Access To Knowledge (A2K)

Critics of India's ID card project say they have been harassed, put under surveillance

Admin — 2018-02-24T07:50:55Z

Researchers and journalists who have identified loopholes in India’s massive national identity card project have said they have been slapped with criminal cases or harassed by government agencies because of their work.

This was published by Reuters on February 13, 2018. Reporting by Rahul Bhatia; Editing by Raju Gopalakrishnan

Last month, the Unique Identification Authority of India (UIDAI), the semi-government body responsible for the national identity project, called Aadhaar, or “Basis”, filed a criminal case against the Tribune newspaper for publishing a story that said access to the card’s database could be bought for 500 rupees ($7.82).

Reuters spoke to eight additional researchers, activists and journalists who have complained of being harassed after writing about Aadhaar. They said UIDAI and other government agencies were extremely sensitive to criticism of the Aadhaar programme.

Aadhaar is a biometric identification card that is becoming integral to the digitisation of India’s economy, with over 1.1 billion users and the world’s biggest database.

Indians have been asked to furnish their Aadhaar numbers for a host of transactions including accessing bank accounts, paying taxes, receiving subsidies, acquiring a mobile number, settling a property deal and registering a marriage.

The Tribune said one of its reporters purchased access to a portal that could provide data linked to any Aadhaar cardholder.

The UIDAI complaint, filed with the police cyber cell in the capital, New Delhi, accused the newspaper, the reporter, and others of cheating by impersonation, forgery and unauthorised access to a computer network.

Media associations sharply criticised the action - the Editors Guild of India said UIDAI’s move was “clearly meant to browbeat a journalist whose story was of great public interest. It is unfair, unjustified and a direct attack on the freedom of the press.”

In response, the agency said “an impression was being created in media that UIDAI is targeting the media or whistleblowers or shooting the messenger.”

“That is not at all true. It is for the act of unauthorised access, criminal proceedings have been launched,” it said in a statement.

Osama Manzar, the director of the Digital Empowerment Foundation, a New Delhi-based NGO, called the government’s prickliness “a clear sign that rather than it wanting to learn how to make Aadhaar a tool of empowerment, it actually wants to use it as a coercive tool of disempowerment”.

Data Leakage

Last May, the Centre for Internet and Society (CIS), an independent Indian advocacy group, published a report that government websites had inadvertently leaked several million identification numbers from the project.

UIDAI sent the CIS a legal notice within days, said Srinivas Kodali, one of the authors of the report.

The notice alleged that some of the data cited in the report would only be available if the site had been accessed illegally. The UIDAI wrote that the people involved had to be “brought to justice.”

According to Kodali, two more notices followed, addressed to the group’s directors and two researchers, containing more accusations. “They said it was a criminal conspiracy, and demanded that we send individual responses,” he said.

CIS then received questions about its funding from the home ministry section that grants NGOs permission to receive foreign funding, said a source in the group who saw the letter. CIS viewed this as a threat to its funding, the source said. CIS declined to comment on the notices or on the questions about funding.

UIDAI did not reply to multiple e-mails seeking comment on the accusations about CIS and similar complaints by other activists and journalists, and officials could not be reached by phone. Officials at the Ministry of Information Technology that supervises UIDAI were unreachable by phone.
In a column in the Economic Times newspaper in January, Ajay Pandey, the head of the UIDAI, wrote: “The data of all Aadhaar holders is safe and secure. One should not believe rumours or claims made on its so-called ‘breach’.”

R.S. Sharma, the head of India’s telecom regulatory body, said there was an “orchestrated campaign” against Aadhaar as it was against the interests of those who operated in the shadow economy with fictitious names, or were skimming off subsidies.

“It is going to clean up many systems,” Sharma told a television channel last month. “That’s probably one of the reasons why people realise that this is now becoming too difficult or too dangerous for them.”

That trip to Turkey

A Bangalore researcher who contributed to the CIS report said scrutiny by police and government officials was a common occurrence, but harassment was stepped up after it was published.

“Sometimes people from the police station visit you. Other times from the Home Ministry. It was intimidating,” the researcher said.

The person, who asked not to be named for fear of reprisal, said police officers asked questions like “How was that trip to Turkey?',” to make it clear the subjects were under surveillance.

When Sameer Kochhar, a social scientist and author of books on Aadhaar, demonstrated how the system’s biometrics safeguards could be bypassed last year, UIDAI filed a police report in New Delhi, a person familiar with the matter said.

Subsequently, Kochhar received at least three notices from the Delhi Police alleging that he had violated 14 sections under three separate laws, the person said.

Kochhar’s lawyer declined comment. Delhi Police officials declined comment.

Critics have warned Aadhaar could be used as an instrument of state surveillance while data security and privacy regulations are still to be framed.

Former central bank governor Raghuram Rajan said last month that the government needed to prove it would protect the privacy of Aadhaar.

“I do think that we have to assure the public that their data is safe,” Rajan said. “All these reports about easy availability of data are worrying and we have to ensure security. We cannot just say trust us, trust us, it’s all secure.”

For more details visit https://cis-india.org/internet-governance/news/reuters-february-13-2018-rahul-bhatia-critics-of-indias-id-card-project-say-they-have-been-harassed-put-under-surveillance

Criticism mounts over India censorship

praskrishna — 2012-08-27T06:38:51Z

India’s government is facing fierce criticism from privacy groups, political opponents and irate internet users accusing it of an excessive and poorly targeted censorship drive as it seeks to contain social alarm triggered by communal unrest.

This article written by James Crabtree in Mumbai and Tim Bradshaw in San Francisco was published in Financial Times on August 24, 2012. Pranesh Prakash is quoted.

Following panicked scenes among groups from the nation’s troubled north-east and fearing an escalation of urban violence between Muslim and Hindu groups, the administration this week instructed internet companies, including Facebook and Google, to block more than 300 web pages and more than a dozen Twitter accounts it claimed were inflaming communal tensions.

But by Friday the order was being assailed as an example of administrative incompetence, as internet analysts revealed that many of the pages contained seemingly harmless material from foreign media organisations, political columnists and critics of India’s government.

Pranesh Prakash, a legal expert at the Bangalore-based Centre for Internet and Society, said: “I am not questioning their original motives, but I do think this is excessive and incompetent censorship.”

Political opponents also accused the government of over-reach, including Narendra Modi, the controversial chief minister of the state Gujarat and a member of the Hindu nationalist BJP party, who on Friday used a Twitter post to call the moves a “crackdown on freedom of speech”.

The government denies it is being heavy handed. “We are only taking strict action against those accounts or people which are causing damage or spreading rumours,” said Kuldeep Dhatwalia, an Indian home ministry spokesman. “We are not taking action against other accounts, be it on Facebook, Twitter or even SMSes.”

Twitter found itself at the centre of the growing controversy, as government spokespeople accused the US-based social networking site of failing to respond to requests to block users, some of which involved accounts appearing to impersonate Manmohan Singh, the prime minister.

Twitter responded by suspending a number of impersonator accounts and is now in discussions with the prime minister’s office in an attempt to defuse the row, according to people familiar with the matter. A spokesperson for Twitter declined to comment.

Angry users also used the site to attack the restrictions using the hashtags #GOIblocks and #Emergency2012, the latter a highly charged reference to prime minister Indira Gandhi’s two-year period of rule by decree in the late 1970s.

India has a long history of censorship measures designed to prevent communal violence, ranging from restrictions introduced under the British Raj in the early 20th century to more recent edicts banning Salman Rushdie’s novel The Satanic Verses and restricting derogatory portrayals of religious figures in Bollywood movies.

“Blocking content to help mitigate a volatile situation involving civilian security could be justified,” says Meenakshi Ganguly, South Asia director at Human Rights Watch. “But when the government expresses equal concern about fake Twitter handles or criticism of political leaders, it begins to look like censorship.”

The online restrictions followed related measures restricting to five the number of text messages that could be sent from most Indian mobile phones, although this was lifted to 20 on Thursday.

They also came during a week of deepening political crisis in the world’s largest democracy, as opposition leaders repeatedly halted parliamentary proceedings and called for Mr Singh’s resignation in the aftermath of a critical report from India’s government auditor.

“These threats to social harmony are real, but like almost everything the Indian state is doing at present, the restrictions incompetently deal with a few symptoms rather than addressing causes,” says Pratap Bhanu Mehta of the Centre for Policy Research, a think tank in New Delhi. “They are simply exacerbating a crisis of trust, not solving it.”

For more details visit https://cis-india.org/news/www-ft-com-aug-24-2012-james-crabtree-tim-bradshaw-criticism-mounts-over-india-censorship

Crisis for identity or identity crisis?

praskrishna — 2011-04-02T08:16:30Z

The hurry with which the government is pushing its most ambitious project to assign a number (UID) to every citizen without any feasibility study or public debate has raised many questions.

“It will empower all”, declared Prime Minister Manmohan Singh when he issued the first UID card to a villager from Tembhli village in Maharashtra. But as days pass and relevant issues come for public discourse, many people have begun to doubt prime minister’s assurance.

Unique identification number (UID), named Aadhaar is a 12 digit identification number that the government plans to issue to all citizens that will not only be an identity card but will also serve multiple purposes for its holder.

Infosys co-founder Nandan Nilekani has been assigned the responsibility to execute this proposal as Chairman of the Unique Identification Authority of India (UIDAI). Mr Nilekani leads a team of 120 people having the task of assigning unique identities to 1.2 billion people. He plans to take Aadhaar beyond being just a 12-digit identification number for every Indian. This ambitious and mammoth project is pitched to handle projects as diverse as a national-highway toll-collection system, a technology backbone for the forthcoming Goods and Services Tax (GST) and reform of the vast public distribution system (PDS) for subsidized foodgrains.

Government plans to cover 60 per cent of the nation’s population under this project in the next three years starting October this year. This project is intended to collect identification data about all residents in the country. It is said that it will impact the PDS and NREGA programmes, and plug leakages and save the government large sums of money.

But the UID will not replace ration cards and passports, and is not mandatory as of now. No questions would be asked related to language, caste or religion of the person applying for UID.

The UID number is linked to the fingerprints and the pattern of the eyes of the person assigned that number. This inimitable biometric data ensures that any given number is linked to only one person. So there is hardly a chance of any misgiving or stealing of rations and wages from the holder. It is believed that soon banks, insurance companies, cell phone providers and hospitals will demand UID number before doing business with you.

In short, in the future our name, address, bank account numbers, personal information and identity as a whole will be solely linked and governed by those 12 digit number we hold.

Critics say that there has been no feasible study conducted about UID project, neither has there been a cost benefit analysis done. To add to it, there are serious concerns about data and identity theft.

But apart from the buzz about this new project, there is an air of suspicion surrounding it too.

The launch of the UID has led to a flurry of debate amongst policy-makers, legal experts and civil society at large. In response, Mr Nilekani claims the UID to be “a foolproof project implemented at a low cost”.

However, some critical issues remain unanswered.

One of the major objections about UID is that there has been no feasible study conducted, neither has there been a cost benefit analysis done. There is no project document as such.

To add to it, there are serious concerns about data and identity theft.

In a world where cyber terrorism is the new threat, and the countries are gearing themselves to protect against such a threat, projects like UID come as an open invitation to terrorist outfits to infiltrate their defences.

The UID number is linked to fingerprints and the patterns of the holder’s eye. But medical studies show that our eye's iris patterns can change due to aging, disease or malnourishment. More over the government has no alternative option for many millions who fall outside this pattern of identification owing to callused hands, corneal scars and cataract induced by malnourishment. Even as enrollment is poised to begin, authentication is still an unstudied field. Fake fingerprints can very easily be made. Hence, the unique element of these numbers can be tampered.

Recently, Sunil Abraham, Director, Centre for Internet and Society has remarked, “If I leave my fingerprints around, my identity can be stolen and transactions done on my behalf. They could use that number, to share information about anybody.”

A cyber-criminal having access to any person’s identification number can virtually control that person. Telephone numbers, addresses, family history can all be tracked down. Bank accounts can be manipulated and transactions done without the person knowing. Since these days, a lot of money transactions are done through internet, a cyber criminal can easily steal few UID numbers and impersonate those persons to manipulate the bank or credit card accounts.

In an even uglier scenario, where people might be tracked and judged by their numbers, a criminal’s fingerprints left behind on a scene of crime can be mixed with some one else through a slight manipulation and exchange of UID numbers, making an entirely innocent person a suspect in the eyes of law. Some incompetent or revengeful government officials can also frame innocents for a crime one never committed.

Human rights activists claim that a tech-savvy person can hack into the system and gain any person’s information from the servers unless the government tightens the defenses. A reminiscence of the Bruce Willis starrer Hollywood blockbuster Die Hard 4, a bunch of techno geeks operating from trailer truck hold the entire United States hostage as they hack into every main frame computing network from transportation, communication, power, defence and individual accounts.

The number can also be used for real time tracking, profiling, mounting surveillance and ‘convergence’ of information. Apart from the concerns about identity theft, the number can also invade our private space. If in the future insurance companies and hospitals merge their databases, the insurance companies can increase premium, or simply refuse insurance cover to a person who is not keeping well.

Poor labourers and immigrants who are on the move in search of work could also be the victims of the ‘Aadhaar’. In future, in case of card being lost or misplaced, poor labour would be threatened with financial and welfare exclusion. Where being a legal resident is to be closely tied in with having a UID number, it could render the poor vulnerable to exclusion and expulsion by exploitative employers and others.

Interestingly, few months back in June, UK government scrapped the plans for the controversial 5 billion pounds National Identity Card scheme. The UK government now plans to destroy all information held on the National Identity Register, effectively dismantling the whole system.

Though Mr Nilekani claims that UID would be a cost effective project, however deeper analysis throws a different story. It is reported that the UIDAI project will cost Rs 45,000 crores to the exchequer in the next 4 years. This does not seem to include the costs that will be incurred by Registrars, Enrollers, additional costs on the PDS system to connect it to the UID, the estimated cost to the end user and to the number holder.

Defending himself from the flurry of queries, Mr Nilekani has stressed that the identification number is not mandatory for everyone and only those interested can enroll. The project aims to first enroll the poor and uneducated masses promising them better wages and ration schemes. As was reported, the first villager to get the UID card was ‘happy but did not know its benefits’. Critics allege that the reason why Aadhaar is selling itself to millions of poor in the country is to create a foundation of legitimacy to deflect concerns over its possible misuse, unsafe technology and huge costs. Later, with a larger foundation, the UID can be enforced upon all citizens in the near future as the apex identity proof, making everyone vulnerable to several risks described above.

The UIDAI project has proceeded so far without any legal authorization. There has been no feasibility study or cost-benefit analysis preceding the setting up of such a pervasive project. All calculations are of the back-of-the envelope variety. Data theft is a very serious threat to every individual and the country as a whole. There are deeply disconcerting facts about the project that should make even a die-hard UID supporter worry about its long term implications.

This article has been written by Sushant Sharma. He is a college fresher and avid reader.

Interestingly, few months back in June, UK government scrapped the plans for the controversial 5 billion pounds National Identity Card scheme. The decision came after about 15,000 citizens had already been enrolled and given their numbers. The UK government now plans to destroy all information held on the National Identity Register, effectively dismantling the whole system.

The UK system like the Indian UID had also started with much fanfare, claiming to save nearly 900 million pounds for the taxpayers. While the project was axed, UK’s Home Secretary Theresa May stated - “It (the identity card project) is intrusive and bullying, ineffective and expensive. It is an assault on individual liberty that does not promise a great good.”

The same logic implies to the India as well. But instead of scraping this over-hyped-failure-in-the-making project, our Prime Minister claims the UID project “will empower all”. But will it actually? That is for us to decide now.

Read the original article here.

For more details visit https://cis-india.org/news/identity-crisis

Criminal Defamation: The Urgent Cause That has United Rahul Gandhi, Arvind Kejriwal and Subramanian Swamy

praskrishna — 2015-07-16T13:45:04Z

Three years ago when the then Janata Party president Subramanian Swamy accused Congress vice president Rahul Gandhi and his mother of misappropriation of funds while trying to revive the National Herald newspaper, the Nehru-Gandhi scion threatened to sue him.

The article by Betwa Sharma was published in Huffington Post on July 15, 2015. Sunil Abraham gave his inputs.

Swamy's response was characteristic: "Grow up and file a defamation case".

In a strange turn of events, the matter of criminal defamation has brought together an unlikely cast of characters in an ongoing petition in the Supreme Court--Swamy, Gandhi and Delhi chief minister Arvind Kejriwal, who knows a thing or two about making allegations.

They are petitioning the Apex Court to strike down penal provisions criminalising defamation, which they argue, has a "chilling effect" on the fundamental right to free speech. Opinion is divided around the world on whether or not defamation ought to be a criminal offence. Because some jurisdictions have stricter defamation laws, some indulge in a practise known as 'forum shopping', or suing in jurisdictions with harsher views on libel and slander.

The three leaders have filed separate petitions that are now being jointly heard by the court. They are challenging the constitutional validity of Sections 499 and 500 of the Indian Penal Code which make defamation a criminal offence punishable with up to two years in prison.

A verdict striking down the colonial-era S. 499, used by the British to suppress those opposing their rule, could prove to be a huge victory for free speech in India. Earlier this year, the Supreme Court struck down the draconian Section 66A of the Information Technology Act as "unconstitutional and void".

There is cause for optimism. The Supreme Court has already said that the validity of criminal defamation laws must be tested against the free speech guarantees of the constitution. The bench comprising of Justices Dipak Misra and Prafulla C Pant have observed that political debates maybe excluded as a criminal defamation offence.

While Gandhi, Subramanian and Kejriwal have been slapped with defamation suits by political rivals, there have been long-standing concerns over the threat posed by these provisions to the media and those who use social media to express their opinions against the rich and the powerful.

The government of the day is keen to maintain the status quo. In a recent submission, it has argued that S.499 is now the only provision to deal with defamation on social media and the only protection for reputation of citizens. But free speech activists say there is no evidence to show that a defamation law deters a person who is out to spread lies.

The questionable utility of S.499, the scope for its abuse and the culture of self-censorship, they argue, removes it from the ambit of "reasonable restrictions" which the state can impose on free speech under article 19 (2) of the constitution.

"Hardly a day goes by in India without some rich and powerful person initiating or threatening to initiate defamation suits against rivals or traditional media or ordinary citizens on social media," said Sunil Abraham, executive director of the Bangalore-based Centre for Internet & Society. "It is unclear how much self-censorship is going on because Indians fearing jail terms avoid speaking truth to power.

On the issue of protecting people's dignity, Abraham said there is no prima facie evidence in India that criminalising defamation in India has resulted in the protection of the reputations of citizens from falsehoods.

"On the the other hand every other national media house and quite of few investigative journalists have been and continue to be harassed by criminal suits filed by the powerful," he told HuffPost India. "The chilling effect on speech is a disproportionate price for citizenry to pay for what is only a personal harm."

Under the leadership of Chief Minister J Jayalalithaa, the Tamil Nadu government filed 125 defamation cases against The Hindu and other publications between 2001 and 2004. On Tuesday, she filed a defamation suit against news portal Rediff.com for running two articles related to speculations about her health.

In the United States, defamation claims by public officials and public figures were severely curtailed after its Supreme Court ruled in 1964 that the complainant needs to prove actual malice with "clear and convincing" evidence. Further, truth is an absolute defence against defamation in the U.S.

On Tuesday, Swamy and Gandhi also argued that truth should be defence in defamation suits. “Truth is not a complete defence in criminal defamation. For a nation with a national motto of Satyameva Devata it is ironic," Swamy said.

BJP leader Swamy is of the view that defamation should only be subject to a civil suit which can be redressed by payment of monetary compensation. But the central government has argued that a defamer could be too poor to compensate the complainant.

"I am not saying there is no such thing as defamation. You can sue someone for defamation, but you cannot deprive someone of his liberty," he said in a recent interview with The Sunday Guardian.

Jayalalithaa filed a defamation suit against the senior BJP leader who alleged that most of the boats of Indian fishermen captured by Sri Lanka belong to the AIADMK chief, her close aide Sasikala and DMK leader TR Baalu.

The suit against the Congress Vice President was filed by the Rashtriya Swayamsevak Sangh for allegedly blaming the Hindu right-wing organisation for the assassination of Mahatma Gandhi.

BJP leader Nitin Gadkari sued Kejriwal after his name was included in AAP's list of "India's most corrupt."

"The accused is in the habit of making false and defamatory statements without any basis. The statements made by the accused and his party members have damaged and tarnished my image in the eyes of the people," Gadkari told the court, last year.

Legal analysts also find it hard to predict just how far the Supreme Court will go to protect free speech. Its judgment against S.66A of the IT Act is regarded as one of the biggest victories for free speech in India. Justice Misra was on the bench that struck down the provision for being “open-ended and unconstitutionally vague," and not fit to be covered under Article 19 (2).

But last month, in a judgment regarded as a blow to free speech, it was Justices Misra and Pant who ruled that freedom of speech is not an absolute right.

Senior Advocate Gopal Subramanium had argued, "Freedom to offend is also a part of freedom of speech.”

For more details visit https://cis-india.org/internet-governance/news/huffington-post-july-16-2015-betwa-sharma-criminal-defamation-the-urgent-cause-that-has-united-rahul-gandhi-arvind-kejriwal-and-subramanian-swamy

Criminal Defamation and the Supreme Court’s Loss of Reputation

bhairav — 2016-06-03T03:05:14Z

The Supreme Court’s refusal, in Subramanian Swamy v. Union of India, to strike down the anachronistic colonial offence of criminal defamation is wrong. Criminalising defamation serves no legitimate public purpose; the vehicle of criminalisation – sections 499 and 500 of the Indian Penal Code, 1860 (IPC) – is unconstitutional; and the court’s reasoning is woolly at best.

The article was published in the Wire on May 14, 2016.

Politics and censorship

Two kinds of defamation actions have emerged to capture popular attention. First, political interests have adopted defamation law to settle scores and engage in performative posturing for their constituents. And, second, powerful entities such as large corporations have exploited weaknesses in defamation law to threaten, harass, and intimidate journalists and critics.

The former phenomenon is not new. Colonial India saw an explosion of litigation as traditional legal structures were swept away and native disputes successfully migrated to the colonial courts. These included politically-motivated defamation actions that had little to do with protecting reputations. In fact, defamation litigation has long become an extension of politics, in many cases a new front for political manoeuvring.

The latter type of defamation action is far more sinister. Powerful elites, both individuals and corporations, have cynically misused the law of defamation to silence criticism and chill the free press. By filing excessive and often unfounded complaints that are dispersed across the country, which threaten journalists with imprisonment, powerful elites frighten journalists into submission and vindictively hound those who refuse to back down. Such actions are called Strategic Lawsuits against Public Participation (SLAPPs) which Rajeev Dhavan warns have created a new system of censorship.

Petitions and politicians

Defamation originates from the concept of scandalum magnatum – the slander of great men – which protected the reputations of aristocrats. The crime was linked to sedition, so insulting a lord was akin to treason. In today’s neo-feudal India, political leaders are contemporary aristocrats. Investigating them can invite devastating consequences, even death. Most of the time, they retaliate through defamation law. Since the criminal justice system is most compromised at its base, where the police and magistrates directly interact with people, the misuse of criminal defamation law hurts ordinary citizens.

This is different from politicians prosecuting each other since they rarely, if ever, suffer punishment. Of all the petitions before the Supreme Court concerning the decriminalisation of defamation, the three that received the most news coverage were those of Subramanian Swamy, Rahul Gandhi, and Arvind Kejriwal. They are all politicians, their petitions were made in response to defamation complaints filed by rival politicians. On the other hand, there are numerous cases which politicians have filed against private members of civil society to silence them. When presented with these concerns, the Supreme Court simply failed to seriously engage with them.

The architecture of defamation

Defamation has many species, a convoluted history, and complex defences. Defamation can be committed by the spoken word, which is slander, or the written word, which is libel. The historical distinction between these two modes of defamation is based on the permanence of written words. Before the invention of the printing press, the law was chiefly concerned with slander. But as written ideas proliferated through mass publication technologies, libel came to be viewed as more malevolent and the law visited serious punishments on writers and publishers.

Such a distinction presumes a literate readership. In largely illiterate societies, the spoken word was more potent. This is why films and radio have long attracted censorship and state control in India. Before mass publishing forked defamation into libel and slander, there existed only the historical crime of libel. Historical libel had four species: seditious libel, blasphemous libel, obscene libel, and defamatory libel.

Seditious libel, which has been repealed in Britain, prospers in India as the offence of sedition which is criminalised by section 124A of the IPC. Blasphemous libel, repealed in Britain, fares well in India as the offence of blasphemy under section 295A of the IPC. Obscene libel, as the offence of obscenity, is criminalised by section 294 of the IPC. And defamatory libel, repealed in Britain, which is the offence of criminal defamation that the Subramanian Swamy case upheld, continues to exist under section 499 of the IPC.

Confusing harms

Of the many errors that litter the Supreme Court’s May 13, 2016 judgment in the Subramanian Swamy case, perhaps the most egregious is the failure to recognise the harm that criminal defamation poses to a healthy civil society in a free democracy. At the crux of this mistake is the Supreme Court’s failure to distinguish between private injury and social harm. Two people may, in their private capacities, litigate a civil suit to recover damages if one feels the other has injured her reputation. This private action of defamation was not in issue before the court.

On the other hand, by criminalising defamation, why should the state protect the reputations of individuals while expending public resources to do so? This goes to the concept of crime. When an action is serious enough to harm society it is criminalised. Rape strikes at the root of public safety, human dignity, equality, and peace, so it is a crime. A breach of contract only injures the party who was expecting the performance of contractual duties; it does not harm society, so it is not a crime. Similarly, a loss of reputation, which is by itself difficult to quantify, does no harm to society and so it should not be a crime.

Truth and the public good

It may be argued, and the Supreme Court hints, that at its fundament, society is premised on the need for truth; so lies should be penalised. This is where defamation law wanders into moral policing. In Indian and European philosophies, truth is consecrated as a moral good. The Supreme Court quotes from the Bhagavad Gita on the virtue of truth. But while quotes like these are undoubtedly meaningful, they have no utility in a constitutional challenge. In reality, society is composed of truth, lies, untruths, half-truths, rumour, satire, and a lot more. In fact, the more shades of opinion there are, the livelier that society is. So lies should not invite criminal liability.

If we concede the moral debate and arrive at a consensus that the law must privilege truth over lies, then truth alone should be a complete defence to defamation. If the law criminalises untruth, then it must sanctify truth. That means when tried for the crime of defamation, a journalist must be acquitted if her writing is true. But the law and the Supreme Court require more. In addition to proving the truth, the journalist must prove that her writing serves the public good. So speaking truth is illegal if it does not serve the public good.

In fact, truth has only recently been recognised as a defence to defamation, albeit not a complete defence. This belies the social foundations of criminal defamation law. The purpose of the offence is not to uphold truth, it is to protect the reputations of the powerful. But what is reputation? The Supreme Court spends 25 pages trying to answer this question with no success. Instead, the court declares that reputation is protected by the right to life guaranteed by Article 21 of the Indian Constitution but it offers no sound reasoning to support this claim. The court also fails to explain why the private civil action of defamation is insufficient to protect reputation.

The constitution and constitutionalism

There are two core constitutional questions posed by the Subramanian Swamy case. They are:

Does the crime of defamation fall within one of the nine grounds listed in Article 19(2) of the constitution; and
Are sections 499 and 500 of the IPC which criminalise and punish defamation reasonable restrictions on the right to free speech?

Article 19(2) contains nine grounds in the interests of which a law may reasonably restrict the right to free speech. Defamation is one of the nine grounds, but the provision is silent as to which type of defamation, civil or criminal, it considers. However, B.R. Ambedkar’s comments in the Constituent Assembly arguably indicate that criminal defamation was intended to be a ground to restrict free speech.

The answer to the second question lies in measuring the reasonableness of the restriction criminal defamation places on free speech. If the restriction is proportionate to the social harm caused by defamation, then it is reasonable. However, restating an earlier point, criminalising defamation serves no legitimate public purpose because society is unconcerned with the reputations of a few individuals. Even if society is concerned with private reputations, the private civil action of defamation is more than sufficient to protect private interests. Further, the danger that current criminal defamation law poses to India’s free speech environment is considerable. Dhavan says: “Defamation cases [are] a weapon by which the rich and powerful silence their critics and censor a democracy.”

The Subramanian Swamy case highlights several worrying trends in India’s constitutional jurisprudence. The judgment is delivered by one judge speaking for a bench of two. Such critically significant constitutional challenges cannot be left to the whims of two unelected and unaccountable men. Moreover, from its position as the guarantor of individual freedoms, the Supreme Court appears to be in retreat. This will have far-reaching and negative consequences for India’s citizenry. If the court fails to enhance individual freedoms, what is its constitutional role? The judiciary would do well to stay away from policy mundanities and focus on promoting India’s democratic project, lest it injure its own reputation.

For more details visit https://cis-india.org/internet-governance/blog/criminal-defamation-and-the-supreme-court2019s-loss-of-reputation

Creeped out by Netflix's 'You'? Here's how you can avoid online stalkers, data thieves

Admin — 2019-01-12T02:13:25Z

Several social media users have no idea of how much of their information is stored on the Internet and what kind of information they are allowing the applications to access.

The blog post by Sanyukta Dharmadhikari was published by the New Minute on January 10, 2019. Pranesh Prakash was quoted.

Imagine someone knowing exactly where you are, where you live, what your routine is, where you will be and then waiting there for a ‘chance encounter’ to happen. This near-horror phenomenon is something Netflix’s new show You delves into. It follows a seemingly charming bookstore manager and his ‘love story’ with an aspiring writer – except he stalks her, breaks into her home, steals her phone and keeps tabs on her location in an attempt to be ‘at the right place at the right time’ and weasel into her life.

The nightmarish experience of the woman he pursues in the series led many users to check their own privacy settings on social media. But several users still have no idea of how much of their information is stored on the cloud and what kind of information they are allowing the applications to access.

How social media uses your data

“There might be much more information about you out there on the Internet than you sign up for. People do not really realise how much of their data is out there. Things are made out to be very opaque, so it is difficult to know who stores how much of your data,” says Anja Kovacs, director at Delhi-based Internet Democracy Project.

Pranesh Prakash, a fellow at the Centre for Internet and Society, explains that most websites put the onus of privacy onto the user but recently, there have been some features that social media giants have introduced after privacy concerns were voiced.

“On Twitter, I think you don’t need to use your real name and you do not have to use your location. On Facebook, apart from your name, you can restrict other information to friends only or use the option ‘Only Me’. With these kinds of possibilities existing, one just needs to know how to navigate through these tools,” Pranesh says.

The problem with this, he adds, is that the onus of privacy is put onto the user. “It is a difficult situation for social networks. One of Facebook’s most used feature is the ‘people you may know’ feature. Sometimes, that can go really bad, sometimes it may throw up your ex as a suggestion or let your stalker see your profile or it may allow people who visit a common psychologist to see each other as suggestions without knowing why,” he says.

While it is difficult for social media giants to calibrate such settings, the users have recently been given options to help control what kind of audience sees what information.

After Google Plus was launched, Facebook introduced a feature that allows users to choose who can see their status updates. Pranesh adds that users should make use of such features.

Understanding your data online

Not many users realise that basic information about them can be used against them. Seemingly harmless information like your date of birth, your birthplace or the pages that you follow on social media may contain leads for identity thefts.

“All the information that you put up publicly can be used by police, future employees or even your stalkers as well. For example, your date of birth, which most users add to their social media profiles, is usually used to verify bank accounts. If that is public, anyone can pretend to be you,” says Pranesh.

A way out is to relay this information only to people you trust. Another thing is to remember that on the internet, information received from one website can be used to access information on another website.

“You might upload a picture with your pet and name your pet in that post. However, that name could be the answer to one of the security questions asked on another website. If you use the same email address and username across social media profiles, it is easier to find information about you. Users should be aware that websites can be connected,” Pranesh explains.

Apps and permissions

Another crucial thing to remember is that users must always look into privacy settings of social networks that they use.

When you install new applications on your mobile phones, they often ask for certain permissions – like seeking access to your location – and users usually mechanically click on allow.

Most of these permissions apps request are often based on the type of application – for example, it is natural for Google Maps to ask permission to access your location – and users need to be vigilant if apps ask for absurd permissions.

“I once saw a torchlight app that sought access to my address book. Why would my flashlight need access to my contacts? There are a lot of apps who don't read these permissions. It is quite easy to figure out what kind of permissions an app needs and users need to apply their mind when installing the apps,” Anja adds.

She states that there are a lot of people who do not read through the terms and conditions of a particular website or app or the permissions they seek. And once access is granted, there is no way of taking your data back.

Last year, it was revealed that a Facebook breach had exposed data of 50 million people. Last month, Facebook reported another security breach where nearly 6.8 million users risked their private photos being exposed to third-party apps.

Facebook also found itself refuting serious claims of wrongdoings in giving access to user information to certain device makers, including China-based Huawei, and certain large technology companies and popular apps like Netflix or Spotify.

Anja says users should be more critical of such companies and organisations that store data or sell users' data.

“People feel that things can’t change, but that is because they don't make enough noise. You must ask whether companies can store your data and not just who has what data – ask who can access it,” Anja said. “Think more critically about which companies you trust and why you trust them.”

For more details visit https://cis-india.org/internet-governance/news/news-minute-sanyukta-dharmadhikari-january-10-2019-creeped-out-by-netflixs-you

CPRsouth 2016 – Young Scholars Programme

praskrishna — 2016-05-30T02:01:21Z

Rohini Lakshané, Amber Sinha and Vidushi Marda have been selected to attend the two-day Young Scholars' Programme to be held in Zanzibar, Tanzania in early September this year. The programme is a part of the CPRSouth conference.

Read the original announcement published by CPRSouth here.

Following highly successful joint Afro-Asian CPR conferences in Mauritius in 2012, and India in 2013, CPRafrica and CPRsouth formally merged under the banner of CPRsouth in 2014. Since then, CPRsouth has hosted conferences in the Cradle of Humankind in South Africa (2014), and at the Innovation Center for Big Data and Digital Convergence at Yuan Ze University, Taiwan (2015).

This year’s conference is co-hosted by COSTECH and TCRA in Zanzibar, and will include sessions on cutting-edge developments on ICT policy and regulation in the South and discussion of the research-policy interface.

30 Young Scholars from Africa and the Asia-Pacific region will be selected to participate in a tutorial programme taught by recognised scholars and practitioners from Africa and Asia, and they will attend the main conference thereafter.

Tutorials are scheduled to be held on the 6^th and 7^th of September 2016, prior to the main CPRsouth conference.

Who will qualify?

Masters/PhD students in Economics, Public policy, Communications and Journalism
Officers of government/regulatory agencies undertaking ICT policy research, developing/gathering indicators (monitoring and evaluation)
Staff of private companies in the communication industries working in regulatory affairs
Officers in NGOs/INGOs working in policy and regulation
Researchers from think tanks, university research centres
Journalists covering communication public policy and regulation

Seminar

The seminar will cover a number of topics of the two days, such as:

policy analysis using supply-side or demand-side data;
ICT impact analysis;
convergence, net neutrality;
funding broadband network extension, open access networks, spectrum;
sector and competition regulation;
research to policy interventions;
Internet governance – privacy, surveillance, human rights online; and
introduction to big data, open data.

(2016 tutorial programme still to be confirmed)

Previous tutorial presentations can be accessed at http://www.cprsouth.org/

Application deadline: 22 April 2016

Application guidelines

Applications should be submitted via this link by 22 April 2016, and must contain the following:

one-page curriculum vitae; and
one-page write-up outlining why you wish to become an African or Asia-Pacific based expert capable of contributing to ICT related policy and regulatory reform in the region

Applicants’ write-ups and biographies should be in a single word document, and named: CPRsouth2016_YoungScholar_ApplicantLastName.

Kindly note: Late applications and applications that do not conform to the prescribed format above will automatically be disqualified.

Review Criteria

Applications will be reviewed according to the following criteria:

content of application;
evidence of interest in, and commitment to, policy-relevant research for Africa or the Asia-Pacific region;
quality of writing; and
gender and country representation

The selection committee may contact your supervisor or mentor before making the final selections.

Candidates selected to participate in the tutorial programme must:

provide a one-page research proposal upon acceptance onto the tutorial programme
participate in all tutorial sessions
participate in the entire CPRsouth 2016 conference

Funding

Selected young scholars who are passport holders of, and travelling from, low and middle income countries within the Asia Pacific and Africa (as classified by the World Bank http://data.worldbank.org/about/country-classifications/country-and-lending-groups#Low_income) will be provided with:

lowest-cost economy airfare to conference destination (less USD 150 registration fee);
ground transfers between the conference venue and airport; and
twin sharing accommodation on bed and breakfast basis, 5 lunches and 1 dinner for the duration of the conference and tutorials (6 – 10 September 2016). Not all meals are covered.

The registration fee for young scholars to attend the conference and tutorials is USD150, and airfares will be reimbursed less this registration fee. Participants will be required to cover:

transport to and from airports in their home countries;
visa fees (if any);
meals not provided; and
any other incidental costs

As the registration fee is so low and should be met personally even if there is no institutional support for attendance of the course and conference, please note that only under exceptional circumstances of extreme financial hardship may the organisers consider a waiver of the conference registration fee. Such waivers will be considered on a case-by-case basis and only where a scholar would otherwise be prevented from attending the YS programme and conference.

Visas

Letters of invitation will be provided for purposes of visa applications after participant selections have been made. Participants are responsible for securing their own visas to enter Tanzania, and are strongly advised to initiate visa approval procedures immediately on receipt of confirmation of their participation.

Kindly direct all enquiries to Ondine Bello: admin@researchictafrica.net orinfo@CPRsouth.org

For more details visit https://cis-india.org/internet-governance/news/cprsouth-2016-2013-young-scholars-programme

CPDP 2015

praskrishna — 2014-09-30T09:52:52Z

The eighth international conference on computers, privacy and data protection will be held in Brussels from January 21 to 23, 2015. The Centre for Internet and Society is a moral supporter of CPDP.

CPDP is a non-profit platform originally founded in 2007 by research groups from the Vrije Universiteit Brussel, the Université de Namur and Tilburg University and has grown into a platform carried by 20 academic centers of excellence from the EU, the US and beyond. As a world-leading multidisciplinary conference CPDP offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. Within an atmosphere of independence and mutual respect, CPDP gathers academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world in Brussels offering them an arena to exchange ideas and discuss the latest emerging issues and trends. This unique multidisciplinary formula has served to make CPDP one of the leading data protection and privacy conferences in Europe and around the world. CPDP2014 welcomed 854 guests including 343 speakers from 43 different countries dispersed over more than 60 panels which took place during three full days. It attracted another 500 people in several public evening events including debates, a pecha kucha evening and an art exhibition. CPDP2015 aims to repeat the success of last year and will stage panels within the following main topical themes: Data Protection Reform: European and Global Developments, Mobility (mobile technologies, wearable technologies, border surveillance), EU-US developments concerning the regulation of government surveillance, Health, privacy and data protection, Love and lust in the digital age, Internet governance and privacy.

In 2015 CPDP will take place from January 21 to 23, 2015 in the Halles de Schaerbeek, Brussels, Belgium. Registrations are already open: http://www.cpdpconferences.org/Registration.html. For more details see here.

For more details visit https://cis-india.org/internet-governance/news/cpdp-2015

CPDP 2014 Reforming Data Protection: The Global Perspective

praskrishna — 2013-12-11T03:39:50Z

Already in its 7th edition, the annual Computer Privacy and Data Protection conference (organised by CPDP) is being held in Brussels from January 22 to 24, 2014. Malavika Jayaram will be speaking at this event.

The Centre for Internet and Society is one of the sponsors for this event. Click here to read the full programme.

CPDP is a non-profit platform originally founded in 2007 by research groups from the Vrije Universiteit Brussel, the Université de Namur and Tilburg University, which has now grown significantly and incorporates a consortium of 21 conference partners.

CPDP offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. In an atmosphere of independence and mutual respect, CPDP gathers academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world to exchange ideas and discuss the latest emerging issues and trends. This unique multidisciplinary formula has served to make CPDP one of the leading data protection and privacy conferences in Europe and around the world.

CPDP2014 has become truly global: it is co-organized by conference partners from Europe and the United States, and devotes panels to Latin-America and India. Moreover, CPDP is reaching out to the Asia-Pacific with speakers coming from all over the region.

The progressive growth of CPDP will culminate in an unprecedented 7^th edition. A terrific programme will include more than 60 panels held over three consecutive days. The panels will focus on key issues that cover all current debates: The data protection reform in the European Union, PRISM, big data, cybercrime, data retention, cloud computing, enforcement by Data Protection Authorities, biometrics, e-health, privacy by design, and much, much more. In addition, there will be a day event on the ethical issues of data collection on minorities, and the use of technology to advance the status of Roma.

CPDP will offer valuable contributions from the leading names in the field, including key representatives from all the major European institutions - the European Commission, the European Parliament, the European Data Protection Supervisor, and the Council of Europe.

In addition to the well-known classic Pecha Kucha side event, there will be several public debates held in the evenings – both in Dutch and English.

CDP2014 will continue to pay particular attention to high-level and innovative research from PhD Students and outstanding junior researchers by organizing sessions completely devoted to their work. CPDP2014 will also remain home to several award ceremonies, such as the award for the best Multidisciplinary Privacy Paper and the EPIC International Champion of Freedom Award.

Whether you are involved in the Conference as a sponsor, supporter, partner or participant or not, CPDP2014 welcomes you to join the event and contribute to the debate on emerging privacy and data protection issues.

For up to date information, registration and the programme, please visit http://www.cpdpconferences.org/ and follow CPDP on Facebook (cpdpconferences) and Twitter (@cpdpconferences).

If you have any questions please contact: info@cpdpconferences.org

For more details visit https://cis-india.org/events/cpdp-2014-reforming-data-protection-global-perspective

CPDP (Computers, Privacy and Data Protection) 2017

praskrishna — 2017-02-03T02:02:05Z

Amber Sinha participated as a panelist in a panel on 'EU Adequacy Status for International Data Transfers' in Brussels, Belgium on January 26, 2017. The event was organized by Privacy International.

EU Adequacy Status for International Data Transfers

According to EU data protection laws, countries only have blanket freedoms to receive and process personal data from the EU if they have been awarded an adequacy status by the Commission. Given the vital importance of data transfers between countries in the global economy, having such a status is a valuable asset, as other available legal means of transfer are more limited. India, for e.g. is said to be losing in excess of Euro 30 billion per year through lost trade with the EU, as it lacks such adequacy status. In the 20+ years since the data protection Directive was passed, only 11 states have been decided to be ‘adequate’ by the Commission – which include the US with its recently awarded Privacy Shield. The Commission methodology and procedures for granting adequacy to countries is increasingly under scrutiny – for e.g. a recent study found that the way it makes adequacy decisions for its trade partners could be accused of being obscure, inconsistent and without clear criteria or rules or timeframes. This also makes EU data protection laws vulnerable to challenge under world trade rules. This panel will address the following questions:

Questions to be considered:

On what basis does the EU and the Commission make decisions on whom to grant adequacy status?

In the light of the Schrems judgement defining adequacy as ‘essentially equivalent’, should all past decision be revised?

Given that more than 100 countries now have general data protection laws, how should countries be chosen for adequacy judgements?
What criteria and methodologies should be used to ensure all countries are treated equally, to ensure fundamental rights are equally upheld, and to avoid possible challenge under WTO rules?
(New) What are your views on the EC proposal to facilitate international transfers of personal data, recently published?

Panel:

Chair: Jan Albrecht MEP

Panel:

Kristina Irion, Institute of Information Law (IVIR), University of Amsterdam:

Kristina is expert academic in both data protection and related trade issues, author of recent study ‘Trade and Privacy: complicated bedfellows’

Amber Sinha, Centre for Internet and Society (CIS), India

Amber is policy researcher specialising in privacy and big data ; CIS is an India NGO and partner organisation of Privacy International.

Daniel Cooper, Covington and Burling ;

Dan is partner at this global law firm, which advises both business and government clients round the world ; he leads the data protection practice in London

Bruno Gencarelli, European Commission DG Justice ;

Bruno is the head of the new DG Justice unit on data flows and data protection, and as such the Commission boss of adequacy

Veronica Perez-Asinari, European Data Protection Supervisor (EDPS).

Veronica is the EDPS head of unit for supervision and enforcement; she has also recently spent some months working with the Argentina DPA (Argentina has EU adequacy).

Moderator: Anna Fielder, Privacy International

For more details visit https://cis-india.org/internet-governance/news/cpdp-computers-privacy-and-data-protection-2017

CoWIN Breach: What Makes India's Health Data an Easy Target for Bad Actors?

Shweta Mohandas and Pallavi Bedi — 2023-07-04T09:39:03Z

Recent health data policies have failed to even mention the CoWIN platform.

The article was originally published in the Quint on 19 June 2023.

Last week, it was reported that due to an alleged breach of the CoWIN platform, details such as Aadhaar and passport numbers of Indians were made public via a Telegram bot.

While Minister of State for Information Technology Rajeev Chandrashekar put out information acknowledging that there was some form of a data breach, there is no information on how the breach took place or when a past breach may have taken place.

This data leak is yet another example of our health records being exposed in the recent past – during the pandemic, there were reports of COVID-19 test results being leaked online. The leaked information included patients’ full names, dates of birth, testing dates, and names of centres in which the tests were held.

In December last year, five servers of the All India Institute of Medical Science (AIIMS) in Delhi were under a cyberattack, leaving sensitive personal data of around 3-4 crore patients compromised.

In such cases, the Indian Computer Emergency Response Team (CERT-In) is the agency responsible for looking into the vulnerabilities that may have led to them. However, till date, CERT-In has not made its technical findings into such attacks publicly available.

The COVID-19 Pandemic Created Opportunity

The pandemic saw a number of digitisation policies being rolled out in the health sector; the most notable one being the National Digital Health Mission (or NDHM, later re-branded as the Ayushman Bharat Digital Mission).

Mobile phone apps and web portals launched by the central and state governments during the pandemic are also examples of this health digitisation push. The rollout of the COVID-19 vaccinations also saw the deployment of the CoWIN platform.

Initially, it was mandatory for individuals to register on CoWIN to get an appointment for vaccination, and there was no option for walk-in-registration or to book an appointment. But, the Centre subsequently modified this rule and walk-in appointments and registrations on CoWIN became permissible from June 2021.

However, a study conducted by the Centre for Internet and Society (CIS) found that states such as Jharkhand and Chhattisgarh, which have low internet penetration, permitted on-site registration for vaccinations from the beginning.

The rollout of the NDHM also saw Health IDs being generated for citizens.

In several reported cases across states, this rollout happened during the COVID-19 vaccination process – without the informed consent of the concerned person.

The beneficiaries who have had their Health IDs created through the vaccination process had not been informed about the creation of such an ID or their right to opt out of the digital health ecosystem.

A Web of Health Data Policies

Even before the pandemic, India was working towards a Health ID and a health data management system.

The components of the umbrella National Digital Health Ecosystem (NDHE) are the National Digital Health Blueprint published in 2019 (NDHB) and the NDHM.

The Blueprint was created to implement the National Health Stack (published in 2018) which facilitated the creation of Health IDs. Whereas the NDHM was drafted to drive the implementation of the Blueprint, and promote and facilitate the evolution of NDHE.

The National Health Authority (NHA), established in 2018, has been given the responsibility of implementing the National Digital Health Mission.

2018 also saw the Digital Information Security in Healthcare Act (DISHA), which was to regulate the generation, collection, access, storage, transmission, and use of Digital Health Data ("DHD") and associated personal data.

However, since its call for public consultation, no progress has been made on this front.

In addition to documents that chalk out the functioning and the ecosystem of a digitised healthcare system, the NHA has released policy documents such as:

the Health Data Management Policy (which was revised three times; the latest version released in April 2022)
the Health Data Retention Policy (released in April 2021)
Consultation paper on the Unified Health Interface (UHI) (released in December 2022)

Along with these policies, in 2022, the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) – India’s state health insurance policy.

However these draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines, published in August 2022, did not even refer to the draft National Digital Health Data Management Policy (published in April 2022).

Interestingly, the recent health data policies do not mention CoWIN. Failing to cross-reference or mention preceding policies creates a lack of clarity on which documents are being used as guidelines by healthcare providers.

Can a Data Protection Bill Be the Solution?

The draft Data Protection Bill, 2021, defined health data as “…the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associated with the data principal to the provision of specific health services.”

However, this definition as well as the definition of sensitive personal data was removed from the current version of the Bill (Digital Personal Data Protection Bill, 2022).

Omitting these definitions from the Bill removes a set of data which, if collected, warrants increased responsibility and increased liability. Handling of health data, financial data, government identifiers, etc, need to come with a higher level of responsibility as they are a list of sensitive details of a person.

The threats posed as a result of this data being leaked are not limited to spam messages or fraud and impersonation, but also of companies that can get a hand on this coveted data and gather insights and train their systems and algorithms, without the need to seek consent from anyone, or without facing the consequences of harm caused.

While the current version of the draft DPDP Bill states that the data fiduciary shall notify the data principal of any breach, the draft Bill also states that the Data Protection Board “may” direct the data fiduciary to adopt measures that remedy the breach or mitigate harm caused to the data principal.

The Bill also prescribes penalties of upto Rs 250 crore if the data fiduciary fails to take reasonable security safeguards to prevent a personal data breach, and a penalty of upto Rs 200 crore if the fiduciary fails to notify the data protection board and the data principal of such breach.

While these steps, if implemented through legislation, would make organisations processing data take their data security more seriously, the removal of sensitive personal data from the definition of the Bill, would mean that data fiduciaries processing health data will not have to take additional steps other than reasonable security safeguards.

The absence of a clear indication of security standards will affect data principals and fiduciaries.

Looking to bring more efficiency to governance systems, the Centre launched the Digital India Mission in 2015. The press release by the central government reporting the approval of the programme by the Cabinet of Ministers speaks of ‘cradle to grave’ digital identity as one of its vision areas.

The ambitious Universal Health ID and health data management policies are an example of this digitisation mission.

However breaches like this are reminders that without proper data security measures, and a system for having a person responsible for data security, the data is always vulnerable to an attack.

While the UK and Australia have also seen massive data breaches in the past, India is at the start of its health data digitisation journey and has the ability to set up strong security measures, employ experienced professionals, and establish legal resources to ensure that data breaches are minimised and swift action can be taken in case of a breach.

The first step to understand the vulnerabilities would be to present the CERT-In reports of this breach, and guide other institutions to check for the same so that they are better prepared for future breaches and attacks.

For more details visit https://cis-india.org/internet-governance/blog/quint-shweta-mohandas-and-pallavi-bedi-june-19-2023-cowin-data-breach-health-sensitive-details-policies-solution

Court’s approval needed to tap phones: Panel

praskrishna — 2012-10-22T07:02:34Z

Investigators can monitor a person for 15-20 days on executive orders in case of emergencies, suggests panel.

Surabhi Agarwal's article was published in LiveMint on October 18, 2012. Sunil Abraham is quoted.

Government agencies need judicial permission before intercepting any communication or starting surveillance of any individual, a panel on the proposed privacy law suggested on Thursday.

If there is any urgency, investigators can tap phones or monitor a person’s movements for 15-20 days on executive orders but will then have to approach the courts to continue, the committee led by retired Delhi high court judge Ajit P. Shah recommended.

“Phone tapping under the present regime is done under executive permission whereas in other countries it is done only with the permission of the courts,” Shah said.

Security agencies currently require permission from home secretaries, either at the Centre or the states, to set up wiretaps or monitor emails. An oversight group of the cabinet, law and telecom secretaries at the Centre reviews all such authorizations.

	The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies. Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles. The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies.

Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles.

The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The Shah panel has recommended appointing privacy commissioners and a system under which organizations will have to develop privacy standards that will be approved by a commissioner as a means of self-regulation.

Sectoral industry associations would form a code of conduct for companies that will comply with law as they will be approved by the privacy commissioner, according to Kamlesh Bajaj, chief executive officer of Data Security Council of India, one of the members of the committee. “These associations could also act as alternative dispute-resolution mechanisms,” Bajaj said.

The committee’s other recommendations include giving individuals a choice to provide personal information, collection of only critical personal information, use of data only for the purpose for which it has been collected, and a penalty for violations.

“Without a comprehensive horizontal regulatory framework and the office of the regulator both private and public entities in India have been trampling on the rights of citizens without complying to any of the international best practices when it comes to protecting the right to privacy,” said Sunil Abraham, executive director of Centre for Internet and Society, a Bangalore-based advocacy group. After the privacy law is enacted and the office of a privacy commissioner is created, people will be able to seek redressal against these erring pubic and private entities if their rights are violated, he added.

The government has been looking to enact a privacy law to ensure data collected by various programmes such as the National Population Register, Unique Identification Authority of India and National Intelligence Grid was not misused. It was expected to scotch criticism of these programmes by privacy and Internet activists. It later expanded the scope of the proposed legislation after catching flak for a leak of tapped conversations between corporate lobbyist Niira Radia, industrialists and journalists.

The government now aims to uphold the right of all Indians against any misuse of personal information, interception of personal communication, unlawful surveillance and unwanted commercial communication. That means it effectively covers everything from the misuse of data collected by the government to spam.

However, there could be opposition from law enforcement agencies if the privacy law mandates that prior permission of the courts will be required before intercepting communication.

If judges begin taking a call on interception requests, there could be chances of leakage, “since there are so many judges at so many levels”, said Rumel Dahiya, deputy director general at Institute of Defence Studies and Analyses, a New delhi-based think tank. “The government carries out surveillance to gain fool-proof intelligence. That purpose will be defeated.”

Last week, Prime Minister Manmohan Singh said a fine balance needs to be maintained between the right to information and the right to privacy.

The Shah committee included representatives from the private sector, the department of information technology, ministry of home affairs, department of telecommunication, the law ministry and the department of personnel and training.

Kirthi V. Rao contributed to this story.

For more details visit https://cis-india.org/news/livemint-october-18-2012-surabhi-agarwal-courts-approval-needed-to-tap-phones

Counter-proposal by the Centre for Internet and Society: Draft Information Technology (Intermediary Due Diligence and Information Removal) Rules, 2012

pranesh — 2016-04-24T11:48:49Z

Any restriction on freedom of speech should embody and be guided by the following principles, as identified by the UN Special Rapporteur on Freedom of Opinion and Expression

For more details visit https://cis-india.org/internet-governance/counter-proposal-by-cis-draft-it-intermediary-due-diligence-and-information-removal-rules-2012.pdf

Counter-proposal by the Centre for Internet and Society: Draft Information Technology (Intermediary Due Diligence and Information Removal) Rules, 2012

pranesh — 2016-04-24T11:56:49Z

Any restriction on freedom of speech should embody and be guided by the following principles, as identified by the UN Special Rapporteur on Freedom of Opinion and Expression.

For more details visit https://cis-india.org/internet-governance/counter-proposal-by-cis-draft-it-intermediary-due-diligence-and-information-removal-rules-2012.odt

Counter Surveillance Panel: DiscoTech & Hackathon

praskrishna — 2014-02-28T05:36:15Z

We invite you to a Counter Surveillance DiscoTech and Hackathon at the Centre for Internet and Society in Bangalore on Saturday, March 1, 2014 (9.00 a.m. to 5.00 p.m.). The event is being co-organized by the Centre for Internet and Society in tandem with the MIT Centre for Civic Media Co-Design Lab, with support from members of Tactical Technology Collective, Hackteria.org and Srishti School of Art Design and Technology. Registrations begin at 9.00 a.m. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy, titled "Privacy for Humanity" at 5.00 p.m.

Overview

Mirroring the call by MIT Civic Media Lab Co-Design Studio, this event brings together students, technologists, designers and citizens to explore counter-surveillance strategies. The event will be held simultaneously across various locations including Boston, Palestine, Lisbon and Buenos Aires. Click here for the definition of DiscoTech.(Discovering Technology)

Agenda

We shall begin with brief contextualized introductions catalyzed by researchers in the field of privacy & surveillance, followed by workshops and hackathons led by expert practitioners. Participants are welcome from diverse backgrounds looking to be involved in designing engaging and creative ways to counter surveillance. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy , titled "Privacy for Humanity" at 5.00 p.m.

Introductory Catalyst Sessions

Malavika Jayaram: Fellow at Berkman Center for Internet and Society at Harvard University and the Centre for Internet and Society, Bangalore
Laird Brown: DesiSec Project at the Centre for Internet and Society, Bangalore and University of Toronto
Kaustubh Srikant: Head of Technology, Tactical Technology Collective and Maya Indira Ganesh (Program Director)
Abhay Raj Naik: Assistant Professor, Azim Premji University

Design and Hackathon Lead Catalysts

Yashas Shetty:Faculty@ www.srishti.ac.in and Co-Founder Hackteria.org (DNA Spoofing, Surveillance Camera: Avoidance, Microscopic Re-Appropriation & Bacterial Discotheque)

Hari Dilip Kumar: Co, Founder, FluxGen: (Introducing data transmission protocols, Software Defined Radio (SDR) design and surveillance detection )

Sharath Chandra Ram: Researcher @ CIS Open Lab and Faculty@Srishti (Civic Media solutions using open citizen networks and the web, spectrum scanning, visual communication design strategies, finger print mash-up publishing)

Featured Talk and Interactive Closing Session by Smari McCarthy

(Executive Director, International Modern Media Institute and Founder, Icelandic Pirate Party & Icelandic Digital Freedom Society)

Title of Talk: PRIVACY for HUMANITY - 5.00 p.m.

Click to download the flyer invite
Date: Saturday, March 1, 2014
Time: 9.00 a.m. to 5.00 p.m. (Registration 9.00 a.m. sharp)
Venue: Centre for Internet and Society, Bangalore
Map : http://bit.ly /1fcDDLG

Please RSVP due to limited space and logistics for lunch and refreshments

For more details visit https://cis-india.org/events/counter-surveillance-panel-disco-tech-hackathon