speech online, violate users’ privacy, or punish individuals who post certain types of content. India, which scored 39 points out of 100 (score achieved out of 100 for censoring the Internet), was termed partly free by the report, which was released on 24 September.

Globally, 79% of the respondents in another study said they were concerned about their privacy online, with India (94%), Brazil (90%) and Spain (90%) showing the highest level of concern, according to a June survey undertaken by research firm ComRes, and commissioned by Big Brother Watch, an online privacy campaign.

For more details visit https://cis-india.org/news/livemint-july-30-2013-joji-thomas-philip-leslie-d-monte-shauvik-ghosh-your-telco-could-help-spy-on-you

Privacy Meeting: Brussels – Bangalore

praskrishna — 2013-09-12T07:56:53Z

The Centre for Internet and Society, Bangalore welcomes you to a talk on privacy by Gertjan Boulet and Dariusz Kloza on August 14, 2013, 5.00 p.m. to 8.00 p.m.

Slides from the talk can be accessed here.

Draft Agenda

Time	Detail
17.00 17.15	Brief presentation of the Research Group on Law, Science, Technology and Society (LSTS) at the Vrije Universiteit Brussel (VUB), Belgium
17.15 18.15	Session on "new tools" to protect privacy and personal data. A case-study on (European) approach to privacy impact assessment This session will provide an overview to the main findings of the projects carried out by VUB-LSTS (predominantly) with regard to privacy impact assessments (PIA), starting with the EU co-funded PIAF (“A Privacy Impact Assessment Framework for data protection and privacy rights”; 2011-2012), which reviewed existing PIA frameworks worldwide, surveyed opinions of national data protection authorities (DPAs) on an optimal PIA policy and, finally, provided a set of recommendations for PIA policy-makers and practitioners. This session will be concluded by proposing adaptation of the so-called environmental democracy to the needs and reality of privacy. The points in this session will be contrasted with the experience of India.
18.15 18.45	Session on co-operation of data protection authorities "Improving Practical and Helpful cooperation between Data Protection Authorities", 2013-15. This session will provide a preliminary analysis of the (legal) factors that pose as obstacles to and/or encourage co-operation between DPAs worldwide in enforcing privacy and data protection laws. Such an analysis aims at creating a 'wish-list', i.e. at identifying what measures could be taken to reduce barriers and to further foster co-operation. This session will be concluded by discussing what DPAs' can learn about co-operation from European and international competition law. The points in this session will be contrasted with the experience of India.
18.45 19.00	Break
19.00 19.15	Small session on big data The focus of this session will be on the challenges posed to sovereignty by cross-border law enforcement access to big data. The Belgian Yahoo-case will be discussed as it is emblematic of a reality with broad national claims to access data in a trans-border context. Indian perspectives on this topic will be taken into account.
19.15 20.00	Open discussion

Materials

Wright, David, Kush Wadhwa, Paul De Hert, and Dariusz Kloza, A Privacy Impact Assessment Framework for Data Protection and Privacy Rights, 2011. http://piafproject.eu/ref/PIAF_D1_21_Sept2011Revlogo.pdf
Hosein, Gus, and Simon Davies, Empirical Research of Contextual Factors Affecting the Introduction of Privacy Impact Assessment Frameworks in the Member States of the European Union, 2012. http://piafproject.eu/ref/PIAF_deliverable_d2_final.pdf
De Hert, Paul, Dariusz Kloza, and David Wright, Recommendations for a Privacy Impact Assessment Framework for the European Union, 2012. http://piafproject.eu/ref/PIAF_D3_final.pdf
Kloza Dariusz, Moscibroda Anna, Boulet Gertjan, “Improving Co-operation Between Data Protection Authorities: First Lessons from Competition Law.” in Jusletter IT. Die Zeitschrift für IT und Recht, published by Weblaw AG. http://jusletter-it.weblaw.ch/issues/2013/20-Februar-2013/2128.html
Kloza Dariusz, “Public voice in privacy governance: lessons from environmental democracy”, in Erich Schweighofer (ed.), KnowRight 2012 conference proceedings [forthcoming].

Other resources

PHAEDRA project: http://www.phaedra-project.eu

PIAF project: http://piafproject.eu
PIAw@tch, the PIA observatory: http://piawatch.eu

The Speakers

Gertjan Boulet

Gertjan Boulet holds a joint LL.M/MPhil (2010) from Leuven University (Belgium) and Tilburg University (the Netherlands) where he successfully completed a Research Master of Laws programme focused on legal methods and interdisciplinary research. He started to work as a doctoral researcher at the Research Group on Law, Science, Technology and Society (LSTS) at the Vrije Universiteit Brussel in January 2013 for the EU-funded research project 'Improving Practical and Helpful cooperAtion bEtween Data PRotection Authorities' (PHAEDRA). Before, he was a freelance researcher at VUB, and became a member of the programming committee of the annual conference 'Computers, Privacy & Data Protection' (CPDP). Prior to joining the Vrije Universiteit Brussel, Gertjan worked for the Brussels Airport Company (2010) and the law firm DLA Piper (2011). He also completed internships at the Belgian Public Prosecutor (2007), the Constitutional Court of Belgium (2012) and the Belgian Privacy Commission (2013).

Gertjan Boulet

Dariusz Kloza

Dariusz (Darek) Kloza is a doctoral researcher at the Research Group on Law, Science, Technology, and Society (LSTS) and the Institute for European Studies (IES) at Vrije Universiteit Brussel (VUB). He holds both an LL.M. in Law and Technology (2010) from the Tilburg Institute for Law, Technology, and Society (TILT) at Tilburg University (with distinction) and a master degree in law from University of Białystok (2008). He was also an exchange student at University of Copenhagen (2007-2008). His research is focused on fundamental rights in the digital era (especially privacy and data protection), liability of intermediary service providers and private international law. His doctoral research focuses on positive procedural obligations for privacy and data protection from the European perspective.

He has been involved in researching privacy and data protection issues in a number of EU co-funded projects, such as PIAF (Privacy Impact Assessment Framework for data protection and privacy rights), PHAEDRA (Improving Practical and Helpful cooperAtion bEtween Data PRotection Authorities) and ADVISE (Advanced Video Surveillance archives search Engine for security applications). He has also contributed to the work of the European Commission’s Task Force for Smart Grids, aimed at ensuring high level of privacy and personal data protection in smart grids/metering.

Dariusz Kloza

For more details visit https://cis-india.org/internet-governance/events/privacy-meeting-brussels-bangalore

Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India

praskrishna — 2013-08-28T10:19:23Z

The Research Center of Media and Communication at the University of Hamburg organized the Summer School 2013 at Hamburg, Germany from July 29 to August 2, 2013. Dr. Nishant Shah was a panelist in the session on "Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India".

The Summer School Book of Abstracts/Information brochure can be downloaded here

This year’s Summer School offered by the Research Center of Media and Communication at the University of Hamburg picked up upon a crucial issue for current media development – a topic relevant to academia, media practice and media policy. In the age of digitisation, the landscape of media and communications is being increasingly influenced by phenomena that can be viewed as reappropriations of previously published media communications. The Summer School pursued central questions about the kinds of reappropriated media communications that were being developed and the relationship between ‘old’ and ‘new’ shaping them. This repurposing was analysed from four different perspectives: repurposing as recombination, as reactualisation, as piracy and as plagiarism.

For more details visit https://cis-india.org/news/repeat-remix-remediate-summer-school-2013

Connaught Summer Institute on Monitoring Internet Openness and Rights

praskrishna — 2013-07-26T09:17:45Z

Malavika Jayaram is a speaker at this event being held at the Munk School of Global Affairs, Bloor Street West.

Click to read the original posted on Citizen Lab website

Monday, July 22, 2013

Location: Munk School of Global Affairs (Observatory Site), 315 Bloor Street West (map)

14:00 - 17:00	Meet and Greet at the Citizen Lab Participants are free to drop by the Lab between 2:00-5:00 pm to see the space and meet with Citizen Lab researchers. Participants should go to the reception desk on the first floor and have the receptionist call the Lab.

Tuesday, July 23, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 09:15	Opening Remarks
09:15 - 10:45	Tutorial "Welcome to Oz: Beyond a Black and White Debate on Internet Regulation (and Control)" – Jon Penney (Berkman Centre/Oxford Internet Institute/Citizen Lab) and Ryan Budish (Berkman Centre/Herdict)
10:45 - 11:00	Break
11:00 - 12:00	Commercialization of Information Controls "Regulators, Politicians, and Deep Packet Inspection: Who's Driving What and Why" – Chris Parsons (University of Victoria) "Fingerprinting Internet Filtering Products" – Jakub Dalek (Citizen Lab) "Cash Rules Everything Around Me: The Commercialization of Online Spying" – Bill Marczak (UC Berkeley)
12:00 - 13:45	Lunch
13:45 - 14:45	Circumvention / Attacks 1 "Collateral Freedom" – David Robinson (Robinson + Yu) "Remedy: Relays Monitoring and Deployment" – KheOps (Telecomix) "Fake Domain Attacks on Civil Society Groups" – Michael Carbone (Access)
14:45 - 15:45	Characterization / Measurement 1 "Iran through the Eyes of Big Data" – Collin Anderson (Independent Researcher) "Measurement, Detection, and Comparison of Surveillance Data" – Praveen Selvasekaran (Simple Tech Life) "Filbaan: What is Filtered Today?"
15:45 - 16:00	Break
16:00 - 16:45	Identity Systems and Monitoring "Desperately Seeking the Names: Examining the Historical Progression of Real Name Policies on the Chinese Internet" – Lianrui Jia (Carleton University) "India's Civil Liberties Crisis: Digital Free Will in Free Fall" – Malavika Jayaram (Centre for Internet and Society, Bangalore)
17:00 - 18:30	Poster and Demo Session Light refreshments will be served "User-side Approach for Censorship Detection: Home-router and Client-based Platforms" – Giuseppe Aceto (University of Naples Federico II) "The Cyber Losers" – Aaron Brantly and Katrin Verclas (National Democratic Institute) "What is the Impact of Internet Censorship in China?" – Carlotta James (Psiphon Inc.) "Open Integrity Index" – Jun Matsushita "M-Lab: Exploring the Possibilities for Open, Global Censorship and Surveillance Detection" – Stephen Soltesz (Open Technology Institute) and Meredith Whittaker (Google Research) "Mapping Google: Global Business Infrastructure and Implications for Openness " – John Harris Stevenson (University of Toronto) "Chat Program Censorship and Surveillance in China: Tracking TOM-Skype and Sina UC" – Greg Wiseman (Citizen Lab) "The Growth and Spread of Cyberspace Controls" – Benjamin Zaiser (Free University of Berlin)

Wednesday, July 24, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 10:20	Characterization / Methodology 2 "Refining the Tor Censorship Detector" – Sam Burnett (Georgia Tech) "From Internet Security to Internet Freedom: The case of the RPKI" – Sharon Goldberg (Boston University) "Running Software in Albuquerque to Measure Censorship Anywhere" – Jeffrey Knockel (University of New Mexico) "Social Media as Labratory: What We Can Learn about Chinese Politics from Sina Weibo Censorship and Online Discussion" – Jason Q. Ng (Citizen Lab)
10:20 - 11:00	Break
11:00 - 12:00	Circumvention 2 "VPNthnography: Hacking the Great Firewall for Fun and Profit" "Economics of Web Proxy Networks" – Bennett Haselton (Peace Fire/Citizen Lab) "Censors Working Overtime" – Karl Kathuria (Psiphon Inc.)
12:00 - 14:00	Lunch
14:00 - 15:30	Tutorial "Network Censorship Techniques, Detection, and Localization" – Nick Weaver (ICSI)
15:30 - 16:00	Break
16:00 - 17:30	Panel: Bridging Activism and Research (5 minute talks + discussion) Ali Bangi (ASL19 / Citizen Lab) Stefania Milan (Tillburg University) Deji Olukotun (PEN) John Scott-Railton (Citizen Lab / UCLA) 'Gbenga Sesan (Paradigm Initiative Nigeria)

Thursday, July 25, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 10:20	Jurisdictions and Borders Online "Cyberconflict and the Legal-Territorial Paradox" – Cameran Ashraf (UCLA) "Beyond Borders: Legislative Challenges to the Management of Records in the Cloud" – Elaine Goh (University of British Columbia) "Civil Society 2.0: The Global Struggle to Govern the Democratic Impacts of ICTs" – Muzammil M. Hussain (University of Michigan) "The Anti-Counterfeiting Trade Agreement and the Networked Public Sphere: How to avoid a Convergent Crisis" – James Losey (Open Technology Institute)
10:20 - 10:40	Break
10:40 - 12:10	Tutorial "Ranking Companies on Digital Rights: Challenges and Synergies" – Rebecca MacKinnon (New America Foundation)
12:10 - 14:00	Lunch
14:00 - 15:30	Surveillance and Monitoring "Revisiting Webtapping: Learning From Five Years’ of U.S. Cyber and Intel Policy" – Chris Bronk (Rice University) "Who Watches the Watchmen?: Detecting Stealth and Unattributed Information Controls" – Herve Saint Louis (University of Toronto) "IX Maps" – Andrew Clement (University of Toronto) "Technologies of Control, ‘National Security’ and Systemic Abuse of Minorities in the East and Horn of Africa" – Clara Gutteridge (Equal Justice Forum)
15:30 - 15:45	Break
15:45 - 16:30	Closing Discussion on Interdisciplinary Research and Information Controls

Friday, July 26, 2013

Location: Rooms 108, 208 and Basement, North House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

10:00 - 14:00

Breakout Sessions

Light refreshments will be served

The half day will be dedicated to giving participants the opportunity to break into small groups to further discuss, share, and hack on topics raised during the workshop.

Sponsor

The workshop is sponsored by University of Toronto's Connaught Fund. Since it was founded in 1972, the fund has invested more than $1 million in projects that span across the disciplines.

For more details visit https://cis-india.org/news/citizenlab-summer-institute-on-monitoring-internet-openness-and-rights

Your life's an open Facebook

praskrishna — 2013-07-26T04:53:11Z

The jury's out on Facebook's newly introduced Graph Search. While some argue that it's a stalker's dream come true, others say it's a great tool for social research. Shikha Kumar jumps right into the debate.

Shikha Kumar's article was published in DNA on July 21, 2013. Sunil Abraham is quoted.

Do this little exercise. Log on to Facebook and type ‘friends of friends who are single’ or ‘friends of friends who like dancing’ in the search bar on the top left hand of the screen. A long list of names with photographs of people you may have never seen in your life will pop up in front of you. Better still (or worse, depending on perspective), you can refine this search further with the drop down menu on the right hand side of the screen; you can filter the results on the basis of gender, employer, current city, hometown and so on.

Now, depending on whether you are paranoid about your privacy, or don’t give a damn (since the government is snooping on us anyway), you will either view this feature as a stalker’s dream come true or just another irritant to rant about for a day and then forget.

Whatever your reaction, Graph Search, an upgrade on Facebook’s rudimentary ‘search’, is here to stay and it holds the potential to forever change the ‘search’ behaviour of its members.

HOW DOES IT WORK?
Put simply, Graph Search is the Google search of Facebook. It indexes every little detail you have shared on Facebook — every drunken ‘like’, every status update, every unflattering photograph you are tagged in, every joke you’ve shared — so that a simple search can throw up pretty specific answers. A beta version was unveiled to a select audience in January but it went live for all English (US) users early last week.

A look at a Tumblr blog called ‘Actual Facebook Graph Searches’ gives an indication of how specific the results can get. Ranging from humorous to downright outrageous, some queries posted included ‘Single women who live nearby and who are interested in men and like Getting Drunk’ and ‘Married people who like Prostitutes.’

This is exactly why people like Adarsh Matham, a 29-year-old tech writer, cite as reason for never having been on Facebook. While he does admit the new feature can be very useful in finding jobs, dates, new friends and local businesses, he says the downsides trump the benefits. “Imagine if some pervert searches for ‘girls who like Fifty Shades of Grey in Mumbai’… It will make it easier for him to stalk them,” says Matham.

If you use your imagination, the list won’t end. Imagine what perverts at your workplace and in your apartment complex who are not ‘friends’ with you on Facebook can do with information they glean about you thanks to Graph Search.

Matham is particularly concerned with Graph Search’s misuse in India because of our social attitudes and tendency to slot people into types and judge them immediately. “One of the first things that people do when they go for a job or on a date is a Google search. Soon they will do a Graph Search too. This is a complete intrusion of one’s privacy.”

Sunil Abraham, director at the Bangalore-based Centre for Internet and Society, thinks the privacy implications are worrying because the average Indian user is not a ‘power’ user who fully exploits the site’s advanced features and is thus unclear about what personal information is public or private. “People need to be very cautious as they’re leaving behind a digital trail that is always searchable unlike on other platforms like Twitter. It’s like tattooing yourself, it’s permanent but you may not be comfortable with it in the future,” he says.

A brilliant format
Privacy concerns aside, many have warmed up to the benefits of Graph Search. Raghu Mohan, a Bangalore-based writer with YourStory.in, has used it for over six months and has only good things to say about it. “I think it’s a remarkable engineering feat. Any platform with a user data of over a billion people needs to come up with such a search facility,” says Mohan, adding that the tool has been very useful in finding work-related data.

Chetan Asher, founder and CEO of Tonic Media, a social media agency, agrees with him, saying the new feature is “very exciting” purely because of its ability to index information that was always there, but was buried somewhere. “The simple phrase-like format is brilliant… It completely changes the way you network and mine for information.”

Mohan adds that start-ups can benefit with what the feature offers. “Though not a complete marketing tool, Graph Search patterns can also provide more targeted behaviour for advertisers.” Mohan also looks at the feature as a social influencer. “If I’m looking to buy a new car, I’d rather use Graph Search to find out opinions based on my friends’ recommendations than a web search involving strangers,” he says.

From his experience, Asher says that the site doesn’t compromise the privacy settings that the user has set. But Ankit Tuteja, a 23-year-old technology expert in Delhi, would beg to differ with this. Tuteja has experimented with random searches to gauge how the feature worked with different privacy settings and found that Facebook tends to override certain security settings. “The security of your photographs are a major cause for concern,” he cautions.

For those concerned about privacy, it’s best to think carefully before ‘liking’ or uploading anything as it will remain in the digital realm forever, says Abraham. Mohan shrugs off privacy concerns as overrated. “You lost your personal life when you went online. Stalking can happen otherwise too.”

This innovation is clearly important to the company. While Asher says it is part of Facebook’s long-term plans to move beyond networking, Abraham says that faced with slow overall growth globally (except in markets like India), such innovations are just an attempt to keep its user base intact.

The more things change...
Whatever the reaction, Facebook is probably banking on the fact that after initial protests and social media debates, people will come around to accepting this intrusion into their private lives.

The American news satire website The Onion pretty much nailed this when, in a satirical piece, it ‘quoted’ Zuckerberg as saying: “Facebook will introduce a bunch of new features that everyone will hate, that will make your experience worse, you will complain about it, and then you will realize you are utterly powerless to do anything about these new features, at which point you will move on and continue to use our product every single day. Any users who strongly disagree with their policy should feel free to deactivate their accounts and reactivate them two days later.”

Admit it, you’ll probably be one of them.

For more details visit https://cis-india.org/news/dna-july-21-2013-shikha-kumar-your-life-is-an-open-facebook

Meeting of a Sub-committee on DNA Profiling Bill in Hyderabad

praskrishna — 2013-08-21T06:21:44Z

A sub-committee has been constituted as per the recommendations of the Expert Committee of DNA Profiling Bill. The sub-committee will have a meeting in Hyderabad on August 6, 2013.

The sub-committee was constituted with the following members:

Dr. Raghbir Singh, Former Secretary, Legislative Department, Ministry of Law, New Delhi
Shri. Kamal Kumar, IPS, (Retd.), Director General of Police, Hyderabad
Mr. Sunil Abraham, Executive Director, Centre for Internet and Society, Bangalore
Dr. Alka Sharma, Director, DBT
Dr. Madhusudan Reddy, Staff Scientist and Group Leader, CDFD, Hyderabad

The meeting has been scheduled for August 6, 2013, 10.30 a.m. at CDFD, Hyderabad to incorporate the ipunts/suggestions of the members of the Expert Committee appropriately in the draft Human Profiling Bill. The comments/inputs on the draft Bill have been requested from all the members of the Expert Committee. Once received, the same will be forwarded to you for further discussion in the sub-committee meeting.

The information was communicated by Dr. Alka Sharma, Director/Scientist F, Medical Biotechnology Division, R. No. 713, Department of Biotechnology, Ministry of Science & Technology, Government of India,

For more details visit https://cis-india.org/news/meeting-of-sub-committee-on-dna-profiling-bill

Report on the 5th Privacy Round Table meeting

maria — 2013-07-26T08:24:27Z

This report entails an overview of the discussions and recommendations of the fifth Privacy Round Table in Calcutta, on 13th July 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

In 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of seven multi-stakeholder round table meetings on “privacy” from April 2013 to October 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the seven Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Roundtable: 24 August 2013
New Delhi Final Roundtable and National Meeting: 19 October 2013

Following the first four Privacy Round Tables in Delhi, Bangalore, Chennai and Mumbai, this report entails an overview of the discussions and recommendations of the fifth Privacy Round Table meeting in Kolkata, on 13th July 2013.

Presentation by Mr. Reijo Aarnio – Finnish Data Protection Ombudsman

The fifth Privacy Round Table meeting began with a presentation by Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman. In particular, Mr. Aarnio initiated his presentation by distinguishing privacy and data protection and by emphasizing the need to protect both equally within a legal framework. Mr. Aarnio proceeded by highlighting that 96 percent of the Finnish community believes that data protection is necessary, especially since it is considered to play an essential role in the enhancement of the self-determination of the individual. Fuerthermore, Mr. Aarnio pointed out that the right to privacy in Finland in guaranteed under section 10 of the Finnish constitution.

The Finnish Data Protection Ombudsman argued that in order for India to gain European data protection adequacy, the implementation of a regulation for data protection in the country is a necessary prerequisite. Mr. Aarnio argued that although the draft Privacy (Protection) Bill 2013 provides a decisive step in regulating the use of data, the interception of communications and surveillance in India, it lacks in defining the data controller and the data subject, both of which should be legally specified.

In order to support his argument that India needs privacy legislation, the Ombudsman clarified the term “data protection” by stating that it relates to the following:

individual autonomy
the right to know
the right to live without undue interference
the right to be evaluated on the basis of correct and relevant information
the right to know the criteria automatic decision-making systems are based on
the right to trust data security
the right to receive assistance from independent authorities
the right to be treated in accordance with all other basic rights in a democracy
the right to have access to public documents
the freedom of speech

In addition to the above, Mr. Aarnio argued that the reason why data protection is important is because it ensures the respect for human dignity, individual autonomy and honor.

The Finnish Data Protection Ombudsman gave a brief overview of the development and history of data protection, by citing the oathe of Hippokrates, the Great Revolutions and World War II, all throughout which data protection has gained increased significance. Mr. Aarnio pointed out that as a result of the development and proliferation of technology, societies have evolved and that data protection is a major component of the contemporary Information Society. The Ombudsman stated that in the Information Society, information is money and open data and big data are products which are being commercialised and commodified. Hence, in order to ensure that human rights are not commericalised and commodified in the process, it is necessary to establish legal safeguards which can prevent potential abuse.

Article 8 of the European Charter of Fundamental Rights guarantees the protection of personal data. Mr. Aarnio argued that the Parliament is the most important data protection authority in Europe and that privacy is legally guaranteed on three levels:

Protection of personal life: The Criminal Code (chapter 24) addresses and protects freedom of speech and secrecy regulations
Communication: Protection of content and traffic data
Data Protection: The Personal Data Act creates Right to Know and to affect/impact, the right to organise one's personal life, automatic processing of personal data and maintenance of register

The Ombudsman also referred to the Directive 95/46/EC of the European Parliament of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.

Mr. Aarnio argued that in the contemporary ecosystem of the Information Society, countries need “Privacy by Design”, which entails the description of the processing of personal data and the evaluation of its lawfulness. In particular, the purpose for the collection and processing of data should be legally defined, as well as whether such data will be shared with third parties, disclosed and/or retained. The Ombudsman argued that India needs to define its data controllers and to legally specify their roles, in order to ensure that the management of data does not result in the infringement upon the right to privacy and other human rights.

The Finnish Data Protection Ombudsman concluded his presentation by stating that data security is not only a technological matter, but also – and in some cases, mostly – a legal issue, which is why India should enact the draft Privacy (Protection) Bill 2013.

Discussion of the draft Privacy (Protection) Bill 2013

Chapter I: Definitions

The discussion of the draft Privacy (Protection) Bill 2013 commenced with a debate on whether such a Bill is necessary at all, given that section 43 of the IT Act is considered (by participants at the round table) to regulate the protection of data. It was pointed out that although section 43 of the Information Technology Act provides some rules for data protection, the Committee has stated that these rules are inadequate. In particular, India currently lacks statutory provisions dealing with data protection and rules are inadequate because they are subject to parliamentary debate, and the Parliament does not have the right to vote on rules. The Parliament does not have the right to amend rules, which means that it does not have the right to amend the rules on data protection under the IT Act. Since the rules under section 43 of the IT Act are not subject to parliamentary review, India needs a seperate privacy statutue. Hence, the round table reached a consensus on the discussion of the draft Privacy (Protection) Bill 2013.

Personal data is defined in the draft Privacy (Protection) Bill 2013 as any data which relates to a natural person, while sensitive personal data is defined as a subset of personal data, such as biometric data, medical history, sexual preference, political affiliation and criminal history. It was pointed out that race, religion and caste are not included in the Bill's definition for sensitive personal data because the Government of India refuses to acknowledge these types of information as personal data. According to the Government, the collection of such data is routine and there have been no cases when such data has been breached, which is why race, religion and caste should not be included in the definition for sensitive personal information. However, the last caste sensus took place in 1931 and since then there has been no caste sensus, because it is considered to be a sensitive issue. This contradictory fact to the government's position was pointed out during the round table meeting.

A participant argued that financial information should be included within the definition for sensitive personal data. This was countered by a participant who argued that India has the Credit Information Companies Act which covers credit information and sets out specific information for the protection of credit data by banks and relevant companies. Yet the question of whether general financial information should be included in the definition for sensitive personal data was further discussed, and many participants supported its inclusion in the definition.

The question of whether IP addresses should be included in the definition for personal data was raised. The response to this question was that IP addresses should be included in the definition since they relate to the identification of a natural person. However, the question of whether a specific IP address is considered personal data, as many individuals use the Web through the same IP address, remained unclear. Other participants raised the question of whether unborn humans and deceased persons should have privacy rights. The response to this was that in India, only the court can decide if a deceased person can have the right to privacy.

The controversy between the UID project and the protection of biometric data under the definition for sensitive personal information was discussed in the round table. In particular, it was pointed out that because the UID scheme requires the mass biometric collection in India is contradictory to the protection of such data under the Bill. As the UID scheme remains unregulated, it is unclear who will have access to the biometric data, who it will be shared with, whether it will be disclosed and retained and if so, for how long. All the questions which revolve around the implementation of the UID scheme and the use of the biometric data collected raise concerns in regards to what extent such data can realistically be protected under privacy legislation.

On this note, a participant mentioned that under EU regulation, an ID number is included in the definition for sensitive personal information and it was recommended that the same is added in India's draft Privacy (Protection) Bill 2013. Furthermore, a participant recommended that fingerprints are also included in the definition for sensitive personal data, especially in light of the NPR and UID scheme.

A participant argued that passwords should also be included in the definition for sensitive personal data, as well as private keys which are used for encryption and decryption. It was pointed out that section 69 of the IT Act requires the disclosure of encryption keys upon the request from authorities, which potentially can lead to the violation of privacy and other human rights. Hence the significance of protecting passwords and encryption keys which can safeguard data was highly emphasized and it was argued that they should definitely be included in the definition for sensitive personal data. This position was countered by a participant who argued that the Government of India should have access to private encyrption keys for national security purposes.

On the definition of sensitive personal data, it was emphasized that this term should relate to all data which can be used for discrimination, which is why it needs to be protected. It was further emphasized that it took Europe twelve years to reach a definition for personal data, which is why India still needs to look at the issue in depth and encounter all the possible violations which may potentially occur from the non-regulation of various types of data. Most participants agreed that financial information, passwords and private encryption keys should be added in the definition for sensitive personal data.

The fifth round table entailed a debate on whether political affiliation should be included in the definition for sensitive personal data. In particular, one participant argued that political parties disclose the names of their members and that in many cases they are required to do in order to show their source of income. Hence, it was argued that political affiliation should not be included in the definition for sensitive personal data, since it is not realistic to expect political parties to protect their members' privacy. This was countered by other participants who argued that anonymity in political communications is important, especially when an individual is in a minority position, which is why the term political affiliation should be included in the definition for sensitive personal data.

The discussion on the definitions in the draft Privacy (Protection) Bill 2013 concluded with comments that the definiton for surveillance is very exclusive of many types of surveillance. In particular, it was argued that the definition for surveillance does not appear to cover artificial intelligence, screen shots and various other forms of surveillance, all of which should be regulated.

Chapter II: Right to Privacy

Section 4 of the draft Privacy (Protection) Bill 2013 states that all natural persons have a right to privacy. Section 5 of the Bill includes exemptions to the right to privacy. On this note, it was pointed out that during the round table that there is no universal definition of privacy and thus it is challenging to define the term and to regulate it. Furthermore, the rapid pace at which technology is proliferating was emphasized, along with its impact on the right to privacy. For example, it was mentioned that emails were not covered by privacy legislation in the past, but this needs to be amended accordingly. The European Data Protection Directive was established in 1995 and does not regulate many privacy issues which arise through the Internet, which is why it is currently being reviewed. Similarily, it was argued that privacy legislation in India should encompass provisions for potential data breaches which may occur through the Internet and various forms of technology.

A participant argued that the draft Privacy (Protection) Bill 2013 should include provisions for data subjects, which enable them to address their rights. In particular, it was argued that data subjects should have the right to access information collected and retained about them and that they should have the right to make corrections. The reponse to this comment was that the Bill may be split into two seperate Bills, where the one would regulate data protection and the other would regulate the interception of communications and surveillance, while the data subject would be addressed extensively. Furthermore, participants raised questions of how to define the data controller and the data subjects within the Indian context.

Other questions which were raised during the round table included whether spam should be addressed by the Bill. Several participants argued that spam should not be regulated, as it is not necessarily harmful to data subjects. Other participants argued that the isse of access to data should be addressed prior to the definition of privacy. Another argument was that commerical surveillance should not be conducted within restrictions, which is why it should not be inlcuded in the exemptions to the right to privacy. It was also pointed out that residential surveillance should be allowed, as long as the cameras are pointed inwards and do not capture footage of third parties outside of a residence. On this note, it was argued that surveillance in the work place should also be exempted from the right to privacy, as that too can be considered the private property of the owner. Moreover, it was emphasized that the surveillance of specific categories of people should also be excluded from the exemptions to the right to privacy.

A participant argued that in some cases, NGOs may be collecting information for some “beneficial purpose” and that such cases should be excluded from the exemptions to the right to privacy. Other participants argued that in many cases, data needs to be collected for market research and that the Bill should regulate what applies in such cases. All such arguments were countered by a participant, who argued that Section 5 of the Bill on the exemptions to the right to privacy should be deleted, as it creates to many complications. This recommendation was backed up by the example of a husband capturing a photograph of his wife and then publishing the image without her consent.

During this discussion, a participant raised the question of to what extent the right to privacy applies to minors. This question was supported by the example of Facebook, where many minors have profiles but the extent to which this data is protected remains ambiguous. Furthermore, it was pointed out that it remains unclear whether privacy legislation can practically safeguard minors who choose to share their data online. A participant responded to these concerns by stating that Facebook is a data controller and has to comply with privacy law to protect its customers' data. It was pointed out that it does not matter if the data controller is a company or an NGO; in every case, the data controller is obliged to comply with data protection law and regulations.

Furthermore, it was pointed out that Facebook allows for minors aged 13 to create a profile, while it remains unclear how minors can enforce their privacy rights. In particular, it remains unclear how the mediated collection of minors' data can be regulated and it was recommended that this is addressed by the Bill. A participant replied to this by stating that Indian laws rule in favour of minors, but that this simultaneously remains a grey area. In particular, it was pointed out that rules under section 43 of the Information Technology (IT) Act cover Internet access by minors, but this still remains an unclear area which needs further debate and analysis.

The question which prevailed at the end of the discussion of Chapter 2 of the Bill was on the social media and minors, and on how minors' data can be protected when it is being published immediately through the social media, such as Facebook. Furthermore, it was recommended that the Bill addresses the practical operationalisation of the right to privacy within the Indian context.

Chapter III: Protection of Personal Data

The discussion of Chapter 3 of the draft Privacy (Protection) Bill 2013 on the protection of personal data commenced with a reference to the nine privacy principles of the Justice AP Shah Justice Committee. The significance of the principles of notice and consent were outlined, as it was argued that individuals should have the right to be informed about the data collected about them, as well as to have the rigt to access such data and make possible corrections.

Collection of Personal Data

The discussion on the collection of personal data (as outlined in Section 6 of Chapter 3 of the Bill) commenced with a participant arguing that a company seeking to collect personal data should always have a stated function. In particular, a company selling technological products or services should not collect biometric data, for example, unless it serves a specified function. It was pointed out that data collection should be restricted to the specified purposes. For example, a hospital should be able to collect medical data because it relates to its stated function, but an online company which provides services should not be eligible to collect such data, as it deviates from its stated function.

During the discussion, it was emphasized that individuals should have the right to be informed when their data is being collected, which data is being collected, the conditions for the disclosure of such data and everything else that revolves around the use of their data once it has been collected. However, a participant questioned whether it is practically feasible for individuals to provide consent to the collection of their data every time it is being collected, especially since the privacy policies of companies keep changing. Moreover, it was questioned whether companies can or should resume the consent of their customers once their privacy policy has changed. On this note, a participant argued that companies should be obliged to notify their customers every time their privacy policy changes and every time the purpose behind their data collection changes.

On the issue of consent for data collection, a participant argued that individuals should have the right to withdraw their consent, even after their data has been collected and in such cases, such data should be destroyed. This was countered by another participant who argued that it is not realistic to expect companies to acquire individual consent every time the purpose behind data collection changes, nor is it feasible to allow for the withdrawal of consent without probable cause.

The issue of indirect consent to the collection of personal data was raised and, in particular, several participants argued that the Bill should have provisions which would regulate circumstances where indirect consent can be obtained for the collection of personal data. Furthermore, it was emphasized that the Bill should also include a notice for all potential purposes of data collection which may arise in the future; if the purpose for data collection changes based on conditions specified, then companies should not be mandated to notify individuals. Moreover, a participant argued that the Bill should include provisions which would enable individuals to opt-in and/or opt-out from data collection.

On the issue of consent, it was further outlined that consent provides a legitimate purpose to process data and that the data subject should have the right to be informed prior to the collection of his or her data. However, it was emphasized that the draft Privacy (Protection) Bill 2013 is a very strict regulation, as consent cannot always be acquired prior to data collection, because there are many cases where this is not practically feasible. It was pointed out that in the European Data Protection Directive, it is clear that consent cannot always be acquired prior to data collection. The example of medical cases was mentioned, as patients may not always be capable to provide consent to data collection which may be necessary.

In particular, it was highlighted that the European Data Protection Directive includes provisions for the processing of personal data, as well as exceptions for when consent is not required prior to data collection. The Directive guarantees the legitimate interest of the data controller and data processing is based upon the provisions of privacy legislation. The outsourcing of data is regulated in the European Union, and it was recommended that India regulates it too. Following this comment, it was stated that the recent leaks on the NSA's surveillance raise the issue of non-consentual state collection of data and non-consentual private disclosure of data and a brief debate revolved around these issues in the round table.

On the issue of mediated data collection, the situations in which collected data is mediated by third parties was analysed. It was recommended that the law is flexible to address the various types of cases when collected data is mediated, such as when a guardian needs to handle and take decisions for data of a mentally disabled person being collected. However, it was pointed out that mediated data collection should be addressed sectorally, as a doctor, for example, would address mediated data in a different manner than a company. It was emphasized that specific cases – such a parent taking a mediated decision on the data collection of his or her child – should be enabled, whereas all other cases should be prohibited. Thus it was recommended that language to address the mediated collection of data should be included in the Bill.

A participant raised the question of whether there should be seperate laws for the private collection of data and state collection of data. It was mentioned that this is the case in Canada. Another question which was raised was what happens when state collectors hire private contractors. The UID was brought as an example of state collection of data, while private contractors have been hired and are involved in the process of data collection. This could potentially enable the collection and access of data by unauthorised third parties, to which individuals may have not given their consent to. Thus it was strongly recommended that the Bill addresses such cases and prevents unauthorised collection and access of data.

The discussion on the collection of personal data ended with an interesting test case study for privacy: should the media have the right to disclose individuals' personal data? A debate revolved around this question and participants recommended that the Bill regulates the collection, processing, sharing, disclosure and retention of personal data by the media.

Retention of Personal Data

The discussion on the retention of personal data commenced with the statement that there are various exceptions to the retention of data in India, which are outlined in various court cases. It was pointed out that data should be retained in compliance with the law, but this is problematic as, in various occasions, a verbal order by a policeman can be considered adequate, but this can potentially increase the probability for abuse. A question which was raised was whether an Act of Parliament should allow for the long term storage of data, especially when there is inadequate data to support its long-term retention. It was pointed out that in some cases there are laws which allow for the storage of data for up to ten years, without the knowledge – let alone the consent – of the individual. Thus, the issue of data retention in India remains vague and should be addressed by the draft Privacy (Protection) Bill 2013.

Questions were raised on the duration of data retention periods and on whether there should be one general data retention law or several sectoral data retention laws. The participants disagreed on whether an Act of Parliament should regulate data retention or whether data retention should be regulated by sectoral authorities. A participant recommended “privacy by design” and stated that the question of data retention should be addressed by data controllers. Other participants raised the question of purpose limitation, especially for cases when data is being re-retained after the end of its retention period. A participant recommended that requirements for the anonymisation of data once it has exceeed its retention period should be established. However, this proposal was countered by participants who argued that the pracitcal enforcement of the anonymisation of retained data is not feasible within India.

Destruction of Personal Data

The retention of personal data can be prevented once data has been destroyed. However, participants argued that various types of data are being collected through surveillance products which are controlled by private parties. In such cases, it was argued that it remains unclear how it will be verified that data has indeed being destroyed.

A participant argued that the main problem with data destruction is that even if data has been deleted, it can be retrieved up to seven times; thus the question which arises is how can individuals know if their data has been permanently destroyed, or if it is being secretly retrieved. Questions were raised on how the permanent retention of data can be prevented, especially when even deleted data can be retrieved. Hence it was recommended that information security experts cooperate with data controllers and the Privacy Commissioner, to ensure that data is permanently destroyed and/or that data is not being accessed after the end of its retention period. Such experts would ensure that data is actually being destroyed.

Another participant pointed out the difference between the wiping of data and the deletion of data. In particular, the participant argued that data is being deleted when it is being overwritten by other data, and can potentially be recovered. Wiping of data, on the other hand, involves the wiping out of data which can never be recovered. The participant recommended that the Bill explicitly states that data is wiped out in order to ensure that data is not being indirectly retained.

Processing of Personal Data

The dicsussion on the processing of personal data began with the question of national archives. In particular, participants argued that if the processing of data is strictly regulated, that would restrict access to national archives and the draft Privacy (Protection) Bill 2013 should address this issue.

Questions were raised on the non-consentual processing of personal data and on how individual consent should be acquired prior to the processing of personal data. It was pointed out that the Article 29 Working Party has published an Opinion on purpose limitation with regards to data processing and it was recommended that a similar approach is adopted in India.

Furthermore, it was stated that IT companies are processing data from the EU and the U.S., but it remains unclear how individual consent can be obtained in such cases. A debate evolved on how to bind foreign data processors to meet the data requirements of India, as a minimum prerequisite to ensure that outsourced data is not breached. In light of the Edward Snowden leaks of NSA surveillance, many questions were raised on how Indian data outsourced and stored abroad can be protected.

It was highlighted during the round table that all data processing in India requires certification, but since the enforceability of the contracts relies on individuals, this raises issues of data security. Moreover, questions were raised on how Indian companies can protect the data of their foreign data subjects. Thus, it was recommended that the processing of data is strictly regulated through the draft Privacy (Protection) Bill 2013 to ensure that outsourced data and data processed in the country is not breached.

Security of Personal Data

On the issue of data security, the participants argued that the data subject should always be informed in cases when the confidentiality of their personal data is violated. Confidentiality is usually contractually limited, whereas secrecy is not, which is why both terms are included in the draft Privacy (Protection) Bill 2013. In particular, secrecy is usually used for public information, whereas confidentiality is not.

Participants argued that the Bill should include restrictions on the media, in order to ensure that the confidentiality and integrity of their sources' data is preserved. Several participants stated that the Bill should also include provisions for whistleblowers which would provide security and confidentiality for their data. The participants of the round table engaged in a debate on whether the media should be strictly regulated in order to ensure the confidentiality of their sources' data. On the one hand, it was argued that numerous data breaches have occured as a result of the media mishandling their sources' data. On the other hand, it was stated that all duties of secrecy are subject to the public interest, which is why the media reports on them and which is why the media should not be restricted.

Disclosure of Personal Data

The discussion on the disclosure of personal data commenced with participants pointing out that the draft Privacy (Protection) Bill 2013 does not include requirements for consent prior to the disclosure of personal data, which may potentially lead to abuse. Questions were raised on the outsourcing of Indian data abroad and on the consequences of its foreign disclosure. Once data is outsourced, it remains unclear how the lawful disclosure or non-disclosure of data can be preserved, which is why it was recommended that the Bill addresses such issues.

A participant argued that there is a binding relationship between the data controller and the data subject and that disclosure should be regulated on a contractual level. Another participant raised the question of enforcement: How can regulations on the disclosure of personal data be enforced? The response to this question was that the law should focus on the data controller and that when Indian data is being outsourced abroad, the Indian data controller should ensure that the data subjects' data is not breached. However, other participants raised the question of how data can be protected when it is outsourced to countries where the rule of law is not strong and when the country is considered inadequate in terms of data protection.

With an increased transnational flow of information, questions arise on how individuals can protect their information. A participant recommended that it should be mandatory for companies to state in their contracts who they are outsourcing data to and whether such data will be disclosed to third parties. However, this proposal as countered by a participant who argued that even if this was inforced, it is still not possible to enforce the rights of an Indian data subject in a country which does not have a strong rule of law or which generally has weak legislation. A specific example was mentioned, where E.G. Infosys and Wipro Singapore have a contractual agreement and Indian data is outsourced. It was pointed out that if such data is breached, it remains unclear if the individual should address this issue to Wipro India, as well as which law should apply in this case and whether companies should be liable.

A participant suggested that the data controller discloses data without having acquired prior consent, if the Government of India requests it. However, this was countered by a participant who argued that even in such a case, the question of regulating access to data still remains. Other participants argued that the Right to Information Act has been misused and that too much information is currently being disclosed. It was recommended that the Right to Information Act is amended and that the Bill includes strict regulations for the disclosure of personal data.

Meeting Conclusion

The fifth Privacy Round Table meeting commenced with a presentation on privacy and data protection by Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman, and proceeded with a discussion of the draft Privacy (Protection) Bill 2013. The participants engaged in a heated debate and provided recommendations for the definitions used in the Bill, as well as for the regulation of data protection. The recommendations for the improvement of the draft Privacy (Protection) Bill 2013 will be considered and incorporated in the final draft.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-5th-privacy-round-table

Snooping technology: Will CMS work in India?

praskrishna — 2013-07-22T07:19:02Z

The Indian government plans to spend $132 million on setting up its brand new Central Monitoring System this year.

Pierre Fitter's article was published in FirstPost on July 17, 2013. Pranesh Prakash is quoted.

Several articles have raised valid questions about privacy violations, including this one by Danish Raza. Elsewhere, Pranesh Prakash has raised important points about how CMS may actually violate several laws and at least one Supreme Court verdict.

I ask a much more basic question: will CMS work? Can it really help security agencies eavesdrop on criminals and terrorists, despite several known technical hurdles?

	Encryption In 2008, a prominent Brazilian banker and investor named Daniel Dantas was arrested and charged with money laundering and tax evasion along with a former mayor of Sao Paulo. For five months, the Brazilian National Institute of Criminology tried to read the contents of his hard drive but failed to crack it. Dantas had encrypted his data using a free program called Truecrypt. The INC sent the hard drive to the FBI in the US, which spent a whole year trying to crack it; it too failed. Dantas’s use of encryption likely helped him escape the money laundering and tax evasion charges. He was ultimately convicted of attempting to bribe a police officer.

Encryption

In 2008, a prominent Brazilian banker and investor named Daniel Dantas was arrested and charged with money laundering and tax evasion along with a former mayor of Sao Paulo. For five months, the Brazilian National Institute of Criminology tried to read the contents of his hard drive but failed to crack it. Dantas had encrypted his data using a free program called Truecrypt. The INC sent the hard drive to the FBI in the US, which spent a whole year trying to crack it; it too failed. Dantas’s use of encryption likely helped him escape the money laundering and tax evasion charges. He was ultimately convicted of attempting to bribe a police officer.

This story illustrates a fundamental loophole at the heart of CMS. A criminal, using free and easy-to-use software, can protect his data from even the most advanced surveillance tools available in law enforcement. NSA whistle blower Edward Snowden himself used encrypted email to communicate with journalists at the Guardian. In an online chat where he took questions from the public, Snowden noted that encryption was “one of the few things that you can rely on” to protect you from the eavesdropping behemoth created of the NSA.

It should hardly be surprising then, that terror groups have been encrypting their emails and data for at least the last five years. In fact Al Qaeda developed its own encryption software called ‘Mujahideen Secrets’, to encrypt emails, chat sessions and files. Version two of Mujahideen Secrets even included a tool to delete files securely so that they could not be recovered using special software if the computer was captured. Al Qaeda’s links to several terror groups operating in India has been widely reported in the past. It is not inconceivable that they have shared their encryption software with their comrades-in-arms.

Over the years it has become easier to encrypt one’s communication. YouTube tutorials train even novice users to set up email encryption within minutes. Phone calls, text messages and online chats can also be encrypted with free, easy-to-install apps.

The biggest problem with encryption is that it is virtually impossible to break the code in a time frame that’s useful for law-enforcement purposes. Without getting too technical, modern encryption relies calculating the prime factors of very, very large integers. In 2009, a group of some of the world’s best-known mathematicians and cryptographers reported that it took them four years to factor a 768-bit integer. They estimated it would take 1,000 times longer to factorise a 1024-bit integer. GPG, which is the most widely-used email encryption software, allows users up to 4096-bit encryption. Unless you have the password to the encrypted files, it would take you a very long time to crack the encryption.

Here’s an example to help you understand why encryption makes CMS redundant. Let’s say the system intercepts an encrypted email sent by a LeT handler in Karachi to a sleeper cell in Mumbai. The email contains instructions to detonate a bomb in a specific market at a specific time four days from now. Even if India’s intelligence agencies managed to link up every computer they had available to process the encryption, they would still not be able to crack it in time to learn the details and stop the attack.

What about ‘Metadata’?

It should be noted that encryption only protects the body of the email. The metadata, including the sender’s and receiver’s email addresses remain unencrypted, else the service provider would be unable to send the email to its destination. Law enforcement agencies often partner with email providers to track down the exact computer on which tell-tale emails were read.

However, this method of tracing criminals has a limitation. Programs such as TOR and Hotspot Shield disguise the IP address of a user’s PC. For example, when I use TOR, Facebook will often ask me to confirm my identity as it sees me as logging in from an unfamiliar location. TOR has thousands of servers around the world through which it bounces your data before sending it to its destination.

There is another limitation to using metadata. Due to obvious legal hurdles, CMS will only be deployed to capture communication within India. If terrorists were planning an attack from elsewhere in India’s neighbourhood (as happened with 26/11), we would have to rely on that country’s intelligence services for an alert. Good luck with that!

To make untraceable phone calls, terrorists have been known to use “burner” phones. These are pre-paid phones that are easily available in the US and other countries that do not require an ID for such mobile connections. They can be topped up using cash, which makes their prolonged using even more untraceable.

Even if CMS allowed spooks to listen to these calls, it would not be able to tell who was talking to whom. From details that emerged following the Abbottabad operation that killed Osama bin Laden, we also know that terrorists have been trained to turn off their phones and remove the battery to prevent being tracked even while not on a call.

So what is CMS good for?

If terrorist communications can easily be hidden from CMS, you have to wonder why the government is going through all the effort and expense to set up such a system. What good can come off the mass hoovering of data of ordinary citizens’?

Imagine if CMS intercepted a ‘BBM chat’ between two businessmen, who were discussing a contract that could affect the business interests of a government MP.

Imagine the government getting access to emails exchanged between a journalist and a source in the IAS who wants to expose a major corruption scandal involving a cabinet minister.

Imagine if the government had access to phone calls between two opposition politicians discussing election strategies.

What if CMS tracks a PhD candidate who is researching Naxal terror and has downloaded Naxal pamphlets? What if this researcher has been able to establish contact with Naxals for an interview. Can the government use such data to charge him with participating in a Naxal conspiracy, even if his only intention was to research their motivations? In a country where chief ministers label their critics as “Naxals” for merely raising questions, are we certain we want such unmitigated power in the government’s hands?

These are all questions well worth asking, especially since the ostensible reason for setting up the CMS—monitoring terrorists and criminals—is a fool’s errand at best.

For more details visit https://cis-india.org/news/firstpost-pierre-fitter-july-17-2013-snooping-technology

You Have the Right to Remain Silent

nishant — 2013-07-22T06:59:53Z

Reflecting upon the state of freedom of speech and expression in India, in the wake of the shut-down of the political satire website narendramodiplans.com.

Nishant Shah's column was published in Down to Earth on July 17, 2013.

It took less than a day for narendramodiplans.com, a political satire website that had more than 60,000 hits in the 20 hours of its existence, to be taken down. A simple webpage that showed a smiling picture of Narendra Modi, the touted candidate for India’s next Prime Ministerial campaign, flashing his now trademark ‘V’ for ~~Vengeance~~ Victory sign. At the first glimpse it looked like another smart media campaign by the net-savvy minister who has already made use of the social web quite effectively, to connect with his constituencies and influence the younger voting population in the country. Below the image of Mr. Modi was a text that said, "For a detailed explanation of how Mr. Narendra Modi plans to run the nation if elected to the house as a Prime Minister and also for his view/perspective on 2002 riots please click the link below." The button, reminiscent of 'sale' signs on shops that offer permanent discounts, promised to reveal, for once and for all, the puppy plight of Mr. Modi's politics and his plans for the country that he seeks to lead.

However, when one tried to click on the button, hoping, at least for a manifesto that combined the powers of Machiavelli with the sinister beauty of Kafka, it proved to be an impossible task. The button wiggled, and jiggled, and slithered all over the page, running away from the mouse following it. Referencing the layers of evasive answers, the engineered Public Relations campaigns that try to obfuscate the history to some of the most pointed questions that have been posited to the Modi government through judicial and public forums, the button never stayed still enough to actually reveal the promised answers. For people who are familiar with the history of such political satire and protest online would immediately recognise that this wasn’t the most original of ideas. In fact, it was borrowed from another website - http://www.thepmlnvision.com/ that levelled similar accusations of lack of transparency and accountability on the part of Nawaz Sharif of Pakistan. Another instance, which is now also shut down, had a similar deployment where the webpage claimed to give a comprehensive view into Rahul Gandhi’s achievements, to question his proclaimed intentions of being the next prime-minister. In short, this is an internet meme, where a simple web page and a java script allowed for a critical commentary on the future of the next elections and the strengthening battle between #feku and #pappu that has already taken epic proportions on Twitter.

The early demise of these two websites (please do note, when you click on the links that the Nawaz Sharif website is still working) warns us of the tightening noose around freedom of speech and expression that politicos are responsible for in India. It has been a dreary last couple of years already, with the passing of the Intermediaries Liabilities Rules as an amendment to the IT Act of India, Dr. Sibal proposing to pre-censor the social web in a quest to save the face of erring political figures, teenagers being arrested for voicing political dissent, and artists being prosecuted for exercising their rights to question the state of governance in our country. Despite battles to keep the web an open space that embodies the democratic potentials and the constitutional rights of freedom of speech and expression in the country, it has been a losing fight to keep up with the ad hoc and dictatorial mandates that seem to govern the web.


Above is a screen shot from narendramodiplans.com website

We have no indication of why this latest piece of satirical expression, which should be granted immunity as a work of art, if not as an individual’s right to free speech, was suddenly taken down. The website now has a message that says, “I quit. In a country with freedom of speech, I assumed that I was allowed to make decent satire on any politician more particularly if it is constructive. Clearly, I was wrong.” The web is already abuzz with conspiracy theories, each sounding scarier than the other because they seem so plausible and possible in a country that has easily sacrificed our right to free speech and expression at the altar of political egos. And whether you subscribe to any of the theories or not, whether your sympathies lie with the BJP or with the UPA, whether or not you approve of the political directions that the country seems to be headed in, there is no doubt that you should be as agitated as I am, about the fact that we are in a fast-car to blanket censorship, and we are going there in style.

What happens online is not just about this one website or the one person or the one political party – it is a reflection on the rising surveillance and bully state that presumes that making voices (and sometimes people) invisible, is enough to resolve the problems that they create. And what happens on the web is soon going to also affect the ways in which we live our everyday lives. So the next time, you call some friends over for dinner, and then sit arguing about the state of politics in the country, make sure your windows are all shut, you are wearing tin-foil hats and if possible, direct all conversations to the task of finally finding Mamta Kulkarni. Because anything else that you say might either be censored or land you in a soup, and the only recourse you might have would be a website that shows the glorious political figures of the country, with a sign that says “To defend your right to free speech and expression, please click here”. And you know that you are never going to be able to click on that sign. Ever.

For more details visit https://cis-india.org/internet-governance/blog/down-to-earth-july-17-2013-nishant-shah-you-have-the-right-to-remain-silent

Parsing the Cyber Security Policy

chinmayi — 2013-07-22T06:37:56Z

An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble, says Chinmayi Arun.

Chinmayi Arun's article was published in the Hoot on July 13, 2013 and later cross-posted in the Free Speech Initiative the same day.

We often forget how vulnerable the World Wide Web leaves us. If walls of code prevent us from entering each other’s systems and networks, there are those who can easily pick their way past them or disable essential digital platforms. We are reminded of this by the doings of Anonymous, which carried out a series of attacks, including the website run by Computer Emergency Response Team India (CERT-In) which is the government agency in charge of cyber-security. Even more serious, are cyber-attacks (arguably cyber warfare) carried out by other states, using digital weapons such as Stuxnet, the digital worm. More proximate and personal are perhaps the phishing attacks, which are on the rise.

We therefore run a great risk if we leave air-traffic control, defense resources or databases containing several citizens’ personal data vulnerable. Sure, there is no doubt that efforts towards better cyber-security are needed. A cyber-security policy is meant to address this need, and to help manage threats to individuals, businesses and government agencies. We need to carefully examine the government’s efforts to handle cyber-security, how effective it is and whether its actions do not have too many negative spillovers.

The National Cyber-Security Policy, unveiled last week, is merely a statement of intention in broad terms. Much of its real impact will be ascertainable only after the language to be used in the law is available. Nevertheless, the scope of the policy remains ambiguous so far, leading to much speculation about the different ways in which it might be intrusive.

One Size Fits All?

The policy covers very different kinds of entities: government agencies, private companies or businesses, non-governmental entities and individual users. These entities may need to be handled differently depending on their nature. Therefore, while direct state action may be most appropriate to secure government agencies’ networks, it may be less appropriate in the context of purely private business.

For example, securing police records would involve the government directly purchasing or developing sufficiently secure technology. However, different private businesses and non-governmental entities may be left to manage their own security. Depending on the size of each entity, each may be differently placed to acquire sophisticated security systems. A good policy would encourage innovation by those with the capacity to do this, while ensuring that others have access to reasonably sound technology, and that they use it. Grey-areas might emerge in contexts where a private party is manages critical infrastructure.

It will also be important to distinguish between smaller and larger organisations whilst creating obligations. Unless this distinction is made at the implementation stage, start-up businesses and civil society organisations may find requirements such as earmarking a budget for cyber security implementation or appointing a Chief Information Security Officer onerous. Additionally, the policy will need to translate into a regulatory solution that provides under-resourced entities with ready solutions to enable them to make their information systems secure, while encouraging larger entities with greater purchasing power to invest in procuring the best possible solutions.

Race to the Top

Security on the Internet works only if it stays one step ahead the people trying to break in. An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble.

The policy contemplates working with industry and supporting academic research and development to achieve this. However the actual manner in which resources are distributed and progress is monitored may make the crucial difference between a waste of public funds and acquisition of capacity to achieve a reasonable degree of cyber security.

Additionally the flow of public funds under this policy, particularly to purchase technology, should be examined very carefully to see whether it is justified. For example, if the government chooses to fund (even by way of subsidy) a private company’s cyber-security research and development rather than an equivalent public university’s endeavour, this decision should be scrutinized to see whether it was necessary. Similarly, if extensive public funds are spent training young people as a capacity-building exercise, we should watch to see how many of these people stay in India and how many leave such that other countries end up benefiting from the Indian government’s investment in them!

Investigation of Security Threats

Although much of the policy focuses on defensive measures that can be taken against security breaches, it is intended not only to cover investigation subsequent to an attack but also to pinpoint ‘potential cyber threats’ so that proactive measures may be taken.

The policy has outlined the need for a ‘Cyber Crisis Management Plan’ to handle incidents that impact ‘critical national processes or endanger public safety and security of the nation’. This portion of the policy will need to be watched closely to ensure that the language used is very narrow and allows absolutely no scope for misinterpretation or misuse that would affect citizens’ rights in any manner.

This caution will be necessary both in view of the manner in which restraints on freedom of speech permitted in the interests of public safety have been flagrantly abused, and because of the kind of paternalistic state intrusion that might be conceived to give effect to this.

Additionally, since the policy also mentions information sharing with internal and international security, defence, law enforcement and other such agencies, it will also be important to find out the exact nature of information to be shared. Of course, how the policy will be put into place will only become clear as the terms governing its various parts emerge. But one hopes the necessary internal direct action to ensure the government agencies’ information networks are secure is already well underway.

It is also to be hoped that the government chooses to take implementation of privacy rights at least as seriously as cyber-security. If some parts of cyber security involve ensuring that user data is protected, the decision about what data needs protection will be important to this exercise.

Additionally, although the policy discusses various enabling and standard-setting measures, it does not discuss the punitive consequences of failure to take reasonable steps to safeguard individuals’ personal data online. These consequences will also presumably form a part of the privacy policy, and should be put in place as early as possible.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-july-13-2013-chinmayi-arun-parsing-the-cyber-security-policy

CII Conference on "ACT": Achieve Cyber Security Together"

kovey — 2013-07-26T08:17:40Z

The Confederation of Indian Industries (CII) organized a conference on facing cyber threats and challenges at Hotel Hilton in Chennai on July 13, 2013. Kovey Coles attended this conference and shares a summary of the event in this blog post.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

The conference hosted by CII in the Hotel Hilton, was well attended, and featured a range of industry experts, researches and developers, and members of the Indian armed forces.

Participants focused on the importance of Indian entities reaching new, adequate levels of cyber security. It was stated early in the event that India is one of the world's most targeted areas for cyber-attacks, and its number of domestic internet users is known to be rapidly increasing in an age which many view as a new era of international information warfare. Despite this, the speakers considered India to be too far behind other countries in its understanding of cyber security. In the opening remarks, CII Chairman Santhanam implored "We need hard core techies in this field… we are not producing them." Another speaker, Savitha Kesav Jagadeesan, a practicing lawyer in Chennai, asked if India would wait until the "9/11 of cyberspace" occurrence before we establish the same level of precautionary measures online as it exists now in transportation security.

With the presence of both the government’s executive forces and the private industries, the aura circulating the conference room was that of a collective Indian defense, a secure nation only achieved through both secure governmental and industrial aspects. Similar to the previous day’s DSCI cyber security conference, many speakers discussed security issues pertinent to the financial and banking industries, and other cyber crimes which had pecuniary goals. For people seeking to avoid the array of scams and frauds online, some talks shared some of the most basic advice, like safe password practices. "Passwords are like toothbrushes," said A.S. Murthy of the CDAC, "use them often, never share them with anyone, change them often." Other talks went into the intricacies of various hacking schemes, including tab-nabbing and Designated Denial of Service (DDoS) attacks, describing their tactics and how to moderate them.

In the end, the conference had certainly informed the attendees of the goals, and the challenges, that India will face in the coming months and years. The speakers (all of them) showed how the world of cyber security was quickly evolving, and demonstrated the imperative in government and industry entities evolving their own practices and defenses in stride. The ambitions of several presentations matched the well-publicized "5 lakh cyber professionals in 5 years" plan, placing a strong emphasis in the current and future training of young students in cyber security. Ultimately, I think, the conference helped convince that cyber security is neither a futile, nor completely infallible concept. As CISCO Vice President Col. K.P.M. Das said towards the end of the evening, the most ideal form of cyber security is truly "all about trust, the ability to recover, and transparency/visibility."

For more details visit https://cis-india.org/internet-governance/blog/cii-conference-on-act

DSCI Best Practices Meet 2013

kovey — 2013-07-26T08:18:01Z

The DSCI Best Practices Meet 2013 was organized on July 12, 2013 at Hyatt Regency, Anna Salai in Chennai. Kovey Coles attended the meet and shares a summary of the happenings in this blog post.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Last year’s annual Best Practices Meet, sponsored by the Data Security Council of India (DSCI), was held in here in Bangalore, and featured CIS associates as panelists for an agenda focused mostly around mobility in technology. This year, the event was continued in nearby Chennai, where many of India’s top stakeholders in Cyber Security came together at the Hyatt hotel to discuss the modern cyber security landscape. Several of the key points of the day emphasized how the industry realm needed to be especially keen on Cyber Security today. Early speakers explained how many Cyber-Attacks occur as opportunistic attacks on financial institutions, and that these breaches often take months to be discovered, with the discovery usually being made by a third-party. For those reasons, it was repeatedly mentioned throughout the day that modern entities must anticipate attacks as inevitable, and prepare themselves to be able to respond and successfully bounce-back.

Several panelists of the event expanded upon the evolving challenges facing industries, and explained why service based industry continually grows more susceptible to Cyber-Attack. There were representatives from Microsoft, Flextronics, MyEasyDoc, and others, who explained how technological demands of modern consumers resulted inadvertently in weaker security. For example, with customers expecting real-time access to data rather than periodic data reports, i.e financial data reports, industries must now keep their data open, which weakens database security. Overall, the primary challenge faced by the industry was effectively summarized by Microsoft India CSO Ganapathi Subramaniam, stating that within web services, “Security and usability are inversely proportional.” Essentially, the more convenient a product, the less secure its infrastructure.

Despite discussion of the difficulties facing modern producers and consumers, there were undoubtedly highlights of optimism at the conference. A presentation by event sponsor Juniper Networks shed light on practices which combat Cyber-Attackers, including rerouting perceived Distributed Denial of Service (DDoS) attacks and finger-printing suspected hackers through a series of characteristics rather than just IP addresses (these characteristics include browser version, fonts, Add-Ons, time zone, and more). Notably, there was a call for cooperation on all fronts in combatting Cyber-crime, for public-private partnerships (PPP), and many citizens stood and spoke on the behalf of civil society’s incorporation in the process as well. One speaker, Retired Brig. Abhimanyu Ghosh admirably tore down sector divisions in the face of Cyber-Security threats, saying “We all want to secure ourselves. It is not a question of industry versus government, government versus industry. Government needs industry, and industry needs government.”

Finally, a few speakers used their opportunity at the conference to highlight issues related to rights and responsibilities of both citizens and government in internet. Nikhil Moro, a scholar at the Hindu Center for Politics and Public Policy, spoke at length about the urgent condition of laws which undermine freedom of speech and freedom of expression in India, especially within while online. His talk, which occurred near the end of the event, stirred the crowd to discussion, and helped remind the attendees of the comprehensiveness of issues which demand attention in the realm of a growing internet presence.

For more details visit https://cis-india.org/internet-governance/blog/dsci-bpm-2013-conference-notes

Interview with Mr. Reijo Aarnio - Finnish Data Protection Ombudsman

maria — 2013-07-19T13:02:14Z

Maria Xynou recently interviewed Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman, at the CIS' 5th Privacy Round Table. View this interview and gain an insight on recommendations for better data protection in India!

Mr. Reijo Aarnio - the Finnish Data Protection Ombudsman - was interviewed on the following questions:

1. What activities and functions does the Finnish data commissioner's office undertake?

2. What powers does the Finnish Data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?

3. How is the office of the Finnish data protection commissioner funded?

4. What is the organizational structure at the Office of the Finnish Data Protection Commissioner and the responsibilities of the key executives?

5. If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?

6. What challenges has your office faced?

7. What is the most common type of privacy violation that your office is faced with?

8. Does your office differ from other EU data protection commissioner offices?

9. How do you think data should be regulated in India?

10. Do you support the idea of co-regulation or self-regulation?

11. How can India protect its citizens' data when it is stored in foreign servers?

For more details visit https://cis-india.org/internet-governance/blog/interview-with-finnish-data-protection-ombudsman

सावधान आपके प्रोफ़ाइल पर है पुलिस की नज़र!

praskrishna — 2013-07-31T04:10:37Z

जन लोकपाल, दिल्ली रेप केस और बाबा रामदेव के आंदोलनों में उमड़ी भीड़ से घबराई सरकारी एजेंसियां अब सोशल मीडिया पर कड़ी नज़र रखने के लिए मैदान में उतरी हैं.

This blog post by Parul Aggarwal was published by BBC on July 18, 2013. Pranesh Prakash is quoted.

अपनी तरह के एक पहले मामले में मुंबई पुलिस ने क्लिक करें फ़ेसबुक-ट्विटर और दूसरे सोशल मीडिया पर आम लोगों की राय और उनकी भावनाओं पर निगरानी रखने की शुरुआत की है.

साइबर अपराधियों और इंटरनेट पर क्लिक करें गड़बड़ियां फैलाने वालों के अलावा अब पुलिस की नज़र उन लोगों पर भी रहेगी जो राजनीतिक-सामाजिक मुद्दों पर सोशल मीडिया में जमकर बोलते हैं.

आम लोग बने मुसीबत?

पुलिस की मंशा है समय रहते ये जानना कि जनता किन मुद्दो पर लामबंद हो रही है और विरोध प्रदर्शनों के दौरान बड़े स्तर पर लोगों का रुझान किस तरफ़ है.

सोशल मीडिया मॉनिटरिंग का ये काम मार्च 2013 में शुरु किए गए मुंबई पुलिस के सोशल मीडिया लैब के ज़रिए किया जाएगा. मुंबई पुलिस के एक वरिष्ठ अधिकारी ने बीबीसी से हुई बातचीत में कहा, ''नौजवान आजकल फ़ेसबुक पर ख़ासे एक्टिव हैं, ये लोग नासमझ हैं और बात-बात पर उग्र हो जाते हैं. सोशल मीडिया लैब के ज़रिए हम ये देखते हैं कि कौन किस मुद्दे पर ज़्यादा से ज़्यादा लिख रहा है और किस तरह की प्रतिक्रिया दे रहा है.''

दिल्ली रेप केस हो या इस तरह के दूसरे पब्लिक मूवमेंट, पिछले दिनों ऐसे कई मामले हुए हैं जब पुलिस ये नहीं जान पाई कि लोग क्या सोच रहे हैं या कितनी हद तक और कितनी बड़ी संख्या में लामबंद हो रहे हैं. हमारा काम है सोशल मीडिया पर नज़र रखते हुए पुलिस को ये बताना कि लोग किन चीज़ों के बारे में बात कर रहे हैं किस तरह के मुद्दे ज़ोर पकड़ रहे हैं."
रजत गर्ग, सीईओ सोशलऐप्सएचक्यू

इस काम में पुलिस को तकनीकी मदद मिल रही है नैसकॉम और तकनीकी क्षेत्र की एक निजी कंपनी ‘सोशलऐप्सएचक्यू’ से.

सोशल मीडिया पर लामबंदी

सोशलऐप्सएचक्यू के सीईओ रजत गर्ग ने बीबीसी से हुई बातचीत में कहा, ''दिल्ली रेप केस हो या इस तरह के दूसरे पब्लिक मूवमेंट, पिछले दिनों ऐसे कई मामले हुए हैं जब पुलिस ये नहीं जान पाई कि लोग क्या सोच रहे हैं या कितनी हद तक और कितनी बड़ी संख्या में लामबंद हो रहे हैं. हमारा काम है सोशल मीडिया पर नज़र रखते हुए पुलिस को ये बताना कि लोग किन चीज़ों के बारे में बात कर रहे हैं किस तरह के मुद्दे ज़ोर पकड़ रहे हैं. ''

फ़ेसबुक-ट्विटर पर क्लिक करें निगरानी कोई नई बात नहीं लेकिन अब तक ये काम ज्यादातर मार्केटिंग कंपनियां ही करती आई हैं. लेकिन सोशलऐप्सएचक्यू जैसी कंपनियां जो कर रही हैं वो 'ओपन सोर्स इंटेलिजेंस' यानी सार्वजनिक स्रोतों से मिली संवेदनशील जानिकारियों को इकट्ठा करना है.

विशेष सॉफ्टवेयर्स की मदद

रजत गर्ग के मुताबिक़, “इंटरनेट को खंगालने और जानकारियां जुटाने का काम सॉफ्टवेयर करते हैं और जानकारियों को समझने और इन पर निगरानी का काम तकनीकी विशेषज्ञों की टीम. इससे ये देखा जा सकता है कि कि कौन से मुद्दे ज़ोर पकड़ रहे हैं और कौन लोग इन्हें लेकर सबसे ज़्यादा एक्टिव हैं. इन लोगों के सोशल नेटवर्क के ज़रिए ये जाना जा सकता है कि किसकी पहुंच कितने लोगों तक है और कोई भी गतिविधिति क्या रुप ले सकती है.’’ सरकार की दलील है कि जो जानकारियां सोशल मीडिया पर क्लिक करें सार्वजनिक रुप से मौजूद हैं केवल उन्हीं की निगरानी की जाती है. हालांकि तकनीक के जानकार कहते हैं कि भारत में प्राइवेसी से जुड़े क़ानून बेहद लचर हैं और फ़ेसबुक-ट्विटर का इस्तेमाल करने वाले ज्यादातर लोग अपनी निजी जानकारियां छिपाने जैसी तकनीकों से अनजान हैं.	अपनी वेबसाइट पर आपत्तिजनक सामग्री डालने को लेकर कार्टूनिस्ट असीम त्रिवेदी को भी गिरफ्तार किया गया था.

रजत गर्ग के मुताबिक़, “इंटरनेट को खंगालने और जानकारियां जुटाने का काम सॉफ्टवेयर करते हैं और जानकारियों को समझने और इन पर निगरानी का काम तकनीकी विशेषज्ञों की टीम. इससे ये देखा जा सकता है कि कि कौन से मुद्दे ज़ोर पकड़ रहे हैं और कौन लोग इन्हें लेकर सबसे ज़्यादा एक्टिव हैं. इन लोगों के सोशल नेटवर्क के ज़रिए ये जाना जा सकता है कि किसकी पहुंच कितने लोगों तक है और कोई भी गतिविधिति क्या रुप ले सकती है.’’

सरकार की दलील है कि जो जानकारियां सोशल मीडिया पर क्लिक करें सार्वजनिक रुप से मौजूद हैं केवल उन्हीं की निगरानी की जाती है. हालांकि तकनीक के जानकार कहते हैं कि भारत में प्राइवेसी से जुड़े क़ानून बेहद लचर हैं और फ़ेसबुक-ट्विटर का इस्तेमाल करने वाले ज्यादातर लोग अपनी निजी जानकारियां छिपाने जैसी तकनीकों से अनजान हैं.

अपनी वेबसाइट पर आपत्तिजनक सामग्री डालने को लेकर कार्टूनिस्ट असीम त्रिवेदी को भी गिरफ्तार किया गया था.

पारदर्शिता की कमी

ऐसे में सार्वजनिक मंच पर कई ऐसी जानकारियां उपलब्ध हो सकती हैं जो उन्हें पुलिस की आंख की किरकिरी बना दें.

साल 2012 में पूर्व शिवसेना प्रमुख बाला साहब ठाकरे की निधन के मौक़े पर बुलाए गए मुंबई बंद के ख़िलाफ़ फ़ेसबुक पर टिप्पणी करने वाली एक लड़की और उसकी पोस्ट को लाइक करने वाली उसकी दोस्त को रातोंरात गिरफ्तार कर लिया गया. पुलिस ने ये कार्रवाई एक स्थानीय शिवसेना नेता की शिकायत पर की थी.

कथित तौर पर संविधान का मज़ाक उड़ाने और अपनी वेबसाइट पर आपत्तिजनक सामग्री डालने को लेकर कार्टूनिस्ट असीम त्रिवेदी को भी गिरफ्तार किया गया. मीडिया में हुए हंगामे के बाद सभी लोगों को छोड़ दिया गया लेकिन भारत में अब तक इस तरह के कई ऐसे मामले सामने आ चुके हैं.

सूचना प्रौद्योगिकी क़ानून की धारा 66 कहती है कि इस तरह की कार्रवाई बेहद संवेदनशील और राष्ट्रहित से जुड़े मामलों में ही की जानी चाहिए. हालांकि धारा 66 की आड़ में सरकार और नेताओं के ख़िलाफ़ बोलने वालों की गिरफ्तारी सरकार की मंशा पर कई सवाल खड़े करती है.

इंटरनेट से जुड़े मुद्दों पर काम करने वाली संस्थाएं मानती हैं कि भारत में इंटरनेट और आम लोगों पर निगरानी रखने के मामले में सरकार की ओर से पारदर्शिता की बेहद कमी है.

'दुरुपयोग की संभावना'

द सेंटर फ़ॉर इंटरनेट एंड सोसाएटी से जुड़े प्रनेश प्रकाश कहते हैं, ''भारत में सूचना प्रौद्योगिकी और इंटरनेट से जुड़े क़ानूनों को अगर पढ़ें तो समझ आता है कि वो कितने ख़राब तरीक़े से लिखे गए हैं. इन क़ानूनों में स्पष्टता और जवाबदेही की गुंजाइश न होने के कारण ही उनका इस्तेमाल तोड़-मरोड़ कर किया जाता है.''

सोशल मीडिया के ज़रिए इंटरनेट पर सार्वजनिक रुप से बहुत कुछ हो रहा है. कुच्छेक मामलों को छोड़कर चीन जैसे देशों के मुकाबले अभिव्यक्ति की स्वतंत्रता को लेकर भारत सरकार ने अबतक कोई दमनकारी नीति नहीं अपनाई है. लेकिन समस्या ये है कि तकनीक की मदद से अगर दिन-रात निगरानी होगी और जानकारियां सामने आएंगी तो उनके दुरुपयोग की संभावना बढ़ जाती है. "

प्रनेश कहते हैं, ''साल 2011 में सरकार ने केंद्रीय मंत्रालयों और विभागों के लिए सोशल मीडिया से जुड़े दिशा-निर्देश जारी किए. इसका मक़सद था सरकारी विभागों को ये बताना कि सोशल मीडिया पर आम लोगों से कैसे जुड़ें. यही वजह है कि जब सरकार और पुलिस से जुड़े विभागों ने सोशल मीडिया लैब बनाए तो ज्यादातर लोगों ने समझा कि इनका मक़सद जनता की निगरानी नहीं बल्कि आम लोगों से जुड़ना है.''

तो मुंबई पुलिस का ये क़दम क्या आम लोगों और मानवाधिकार संगठनों के लिए ख़तरे की घंटी है ?

प्रनेश कहते हैं, “सोशल मीडिया के ज़रिए इंटरनेट पर सार्वजनिक रुप से बहुत कुछ हो रहा है. कुछ एक मामलों को छोड़कर चीन जैसे देशों के मुक़ाबले अभिव्यक्ति की स्वतंत्रता को लेकर भारत सरकार ने अब तक कोई दमनकारी नीति नहीं अपनाई है. लेकिन समस्या ये है कि तकनीक की मदद से अगर दिन-रात निगरानी होगी और जानकारियां सामने आएंगी तो उनके दुरुपयोग की संभावना बढ़ जाती है.”

For more details visit https://cis-india.org/news/bbc-uk-july-18-2013-parul-aggarwal-social-media-monitoring

Can India Trust Its Government on Privacy?

pranesh — 2013-07-15T10:35:33Z

In response to criticisms of the Centralized Monitoring System, India’s new surveillance program, the government could contend that merely having the capability to engage in mass surveillance won’t mean that it will. Officials will argue that they will still abide by the law and will ensure that each instance of interception will be authorized.

Pranesh Prakash's article was published in the New York Times on July 11, 2013.

In fact, they will argue that the program, known as C.M.S., will better safeguard citizens’ privacy: it will cut out the telecommunications companies, which can be sources of privacy leaks; it will ensure that each interception request is tracked and the recorded content duly destroyed within six months as is required under the law; and it will enable quicker interception, which will save more lives. But there are a host of reasons why the citizens of India should be skeptical of those official claims.

Cutting out telecoms will not help protect citizens from electronic snooping since these companies still have the requisite infrastructure to conduct surveillance. As long as the infrastructure exists, telecom employees will misuse it. In a 2010 report, the journalist M.A. Arun noted that “alarmingly, this correspondent also came across several instances of service providers’ employees accessing personal communication of subscribers without authorization.” Some years back, K.K. Paul, a top Delhi Police officer and now the Governor of Meghalaya, drafted a memo in which he noted mobile operators’ complaints that private individuals were misusing police contacts to tap phone calls of “opponents in trade or estranged spouses.”

India does not need to have centralized interception facilities to have centralized tracking of interception requests. To prevent unauthorized access to communications content that has been intercepted, at all points of time, the files should be encrypted using public key infrastructure. Mechanisms also exist to securely allow a chain of custody to be tracked, and to ensure the timely destruction of intercepted material after six months, as required by the law. Such technological means need to be made mandatory to prevent unauthorized access, rather than centralizing all interception capabilities.

At the moment, interception orders are given by the federal Home Secretary of India and by state home secretaries without adequate consideration. Every month at the federal level 7,000 to 9,000 phone taps are authorized or re-authorized. Even if it took just three minutes to evaluate each case, it would take 15 hours each day (without any weekends or holidays) to go through 9,000 requests. The numbers in Indian states could be worse, but one can’t be certain as statistics on surveillance across India are not available. It indicates bureaucratic callousness and indifference toward following the procedure laid down in the Telegraph Act.

In a 1975 case, the Supreme Court held that an “economic emergency” may not amount to a “public emergency.” Yet we find that of the nine central government agencies empowered to conduct interception in India, according to press reports — Central Board of Direct Taxes, Intelligence Bureau, Central Bureau of Investigation, Narcotics Control Bureau, Directorate of Revenue Intelligence, Enforcement Directorate, Research & Analysis Wing, National Investigation Agency and the Defense Intelligence Agency — three are exclusively dedicated to economic offenses.

Suspicion of tax evasion cannot legally justify a wiretap, which is why the government said it had believed that Nira Radia, a corporate lobbyist, was a spy when it defended putting a wiretap on her phone in 2008 and 2009. A 2011 report by the cabinet secretary pointed out that economic offenses might not be counted as “public emergencies,” and that the Central Board of Direct Taxes should not be empowered to intercept communications. Yet the tax department continues to be on the list of agencies empowered to conduct interceptions.

India has arrived at a scary juncture, where the multiple departments of the Indian government don’t even trust each other. India’s Department of Information Technology recently complained to the National Security Advisor that the National Technical Research Organization had hacked into National Informatics Center infrastructure and extracted sensitive data connected to various ministries. The National Technical Research Organization denied it had hacked into the servers but said hundreds of e-mail accounts of top government officials were compromised in 2012, including those of “the home secretary, the naval attaché to Tehran, several Indian missions abroad, top investigators of the Central Bureau of Investigation and the armed forces,” The Mint newspaper reported. Such incidents aggravate the fear that the Indian government might not be willing and able to protect the enormous amounts of information it is about to collect through the C.M.S.

Simply put, government entities have engaged in unofficial and illegal surveillance, and the C.M.S. is not likely to change this. In a 2010 article in Outlook, the journalist Saikat Datta described how various central and state intelligence organizations across India are illegally using off-the-air interception devices. “These systems are frequently deployed in Muslim-dominated areas of cities like Delhi, Lucknow and Hyderabad,” Mr. Datta wrote. “The systems, mounted inside cars, are sent on ‘fishing expeditions,’ randomly tuning into conversations of citizens in a bid to track down terrorists.”

The National Technical Research Organization, which is not even on the list of entities authorized to conduct interception, is one of the largest surveillance organizations in India. The Mint reported last year that the organization’s surveillance devices, “contrary to norms, were deployed more often in the national capital than in border areas” and that under new standard operating procedures issued in early 2012, the organization can only intercept signals at the international borders. The organization runs multiple facilities in Mumbai, Bangalore, Delhi, Hyderabad, Lucknow and Kolkata, in which monumental amounts of Internet traffic are captured. In Mumbai, all the traffic passing through the undersea cables there is captured, Mr. Datta found.

In the western state of Gujarat, a recent investigation by Amitabh Pathak, the director general of police, revealed that in a period of less than six months, more than 90,000 requests were made for call detail records, including for the phones of senior police and civil service officers. This high a number could not possibly have been generated from criminal investigations alone. Again, these do not seem to have led to any criminal charges against any of the people whose records were obtained. The information seems to have been collected for purposes other than national security.

India is struggling to keep track of the location of its proliferating interception devices. More than 73,000 devices to intercept mobile phone calls have been imported into India since 2005. In 2011, the federal government asked various state governments, private corporations, the army and intelligence agencies to surrender these to the government, noting that usage of any such equipment for surveillance was illegal. We don’t know how many devices were actually turned in.

These kinds of violations of privacy can have very dangerous consequences. According to the former Intelligence Bureau head in the western state of Gujarat, R.B. Sreekumar, the call records of a mobile number used by Haren Pandya, the former Gujarat home minister, were used to confirm that it was he who had provided secret testimony to the Citizens’ Tribunal, which was conducting an independent investigation of the 2002 sectarian riots in the state. Mr. Pandya was murdered in 2003.

The limited efforts to make India’s intelligence agencies more accountable have gone nowhere. In 2012, the Planning Commission of India formed a group of experts under Justice A.P. Shah, a retired Chief Justice of the Delhi High Court, to look into existing projects of the government and to suggest principles to guide a privacy law in light of international experience. (Centre for Internet and Society, where I work was part of the group). However, the government has yet to introduce a bill to protect citizens’ privacy, even though the governmental and private sector violations of Indian citizens’ privacy is growing at an alarming rate.

In February, after frequent calls by privacy activists and lawyers for greater accountability and parliamentary oversight of intelligence agencies, the Centre for Public Interest Litigation filed a case in the Supreme Court. This would, one hopes, lead to reform.

Citizens must also demand that a strong Privacy Act be enacted. In 1991, the leak of a Central Bureau of Investigation report titled “Tapping of Politicians’ Phones” prompted the rights groups, People’s Union of Civil Liberties to file a writ petition, which eventually led to a Supreme Court of India ruling that recognized the right to privacy of communications for all citizens as part of the fundamental rights of freedom of speech and of life and personal liberty. However, through the 2008 amendments to the Information Technology Act, the IT Rules framed in 2011 and the telecom licenses, the government has greatly weakened the right to privacy as recognized by the Supreme Court. The damage must be undone through a strong privacy law that safeguards the privacy of Indian citizens against both the state and corporations. The law should not only provide legal procedures, but also ensure that the government should not employ technologies that erode legal procedures.

A strong privacy law should provide strong grounds on which to hold the National Security Advisor’s mass surveillance of Indians (over 12.1 billion pieces of intelligence in one month) as unlawful. The law should ensure that Parliament, and Indian citizens, are regularly provided information on the scale of surveillance across India, and the convictions resulting from that surveillance. Individuals whose communications metadata or content is monitored or intercepted should be told about it after the passage of a reasonable amount of time. After all, the data should only be gathered if it is to charge a person of committing a crime. If such charges are not being brought, the person should be told of the incursion into his or her privacy.

The privacy law should ensure that all surveillance follows the following principles: legitimacy (is the surveillance for a legitimate, democratic purpose?), necessity (is this necessary to further that purpose? does a less invasive means exist?), proportionality and harm minimization (is this the minimum level of intrusion into privacy?), specificity (is this surveillance order limited to a specific case?) transparency (is this intrusion into privacy recorded and also eventually revealed to the data subject?), purpose limitation (is the data collected only used for the stated purpose?), and independent oversight (is the surveillance reported to a legislative committee or a privacy commissioner, and are statistics kept on surveillance conducted and criminal prosecution filings?). Constitutional courts such as the Supreme Court of India or the High Courts in the Indian states should make such determinations. Citizens should have a right to civil and criminal remedies for violations of surveillance laws.

Indian citizens should also take greater care of their own privacy and safeguard the security of their communications. The solution is to minimize usage of mobile phones and to use anonymizing technologies and end-to-end encryption while communicating on the Internet. Free and open-source software like OpenPGP can make e-mails secure. Technologies like off-the-record messaging used in apps like ChatSecure and Pidgin chat conversations, TextSecure for text messages, HTTPS Everywhere and Virtual Private Networks can prevent Internet service providers from being able to snoop, and make Internet communications anonymous.

Indian government, and especially our intelligence agencies, violate Indian citizens’ privacy without legal authority on a routine basis. It is time India stops itself from sleepwalking into a surveillance state.

For more details visit https://cis-india.org/internet-governance/blog/new-york-times-july-11-2013-can-india-trust-its-government-on-piracy