Access To Knowledge (A2K)

Social media may influence 160 LS seats in 2014

praskrishna — 2013-04-15T07:13:52Z

Social media is likely to influence politics and elections in 160 of India’s 543 Parliament constituencies, making Facebook and Twitter users the nation’s newest voting bloc, a new study suggests.

This article by Zia Haq was published in the Hindustan Times on April 12, 2013. Sunil Abraham is quoted.

In these mostly urbanizing constituencies, social-media usage is now “sufficiently widespread” to influence the outcome of a general election slated for 2014, the study by IRIS Knowledge Foundation and supported by the Internet and Mobile Association of India (IAMAI), indicates.

On April 4, Congress scion Rahul Gandhi’s high-profile address to the Confederation of Indian Industry, a leading business forum, was trending topmost on Twitter in India that day, some posts by rivals mocking him.

A series of lectures by Gujarat chief minister Narendra Modi, a presumptive PM, this week too garnered strong social-media attention, with his and Gandhi’s supporters competing online to run the other down.

A deeply polarizing figure still, Modi is often accused of watching over a carnage that killed nearly 2000 people in 2002, mostly Muslims. Yet, he has pulled off a stunning online strategy to showcase Gujarat as India’s Guandong, a south China province with top GDP rankings and investment.

Research shows that social media is more persuasive than television ads. Nearly 100 million Indians, or more than Germany’s population, use the Internet each day. Of this, 40 million have assured broadband, the ones most likely to have at least one social media account.

“Unlike Obama, who used social media directly for votes, Indian politicians have tended to use it more to mould public discourse,” says Sunil Abraham, the CEO of The Centre for Internet and Society.

That is likely to change in 2014. Not surprisingly, Modi became the third politician globally, a fter Obama and Australian PM Julia Gillard, to host a political conference on Google+ hangout.

Chief ministers in states are also leveraging social media. Bihar has unveiled a re-branded campaign called, “Bihar ka haq” or Bihar’s Rightful Cause, on Facebook.

Social-media-impacted constituencies, according to the study, are those where Facebook users are more than the victory margin of the winner in the last Lok Sabha election, or where such users account for over 10% of the voting population.

For more details visit https://cis-india.org/news/hindustan-times-zia-haq-april-12-2013-social-media-may-influence-160-lok-sabha-seats-in-2014

India takes its first serious step toward privacy regulation – but it may be misguided

praskrishna — 2013-04-15T06:39:05Z

The world’s second-most populous nation may be on the cusp of embracing privacy legislation. After several false starts the Indian government appears ready to accept the need for some form of regulation.

This blog post by Simon Davies was published in the Privacy Surgeon on April 9, 2013. The Centre for Internet and Society recently published a draft Citizens privacy bill which is mentioned in this post.

Well, maybe this is a slightly optimistic view. A more accurate portrayal might be “the Indian government appears ready to accept the principle of some form of regulation”.

There is actually no agreed policy position across government on the question of privacy and data protection, but the Planning Commission last year established an Expert Group under the chairmanship of the former Chief Justice of the Delhi High Court, A.P.Shah. Justice Shah’s subsequent report is being considered and a draft Bill has been created.

Shah’s report provided a convincing body of evidence – both at the domestic and the international level – for the creation of national regulation.

It called for the formation of a regulatory framework and set out nine principles that could form a foundation for the next stage. These principles – reflecting the basis of law in other countries – have been generally accepted by Indian stakeholders as a sound frame of reference for progress.

However although the nine principles are supported, the precise nature of any possible regulation is still very much in flux.

There’s a long way to go before consensus is established on a overall type of regulatory framework. Having said that, India is closer than ever to seeing real legislation – and the international community needs to put its weight behind the activity.

Debate over the merits of data protection and privacy law stretch back beyond a decade but reform was constantly hampered by perceptions that regulation would stifle economic growth.

Some industry lobbies have been as keen as government to ensure that privacy proposals are stillborn.

Even with the nine principles as a bedrock the path to privacy law must overcome two extremely difficult hurdles.

The first of these is that a substantial number of Indian opinion leaders continue to express an instinctive view that there is no cultural history for respect of privacy in India. That is, people don’t want or expect privacy protection and Western notions of privacy are alien to Indian society.

In support of this assertion these critics often cite an analogy about conversation on Indian trains. It is well known that many Indians will disclose their life story to strangers on the Indian rail network, discussing their personal affairs with people they have never before met. This trait is construed as evidence that Indians do not value their privacy.

I spoke last week at an important meeting in New Delhi where this exact point was repeatedly made. The meeting, organised by the Data Security Council of India and ICOMP India was well attended by industry, government, academics and NGOs. Speakers made constant reference to the matter of public disclosure of personal information.

In response, noted commentator Vickram Crishna expressed the view that the train anecdote had no relevance and was a convenient ruse for people who for their own self interest opposed privacy regulation.

“In reality this circumstance is like Vegas”, he said. “What happens on Indian trains, stays on Indian trains. People will talk about their lives because they will never see these passengers again and there is no record of the disclosures.”

“What we are dealing with in the online world is a completely different matter. There is no correlation between the two environments”.

A substantial opinion poll published earlier this year also debunked the myth that Indians don’t care about privacy. Levels of concern expressed by respondents was roughly the same as the level of concern identified in other parts of the world.

A second hurdle facing privacy legislation is the perception - particularly prevalent in the United States – that legislation will be a burden on industry and people do not want yet another cumbersome and costly government structure.

There are perhaps some grounds for considering this perspective, given the vast scale and complexity of India’s economy.

Government intervention does not enjoy a history of consistent success in the marketplace, though in many instances intervention has been the only means to bring industry into compliance with basic safeguards.

I made the point at the meeting that support for a purist model of industry self regulation was simplistic and misguided. Most systems of a similar nature fail unless someone is mandated to ensure compliance, transparency, enforceability and consistency. It’s a question of finding a way to embed accountability in industry self regulation – and this is where legislation and government could help.

Justice Shah’s report reflected this widespread concern by recommending a co-regulatory framework in which a privacy commissioner would oversee industry self regulation. However – as last week’s meeting exemplified – even this compromise solution is not acceptable to many industry players. They oppose the idea of an appointed commissioner and believe that industry self regulation alone will be sufficient.

This is an influential view that cannot be brushed aside. However in a special programme aired on19th April on India’s main parliamentary television network – RSTV – I repeatedly make the point that such a view, if successful, would put Indian industry in danger of winning the battle but losing the war. Europe is unlikely to accept a model of sole industry regulation, and the crucial flow of data between the two regions could be imperiled.

Conscious of all these challenges the influential NGO Centre for Internet and Society has published a draft Citizens privacy bill and has commenced a series of consultation meetings across the country. These initiatives will provide important input for the emerging legislation.

This is an important moment for privacy in India, and one that will require careful thought and sensitive implementation. However no-one in India should be in any doubt that the current unregulated situation is unsustainable in a global environment where nations are expected to protect both their citizens and the safety of data on their systems.

For more details visit https://cis-india.org/news/privacy-surgeon-simon-davies-april-9-2013-india-takes-its-first-serious-step-toward-privacy-regulation

India's 'Big Brother': The Central Monitoring System (CMS)

maria — 2013-12-06T09:39:20Z

In this post, Maria Xynou looks at India´s Central Monitoring System (CMS) project and examines whether it can target individuals´ communications data, regardless of whether they are involved in illegal activity.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Starting from this month, all telecommunications and Internet communications in India will be analysed by the government and its agencies. What does that mean? It means that everything we say or text over the phone, write, post or browse over the Internet will be centrally monitored by Indian authorities. This totalitarian type of surveillance will be incorporated in none other than the Central Monitoring System (CMS).

The Central Monitoring System (CMS)

The Central Monitoring System (CMS) may just be another step in the wrong direction, especially since India currently lacks privacy laws which can protect citizens from potential abuse. Yet, all telecommunications and Internet communications are to be monitored by Indian authorities through the CMS, despite the fact that it remains unclear how our data will be used.

The CMS was prepared by the Telecom Enforcement, Resource and Monitoring (TREM) and by the Centre for Development of Telematics (C-DoT) and is being manned by the Intelligence Bureau. The CMS project is likely to start operating this month and the government plans on creating a platform that will include all the service providers in Delhi, Haryana and Karnataka. The Information Technology Amendment Act 2008 enables e-surveillance and central and regional databases will be created to help central and state level law enforcement agencies in interception and monitoring. Without any manual intervention from telecom service providers, the CMS will equip government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers. The CMS will also enable Call Data Records (CDR) analysis and data mining to identify the personal information of the target numbers.

The estimated set up cost of the CMS is Rs. 4 billion and it will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Research and Analysis Wing (R&AW), the Central Bureau of Investigation (CBI), the National Investigation Agency (NIA), the Central Board of Direct Taxes (CBDT), the Narcotics Control Bureau, and the Enforcement Directorate (ED). In particular, last October, the NIA approached the Department of Telecom requesting its connection with the CMS, which would help it intercept phone calls and monitor social networking sites without the cooperation of telcos. However, the NIA is currently monitoring eight out of 10,000 telephone lines and if it is connected with the CMS, the NIA will also get access to e-mails and other social media platforms. Essentially, the CMS will be converging all the interception lines at one location and Indian law enforcement agencies will have access to them. The CMS will also be capable of intercepting our calls and analyzing our data on social networking sites. Thus, even our attempts to protect our data from ubiquitous surveillance would be futile.

In light of the CMS being installed soon, the Mumbai police took the initiative of setting up a ´social media lab´ last month, which aims to monitor Facebook, Twitter and other social networking sites. This lab would be staffed by 20 police officers who would keep an eye on issues being publicly discussed and track matters relating to public security. According to police spokesman Satyanarayan Choudhary, the lab will be used to identify trends among the youth and to plan law and order accordingly. However, fears have arisen that the lab may be used to stifle political debate and freedom of expression. The arrest of two Indian women last November over a Facebook post which criticized the shutdown of Mumbai after the death of politician Bal Thackeray was proof that the monitoring of our communications can potentially oppress our freedom and human rights. And now that all our online activity will be under the microscope...will the CMS security trade-off be worth it?

Surveillance in the name of Security

In a digitised world, threats to security have been digitised. Terrorism is considered to be a product of globalisation and as such, the Internet appears to be a tool used by terrorists. Hence governments all around the world are convinced that surveillance is probably one of the most effective methods in detecting and prosecuting terrorists, as all movement, action, interests, ideas and everything else that could define an individual are closely being monitored under the ´surveillance umbrella´ True; if everything about our existence is being closely monitored and analysed, it seems likely that we will instantly be detected and prosecuted if engaged in illegal activity. But is that the case with big data? According to security expert Bruce Schneier, searching for a terrorist through data mining is like looking for a needle in a haystack. Generally, the bigger the amount of data, the bigger the probability of an error in matching profiles. Hence, when our data is being analysed through data mining of big data, the probability of us being charged for a crime we did not commit is real. Nonetheless, the CMS is going to start operating soon in an attempt to enable law enforcement agencies to tackle crime and terrorism.

A few days ago, I had a very interesting chat with an employee at SAS Institute (India) Pvt. Ltd. in Bangalore, which is a wholly owned subsidiary of SAS Institute Inc. SAS is a company which produces software solutions and services to combat fraud in financial services, identify cross-sell opportunities in retail, and all the business issues it addresses are based on three capabilities: information management, analytics and business intelligence. Interestingly enough, SAS also produces social network analysis which ´helps institutions detect and prevent fraud by going beyond individual and account views to analyze all related activities and relationships at a network dimension´. In other words, social network analysis by SAS would mean that, through Facebook, for example, all of an individual's´ interests, activities, habits, relationships and everything else that could be, directly or indirectly, linked to an individual would be mapped out in relation to other individuals. If, for example, several individuals appear to have mutual interests and activities, there is a high probability that an individual will be associated with the same type of organization as the other individuals, which could potentially be a terrorist organization. Thus, an essential benefit of the social network analysis solution is that it uncovers previously unknown network connections and relationships, which significantly enables more efficient investigations.

According to the SAS employee I spoke to, the company provides social network analysis to Indian law enforcement agencies and aims at supporting the CMS project in an attempt to tackle crime and terrorism. Furthermore, the SAS employee argued that their social network analysis solution only analyzes open source data which is either way in the public online domain, hence respecting individuals´ online privacy. In support of the Mumbai ´social media lab´, cyber security expert, Vijay Mukhi, argued:

´There may be around 60 lakh twitter users in the city and millions of other social media network users. The police will require a budget of around Rs 500 crore and huge resources such as complex software, unique bandwidth and manpower to keep a track of all of them. To an extent, the police can monitor select people who have criminal backgrounds or links with anti-social or anti-national elements...[...]...Even the apprehension that police is reading your tweet is wrong. The volume of networking on social media sites is beyond anybody's capacity. Deleting any user's message is humanly impossible. It is even difficult to find the origin of messages and shares. However, during the recent Delhi gangrape incident such monitoring of data in public domain helped the police gauge the mood of the people.´

Another cyber security expert argued that the idea that the privacy of our messages and online activity would be intercepted is a misconception. The expert stated that:

´The police are actually looking out for open source intelligence for which information in public domain on these sites is enough. Through the lab, police can access what is in the open source and not the message you are sending to your friend.´

Cyber security experts also argued that the purpose of the creation of the Mumbai social media lab and the CMS in general is to ensure that Indian law enforcement agencies are better informed about current public opinion and trends among the youth, which would enable them to take better decisions on a policy level. It was also argued that, apparently, there is no harm in the creation of such monitoring centres, especially since other countries, such as the U.S., are conducting the same type of surveillance, while have enacted stringent privacy regulations. In other words, the monitoring of our communications appears to be justified, as long as it is in the name of security.

CMS targeting individuals: myth or reality?

The CMS is not a big deal, because it will not target us individually...or at least that is what cyber security experts in India appear to be claiming. But is that really the case? Lets look at the following hypothesis:

The CMS can surveille and target individuals, if Indian law enforcement agencies have access to individuals content and non-content data and are simultaneously equipped with the necessary technology to analyse their data.

The two independent variables of the hypothesis are: (1) Indian law enforcement agencies have access to individuals´ content and non-content data, (2) Indian law enforcement agencies are equipped with the necessary technology to analyse individuals´ content and non-content data. The dependent variable of the hypothesis is that the CMS can surveille and target individuals, which can only be proven once the two independent variables have been confirmed. Now lets look at the facts.

The surveillance industry in India is a vivid reality. ClearTrail is an Indian surveillance technology company which provides communication monitoring solutions to law enforcement agencies around the world and which is a regular sponsor of ISS world surveillance trade shows. In fact, ClearTrail sponsored the ISS world surveillance trade show in Dubai last month - another opportunity to sell its surveillance technologies to law enforcement agencies around the world. ClearTrail´s solutions include, but are not limited to, mass monitoring of IP and voice networks, targeted IP monitoring, tactical Wi-Fi monitoring and off-the-air interception. Indian law enforcement agencies are equipped with such technologies and solutions and thus have the technical capability of targeting us individually and of monitoring our ´private´ online activity.

Shoghi Communications Ltd. is just another example of an Indian surveillance technology company. WikiLeaks has published a brochure with one of Shoghi´s solutions: the Semi Active GSM Monitoring System. This system can be used to intercept communications from any GSM service providers in the world and has a 100% target call monitor rate. The fact that the system is equipped with IMSI analysis software enables it to extract the suspect´s actual mobile number from the network without any help from the service provider. Indian law enforcement agencies are probably being equipped with such systems by Shoghi Communications, which would enable the CMS to monitor telecommunications more effectively.

As previously mentioned, SAS provides Indian law enforcement agencies social network analysis solutions. In general, many companies, Indian and international, produce surveillance products and solutions which they supply to law enforcement agencies around the world. However, if such technology is used solely to analyse open source data, how do law enforcement agencies expect to detect criminals and terrorists? The probability of an individual involved in illegal activity to disclose secrets and plans in the public online sphere is most likely significantly low. So given that law enforcement agencies are equipped with the technology to analyse our data, how do they get access to our content data in order to detect criminals? In other words, how do they access our ´private´ online communications to define whether we are a terrorist or not?

Some of the biggest online companies in the world, such as Google and Microsoft, disclose our content data to law enforcement agencies around the world. Sure, a lawful order is a prerequisite for the disclosure of our data...but in the end of the day, law enforcement agencies can and do have access to our content data, such as our personal emails sent to friends, our browsing habits, the photos we sent online and every other content created or communicated via the Internet. Law enforcement requests reports published by companies, such as Google and Microsoft, confirm the fact that law enforcement agencies have access to both our content and non-content data, much of which was disclosed to Indian law enforcement agencies. Thus, having access to our ´private´ online data, all Indian law enforcement agencies need is the technology to analyse our data and match patterns. The various surveillance technology companies operating in India, such as ClearTrail and Shoghi Communications, ensure that Indian law enforcement agencies are equipped with the necessary technology to meet these ends.

The hypothesis that the CMS can surveille and target us individually can be confirmed, since Indian law enforcement agencies have access to our content and non-content data, while simultaneously being equipped with the necessary technology to analyse our data. Thus, the arguments brought forth by cyber security experts in India appear to be weak in terms of validity and reliability and the CMS appears to be a new type of ´Big Brother´ upon us. But what does this mean in terms of our privacy and human rights?

The telephone tapping laws in India are weak and violate constitutional protections. The Information Technology Amendment Act 2008 has enabled e-surveillance to reach its zenith, but yet surveillance projects, such as the CMS, lack adequate legal backing. No privacy legislation currently exists in India which can protect us from potential abuse. The confirmed CMS hypothesis indicates that all individuals can potentially be targeted and monitored, regardless of whether they have been involved in illegal activity. Yet, India currently lacks privacy laws which can protect individuals from the infringement of their privacy and other human rights. The following questions in regards to the CMS remain vague: Who can authorise the interception of telecommunications and Internet communications? Who can authorise access to intercepted data? Who can have access to data? Can data monitored by the CMS be shared between third parties and if so, under what conditions? Is data monitored by the CMS retained and if so, for how long and under what conditions? Do individuals have the right to be informed about their communications being monitored and about data retained about them?

Immense vagueness revolves around the CMS, yet the project is due to start operating this month. In order to ensure that our right to privacy and other human rights are not breached, parliamentary oversight of intelligence agencies in India is a minimal prerequisite. E-surveillance regulations should be enacted, which would cover both policy and legal issues pertaining to the CMS project and which would ensure that human rights are not infringed. The overall function of the CMS project and its use of data collected should be thoroughly examined on a legal and policy level prior to its operation, as its current vagueness and excessive control over communications can create a potential for unprecedented abuse.

The necessity and utility of the CMS remain unclear and thus it has not been adequately proven yet that the security trade-off is worth it. One thing, though, is clear: we are giving up a lot of our data....we are giving up the control of our lives...with the hope that crime and terrorism will be reduced. Does this make sense?

This was cross-posted in Medianama

For more details visit https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system

Off the Record

nishant — 2013-04-26T05:58:47Z

Social networks track our world but not relationships. We live in a world where things happen. And yet, with the presence of digital objects, the things that happen have increased in intensity and volume.

Nishant Shah's article was published in the Indian Express on April 6, 2013.

Never before have we lived in a world that is so seen,documented, archived and forgotten. Early Enlightenment philosophers had wondered, if a tree falls in loneliness and there is nobody there to see it, does the tree really fall? In the world of instant documentation, chances are that if the tree falls, there is somebody there to tweet it.

We live in a spectacular world. That is not to say that it is the best or worst of all possible. I want to ponder on the fact that we create spectacles of things that were otherwise swept under the carpet. Every little detail of our myriad and mundane life is potentially spectacular. From medical technologies that can decipher our chemical DNA to the mobile phone that Instagrams the food we eat and things that we see, we are surrounded by spectacles of everyday life. Pictures, tweets, blogs, geolocation services, status updates, likes, shares — the texture of living has never been this richly and overwhelmingly documented.

However, the data and information that constitutes the recognition of our life, have increased to such a scale that we have overturned the course of human history writing. We identify ourselves as a species that is able to document, store and relay information from one passing generation to another. So much so that we have invested a vast amount of our energies in creating museums, writing histories, building archives, and obsessively collecting facts and fictions of our origins, from the big bang to flying reptiles.

But big data has made us reach a point where we are trying to manage, filter the onslaught of data. We have, for the first time, created information that is no longer intelligible to the human eye or brain. From machines that can verify god particles to artificial intelligence which can identify patterns every day we have replaced the human being from its central position as consumer, producer and subject of data.

These are conditions of living in information societies that are producing, archiving and reorganising information for these information ecosystems. The multiple information streams remind us of the multitude and diversity of human life which cannot be reduced to a generalising theory of similarity. The rise of big data brings to focus the promise of the World Wide Web — a reminder that there are alternatives to the mainstream and that there are unheard, contradictory voices that deserve to be heard. Yet, even as the burgeoning information society explodes on our devices, there is another anxiety which we need to encounter. If the world of information, which was once supposed to be the alternative, becomes the central and dominant mode of viewing the world, what does it hide?

Take friendship, for instance.You can quantify how many friends exist on your social networks. Algorithms can work out complex proximity principles and determine who your closer connections are.

Data mining tools are able to figure out the similarities and likelihood of enduring conversations in your social sphere. But these are all human actions which can be captured by the network and the big data realities. They may be able to give us new information about what friends do and how often, but there is still almost no way of figuring out, which friend might call you in the middle of the night.

Friendship, like many other things, is not made of spectacles. It does not produce information sets which can be mapped and represented as information. Friendship cannot be reduced to pictures of being together or dramatic stories of survival and togetherness. More often than not, true friendships are made of things that do not happen. Or things, if they happen, cannot be put in a tweet, captured on Instagram or shared on Tumblr.

As we take these social networked realities as 'real' realities, it might be worth asking what is being missed out, what remains unheard and unrepresented in these information streams. Because if you love somebody and there is nobody to know it, report it, record it and convert it into a spectacle, does it make your love any less special? Any less intense? Any less true?

For more details visit https://cis-india.org/internet-governance/blog/indian-express-april-6-2013-nishant-shah-off-the-record

A Privacy Round Table in Bangalore

praskrishna — 2013-04-17T06:55:52Z

The Centre for Internet and Society, Data Security Council of India and the Federation of Indian Chambers of Commerce and Industry cordially invite you to a "Privacy Round Table" at Jayamahal Palace in Jayamahal Road, Bangalore on Saturday, April 20, 2013, 10.30 a.m. to 4.00 p.m.

To discuss, in furtherance of Internet Governance Initiatives and Dialogue in 2013, the "Report of the Group of Experts on Privacy" by the Justice AP Shah Committee, the text of the Citizens' Privacy (Protection) Bill 2013, drafted by the Centre for Internet and Society, and the paper "Strengthening Privacy Protection through Co-Regulation" by DSCI.

The discussions and recommendations from the meeting will be published into a compilation, and presented at the Internet Governance meeting planned for October 2013.

Time	Detail
10.30	Overview, explanation, and discussion: The Report of the Group of Experts on Privacy
11.30	Overview, explanation, and discussion: Strengthening Privacy Protection through Co-regulation
12.15	Tea
12.30	Overview, explanation, and discussion: The Citizens (Protection) Bill 2013
13.15	Lunch
14.15	In depth discussions: The Citizens’ Privacy (Protection) Bill 2013
16.15	Tea

Confirmations and RSVP

Please send your email confirmations for attending the Bangalore Privacy Roundtable on April 20, 2013, to Snehashish Ghosh at snehashish@cis-india.org, mobile no. +91- 9902763325,latest by end-of-business 5:30 p.m. on Monday April 15, 2013. As the conference is a roundtable dialogue, we request that attendees submit a brief introduction about themselves and their interest in the topic.

For more details visit https://cis-india.org/internet-governance/events/privacy-round-table-in-bangalore

Clarify and define terms in IT rules, panel tells govt.

praskrishna — 2013-04-03T10:02:33Z

In the wake of concerns that the government is increasingly using ambiguously-phrased terms in legal codes to crack down on online speech, the Parliament’s Committee on Subordinate Legislation has asked for greater clarity and definition on terms which can serve as grounds for restrictions.

The article by Prashant Jha was published in the Hindu on April 1, 2013. Pranesh Prakash is quoted.

In 2011, the government issued Intermediary Guidelines under Section 79 of the Information Technology (IT) Act. Rule 3 requires intermediaries – including Internet Service Providers (ISPs), web hosts, cyber cafes, blogging platforms, search engines and others – to inform users not to ‘host, display, upload, modify, publish, transmit or share information’ that is ‘grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, or otherwise unlawful in any manner whatsoever.’ Any person aggrieved by the content can ask intermediaries to take it down, and if they do not do so within 36 hours, they can be legally liable.

‘Remove ambiguities’

The committee has heeded the views of NGOs that these terms have not been defined either in the IT Act or the rules. In a report submitted on March 21, it has drawn the attention of the Ministry of Communication and IT to the ‘reported misuse’ of Section 66A of the IT Act in the absence of precise definitions, and said it was important to remove ‘ambiguities/misgivings in the minds of people.’

In its report, the committee, chaired by MP P. Karunakaran, suggested that the definition of those terms in other laws be incorporated in one place for the ‘convenience of reference’ of intermediaries and general public. It has added that those terms not mentioned in other laws be defined in a way that ‘no new category of crimes or offences is created in the process of delegated legislation.’ The committee said it expected the Ministry to have a fresh look at the guidelines and ‘make amendments to ensure there is no ambiguity.’

Highlighting the significance of the committee’s directive not to create new offences, Pranesh Prakash of the Centre for Internet and Society said that this was recognition that ‘many categories of speech prohibited by the Intermediary Guidelines Rules are not prohibited by the statute, and hence cannot be prohibited by the government through these rules.’

‘Conflicting picture’

The committee has also pointed out that there was a ‘conflicting picture’ regarding the ‘legal enforceability’ of these guidelines. In its response, the Ministry told the committee that these are of ‘advisory’ nature; it is not ‘mandatory’ for the intermediary to disable information and this does not amount to ‘censorship.’ But the rules state the intermediary ‘shall act’ within 36 hours of complaint.

The committee said there was a need for ‘clarity on the aforesaid contradictions,’ particularly on the process of ‘take down of content,’ and install ‘safeguards to protect against any abuse during such process.’

Mr. Prakash of CIS said that this had exposed the ‘government’s Janus-faced stance on the issue of mandatory nature of these rules.’

For more details visit https://cis-india.org/news/the-hindu-april-1-2013-prashant-jha-clarify-and-define-terms-in-it-rules-panel-tells-govt

Comments on the Information Technology (Electronic Service Delivery) Rules, 2011

bhairav — 2013-07-12T12:12:16Z

Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Information Technology (Electronic Services Delivery) Rules, 2011. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

I Preliminary

1.1 This submission presents comments from the Centre for Internet and Society (“CIS”) on the Information Technology (Electronic Service Delivery) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 316(E) on 11 April 2011 (“ESD Rules” or “Rules”).

1.2 The ESD Rules were notified only eight months before the Electronic Delivery of Services Bill, 2011 was tabled in the Lok Sabha on 27 December 2011 (Bill 137 of 2011) (“EDS Bill” or “Bill”). Both the ESD Rules and the EDS Bill are concerned with enabling computer-based electronic delivery of government services to Indian citizens (“electronic service delivery”). Both the Rules and the Bill originate from the same government department: the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology. Since the EDS Bill seeks to enact a comprehensive legislative framework for mandating and enforcing electronic service delivery, the purpose of the ESD Rules are called into question.

II Basic Issues Regarding Electronic Service Delivery

2.1 CIS believes that there are significant conceptual issues regarding electronic service delivery that demand attention. The Department-related Parliamentary Standing Committee on Information Technology of the Fifteenth Lok Sabha (“Standing Committee”) raised a few concerns when it submitted its 37th Report on the EDS Bill on 29 August 2012. There is a clear need for a national debate on the manner of effecting exclusive electronic service delivery to the exclusion of manual service delivery. Some of these issues are briefly summarised as follows:

(a) Mandatory exclusive electronic service delivery pre-supposes the ability of all Indian citizens to easily access such mechanisms. While there are no authoritative national statistics on familiarity with computer-related technologies, it is apparent that a large majority of Indians, most of whom are likely to be already marginalised and vulnerable, are totally unfamiliar with such technologies to endanger their ability to receive basic government services;

(b) Consequent upon mandatory exclusive electronic service delivery for basic government services, a large group of ‘middlemen’ will arise to facilitate access for that majority of Indians who cannot otherwise access these services. This group will control the interface between citizens and their government. As a result, citizens’ access to governance will deteriorate. This problem may be mitigated to a certain extent by creating a new class of public servants to solely facilitate access to electronic service delivery mechanisms;

(c) The issue of governmental incapacity at the citizen-government interface might be addressed by contracting private service providers to operate mandatory exclusive electronic service delivery mechanisms. However, it is difficult to see how commercialising access to essential government services serves the public interest, especially when public funds will be expended to meet the costs of private service providers. Permitting private service providers to charge a fee from the general public to allow access to essential government services is also ill advised;

(d) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must be accompanied by strong data protection measures to ensure the sanctity of sensitive personal information shared online with the state. At present, there are no specific laws that bind the state, or its agents, to the stringent requirements of privacy necessary to protect personal liberties. In the same vein, strong data security measures are necessary to prevent sensitive personal information from being compromised or lost;

(e) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must ensure ease and equality of accessibility. For this reason, electronic service delivery mechanisms should conform to the National Policy on Open Standards, 2010 (or the proposed National Electronic Access Policy which is currently awaiting adoption), the Interoperability Framework for E-Governance in India and the Website Guidelines of the National Informatics Centre;

(f) Electronic service delivery requires infrastructure which India does not currently have but can develop. Only 1.44 per cent of India’s population has access to a broadband internet connection[1] and current daily energy demand far exceeds supply. On the other hand, the number of broadband subscribers is increasing,[2] the annual installed capacity for electricity generation is growing[3] and the literacy rate is increasing.[4]

2.2 The ESD Rules do not address any of the issues raised in the preceding paragraph. As a result, they cannot be seen to represent the result of a national consensus on the crucial question of mandating exclusive electronic service delivery and the means of enforcing such a scheme. Further, very few of the provisions of the Rules are binding; instead, the Rules appear to be drafted to serve as a minimal model for electronic service delivery. In this background, CIS believes that the Rules should be treated as an incomplete arrangement that prescribe the minimal standards necessary to bind private service providers before comprehensive and statutory electronic service delivery legislation is enacted, perhaps in the form of the EDS Bill or otherwise. Therefore, without prejudice to the issues raised in the preceding paragraph, CIS offers the following comments on the provisions of the Rules while reserving the opportunity to make substantive submissions on electronic service delivery in general to an appropriate forum at a later date.

III Improper Exercise of Subordinate Legislative Power

3.1 Rule 317 of the Rules of Procedure and Conduct of Business in the Lok Sabha (Fourteenth Edition, July 2010) (“Rules of Procedure”), which empowers the Committee on Subordinate Legislation to scrutinise exercises of statutory delegation of legislative powers for impropriety, states:

There shall be a Committee on Subordinate Legislation to scrutinize and report to the House whether the powers to make regulations, rules, subrules, bye-laws etc., conferred by the Constitution or delegated by Parliament are being properly exercised within such delegation.

Further, the Committee on Subordinate Legislation is specifically empowered by rule 320(vii) of the Rules of Procedure to examine any provision of the ESD Rules to consider “whether it appears to make some unusual or unexpected use of the powers conferred by the Constitution or the Act pursuant to which it is made.”

3.2 Accordingly, the attention of the Committee on Subordinate Legislation is called to an improper exercise of delegated power under rule 3(1) of the ESD Rules, which states:

The appropriate Government may on its own or through an agency authorised by it, deliver public services through electronically- enabled kiosks or any other electronic service delivery mechanism.

This sub-rule (1) empowers both the Central Government and State Governments to provide electronic service delivery on their own.

3.3 The ESD Rules are made in exercise of delegated powers conferred under section 87(2)(ca) read with section 6-A(2) of the Information Technology Act, 2000 (“IT Act”). Section 87(2)(ca) of the IT Act empowers the Central Government to make rules to provide for:

the manner in which the authorised service provider may collect, retain and appropriate service charges under sub-section (2) of section 6-A.

Section 6-A(2) of the IT Act states:

The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.

Prima facie, the delegated powers under section 87(2)(ca) read with section 6-A(2) of the IT Act, in exercise of which the ESD Rules are made, only permit delegated legislation to regulate private service providers, they do not permit the executive to exercise these powers to empower itself to conduct electronic service delivery on its own. Therefore, to the extent that the ESD Rules authorise the Central Government and State Governments to provide electronic service delivery on their own, such authorisation constitutes an improper exercise of delegated power and is ultra vires the IT Act. This may be resolved by deriving the delegated legislative competence of the ESD Rules from section 87(1) of the IT Act, instead of section 87(2)(ca) read with section 6-A(2).

IV Clause-by-Clause Comments

Rule 2 - Definitions

4.1.1 Rule 2(c) of the ESD Rules states:

"authorised agent" means an agent of the appropriate Government or service provider and includes an operator of an electronically enabled kiosk who is permitted under these rules to deliver public services to the users with the help of a computer resource or any communication device, by following the procedure specified in the rules

In accordance with the argument regarding improper exercise of delegated power contained in paragraphs 3.1 – 3.3 of this submission, the appropriate Government cannot undertake electronic service delivery under these Rules. Consequently, the appropriate Government cannot appoint an agent to provide electronic service delivery on behalf, and under the control, of the appropriate Government since, as the principal, the appropriate Government would be responsible for the acts of its agents. Instead, private service providers may provide electronic service delivery as contractees of the appropriate Government who might enter into such contracts as a sovereign contractor. Therefore, only a private service provider may appoint an authorised agent under these Rules.

4.1.2 Therefore, it is proposed that rule 2(c) is amended to read as follows:

““authorised agent” means an agent of a service provider, and includes an operator of an electronically enabled kiosk, who is permitted under these rules to deliver public services with the help of a computer resource or any communication device, by following the procedure specified in these rules”

Rule 3 - System of Electronic Service Delivery

4.2.1 Rule 3(3) of the ESD Rules states:

The appropriate Government may determine the manner of encrypting sensitive electronic records requiring confidentiality, white they are electronically signed.

This sub-rule is supposed to prescribe stringent standards to maintain the security, confidentiality and privacy of all personal information used during electronic service delivery transactions. In the absence of transactional security, electronic service delivery will invite fraud, theft and other misuse to impugn its viability as a means of delivering public services. However, the use of the term “may” leaves the prescription of security standards up to the discretion of the appropriate Government. Further, the language of the sub-rule is unclear and imprecise.

4.2.2 Therefore, it is proposed that rule 3(3) is amended to read as follows:

“The appropriate Government shall, prior to any electronic service delivery, determine the manner of encrypting electronic records and shall prescribe standards for maintaining the safety, security, confidentiality and privacy of all information collected or used in the course of electronic service delivery.”

4.3.1 Rule 3(5) of the ESD Rules states:

The appropriate Government may allow receipt of payments made by adopting the Electronic Service Delivery System to be a deemed receipt of payment effected in compliance with the financial code and treasury code of such Government.

Firstly, if these Rules enable payments to be made electronically, they must also validate the receipt of these payments. Inviting citizens to make electronic payments for government services without recognising the receipt of those payments is farcical to attract abusive and corrupt practices. Therefore, it is imperative that these Rules compulsorily recognise receipt of payments, either by deeming their receipt to be valid receipts under existing law or by specially recognising their receipt by other means including the law of evidence. Either way, electronic receipts of electronic payments must be accorded the validity in law that manual/paper receipts have; and, copies of such electronic receipts must be capable of being adduced in evidence. Secondly, the use of the phrase “financial code and treasury code” is avoidable since these terms are undefined.

4.3.2 Therefore, it is proposed that rule 3(5) be amended to read as follows:

“Any receipt of payment made by electronic service delivery shall be deemed to be a valid receipt of such payment under applicable law and shall be capable of being adduced as evidence of such payment.”

4.4.1 Rule 3(6) of the ESD Rules states:

The appropriate Government may authorise service providers or their authorised agents to collect, retain and appropriate such service charges as may be specified by the appropriate Government for the purpose of providing such services from the person availing such services:

Provided that the apportioned service charges shall be clearly indicated on the receipt to be given to the person availing the services.

This sub-rule is an almost verbatim reproduction of the provisions of section 6-A(2) of the IT Act which reads as follows:

Since the IT Act specifically delegates to the appropriate Governments the power to authorise service providers to levy charges, rule 3(6) of the ESD Rules that merely copies the provisions of the parent statute is meaningless. The purpose of delegated legislation is to give effect to the provisions of a statute by specifying the manner in which statutory provisions shall be implemented. Copying and pasting statutory provisions is a absurd misuse of delegated legislative powers.

4.4.2 Therefore, it is proposed that sub-rule (6) is deleted and the remaining sub-rules of rule 3 are renumbered.

4.5.1 Rule 3(7) of the ESD Rules states:

The appropriate Government shall by notification specify the scale of service charges which may be charged and collected by the service providers and their authorised agents for various kinds of services.

This is an almost verbatim reproduction of the provisions of section 6-A(4) of the IT Act which reads as follows:

The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section.

As noted in paragraph 4.3.1 of this submission, the purpose of delegated legislation is not to copy the provisions of the parent statute, but to amplify the scope of the delegated power and the manner of effecting its implementation.

4.5.2 Therefore, it is proposed that sub-rule (7) is deleted and the remaining sub-rules of rule 3 are renumbered.

4.6.1 Rule 3(8) of the ESD Rules states:

The appropriate Government may also determine the norms on service levels to be complied with by the Service Provider and the authorised agents.

There is no quarrel with the power of the government to determine norms for, or directly prescribe, service levels to regulate service providers. However, without a scheme of statutory or sub-statutory penalties for contravention of the prescribed service levels, a sub-delegated service level cannot enforce any penalties. Simply put, the state cannot enforce penalties unless authorised by law. Unfortunately, rule 3(8) contains no such authorisation. Service levels for service providers without a regime of penalties for non-compliance is meaningless, especially since service providers will be engaged in providing access to essential government services.

4.6.2 Therefore, it is proposed that rule 3(8) be amended to read as follows:

“The appropriate Government shall prescribe service levels to be complied with by all service providers and their authorised agents which shall include penalties for failure to comply with such service levels.”

[1]. Thirty-Seventh Report of the Standing Committee on Information Technology (2011-12) on the Electronic Delivery of Services Bill, 2011 (New Delhi: Lok Sabha Secretariat, 29 August 2012) at pp. 13, 17 and 34. See also, Telecom Sector in India: A Decadal Profile (New Delhi: Telecom Regulatory Authority of India, 8 June 2012).

[2]. Annual Report (2011-12) of the Department of Telecommunications, Ministry of Communications and Information Technology, Government of India (New Delhi: Department of Telecommunications, 2012) at pp. 5 and 1-3.

[3]. Report of the Working Group on Power of the Twelfth Plan (New Delhi: Planning Commission, Government of India, January 2012).

[4]. Provisional Report of the Census of India 2011 (New Delhi: Registrar General and Census Commissioner, 2011) from p. 124.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011

WGIG+8: Stock-Taking, Mapping, and Going Forward

pranesh — 2013-04-04T06:49:31Z

On February 27, 2013, the Centre for Internet and Society conducted a workshop on the Working Group on Internet Governance report, titled "WGIG+8: Stock-Taking, Mapping, and Going Forward" at the World Summit on the Information Society (WSIS) + 10 meeting at Fontenoy Building, conference room # 7, UNESCO Headquarters, Paris from 9.30 a.m. to 11.00 a.m.

Details of the event were published on the UNESCO website.

Session Personnel

Pranesh Prakash was the moderator for the session. There were about 10-15 participants along with 5 remote participants.

There were four speakers:

William Drake, International Fellow and Lecturer, Media Change & Innovation Division, IPMZ at the University of Zurich
Carlos Afonso, Executive Director of the Núcleo de Pesquisas, Estudos e Formação (NUPEF) institute
Avri Doria, Dotgay LLC, Association for Progressive Communications, International School for Internet Governance
Désirée Miloshevic, International Affairs and Policy Adviser, Afilias

Summary of the Discussion

Speakers Summaries

William Drake:
Mr. Drake argued that the WGIG process demonstrated the benefits of multistakeholder collaboration, and facilitated the WSIS negotiations, and the multistakeholder process that WGIG embodied promoted public engagement in the Internet governance debate. The working definition of “Internet governance” that the WGIG came up with demystified the nature and scope of Internet governance. One important outcome of the WGIG report was the proposal of the establishment of the Internet Governance Forum. The WGIG began the holistic assessment of “horizontal issues,” including development, and made some broad but useful recommendations on key “vertical issues”. And lastly, the WGIG offered four models for the oversight of core resources that helped to focus the global debate on the governance of the Internet’s core resources.

Carlos Afonso:
Mr. Afonso commented on the issue of international interconnection costs, and pointed out that they continue to be complex and involve complicated cost accounting. Mr. Afonso then pointed out that the Number Resource Organization (NRO) and the Regional Internet Registries (RIRs) could be doing more in the context of IPv6, in the way of stimulating backbone operators to ensure IPv6 visibility of the networks below them — many are already IPv6-ready but upstream providers do not provide corresponding transit. He also drew attention to “enhanced cooperation” as an issue that had not been anticipated at the time of the report, but had since become an important issue; similarly, he identified social networking and (in response to a question) military uses of the Internet, etc., as other such issues. He opined that the WGIG report needed to be elaborated upon in the present context.

Avri Doria:
Ms. Doria argued that while the report was reluctantly accepted after having been first rejected by the governments, it has proven to be highly useful. She praised the report for its working definition of IG, as it is still being used, and because the report made a clear distinction between governments and the governance of the Internet. She then argued that the definition of roles and responsibilities of stakeholders is very loose in the WGIG report and that these definitions are something that needs further study as they do not take into account the full role and responsibilities of all stakeholders. She also argued that the National Telecommunications and Information Administration is transferring some of its oversight powers over technical governance of the domain name system, to multistakeholder processes as can be seen from the “Affirmation of Commitments” which has replaced the earlier “Memorandum of Understanding” it had with ICANN." She argued that the Affirmation of Commitment based review teams are an important experiment that should be followed with interest.

Désirée Miloshevic:
Ms. Miloshevic pointed out that outside the meta issue of keeping the Internet open for innovation, issues relating to freedom of speech and human rights were the most important challenges facing Internet governance today. She highlighted that several issues, such as economic benefits, consumer protection, freedom to connect and education are issues that have either not been addressed or have been addressed inadequately in the report. She then went on to argue that the IGF, which is an outcome of the WGIG report has had a tangible impact on IG, particularly on clarifying IG as a multi-stakeholder process rather than describing mere institutional regulation models. For example, the IGF allows for newly identified public policy issues to continue to feature as topics in the IGF as emerging issues, such as open data, etc. Ms. Miloshevic also emphasised the need for stakeholders to increase the development of capacity in dealing with IG issues at the global level.

Summary of General Discussion

Overall, it was agreed by all panelists that the WGIG 2005 report and the WSIS process have had a large impact on Internet Governance (IG), particularly in terms of an increase in public awareness and participation in IG as well as in framing of IG as involving multiple stakeholders and not just governments. This has in turn led to a shifting of power equations as well as an increase in openness and transparency. The report has helped create the distinction between governments and governance of the Internet, and framed, through the working definition of IG that was later incorporated in the WSIS Tunis Agenda, the non-technical aspects of IG as a core part of IG. Further, the identification and mapping of issues associated with IG and the generation of institutional governance models were important outcomes of the report. The report was also seen as instrumental in the creation of the Internet Governance Forum (IGF).

Panellists also noted the changed context and the progress (and in many cases, lack of progress) since the WGIG report. Issues were raised around the lack of progress in implementing the specific recommendations made by the report. Inadequate capacity-building of actors in the global South, and efforts of the Number Resource Organization (NRO) and the Regional Internet Registries (RIRs) with respect to IPv6 were used as examples. It was also pointed out that a number of concerns have materialized that had not been anticipated at the time of the report, including 'enhanced cooperation', the emergence of social networking, and military uses of the Internet.

Moderator's summary

The WGIG and its report, the background report and the book that followed from that report, have proven to be crucial in defining the formulation and direction of Internet governance for the past 8 years, and have resulted in a multi-stakeholder governance model for the Internet and the IGF, and have set many norms that have shifted power equations. However, many significant issues that weren't central to Internet governance during the formulation of the WGIG report have since emerged, the majority of the recommendations made in the WGIG report haven't seen much progress, the capacity of actors in the global South to engage in IG issues has not increased greatly, and the IGF needs to gain greater credibility and centrality. Transnational private corporations are emerging as increasingly powerful actors in Internet governance and are slowly shifting the balance, a development that was unforeseen in 2005 when governments were seen as the most powerful actors.

Any agreed recommendations from the session

The panelists recommended the production of an analytical report that would explore the current status of the issues and recommendations laid in the original report issues as well as identify any new concerns that have arisen since 2005. An important aspect of this report would be an emphasis on the benefits of the IGF and the role of the WGIG process and report in underscoring the significance of multi-stakeholder processes. Further recommendations included the continued advancement of Internet rights and principles and enhanced cooperation, as these are two focus areas that have emerged since the WGIG report, and the strengthening of the IGF.

For more details visit https://cis-india.org/internet-governance/blog/wgig-8-stock-taking-mapping-and-going-forward

Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

bhairav — 2013-07-12T12:13:53Z

Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Sensitive Personal Data Rules. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

I Preliminary

1.1 The Centre for Internet and Society (“CIS”) is pleased to present this submission on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on 11 April 2011 (“Sensitive Personal Data Rules” or “Rules”) to the Committee on Subordinate Legislation of the Fifteenth Lok Sabha.

1.2 The protection of personal information lies at the heart of the right to privacy; and, for this reason, it is an imperative legislative and policy concern in liberal democracies around the world. In India, although remedies for invasions of privacy exist in tort law and despite the Supreme Court of India according limited constitutional recognition to the right to privacy[1], there have never been codified provisions protecting the privacy of individuals and their personal information.

The Sensitive Personal Data Rules represent India’s first legislative attempt to recognise that all persons have a right to protect the privacy of their personal information. However, the Rules suffer from numerous conceptual, substantive and procedural weaknesses, including drafting defects, which demand scrutiny and rectification. The interpretation and applicability of the Rules was further confused when, on 24 August 2011, the Department of Information Technology of the Ministry of Communications attempted to reinterpret the Rules through a press release oblivious to the universally accepted basic proposition that law cannot be made or reinterpreted via press releases.[2] Therefore, the attention of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha is called to the following submissions:

II Principles to Facilitate Appraisal
2.1 The Sensitive Personal Data Rules are an important step towards building a legal regime that protects the privacy of individuals whilst enabling the secure collection, use and storage of personal information by state and private entities. The Rules are to be welcomed in principle. However, at present, the Rules construct an incomplete regime that does not adequately protect privacy and, for this reason, falls short of internationally accepted data protection standards.[3]

This not only harms the personal liberties of Indian citizens, it also affects the ability of Indian companies to conduct commerce in foreign countries. More importantly, the Rules offer no protection against the state.

2.2 To enact a comprehensive personal information protection regime, CIS believes that the Rules should proceed on the basis of the following broad principles:

(a) Principle of Notice / Prior Knowledge

All persons from whom personal information is collected have a right to know, before the personal information is collected and, where applicable, at any point thereafter: (i) of an impending collection of personal information; (ii) the content and nature of the personal information being collected; (iii) the purpose for which the personal information is being collected; (iv) the broad identities of all natural and juristic persons who will have access to the collected personal information; (v) the manner in which the collected personal information will be used; (vi) the duration for which the collected personal information will be stored; (vii) whether the collected personal information will be disclosed to third parties including the police and other law enforcement agencies; (viii) of the manner in which they may access, check, modify or withdraw their collected personal information; (ix) the security practices and safeguards that will govern the sanctity of the collected personal information; (x) of all privacy policies and other policies in relation to the collected personal information; (xi) of any breaches in the security, safety, privacy and sanctity of the collected personal information; and, (xii) the procedure for recourse, including identities and contact details of ombudsmen and grievance redress officers, in relation to any misuse of the collected personal information.

(b) Principle of Consent

Personal information must only be collected once the person to whom it pertains has consented to its collection. Such consent must be informed, explicit and freely given. Informed consent is conditional upon the fulfilment of the principle of notice/prior knowledge set out in the preceding paragraph. Consent must be expressly given: the person to whom the personal information to be collected pertains must grant explicit and affirmative permission to collect personal information; and, he must know, or be made aware, of any action of his that will constitute such consent. Consent that is obtained using threats or coercion, such as a threat of refusal to provide services, does not constitute valid consent. Any person whose personal information has been consensually collected may, at any time, withdraw such consent for any or no reason and, consequently, his personal information, including his identity, must be destroyed. When consent is withdrawn in this manner, the person who withdrew consent may be denied any service that requires the use of the personal information for which consent was withdrawn.

Personal information must only be collected when, where and to the extent necessary. Necessity cannot be established in general; there must be a specific nexus connecting the content of the personal information to the purpose of its collection. Only the minimal amount of personal information necessary to achieve the purpose should be collected. If a purpose exists that warrants a temporally specific, or an event-dependent, collection of personal information, such a collection must only take place when that specific time is reached or that event occurs. If the purpose of personal information is dependent upon, or specific to, a geographical area or location, that personal information must only be collected from that geographical area or location.

(d) Right to be Forgotten / Principle of Purpose Limitation

Once collected, personal information must be processed, used, stored or otherwise only for the purpose for which it was collected. If the purpose for which personal information was collected is achieved, the collected personal information must be destroyed and the person to whom that personal information pertained must be ‘forgotten.’ Similarly, collected personal information must be destroyed and the person to whom it pertained ‘forgotten’ if the purpose for which it was collected expires or ceases to exist. Personal information collected for a certain purpose cannot be used or stored for another purpose nor even used or stored for a similar purpose to arise in the future without the express and informed consent of the person from whom it was collected in accordance with the principles of notice/prior knowledge and consent.

(e) Right of Access

All persons from whom personal information is collected have a right to access that personal information at any point following its collection to check its accuracy, make corrections or modifications and have destroyed that which is inaccurate. Where personal information of more than one person is held in an aggregated form such that affording one person access to it may endanger the right to privacy of another person, the entity holding the aggregated personal information must, to the best of its ability, identify the portion of the personal information that pertains to the person seeking access and make it available to him. All persons from whom personal information is collected must be given copies of their personal information upon request.

(f) Principle regarding Disclosure

Personal information, once collected, must never be disclosed. However, if the person to whom certain personal information pertains consents to its disclosure in accordance with the principle of consent after he has been made aware of the proposed disclosee and other details related to the personal information in accordance with the principle of notice/prior knowledge, the personal information may be disclosed. Consent to a disclosure of this nature may be obtained even during collection of the personal information if the person to whom it pertains expressly consents to its future disclosure. Notwithstanding the rule against disclosure and the consent exception to the rule, personal information may be disclosed to the police or other law enforcement agencies on certain absolute conditions. Since the protection of personal information is a policy imperative, the conditions permitting its disclosure must be founded on a clear and serious law enforcement need that overrides the right to privacy; and, in addition, the disclosure conditions must be strict, construed narrowly and, in the event of ambiguity, interpreted to favour the individual right to privacy. Therefore, (i) there must be a demonstrable need to access personal information in connection with a criminal offence; (ii) only that amount of personal information that is sufficient to satisfy the need must be disclosed; and, (iii), since such a disclosure is non-consensual, it must follow a minimal due process regime that at least immediately notifies the person concerned and affords him the right to protest the disclosure.

(g) Principle of Security

All personal information must be protected to absolutely maintain its sanctity, confidentiality and privacy by implementing safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, de-anonymisation, unauthorised disclosure and other risks. Such a level of protection must include physical, administrative and technical safeguards that are constantly and consistently audited. Protection measures must be revised to incorporate stronger measures and mechanisms as and when they arise.

(h) Principle of Transparency / ‘Open-ness’

All practices, procedures and policies governing personal information must be made available to the person to whom that personal information pertains in a simple and easy-to-understand manner. This includes policies relating to the privacy, security and disclosure of that personal information. If an entity that seeks to collect personal information does not have these policies, it must immediately draft, publish and display such policies in addition to making them available to the person from whom it seeks to collect personal information before the collection can begin.

(i) Principle of Accountability

Liability attaches to the possession of personal information of another person. Since rights and duties, such as those in relation to privacy of personal information, are predicated on accountability, this principle binds all entities that seek to possess personal information of another person. As a result, an entity seeking to collect, use, process, store or disclose personal information of another person is accountable to that person for complying with all these principles as well as the provisions of any law. The misuse of personal information causes harm to the person to whom it pertains to attract and civil and criminal penalties.

2.3 These principles are reflective of internationally accepted best practices to form the basis upon which Indian legislation to protect personal information should be drafted. The Sensitive Personal Data Rules, in their current form, fall far short of the achieving the substantive intent of these principles. CIS submits that either (i) the Sensitive Personal Data Rules should be replaced with new and comprehensive legislation that speaks to the objectives and purpose of these principles, or (ii) the Sensitive Personal Data Rules are radically modified by amendment to bring Indian law to par with world standards. Nevertheless, without prejudice to the preceding submission, CIS offers the following clause-by-clause comments on the Sensitive Personal Data Rules:

III Clause-by-Clause Analysis and Comments

Rule 2 - Definitions

3.1.1 Rule 2(1)(b) of the Sensitive Personal Data Rules defines “biometrics” as follows:

"Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', "facial patterns', 'hand measurements' and 'DNA' for authentication purposes.

3.1.2 Firstly, the Sensitive Personal Data Rules do not use the term “biometrics.” Instead, rule 3(vi), which defines sensitive personal data, uses the term “biometric information.” It is unclear why rule 2(1)(b) provides a definition of the technologies by which information is obtained instead of clearly identify the information that constitutes sensitive personal data. This is one of several examples of poor drafting of the Sensitive Personal Data Rules. Secondly, biometric information is not used only for authentication; there are many other reasons for collecting and using biometric information. For instance, DNA is widely collected and used for medical research. Restricting the application of the definition to only that biometric information that is used for authentication is illogical to deprive the Rules of meaning.

3.1.3 Therefore, it is proposed that rule 2(1)(b) be re-drafted to read as follows:

““Biometric information” means any information relating to the physical, physiological or behavioural characteristics of an individual which enable their unique identification including, but not limited to, fingerprints, retinas, irises, voice patterns, facial patterns, Deoxyribonucleic acid (DNA) and genetic information.”

3.2.1 Rule 2(1)(c) of the Sensitive Personal Data Rules defines “body corporate” in accordance with the definition provided in clause (i) of the Explanation to section 43A of the Information Technology Act, 2000 (“IT Act”) as follows:

“body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

3.2.2 Firstly, this definition of a body corporate is poorly drafted to extend beyond incorporated entities to bring within its ambit even unincorporated professional organisations such as societies and associations which, by their very nature, are not bodies corporate.[4]

This is an arbitrary reinterpretation of the fundamental principles of company law. As it presently stands, this peculiar definition will extend to public and private limited companies, including incorporated public sector undertakings, ordinary and limited liability partnerships, firms, sole proprietorships, societies and associations; but, will exclude public and private trusts[5] and unincorporated public authorities. Hence, whereas non-governmental organisations that are organised as societies will fall within the definition of “body corporate,” those that are organised as trusts will not. Similarly, incorporated public authorities such as Delhi Transport Corporation and even municipal corporations such as the Municipal Corporation of Delhi will fall within the definition of “body corporate” but unincorporated public authorities such as the New Delhi Municipal Council and the Delhi Development Authority will not. This is a prima facie violation of the fundamental right of all persons to be treated equally under the law guaranteed by Article 14 of the Constitution of India.

3.2.3 Secondly, whereas state entities and public authorities often collect and use sensitive personal data, with the exception of state corporations the Sensitive Personal Data Rules do not apply to the state. This means that the procedural safeguards offered by the Rules do not bind the police and other law enforcement agencies allowing them a virtually unfettered right to collect and use, even misuse, sensitive personal data without consequence. Further, state entities such as the Unique Identification Authority of India or the various State Housing Boards which collect, handle, process, use and store sensitive personal data are not covered by the Rules and remain unregulated. It is not possible to include these unincorporated entities within the definition of a body corporate; but, in pursuance of the principles set out in paragraph 2.2 of this submission, the Rules should be expanded to all state entities, whether incorporated or not.

3.2.4 Therefore, it is proposed that rule 2(1)(c) be re-drafted to read as follows:

““body corporate” means the body corporate defined in sub-section (7) of section 2 read with section 3 of the Companies Act, 1956 (1 of 1956) and includes those entities which the Central Government may, by notification in the Official Gazette, specify in this behalf but shall not include societies registered under the Societies Registration Act, 1860 (21 of 1860), trusts created under the Indian Trusts Act, 1882 (2 of 1882) or any other association of individuals that is not a legal entity apart from the members constituting it and which does not enjoy perpetual succession.”

Further, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to societies registered under the Societies Registration Act, 1860 and trusts created under the Indian Trusts Act, 1882 in a manner reflective of their distinctiveness from bodies corporate.

Furthermore, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to public authorities and the state as defined in Article 12 of the Constitution of India.

3.3.1 Rule 2(1)(d) of the Sensitive Personal Data Rules defines “cyber incidents” as follows:

"Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation.

3.3.2 Before examining the provisions of this clause, CIS questions the need for this definition. The term “cyber incidents” is used only once in these rules: the proviso to rule 6(1) which specifies the conditions upon which personal information or sensitive personal data may be disclosed to the police or other law enforcement authorities without the prior consent of the person to whom the information pertains. An analysis of rule 6(1) is contained at paragraphs 3.11.1 – 3.11.4 of this submission. Firstly, personal information and sensitive personal data should only be disclosed in connection with the prevention, investigation and prosecution of an existing offence. Offences cannot be created in the definitions clause of sub-statutory rules, they can only be created by a parent statute or another statute. Secondly, the scope and content of “cyber incidents” are already covered by section 43 of the IT Act. When read with section 66 of IT Act, an offence is created that is larger than the scope of the term “cyber incidents” to render this definition redundant.

3.3.3 Therefore, it is proposed that the definition of “cyber incidents” in rule 2(1)(d) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.

3.4.1 Rule 2(1)(g) of the Sensitive Personal Data Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. However, the term “intermediary” is not used anywhere in the Sensitive Personal Data Rules and so its definition is redundant. This is another instance of careless drafting of the Sensitive Personal Data Rules.

3.4.2 Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.

Rule 3 - Sensitive Personal Data

3.5.1 Rule 3 of the Sensitive Personal Data Rules provides an aggregated definition of sensitive personal data as follows:

Sensitive personal data or information of a person means such personal information which consists of information relating to –

(i) password;

(ii) financial information such as Bank account or credit card or debit card or other payment instrument details ;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

3.5.2 In accordance with the principle that certain kinds of personal information are particularly sensitive, due to the intimate nature of their content in relation to the right to privacy, to invite privileged protective measures regarding the collection, handling, processing, use and storage of such sensitive personal data, it is surprising that rule 3 does not protect electronic communication records of individuals. Emails and chat logs as well as records of internet activity such as online search histories are particularly vulnerable to abuse and misuse and should be accorded privileged protection.

3.5.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:

“Sensitive personal data or information of a person means personal information as to that person’s –

(i) passwords and encryption keys;

(ii) financial information including, but not limited to, information relating to his bank accounts, credit cards, debit cards, negotiable instruments, debt and other payment details;

(iii) physical, physiological and mental condition;

(iv) sexual activity and sexual orientation;

(v) medical records and history;

(vi) biometric information; and

(vii) electronic communication records including, but not limited to, emails, chat logs and other communications made using a computer;

and shall include any data or information related to the sensitive personal data or information set out in this rule that is provided to, or received by, a body corporate.

Provided that, any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”

Rule 4 - Privacy and Disclosure Policy

3.6.1 Rule 4 of the Sensitive Personal Data Rules, which obligates certain bodies corporate to publish privacy and disclosure policies for personal information, states:

Body corporate to provide policy for privacy and disclosure of information. – (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for –

(i) Clear and easily accessible statements of its practices and policies;

(ii) type of personal or sensitive personal data or information collected under rule 3;

(iii) purpose of collection and usage of such information;

(iv) disclosure of information including sensitive personal data or information as provided in rule 6;

(v) reasonable security practices and procedures as provided under rule 8.

3.6.2 This rule is very badly drafted, contains several discrepancies and is legally imprecise. Firstly, this rule is overbroad to bind all bodies corporate that receive and use information, as opposed to “personal information” or “sensitive personal data.” All bodies corporate receive and use information, even a vegetable seller uses information relating to vegetables and prices; but, not all bodies corporate receive and use personal information and even fewer bodies corporate receive and use sensitive personal data. The application of this provision should turn on the reception and use of personal information, which includes sensitive personal data, and not simply information. Secondly, although this rule only applies when a provider of information provides information, the term “provider of information” is undefined. It may mean any single individual who gives his personal information to a body corporate, or it may even mean another entity that outsources or subcontracts work that involves the handling of personal information. This lack of clarity compromises the enforceability of this rule. The government’s press release of 24 August 2011 acknowledged this error but since it is impossible, not to mention unconstitutional, for a statutory instrument like these Rules to be amended, modified, interpreted or clarified by a press release, CIS is inclined to ignore the press release altogether. It is illogical that privacy policies not be required when personal information is directly given by a single individual. This rule should bind all bodies corporate that receive and use personal information irrespective of the source of the personal information. Thirdly, it is unclear whether separate privacy policies are required for personal information and for sensitive personal data. There is a distinction between personal information and sensitive personal data and since these Sensitive Personal Data Rules deal with the protection of sensitive personal data, this rule 4 should unambiguously mandate the publishing of privacy policies in relation to sensitive personal data. Any additional requirement for personal information must be set out to clearly mark its difference from sensitive personal data. Fourthly, because of sloppy drafting, the publishing duties of the body corporate in respect of any sensitive personal data are unclear. For example, the phrase “personal or sensitive personal data or information” used in clause (ii) is meaningless since “personal information” and “sensitive personal data or information” are defined terms.

3.6.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:

“Duty to publish certain policies. – (1) Any body corporate that collects, receives, possesses, stores, deals with or handles personal information or sensitive personal data from any source whatsoever shall, prior to collecting, receiving, possessing, storing, dealing with or handling such personal information or sensitive personal data, publish and prominently display the policies listed in sub-rule (2) in relation to such personal information and sensitive personal data.

(2) In accordance with sub-rule (1) of this rule, all bodies corporate shall publish separate policies for personal information and sensitive personal data that clearly state –

(i) the meanings of personal information and sensitive personal data in accordance with these rules;

(ii) the practices and policies of that body corporate in relation to personal information and sensitive personal data;

(iii) descriptive details of the nature and type of personal information and sensitive personal data collected, received, possessed, stored or handled by that body corporate;

(iv) the purpose for which such personal information and sensitive personal data is collected, received, possessed, stored or handled by that body corporate;

(v) the manner and conditions upon which such personal information and sensitive personal data may be disclosed in accordance with rule 6 of these rules; and

(vi) the reasonable security practices and procedures governing such personal information and sensitive personal data in accordance with rule 8 of these rules.”

Rule 5 - Collection of Information

3.7.1 Rule 5(1) of the Sensitive Personal Data Rules lays down the requirement of consent before personal information can be collected as follows:

Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.

3.7.2 Firstly, the principle and requirement of consent is of overriding importance when collecting personal information, which includes sensitive personal data. Pursuant to the principles laid down in paragraph 2.2 of this submission, consent must be informed, explicit and freely given. Since sub-rule (3) of rule 5 attempts to secure the informed consent of persons giving personal information, this sub-rule must establish that all personal information can only be collected upon explicit consent that is freely given, irrespective of the medium and manner in which it is given. Secondly, it may be noted that sub-rule (1) only applies to sensitive personal data and not to other personal information that is not sensitive personal data. This is ill advised. Thirdly, this sub-rule relating to actual collection of personal information should follow a provision establishing the principle of necessity before collection can begin. The principle of necessity is currently laid down in sub-rule (2) of rule 5 which should be re-numbered to precede this sub-rule relating to collection.

3.7.3 Therefore, it is proposed that rule 5(1) be re-numbered to sub-rule (2) of rule 5 and re-drafted to read as follows:

“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to collecting that personal information or sensitive personal data, obtain the express and informed consent of that person in any manner, and through any medium, that may be convenient but shall not obtain such consent through threat, duress or coercion.”

3.8.1 Rule 5(2) of the Sensitive Personal Data Rules sets out the principle of necessity governing the collection of personal information as follows:

Body corporate or any person on its behalf shall not collect sensitive personal data or information unless —

(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and

(b) the collection of the sensitive personal data or information is considered necessary for that purpose.

3.8.2 Firstly, before allowing a body corporate to collect personal information, which includes sensitive personal data, the law should strictly ensure that the collection of such personal information is necessary. Necessity cannot be established in general, there must be a nexus connecting the personal information to the purpose for which the personal information is sought to be collected. This important sub-rule sets out the principles upon which personal information can be collected; and, should therefore be the first sub-rule of rule 5. Secondly, this sub-rule only applies to sensitive personal data instead of all personal information. It is in the public interest that the principle of necessity applies to all personal information, including sensitive personal data.

3.8.3 Therefore, it is proposed that rule 5(2) be re-numbered to sub-rule (1) of rule 5 and re-drafted to read as follows:

“No body corporate shall collect any personal information or sensitive personal data of a person unless it clearly establishes that –

(a) the personal information or sensitive personal data is collected for a lawful purpose that is directly connected to a function or activity of the body corporate; and

(b) the collection of the personal information or sensitive personal data is necessary to achieve that lawful purpose.”

3.9.1 Rule 5(3) of the Sensitive Personal Data Rules attempts to create an informed consent regime for the collection of personal information as follows:

While collecting information directly from the person concerned, the body corporate or any person on its behalf snail take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of —

(a) the fact that the information is being collected;

(b) the purpose for which the information is being collected;

(c) the intended recipients of the information; and

(d) the name and address of —

(i) the agency that is collecting the information; and

(ii) the agency that will retain the information.

3.9.2 Firstly, this sub-rule (3) betrays the carelessness of its drafters by bringing within its application any and all information collected by a body corporate from a person instead of only personal information or sensitive personal data. Secondly, this provision is crucial to establishing a regime of informed consent before personal information is given by a person to a body corporate. For consent to be informed, the person giving consent must be made aware of not only the collection of that personal information or sensitive personal data, but also the purpose for which it is being collected, the manner in which it will be used, the intended recipients to whom it will be sent or made accessible, the duration for which it will be stored, the conditions upon which it may be disclosed, the conditions upon which it may be destroyed as well as the identities of all persons who will collect, receive, possess, store, deal with or handle that personal information or sensitive personal data. Thirdly, the use of the phrase “take such steps as are, in the circumstances, reasonable” dilutes the purpose of this provision and compromises the establishment of an informed consent regime. Instead, the use of the term “reasonable efforts”, which has an understood meaning in law, will suffice to protect individuals while giving bodies corporate sufficient latitude to conduct their business.

3.9.3 Therefore, it is proposed that rule 5(3) be re-drafted to read as follows:

“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to such collection, make reasonable efforts to inform that person of the following details in respect of his personal information or sensitive personal data –

(a) the fact that it is being collected;

(b) the purpose for which it is being collected;

(d) the intended recipients to whom it will be sent or made available;

(e) the duration for which it will be stored;

(f) the conditions upon which it may be disclosed;

(g) the conditions upon which it may be destroyed; and

(h) the identities of all persons and bodies corporate who will collect, receive, possess, store, deal with or handle it.”

3.10.1 Rule 5(4) of the Sensitive Personal Data Rules lays down temporal restrictions to the retention of personal information:

Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

3.10.2 Since this sub-rule (4) only applies to sensitive personal data instead of all personal information, bodies corporate are permitted to hold personal information of persons that is not sensitive personal data for as long as they like even after the necessity that informed the collection of that personal information expires and the purpose for which it was collected ends. This is a dangerous provision that deprives the owners of personal information of the ability to control its possession to jeopardise their right to privacy. The Sensitive Personal Data Rules should prescribe a temporal limit to the storage of all personal information by bodies corporate.

3.10.3 Therefore, it is proposed that rule 5(4) be re-drafted to read as follows:

“No body corporate shall store, retain or hold personal information or sensitive personal data for a period longer than is required to achieve the purpose for which that personal information or sensitive personal data was collected.”

Rule 6 - Disclosure of Information

3.11.1 Rule 6(1) of the Sensitive Personal Data Rules, which deals with the crucial issue of disclosure of personal information, states:

Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation:

Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.

3.11.2 In addition to errors and discrepancies in drafting, this sub-rule contains wide and vague conditions of disclosure of sensitive personal data to gravely impair the privacy rights and personal liberties of persons to whom such sensitive personal data pertains. A summary of drafting errors and discrepancies follows: Firstly, this sub-rule only applies to sensitive personal data instead of all personal information. The protection of personal information that is not sensitive personal data is an essential element of the right to privacy; hence, prohibiting bodies corporate from disclosing personal information at will is an important public interest prerogative. Secondly, the use of the phrase “any third party” lends vagueness to this provision since the term “third party” has not been defined. Thirdly, the repeated use of the undefined phrase “provider of information” throughout these Rules and in this sub-rule is confusing since, as pointed out in paragraph 3.6.2 of this submission, it could mean either or both of the single individual who consents to the collection of his personal information or another entity that transfers personal information to the body corporate.

3.11.3 Further, the conditions upon which bodies corporate may disclose personal information and sensitive personal data without the consent of the person to whom it pertains are dangerously wide. Firstly, the disclosure of personal information and sensitive personal data when it is “necessary for compliance of a legal obligation” is an extremely low protection standard. The law must intelligently specify the exact conditions upon which disclosure sans consent is possible; since the protection of personal information is a public interest priority, the conditions upon which it may be disclosed must outweigh this priority to be significant and serious enough to imperil the nation or endanger public interest. The disclosure of personal information and sensitive personal data for mere compliance of a legal obligation, such as failure to pay an electricity bill, is farcical. Secondly, the proviso sets out the conditions upon which the state, through its law enforcement agencies, may access personal information and sensitive personal data without the consent of the person to whom it pertains. Empowering the police with access to personal information can serve a public good if, and only if, it results in the prevention or resolution of crime; if not, this provision will give the police carte blanche to misuse and abuse this privilege. Hence, personal information should only be disclosed for the prevention, investigation and prosecution of an existing criminal offence. Thirdly, the definition and use of the term “cyber incidents” is unnecessary because section 43 of the IT Act already lists all such incidents. In addition, when read with section 66 of the IT Act, there emerges a clear list of offences to empower the police to seek non-consensual disclosure of personal information to obviate the need for any further new terminology. In sum, with regard to the non-consensual disclosure of personal information for the purposes of law enforcement: a demonstrable need to access personal information to prevent, investigate or prosecute crime must exist; only that amount of personal information sufficient to satisfy the need must be disclosed; and, finally, no disclosure may be permitted without clearly laid down procedural safeguards that fulfil the requirements of a minimal due process regime.

3.11.4 Therefore, it is proposed that rule 6(1) be re-drafted to read as follows:

“No body corporate shall disclose any personal information or sensitive personal data to anyone whosoever without the prior express consent of the person to whom the personal information or sensitive personal data to be disclosed pertains.

Provided that if the personal information or sensitive personal data was collected pursuant to an agreement that expressly authorises the body corporate to disclose such personal information or sensitive personal data, and if the person to whom the personal information or sensitive personal data pertains was aware of this authorisation prior to such collection, the body corporate may disclose the personal information or sensitive personal data without obtaining the consent of the person to whom it pertains in the form and manner specified in such agreement.

Provided further that if a reasonable threat to national security, defence or public order exists, or if the disclosure of personal information or sensitive personal data is necessary to prevent, investigate or prosecute a criminal offence, the body corporate shall, upon receiving a written request from the police or other law enforcement authority containing the particulars and details of the personal information or sensitive personal data to be disclosed, disclose such personal information or sensitive personal data to such police or other law enforcement authority without the prior consent of the person to whom it pertains.”

3.12.1 Rule 6(2) of the Sensitive Personal Data Rules creates an additional disclosure mechanism:

Notwithstanding anything contain in sub-rule (1), any sensitive personal data on Information shall be disclosed to any third party by an order under the law for the time being in force.

3.12.2 This sub-rule is overbroad to enable anyone’s sensitive personal data to be disclosed to any other person without the application of any standards of necessity, proportionality or due process and without the person to whom the sensitive personal data pertains having any recourse or remedy. Such provisions are the hallmarks of authoritarian and police states and have no place in a liberal democracy. For instance, the invocation of this sub-rule will enable a police constable in Delhi to exercise unfettered power to access the biometric information or credit card details of a politician in Kerala since an order of a policeman constitutes “an order under the law”. Pursuant to our submission in paragraph 3.11.4, adequate measures exist to secure the disclosure of personal information or sensitive public data in the public interest. The balance of convenience between privacy and public order has already been struck. This sub-rule should be removed.

3.12.3 Therefore, it is proposed that rule 6(2) be deleted and the remaining sub-rules in rule 6 be accordingly renumbered.

3.13.1 Rule 6(4) of the Sensitive Personal Data Rules states:

The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.

3.13.2 Firstly, as mentioned elsewhere in this submission, the phrase “third party” has not been defined. This is a drafting discrepancy that must be rectified. Secondly, this sub-rule only encompasses sensitive personal data and not other personal information that is not sensitive personal data. Thirdly, it may be necessary, in the interests of business or otherwise, for personal information or sensitive personal data that has been lawfully disclosed to a third person to be disclosed further if the person to whom that personal information consents to it.

3.13.3 Therefore, it is proposed that rule 6(4) be re-drafted to read as follows:

“Personal information and sensitive personal data that has been lawfully disclosed by a body corporate to a person who is not the person to whom such personal information or sensitive personal data pertains in accordance with the provisions of these rules may be disclosed further upon obtaining the prior and express consent of the person to whom it pertains.”

Rule 7 - Transfer of Information

3.14.1 Rule 7 of the Sensitive Personal Data Rules sets out the conditions upon which bodies corporate may transfer personal information or sensitive personal data to other bodies corporate in pursuance of a business arrangement:

A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

3.14.2 This provision allows personal information and sensitive personal data to be transferred across international borders to other bodies corporate in pursuance of a business agreement. The transfer of such information is a common feature of international commerce in which Indian information technology companies participate with significant success. Within India too, personal information and sensitive personal data is routinely transferred between companies in furtherance of an outsourced business model. Besides affecting ease of business, the sub-rule also affects the ability of persons to control their personal information and sensitive personal data. However, the sub-rule has been poorly drafted: firstly, the simultaneous use of the phrases “provider of information” and “such person” is imprecise and misleading; secondly, the person to whom any personal information or sensitive personal data pertains must pre-consent to the transfer of such information.

3.14.3 Therefore, it is proposed that rule 7 be re-drafted to read as follows:

“A body corporate may transfer any personal information or sensitive personal data in its possession to another body corporate, whether located in India or otherwise, if the transfer is pursuant to an agreement that binds the other body corporate to same, similar or stronger measures of privacy, protection, storage, use and disclosure of personal information and sensitive personal data as are contained in these rules, and if the express and informed consent of the person to whom the personal information or sensitive personal data pertains is obtained prior to the transfer.”

Rule 8 - Reasonable Security Practices

3.15.1 Following rule 8(1) of the Sensitive Personal Data Rules that prescribes reasonable security practices and procedures necessary for protecting personal information and sensitive personal data, rule 8(2) asserts that the international standard ISO/IEC 27001 fulfils the protection standards required by rule 8(1):

The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).

3.15.2 ISO/IEC 27001 is an information security management system standard that is prescribed by the International Organisation for Standardisation and the International Electrotechnical Commission. CIS raises no objection to the content or quality of the ISO/IEC 27001 standard. However, to achieve ISO/IEC 27001 compliance and certification, one must first purchase a copy of the standard. A copy of the ISO/IEC 27001 standard costs approximately Rs. _____/-. The cost of putting in place the protective measures required by the ISO/IEC 27001 standard are higher: these include the cost of literature and training, the cost of external assistance, the cost of technology, the cost of employees’ time and the cost of certification.

3.15.3 Therefore, to bring these standards within the reach of small and medium-sized Indian bodies corporate, an appropriate Indian authority, such as the Bureau of Indian Standards, should re-issue affordable standards that are equivalent to ISO/IEC 27001.

IV The Press Release of 24 August 2011

4.1 The shoddy drafting of the Sensitive Personal Data Rules resulted in national and international confusion about its interpretation. However, instead of promptly correcting the embarrassingly numerous errors in the Rules, the Department of Information Technology of the Ministry of Communications and Information Technology chose to issue a press release on 24 August 2011 that was published on the website of the Press Information Bureau. The content of that press release is brought to the attention of the Committee of Subordinate Legislation as follows:

Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology ACT, 2000.

Press Note

The Department of Information Technology had notified Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 on 11.4.2011 vide notification no. G.S.R. 313(E).

These rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6. Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate. It is also clarified that privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract. Further, in Rule 5(1) consent includes consent given by any mode of electronic communication.

Ministry of Communications & Information Technology (Dept. of Information Technology)

Press Information Bureau, Government of India, Bhadra 2, 1933, August 24, 2011

SP/ska
(Release ID :74990)

4.2 It is apparent from a plain reading of the text that this press release seeks to re-interpret the application of rules 5 and 6 of the Sensitive Personal Data Rules insofar as they apply to Indian bodies corporate receiving personal information collected by another company outside India. Also, it seeks to define the term “providers of information” to address the confusion created by the repeated use this term in the Rules. Further, it re-interprets the scope and application of rule 4 relating to duty of bodies corporate to publish certain policies. Furthermore, it seeks to amend the provisions of rule 5(1) relating to manner and medium of obtaining consent prior to collecting personal information.

4.3 At the outset, it must be understood that a press release is not valid law. According to Article 13(3) of the Constitution of India,

...law includes any Ordinance, order, bye law, rule, regulation, notification, custom or usages having in the territory of India the force of law.

Law includes orders made in exercise of a statutory power as also orders and notifications made in exercise of a power conferred by statutory rules.

[See, Edward Mills AIR 1955 SC 25 at pr. 12, Babaji Kondaji Garad 1984 (1) SCR 767 at pp. 779-780 and Indramani Pyarelal Gupta 1963 (1) SCR 721 at pp. 73-744]

Sub-delegated orders, made in exercise of a power conferred by statutory rules, cannot modify the rules.

[See, Raj Narain Singh AIR 1954 SC 569 and Re Delhi Laws Act AIR 1951 SC 332]

Therefore, press releases, which are not made or issued in exercise of a delegated or sub-delegated power are not “law” and cannot modify statutory rules.

V Summary

5.1 CIS submits that the following provisions of the Sensitive Personal Data Rules be amended or annulled

Rule 2(1)(b);
Rule 2(1)(c);
Rule 2(1)(d);
Rule 2(1)(g);
Rule 3;
Rule 4(1);
Rule 5(1);
Rule 5(2);
Rule 5(3);
Rule 5(4);
Rule 6(1);
Rule 6(1) Proviso;
Rule 6(2);
Rule 6(4);
Rule 7; and
Rule 8.

5.2 CIS submits that the Committee on Subordinate Legislation should take a serious view of the press release issued by the Department of Information Technology of the Ministry of Communications and Information Technology on 24 August 2011.

5.3 CIS submits that in exercise of the powers granted to the Committee on Subordinate Legislation under Rules 317 and 320 of the Lok Sabha Rules of Procedure, the provisions of the Sensitive Personal Data Rules listed in the preceding paragraph 5.1 should be annulled; and, the Committee may be pleased to consider and recommend as an alternative the amendments proposed by CIS in this submission.

5.4 CIS thanks the Committee on Subordinate Legislation for the opportunity to present this submission and reiterates its commitment to supporting the Committee with any clarification, question or other requirement it may have.

[1]. See generally, Kharak Singh AIR 1963 SC 1295, Gobind (1975) 2 SCC 148, R. Rajagopal (1994) 6 SCC 632, People’s Union for Civil Liberties (1997) 1 SCC 301 and Canara Bank (2005) 1 SCC 496.

[2]. See infra pr. 4.3.

[3]. See, for comparison, Directive 95/46/EC of 24 October 1995 of the European Parliament and Council, the Data Protection Act, 1998 of the United Kingdom and the Proposed EU Regulation on on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

[4].See generally, Board of Trustees of Ayurvedic College AIR 1962 SC 458 and S. P. Mittal AIR 1983 SC 1.

[5]. See generally, W. O. Holdsworth AIR 1957 SC 887 and Duli Chand AIR 1984 Del 145.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011

Comments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011

bhairav — 2013-07-12T12:15:30Z

Bhairav Acharya on behalf of the Centre for Internet and Society submitted the following comments on the Information Technology (Guidelines for Cyber Cafe Rules), 2011.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

I Preliminary

1.1 This submission presents preliminary clause-by-clause comments from the Centre for Internet and Society (“CIS”) on the Information Technology (Guidelines for Cyber Café) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 315(E) on 11 April 2011 (“Cyber Café Rules”).

1.2 This submission is for the consideration of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha. In its 21^st Report, the Committee on Subordinate Legislation presciently noted that:

“…statutory rules ought to be framed and notified not only in time but utmost care and caution should also be exercised in their formulation and finalization so as to get rid of any avoidable discrepancies. As far as possible, the aim should be to prevent needless litigation arising subsequently from badly framed rules.” [See the 21^st Report of the Lok Sabha Committee on Subordinate Legislation presented on 16 December 2011 at pr. 2.1]

Unfortunately, the Cyber Café Rules have been poorly drafted, contain several discrepancies and, more seriously, may impinge upon constitutionally guaranteed freedoms of Indian citizens. The attention of the Committee on Subordinate Legislation is accordingly called to the following provisions of the Cyber Cafe Rules:

II Validity of the Cyber Cafe Rules

2.1 The Cyber Cafe Rules are made in exercise of powers granted under section 87(2)(zg) read with section 79(2) of the Information Technology Act, 2000 (“IT Act”). Read together, these delegated powers invest the executive with the power to frame rules for exempting cyber cafes from liability for any third party information, data or communication link if they comply with Central Government guidelines. The empowerment made by section 87(2)(zg) of the IT Act pertains to:

“the guidelines to be observed by the intermediaries under sub-section (2) of section 79”

Sections 79 (1) and (2) state:

“79. Exemption from liability of intermediary in certain cases. – (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.

(2) The provisions of sub-section (1) shall apply if—

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hasted; or

(b) the intermediary does not—

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.”

2.2 Hence, section 79(2) permits the Central Government to prescribe guidelines for cyber cafes to comply with in order to claim the general exemption from liability granted by section 79(1) of the IT Act. The Cyber Cafe Rules constitute those guidelines. However, the liability from which cyber cafes may be exempted extends only to “any third party information, data, or communication link made available or hosted” by users of cyber cafes. In other words, the liability of cyber cafes (the exemption from which is supposed to be controlled by the Cyber Cafe Rules) is only in respect of the information, data or communication links of their users. No liability is assigned to cyber cafes for failing to collect identity information of their users. Therefore, the Cyber Cafe Rules made under the power granted by section 79(2)(c) of the IT Act cannot make cyber cafes liable for user identification information. In accordance with sections 79(2)(c) and 79(1) read with section 87(2)(zg) of the IT Act, the Cyber Cafe Rules may legitimately deal with the duties of cyber cafes in respect of any information, data or communication links of their users, but not in respect of user identification. However, the thrust of the Cyber Cafe Rules, and the pith of their provisions, is concerned solely with registering and identifying cyber cafe users including collecting their personal information, photographing them, storing their personal information and reporting these non-content related details to the police. There is even a foray into interior design to dictate the height limits of furniture inside cyber cafes. All of this may be a legitimate governance concern, but it cannot be undertaken by the Cyber Cafe Rules. To the extent that the Cyber Cafe Rules deal with issues beyond those related to any information, data or communication links of cyber cafe users, the Rules exceed the permissible limit of delegated powers under section 79(2) and 87(2)(zg) of the IT Act and, consequently, are ultra vires the IT Act.

III Clause-by-Clause Analysis and Comments

Rule 2 - Definitions

3.1 Rule 2(1)(c) of the Cyber Cafe Rules defines a cyber cafe in accordance with the definition provided in section 2(1)(na) of the IT Act as follows:

““cyber cafe” means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public”

This definition of a cyber cafe is overbroad to bring within its ambit any establishment that offers internet access in the course of its business such as airports, restaurants and libraries. In addition, some State Road Transport Corporations offer wi-fi internet access on their buses; and, Indian Railways, as well as Bangalore Metro Rail Corporation Limited, plans to offer wi-fi internet access on some of its trains. These will all fall within the definition of “cyber cafe” as it is presently enacted. The definition of “cyber cafe” should be read down to only relate to commercial establishments that primarily offer internet access to the general public for a fee.

Therefore, it is proposed that rule 2(1)(c) be amended to read as follows:

“notwithstanding anything contained in clause (na) of sub-section (1) of section 2 of the Act, and for the purposes of these rules only, “cyber cafe” means, any commercial establishment which primarily offers access to the internet to members of the general public for consideration for any purpose but does not include any educational or academic institution, office or place where access to the internet is restricted to authorised persons only.”

3.2 Rule 2(1)(e) of the Cyber Cafe Rules defines “data” in accordance with the definition provided in section 2(1)(o) of the IT Act. However, the term “data” is not used anywhere in the Cyber Cafe Rules and so its definition is redundant. This is one of several instances of careless drafting of the Cyber Cafe Rules.

Therefore, it is proposed that the definition of “data” in rule 2(1)(e) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.

3.3 Rule 2(1)(g) of the Cyber Cafe Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. While all cyber cafes are intermediaries, not all intermediaries are cyber cafes: there are different categories of intermediaries that are regulated by other rules under the IT Act. The Cyber Cafe Rules make no mention of any other category of intermediaries other than cyber cafes; indeed, the term “intermediary” is not used anywhere in the Cyber Cafe Rules. Its definition is therefore redundant.

Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.

Rule 3 - Agency for Registration of Cyber Cafes

4.1 Rule 3 of the Cyber Cafe Rules, which attempts to set out a registration regime for cyber cafes, as follows:

“3. Agency for registration of cyber cafe. – (1) All cyber cafes shall be registered with a unique registration number with an agency called as registration agency as notified by the Appropriate Government in this regard. The broad terms of registration shall include:

(i) name of establishment;

(ii) address with contact details including email address;

(iii) whether individual or partnership or sole properitership or society or company;

(iv) date of incorporation;

(v) name of owner/partner/proprietor/director;

(vi) whether registered or not (if yes, copy of registration with Registrar of Firms or Registrar of Companies or Societies); and

(vii) type of service to be provided from cyber cafe

Registration of cyber cafe may be followed up with a physical visit by an officer from the registration agency.

(2) The details of registration of cyber cafe shall be published on the website of the registration agency.

(3) The Appropriate Government shall make an endeavour to set up on-line registration facility to enable cyber cafe to register on-line.

(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.”

CIS raises two unrelated and substantial objections to this provision: firstly, all cyber cafes across India are already registered under applicable local and municipal laws such as the relevant State Shops and Establishments Acts and the relevant Police Acts that provide detailed information to enable the relevant government to regulate cyber cafes; and, secondly, the provisions of rule 3 create an incomplete and clumsy registration regime that does not clearly establish a procedure for registration within a definite timeframe and does not address the consequences of a denial of registration.

4.2 At the outset, it is important to understand the distinction between registration and licensing. The state may identify certain areas or fields of business, or certain industries, to be regulated by the conditions of a licence in the public interest. These may include shops selling alcohol or guns; or, industries such as telecommunications, mining or nuclear power. Licences for various activities are issued by the state for a limited term on the basis of need and public interest and licensees are permitted to operate only within the term and conditions of the licence. Failure to observe licence conditions can result in the cancellation of the licence and other penalties, sometimes even criminal proceedings.

Registration, on the other hand, is an information-gathering activity that gives no power of intervention to the state unless there is a general violation of law. The primary statutory vehicle for achieving this registration are the various Shops and Establishments Acts of each State and Union Territory and other municipal registration regulations. For example, under section 5 of the Delhi Shops and Establishments Act, 1954, an establishment, which includes shops, commercial establishments and places of public amusement and entertainment, must fulfil the following registration requirements:

“5. Registration of establishment. – (1) Within the period specified in sub-section (5), the occupier of every establishment shall send to the Chief Inspector a statement in a prescribed form, together with such fees as may be prescribed, containing

(a) the name of the employer and the manager, if any;

(b) the postal address of the establishment;

(c) the name, if any, of the establishment,

(d) the category of the establishment, i.e. whether it is a shop, commercial establishment, residential hotel, restaurant eating house, theatre or other place of public amusement or entertainment;

(e) the number of employees working about the business of the establishment; and

(f) such other particulars as may be prescribed.

(2) On receipt of the statement and the fees, the Chief Inspector shall, on being satisfied about the correctness of the statement, register the establishment in the Register of Establishments in such manner as may be prescribed and shall issue, in a prescribed form, a registration certificate to the occupier.

(3) The registration certificate shall be prominently displayed at the establishment and shall be renewed at such intervals as may be prescribed in this respect.

(4) In the event of any doubt or difference of opinion between an occupier and the Chief Inspector as to the category to which shall after such enquiry, as it may think proper, decide the category of each establishment and the decision thereto shall be final for the purpose of this Act.

(5) Within ninety days from the date mentioned in column 2 below in respect of the establishment mentioned in column 1, the statement together with fees shall be sent to the Chief Inspector under sub-section (1).”

Besides the registration regime, the Shops and Establishments Acts also enact inspection regimes to verify the accuracy of all registered information, the maintenance of labour standards and other public safety requirements. These are not addressed by the Cyber Cafe Rules.

4.3 In addition to the various Shops and Establishments Acts which prescribe registration procedures, all premises within which cyber cafes operate are subject to a further licensing regime under the various State Police Acts as places of public amusement and entertainment. For example, a cyber cafe is deemed to be a “place of public amusement” under section 2(9) of the Bombay Police Act, 1951 and therefore subject to the licensing, registration and regulatory provisions of the Rules for Licensing and Controlling Places of Public (Other than Cinemas) and Performances for Public Amusement including Cabaret Performances, Discotheque, Games, Poll Game, Parlours, Amusements Parlours providing Computer Games, Virtual Reality Games, Cyber Cafes with Net Connectivity, Bowling Alleys, Cards Rooms, Social Clubs, Sports Clubs, Meals and Tamasha Rules, 1960. Similar provisions exist in Delhi.

In view of these two-fold registration requirements under the Shops and Establishments Acts and relevant Police Acts, creating yet another layer of registration is unwarranted. The Cyber Cafe Rules do not prescribe any new registration requirement that has not already been covered by the Shops and Establishments Acts and Police Acts. Multiple overlapping legislations will create confusion within the various departments of the relevant government and, more importantly, will result in non-compliance.

4.4 Without prejudice to the preceding comments relating to already existing registration requirements under the Shops and Establishments Acts and Police Acts, rule 3 of the Cyber Cafe Rules are very poorly drafted and do not fulfil the requirements of a valid registration regime. Most State governments have not notified a registration agency for cyber cafes as required by the Cyber Cafe Rules, probably because appropriate provisions under the Shops and Establishments Acts already exist. No time-limit has been specified for the registration process. This means that the (as yet non-existent) registration agency may delay, whether out of inefficiency or malice, a registration application without consequences for the delay. This not only discourages small and medium enterprises to hinder economic growth, it also encourages corruption as cyber cafe operators will be forced to pay a bribe to receive their registration.

4.5 Furthermore, rule 3(4) of the Cyber Cafe Rules, which calls on the Central Government to notify rules made by State governments, reads as follows:

“(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.”

This nonsensical provision, which gives the Central Government the power to notify rules made by State governments, prima facie violates the constitutional scheme of division of legislative powers between the Union and States. Rules that have been made by State governments, the subject matter of which is within the legislative competence of the State legislatures, are notified by those State governments for application within their States and no separate notification of these rules can be done by the Central Government.

Therefore, it is proposed that rule 3 be deleted in entirety and the remaining rules be accordingly renumbered.

Rule 4 - Identification of User

5.1 Rule 4 of the Cyber Cafe Rules attempts to establish the identity of cyber cafe users. This is a legitimate and valid exercise to prevent unlawful use of cyber cafes. Sub-rule (1) of rule 4 reads as follows:

“(1) The Cyber Cafe shall not allow any user to use its computer resource without the identity of the user being established. The intending user may establish his identify by producing a document which shall identify the users to the satisfaction of the Cyber Cafe. Such document may include any of the following:

(i) Identity card issued by any School or College; or

(ii) Photo Credit Card or debit card issued by a Bank or Post Office; or

(iii) Passport; or

(iv) Voter Identity Card; or

(v) Permanent Account Number (PAN) card issued by Income-Tax Authority; or

(vi) Photo Identity Card issued by the employer or any Government Agency; or

(vi) Driving License issued by the Appropriate Government; or

(vii) Unique Identification (UID) Number issued by the Unique Identification Authority of India (UIDAI).”

The use of credits cards or debit cards to verify identity is specifically discouraged by the Reserve Bank of India because it directly results in identity theft, fraud and other financial crimes. Online credit card fraud results in large losses to individual card-holders and to banks. The other identity documents specified in rule 4 will suffice to accurately establish the identity of users.

Therefore, it is proposed that the use of credit or debit cards as a means of establishing identity in rule 4(1)(ii) be deleted and the remaining clauses in sub-rule (1) of rule 4 be accordingly renumbered.

5.2 Rule 4(2) of the Cyber Café Rules compels the storage of photographs and other personal information of users by cyber cafés:

“The Cyber Cafe shall keep a record of the user identification document by either storing a photocopy or a scanned copy of the document duly authenticated by the user and authorised representative of cyber cafe. Such record shall be securely maintained for a period of at least one year.”

While this submission does not question the requirement of storing user information for the purposes of law enforcement, this rule 4(2) does not prescribe the standards of security, confidentiality and privacy that should govern the storage of photographs and other personal information by cyber cafes. Without such a prescription, cyber cafes will simply store photographs of users, including minors and women, and important personal information that can be misused, such as passport copies, in a file with no security. This is unacceptable. Besides endangering vulnerable user information, it makes identity theft and other offences easier to perpetrate. If cyber cafes are to collect, store and disclose personal information of users, they must be bound to strict standards that explicitly recognise their duties and obligations in relation to that personal information. In this regard, the attention of the Committee on Subordinate Legislation is called to CIS’ submission regarding the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Therefore, it is proposed that rule 4(2) be amended to read as follows:

“Any information of any user collected by a cyber cafe under this rule shall be collected, handled, stored and disclosed in accordance with the provisions of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, for a period not exceeding six months from the date of collection of that information.”

5.3 Sub-rule (3) of rule 4 allows cyber cafe users to be photographed:

“(3) In addition to the identity established by an user under sub-rule (1), he may be photographed by the Cyber Cafe using a web camera installed on one of the computers in the Cyber Cafe for establishing the identity of the user. Such web camera photographs, duly authenticated by the user and authorised representative of cyber cafe, shall be part of the log register which may be maintained in physical or electronic form.”

Since the identity documents listed in rule 4(1) all contain a photograph of their owner, the need for further photography is unnecessary. This provision needlessly burdens cyber cafe owners, who will be required to store two sets of photographs of users – their photographic identity documents in addition to individual photographs, and invades the individual privacy rights of users who will be exposed to unnecessary photography by private cyber cafe operators. Granting a non-state entity the right to take photographs of other individuals to no apparent gain or purpose is avoidable, especially when no measures are prescribed to regulate the safe and lawful storage of such photographs. Without strict safety measures governing the taking and storing of photographs of users, including minor girls and women, the Cyber Cafe Rules leave open the possibility of gross misuse of these photographs.

Therefore, it is proposed that sub-rule (3) of rule 4 be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.

5.4 Sub-rue (4) of rule 4 reads as follows:

“(4) A minor without photo Identity card shall be accompanied by an adult with any of the documents as required under sub-rule (1).”

Regulating a minor’s access and use of the internet may serve a public good but it cannot be achieved by law. Information deemed unsuitable for minors that is available via other media, such as video, television or magazines, is not legally proscribed for minors. The law cannot and does not regulate their availability to minors. The protection of minors is an overriding public and jurisprudential concern, but law alone cannot achieve this end. Most minors do not possess photographic identity documents and rule 4(4) will, if implemented, result in internet access being taken away from minors. Restricting a minor’s ability to access useful, educational and other harmless content available on the internet is harmful to the public interest as it discourages education and awareness.

Therefore, it is proposed that rule 4(4) be amended to read as follows:

“A minor who does not possess any of the identity documents listed under sub-rule (1) of this rule may provide the name and address of his parent or guardian prior to using the cyber cafe.”

5.5 Rule 4(5) of the Cyber Cafe Rules states that a user “shall be allowed to enter the cyber cafe after he has established his identity.” However, since rule 4(1) already addresses identity verification by specifically preventing a cyber cafe from “allow[ing] any user to use its computer resource without the identity of the user of the user being established,” this rule 4(5) is redundant.

Therefore, it is proposed that rule 4(4) be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.

5.6 Rule 4(6) of the Cyber Cafe Rules states:

“(6) The Cyber cafe shall immediately report to the concerned police, if they have reasonable doubt or suspicion regarding any user.”

This provision is legally imprecise, poorly drafted and impossible to enforce. The nature of doubt or suspicion that is necessary before contacting the police is unclear. A cyber cafe may doubt whether a customer is able to pay the bill for his internet usage, or be suspicious because of the length of a person’s beard. Requiring the police to be called because someone is doubtful is ridiculous. Furthermore, reasonableness in law is a well-established concept of rationality; it is not open to interpretation. “Reasonable doubt” is a criminal law threshold that must be reached in order to secure a conviction. Reporting requirements must be clear and unambiguous.

Therefore, it is proposed that rule 4(6) be deleted.

Rule 5 - Log Register

6.1 Rule 5(3) of the Cyber Cafe Rules states:

“(3) Cyber Cafe shall prepare a monthly report of the log register showing date- wise details on the usage of the computer resource and submit a hard and soft copy of the same to the person or agency as directed by the registration agency by the 5th day of next month.”

This provision is akin to telephone tapping. If phone companies are not required to report the call histories of each of their users and cable television providers not required to report individual viewing preferences, there is no reason for cyber cafes to report the internet usage of users. There may be instances where public interest may be served by monitoring the internet history of specific individuals, just as it is possible to tap an individual’s telephone if it is judicially determined that such a need exists. However, in the absence of such protective provisions to safeguard individual liberties, this sub-rule (3) is grossly violative of the individual right to privacy and should be removed.

Therefore, it is proposed that rule 5(3) be deleted and the remaining sub-rules of rule 5 be accordingly renumbered.

Rule 7 - Inspection of Cyber Cafe

7.1 Rule 7 of the Cyber Cafe Rules provides for an inspection regime:

“An officer autnorised by the registration agency, is authorised to check or inspect cyber cafe and the computer resource of network established therein, at any time for the compliance of these rules. The cyber cafe owner shall provide every related document, registers and any necessary information to the inspecting officer on demand.”

The corollary of a registration regime is an inspection regime. This is necessary to determine that the information provided during registration is accurate and remains updated. However, as stated in paragraphs 3.2 – 3.4 of this submission, a comprehensive and more easily enforceable registration and inspection regime already exists in the form of the various Shops and Establishments Acts in force across the country. Those provisions also provide for the consequences of an inspection, which the Cyber Cafe Rules do not.

Therefore, it is proposed that rule 7 be deleted.

IV Summary

8.1 In sum:

(a) Under the delegated powers contained in section 87(2)(zg) read with section 79(2) of the IT Act, the Central Government does not have the competence to make rules for identifying cyber cafe users including collecting, storing and disclosing personal information of cyber cafe users nor for prescribing the interior design of cyber cafes and, to the extent that the Rules do so, they are ultra vires the parent statute;

(b) The attention of the Committee on Subordinate Legislation is invited to the following provisions of the Cyber Cafe Rules which require amendment or annulment:

Rule 2(1)(c);
Rule 2(1)(e);
Rule 2(1)(g);
Rule 3(1);
Rule 3(4);
Rule 4(1);
Rule 4(2);
Rule 4(3);
Rule 4(4);
Rule 4(5);
Rule 4(6);
Rule 5(3); and
Rule 7.

(c) The Cyber Cafe Rules are extremely poorly framed, rife with discrepancies and will give rise to litigation. They should be selectively annulled and, to prevent a repeat of the same mistakes, new rules may be framed in concert with experts, professional organisations and civil society in a democratic manner.

8.2 CIS would like to conclude by taking this opportunity to present its compliments to the Committee on Subordinate Legislation and to offer the Committee any assistance or support it may require.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011

The Criminal Law Amendment Bill 2013 — Penalising 'Peeping Toms' and Other Privacy Issues

divij — 2013-07-12T12:17:06Z

The pending amendments to the Indian Penal Code, if passed in their current format, would be a huge boost for individual physical privacy by criminalising stalking and sexually-tinted voyeurism and removing the ambiguities in Indian law which threaten the privacy and dignity of individuals.

The author, Divij Joshi is a law student at NLS and is interning with CIS for its privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

What is the Criminal Law (Amendment) Bill, 2013? What will it change?
The Criminal Law (Amendment) Bill is a bill which is to be introduced in the Indian Parliament, which will replace the Criminal Law (Amendment) Ordinance, 2013[1] currently in force, and aims at amending the existing provisions in criminal law in order to improve the safety of women. The Bill seeks to make changes to the Indian Penal Code, the Code of Criminal Procedure, and the Indian Evidence Act. The Bill will introduce unprecedented provisions in the Indian Penal Code which would criminalise sexual voyeurism and stalking and would amend legal provisions to protect the privacy of individuals, such as discontinuing the practice of examination of the sexual history of the victim of a sexual assault for evidence. With instances of threats to individual privacy on the rise in India, [2] it is high time that the criminal law expands its scope to deal with offences which violate physical privacy.

What threats to privacy will the Act address?
The Act will address the following violations of physical privacy:

Stalking
Draft provision: The ordinance introduces the offence of stalking under Section 345D of the Indian Penal Code, and makes it punishable by imprisonment of not less than one year, which may extend to three years, and a fine. The provision prescribes that ‘Whoever follows a person and contacts, or attempts to contact such person to foster personal interaction repeatedly, despite a clear indication of disinterest by such person, or whoever monitors the use by a person of the internet, email or any other form of electronic communication, or watches or spies on a person in a manner that results in a fear of violence or serious alarm or distress in the mind of such person, or interferes with the mental peace of such person.’ Hence, under the new law, constant, unwanted interaction of any one person with another, for any reason, can be made punishable, if the actions results in fear of violence or distress in any person, or interferes with their mental peace.

Current law and need for amendment: Stalking is generally characterized by unwanted and obsessive harassment or persecution of one person by another. Stalking can be a physical act such as constantly following a person, or can be done through electronic means — usually the internet (known as cyberstalking). Stalking may or may not be an act which physically threatens the security of an individual; however, it can cause mental trauma and fear to the person being stalked. Stalking is a blatant intrusion into an individual’s privacy, where the stalker attempts to establish relationships with their victim which the victim does not consent to and is not comfortable with. The stalker also intrudes into the victim’s private life by collecting or attempting to collect personal information the victim may not want to disclose, such as phone numbers or addresses, and misusing it. If the stalker is left undeterred to continue such actions, it can even lead to a threat to the safety of the victim. Cyber-stalking is a phenomenon which can prove to be even more invasive and detrimental to privacy, as most cyber-stalkers attempt to gain access to private information of the victims so that they can misuse it. Stalking, in any form, degrades the privacy of the victim by taking away their choice to use their personal information in ways they deem fit. [3] Recognizing stalking as an offence would not only protect the physical privacy rights of the victims, but also nip potentially violent crimes in the bud.

Many nations including Australia, the United States of America and Japan have penal provisions which criminalise stalking. [4] In India however, there is no appropriate response to stalking as an offence — either in its physical or electronic forms. The Information Technology Act, the legislation purported to deal with instances of cyber-crimes, overlooks instances of breach of online privacy and stalking which does not lead to publication of obscene images or other obvious manifestations of physical or mental threat. The general provision under which victims of stalking can file complaints is Section 509 of the Indian Penal Code (IPC), which states that — ‘Whoever, intending to insult the modesty of any woman, utters any word, makes any sound or gesture, or exhibits any object, intending that such word or sound shall be heard, or that such gesture or object shall be seen, by such woman, or intrudes upon the privacy of such woman, shall be punished with simple imprisonment for a term which may extend to one year, or with fine, or with both.’There are several problems with using this section as a response to stalking. Without a particular definition of what comes under the scope of ‘intrusion of privacy’ under this section, there is reluctance both for the victim to approach the police and for the police to file the complaint. Usually the offence is coupled with some other form of harassment or violence, and the breach of privacy and trauma is not considered as a separate offence. For example, if a person is continuously following or trying to contact you without your consent or approval, but does not physically threaten or insult you, there is no protection in law against such a person. Hence, as pointed out, there is a need to recognize the breach of privacy as a separate ground of offence, notwithstanding other physical or mental grounds. Secondly, the provisions of this section require the criminal to have the ‘intent of insulting the modesty of a woman’. Aside from the difficulties in adjudging the ‘modesty’ of a woman, the provision limits the scope of harassment to only that which intends to insult the modesty of a woman and excludes any other intention as criminal behaviour. The present law amends these problems by disregarding the reason or intent for the behaviour, and by clearly defining the elements of the offence and making stalking as a stand-alone, punishable offence.

Sexual Voyeurism

Draft provision: The Act will add Section 345D to the Indian Penal Code, which reads as follows — ‘Whoever watches, or captures the image of, a woman engaging in a private act in circumstances where she would usually have the expectation of not being observed either by the perpetrator or by any other person at the behest of the perpetrator shall be punished on first conviction with imprisonment of either description for a term which shall not be less than one year, but which may extend to three years, and shall also be liable to fine, and be punished on a second or subsequent conviction, with imprisonment of either description for a term which shall not be less than three years, but which may extend to seven years, and shall also be liable to fine.

Explanation 1.–– For the purposes of this section, “private act” includes an act carried out in a place which, in the circumstances, would reasonably be expected to provide privacy, and where the victim's genitals, buttocks or breasts are exposed or covered only in underwear; or the victim is using a lavatory; or the person is doing a sexual act that is not of a kind ordinarily done in public.

Explanation 2.–– Where the victim consents to the capture of images or any act, but not to their dissemination to third persons and where such image or act is disseminated, such dissemination shall be considered an offence under this section.’

The provision seeks to protect victims of voyeurism, who have been watched, or recorded, without their consent and under circumstances where the victim could reasonably expect privacy, and where the victim’s genitals, buttocks or breasts have been exposed. A reasonable expectation of privacy means that in the circumstances, whether in a public or a private place, the victim has a reasonable expectation that she is not being observed engaging in private acts such as disrobing or sexual acts. The test of reasonable expectation of privacy can be derived from similar provisions in voyeurism laws across the world, and also section 66E of the Information Technology Act.[5] It is particularly important because voyeurism does not necessarily take place in private places like the victims home, but also in public spaces where there is generally an expectation that exposed parts of one’s body are not viewed by anyone.

Current law and need for amendment: A ‘voyeur’ is generally defined as "a person who derives sexual gratification from the covert observation of others as they undress or engage in sexual activities." [6] Voyeurism is the act of a person who, usually for sexual gratification, observes, captures or distributes the images of another person without their consent or knowledge. With the development in video and image capturing technologies, observation of individuals engaged in private acts in both public and private places, through surreptitious means, has become both easier and more common. Cameras or viewing holes may be placed in changing rooms or public toilets, which are public spaces where individuals generally expect a reasonable degree of privacy, and where their body may be exposed. Voyeurism is an act which blatantly defies reasonable expectations of privacy that individuals have about their bodies, such as controlling its exposure to others.[7] Voyeurism is an offence to both the privacy as well as the dignity of a person, by infringing upon the right of individuals to control the exposure of their bodies without their consent or knowledge, either through unwarranted observation of the individual, or through distribution of images or videos against the wishes or without the knowledge of the victim.

Voyeurism is a criminal offence in many jurisdictions across the world such as Australia,[8] the United States,[9] Canada,[10] and the UK,[11] which criminalise either the capturing of certain images, or observation of individuals, or both. In India, the capturing, distribution and transferring of images of ‘private areas’ of a person’s body, under circumstances where the person would have a reasonable expectation of privacy that their body would not be exposed to public view, is punishable with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both. However, this does not cover instances where a person observes another in places and situations where they do not consent to being observed. The inclusion of voyeurism as an offence in the IPC would close several loopholes in the voyeurism law and hopefully be a precedent for the state to better work towards securing the bodily privacy of its citizens.

Examination of Sexual History and Privacy
Draft provision: The amendment to Section 53A of the Indian Evidence Act in the Bill reads, “In a prosecution for an offence under section 354, section 354A, section 354B, section 354C, sub-section (1) or sub-section (2) of section 376, section 376A, section 376B, section 376C, section 376D or section 376E of the Indian Penal Code or for attempt to commit any such offence, where the question of consent is in issue, evidence of the character of the victim or of such person’s previous sexual experience with any person shall not be relevant on the issue of such consent or the quality of consent.”

A similar proviso is added to Section 376 of the Indian Evidence Act.

According to the above provision, in a trial for sexual assault or rape the evidence supplied of a victim’s previous sexual experience or her ‘character’ would not be admissible as relevant evidence to determine the fact of the consent or the quality of the consent.

Current law and need for amendment: The Indian Evidence Act is the legislation which governs the admissibility of evidence in the different courts. In cases of rape or sexual assault and related crimes, the evidence of consent often considered is not just that of the consent of the woman in the act at that time itself, but rather her previous sexual experience and “promiscuous character”. Even though it has been widely censured by the highest court,[12] such practices continue to dominate and prejudice the justice of victims of sexual assault and harassment.[13] The examination of the victim’s sexual history in court is an unwarranted intrusion into their privacy through public disclosure of the sexual history and details of her sexual life, which causes potential embarrassment and sexual stereotyping of the victim, especially in a conservative, patriarchal society like in India. With the new amendments, such evidence will not be permitted in a court of law, hence, it will act as a safeguards against defendants attempting to influence the court's decision through disparaging the ‘character’ of the victim, and will protect the disclosure of intimate, personal details like previous sexual encounters of the victim.

Conclusion
Privacy, crime, and safety of women are intricately linked in any legal system. An essential part of the security of citizens is the safety of their privacy and personal information. If any legal system does not protect the privacy — both of body and of information — of its people, there will always be insecurity in such a system. With the recent debates on women’s safety, several crucial privacy and security issues have been raised, such as the criminalization of voyeurism and stalking, which is a huge boost for privacy rights of citizens in India, and it is hopeful that the government will continue the trend of considering privacy issues along when addressing security concerns for the state.

Update to the Criminal Law Amendment Bill 2013 - Penalising Peeping Toms and other privacy issues

The Criminal Law (Amendment) Bill, 2013, was made into law on April 3, 2013. Several provisions under the Act differ from the provisions in the ordinance. Under the Act, unlike in the Ordinance, the terms or watches or spies on a person in a manner that results in a fear of violence or serious alarm or distress in the mind of such person, or interferes with the mental peace of such person are not included as a part of the offence of stalking. Hence, the offence is limited to the physical act of following or contacting a person, provided that there has been a clear sign of disinterest, or to monitoring the use by a woman of the internet, email or any other forms of electronic communication.

Hence, from the confusing language of the provision, it would seem that the offence of stalking related to monitoring of activities of a woman is restricted to the monitoring of online communications, and not physical acts. The caveat of such monitoring having to cause serious alarm, distress or interference with the mental peace of the victim is also removed. The removal of unwaranted intrusion through watching or spying of a person, and indeed, the removal of any subjective test to determine the effect of stalking is a departure from stalking provisions accross the world, and is a setback for individual privacy, because stalking per se is a privacy offence, relating not only to the physical interference but also the mental harassment it causes to the victims.

The provision has also increased the puinishment for the crime in the first offence to upto three years, and subsequently to upto five years. Further, the provisions sought to be included within Section 53A and Section 376 of the Indian Evidence Act are now included in Section 146 of the Act.

Link to the Criminal Law (Amendment) Act, 2013

[1]. Criminal Law (Amendment) Ordinance, 2013, available at http://mha.nic.in/pdfs/criminalLawAmndmt-040213.pdf

[2]. http://bit.ly/10nMSTT

[3]. Anita Gurumurthy and Nivedita Menon, Violence against Women via Cyberspace, Economic and Political Weekly, 44 (40), 19, (October, 2009).

[4]. For example, see laws listed http://bit.ly/126hBpO

[5]. Section 66E, The Information Technology Act, 2000: ‘66E. Punishment for violation of privacy.- Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

Explanation - For the purposes of this section--

(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any means;
(c) “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
(d) “publishes” means reproduction in the printed or electronic form and making it available for public;
(e) “under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that--(i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or
(ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

[6]. Oxford English Dictionary, available at http://bit.ly/YN2ZvI

[7]. Lance Rothenberg, Rethinking Privacy: Peeping Toms, Video Voyeurs, and the failure of criminal law to recognize a reasonable expectation of privacy in the public space, American University Law Review, 49, 1127, (1999).

[8]. Section 91J, Crimes Act, 1910: "A person who, for the purpose of obtaining sexual arousal or sexual gratification, observes a person who is engaged in a private act without the consent of the person being observed to being observed for that purpose, and knowing that the person being observed does not consent to being observed for that purpose, is guilty of an offence."

[9]. Video Voyeurism Protection Act, 2004.

[10]. Section 162, Criminal Code of Canada: " (1) Every one commits an offence who, surreptitiously, observes — including by mechanical or electronic means — or makes a visual recording of a person who is in circumstances that give rise to a reasonable expectation of privacy, if
(a) the person is in a place in which a person can reasonably be expected to be nude, to expose his or her genital organs or anal region or her breasts, or to be engaged in explicit sexual activity;
(b) the person is nude, is exposing his or her genital organs or anal region or her breasts, or is engaged in explicit sexual activity, and the observation or recording is done for the purpose of observing or recording a person in such a state or engaged in such an activity; or
(c) the observation or recording is done for a sexual purpose.

[11]. Section 67, Sexual Offences Act, 2003.

[12]. http://bit.ly/10nNDwg

[13]. http://reut.rs/13CIDXU

For more details visit https://cis-india.org/internet-governance/blog/the-criminal-law-amendment-bill-2013

March 2013 Bulletin

praskrishna — 2013-04-14T11:45:29Z

The Centre for Internet & Society (CIS) welcomes you to the third issue of its newsletter for the year 2013. In this issue we bring you an overview of our research programs, updates of events organised by us, events we participated in, news and media coverage, and videos of some of our recent events.

Jobs
CIS invites applications for the posts of Developer (NVDA Screen Reader Project), Programme Officer (Access to Knowledge and Openness), and Programme Officer (Internet Governance). To apply send your resume to sunil@cis-india.org and pranesh@cis-india.org.

Accessibility

CIS is doing two projects in partnership with the Hans Foundation. One of this is to create a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India and another is for developing a screen reader and text-to- speech synthesizer for Indian languages. CIS is also working with the World Blind Union and many other organisations to develop a Treaty for the Visually Impaired helped by the WIPO:

National Resource Kit for Persons with Disabilities
Anandhi Viswanathan from CIS and Manojna Yeluri from the Centre for Law and Policy Research are working in this project. Draft chapters have been published. Feedback and comments are invited from readers for the chapters on Lakshadweep, Meghalaya and Uttar Pradesh:

The Lakshadweep Chapter (by Anandhi Viswanathan, March 25, 2013): The union territory of Lakshadweep has not passed any legislation for persons with disabilities, but implements the provisions under the central laws. The benefits currently available to persons with disabilities in Lakshadweep include disability pension, unemployment allowance and grant for setting up kiosks.
The Meghalaya Chapter (by Manojna Yeluri, March 25, 2013): Meghalaya is one of the few north-eastern states, which has appointed a Commissioner for Disabilities. Most of the schemes and benefits given to persons with disabilities in Meghalaya are under centrally sponsored schemes. Very few schemes are initiated by the state government.
The Uttar Pradesh Chapter (by Manojna Yeluri, March 31, 2013): The Government of Uttar Pradesh has established shelter homes and vocational training centres in several parts of the states — most recently in Meerut, Bareilly and Gorakhpur. It has also undertaken to finance nearly 4340 corrective surgeries for polio across nine cities of Uttar Pradesh. It also intends to start several projects in 2013. These include the establishment of a Braille Press in order to produce Braille books, magazines and other study material.

Resources
We now have a new section on our website which contains all government notifications, RTI applications, and accessibility related resources: cases, statutes, etc. The following were published earlier this month:

Information about Schemes for Disabled Persons in Haryana We received this notification on schemes and policies for persons with disabilities from the Government of Haryana.
Haryana Government Notification (Hindi version): The notification that we received from the state government was in Hindi. We will put up the English translation soon.
West Bengal (Govt) Notifications: We received a series of notifications from the West Bengal Government from its various departments such as finance, higher education, transport, health and family welfare, labour, land and land reforms, panchayats and rural development, etc. OCR versions of the same have been published.
Lakshadweep (Govt) Notifications: Notifications received from the Lakshadweep Government including guidelines for functioning of KIOSKS, grant of unemployment allowance and special jobs to persons with disabilities, issuing identity card to persons with disabilities for availing government benefits, etc., are published. OCR versions have also been put up.

Event Participated In

A Discussion on Intercept between UNCRPD & CEDAW (organized by the Shanta Memorial Institute of Rehabilitation – Odisha, CBR Network and Mitra Jyoti, Bangalore, Karnataka, February 4, 2013): Anandhi Viswanathan participated in this event.

Access to Knowledge and Openness

The Wikimedia Foundation awarded CIS a two year grant of INR 26,000,000 to support and develop the growth of Indic language communities and projects by community collaborations and partnerships. This is being carried out by the Access to Knowledge team based in Delhi. CIS is also doing a project (Pervasive Technologies) on examining the relationship between production of pervasive technologies and intellectual property. CIS also promotes openness including open government data, open standards, open access, and free/libre/open source software through its Openness programme.

Wikipedia

Beginning from September 1, 2012, Wikimedia Foundation awarded CIS a two-year grant of INR 26,000,000 to support and develop free knowledge in India. The A2K team consists of four members based in Delhi: T. Vishnu Vardhan, Nitika Tandon, Subhashish Panigrahi and Noopur Raval, and one team member Dr. U.B. Pavanaja who is working from Bangalore office.

Indic Wikipedia Visualisation Project

Visualising Basic Parameters (by Sajjad Anwar and Sumandro Chattapadhyay, March 26, 2013): Sajjad and Sumandro bring you a visualisation of the growth of Indic Wikipedia in this first post on Indic Wikipedia Visualisation project. They look into the different aspects of the past and present activities of Indic Wikipedias, and divide the visualisation into three different focus areas: (1) basic parameters, (2) geographic patterns of edits, and (3) exploring the topics that receives the greatest number of edits.

Events Organised

Introductory Wikipedia session at BITS Goa (organised by CIS, Birla Institute of Technology & Science, Pilani, Goa, March 7, 2013). The Access to Knowledge team was invited by Nikhil Dixit from BITS to organise a Wikipedia editing session. Nitika Tandon led the session on IP editing.
Kannada Wikipedia Workshop (organised by CIS, Institution of Engineers, JLB Road, Mysore, March 24, 2013). Dr. U.B. Pavanaja led this workshop.

Events Co-organised

Wiki Women's Day in Goa (organised by the Wikimedia India Chapter and CIS, Nirmala Institute of Education, Panaji, Goa, March 8, 2013). Nitika Tandon participated in this workshop held on International Working Women's Day, and shares the developments in this report.
Wikipedia Workshop for Kannada Science Writers (organised by Wikimedia India Chapter, Karnataka Rajya Vijnana Parishath and CIS, Karnataka Rajya Vijnana Parishath Conference Hall, Banashankari 2nd Stage, Bangalore, March 17, 2013). Dr. U.B. Pavanaja participated in the event.

Upcoming Event

Telugu Wiki Mahotsavam 2013 (co-organised with the Telegu Wikipedia community, Hyderabad, April 9 to 11, 2013). Vishnu Vardhan is participating in this event as a speaker. A public event will be held on April 11 from 5.00 p.m. to 8.00 p.m. at Golden Threshold (Sarojini Naidu's house) in Hyderabad.

Events Participated

Wikipedia Women's Workshop Bangalore 2013 (organised by Wikimedia India, Servelots Infotech, Jayanagar, Bangalore, March 8, 2013). The event was covered by Kannada Prabha on March 9, 2013. Dr. U.B. Pavanaja participated in the event.
Wikipedia at Avenir (organised by the Wikipedia community, Netaji Subhash Engineering College, Kolkata, West Bengal, March 11, 2013). CIS supported this event.

Event Report from Other Organisations
Wikipedia Community members helped the Higher Education Innovation and Research Applications Programme (HEIRA) of CSCS Bangalore to organize a day-long workshop on ‘Digital Literacy’ at Ahmednagar College, Ahmednagar, Maharasthra on January 17, 2013. Tanveer Hasan of HEIRA shares with us the developments in this report.

Other Openness Updates

Event Report

Iraqi Public Data Scenario Workshop: A Summary (by Sumandro Chattapadhyay, March 26, 2013): A workshop on public data was conducted by Sunil Abraham and Sumandro Chattapadhyay for the officials of the Government of Iraq. It was organized by UNDP Iraq in Amman, Jordan from October 18 to 23, 2012. Sumandro Chattapadhyay shares with us the developments from the workshop held over five days.

Event Participated

Open DataCamp - 2013 (organized by Open Data Camp, Dharmaram Vidya Kshetram (inside Christ University Campus), Dairy Circle, Bangalore, March 2 and 3, 2013): Sunil Abraham was a panelist.

HasGeek
HasGeek creates discussion spaces for geeks and has organised conferences like the Fifth Elephant, Droidcon India 2011, Android Camp, etc. HasGeek is supported by CIS and works from the CIS office in Bengaluru.

Upcoming Events

Pig Workshop (organized by HasGeek, Alchemy Solutions, Domlur, Bangalore, 9.00 a.m. to 6.00 p.m.): A workshop on how to use Pig for mining useful information from data. It is open to programmers who have a background in Java programming, some familiarity with Hadoop and MapReduce algorithms, and have worked with large chunks of data.
The Fifth Elephant 2013 (organized by HasGeek, July 11 to 13, 2013, NIMHANS Convention Centre, Bangalore).

Internet Governance

The Internet Governance programme conducts research around the various social, technical, and political underpinnings of global and national Internet governance, and includes online privacy, freedom of speech, and Internet governance mechanisms and processes. Currently, CIS is doing a project with Privacy International, London to facilitate research and events around surveillance, and freedom of speech and expression.

Privacy

Policy

Draft Human DNA Profiling Bill (April 2012): High Level Concerns (by Elonnai Hickok, March 12, 2013). The post examines the high level concerns that CIS has with the April 2012 draft of the Bill.
Human DNA Profiling Bill 2012 Analysis (by Jeremy Gruber, Council for Responsible Genetics, US, March 19, 2013). Jeremy provides an analysis of the Human DNA Profiling Bill, 2012. He says that India’s updated 2012 Human DNA Profiling Bill offers largely superficial changes from its predecessor, the Draft DNA Profiling Bill, 2007.

The Privacy (Protection) Bill 2013: A Citizen's Draft (by Bhairav Acharya, March 26, 2013). Bhairav Acharya has drafted the Privacy (Protection) Bill 2013. It contains provisions that speak to data protection, interception, and surveillance and also establishes the powers and functions of the Privacy Commissioner, and lays out offenses and penalties for contravention of the Bill. The Bill represents a citizen's version of possible privacy legislation for India, and will be shared with key stakeholders including civil society, industry, and government.

Upcoming Events

A Privacy Round Table in Delhi (organized by CIS and Federation of Indian Chambers of Commerce and Industry, FICCI Federation House, Tansen Marg, New Delhi, April 3, 2013).
A Privacy Round Table in Bangalore (organized by CIS and Federation of Indian Chambers of Commerce and Industry, Jayamahal Palace, Jayamahal Road, Bangalore, April 20, 2013).

Event Organized

Analyzing the Draft Human DNA Profiling Bill 2012 (organized by the Centre for Internet and Society, Bangalore, March 1, 2013): Maria Xynou shares a summary of the workshop in this report.

Events Participated In

Global Partners Meeting @ London (organized by Privacy International, London School of Economics and Political Science, March 22 – 25, 2013). Sunil Abraham and Malavika Jayaram participated in the event.
India’s Civil Liberties Crisis: Of Bans, Blocks, Bullying and Biometrics (organized by the Center for Global Communication Studies, Annenberg School of Communication, University of Pennsylvania, Philadelphia, March 28, 2013). Malavika Jayaram participated as a speaker.
Future of Privacy in India (organized by DSCI and ICOMP, Oberoi Hotel, New Delhi, April 5, 2013). Sunil Abraham is a speaker at this event.

Blog Posts

Hacking without borders: The future of artificial intelligence and surveillance (by Maria Xynou, March 15, 2013). In this post, Maria looks at some of DARPA´s artificial intelligence surveillance technologies in regards to the right to privacy and their potential future use in India.
Driving in the Surveillance Society: Cameras, RFID tags and Black Boxes... (by Maria Xynou, March 26, 2013). Maria examines red light cameras, RFID tags and black boxes used to monitor vehicles in India.
Microsoft Releases its First Report on Data Requests by Law Enforcement Agencies around the World (by Maria Xynou, March 27, 2013). CIS presents Microsoft´s report on law enforcement requests, with a focus on data requested by Indian law enforcement agencies.
The Criminal Law Amendment Bill 2013 — Penalising 'Peeping Toms' and Other Privacy Issues (by Divij Joshi, March 31, 2013). The pending amendments to the Indian Penal Code, if passed in their current format, would be a huge boost for individual physical privacy by criminalising stalking and sexually-tinted voyeurism and removing the ambiguities in Indian law which threaten the privacy and dignity of individuals.

IT Act

Featured Blog Post

CIS Welcomes Standing Committee Report on IT Rules (by Pranesh Prakash, March 27, 2013). CIS welcomes the report by the Standing Committee on Subordinate Legislation, in which it has lambasted the government and has recommended that the government amend the Rules it passed in April 2011 under section 79 of the Information Technology Act. The post was quoted in: The Times of India (March 28, 2013), The Statesman (March 28, 2013), Economic Times (March 28, 2013), Data Quest (March 28, 2013), and The Hindu (April 1, 2013).

Submissions
Bhairav Acharya, on behalf of CIS submitted comments to the Committee on Subordinate Legislation of the 15^th Lok Sabha for the following rules:

Comments on the Information Technology (Electronic Service Delivery) Rules, 2011. The Rules were notified by the Central Government in the Gazette of India vide Notification GSR 316(E) on April 11, 2011.
Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on April 11, 2011.
Comments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011. The Rules were notified by the Central Government in the Gazette of India vide Notification GSR 315(E) on April 11, 2011.

Note: The above rules were submitted earlier but published on our website only recently.

Unique ID Project

Event Organized

Unique Identity Number (UID), National Population Register (NPR), and Governance (organized by CIS and Say No to UID Campaign, TERI, Bangalore, March 2, 2013): CIS interviewed Usha Ramanathan and Anant Maringanti. Watch the videos uploaded in this blog post by Maria Xynou. This was covered in newzfirst on March 3, 2013 and in the Hindu on March 3, 2013.

Interview

Unique Identification Scheme (UID) & National Population Register (NPR), and Governance (by Elonnai Hickok, March 14, 2013). The post examines the UID, NPR and Governance as it exists in India. A video on the UID interview Questions and Answers is published.

News and Media

Indian ID crisis unveils Aadhaar doubts (ZDNet, March 14, 2013). Sunil Abraham is quoted.
New $1 Billion RIC Project Casts Doubts on Aadhaar (AEG India, March 16, 2013). Sunil Abraham is quoted.

Blog Entry

India's Biometric Identification Programs and Privacy Concerns (by Divij Joshi, March 31, 2013).

Free Speech and Expression

News and Media

Foreign Funding of NGOs (by Prashant Reddy, Open Magazine, March 2, 2013).
Iceland’s proposed porn ban ‘like repression in Iran, N. Korea’ – activists (RT, March 1, 2013). Sunil Abraham is quoted.
Chidambaram to Talk Budget on Google+ Hangout (by Dhanya Ann Thoppil, Wall Street Journal, March 4, 2013). Sunil Abraham is quoted.
Responding to govt requests is a challenge for online firms: Colin Maclay (LiveMint, March 13, 2013). Colin M. Maclay, managing director of Berkman Center for Internet and Society at Harvard mentioned CIS.
Indian police set up lab to monitor social media (originally published by AFP, March 18, 2013, and also carried in Global Post on the same day). Sunil Abraham is quoted.
Namaste, Mr. Eric Schmidt (by R. Jai Krishna, Wall Street Journal, March 20, 2013). Sunil Abraham is quoted.
Parliament panel blasts govt over ambiguous internet laws (by Ishan Srivastava, The Times of India, March 28, 2013). Pranesh Prakash is quoted.
What if the Net shut down for a few days (by Atul Sethi, The Times of India, March 30, 2013). Sunil Abraham is quoted.
Press controls ‘send wrong message to rest of world’ (by Jerome Starkey from Johannesburg, Francis Elliott from Delhi and David Brown, The Times, UK).

Event Organized

Freedom Song: Film Screening and Discussion (IIHS Bangalore City Campus, March 21, 2013). Freedom Song, a documentary film produced by the Public Service Broadcasting Trust and directed by Paranjoy Guha Thakurta and Subi Chaturvedi was screened.

Events Participated In

Is Social Media Incredible? (organized by Indian Institute of Journalism & New Media, Bangalore, March 2, 2013). Snehashish Ghosh participated in a panel discussion. The New Indian Express published a post-event report.
Rethinking the Internet: The Way Forward (organized by Telecom Italia and Financial iTimes, Telecom Italia Future Centre, Italy, March 21 – 22, 2013). Pranesh Prakash participated in this event.

Others

Events Organised

DML 2013: Fourth Annual Conference (co-organised by CIS and Digital Media & Learning Research Hub Central, Sheraton Chicago Hotel & Towers - Chicago, Illinois, March 14 – 16, 2013). We had a special track that ran through the conference on "Whose Change Is It Anyway? Futures, Youth, Technology And Citizen Action In The Global South (And The Rest Of The World)". Noopur Raval was one of the 16 presenters that we had selected on the tracks. Nishant Shah was one of the members in the Conference Committee.

Blog Posts

WGIG+8: Stock-Taking, Mapping, and Going Forward (Fontenoy Building, conference room # 7, UNESCO Headquarters, Paris, February 27, 2013). Pranesh Prakash was the moderator for the session. A summary of the discussion has been published.
What’s In a Name? — DNS Singularity of ICANN and the Gold Rush (by Sharath Chandra Ram, March 31, 2013). March 2013 being the 28th birthday of the first ever registered Internet domain as well as the exigent launch of the Trademark Clearing House disguised as a milestone in rights protection by ICANN for its new gTLD program, Sharath Chandra Ram, dissects the transitory role of ICANN from being a technical outfit to the Boardroom Big Brother of Internet Governance.
An Introduction to Bitfilm & Bitcoin in Bangalore, India (by Benson Samuel, March 12, 2013). Video of the event organized by CIS on January 23, 2013 is published in this blog post.

Knowledge Repository on Internet Access

CIS in partnership with the Ford Foundation is executing a project on Internet Access. It covers the history of the internet, technologies involved, principle and values of internet access, broadband market and universal access and will touch upon various polices and regulations which has an impact on internet access and bodies and mechanism which are responsible for formulation policies related to internet access. The blog posts and modules will be published in a new website: www.internet-institute.in.

Upcoming Event
We are hosting an “Institute on Internet and Society” in collaboration with the Ford Foundation India, which is to be held from June 8, 2013 to June 14, 2013. Call for registration and relevant details will be announced soon on our website.

The following units have been published:

Internet Protocols (by Srividya Vaidyanathan, March 18, 2013).
How email works, how do you get your email? Email Protocols (SMTP, POP, IMAP), SPAM/Phishing (by Srividya Vaidyanathan, March 19, 2013).
Internet Corporation for Assigned Names and Numbers (by Snehashish Ghosh, March 19, 2013).
ITU sectors — ITU-R, ITU-T, ITU-D, etc. (by Snehashish Ghosh, March 27, 2013).
World Conference on International Telecommunications 2012 (by Snehashish Ghosh, March 29, 2013).

Telecom

CIS is involved in promoting access and accessibility of telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Newspaper Column

Are India's Glory Days Over? (by Shyam Ponappa, Organizing India Blogspot, March 8, 2013, originally published in the Business Standard, March 6, 2013).

Digital Natives

Digital Natives with a Cause? examines the changing landscape of social change and political participation in light of the role that young people play through digital and Internet technologies, in emerging information societies. Consolidating knowledge from Asia, Africa and Latin America, it builds a global network of knowledge partners who critically engage with discourse on youth, technology and social change, and look at alternative practices and ideas in the Global South:

Events Participated In

Video Vortex # 9 Re:assemblies of Video (organized by the Institute of Network Cultures, Post Media Lab, Moving Image Lab, Leuphana, et.al, February 28 – March 2, 2013). Nishant Shah gave the key note. Videos of the event are published.

Digital Humanities

From 2012 to 2015, the Researchers @ Work series is focusing on building research clusters in the field of Digital Humanities. We organised the first Habits of Living workshops in Bangalore last year. The next workshop is being held in Brown University

Event Co-organised

Habits of Living: Networked Affects, Glocal Effects (co-organised with Brown University, March 21 – 23, 2013, Brown University, Rhode Island). Nishant Shah was a speaker at this event. He made a presentation on network ontologies.

Event Participated

Korean Trans Cine-Media in Global Contexts: Asia and the World (organized by Trans-Asia Screen Culture Institute, Cinema Studies, Korean National University of Arts, Korean Film Archive and Tsubouchi Memorial Theatre Museum, Waseda University, Seoul, March 27 – 29, 2013). Nishant Shah was a speaker at this event. He spoke on "The Asian Intercourse: Reimagining the Inter-Asia moment through ‘net-porn’ in networks".

About CIS

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.

Follow us elsewhere

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration

We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation and the Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/march-2013-bulletin

India's Biometric Identification Programs and Privacy Concerns

divij — 2016-07-21T10:51:42Z

The invasiveness of individual identification coupled with the fallibility of managing big data which biometric identification presents poses a huge risk to individual privacy in India.

Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Introduction

Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election ID’s, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet, the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.

‘Big Data’ and Privacy Issues

Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging everyday,[1] the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.[2] The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial through analysing data trends to target improved services, for example, at the same time it can be problematic in case of a compromise or breach, or if generated information is analyzed to draw new and unintended conclusions about individuals without their consent, and using information for purposes the individuals did not mean for it to be used.

Biometric ID and Theft of Private Data

The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that its potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owners consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because of the fact that it is unique and intrinsic, and hence, once lost cannot be re-issued or reclaimed like traditional identification like a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.

Biometric data and Potential Misuse

Centralised data storage is problematic not only for the issues with data compromise and identity theft, but the problems of potential third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.[4] The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]

A second, growing concern over biometric identification schemes is over the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.[5] Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.[6] With the precise and accurate identification which biometrics offers, it also means that individuals are that much easier to continuously survey and track, for example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.[7]

With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance, and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking, without the individuals knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.[8] Even if such such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime ,where individuals are not notified about the kind of data being collected and for what its being used, would be a huge affront on civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As was noted by the Deputy Prime Minister of the UK, Nick Clegg, in a speech where he denounced the Identity Scheme of the British government, saying that “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]

Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, with lack of any guidelines or specific legal framework covering the implementation and collection of biometric data schemes, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above and these issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.

[1]. http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections.

[2]. http://www.wired.com/threatlevel/2008/03/hackers-publish.

[3].https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions.

[4]. http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001.

[5]. http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece.

[6]. http://news.bbc.co.uk/2/hi/8691753.stm

[7]. Supra note 1.

For more details visit https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns

What’s In a Name? — DNS Singularity of ICANN and The Gold Rush

sharath — 2013-03-31T05:35:33Z

March 2013 being the 28th birthday of the first ever registered Internet domain as well as the exigent launch of the Trademark Clearing House disguised as a milestone in rights protection by the Internet Corporation for Assigned Names and Numbers (ICANN) for it’s new gTLD program, Sharath Chandra Ram, dissects the transitory role of ICANN from being a technical outfit to the Boardroom Big Brother of Internet Governance.

Click to read more about the Trademark Clearing House.

As a non-profit organization, established in agreement with the US Department of Commerce in 1998, the current arrangement of ICANN has come under serious questions in recent years, with the United Nations wanting the ITU to oversee Internet Governance while Europe seeking more public participation in the decision making process that currently comprises a majority of private stakeholders as ICANN board members with vested interests. In this post we shall look at a few instances that give room for thought about the regulatory powers and methods adopted by ICANN as well as reparatory measures taken to reaffirm it’s image as an able governing body amidst disputes over trademarks and fair competition that might actually call for a wider and objective inclusion in future. An outline of functional and structural arrangements of ICANN maybe found at the CIS Knowledge Repository page.

The Business Model

Earlier this month, (March 15, 2013) was the 28^th birthday of symbolics.com, the first ever domain name registered in 1985 through the formal ICANN process. (nordu.net being the first domain name created by the registry on January 1, 1985 for the first root server, nic.nordu.net) Symbolics, that spun-off the MIT AI Lab and specialized in building workstations running LISP finally sold the domain for an undisclosed amount to XY.com, an Internet investment firm that has been proudly boasting about their acquired relic for over three years now. The golden days of fancy one word domain name resale at exorbitant prices are over, as Google’s page ranking crawler now really looks at unique content and backlinks. Nevertheless, those with the same archaic view of a real estate agent still believe that a good domain name does have a high ROI and have managed to find naïve takers who will offer ridiculous amounts. One of many such examples is the plain looking www.business.com that was bought initially for $1,50,000 and changed hands twice from $7.5 million to an absurd $345 million of R.H. Donnelley Inc., that soon filed for bankruptcy!

The top level domain market however, is consistently lucrative. A TLD registry on an average receives $5 - $7 per domain registered under it. So the .COM registry run by VeriSign which, as of 2013 has over a 100 million registered domains, receives a revenue of $500 to $700 million per year of which a fraction is paid to ICANN periodically on a per-registration or per-renewal basis. Competing registrars and registries across TLDs, their revenue generation practices as well as the application process for new TLDs gradually began to be regulated by ICANN in mysterious ways, as we will see in the following legal case studies.

VeriSign vs. ICANN

VeriSign began to operate the .COM and .NET TLD after taking over Network Solutions Inc. and entering into a contractual agreement with ICANN in 2001. Let’s take a look at some methods used by VeriSign to garner internet traffic and registrant revenue, that were clamped down by the ICANN, which resulted in a lawsuit by plaintiff VeriSign claiming prevention of fair competition and revenue by impeding innovation.

Clamping of Site Finder & WLS: In September 2003, VeriSign introduced a Wild Card DNS Service called Site Finder for all .com and .net domains. This meant that any user trying to access a non-existent domain name no longer received the 404 Error but were instead redirected to the VeriSign website with adverts and links to affiliate registrars. Often a result of a misspelled domain, in ICANN’s view, the redirection by VeriSign amounted to typo squatting internet users as within a month VeriSign’s traffic rose dramatically moving it to the top 20 most visited websites on the web. As seen below in this archived image of Alexa’s 2003 traffic statistic (Courtesy: cyber.law.harvard.edu).

Shortly, in October 2003, ICANN issued a suspension ultimatum pointing Site Finder in violation of the 2001 .Com agreement. This was not the first time ICANN clamped down on VeriSign’s ‘profiteering’ methods. In 2001, ICANN prevented VeriSign’s WLS (Wait Listing Service) that allowed a registrant (through selected participating affiliate registrars of VeriSign) to apply to register an already registered domain in the event that the registration is deleted – a nifty scheme considering the fact that about 25000 domains are deleted everyday!

Remarks and Submissions

The long drawn case of VeriSign Vs. ICANN ended on a reconciliatory note, with ICANN bringing the Site Finder service to a halt at the cost of VeriSign walking away happier with a free 5 year extension on the .COM domain (2007 extended to 2012).

While the ingenious Site Finder service did pose a huge problem to spam filters, both the WLS and yet another service that VeriSign launched to allow registration of non-English language SLDs were also met with a cringe by ICANN.

However looking closer, one may realize that the act of ICANN permitting a DNS root redirect service such as Site Finder for all TLD operators (with an acceptable template that also carried information about the 404 error besides other marketing options) meant the first step towards paving the way towards a plausible scenario of multiple competing DNS roots across TLDs being able to interact with each other — a system often argued by network theorists to be the most efficient and competitive model that would reduce the disjoint between the demand and supply of TLDs in a decentralized infrastructure, and that definitely was not in the best interest of ICANN’s monopolistic plan. Hence, this could be seen as a move by ICANN to nip the Site Finder bud while still young.

Finally, as brought to public notice in more than one instance (name.Space Vs. ICANN, IOD Vs. ICANN), the vested interests of ICANN board members has come under glaring light. Can the ICANN leadership consisting of members from the very same domain name business industry be able to objectively deal with competing registry services and legal issues? Conspicuous targets have been chairperson Steve Crocker who owns a consulting firm Shinkuro, whose subtle investor is infact AFILIAS INC which runs the .INFO and .MOBI TLDs, provides backend services to numerous TLDs (.ORG, .ASIA, .AERO (aviation)), has applied for a further 31 new TLDs and has it’s CTO Ram Mohan on the Board of Directors of ICANN. Also ICANN Vice Chariman, Bruce Tonkin is Senior Executive at Australia’s largest domain name provider Melbourne IT, and Peter Thrush former chairman of the ICANN Board of Directors is Executive Chairman of Top Level Domain Holdings,Inc which filed 92 gTLD applications in 2012.

Trademark Protection and Domain Names

Image Online Design (IOD) is a company that since 1996 has been providing Internet registry services using the trademark .WEB (trademark #3,177,334 including computer accessories) registered with the US Patents and Trademarks Office (USPTO).

It’s registry services however, were not through the primary DNS root server maintained by ICANN, but through an alternate DNS root that required prospective users to manually make changes in their browser settings in order to resolve .WEB domains registered through IOD. Despite not running the primary DNS root server for. WEB, by the year 2000 IOD had acquired about 20,000 registered .WEB customers.

The beacon of ‘hope’ arrived upon IOD in mid-2000 as ICANN (on advise of supporting organization GNSO) opened a call for proposals for registrations of new TLDs, with a non-refundable deposit of $50,000 for an application to be considered. By then the importance of the .WEB TLD for e-commerce was well known amongst ICANN board members with Louis Touton lobbying for his preferred applicant AFILIAS INC to be given the .WEB TLD, with others raising concerns about IOD’s preregistration of .WEB domains. One of the founding fathers of the internet, Vinton Cerf, the then Chairman of ICANN took a benevolent stance-- "I'm still interested in IOD," he repeated over Touton's objections. "They've worked with .WEB for some time. To assign that to someone else given that they're actually functioning makes me uneasy," he said, prompting board member Linda Wilson to chime in, "I agree with Vint." (http://goo.gl/d1v6X , http://goo.gl/eV9Jd).

Finally amidst all the contention, no one was offered the .WEB domain and ICANN announced that all applications not selected will remain pending and those who submitted will have the option of being re-considered when additional TLD selections are made in future. And the future being, 2012, when ICANN invited a new round of TLD applicants, this time with the non-refundable deposit of whopping $185,000 for a single application (1 TLD/application as opposed to the $50,000 in the year 2000 that allowed multiple TLD requests within the same application) to be considered. While 7 new applicants for the .WEB TLD registered their interest, IOD considered their application to be still pending and did not join the new pool that included AFILIAS INC. and GOOGLE.

The litigation of IOD Vs ICANN ended in Feb 2013, with IOD claiming weak causes of action under “Trademark Infringement” and “Breach of Contract” &“Fair Dealing” hinging on the fact that the initial $50,000 application was still pending and never was officially rejected by ICANN. Further, there was not enough room to make a valid trademark infringement, as there was no substantial room for consumer confusion in the .WEB case.

Remarks and Submissions

The IOD Vs. ICANN case not only increased concerns globally, over the uncertainty associated with the ICANN application process for generic TLDs along with questions regarding the objectivity of its board members, but at the same time has alerted ICANN to take the necessary big sister steps to ensure that it’s well in the game.

The fact of the matter is that the USPTO does not provide trademark protection services for the Top level Domain industry citing the reason that TLDs trademarks do not provide a distinct service mark that can identify or differentiate the service of an applicant from others, and further cannot be used to ascertain the source of an applicant’s services. This view is flawed, as by looking at a TLD, say BBC.com, an informed person can easily say that VeriSign INC manages the service of directing a user to a correct location on the .COM registry. With introduction of new gTLDs, perhaps BBC would shift it’s content to BBC.news, where the source may be an abstracted Registrar and the nature of service being quite evident. And to those registered trademarks, especially those that shall result in substantial brand confusion to the customer if infringed, granting a TLD like .ibm or .bbc may well be granted to the owner of the trademark who may then outsource registry services to a service provider. This shall invert the current model by relegating the role of a TLD registry holder to that of a contracted service provider.

So the question is, should have the US Department of Commerce, who contracted ICANN in the first place, mediated with USPTO to place the business of a registrar on par with other trades and businesses, and modify it’s trademark infringement policies? And more importantly, will ICANN view this as introducing yet another key stakeholder to the gTLD assignment process?

The answer to the latter is already clear as ICANN being in the top of it’s game decided to take matters into its own hands and on March 26, 2013) launched http://trademark-clearinghouse.com/ with a new set of guidelines for accepted trademarks and a mechanism that allows trademark holders to submit their application to a central repository.

Accepted trademark holders shall be given priority to register gTLDs during the ‘sunrise’ period. Deloitte Enterprise Risk Services have been assigned the responsibility of evaluating submitted trademarks while IBM shall maintain the actual database of trademarks by the later half of 2013.

The tip of the iceberg is well in scope of view. ICANN46 is currently being hosted in Beijing, at the China Internet Network Information Centre (CINIC) from April 7 to 11, 2013 while hopefully parallel discussions will happen on all other global forums to hopefully re-consider a future of multiple competing DNS root servers towards healthy competition that is decentralized.

Key References

http://www.icann.org/en/news/litigation
http://cyber.law.harvard.edu/tlds/
Lynn, S. [2001] “Discussion Draft: A Unique, Authoritative Root for the DNS” Internet Corporation for Assigned Names and Numbers, 28 May, 2001.
Internet Architecture Board [2000] “IAB Technical Comment on the Unique DNS Root.” RFC 2826, Internet Society, May 2000.

For more details visit https://cis-india.org/internet-governance/blog/dns-singularity-of-icann-and-the-gold-rush

What if the Net shut down for a few days

praskrishna — 2013-04-03T11:01:38Z

When spammers attacked Spamhaus, a European spam-fighting group in what was billed as the "biggest cyber attack in history", they managed to temporarily slow down the internet. But what if dedicated attackers succeeded in shutting down the internet for a longer time, maybe a few days? What would be the potential impact of such a scenario in a world where crucial data is stored on emails, most financial transactions have shifted online and an entire generation has grown up not realising what life without the web could be like?

The article by Atul Sethi was published in the Times of India on March 30, 2013. Sunil Abraham is quoted.

"The thought itself is frightening," says Vijay Mukhi, president of the Foundation of Information Security and Technology and co-founder of the Internet Users Community of India. "Most people use their email or cloud computing to store their data. What happens when you can't access your crucial information? Also, financial activity in the absence of the internet will come to a standstill since there would be no money flow happening between banks or transactions in the stock market. The implications are huge. And I'm not even thinking of the withdrawal symptoms that many youngsters are going to go through when they can't log on. "

However, contrary to the horror that this situation might elicit from those whose lives revolve around the web, the impact on India, at least, should not be much, says Sunil Abraham, director of the Bangalore-based Centre for Internet and Society. "An internet blackout in India can at most be compared to a bandh. Life becomes uncomfortable but it still goes on. This is because in India, the internet is used by just about 20% of the population. At the most, one can argue that since this 20% also constitutes the elite of the country - bureaucrats, politicians, businessmen, media, etc, any disruption in their work could also affect the remaining 80% of the country indirectly."

Even though complete shutdown of the internet is believed to be virtually impossible - since it is made up of thousands of interconnections which ensure its infallibility - hackers haven't stopped trying as the latest cyber attack shows. Internet security consultant Ankit Fadia points out that the only way somebody can bring down the internet is if a few million hackers combine together as part of a sustained project. "Even then, it's a remote possibility that they can pull it off," he says.

If it does happen, though, remember to polish up your letter-writing skills and go over to your friend's house if you want to chat.

For more details visit https://cis-india.org/news/times-of-india-atul-sethi-march-30-2013-what-if-the-net-shut-down-for-a-few-days