Access To Knowledge (A2K)

Why was the Gwalior court in such a hurry to block IIPM URLs?

praskrishna — 2013-02-19T11:51:43Z

Is it really that easy to get courts to block online content as it appears from the latest case of the blocking of 73 URLs related to IIPM? Legally speaking, yes.

The article by Danish Raza was published in FirstPost on February 19, 2013. Snehashish Ghosh's analysis on blocked sites is quoted.

In cases of defamation, violations of copyright and trademark law and threats to national security, courts can direct the government agency (CERT-in or Computer Emergency Response Team- India) to take down the offending content. And these can be ex-parte orders. Meaning the person or organisation posting the content online is not intimated every time the material is blocked.

Legality aside however, advocates of free speech say that such court orders should be exceptions and not the rule. There is a perception that the process in its current form – right from the filing of court case to the content being taken offline- is opaque.

Traditionally the Internet has been viewed as a more liberal, open and democratic platform as compared to traditional media. Through such orders, says Delhi based advocate and expert on cyber law Apar Gupta, courts seem to give out a warning that online content is not outside the purview of the law.

The problem in this case however, is not the ‘warning’ itself. It is the way that the warning is being given that is setting the wrong precedent.

The blocks on IIPM related URLs is based on an interim order passed by a Gwalior court. The head of the institute, Arindam Chaudhuri in an exclusive interview with Firstpost, said that the case was filed last year by one his ‘channel partners’. He added that the court had made him a party in the case only in January and he would soon respond to court orders.

Three of the affected parties (Careers 360, Caravan and Kafila), however, said that they were never informed about the blocks, reported Mint.

After the block orders, Shivam Vij, founder of the blog, Kafila, told Firstpost, “This is against the principle of natural justice. The court blocked the URL of my blog without giving me a chance to defend myself.

While there are occasions warranting the urgent removal of content, experts say similar exigency need not be shown in cases of defamatory content.

In his analysis of blocked URLs related to IIPM, Snehashish Ghosh from the Centre for Internet and Society (CIS), a Bangalore based organisation, notes that according to the Bonnard Rule, in a defamation case, interim injunction should not be awarded unless a defence of justification by the defendant was certain to fail at trial level. “Therefore, it appears that the (Gwalior) Court order has moved away from the settled principles of law while awarding an interim injunction for blocking of content related to IIPM”, says the report.

Commenting on court ordered blocks, Parminder Jeet Singh, executive director of IT for change, a Bangalore based organisation which works on internet governance issues, says, “When there is clear imminent danger or threat to the society, as in case of possible rioting, immediate removal of content without notifying and hearing the other party is understandable. But defamatory content does not fall in this category. Decisions on such largely civil matter should be taken with due deep consideration, after listening to all parties. And by far the considerations of free speech should have overwhelming weight in making decisions.”

Singh adds that “Even if it is considered necessary to remove any content, a fully transparent process has to be followed.”

The most common reason cited for not sending notices before removing the content is the tiresome process of zeroing in on the one person or authority responsible for posting the content, says Prabir Purkayastha of Knowledge Commons, an organisation which promotes open source information. “If you approach intermediaries such as Google or Yahoo, they will rightly say that they can provide details only if they are allowed to do as per international treaties,” says Purkayastha. But when there is clarity on who put the content online, like in the IIPM case, he says, “DoT cannot absolve itself from the responsibility of writing at least an email to these entities.”

In the case of Tata Sons Ltd. vs Green Peace International, cited by Ghosh of CIS, the Delhi High Court addressed the question whether posting or publishing of libelous material on the Internet calls for a different standard. Ghosh writes, “The court decided that there cannot be a separate standard for the Internet while awarding temporary injunction in defamation cases. The wider viewership or accessibility compared to other medium does not alter the fact that it is a medium.”

Purkayastha agrees. “Freedom of speech and expression and the restraints on it, as enshrined in the constitution, should not depend on the medium of expression. But due to the haste shown by courts in blocking online content, it appears that courts seem be applying two sets of standards with respect to Internet and traditional media,” he says.

For more details visit https://cis-india.org/news/first-post-feb-19-2013-danish-raza-why-was-the-gwalior-court-in-such-a-hurry-to-block-iipm-urls

The Omnishambles of UID, shrouded in its RTI opacity

elonnai — 2013-02-19T11:04:30Z

The Centre for Internet & Society sponsored Colonel Mathew Thomas to hold a workshop at the fourth National Right to Information (RTI) organized by the National Campaign for People's Right to Information, held in Hyderabad from February 15 to 18, 2013.

Click below to see Colonel Mathew Thomas's presentation

Omnishambles of UID Shrouded in its Opacity

For more details visit https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity

Freedom of Expression Gagged

chinmayi — 2013-02-18T08:55:36Z

The use of law to bully people into silence, called ‘heckler’s veto’, is not unique to India, writes Chinmayi Arun in this op-ed published in Business Line on February 15, 2013.

Click to read the original published in the Business Line.

Freedom of expression in India is under threat. This year we have the Tamil Nadu government’s ban on Vishwaroopam, the Ashis Nandy FIR, the smothering of Kashmir’s first all girls rock band’s music, and the removal of semi-nude paintings of Hindu deities from an art gallery upon the police’s ‘suggestion’. Another Rushdie-banning controversy is upon us, and yet another Facebook user’s arrest has made the news.

Clearly, our right to freedom of expression is under an ongoing siege. The onslaught comes in varied forms: bullying by members of society, informal government action with the overhanging threat of the law, and direct use of the law (and of a variety of legislations within it). Each form is encouraged, exacerbated even, by our problematic interpretation of freedom of expression principles. Our law allows a group of intolerant people to silence a speaker by creating a threat to public order or by threatening the speaker directly, and our state is proving utterly ineffectual in protecting speech from intolerance.

Instruments Deployed

India’s first Kashmiri all-girls band is tragic proof of horizontal attacks on speech – their music was silenced by the grandmufti’s declaring it ‘un-Islamic’, and the attendant social pressure that tends to follow. They were not protected from this horizontal attack. The Palghar incident also had echoes of horizontal pressure, which was used to directly bully Shaheen Dhada, via friends advising her to apologise and strangers slapping her, before the instrument of the law was used to bully her further.

The instrument of the law can be used in invisible, informal ways, as Bangalore’s Chitrakala Parishath incident illustrates. Here, the pressure of police ‘suggestion’, carrying the implied threat of the force of the law, was used to ensure that semi-nude paintings of Hindu deities were removed from an exhibition. It appears that this police ‘suggestion’ was motivated by the fear that those paintings could trigger law and order problems.

Vishwaroopam was banned using the law, specifically section 144 of the Code of Criminal Procedure, which empowers the government to issue orders “in urgent cases of nuisance or apprehended danger”. However, orders issued under section 144 would still need to observe the boundaries drawn for it in Article 19(2) of the Constitution.

Freedom and Public Order

Some may argue that controversial or offensive speech can legitimately be restricted since “public order” is one of the grounds for which our Constitution permits the restriction of the freedom of expression. However the original text of the Constitution did not include “public order” among its permissible grounds for restriction. This was inserted in the First Amendment of the Constitution, but was fortunately accompanied by the word ‘reasonable’ before restriction, thus ensuring that the freedom of expression can only be reasonably restricted under the exceptional circumstances listed in the Constitution.

This insertion of ‘public order’ came after the Supreme Court’s invalidation of government pre-censorship of speech on public order grounds in Romesh Thapar v. State of Madras (1950), declaring that the Constitution required that “nothing less than endangering the foundations of the State or threatening its overthrow could justify curtailment of the rights to freedom of speech and expression”. Therefore, Parliament amended the Constitution to expand the grounds on which the state could restrict speech, and included ‘public order’ among the expanded grounds. The trouble with this is that the intolerant are now able to create a public order problem to silence speakers.

The Supreme Court of India, in Babulal Parate vs State Of Maharashtra (1961) found that public order must be “maintained in advance in order to ensure it”, and ruled that restriction of Article 19 freedoms of expression and assembly in the interests of public order is permissible. However, all such restrictions must continue to satisfy the reasonability test laid down in the Constitution, providing our judiciary with the opportunity to ensure that intolerance does not continue to oppress speech.

The Heckler's Veto

The use of law to bully people into silence is not unique to India. Harry Kalven termed this ‘the hecklers’ veto’: if police action silences speakers for fear that the offended listeners might create a law and order problem, this effectively allows the listeners to veto what the speaker can say. There was a time when the heckler’s veto held sway in the United States and the United Kingdom. However, both countries’ legal principles have evolved to stop pandering to the intolerant, and it is time that India does the same.

Justice Hugo Black of the US Supreme Court, in his Feiner v. New York (1951) dissent, argued that the police must make all reasonable efforts to protect the speaker’s constitutional right to speak before interfering with this right. This dissenting opinion was later hailed as visionary. The US Supreme Court subsequently gradually recognised the evils of the heckler’s veto, which privileges and encourages intolerance. The United Kingdom also progressively narrowed its reading of the Public Order Act to ensure that speech is not restricted unless immediate violence is feared, and is now decriminalising insults which are not directed at a clearly identifiable victim.

The Indian Supreme Court’s judgment in the Rangarajan v. P. Jagjivan Ram (1989) echoes Justice Black’s denouncement of the heckler’s veto. It declares, “freedom of expression cannot be suppressed on account of threat of demonstration and processions or threats of violence. That would tantamount to …surrender to blackmail and intimidation. It is the duty of the State to protect the freedom of expression since it is a liberty guaranteed against the State. The State cannot plead its inability to handle the hostile audience problem”. However other judgments have shied away from confronting the fact that speech-related public order problems created by intolerance, not by speech.

Our legal system needs to take a firm, consistent stand against the heckler’s veto. We need to stop mirroring the evils of outdated law in fresh legislations like the Information Technology Act, and work instead to remove law and practices that institutionalise intolerance.

(The author teaches at National Law University, Delhi and is Fellow, Centre for Internet and Society.)

For more details visit https://cis-india.org/internet-governance/blog/the-hindubusinessline-feb-15-2013-chinmayi-arun-freedom-of-expression-gagged

Analyzing the Latest List of Blocked URLs by Department of Telecommunications (IIPM Edition)

snehashish — 2013-02-17T07:35:25Z

The Department of Telecommunications (DoT) in its order dated February 14, 2013 has issued directions to the Internet Service Providers (ISPs) to block seventy eight URLs. The block order has been issued as a result of a court order. Snehashish Ghosh does a preliminary analysis of the list of websites blocked as per the DoT order.

Medianama has published the DoT order, dated February 14, 2013, on its website.

What has been blocked?

The block order contains seventy eight URLs. Seventy three URLs are related to the Indian Institute of Planning and Management (IIPM). The other five URLs contain the term “highcourt”. The order also contains links from reputed news websites and news blogs including The Indian Express, Firstpost, Outlook, Times of India, Economic Times, Kafila and Caravan Magazine, and satire news websites Faking News and Unreal Times. The order also directs blocking of a public notice issued by the University Grants Commission (UGC).

The block order does not contain links to any social media website. However, some content related to IIPM has been removed but it finds no mention in the block order. Pursuant to which order or direction such content has been removed remains unclear. For example, Google has removed search results for the terms <Fake IIPM> pursuant to Court orders and it carries the following notice:

"In response to a legal request submitted to Google, we have removed 1 result(s) from this page. If you wish, you may read more about the request at ChillingEffects.org."

Are there any mistakes in the order?

The direction issued by the DoT is once again inaccurate and mired with errors. In effect, the DoT has blocked sixty one unique URLs and the block order contains numerous repetitions. By its order the DoT has directed the ISPs to block an entire blog [http://iipmexposed.blogspot.in] along with URLs to various posts in the same blog.

Reasons for Blocking Websites

According to news reports, the main reason for blocking of websites by the DoT is a Court order issued by a Court in Gwalior. The reason for issuing such a block order might have been a court proceeding with respect to defamation and removal of defamatory content thereof. However, the reasons for blocking of domain names containing the term ‘high court’, which is not at all related to the IIPM Court case is unclear. The DoT by its order has also blocked a link in the website of a internet domain registrar which carried advertisement for the domain name [www.highcourt.com].

Are the blocks legitimate?

The block order may have been issued by the DoT under Rule 10 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

The Court order seems to be an interim injunction in a defamation suit. Generally, Courts exercise utmost caution while granting interim injunction in defamation cases. According to the Bonnard Rule (Bonnard v. Perryman, [1891] 2 Ch 269) in a defamation case, “interim injunction should not be awarded unless a defence of justification by the defendant was certain to fail at trial level.” Moreover, in the case of Woodward and Frasier, Lord Denning noted “that it would be unjust to fetter the freedom of expression, when actually a full trial had not taken place, and that if during trial it is proved that the defendant had defamed the plaintiff, then should they be liable to pay the damages.” The Delhi High Court in Tata Sons Ltd. v. Green Peace International followed the Bonnard Rule and the Lord Denning’s judgements and ruled against the award of interim injunction for removal of defamatory content and stated:

“The Court notes that the rule in Bonnard is as applicable in regulating grant of injunctions in claims against defamation, as it was when the judgment was rendered more than a century ago. This is because the Courts, the world over, have set a great value to free speech and its salutary catalyzing effect on public debate and discussion on issues that concern people at large. The issue, which the defendant’s game seeks to address, is also one of public concern. The Court cannot also sit in value judgment over the medium (of expression) chosen by the defendant since in a democracy, speech can include forms such as caricature, lampoon, mime parody and other manifestations of wit.”

Therefore, it appears that the Court order has moved away from the settled principles of law while awarding an interim injunction for blocking of content related to IIPM. It is also interesting to note that in Green Peace International, the Court also answered the question as to whether there should be different standard for posting or publication of defamatory content on the internet. It was observed by the Court that publication is a comprehensive term, ‘embracing all forms and medium – including the Internet’.

Blocking a Public Notice issued by a Statutory Body of Government of India

The block order mentions a URL which contains a public notice issued by University Grants Commission (UGC) related to the derecognition of IIPM as a University. The blocking of a public notice issued by the statutory body of the Government of India is unprecedented. A public notice issued by a statutory body is a function of the State. It can only be blocked or removed by a writ order issued by the High Court or the Supreme Court and only if it offends the Constitution. However, so far, ISPs such as BSNL have not enforced the blocking of this URL.

Implementation of the order by the ISPs

As pointed out in my previous blog post on blocking of websites, the ISPs have again failed to notify their consumers the reasons for the blocking of the URLs. This lack of transparency in the implementation of the block order has a chilling effect on freedom of speech.

For more details visit https://cis-india.org/internet-governance/blog/analyzing-latest-list-of-blocked-urls-by-dot

Hate speech: ban or ignore?

praskrishna — 2013-02-13T09:40:37Z

The Social Network discusses the hate speeches: whether they should be banned or ignored. Why does the state take action against some and not against some others. This on a day when Togadia and Owaisi were simultaneously trending on the social media.

This discussion was aired on NDTV on February 5, 2013

Pranesh Prakash, Policy Director, Centre for Internet and Society, and Shivam Vij of Kafila.com joined NDTV in the studio while actor and standup comic Sanjay Rajoura joined via webcam.

Pranesh said that the talk of banning these videos is foolish. He added, I don't think that is a solution. But the issue is one of criminal prosecution – whether that should happen or not, and with regard to the interesting dichotomy that Shivam pointed out some people are calling for somethings to be banned but not others. I think that kind of hypocrisy should be pointed out. I am happy that these small incidents of hate mongering are actually being blown out of proportion on social media because it actually gets people to react...to say wait a second...that is not right I might have a certain leanings towards Hindutva but that kind of speech is not what I support, or I might have a certain leanings towards what is called "pseudo-secularism" but that kind of speech is not what I support. So getting out that discussion out is important.

If we were on one hand a society where we had communal peace and then social media were focusing on these small kinds of incidents and blowing it out of proportion then that would be a problem.

Watch the full discussion aired on NDTV

For more details visit https://cis-india.org/news/ndtv-video-the-social-network-feb-5-2013-hate-speech-ban-or-ignore

Anonymous joins protests against Internet shutdown in Kashmir

praskrishna — 2013-03-01T04:46:06Z

Hacktivist group Anonymous joined thousands of others to protest the shutdown of internet services in Kashmir for the fourth consecutive day by authorities after the hanging of Afzal Guru, a key accused in the Parliament attack case.

Indu Nandakumar's article was published in the Economic Times on February 12, 2013. Sunil Abraham is quoted.

Anonymous, which shot to fame in India after it brought down the websites of the Supreme Court and Congress Party last year, on Tuesday expressed its support to the people of Kashmir until the ban on internet and media services are lifted.

"We stand with # Kashmiras it comes to the end of its 3rd day under curfew. The comms blockade will fall. We are with you. # KashmirNow," a message posted on one of the Twitter accounts of Anonymous read.

Another Twitter account of the same group said, "#OpKashmir - Lift the media and internet blackout in #Kashmir".

Mobile internet services were suspended across Kashmir Valley on Saturday after the hanging of Afzal Guru in New Delhi. Online protests gathered steam by evening and thousands took to Twitter to express their anger censorships and blockades.

A senior official from the Department of Telecom, which had last year ordered the blocking of several Twitter accounts and websites, said internet services were blocked to avoid any further escalation of violence in Kashmir. But internet experts said a ban of communication services do not result in peace, instead it curtails the basic right of citizens to exchange messages.

"Government can ban certain class of messages and certain class of users, but definitely not a blanket ban of all services," said Sunil Abraham, executive director of Bangalore-based research organisation, the Centre for Internet and Society.

Essential commodities such as medicines, newspapers etc too are in short supply in Kashmir, where three people died and over 50 were injured in clashes since Saturday.

Anonymous has also been posting photographs from the region. One of the Twitter accounts of the group, @ anon_warlockon Tuesday tweeted, "A gag has been put on everything, information at best is trickling down".

Last year, Anonymous, known for its use of Guy Fawkes masks, had organised rallies across Indian cities to protest internet censorship after India's Department of Telecom blocked over 250 websites and 30 Twitter accounts for posting communal images and videos that led to people from Northeast exit Bangalore and a few other Indian cities.

"Internet service providers in the Valley were asked by officials in the Ministry of Home Affairs to switch off connectivity on Saturday morning. There has been no further communication from the Ministry until now and we don't expect any withdrawal in the next few days," a senior industry executive with direct knowledge of the matter told ET. He added that any decision on withdrawal of the ban will be taken only after the MHA and intelligence officials take stock of the situation.

Centre of Internet's Abraham said he was not sure if messages on social media were being taken seriously by the government. "Research shows that during the times of public disruption, ban of communication services will only make things worse. Enlightened governments should know this and act accordingly."

For more details visit https://cis-india.org/news/economic-times-feb-12-2013-indu-nandakumar-anonymous-joins-protests-against-internet-shutdown-in-kashmir

Indian net service providers too play censorship tricks

praskrishna — 2013-02-13T04:20:53Z

The study by a Canadian university has found that some major Indian ISPs have deployed web-censorship and filtering technology.

The article by T Ramachandran was published in the Hindu on February 9, 2013. Sunil Abraham is quoted.

Your internet service provider (ISP) could be blocking some content. A study conducted by a Canadian university has found that some major Indian ISPs have deployed web-censorship and filtering technology widely used in China and some West Asian countries.

The findings, published on January 15, were the result of a search for censorship software and hardware on public networks like those operated by ISPs.

A research team at Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, found a software-hardware combo package called PacketShaper being used in many parts of the world, including India.

The study identified the presence of four PacketShaper installations on the networks of three major ISPs in India during the period of study in late 2012. These ISPs had been earlier “implicated in filtering to some degree,” the report said.

The deployment of such traffic management technologies by ISPs could threaten privacy, freedom of expression and competition, said Sunil Abraham, Executive Director of the Bangalore-based NGO, Centre for Internet and Society.

He said tools like PacketShaper could be used by ISPs for two types of censorship —“to block entire websites or choke traffic on certain services or destinations in a highly granular fashion.”

The U.S.-based producers of the technology, Blue Coat Systems, are quite open about the product features on the company’s website. They say it could be used to control and weed out undesirable content. It could also be used to slow down or speed up the operation of programmes and content flow to achieve the goals set by the operators of the networks.

Transparency is the key

Technology experts said such products could be used to exercise legitimate control over the internet traffic and prioritise the use of bandwidth and resources, if used ethically.

“If done in a transparent manner that does not discriminate against different actors within a class it does benefit the collective interest of the ISP’s clients. However, it could also be used to engage in hidden censorship against legitimate speech and also for anti-competitive behaviour,” said Mr. Abraham.

The study focussed on countries where concerns exist over “compliance with international human rights law, legal due process, freedom of speech, surveillance, and censorship.”

For more details visit https://cis-india.org/news/the-hindu-feb-9-2013-t-ramachandran-indian-net-service-providers-too-play-censorship-tricks

2012: Privacy Highlights in India

elonnai — 2013-02-12T12:39:05Z

In this blog post, Elonnai Hickok summarizes the top privacy moments of 2012 in India. In doing so she lists out the major ones like the Report of Group of Experts on Privacy, the RIM Standoff, the Nira Radia controversy, the Centralized Monitoring System, Unmanned Aerial Vehicles, NATGRID, CCTNS, the growth of CCTVs, the leaked DNA Profiling Bill, and the UID project.

The Report of Group of Experts on Privacy: In October 2012 the "Report of Group of Experts on Privacy" was published by a governmental committee chaired by Justice A.P. Shah. The report contains recommendations for comprehensive privacy legislation, including defining nine privacy principles, establishing a regulatory framework consisting of privacy commissioners at the regional and central level, and self regulatory organizations, and analyzing the present challenges to privacy in India.[1]

Before the report was published, two draft privacy bills had been leaked to the public, and a concept paper drafted in 2010. The report received mixed reviews from the media, including questions about the relationship between the Right to Information and the Right to Privacy. Before the publishing of the Report, Prime Minister Manmohan Singh recognized that disclosures under the RTI Act could, in some instances, violate individual privacy. In a statement to the public, the Prime Minister stated "citizens’ right to know should definitely be circumscribed if disclosure of information encroaches upon someone's personal privacy. But where to draw the line is a complicated question".[2]

Three months before the report was published, the EU had publicly stated that current data protection provisions in India are not sufficient enough, and that India is not considered to be 'data secure'.[3] If the recommendations in the report are turned into legislation, among other things, individuals in India will have a right to privacy and a right to redress for violations of privacy.

Governmental Interception: In early 2013 it was revealed that the Ministry of Home Affairs ordered interception of 10,000 phones and 1300 email ids during October 2012 to December 2012.[4] Continuing its efforts to access all communications, in May 2012, the Government of India gave service providers a month to develop a method for intercepting calls using VoIP services.[5] In February 2012 the Telecom Department proposed a new set of security guidelines that would allow for real time interception of communications and the tracking of the location of users. Among other things, the proposal establishes telecom security assurance and testing labs for the purpose of testing and certifying telecom equipment.[6] Additionally, in October of 2012, Bharti Airtel refused to wiretap telephones for RAW. The Department of Telecommunications eventually ordered Bharti Airtel to comply with the order, which they did.[7] The events around interception in 2012 show that the Indian government is still trying to gain access to as much information as possible. The constant push for real time access by the government is concerning, as many safeguards are missing from the Indian interception regime such as, penalty to security agencies for unauthorized interception and avenues of redress for the individual.

The RIM Standoff: Since 2008, the Indian government has been negotiating with RIM access to BlackBerry communications. Over the years, a number of solutions have been proposed by RIM and the GoI, yet a final agreement was never reached. Continuing the negotiations, In October 2012, RIM agreed to set up a server in Mumbai, which would allow security agencies to access Blackberry Messenger services.[8] Blackberry also provided a solution that would allow access to Blackberry Internet Services.[9] Following this, the Government of India mandated that Telecom Service Providers must incorporate the Blackberry interception solution, or risk being forced to shut their service by December 31, 2012. In compliance with this order, many service providers have set time frames for incorporation of the interception solution including and installed the necessary software.[10] It is important to note that the lawful access solutions provided do not extend to the Blackberry Enterprise Server.[11] Though it seems that the BlackBerry controversy might be resolved, the solution does not appear to be a long term solution, as BES communications are still not accessible, and the solution is not universal for all international providers. Thus, the Indian government will have to negotiate individually with each provider and service that they currently cannot access communications of.

The Nira Radia Controversy: Continuing the Nira Radia controversy, which began in 2008-2009, in September 2012 the Supreme Court ordered the Income Tax Department to transcribe the 5,831 recorded conversations that were originally intercepted by the department. In January this year, the Supreme Court of India ordered that a "random check" be run through the Radia Tapes to check for instances of possible criminality.[12] This case has become an important moment for privacy in India, as it intersects the dilemma between the right to privacy and public interest. Since 2010, Ratan Tata has been claiming that his right to privacy was violated by the publishing of the leaked tapes.[13] The Supreme Court’s final decision will be important for drawing another contour of how the right to privacy is shaped in India.

The Centralized Monitoring System: In 2012 the Telecom Ministry set aside Rs. 400 crore for the Central Monitoring System, which is projected to be finished by August 2014.[14] The project, which first began in 2007, is envisioned to allow security agencies to bypass service providers and intercept communications on their own. The system is designed to have regional databases and a central database which will be accessible to law enforcement and security agencies. Privacy concerns related to the project include how the system will incorporate current legal regulations for interception in India, as a system that bypasses service providers essentially means that every communication can be read by law enforcement. Furthermore, it is not clear exactly who, and on what conditions will officials be allowed and authorized to access and use the system. The exact capabilities of the system have also not been identified. For example, will the CMS be able to intercept VoIP calls, will it be able to decrypt messages, and will it employ techniques such as Deep Packet Inspection.

Unmanned Aerial Vehicles (UAVs): Since the late 90’s the Defense Research Development Organisation (DRDO) has been developing UAV’s for military purposes, and before this, India was acquiring UAV’s from Israel.[15] Since that time there has been an increase in domestic companies and institutes developing UAVs, and an increase in the procurement of the technology by state police for generic reasons purposes as crowd control, traffic management, and security. For example, in August of 2012 the city of Mumbai used the UAV "Netra", as part of their security protocol during the Raj Thackeray rally to capture and send real time images back to the police. Netra is manufactured by the company Idea Forge.[16] The Mumbai police also used the Netra in September 2012 after the Azad Maidan riots, and again on New Year’s Eve to monitor and track crime such as sexual harassment.[17] Similarly, Chennai city police are looking to procure from Anna University a UAV developed by the Madras Institute of Technology. The UAV will be used to assist in traffic monitoring and control.[18] The increased procurement and use of UAV’s by state police is concerning as there is no clear legal regulation over the deployment of the vehicles. Thus, they have shifted from being used as a tool by the military, and are being used for monitoring traffic, crowd monitoring, etc. Furthermore, the process for authorization for use of the vehicles is not clear, and it is not clear how the captured information is protected and handled. Though UAV’s are clearly a useful tool for the military, for military purposes, the permitted use of them by other actors should be defined and regulated. The use of UAV’s for generic purposes could place individual privacy at risk, because of the amount of information and the level of detail that the vehicles are able to capture without the knowledge of the individual.

The National Intelligence Grid (NATGRID): Plans for the NATGRID project, which was first piloted after the Mumbai attacks, has been continuing forward through 2012 and is envisioned to be operational sometime in 2013. During 2012, a detailed project report was submitted for the project, and in June the government approved Rs. 1,100 crore for purchase of technological equipment.[19] NATGRID is a project that envisions networking 21 databases for purposes of crime investigation including tax, health, and travel information. The information will be accessible to 11 security agencies and law enforcement agencies. Though it has been clarified that NATGRID will ensure that privacy is protected, the design of NATGRID is one that could create potential risks – as it brings together large amounts of personal data for easy access by security agencies. In doing so it could potentially eliminate the steps security agencies must take currently to access information – such as submitting a request and obtaining permission for access. Furthermore, it is unclear how current legal protections such as secrecy clauses in banking legislation will be incorporated and upheld by the NATGRID system. Other questions that the project raises include – though currently there are only eleven agencies listed that will have access to NATGRID – will this list expand? Without a policy in place how will this standard and other standards be enforced?

The Crime and Criminal Tracking Network & System (CCTNS): Though the CCTNS project has been in the works since 2009, a call for companies to develop the technology for the system was taken in early 2012, and pilot projects were launched later that year. The CCTNS is being headed by the National Crime Records Bureau, and will allow for the sharing of crime related information on a national level, in real time. In 2012, the system was allocated 2,000 crores by the government, and currently 2,000 police stations and other offices have been connected under the system.[20]

For example, police in Chhattisgarh,[21] Uttarakhand[22] and Odisha have all been connected to the CCTNS system.[23] Though it will be beneficial for the police to have access to a networked system, it has not been made clear yet what type of security system the project will adopt to ensure that the information is not compromised or accessed without authorization. It has also not been clarified what information will be placed on the database, and will all records be accessible to any individual accessing the system. Because the project is still in pilot stages it is hard to tell if it could put individual privacy at risk. Hopefully, before the project is realized in its full, many of the details will be clarified.

The Growth of CCTVs: Throughout 2012 the use of CCTV’s has continued to grow across India. For example, the Maharashtra government has undertaken a "CCTV surveillance project" in which it is in the process of taking bids for.[24] The state of Karnataka is also planning on installing CCTV cameras in Bangalore and other major cities to help detect incidents of crime.[25] While the Delhi Transport Department is contemplating installing CCTVs in buses,[26] and the Indian Rail Authorities have also decided to install CCTVs throughout stations to increase security.[27] There still does not exist regulation of the use of CCTV cameras, thus it is unclear who can operate a CCTV camera, which departments of the government can mandate for the installation of CCTVs, if public notice must be given that a CCTV camera is in use, and who can access the footage from a CCTV.

Study on Privacy Perceptions: In a study that came out in December 2012 by Ponnurangam K, among other things, it was found that 75 per cent of participants never read the privacy policy on a website – including social networking sites, participants also thought that there was a privacy legislation in place in India, and that individuals in India are most concerned about financial privacy.[28]

The National Counter Terrorism Centre (NCTC): The NCTC was originally created in response to the Mumbai terror attacks, under the Unlawful Prevention Act, 1967. The NCTC was meant to be realized in 2012, but in March, plans for the Centre were put on hold, because of the controversial nature of the project.[29] The Centre was meant to bring Indian intelligence agencies under one umbrella, and analyze and store information related to terrorism. The proposed body has been highly controversial, as states object to the powers given to the Centre and see it as intruding on their powers and jurisdiction. If passed, the NCTC will have the powers of arrest, search and seizure, and the ability to access information from other intelligence agencies.[30]

The Leaked DNA Profiling Bill: In 2012, a version of the DNA Profiling Bill, originally drafted in 2007, was leaked to the public. The Bill is being piloted by the department of biotechnology, and seeks to establish DNA databases at the regional and central level for forensic purposes, yet the Bill does not establish strong protections for the privacy of DNA samples taken and important technical standards for ensuring that DNA samples are not misused or tampered with.[31] What will happen to the Bill in 2013 is yet to be seen, but hopefully it will not be passed without the appropriate safeguards incorporated into its provisions.

The Unique Identification Project and the National Population Registrar: Throughout 2012, the UID has continued to carry out enrollments across the country, and sign MoU's with private sector companies for the adoption of the UID platform. Parallel to the UID project, the NPR project is also being implemented. The NPR seeks to provide every citizen of India with an identity that will be stored in an identity database maintained by the Registrar General and Census Commissioner of India.[32] According to the NPR scheme, individuals who had already enrolled with the UID and given their biometrics would not need to re-submit their biometrics with the NPR. Yet, this has not been the case, and instead individuals are now being required to provide their biometrics for enrollment with the UID and the NPR.[33]

Privacy has been raised as a concern of the UID since the start of the project. For both the UID and the NPR now the transaction record will be stored by agencies, and whether it will be possible to track individuals across databases using their NPR or UID identity?

[1]. The Report of Group of Experts on Privacy. See http://bit.ly/VqzKtr

[2]. Tikku, A., "RTI doesn’t trample upon privacy, says expert panel", Hindustan Times, October 29, 2012, available at http://bit.ly/TNAzRF, last accessed on January 8, 2013.

[3]. Sen, A. India protests European Union study of data laws. Economic Times. July 9, 2012, available at http://bit.ly/Y9ahHs, last accessed on January 8, 2013.

[4]. Harismran, J., Thomas, J. "Home Ministry ordered 10k wire taps in last 90 days, order tapping of 1300 email Ids", The Economic Times, January 3, 2013, available at http://bit.ly/TKk7yN, last accessed on January 7th 2013.

[5].The Economic Times, "Provide solution to intercept VoIP within a month: Govt", May 6, 2012, available at http://bit.ly/VQDQ4k, last accessed on January 7, 2013.

[6]. The Economic Times, "New policy for real time interception to security agencies", February 1, 2012, available at http://bit.ly/11DrlvB, last accessed on January 7, 2013.

[7]. The Economic Times, "RAW irked as Airtel keeps its request for phone tapping on hold", October 21, 2012, available at http://bit.ly/12IujhF, last accessed on January 7, 2013.

[8]. Reyes, D., "RIM installs BlackBerry server in Mumbai", CrackBerry, February 23, 2012, available at http://bit.ly/yBQsSo

[9]. Economic Times, "DoT makes telecom operators fall in line on Blackberry issue", December 30, 2012, available at http://bit.ly/1169ufn

[10]. Economic Times, "MTNL, BSNL fail to give dates for Blackberry interception", October 29, 2012, available at http://bit.ly/1169ufp, last accessed on January 7, 2012.

[11]. The Economic Times, "Telecom companies agreed to provide real-time intercept facilities for BlackBerry smartphones", December 31, 2012, available at http://bit.ly/Y9gjYt, last accessed on January 7, 2012.

[12]. Mahapatra, D., "SC to examine Radia tapes for criminality", Times of India, January 9, 2013, available at http://bit.ly/VD7eWX

[13]. Times of India, "Ratan Tata softens stand on Radia tapes", August 23, 2012, available at http://bit.ly/158CZxl, last accessed on January 7, 2013.

[14]. The Economic Times, "Govt. to place phone tapping system worth Rs. 400 cr by 2014", March 21, 2012, available at http://bit.ly/V2P9q6, last accessed on January 7, 2013.

[15]. Monsonis, G., "UAVs gaining currency with Indian Armed Forces", Indian Defence Review, October 30, 2012, available at http://bit.ly/KVYyIr, last accessed on January 7, 2013.

[16]. Mumbai Mirror, "Raj Thackeray’s mega rally: Unmanned Aerial Vehicle kept an eye on Azed Maidan", Economic Times, August 22, 2012, available at http://bit.ly/PYTGAG, last accessed on January 7, 2013.

[17].Ali, A. & Narayan. V., "Netra cameras to keep a close watch , over New Year’s Eve hotspots", Times of India, December 31, 2012, available at http://bit.ly/Z7orxt, last accessed on January 7, 2013.

[18]. Venugopal, V., "It flies, it swoops, it records and monitors", The Hindu, December 20, 2012, available at http://bit.ly/V89sLo, last accessed January 7, 2013.

[19]. The Economic Times, "Cabinet Committee on Security approves Rs. 1,100 crore for NATGRID", June 14, 2012.

[20]. Mohan, V., "Centre launches pilot project to track criminals", The Times of India, January 5, 2013, available at http://bit.ly/UPk2fh

[21]. The Pioneer, "Civil Lines Police Station gets connected with CCTNS", January 2012, available at http://bit.ly/VRXKGJ

[22]. CIOL Bureau, "CCTNS to be made public through internet: Dehradun DGP", January 4, 2012, available at http://bit.ly/X4JISx, last accessed on January 7, 2013.

[23]. The Hindu, "Odisha to launch CCTNS on January 12", January 7, 2013, available at http://bit.ly/Vd9Ay1, last accessed on January 7, 2013.

[24]. Padmakshan, M., "Maharashtra plans to invite new bids for CCTV surveillance project", September 18, 2012, available at http://bit.ly/VRYrQm, last accessed on January 7, 2013.

[25]. Ashoka, R., "Karnataka to install CCTV cameras in Bangalore, major cities", Economic Times. July 26, 2012, available at http://bit.ly/11Dxt6Z, last accessed on January 7, 2013.

[26]. Economic Times, "Buses to come with CCTV cameras for safety of women: Delhi government", December 17, 2012, available at http://bit.ly/158Gtjo, last accessed on January 7, 2013.

[27]. Economic Times, "Railways to step by security apparatus at stations", February 15, 2012, available at http://bit.ly/11DxSX8, last accessed on January 7, 2013.

[28]. Times of India, "Most Indians ignorant about privacy issues on Facebook, Twitter: Study", December 10, 2012, available at http://bit.ly/X4KVt1, last accessed on January 7, 2013.

[29]. Kumar, H., "Does India Need a National Counter Terrorism Center?", The New York Times, India Ink, February 28, 2012, available at http://nyti.ms/A5VU5P

[30]. Times of India. CM to attend National Counter- Terrorism Centre Meet in Delhi. May 4, 2012, available at http://bit.ly/12IDoH9, last accessed on January 8, 2012.

[31]. Hickok, E., "Rethinking DNA Profiling in India", Economic Political Weekly, October 27, 2012, available at http://bit.ly/TUrH7j, last accessed on January 7, 2013.

[32]. Department of Information Technology, "National Population Register", available at http://bit.ly/12rzyOh

[33]. Pandit, A., "NPR must even if you have Aadhar number", Times of India, October 31, 2012, available at http://bit.ly/Y9oXGq, last accessed on January 8, 2013.

For more details visit https://cis-india.org/internet-governance/privacy-highlights-in-india

Online Abuse of Teen Girls in Kashmir Leads to Arrests

praskrishna — 2013-03-06T03:51:20Z

Online abuse and a fatwa aimed at a rock band of Muslim teenage girls in Kashmir have led to arrests and a threat of a lawsuit.

This article by Betwa Sharma was published in the New York Times on February 8, 2013. Pranesh Prakash is quoted.

Three men were arrested this week for posting threatening messages on the Facebook page of Praagaash, an amateur rock band in Indian-occupied Kashmir made of up Muslim girls. “The investigation is ongoing,” said Manoj Pandita, spokesman for the Jammu and Kashmir police, indicating that more arrests may follow.

The three men were charged under Section 66A of the Information Technology Act, which applies to “offensive” messages being sent through communication services, and Section 506 of the Ranbir Penal Code, which applies to criminal intimidation. Mr. Pandita said that it had been easy to track the I.P. addresses of the Facebook users.

A prominent human rights lawyer, Parvez Imroz of the Jammu and Kashmir Coalition of Civil Society, is planning to sue the top religious leader in Kashmir, who called for the fatwa, for “demonizing Kashmir before the international community” and for “running a parallel judicial system in the valley.”

Mr. Imroz told India Ink that human rights organizations like his needed support from the international community to highlight their concerns, and such fatwas reflected badly on the Kashmiri society. “He is diverting attention away from real issues of human rights to nonissues like music and purdah,” Mr. Imroz said.

The fatwa against the band was issued by the Grand Mufti Bashiruddin Ahmad.

In his fatwa, Mr. Ahmad advised women to only sing inside the house to other female members of the family, and wear a veil whenever they left the house. “They must stay within limits,” he said.

Following the band’s first live performance in December, Aneeqa Khalid, Noma Nazir and Farah Deeba, 10th-grade students who are 15 and 16 years old, became the target of abuse and threats on Facebook by people who accused them of being un-Islamic because they had performed in public, especially before men. Some commenters called them “sluts” and “prostitutes;” others suggested that they should be raped.

The band Praagaash, which means “darkness into light,” disbanded following a national controversy surrounding these threatening messages. The threats were condemned by many, including the state’s chief minister.

To many Kashmiris, both the fatwa and the arrests by the government are unnecessary. Some say that the controversy erupted after the state’s chief minister, Omar Abdullah, got involved by expressing his support for the band on Twitter and then calling for investigation against those writing the threatening messages.

“Nobody here had a problem with the rock band,” said Aala Fazili, a doctorate student at Kashmir University, pointing out that the band’s performance in December had not led to any protests or physical threats against them.

Mr. Fazili, 32, added that people shouldn’t be arrested for writing abusive posts on Facebook. “You cannot call an abuse a threat,” he said.

Mr. Pandita, the Kashmir police spokesman, said the investigators were making a distinction between a threat and abuse on the basis of “gravity.”

Pranesh Prakash, from the Center for Internet and Society in Bangalore, asked whether people who hold protests calling for the death of the author Salman Rushdie should also be arrested for making threats.

“I would hold that no expression of violent thoughts, online or offline, should be made criminal, even if it is repugnantly misogynistic, unless it takes the form of a credible threat that causes harm, or is harassment that constitutes harm,” he said.

For more details visit https://cis-india.org/news/ny-times-feb-8-2013-betwa-sharma-online-abuse-of-teen-girls-in-kashmir-leads-to-arrests

Censorship and sensibility in India

praskrishna — 2013-03-06T04:09:02Z

The past few weeks in India have seen films, an all-girl rock band, a fashion show, a Booker prize-winning novelist and a reputed academic become targets of harassment, legal action or threats of violence.

This article by Samanth Subramanian was published in the National on February 6, 2013. Pranesh Prakash is quoted.

The most prominent case involved Vishwaroopam, a Tamil film that will be released in Tamil Nadu on Friday after a two-week delay. The film was blocked by the state government after some Muslim groups protested that it depicted Muslims in poor light. The director, Kamal Haasan, had to agree to cut seven scenes.

"The culture of taking offence has acquired an epidemic proportion, and we are moving in a direction where nothing, it seems, is a safe topic," said Salil Tripathi, who wrote the 2009 book Offence: The Hindu Case, on how Hindu fundamentalists have succeeded in censoring and banning many cultural works and teachings.

"If India doesn't step back from this abyss, it will begin to resemble the dictatorships where people speak in coded language, where real thoughts go underground," Mr Tripathi added.

On Sunday, a fashion show in the southern city of Visakhapatnam was cancelled after the Vishwa Hindu Parishad (VHP), a right-wing Hindu group, protested against women modelling dresses bearing images of Hindu deities.

In Delhi, an art gallery had to temporarily shut down on Monday after the VHP called for a ban on a retrospective of the modern nude because the exhibit included "indecent pictures". The VHP's women's wing, the Durga Vahini, harrassed women who were smoking and drinking in a restaurant in Mangalore last week.

Meanwhile, on Sunday, a Muslim cleric in Kashmir a fatwa against Pragaash, an all-girl high school rock band that was deemed "un-Islamic". The band has dissolved, although Omar Abdullah, the chief minister of Jammu and Kashmir, defended them last weekend on Twitter, saying: "I hope these talented young girls will not let a handful of morons silence them."

Last week, the author Salman Rushdie cancelled a visit to a literary festival in Kolkata, citing security concerns after protests by Muslim groups. The fair's organisers subsequently denied having invited him. Yesterday, the Indian Christian Republican Party complained to the police that Kadal, a new movie set in a Tamil Catholic fishing community, shows a framed picture of Jesus Christ being thrown to the floor.

These instances have sparked widespread criticism of what an editorial last week in The Hindu newspaper called India's "flourishing outrage industry". In the International Herald Tribune, the columnist Manu Joseph called modern India "a paradise for those who take offence".

The Indian constitution guarantees freedom of speech and expression, but it is not without caveat. The constitution allows for "reasonable restrictions" on this right, in the interests of "public order, decency or morality".

Further, the Indian Penal Code contains two laws that have been invoked repeatedly to cramp free speech.

Section 295A punishes those who "outrage [the] religious feelings of any class" by spoken, written or visual means, with a fine or a prison term of up to three years.

Section 505(2) promises a similar punishment to those who make "statements creating or promoting enmity, hatred or ill-will between classes" on grounds of religion, caste, language or race.

Nikhil Mehra, a lawyer who practises in the Supreme Court, said both laws are antiquated holdovers from colonial India.

"The problem is that these laws are so broadly worded that cases can be impossible to quash, because it is difficult for a judge to take the view that some piece of speech does not promote enmity between groups," Mr Mehra said.

"I'd say there's no chance that these laws will be struck off the books," he said. "Politically, nobody will do it, because we have such a huge vacuum of leadership that nobody has the guts to step up and suggest such changes."

Pranesh Prakash, policy director at the Bangalore-based Centre for Internet and Society, has extensively analysed cases where these laws are applied in conjunction with India's information technology act, which governs online speech.

"Given India's history of communal violence, it would be extraordinary for courts to directly criticise such laws," Mr Prakash said. But these laws are two among many "patently unconstitutional laws" in India's statute books, he pointed out.

"How could it be constitutional to prevent the free broadcast of news over radio, for instance, or to prohibit speech online that causes 'annoyance'?" Mr Prakash said. "Not only are antiquated and speech-restricting laws not being struck off, more such laws are being added to the statute books all the time."

An example, he said, was section 66a of the information technology act, which aims to curtail "offensive messages" online but is often used to target dissidents and even posts on social media.

For more details visit https://cis-india.org/news/the-national-feb-6-2013-samanth-subramanian-censorship-and-sensibility-in-india

A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications

elonnai — 2013-07-12T15:40:51Z

This blog post is a comparison of the relevant Indian legislations allowing governmental access to communications and the Draft International Principles on Surveillance of Communications. The principles, first drafted in October 2012 and developed subsequently seeks to establish an international standard for surveillance of communications in the context of human rights.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The Centre for Internet and Society is contributing feedback to the drafting of the principles. The principles are still in draft form and the most recent version along with the preamble to the principles can be accessed at: http://necessaryandproportionate.net/

The Principles:

1. Principle - Legality: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process.

Indian Legislation: In India there are two predominant legislations with subsequent Rules and Licenses that allow for access to communications by law enforcement and the government. Though the basic power of interception of communications are prescribed by law, the Rules and Licenses build off of these powers and create procedural requirements, and requirements for assistance.

The Indian Telegraph Act, 1885

The Indian Telegraph Amendment Rules 2007: These Rules are grounded in section 419A of the Indian Telegraph Act and establish procedures and safeguards for the interception of communications.
License Agreement for Provision of Unified Access Services After Migration from CMTS (UASL): This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
License Agreement for Provision of Internet Services: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
The Information Technology Act, 2000
- Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009: These Rules were notified in 2009 and allow authorized governmental agencies to intercept, monitor, and decrypt information generated, transmitted, received, or stored in any computer resource.
- Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules 2009: These Rules were notified in 2009 and allow authorized agencies to monitor and collect traffic data or information that is generated, transmitted, received or stored in any computer resource.

2. Principle - Legitimate Purpose: Laws should only allow access to communications or communications metadata by authorized public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.

Indian Legislation: In relevant Indian legislation there are no specific provisions requiring that access by law enforcement must be for a legitimate purpose and consistent with a free and democratic society. Instead, Indian legislation defines and lays out specific circumstances for which access would be allowed.

Below are the circumstances for which access is allowed by each Act, Rule, and License:

The TA Rules 2007: Interception is allowed in the following circumstances:

On the occurrence of any public emergency

In the interest of the public safety

In the interests of the sovereignty and integrity of India

The security of the state

Friendly relations with foreign states

Public order

Preventing incitement to the commission of an offence

ITA Interception and Monitoring Rules: Interception, monitoring, and decryption of communications is allowed in the following circumstances:

In the interest of the sovereignty or integrity of India,
Defense of India
Security of the state
Friendly relations with foreign states
Public order
Preventing incitement to the commission of any cognizable offence relating to the above
For investigation of any offence

ITA Monitoring of Traffic Data Rules: Monitoring of traffic data and collection of information is allowed for the following purposes related to cyber security:

Forecasting of imminent cyber incidents
Monitoring network application with traffic data or information on computer resources
Identification and determination of viruses or computer contaminant
Tracking cyber security breaches or cyber security incidents
Tracking computer resource breaching cyber security or spreading virus’s or computer contaminants
Identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security.
Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource.
Accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force.
Any other matter relating to cyber security.

UASL License: Assistance must be provided to the government for the following reasons and times:

Reasons defined in the Telegraph Act. (Section 41.20 (xix))
National Security. (Section 41.20 (xvii))
To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 41.1)
Trace nuisance, obnoxious or malicious calls, messages or communications transported through his/her equipment. (Section 40.4)
In the interests of security. (Section 41.7)
For security reasons. (Section 41.20 (iii))

ISP License: Assistance must be provided to the government for the following reasons and times:

To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 34.1)
In the interests of security. (Section 34.4)
For security reasons. (Section 34.28 (iii))
Reasons defined in the Telegraph Act. (Section 35.2)

3. Principle - Necessity: Laws allowing access to communications or communications metadata by authorized public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.

Indian Legislation: Relevant Indian legislation do not contain provisions mandating that access to communications must be demonstrably necessary, and do not give details of the criteria that authorizing authorities should use to determine if a request is a valid or not. Relevant Indian legislation does require that all directions contain reasons for the direction. Additionally, excluding the ITA Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules, relevant Indian legislation requires that all other means for acquiring the information must be taken into consideration before a direction for access can be granted.

Below are summaries of the relevant provisions:

TA Rules 2007: Any order for interception issued by the competent authority must contain reasons for the direction (Section 2). While issuing orders for direction, all other means for acquiring the information must be taken into consideration, and directions can only be issued if it is not possible to acquire the information by any other reasonable means (Section 3).
ITA Interception and Monitoring Rules: Any direction issued by the competent authority must contain reasons for such direction (Section 7). The competent authority must consider the possibility of acquiring the necessary information by other means and the direction can be issued only when it is not possible to acquire the information any other reasonable means (Section 8).
ITA Traffic Monitoring Rules: Any direction issued by the competent authority must contain reasons for the direction (Section 3(3)).
UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.

4. Principle - Adequacy: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.

Indian Legislation: In relevant Indian legislation there are provisions that require direction for access to be specific, but there are no provisions that specifically prohibit government agencies from collecting and accessing information that is not appropriate for fulfillment of the stated purpose of the direction.

5. Principle - Competent Authority: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.

Indian Legislation: In relevant Indian legislation it is required that directions for access to be authorized by "competent authorities". The most common authority for authorizing orders for access is the Secretary to the Government of India in the Ministry of Home Affairs, but authorization can also come from other officials depending on the circumstance. The fact that authorization for access to communications content is not from a judge has been a contested topic, as in many countries a judicial order is the minimum requirement for access to communication content. It is unclear from the legislation if adequate resources are assigned to the competent authorities.

Below are summaries of relevant provisions:

The TA Rules 2007: Under the Telegraph Act the authorizing authorities are:

The Secretary to the Government of India in the Ministry of Home Affairs at the Central Level
The Secretary to the State Government in charge of the Home Department in the case of the State Government.
In unavoidable circumstances an order for interception may only be made by an officer not below the rank of a Joint Secretary to the Government of India who has been authorized by the Union Home Secretary or the State Secretary.
In remote areas or for operational reasons where obtaining prior directions for interception is not feasible the head or the second senior most officer of the authorized security agency at the Central level and the officers authorized in this behalf and not below the rank of Inspector of General Police. (Section 1(2)).
ITA Interception and Monitoring Rules: Under the ITA Rules related to the interception, monitoring, and decryption of communications, the competent authorities for authorizing directions are:
- The Secretary in the Ministry of Home Affairs in case of the Central Government.
- The Secretary in charge of the Home Department, in case of a State Government or Union Territory.
- In unavoidable circumstances any officer not below the rank of the Joint Secretary to the Government of India who has been authorized by the competent authority.
- In remote areas or for operational reasons where obtaining prior directions is not feasible, the head or the second senior most officer of the security and law enforcement agency at the Central level or the officer authorized and not below the rank of the inspector General of Police or an officer of equivalent rank at the State or Union territory level. (Section 3).
ITA Monitoring and Collecting Traffic Data Rules: Under the ITA Rules related to the monitoring and collecting of traffic data, the competent authorities who can issue and authorize directions are:
- The Secretary to the Government of Indian in the Department of Information Technology under the Ministry of Communications and Information Technology. (Section 2(d)).
- An employee of an intermediary may complete the following if it is in relation to the services that he is providing including: accessing stored information from computer resource for the purpose of implementing information security practices in the computer resource, determining any security breaches, computer contaminant or computer virus, undertaking forensic of the concerned computer resource as a part of investigation or internal audit. Accessing or analyzing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened or is suspected of having contravened or being likely to contravene any provisions of the Act that is likely to have an adverse impact on the services provided by the intermediary. (Section 9 (2)).
UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.

6. Principle - Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should at a minimum establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.

Indian Legislation: In relevant Indian legislation there are no comprehensive provisions that ensure proportionality of the surveillance of communications but there are provisions that contribute to ensuring proportionality. These include provisions requiring: time frames for how long law enforcement can retain accessed and collected material, directions to be issued only after there are no other means for acquiring the information, requests to contain reasons for the order, the duration for which an order can remain in force to be limited, and requests to be for specified purpose based on a particular set of premises. All of these provisions are found in the Telegraph Rules issued in 2007 and the ITA Procedures and Safeguards for Interception, Monitoring, and Decryption of Information Rules. None of these requirements are found in the UASL or ISP licenses, and many are missing from the ITA Safeguards for Monitoring and Collecting Traffic Data or Information Rules.

Though the above are steps to ensuring proportionality, Indian legislation does not provide details of how the proportionality of requests would be measured as recommended by the principle. For example, it is not required that requests for access demonstrate that evidence of the crime would be found by accessing the communications or communications metadata sought, and that information only related directly to the crime will be collected. Furthermore, Indian legislation does not place restrictions on the amount of data sought, nor the level of secrecy afforded to the request.

Below is a summary of the relevant provisions:

TA Rules 2007:

Service providers shall destroy record pertaining to directions for interception of message within two months of discontinuing the interception. (Section 19).
Directions for interception should only be issued only when it is not possible to acquire the information by any other reasonable means. (Section 3).
The interception must be of a message or class of message from and too one particular person that is specified or described in the order or one particular set of premises specified or described in the order. (Section 4).
The direction for interception will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 6).
ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 7).
- The competent authority must consider all other possibilities of acquiring the information by other means, and the direction can only be issued when it is not possible to acquire the information by any other reasonable means. (Section 8).
- The direction of interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource etc., as may be specified or described in the direction. (Section 9).
- The directions for interception, monitoring, or decryption will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 10).
ITA Traffic and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 3(3)).
- Every record including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed after the expiry of nine months by the designated officer. Except when the information is needed for an ongoing investigation, the person in charge of a computer resource shall destroy records within a period of six months of discontinuing the monitoring. (Section 8).

7. Principle - Due process: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorized in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.(9) While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorization by a competent authority, except when there is imminent risk of danger to human life.(10)

Indian Legislation: In the relevant Indian legislation the only guarantee for due process is that every request for access must be subject to prior authorization by a competent authority.

TA Rules 2007:

All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
ITA Interception and Monitoring Rules:
- All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
ITA Monitoring of Traffic Rules:
- The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is the competent authority for authorizing orders.

8. Principle - User notification: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.

Indian Legislation: In relevant Indian legislation there are no provisions that require the government or service providers to notify the user that a public authority has requested his or her communication data.

9. Principle - Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.

Indian Legislation: In relevant Indian legislation there are no requirements that access capabilities of the government and the process for access must be transparent to the public. Nor are service providers required to publish the procedure applied to handle data requests from public authorities.

10. Principle - Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. (11)

Indian Legislation: In relevant Indian legislation there are requirements for a review committee to be established. The review committee must meet on a bi-monthly basis and review directions to ensure that they are in accordance with the prescribed law. Currently, it is unclear from the legislation if the review committees have the authority to access information about public authorities’ actions, and currently the review committee does not publish aggregate information about the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. These standards are recommended by the principle.

The relevant provisions are summarized below:

TA Rules 2007:

A review committee will be constituted by a state government that consists of a chief secretary, secretary of law, secretary to the state government. The review committee shall meet at least once in two months. If the committee finds that directions are not in accordance with the mandated provisions, then the committee can order the destruction of the directions. (Section 17). Any order issued by the competent authority must contain reasons for such directions and a copy be forwarded to the concerned review committee within a period of seven working days. (Section 2).
ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 22).
ITA Traffic Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 7).

11. Principles - Integrity of communications and systems: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.

Indian Legislation: In relevant Indian legislation there are a number of security measures that must be put in place but these are predominantly actions that must be taken by service providers, and do not pertain to intelligence agencies. Furthermore, many provisions found in the ITA Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules, and the ISP and UASL licenses include requirements for service providers to provide monitoring facilities and technical assistance, require information to be retained specifically for law enforcement purposes, and require service providers to comply with a-priori data retention mandates. In the ISP and UASL license, service providers are audited and inspected to ensure compliance with requirements listed in the license, but it unclear from the legislation if the access capabilities of government or governmental agencies are audited by an independent public oversight body. This standard is recommended by the principle.

Relevant provisions are summarized below:

TA Rules 2007: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. (Section 14) Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security, service providers can be held liable for up to three years in prison, fines, and revocation of the service providers licenses depending on the nature and scale of the violation. (Section 20, 20A 21, 23).

ITA Interception and Monitoring Rules: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. (Section 20).

ITA Traffic Monitoring Rules: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. (Section 5&6).

UASL License: The intermediary or service provider is responsible for ensuring the protection of privacy of communication and to ensure that unauthorized interception of messages does not take place. (Section 39.1, Section 39.2, Section 41.4).

ISP License: The ISP has the responsibility of ensuring that unauthorized interception of messages does not take place. (Section 32.1) The ISP must take all necessary steps to safeguard the privacy and confidentiality of an information about a third party and its business and will do its best endeavor to ensure that no information, except what is necessary is divulged, and no employee of the ISP seeks information other than is necessary for the purpose of providing service to the third party. (Section 32.2) The ISP must also take necessary steps to ensure that any person acting on its behalf observe confidentiality of customer information. (Section 32.3).

Provisions requiring the provision of facilities, assistance, and retention:

ITA Interception and Monitoring Rules:

The intermediary must provide all facilities, co-operation for interception, monitoring, and decryption of information mentioned in the direction (Section 13(2)).
If a decryption direction or copy is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer, the decryption key holder must disclose the decryption key or provide the decryption assistance. (Section 17).

ITA Monitoring of Traffic Rules:

The intermediary must extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access to the computer resource for monitoring and collecting traffic data or information. (Section 4(7)).

UASL License:

The service provider cannot employ bulk encryption equipment in its network, and any encryption equipment connected to the licensee’s network for specific requirements must have prior evaluation an approval of the licensor. (Section 39.1).
The service provider must provide all tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through the equipment and network to authorized officers of the government for purposes of national security.(Section 40.4).
Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the licensor or its nominee shall have the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG. The service provider must make arrangements for the monitoring of simultaneous calls by Government security agencies. In case the security agencies intend to locate the equipment at the service provider’s premises for facilitating monitoring, the service provider should extend all support in this regard including space and entry of the authorized security personnel. The interface requirements as well as features and facilities as defined by the licensor should be implemented by the service provider for both data and speech. Presently, the service provider should ensure suitable redundancy in the complete chain of monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies. (Section 41.10).
The service provider must also make the following records available: called/calling party mobile/PSTN numbers, Time/date and duration of interception, location of target subscribers, telephone numbers if any call-forwarding feature has been invoked by the target subscriber, data records for even failed attempts, and call data record of roaming subscribers. (Section 41.10).
The service provider shall provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 41.11).
The complete list of subscribers must be made available by the service provider on their website to authorized intelligence agencies. This list must be updated on a regular basis. Hard copies of the list must also be made available to security agencies when requested. (Section 41.14). The database of subscribers must also be made available to the licensor or its representatives. (Section 41.16).
The service provider must maintain all commercial records with regard to the communications exchanged on the network. All records must be archived for at least one year. (Section 41.17).
Calling Line Identification must be provided and the network should also support Malicious Call Identification. (Section 41.18).
Information about bulk connections must be forwarded to the VTM Cell of DoT, DDG (Security) DoT, and any other officer authorized by the Licensor from time to time as well as Security Agencies on a monthly basis (Section 41.19).
Subscribers having CLIR should be listed in a password protected website with their complete address and details so that authorized Government agencies can view or download for detection and investigation of misuse. (Section 41.19(iv)).
The service provider must provide traceable identities of their subscribers. If the subscriber is roaming from another foreign company, the Indian Company must try to obtain traceable identities from the foreign company as part of its roaming agreement. (41.20 (ix)).
On request by the licensor or any other agency authorized by the licensor, the licensee must be able to provide the geographical location (BTS location) of any subscriber at any point of time. (41.20 (x))
Suitable technical devices should be made available at the Indian end to designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes. (41.20 (xiv)).
A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request to the licensor. (Section 41.20 (xv)).
For monitoring traffic, the service provider should provide access of their network and other facilities as well as to books of accounts to the security agencies. (Section 41.20 (xx)).

ISP License:

The ISP must ensure that Bulk Encryption is not deployed by ISPs. Individuals/groups /organizations can use encryption up to 40 bit key length without obtaining permission from the licensor. If encryption equipments higher than this limit are deployed, individuals/groups/organizations must obtain prior written permission from the licensor and deposit the decryption key. (Section 2.2(vii)).
The ISP must furnish to the licensor/TRAI on demand documents, accounts, estimates, returns, reports, or other information. (Section 9.1).
The ISP will provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network when such information is necessary for investigations or detection of crimes and in the interest of national security. (Section 33.4).
The ISP will provide the necessary facilities for continuous monitoring of the system, as required by the licensor or its authorized representatives. (Section 30.1).
The ISP shall provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive acts, sabotage or any other unlawful activity. (Section 34.1).
In the interests of security, suitable monitoring equipment as may be prescribed for each type of system used, which will be provided by the licensee. (Section 34.4).
The designated person of the Central/State Government or its nominee will have the right to monitor the telecommunication traffic. The ISP will make arrangements for monitoring simultaneous calls by Government security agencies. (Section 34.6).
The ISP must install infrastructure in the service area with respect to: Internet telephony services offered by the ISP for processing, routing, directing, managing, authenticating the internet telephony calls including the generation of Call Details Record (CDR), called IP address, called numbers, date , duration, time and charges of internet telephony calls. (Section 34.7).
ISPs must maintain a log of all users connected and the service that they are using (mail, telnet, http etc.). The ISPs must log every outward login or telnet through their computers. These logs as well as copies of all the packets originating from the Customer Premises Equipment of the ISP must be made available in real time to the Telecom Authority. (Section 34.8).
The ISP should provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 34.9).
The complete list of subscribers must be made available by the ISP on their website so that intelligence agencies can obtain the subscriber list at any time. (Section 34.12).
The list of Internet leased line customers and sub-costumers must be placed on a password protected website with the following information: Name of customer, IP address allotted, bandwidth provided, address of installation, date of installation, contact person with phone number and email. This information should be accessible to authorized Government agencies. (Section 34.13).
Monitoring of high UDP traffic value and to check for cases where upstream UDP traffic is similar to downstream UDP traffic and monitor such customer monthly with physical verification and personal identity. (Section 34.15).
The licensor will have access to the database relating to the subscribers of the ISP. The ISP must make available at any instant the details of the subscribers using the service. (Section 34.22).
The ISP must maintain all commercial records with regard to the communications exchanged on the network for at least one year and will be destroyed unless directed otherwise. (Section 34.23).
Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).
Each route/switch of the ISP should be connected by the LAN operating at the same speed as the router/switch; the monitoring equipment will be connected to this network. (Section 34.27 (a(v)).
The ISP must provide traceable identity of their subscribers. In the case of roaming subscribers the ISP must try to obtain the traceable identity of roaming subscribers from the foreign company. (Section 34.27 (ix)).
On request of the licensor or any other authorized agency, the ISP must be able to provide the geographical location of any subscriber (BTS location of wireless subscriber) at a given point of time. (Section 34.27 (x)).
Suitable technical devices should be made available to designated security agencies in which a mirror image of the remote access information is available on line for monitoring purposes. (Section 34.27 (xiv)).
A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request. (Section 34.27 (xv)).
ISPs must provide access of their network and other facilities, as well as books to security agencies. (Section 34.27 (xx)).

12. Principle - Safeguards for international cooperation: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.

Indian Legislation: India currently has signed 32 MLAT treaties with other countries, each with its own provisions and conditions relating to access to information. The provisions of the Information Technology Act 2000 apply to any contravention of the Act that is committed outside of India, thus the Rules related to interception, monitoring, decryption etc. would apply to any contravention of the Act outside of India. The provisions of the Indian Telegraph Act only apply to communications within India, but the licenses do specify when information held by service providers cannot be transferred across borders.

Below is a summary of the relevant provisions:

ITA 2000: The Act will extend to the whole of India, and applies to any offence or contravention committed outside India by any person. (Section 1(2))

UASL License: The service provider cannot transfer any accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature. (section (41.20 (viii))

ISP License: For security reasons, domestic traffic of such entities as identified by the licensor will not be hauled or route to any place outside of India. (Section 34.28 (iii)) ISPs shall also not transfer accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature) (Section 34.28 (viii))

13. Principle - Safeguards against illegitimate access: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organizations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.

Indian Legislation: Though relevant Indian legislation does provide penalty for unauthorized interception or access, the penalty applies only to service providers, and does not hold governmental agencies responsible. Currently there are no avenues of redress for the individual, and there are no protections or rewards for whistleblowers. Both of these safeguards are recommended by the principle.

The relevant provisions are summarized below:

TA Rules 2007: The Telegraph Act: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. (Section 14) Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security on the part of the service provider, service providers can be held liable with penalty of imprisonment from 1 to 3 years and or a fine of rs.500 – 1000 depending on the exact violation. (Section 20, 20A, 23, and 24 Indian Telegraph Act).

ITA Interception and Monitoring Rules: The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. (Section 21).

ITA Traffic Monitoring Rules: The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. (Section 6).

UASL License:

In order to maintain privacy of voice and data, monitoring must be done in accordance with the 2007 Rules established under the Indian Telegraph Act, 1885. (Section 41.20 (xix)).
Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).

ISP License:

In order to maintain the privacy of voice and data, monitoring can only be carried out after authorization by the Union Home Secretary or Home Secretaries of the State/Union Territories. (Section 34.28 (xix)).
The ISP indemnifies the licensor against all actions brought against the licensor for breach of privacy or unauthorized interruption of data transmitted by the subscribers. (Section 8.4).
Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).

14. Principle - Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.

Indian Legislation: In India, the ISP and the UASL licenses specifically state that the cost of providing facilities must be borne by the service provider. Though the ITA Interception and Monitoring Rules do require intermediaries to provide facilities, it is not clear from the Rules where the burden of the cost will fall. Currently, there are no requirements that the cost of access to user data should be borne by the public authority undertaking the investigation. This standard is recommended by the principle.

Below are summaries of relevant provisions:

UASL License:

Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).
Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
The hardware and software required for the monitoring of calls must be engineered, provided/installed, and maintained by the service provider at the service providers cost. However the respective Government instrumentality must bear the cost of the user end hardware and leased line circuits from the MSC/Exchange/MGC/MG to the monitoring centers to be located as per their choice in their premises. (Section 41.10).
The service provider must ensure that the necessary provision (hardware/software) is available in their equipment for doing the Lawful Interception and monitoring from a centralized location. (Section 41.20 (xvi)).
ISP License:
- Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).
- The hardware at the ISP end and the software required for monitoring of calls must be engineered, provided/installed, and maintained by the ISP. (Section 34.7).
- Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
- Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).

For more details visit https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications

January 2013 Bulletin

praskrishna — 2013-06-11T11:56:35Z

We at the Centre for Internet & Society (CIS) wish you all a great year ahead and welcome you to the first issue of our newsletter for the year 2013. This issue brings you an overview of our research programs, events organised and participated, news and media coverage, and videos of recent events.

Jobs

CIS is seeking applications for the posts of Programme Officer (Access to Knowledge — Indic Language Initiatives), Developer (NVDA Project), Programme Officer (Access to Knowledge and Openness), and Programme Officer (Internet Governance). To apply send your resume to sunil@cis-india.org and pranesh@cis-india.org. For our Privacy project, we are seeking applications for the post of Researcher, Technology/Security Expert, Graphic Designer as well as for internships. To apply for these posts, please send in your resume to Elonnai Hickok (elonnai@cis-india.org).

Accessibility

CIS is carrying out two projects in partnership with the Hans Foundation. The first one is to create a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India and the second one is for developing a screen reader and text to speech synthesizer for Indian languages. We are also working with the World Blind Union to develop the Treaty for Improved Access for Blind, Visually Impaired and other Reading Disabled Persons, and assisting in the negotiations at WIPO:

National Resource Kit for Persons with Disabilities

Anandhi Viswanathan from CIS and Manojna Yeluri from the Centre for Law and Policy Research are working in this project. Shruti Ramakrishnan has left the project. Draft chapters have been published. Feedback and comments are invited from readers for the chapter on Haryana:

The Haryana Chapter (by Anandi Viswanathan, January 31, 2012): The state implements the provisions under the central laws, particularly the Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act 1995 and the National Trust for Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act 1999.

Submission / Notification

Making Public Libraries Accessible to People with Disabilities (by Rahul Cherian, January 23, 2013): CIS was one of the 20 disability rights groups that wrote to the Ministry of Culture.
Government of Madhya Pradesh initiates ICT Accessibility in Public Communication (by Nirmita Narasimhan, January 31, 2013): CIS with Daisy Forum of India member Arushi in Bhopal submitted a request for a notification mandating that all communication by the Government of Madhya Pradesh should be accessible to persons with disabilities.

Report

Accessible Broadcasting in India (by Srividya Vaidyanathan, January 11, 2013): The abridged version of ITU’s report "Making Television Accessible" which was initially put up for comments last year has been updated once again.

Blog Entry

Linking Commercial Availability and Exceptions in the Treaty for Visually Impaired/Persons with Disabilities (by Rahul Cherian, January 23, 2013).

Access to Knowledge

In partnership with the International Development Research Centre we are doing a project on Pervasive Technologies examining the relationship between production of pervasive technologies and intellectual property. The Wikimedia Foundation’s India Program to support and develop free knowledge in India is now being executed by us. We are also supporting the Iraq government in developing an eGovernment Interoperability Framework:

Wikipedia

Beginning from September 1, 2012, Wikimedia Foundation has awarded CIS a two-year grant of INR 26,000,000 to support and develop free knowledge in India. The A2K team consists of four members based in Delhi: T. Vishnu Vardhan, Nitika Tandon, Subhashish Panigrahi and Noopur Raval.

New Project Director

T. Vishnu Vardhan is the new Programme Director-Access to Knowledge at CIS. Vishnu has over the last 11 years worked in various capacities as researcher, grant manager, teacher, project consultant, information architect and translator. Vishnu managed the Art, Crafts and Culture portfolio of Sir Ratan Tata Trust and also worked as Research Coordinator at the Centre for the Study of Culture and Society.

New Distinguished Fellow at CIS

Tejaswini Niranjana, a Senior Fellow at the Centre for the Study of Culture and Society (CSCS), Bangalore, and Visiting Professor at the Tata Institute of Social Sciences (TISS), Mumbai is joining our team as an Adviser to the 'Access to Knowledge' project. She will guide the A2K team in expanding the Indian language Wikipedias and in increasing the number of active editors through strategic partnerships with Higher Education institutions across India.

Reports

Access to Knowledge Report — September to December 2012 (by Noopur Raval, January 31, 2013): The report covers an overview of the activities done by the Access to Knowledge team under the grant provided by the Wikimedia Foundation from September 2012 to December 2012.
Indic Language Wikipedias — Statistical Report — 2012 (by Shiju Alex, January 21, 2013): A statistical update of the Indic language Wikipedias for the year 2012 providing perspectives on the health of various Indic language communities as well as the state of various Indic language wikipedias.

Wiki Event Reports
CIS organised a series of Wiki workshops in Goa in the month of December 2012, we bring you the reports from those events.

Note: The workshops were held in the month of December 2012 but the reports were published only in the month of January.

Two-day Wiki Workshop in Goa University: An Introduction (by Nitika Tandon, January 15, 2013).
Wikipedia in St. Xavier's College, Mapusa, Goa (by Nitika Tandon, January 19, 2013).
Bringing Konkani Encyclopedia in Public Domain (by Nitika Tandon, January 22, 2013).
Promoting GLAM in Goa (by Nitika Tandon, January 24, 2013).
Konkani in Wikipedia Incubator — Taking it to the Next Level (by Nitika Tandon, January 25, 2013).

CIS also organised a Wiki workshop in Ghaziabad:

A Wiki Workshop at Raj Kumar Goel Institute of Technology, Ghaziabad (RKGIT, Ghaziabad, January 17, 2013).

Wiki Event Participated

Celebrating the success of Wikipedia in Wikipedia Summit Pune 2013 (organized by Wikipedia Club, Pune, January 12 – 13, 2013). Subhashish Panigrahi participated in the event.

Wikipedia News Coverage

First Odia Wikipedia Education Program concludes at IIMC, Dhenkanal (Odisha Diary Bureau, Dhenkanal, January 27, 2013).
Odia Wikipedia's 9th Anniversary and Workshop on Application of Odia in Media (Sambad, January 30, 2013).

Wiki Events Organised

Odia Education Program (Indian Institute of Mass Communication, Dhenkanal, Orissa, January 26, 2013).
Odia Wikipedia 9th Anniversary Celebration (Academy of Media Learning, Samantha Vihar, Bhubaneswar, Orissa, January 29, 2013).

Pervasive Technologies

The Pervasive Technologies project carries out research on the intellectual property implicated in the hardware, software and content available in low-cost mobile devices.The long-term outcome of this project is to create a legitimate, legal space for these technologies to exist on the Indian market.

Events Participated

Pervasive Technologies: Access to Knowledge in the Market Place — A Presentation by Sunil Abraham (FGV Law School, Rio de Janeiro, December 15, 2012).
Fifth International IPR Conference (GIPC 2013) (organised by ITAG Business Solutions, Hotel Lalit Ashok, Bangalore, January 30, 2013): Snehashish Ghosh made a presentation on the Pervasive Technologies Project.

Other Openness Updates

Blog Posts / Columns

The Violence of Knowledge Cartels (by Nishant Shah, Hybrid Publishing Lab, January 17, 2013).
Remembering Aaron Swartz, Taking Up the Fight (by Nishant Shah, DML Central, January 24, 2013).

Interview

Aaron Swartz: The First Martyr of the Free Information Movement: Prabir Purkayastha interviewed Lawrence Liang on Newsclick, January 19, 2013. The video is published.

Media Coverage

Bangalore hackers write code as tribute to Aaron Swartz (by Deepa Kurup, Hindu, January 21, 2013. Sunil Abraham is quoted.

HasGeek
HasGeek creates discussion spaces for geeks and has organised conferences like the Fifth Elephant, Droidcon India 2011, Android Camp, etc. HasGeek is supported by CIS and works out from CIS office in Bengaluru.
Event Organized Aaron Swartz Memorial Hacknight (CIS, Bangalore, January 19 – 20, 2013): Aaron’s collaborators such as Anand Chitipothu and A S L Devi participated in the event.

Internet Governance

With Privacy International, London we signed an agreement to facilitate the implementation of activities related to surveillance and freedom of speech and expression. In this month we have blog posts on data retention, international principles of surveillance and human rights and comparitive analysis of Indian legislation vis-à-vis draft of the International Principles on Surveillance of Communications by Ellonai Hickok, and columns by Sunil Abraham and Nishant Shah:

Privacy Research

Data Retention in India (by Elonnai Hickok, January 30, 2013): The post provides an insight into the data retention mandates from the Government of India and data retention practices by service providers.
Draft International Principles on Communications Surveillance and Human Rights (by Elonnai Hickok, January 16, 2013): These principles were developed by Privacy International and the Electronic Frontier Foundation and seek to define an international standard for the surveillance of communications.
A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications (by Elonnai Hickok, January 31, 2013): The principles, first drafted in October 2012 and developed subsequently seek to establish an international standard for surveillance of communications in the context of human rights. CIS is contributing feedback to the drafting of the principles.

Columns/Op-eds

Web of Sameness (by Nishant Shah, Indian Express, January 18, 2013).
TV versus Social Media: The Rights and Wrongs (by Sunil Abraham, The Tribune, January 20, 2013).

Statement

Statement of Solidarity on Freedom of Expression and Safety of Internet Users in Bangladesh (by Pranesh Prakash, January 15, 2013): This is a statement on the violent attack on blogger Asif Mohiuddin by the participants to the Third South Asian Meeting on the Internet and Freedom of Expression.

Blog Entries

No Civil Society Members in the Cyber Regulations Advisory Committee (by Pranesh Prakash, January 10, 2013).
Five Frequently Asked Questions about the Amended ITRs (by Chinmayi Arun, January 28, 2013): The author discusses the five major questions that have been the subject of debate after the World Conference on International Telecommunications 2012 (WCIT).

Upcoming Event

DML Conference 2013 (co-organised by CIS and Digital Media & Learning Research Hub Central, Sheraton Chicago Hotel & Towers - Chicago, Illinois, March 14 – 16, 2013).

Event Organized

An Introduction to Bitfilm and Bitcoin – A Discussion by Aaron Koenig (CIS, Bangalore, January 23, 2013): Aaron Koenig, Managing Director, Bitfilm Networks of Hamburg, Germany gave a talk.

Events Participated

Panel Discussion on E-Commerce at NLSIU (organised by National Law School of India University, Bangalore, January 7, 2013). Pranesh Prakash was a panelist.
Mobile Broadband: Leveraging for Business Transformation (Chancery Pavilion, Bangalore, January 9, 2013): Sunil Abraham was a panelist in this event.
Third South Asian Meeting on the Internet and Freedom of Expression (organized by Internet Democracy Project, Voices for Interactive Choice & Empowerment and Global Partners & Associates, Dhaka, January 14 – 15, 2013): Pranesh Prakash moderated the session on "Understanding cyber security and surveillance in South Asia”.
Is Freedom of Expression under Threat in the Digital Age? (organized by Editors Guild of India, Index on Censorship and Sage, India International Centre, New Delhi, January 15, 2013): Sunil Abraham was a panelist at this event.
7th India Digital Summit 2013 (organised by Internet and Mobile Association of India, Lalit Hotel, New Delhi, January 16 – 17, 2013): Sunil Abraham was the moderator for Plenary Session 3: Discussion on Social Media – Freedom, Moderation or Regulation.

Upcoming Event

9th International Asian Conference (organised by ITechLaw, February 14 – 15, 2013): Sunil Abraham will be participating as a panelist in the session on “Censorship of Online Content”.

Media Coverage

2012 in Review: Biometric ID Systems Grew Internationally...and So Did Concerns about Privacy (by Rebecca Bowe, Right Side News, January 1, 2013)
Cool Jobs | Parmesh Shahani, Head, Godrej India Culture Lab (LiveMint, January 4, 2013).
Clash of the cyberworlds (by Latha Jishnu, Dinsa Sachan and Moyna, Down to Earth, January 15, 2013 issue). Pranesh Prakash is quoted.
Is freedom of expression under threat in digital age? (originally published by Indo Asian News Service, January 16, 2013 and also covered in the Business Standard, Vancouver Desi, DNA, and Tech2). Sunil Abraham is quoted.
Is freedom of expression under threat in the digital age? (by Mahima Kaul, Index on Censorship, January 18, 2013).
Internet Freedom in India – Open to Debate (by Kirsty Hughes, Index on Censorship, January 22, 2013). CIS research on censorship is quoted.
Cyber security, surveillance and the right to privacy: country perspectives (by Richa Kaul Padte, Internet Democracy Project).
Surveillance Camp: Privatized State Surveillance (by Katitza Rodriguez, Electronic Frontier Foundation, January 28, 2013). Elonnai Hickok is quoted.
An innovative concept comes to the fore (Deccan Herald, January 29, 2013).

Internet Access – Knowledge Repository
In partnership with Ford Foundation, CIS was tasked to produce and disseminate modules on various aspects of telecommunications including policy, regulations, infrastructure and market. However, as on November 9, 2012 there was a change in the mandate of the project. Currently, we are working on building a knowledge repository on “Internet Access”. This new repository will cover the history of the internet, technologies involved, principle and values of internet access, broadband market and universal access. It will also touch upon various polices and regulations which has an impact on internet access and bodies and mechanism which are responsible for such policy formulation. For this purpose we will be hosting a new website: www.internet-institute.in.
We are also organizing an “Institute on Internet and Society” in collaboration with the Ford Foundation India, which is to be held from June 8, 2013 to June 14, 2013. Call for registrations and relevant details will be soon announced on our website.

Telecom

While the potential for growth and returns exist for telecommunications in India, a range of issues need to be addressed. One aspect is more extensive rural coverage and the other is a countrywide access to broadband which is low. Both require effective and efficient use of networks and resources, including spectrum.:

Column by Shyam Ponappa

What's Needed Is User-Centric Design, Not Good Intentions (by Shyam Ponappa, Business Standard, January 3, 2013 and Organizing India Blogpost, January 6, 2013).

Event(s) Participated

21^st Convergence Conference Conference India 2013 (organized by Exhibitions India Group, January 16 – 17, 2013, Pragati Maidan, New Delhi). Snehashish Ghosh participated in the event.

Digital Humanities

From 2012 to 2015, the Researchers At Work series is focusing on building research clusters in the field of Digital Humanities. We organised the first Habits of Living workshops in Bangalore last year. The next workshop is being held in Brown University:

Habits of Living Workshop

Habits of Living: Networked Affects, Glocal Effects (organised by CIS and Brown University, March 21 – 23, 2013, Brown University, Rhode Island). Nishant Shah will be speaking at this event.

About CIS
CIS was registered as a society in Bangalore in 2008. As an independent, non-profit research organisation, it runs different policy research programmes such as Accessibility, Access to Knowledge, Openness, Internet Governance, and Telecom. The policy research programmes have resulted in outputs such as the e-Accessibility Policy Handbook for Persons with Disabilities with ITU and G3ict, and Digital Alternatives with a Cause?, Thinkathon Position Papers and the Digital Natives with a Cause? Report with Hivos, etc. We have conducted policy research for the Ministry of Communications & Information Technology, Ministry of Human Resource Development, Ministry of Personnel, Public Grievances and Pensions, Ministry of Social Justice and Empowerment, etc., on WIPO Treaties, Copyright Bill, NIA Bill, etc.
CIS is accredited as an observer at WIPO. CIS staff participates in the Standing Committee for Copyright and Related Rights (SCCR) meetings regularly held in Geneva, and participate in the discussions and comments on them from a public interest perspective. Our Policy Director, Nirmita Narasimhan won the National Award for Empowerment of Persons with Disabilities from the Government of India and also received the NIVH Excellence Award.

Follow us elsewhere

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration

We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation and the Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/january-2013-bulletin

RTI on Complaints under Section 79 of IT Act

praskrishna — 2013-06-12T09:50:40Z

The Department of Electronics and Information Technology, Ministry of Communications and Information Technology, gave its reply to an RTI application filed by Saket Bisani. We are reproducing the text below:

No. 14(146)/2012-ESD
M/o Communications & Information Technololgy
Department of Electronics & Information Technology
Electronics Niketan,6, CGO Complex
New Delhi-110003

																					Dated: 15.1.13

Subject: RTI application received from Shri Saket Biswani

With reference to your RTI application requesting for the following information.

In an article titled "We believe in the freedom of speech and expression" published in Mint of February 1, 2012, Dr. Gulshan Rai has been quoted saying:

"if the police say something has to be disabled, we tell then (Google and others) that a complaint has come under section 79 of the IT Act. We feel them: "we're bringing it to your notice. Please look at it and do whatever best you can do under the law."

With respect the above quote I request you to provide me the following information under Right to Information Act, 2005:

Please provide me a copy of every complaint that has been received by the Department of Information Technology (now the Department of Electronics and Information Technology) under Section 79 of the Information Technology Act, 2000.
Please provide me a copy of every notice and complaint that your office has sent pursuant to complaints received under section79 of the Information Technology Act, 2000.

The information as received from the custodian of the information is placed below:

Department of Electronics and Information Technology has not received any complaint quoting specifically under Section 79 of the Information Technology Act,2000.
Not applicable.

																		(A.K. Kaushik) Additional Director & CPIO (E-Security & Cyber Laws)

Shri Saket Bisani
No. 194, 2nd ׳C Cross
Domlur 2nd Stage *
Bangalore-560 071

Read a scanned version of the reply that we got from the Department of Electronics and Information Technology.

For more details visit https://cis-india.org/internet-governance/resources/rti-on-complaints-under-it-act-section-79

An innovative concept comes to the fore

praskrishna — 2013-01-30T06:04:14Z

There’s very little awareness about Bitcoin — a new digital currency and payment system, designed for the voting process of ‘Bitfilm 13’ — in the City. Aaron Koenig, the managing director at Bitfilm Networks Hamburg, addressed this issue recently, during a talk held at The Centre for Internet and Society. The talk was based on the creation of Bitcoin and its various uses.

The article was published in the Deccan Herald on January 29, 2013.

"The potential of Bitcoin is huge. It’s easy to use and currently, there are about 21 million (units of) Bitcoin in the world and everyone accepts it. It works differently, but it is the same as gold and has an intrinsic value," explains Aaron.

Aaron also showed cryptographic diagrams of how a Bitcoin transaction works. "It is a clever way of encryption and it is easy to open an account. You just need to download some software and then, you get a virtual wallet and a user ID and password. The identity of the person is kept anonymous and hence, there have been instances of people misusing Bitcoin," he says.

An animated short film about Bitcoin, which Aaron produced along with an animation team based in Bangalore, was also screened during the talk. "I have paid all the animators in Bitcoin. Initially, they were hesitant and did not want to accept it. But when they got to know about how its value almost doubles itself in the span of a year, they readily accepted it," he explains.

"There is a German restaurant where Bitcoin is accepted. Slowly, more such places are coming up, as people are realising its worth. It is easy to transfer," he adds. There was an interactive session with the audience after the talk, which was equally interesting. Many wanted to know if Bitcoin can be liquidated.

"I am very curious to know if Bitcoin can be liquidated. Also, what is the exact process that one should follow when they want to liquidate Bitcoin?" questions Geane, who was attending the session. These queries, as well as many others, were addressed.

Vinod, who also attended the session, says that it was a new concept and interesting for those who wanted to know more. "The concept of a new form of money sounds great and Aaron really helped us get to know more about it. For people like us, who had no clue about Bitcoin, it was an enlightening session," he informs.

For more details visit https://cis-india.org/news/deccan-herald-january-29-2013-an-innovative-concept-comes-to-the-fore

Data Retention in India

elonnai — 2013-07-12T15:51:13Z

As part of its privacy research, the Centre for Internet and Society has been researching upon data retention mandates from the Government of India and data retention practices by service providers. Globally, data retention has become a contested practice with regards to privacy, as many governments require service providers to retain more data for extensive time periods, for security purposes. Many argue that the scope of the retention is becoming disproportional to the purpose of investigating crimes.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The Debate around Data Retention

According to the EU, data retention “refers to the storage of traffic and location data resulting from electronic communications (not data on the content of the communications)”.[1]

The debate around data retention has many sides, and walks a fine line of balancing necessity with proportionality. For example, some argue that the actual retention of data is not harmful, and at least some data retention is necessary to assist law enforcement in investigations. Following this argument, the abuse of information is not found in the retention of data, but instead is found by who accesses the data and how it is used. Others argue that any blanket or a priori data retention requirements are increasingly becoming disproportional and can lead to harm and misuse. When discussing data retention it is also important to take into consideration what type of data is being collected and by what standard is access being granted. Increasingly, governments are mandating that service providers retain communication metadata for law enforcement purposes. The type of authorization required to access retained communication metadata varies from context to context. However, it is often lower than what is required for law enforcement to access the contents of communications. The retention and lower access standards to metadata is controversial because metadata can encompass a wide variety of information, including IP address, transaction records, and location information — all of which can reveal a great deal about an individual.[2] Furthermore, the definition of metadata changes and evolves depending on the context and the type of information being generated by new technologies.

Data Retention vs. Data Preservation

Countries have taken different stances on what national standards for data retention by service providers should be. For example, in 2006 the EU passed the Data Retention Directive which requires European Internet Service Providers to retain telecom and Internet traffic data from customers' communications for at least six months and upto two years. The stored data can be accessed by authorized officials for law enforcement purposes.[3] Despite the fact that the Directive pertains to the whole of Europe, in 2010 the German Federal Constitutional Court annulled the law that harmonized German law with the Data Retention Directive.[4] Other European countries that have refused to adopt the Directive include the Czech Republic and Romania.[5] Instead of mandating the retention of data, Germany, along with the US, mandates the 'preservation' of data. The difference being that the preservation of data takes place through a specified request by law enforcement, with an identified data set. In some cases, like the US, after submitting a request for preservation, law enforcement must obtain a court order or subpoena for further access to the preserved information.[6]

Data Retention in India

In India, the government has established a regime of data retention. Retention requirements for service providers are found in the ISP and UASL licenses, which are grounded in the Indian Telegraph Act, 1885.

ISP License

According to the ISP License,[7] there are eight categories of records that service providers are required to retain for security purposes that pertain to customer information or transactions. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the records must be made available and provided. This language implies that records will be kept.

According to the ISP License, each ISP must maintain:

Users and Services: A log of all users connected and the service they are using, which must be available in real time to the Telecom Authority. (Section 34.12).

Outward Logins or Telnet: A log of every outward login or telnet through an ISPs computer must be available in real time to the Telecom Authority. (Section 34.12).

Packets: Copies of all packets originating from the Customer Premises Equipment of the ISP must be available in real time to the Telecom Authority. (Section 34.12).

Subscribers: A complete list of subscribers must be made available on the ISP website with password controlled access, available to authorized Intelligence Agencies at any time. (Section 34.12).
Internet Leased Line Customers: A complete list of Internet leased line customers and their sub-customers consisting of the following information: name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email. These must be made available on a password protected website (Section 34.14). The password and login ID must be provided to the DDG (Security), DoT HQ and concerned DDG(VTM) of DoT on a monthly basis. The information should also be accessible to authorized government agencies (Section 34.14).

Diagram Records and Reasons: A record of complete network diagram of set-up at each of the internet leased line customer premises along with details of connectivity must be made available at the site of the service provider. All details of other communication links (PSTN, NLD, ILD, WLL, GSM, other ISP) plus reasons for taking the links by the customer must be recorded before the activation of the link. These records must be readily available for inspection at the respective premises of all internet leased line customers (Section 34.18).
Commercial Records: All commercial records with regard to the communications exchanged on the network must be maintained for a year (Section 34.23).
Location: The service provider should be able to provide the geographical location of any subscriber at a given point of time (Section 34.28(x).

Remote Activities: A complete audit trail of the remote access activities pertaining to the network operated in India. These must be retained for a period of six months, and must be provided on request to the licensor or any other agency authorized by the licensor (Section 34.28 (xv).

UASL License

According to the UASL License[8], there are twelve categories of records that ISP’s are required to retain that pertain to costumer information or transactions for security purposes. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the information must be provided and made available when requested. This language implies that records will be kept.

According to the license, service providers must maintain and make available:

Numbers: Called/calling party mobile/PSTN numbers when required. Telephone numbers of any call-forwarding feature when required (Section 41.10).
Interception records: Time, date and duration of interception when required (Section 41.10).
Location: Location of target subscribers. For the present, cell ID should be provided for location of the target subscriber when required (Section 41.10).
All call records: All call data records handled by the system when required (Section 41.10). This includes:
1. Failed call records: Call data records of failed call attempts when required. (Section 41.10).
2. Roaming subscriber records: Call data records of roaming subscribers when required. (Section 41.10)
Commercial records: All commercial records with regards to the communications exchanged on the network must be retained for one year (Section 41.17).
Outgoing call records: A record of checks made on outgoing calls completed by customers who are making large outgoing calls day and night to various customers (Section 41.19(ii)).
Calling line Identification: A list of subscribers including address and details using calling line identification should be kept in a password protected website accessible to authorized government agencies (Section 41.19 (iv)).
Location: The service provider must be able to provide the geographical location of any subscriber at any point of time (Section 41.20(x)).
Remote access activities: Complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months (Section 41.20 (xv)).

RTI Request to BSNL and MTNL

On September 10, 2012, the Centre for Internet and Society sent an RTI to MTNL and BSNL with the following questions related to the respective data retention practices:

Does MTNL/BSNL store the following information/data:

Text message detail (To and from cell numbers, timestamps)
Text message content (The text and/or data content of the SMS or MMS)
Call detail records (Inbound and outbound phone numbers, call duration)
Bill copies for postpaid and recharge/top-up billing details for prepaid
Location data (Based on cell tower, GPS, Wi-Fi hotspots or any combination thereof)

If it does store data then

For what period does MTNL/BSNL store: SMS and MMS messages, cellular and mobile data, customer data?
What procedures for retention does MTNL/BSNL have for: SMS and MMS messages, cellular and mobile data, and customer data?
What procedures for deletion of: SMS and MMS messages, cellular and mobile data, and customer data?
What security procedures are in place for SMS and MMS messages, cellular and mobile data, and customer data?

BSNL Response

BSNL replied by stating that it stores at least three types of information including:

IP session information - connection start end time, bytes in and out (three years offline)
MAC address of the modem/router/device (three years offline)
Bill copies for post paid and recharge/top up billing details for prepaid. Billing information of post paid Broadband are available in CDR system under ITPC, prepaid voucher details (last six months).

MTNL Response

MTNL replied by stating that it stores at least () types of information including:

Text message details (to and from cell number, timestamps) in the form of CDRs (one year)
Call detail records including inbound and outbound phone numbers and call duration (one year)
Bill copies from postpaid (one year)
Recharge details for prepaid (three months)
Location of the mobile number if it has used the MTNL GSM/3GCDMA network (one year)

It is interesting that BSNL stores information that is beyond the required time period required in both the ISP and the UASL licenses. The responses to the RTI showed that each service provider also stores different types of information. This could or could not be the actual case, as each question could have been interpreted differently by the responding officer.

Conclusion

The responses to the RTI from BSNL and MTNL are a step towards understanding data retention practices in India, but there are still many aspects about data retention in India which are unclear including:

What constitutes a ‘commercial record’ which must be stored for one year by service providers?
How much data is retained by service providers on an annual basis?
What is the cost involved in retaining data? For the service provider? For the public?
How frequently is retained information accessed by law enforcement? What percentage of the data is accessed by law enforcement?
How many criminal and civil cases rely on retained data?
What is the authorization process for access to retained records? Are these standards for access the same for all types of retained data?

Having answers to these questions would be useful for determining if the Indian data retention regime is proportional and effective. It would also be useful in determining if it would be meaningful to maintain a regime of data retention or switch over to a more targeted regime of data preservation.

Though it can be simple to say that a regime of data preservation is the most optimal choice as it gives the individual the greatest amount of immediate privacy protection,

A regime of data preservation would mean that all records would be treated like an interception, where the police or security agencies would need to prove that a crime was going to take place or is in the process of taking place and then request the ISP to begin retaining specific records. This approach to solving crime would mean that the police would never use retained data or historical data as part of an investigation – to either solve a case or to take the case to the next level. If Indian law enforcement is at a point where they are able to concisely identify a threat and then begin an investigation is a hard call to make. It is also important to note that though preservation of data can reduce the risk to individual privacy as it is not possible for law enforcement to track individuals based off of their historical data and access large amounts of data about an individual, preservation does not mean that there is no possibility for abuse. Other factors such as:

Any request for preservation and access to records must be legitimate and proportional
Accessed and preserved records must be used only for the purpose indicated

Accessed and preserved records can only be shared with authorized authorities

Any access to preserved records that do not pertain to an investigation must be deleted

These factors must be enforced through the application of penalties for abuse of the system. These factors can also be applied to not only a data preservation regime, but also a data retention regime and are focused on preventing the actual abuse of data after retained. That said, before an argument for either data retention or data preservation can be made for India it is important to understand more about data retention practices in India and use of retained data by Indian law enforcement and access controls in place.

[1]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31st 2012. Available at: http://bit.ly/14qXW6o. Last accessed: January 21st 2013
[2].Draft International Principles on Communications Surveillance and Human Rights: http://bit.ly/UpGA3D
[3]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31^st 2012. Available at: http://bit.ly/14qXW6o . Last accessed: January 21^st 2013.
[4]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31^st 2012. Available at: http://bit.ly/14qXW6o. Last accessed: January 21^st 2013.
[5]. Tiffen, S. Sweden passes controversial data retention directive. DW. March 22 2012. Available at: http://bit.ly/WOfzaX. Last Accessed: January 21^st 2013.
[6]. Kristina, R. The European Union's Data Retention Directive and the United State's Data Preservation Laws: Fining the Better Model. 5 Shilder J.L. Com. & Tech. 13 (2009) available at: http://bit.ly/VoQxQ9. Last accessed: January 21^st 2013
[7]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Internet Services.
[8]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Unified Access Services after Migration from CMTS. Amended December 3^rd 2009.

For more details visit https://cis-india.org/internet-governance/blog/data-retention-in-india

Access To Knowledge (A2K)

Why was the Gwalior court in such a hurry to block IIPM URLs?

The Omnishambles of UID, shrouded in its RTI opacity

Freedom of Expression Gagged

Instruments Deployed

Freedom and Public Order

The Heckler's Veto

Analyzing the Latest List of Blocked URLs by Department of Telecommunications (IIPM Edition)

What has been blocked?

Are there any mistakes in the order?

Reasons for Blocking Websites

Are the blocks legitimate?

Blocking a Public Notice issued by a Statutory Body of Government of India

Implementation of the order by the ISPs

Hate speech: ban or ignore?

Anonymous joins protests against Internet shutdown in Kashmir

Indian net service providers too play censorship tricks

Transparency is the key

2012: Privacy Highlights in India

Online Abuse of Teen Girls in Kashmir Leads to Arrests

Censorship and sensibility in India

A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications

January 2013 Bulletin

National Resource Kit for Persons with Disabilities

Pervasive Technologies

Other Openness Updates

HasGeek

Internet Access – Knowledge Repository

Follow us elsewhere

Support Us

Request for Collaboration

RTI on Complaints under Section 79 of IT Act

An innovative concept comes to the fore

Data Retention in India

The Debate around Data Retention

Data Retention vs. Data Preservation

Data Retention in India

ISP License

UASL License

RTI Request to BSNL and MTNL

BSNL Response

MTNL Response

Conclusion