We are anonymous, we are legion

Comments to ICANN Supporting the DNS Industry in Underserved Regions

jyoti — 2014-07-04T06:48:36Z

Towards exploring ideas and strategies to help promote the domain name industry in regions that have typically been underserved, ICANN published a call for public comments on May 14, 2014. In particular, ICANN sought comments related to existing barriers to Registrar Accreditation and operation and suggestions on how these challenges might be mitigated. CIS contributed to the comments on this report, which will be used to determine next steps to support the domain name industry in underserved regions.

Domain names and the DNS are used in virtually every aspect of the Internet, and without the DNS, the Internet as we know it, would not exist. The DNS root zone has economic value and ICANN's contract with Verisign delineates the selling of domain names via only ICANN accredited registrars. By the indirect virtue of its control of the root, ICANN has the power and capacity to influence the decisions of entities involved in the management and operations of the DNS, including registrars.

Too far, too many?

We acknowledge some of the efforts for improvements, in particular with reference to barriers to participation in DNS-related business in regions such as Africa and the Middle East, including the creation of a fellowship program, and increased availability of translated materials. However, despite these efforts, the gaps in the distribution of the DNS registrars and registries across the world has become an issue of heightened concern.

This is particularly true, in light of the distribution of registrars and given that, of the 1124 ICANN-accredited registrars, North America has a total of 765 registrars. US and Canada together, have more than double the number of registrars than the rest of the world taken collectively. To put things further into perspective, of the total number of registrars 725 are from the United States alone, and 7 from the 54 countries of Africa.

A barrier to ICANN's capacity building initiatives has been the lack of trust, given the general view that, ICANN focuses on policies that favour entrenched incumbents from richer countries. Without adequate representation from poorer countries, and adequate representation from the rest of the world's Internet population, there is no hope of changing these policies or establishing trust. The entire region of Latin America and the Caribbean, comprising of a population of 542.4 million internet users[1] in 2012, has only 22 registrars spread across a total of 10 countries. In Europe, covering a population of 518.5 million internet users[2], are 158 registrars and 94 of those are spread across Germany, UK, France, Spain and Netherlands. The figures paint the most dismal picture with respect to South Asia, in particular India, where just 16 registrars cater to the population of internet users that is expected to reach 243 million by June 2014[3].

While we welcome ICANN's research and outreach initiatives with regard to the DNS ecosystem in underserved regions, without the crucial first step of clarifying the metrics that constitute an underserved region, these efforts might not bear their intended impact. ICANN cannot hope to identify strategies towards bridging the gaps that exist in the DNS ecosystem, without going beyond the current ICANN community, which, while nominally being 'multistakeholder' and open to all, grossly under-represents those parts of the world that aren't North America and Western Europe.

The lack of registries in the developing world is another significant issue that needs to be highlighted and addressed. The top 5 gTLD registries are in the USA and it is important that users and the community feels that the fees being collected are equivalent compensation for the services they provide. As registries operate in captive markets that is allocated by ICANN, we invite ICANN to improve its financial accountability, by enabling its stakeholders to assess the finances collected on these registrations.

Multistakeholderism—community and consensus

As an organization that holds itself a champion of the bottom-up policy development process, and, as a private corporation fulfilling a public interest function, ICANN, is in a unique position to establish new norms of managing common resources. In theory and under ICANN’s extensive governance rules, the board is a legislative body that is only supposed to approve the consensus decisions of the community and the staff wield executive control. However in reality, both board and the staff have been criticised for decisions that are not backed by the community.

The formal negotiations between ICANN and Registrar Stakeholder Group Negotiating Team (Registrar NT) over the new Registrar Accreditation Agreement (RAA), is an example of processes that have a multistakeholder approach but fail on values of deliberation and pluralistic decision making.[4] ICANN staff insisted on including a "proposed Revocation (or "blow up") Clause that would have given them the ability to unilaterally terminate all registrar accreditations" and another proposal seeking to provide ICANN Board ability to unilaterally amend the RAA (identical to proposal inserted in the gTLD registry agreement - a clause met with strong opposition not only from the Registry Stakeholder Group but from the broader ICANN community).

Both proposals undermine the multistakeholder approach of the ICANN governance framework, as they seek more authority for the Board, rather than the community or protections for registrars and more importantly, registrants. The proposed amendments to the RAA were not issues raised by Law Enforcement, GAC or the GNSO but by the ICANN staff and received considerable pushback from the Registrar Stakeholder Group Negotiating Team (Registrar NT). The bottom-up policy making process at ICANN has also been questioned with reference to the ruling on vertical integration between registries and registrars, where the community could not even approach consensus.[5] Concerns have also been raised about the extent of the power granted to special advisory bodies handpicked by the ICANN president, the inadequacy of existing accountability mechanisms for providing a meaningful and external check on Board decisions and the lack of representation of underserved regions on these special bodies. ICANN must evolve its accountability mechanisms, to go beyond the opportunity to provide comments on proposed policy, and extend to a role for stakeholders in decision making, which is presently a privilege reserved for staff rather than bottom-up consensus.

ICANN was created as a consensus based organisation that would enable the Internet, its stakeholders and beneficiaries to move forward in the most streamlined, cohesive manner.[6] Through its management of the DNS, ICANN is undertaking public governance duties, and it is crucial that it upholds the democratic values entrenched in the multistakeholder framework. Bottom up policy making extends beyond passive participation and has an impact on the direction of the policy. Presently, while anyone can comment on policy issues, only a few have a say in which comments are integrated towards outcomes and action. We would like to stress not just improving and introducing checks and balances within the ICANN ecosystem, but also, integrating accountability and transparency practices at all levels of decision making.

Bridging the gap

We welcome the Africa Strategy working group and the public community process that was initiated by ICANN towards building domain name business industry in Africa, and, we are sure there will be lessons that will applicable to many other underserved regions. In the context of this report CIS, wants to examine the existing criteria of the accreditation process. As ICANN's role evolves and its revenues grow across the DNS and the larger Internet landscape, it is important in our view, that ICANN review and evolve it's processes for accreditation and see if they are as relevant today, as they were when launched.

The relationship between ICANN and every accredited registrar is governed by the individual RAA, which set out the obligations of both parties, and, we recommend simplifying and improving them. The RAA language is complex, technical and not relevant to all regions and presently, there are no online forms for the accreditation process. While ICANN's language will be English, the present framing has an American bias—we recommend—creating an online application process and simplifying the language keeping it contextual to the region. It would also be helpful, if ICANN invested in introducing some amount of standardization across forms, this would reduce the barrier of time and effort it takes to go through complex legal documents and contribute to the growth of DNS business.

The existing accreditation process for registrars requires applicants to procure US$70,000 or more for the ICANN accreditation to become effective. The applicants are also required to obtain and maintain for the length of accreditation process, a commercial general liability insurance with a policy limit of US$500,000 or more. The working capital and the insurance are quite high and create a barrier to entrance of underserved regions in the DNS ecosystem.

With lack of appropriate mechanisms registrars resort to using US companies for insurance, creating more foreign currency pressures on themselves. The commercial general liability insurance requirement for the registrars is not limited to their functioning as a registrar perhaps not the most appropriate option. ICANN should, and must, increase efforts towards helping registrars find suitable insurance providers and scaling down the working capital. Solutions may lie in exploring variable fee structures adjusted against profits, and derived after considering factors such as cost of managing domain names and sub-domain names, expansion needs, ICANN obligations and services, financial capacities of LDCs and financial help pledged to disadvantaged groups or countries.

Presently, the start-up capital required is too high for developing countries, and this is reflected in the number of registries in these areas. Any efforts to improve the DNS ecosystem in underserved regions, must tackle this by scaling down the capital in proportion to the requirements of the region.

Another potential issue that ICANN should consider, is that users getting sub-domain names from local registrars located in their own country, are usually taxed on the transaction, however, online registration through US registrars spares users from paying taxes in their country.[7] This could create a reverse incentive for registering domain sub-names online from US registrars. ICANN should push forward on efforts to ensure that registrars are sustainable by providing incentives for registering in underserved regions and help towards maintain critical mass of the registrants. The Business Constituency (BC)—the voice of commercial Internet users within ICANN, could play a role in this and ICANN should endeavour to either, expand the BC function or create a separate constituency for the representation of underserved regions.

[1] Internet Users and Population stats 2012. http://www.internetworldstats.com/stats2.htm

[2] Internet Users and Population stats 2012. http://www.internetworldstats.com/stats4.htm

[3] Times of India IAMAI Report. http://timesofindia.indiatimes.com/tech/tech-news/India-to-have-243-million-internet-users-by-June-2014-IAMAI/articleshow/29563698.cms

[4] Mar/07/2013 - Registrar Stakeholder Group Negotiating Team (Registrar NT) Statement Regarding ICANN RAA Negotiations.http://www.icannregistrars.org/calendar/announcements.php

[5] Kevin Murphy, Who runs the internet? An ICANN 49 primer. http://domainincite.com/16177-who-runs-the-internet-an-icann-49-primer

[6] Stephen Ryan, Governing Cyberspace: ICANN, a Controversial Internet Standards Body http://www.fed-soc.org/publications/detail/governing-cyberspace-icann-a-controversial-internet-standards-body

[7] Open Root-Financing LDCs in the WSIS process. See: http://www.open-root.eu/about-open-root/news/financing-ldcs-in-the-wsis-process

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-supporting-the-dns-industry-in-underserved-regions

Stay connected even when you go underground

praskrishna — 2014-07-04T15:15:11Z

CMRL may soon start making arrangements to ensure good mobile connectivity on the underground stretch.

The article by Sunita Sekhar was published in the Hindu on June 12, 2014. Nishant Shah gave his inputs.

A really erratic mobile network connection is something all of us have probably experienced, while on the move, every now and then.

If your mobile phone signal can fail you on the road, have you thought what it will be like when you ride underground?

Perhaps it is time to put that thought into your head. Not very many years from now, it is likely you will be riding the Chennai Metro underground.

Folks at Chennai Metro Rail Ltd. (CMRL) have, however, already thought of this, to their credit.

CMRL may soon start making arrangements to ensure good mobile connectivity on the underground stretch.

“We are considering various options to boost mobile network underground. It is important we provide such a service,” says a CMRL official. Chennai Metro, built at a cost of Rs. 14,600 crore, 45 km across the city, will have 24 km underground. Of the 32 stations, 19 will be underground.

CMRL has drawn the idea from Delhi Metro Rail Corporation (DMRC), a principal consultant. Sometime back, Delhi Metro Rail had installed additional cellular towers at its underground stations to improve mobile connectivity.

The value of such a facility will surface especially during a crisis, according to Nishant Shah of Centre for Internet and Society.

“Connectivity becomes crucial when something untoward — be it breakdown of infrastructure or even sexual harassment — occurs on the underground stretch. It needs to be recorded or documented immediately,” he says.

Janaki Pillai of Ability Foundation says connectivity is particularly critical for the hearing impaired, who often use the messaging and WhatsApp services.

“But the question of them using the underground stations and the need for mobile connectivity arises only when the stations are accessible. Whether I choose to use it or not is different, but the service should be available and the choice should be mine,” she says.

For more details visit https://cis-india.org/news/the-hindu-june-11-2014-sunita-sekhar-stay-connected-even-when-you-go-underground

CIS Comments: Enhancing ICANN Accountability

geetha — 2014-06-10T13:03:57Z

On May 6, 2014, ICANN published a call for public comments on "Enhancing ICANN Accountability". This comes in the wake of the IANA stewardship transition spearheaded by ICANN and related concerns of ICANN's external and internal accountability mechanisms. Centre for Internet and Society contributed to the call for comments.

Introduction:

On March 14, 2014, the US National Telecommunications and Information Administration announced its intent to transition key Internet domain name functions to the global multi-stakeholder Internet governance community. ICANN was tasked with the development of a proposal for transition of IANA stewardship, for which ICANN subsequently called for public comments. At NETmundial, ICANN President and CEO Fadi Chehadé acknowledged that the IANA stewardship transition and improved ICANN accountability were inter-related issues, and announced the impending launch of a process to strengthen and enhance ICANN accountability in the absence of US government oversight. The subsequent call for public comments on “Enhancing ICANN Accountability” may be found here.

Suggestions for improved accountability:

In the event, Centre for Internet and Society (“CIS”) wishes to limit its suggestions for improved ICANN accountability to matters of reactive or responsive transparency on the part of ICANN to the global multi-stakeholder community. We propose the creation and implementation of a robust “freedom or right to information” process from ICANN, accompanied by an independent review mechanism.

Article III of ICANN Bye-laws note that “ICANN and its constituent bodies shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness”. As part of this, Article III(2) note that ICANN shall make publicly available information on, inter alia, ICANN’s budget, annual audit, financial contributors and the amount of their contributions, as well as information on accountability mechanisms and the outcome of specific requests and complaints regarding the same. Such accountability mechanisms include reconsideration (Article IV(2)), independent review of Board actions (Article IV(3)), periodic reviews (Article IV(4)) and the Ombudsman (Article V).

Further, ICANN’s Documentary Information Disclosure Policy (“DIDP”) sets forth a process by which members of the public may request information “not already publicly available”. ICANN may respond (either affirmatively or in denial) to such requests within 30 days. Appeals to denials under the DIDP are available under the reconsideration or independent review procedures, to the extent applicable.

While ICANN has historically been prompt in its response to DIDP Requests, CIS is of the view that absent the commitments in the AoC following IANA stewardship transition, it would be desirable to amend and strengthen Response and Appeal procedures for DIDP and other, broader disclosures. Our concerns stem from the fact that, first, the substantive scope of appeal under the DIDP, on the basis of documents requested, is unclear (say, contracts or financial documents regarding payments to Registries or Registrars, or a detailed, granular break-up of ICANN’s revenue and expenditures); and second, that grievances with decisions of the Board Governance Committee or the Independent Review Panel cannot be appealed.

Therefore, CIS proposes a mechanism based on “right to information” best practices, which results in transparent and accountable governance at governmental levels.

First, we propose that designated members of ICANN staff shoulder responsibility to respond to information requests. The identity of such members (information officers, say) ought to be made public, including in the response document.

Second, an independent, third party body should be constituted to sit in appeal over information officers’ decisions to provide or decline to provide information. Such body may be composed of nominated members from the global multi-stakeholder community, with adequate stakeholder-, regional- and gender-representation. However, such members should not have held prior positions in ICANN or its related organizations. During the appointed term of the body, the terms and conditions of service ought to remain beyond the purview of ICANN, similar to globally accepted principles of an independent judiciary. For instance, the Constitution of India forbids any disadvantageous alteration of privileges and allowances of judges of the Supreme Court and High Courts during tenure.

Third, and importantly, punitive measures ought to follow unreasonable, unexplained or illegitimate denials of requests by ICANN information officers. In order to ensure compliance, penalties should be made continuing (a certain prescribed fine for each day of information-denial) on concerned officers. Such punitive measures are accepted, for instance, in Section 20 of India’s Right to Information Act, 2005, where the review body may impose continuing penalties on any defaulting officer.

Finally, exceptions to disclosure should be finite and time-bound. Any and all information exempted from disclosure should be clearly set out (and not merely as categories of exempted information). Further, all exempted information should be made public after a prescribed period of time (say, 1 year), after which any member of the public may request for the same if it continues to be unavailable.

CIS hopes that ICANN shall deliver on its promise to ensure and enhance its accountability and transparency to the global multi-stakeholder community. To that end, we hope our suggestions may be positively considered.

Comment repository:

All comments received by ICANN during the comment period (May 6, 2014 to June 6, 2014) may be found at this link.

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-enhancing-icann-accountability

Right to be forgotten poses a legal dilemma in India

praskrishna — 2014-06-09T10:02:25Z

The “right to be forgotten” judgment has raised a controversy, while some argue that it upholds an individual’s privacy, others say it leaves a lot of room for interpretation.

The article by Leslie D' Monte was published in Livemint on June 5, 2014. Sunil Abraham gave his inputs.

Medianama.com has become perhaps the first Indian website to be asked by an individual to remove a link, failing which the user would approach Google Inc. to delete the link under the “right to be forgotten” provision granted by a European court. There’s one hitch: India doesn’t have any legal provision to entertain or process such request.

In his request to the media website, the individual cited a landmark 13 May judgment by the Court of Justice of the European Union (EU), which said users could ask search engines like Google or Bing to remove links to web pages that contain information about them.

According to the judgement, the user is also free to approach “the competent authorities in order to obtain, under certain conditions, the removal of that link from the list of results” if the search engines do not comply.

“...this individual told us of a plan to appeal to Google on the basis of the judgment of the European Court of Justice, and asked us to either convert the public post into a non-indexable post, such that it may not be surfaced by search engines, or to modify the individual’s name, place and any references to his/her employer in the post that we’ve written, so that it cannot be linked directly to the individual,” said Nikhil Pahwa, founder of medianama.com.

Pahwa did not reveal the identity of the individual, who made the request on 31 May. Medianama, according to Pahwa, had written about the individual “a few years ago, protesting against attacks on his/her freedom of speech.” It did not give details. The media website reported about the request on 2 June.

Under legal pressure, the individual eventually relented and retracted the request.

The individual, Pahwa said, requested medianama.com to retain only his last name on the web page, cautioning that if the website does not do so, he would submit the URL (uniform resource locator or address of that link) of that web page to Google in a “right to be forgotten” request.

This, Pahwa said, “might hurt our search ranking, or lead to a blanket removal of our website from Google’s search index.”

“This is a tricky one, and we’ve declined this request,” said Pahwa. He added that “the implications for media are immense, since digital data, which is a recording of online history, will be affected.”

The EU ruling came after a Spanish national complained in 2010 that searching his name in Google threw up links to two newspaper webpages which reported a property auction to recover social security debt he once owed, even though the information had become irrelevant since the proceedings had since been resolved.

Following the ruling, Google put up an online form (mintne.ws/1oYVP5Y), inviting users in Europe to submit their requests.

“...we will assess each individual request and attempt to balance the privacy rights of the individual with the public’s right to know and distribute information,” the form reads.

“When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information—for example, information about financial scams, professional malpractice, criminal convictions, or public conduct of government officials...”

A Google spokesman said on Tuesday that the company had received over 41,000 requests to be forgotten so far.

On the first day itself, Google had received 12,000 requests.

“Almost a third of the requests were in relation to accusations of fraud, 20% were in relation to violent/serious crimes, and around 12% regarded child pornography arrests. More than 1,500 of these requests are believed to have come from people in the UK. An ex-politician seeking re-election, a paedophile and a GP (general practitioner) were among the British applicants”, according to a 2 June report inThe Telegraph of London.

The “right to be forgotten” judgment has raised a controversy. While some argue that it upholds an individual’s privacy, others say it leaves a lot of room for interpretation.

In an interview to Mint on 26 May, Anupam Chander, director of the California International Law Center, reasoned that if a person could simply scrub all the bad information about him from being searchable on the Internet, she/he could do so by claiming that such information was “no longer relevant”.

“Do we want search engines to then judge whether information remains “relevant” or is somehow “inadequate” under the threat of liability for leaving information accessible? An Internet sanitized of accessible negative information will only tell half the truth,” he argued.

The ruling is not binding on India and applies only to EU countries.

According to legal experts, the country has no provision for a right to be forgotten, either in the Information Technology (IT) Act 2000 (amended in 2008) or the IT Rules, 2011. India, for that matter, does not even have a privacy act as yet.

“In India, we do not have a concept of the right to be Forgotten. It’s a very Western concept,” said Pavan Duggal, a cyberlaw expert and Supreme Court advocate.

Still, intermediaries like search engines and Internet services providers, under the country’s IT Act and IT Rules, have the obligation to exercise due diligence if an aggrieved party sends them a written notice, he said.

According to Sunil Abraham, executive director of the Centre for Internet and Society, an Internet rights lobby group, “right to be forgotten” cases should pass the “public interest” test.

“Privacy protection should not have a chilling effect on transparency. The question is: Does the content (which a user wants to be removed) serve a public interest that outweighs the harm that it is doing to the individual concerned? If no public interest is being served, there is no point in knowing what the content is all about. The complication with the EU ruling is that it wants intermediaries and over-the-top providers to play the role of judges,” said Abraham.

For more details visit https://cis-india.org/news/livemint-leslie-d-monte-june-5-2014-right-to-be-forgotten-poses-legal-dilemma-in-india

CIS Cybersecurity Series (Part 14) – Menaka Guruswamy

purba — 2014-07-21T10:39:03Z

CIS interviews Menaka Guruswamy, lawyer at the Supreme Court of India, as part of the Cybersecurity Series.

"The courts have rarely used privacy to stop the Indian state from getting into someone's business. So jurisprudentially, it is a weak challenge when you mount a rights based or a privacy right challenge against surveillance by the state. Because the answer of the state to that has always been, and as has been Obama's answer in the United States, that there are national security concerns. And usually national security will trump individual privacy."

Centre for Internet and Society presents its fourteenth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Menaka Guruswamy practices law at the Supreme Court of India. She was a Rhodes Scholar at Oxford University, and a Gammon Fellow at Harvard Law School, and a gold medalist from the National Law School of India. She has law degrees from all three schools, with a focus on Constitutional Law and Public International Law. Guruswamy has worked at the Office of the Attorney General of India, the highest office that represents the federal government of India in the Supreme Court of India.

http://youtu.be/GCDD6Z-UrGI

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-14-2013-menaka-guruswamy

WSIS+10 High-Level Event: Open Consultation Process

praskrishna — 2014-06-04T10:14:01Z

Jyoti Panday represented the Centre for Internet and Society (CIS) at the WSIS+10 High-Level Event:Open Consultation Process held in Geneva from May 28 to 31, 2014.

The Fifth Physical Meeting marked Phase Six of the Open Consultation Process for the WSIS+10 High-Level Event (HLE) to be held in Geneva from June 10 to 13, 2014.

The meeting saw the culmination of the multistakeholder review process on the WSIS+10 Statement on the Implementation of the WSIS Outcomes and the WSIS+10 Vision for WSIS Beyond 2015.

CIS made interventions on text related to increasing women's participation, freedom of expression, media rights, data privacy, network security and human rights.

CIS also endorsed text on action line 'Media' which reaffirmed committment to freedom of expression, data privacy and media rights offline and online including protection of sources, publishers and journalists.

Download the final agreed draft of the WSIS+10 Statement on the Implementation of WSIS Outcomes that will be deliberated upon and agreed at the HLE, for your reference.

For more details visit https://cis-india.org/news/wsis-high-level-event-open-consultation-process

Search and Seizure and the Right to Privacy in the Digital Age: A Comparison of US and India

divij — 2014-06-02T06:45:14Z

The development of information technology has transformed the way in which individuals make everyday transactions and communicate with the world around us. These interactions and transactions are recorded and stored – constantly available for access by the individual and the company through which the service was used.

For example, the ubiquitous smartphone, above and beyond a communication device, is a device which can maintain a complete record of the communications data, photos, videos and documents, and a multitude of other deeply personal information, like application data which includes location tracking, or financial data of the user. As computers and phones increasingly allow us to keep massive amounts of personal information accessible at the touch of a button or screen (a standard smartphone can hold anything between 500 MB to 64 GB of data), the increasing reliance on computers as information-silos also exponentially increases the harms associated with the loss of control over such devices and the information they contain. This vulnerability is especially visceral in the backdrop of law enforcement and the use of coercive state power to maintain security, juxtaposed with the individual’s right to secure their privacy.

American Law - The Fourth Amendment Protection against Unreasonable Search and Seizure

The right to conduct a search and seizure of persons or places is an essential part of investigation and the criminal justice system. The societal interest in maintaining security is an overwhelming consideration which gives the state a restricted mandate to do all things necessary to keep law and order, which includes acquiring all possible information for investigation of criminal activities, a restriction which is based on recognizing the perils of state-endorsed coercion and its implication on individual liberty. Digitally stored information, which is increasingly becoming a major site of investigative information, is thus essential in modern day investigation techniques. Further, specific crimes which have emerged out of the changing scenario, namely, crimes related to the internet, require investigation almost exclusively at the level of digital evidence. The role of courts and policy makers, then, is to balance the state’s mandate to procure information with the citizens’ right to protect it.

The scope of this mandate is what is currently being considered before the Supreme Court of the United States, which begun hearing arguments in the cases Riley v. California,[1] and United States v Wurie,[2]on the 29^th of April, 2014. At issue is the question of whether the police should be allowed to search the cell phones of individuals upon arrest, without obtaining a specific warrant for such search. The cases concern instances where the accused was arrested on account of a minor infraction and a warrantless search was conducted, which included the search of cell phones in their possession. The information revealed in the phones ultimately led to the evidence of further crimes and the conviction of the accused of graver crimes. The appeal is for a suppression of the evidence so obtained, on grounds that the search violates the Fourth Amendment of the American Constitution. Although there have been a plethora of conflicting decisions by various lower courts (including the judgements in Wurie and Riley),[3] the Federal Supreme Court will be for the first time deciding upon the issue of whether cell phone searches should require a higher burden under the Fourth Amendment.

At the core of the issue are considerations of individual privacy and the right to limit the state’s interference in private matters. The fourth amendment in the Constitution of the United States expressly grants protection against unreasonable searches and seizure,[4]however, without a clear definition of what is unreasonable, it has been left to the courts to interpret situations in which the right to non-interference would trump the interests of obtaining information in every case, leading to vast and varied jurisprudence on the issue. The jurisprudence stems from the wide fourth amendment protection against unreasonable government interference, where the rule is generally that any warrantless search is unreasonable, unless covered by certain exceptions. The standard for the protection under the Fourth Amendment is a subjective standard, which is determined as per the state of the bind of the individual, rather than any objective qualifiers such as physical location; and extends to all situations where individuals have a reasonable expectation of privacy, i.e., situations where individuals can legitimately expect privacy, which is a subjective test, not purely dependent upon the physical space being searched.[5]

Therefore, the requirement of reasonableness is generally only fulfilled when a search is conducted subsequent to obtaining a warrant from a neutral magistrate, by demonstrating probable cause to believe that evidence of any unlawful activity would be found upon such search. A warrant is, therefore, an important limitation on the search powers of the police. Further, the protection excludes roving or general searches and requires particularity of the items to be searched. The restriction derives its power from the exclusionary rule, which bars evidence obtained through unreasonable search or seizure, obtained directly or through additional warrants based upon such evidence, from being used in subsequent prosecutions. However, there have evolved several exceptions to the general rule, which includes cases where the search takes place upon the lawful arrest of an accused, a practice which is justified by the possibility of hidden weapons upon the accused or of destruction of important evidence.[6]

The appeal, if successful, would provide an exception to the rule that any search upon lawful arrest is always reasonable, by creating a caveat for the search of computer devices like smartphones. If the court does so, it would be an important recognition of the fact that evolving technologies have transmuted the concept of privacy to beyond physical space, and legal rules and standards that applied to privacy even twenty years ago, are now anachronistic in an age where individuals can record their entire lives on an iPhone. Searching a person nowadays would not only lead to the recovery of calling cards or cigarettes, but phones and computers which can be the digital record of a person’s life, something which could not have been contemplated when the laws were drafted. Cell phone and computer searches are the equivalent of searches of thousands of documents, photos and personal records, and the expectation of privacy in such cases is much higher than in regular searches. Courts have already recognized that cell phones and laptop computers are objects in which the user may have a reasonable expectation of privacy by making them analogous to a “closed container” which the police cannot search and hence coming under the protection of the Fourth Amendment.[7]

On the other hand, cell phones and computers also hold data which could be instrumental in investigating criminal activity, and with technologies like remote wipes of computer data available, such data is always at the risk of destruction if delay is occurred upon the investigation. As per the oral arguments, being heard now, the Court seems to be carving out a specific principle applicable to new technologies. The Court is likely to introduce subtleties specific to the technology involved – for example, it may seek to develop different principles for smartphones (at issue in Riley) and the more basic kind of cell-phones (at issue in Wurie), or it may recognize that only certain kinds of information may be accessed,[8]or may even evolve a rule that would allow seizure, but not a search, of the cell phone before a search warrant can be obtained.[9] Recognizing that transformational technology needs to be reflected in technology-specific legal principles is an important step in maintaining a synchronisation between law and technology and the additional recognition of a higher threshold adopted for digital evidence and privacy would go a long way in securing digital privacy in the future.

Search and Seizure in India

Indian jurisprudence on privacy is a wide departure from that in the USA. Though it is difficult to strictly compartmentalize the many facets of the right to privacy, there is no express or implicit mention of such a right in the Indian Constitution. Although courts have also recognized the importance of procedural safeguards in protecting against unreasonable governmental interference, the recognition of the intrinsic right to privacy as non-interference, which may be different from the instrumental rights that criminal procedure seeks to protect (such as misuse of police power), is sorely lacking. The general law providing for the state’s power of search and seizure of evidence is found in the Code of Criminal Procedure, 1973.

Section 93 provides for the general procedure of search. Section 93 allows for a magistrate to issue a warrant for the search of any “document or thing”, including a warrant for general search of an area, where it believes it is required for the purpose of investigation. The particularity of the search warrant is not a requirement under S. 93(2), and hence a warrant may be for general or roving search of a place. Section 100, which further provides for the search of a closed place, includes certain safeguards such as the presence of witnesses and the requirement of a warrant before a police officer may be allowed ingress into the closed place. However, under S. 165 and S. 51 of the code, the requirements of a search warrant are exempted. S. 165 dispenses with the warrant requirement and provides for an officer in charge of a police station, or any other officer duly authorized by him, to conduct the search of any place as long as he has reasonable grounds to believe that such search would be for the purpose of an investigation and a belief that a search warrant cannot be obtained without undue delay. Further, the officer conducting such search must as far as possible note down the reasons for such belief in writing prior to conducting the search. Section 51 provides another express exception to the requirement of search warrants, by allowing the search of a person arrested lawfully provided that the arrested person may not or cannot be admitted to bail, and requires any such seized items to be written in a search memo. As long as these conditions are fulfilled, the police has an unqualified authority to search a person upon arrest. Therefore, where the arrestee can be admitted to bail as per the warrant, or, in cases of warrantless arrest, as per the law, the search and seizure of such person may not be regular, and the evidence so collected would be subject to greater scrutiny by the court. However, besides these minimal protections, there is no additional procedural protection of individual privacy, and the search powers of the police are extremely wide and discretionary. In fact, there is a specific absence of the exclusionary rule as a protection as well, which means that, unlike under the Fourth Amendment, the non-compliance with the procedural requirements of search would not by itself vitiate the proceedings or suppress the evidence so found, but would only amount to an irregularity which must be simply another factor considered in evaluating the evidence.[10]

The extent of the imputation of the Fourth Amendment protection against unreasonable governmental interference in the Indian constitution is also uncertain. A direct imputation of the Fourth Amendment into the Indian Constitution has been disregarded by the Supreme Court.[11]Though the allusions to the Fourth Amendment have mostly been invoked on facts where unreasonable intrusions into the homes of persons were challenged, the indirect imputation of the right to privacy into the right under Article 21 of the Constitution, invoking the right to privacy as a right to non-interference and a right to live with dignity, would suggest that the considerations for privacy under the Constitution are not merely objective, or physical, but depend on the subjective facts of the situation, i.e. its effect on the right to live with dignity (analogous to the reasonable expectation of privacy test laid down in Katz).[12] Further, the court has specifically struck down provisions for search and seizure which confer particularly wide and discretionary powers on the executive without judicial scrutiny, holding that searches must be subject to the doctrine of proportionality, and that a provision probable cause to effect any search.[13] The Fourth Amendment protection against unreasonable interference in private matters by the state is a useful standard to assess privacy, since it imputes a concept of privacy as an intrinsic right as well as an instrumental one, i.e. privacy as non-interference is a good in itself, notwithstanding the rights it helps achieve, like the freedom of movement or speech.

Regarding digital privacy in particular, Indian law and policy has failed to stand up to the challenges that new technologies pose to privacy and has in fact been regressive, by engaging in surveillance of communications and by allowing governmental access to digital records of online communications (including emails, website logs, etc.) without judicial scrutiny and accountability.[14] In an age of transformative technology and of privacy being placed at a much greater risk, laws which were once deemed reasonable are now completely inadequate in guaranteeing freedom and liberty as encapsulated by the right to privacy. The disparity is even more pronounced in cases of investigation of cyber-crimes which rely almost exclusively on digital evidence, such as those substantively enumerated under the Information Technology Act, but investigated under the general procedure laid down in the Code of Criminal Procedure, which is already mentioned. The procedures for investigation of cyber-crimes and the search and seizure of digital evidence require special consideration and must be brought in line with changing norms. Although S.69 and 69B lay down provisions for investigation of certain crimes,[15] which requires search upon an order by competent authority, i.e. the Secretary to the Department of IT in the Government of India, the powers of search and seizure are also present in several other rules, such as rule 3(9) of the Information Technology (Due diligence observed by intermediaries guidelines) Rules, 2011 which allows access to information from intermediaries by a simple written order by any agency or person who are lawfully authorised for investigative, protective, cyber security or intelligence activity; or under rule 6 of the draft Reasonable Security Practices Rules, 2011 framed under Section 43A of the Information Technology Act, where any government agency may, for the prevention, detection, investigation, prosecution, and punishment of offences, obtain any personal data from an intermediate “body corporate” which stores such data. The rules framed for investigation of digital evidence, therefore, do not inspire much confidence where safeguarding privacy is concerned. In the absence of specific guidelines or amendments to the procedures of search and seizure of digital evidence, the inadequacies of applying archaic standards leads to unreasonable intrusions of individual privacy and liberties – an incongruity which requires remedy by the courts and legislature of the country.

[1]. http://www.supremecourt.gov/oral_arguments/argument_transcripts/13-132_h315.pdf

[2]. http://www.supremecourt.gov/oral_arguments/argument_transcripts/13-212_86qd.pdf

[3]. In Wurie, the motion to supress was allowed, while in Riley it was denied. Also see US v Jacob Finley, US v Abel Flores-Lopez where the motion to suppress was denied.

[4]. The Fourth Amendment to the Constitution of the United States of America: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

[5]. Katz v United States, 389 U.S. 347, 352 (1967).

[6]. Stephen Saltzer, American Criminal Procedure

[7]. United States v Chan, 830 F. Supp. 531,534 (N.D. Cal. 1993).

[8]. A factor considered in US v Abel Flores-Lopez, where the court held that the search of call history in a cell phone did not constitute a sufficient infringement of privacy to require the burden of a warrant.

[9]. The decision in Smallwood v. Florida, No. SC11-1130, before the Florida Supreme Court, made such a distinction.

[10]. State Of Maharashtra v. Natwarlal Damodardas Soni, AIR 1980 SC 593; Radhakrishnan v State of UP, 1963 Supp. 1 S.C.R. 408

[11]. M.P. Sharma v Satish Chandra, AIR 1954 SC 300

[12]. Kharak Singh v State of UP, (1964) 1 SCR 332; Gobind v State of Madhya Pradesh, 1975 AIR 1378

[13]. District Registrar and Collector v. Canara Bank, AIR 2005 SC 186, which related to S.73 of the Andhra Pradesh Stamps Act which allowed ‘any person’ to enter into ‘any premises’ for the purpose of conducting a search.

[14]. S. 69 and 69B of the Information Technology (Amendment) Act, 2008.

[15]. Procedures and Safeguards for Monitoring and collecting traffic data or information rules 2009, available at http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009

For more details visit https://cis-india.org/internet-governance/blog/search-and-seizure-and-right-to-privacy-in-digital-age

Digital death: Log off in peace

praskrishna — 2014-05-28T07:24:52Z

From email and e-banking to shopping and social media sites, Indians have expanded their online footprint. Now, a small but rising number are planning for their digital death.

The article by Purnima Sharma was published in the Times of India on May 25, 2014. Nishant Shah is quoted.

A few days after his son Yousmann's death in a road accident, Kongposh Bazaz began searching for the 19-year-old's Facebook password. "There was such an outpouring of grief on his wall that I felt the need to 'speak' to my son's friends on his behalf, telling them to be strong," he says. Facebook does not hand over access to a person's account even when they die but fortunately, Yousmann had shared his password with a close friend who gave it to Bazaz. "Like any teenager, he did not share it with his parents," says the 51-year-old publisher, revealing that while he has memorialized his son's Facebook page, he would prefer that his own online accounts were closed.

As we build our lives in a virtual world, there's a growing concern about what happens to our online presence after death. In the West, some people are writing out digital wills, spelling out how their virtual life should be handled post-mortem . In India, too, a small number is taking an interest in their digital afterlife. Sandeep Nerlekar, MD and CEO Terentia Consultants, an estate planning firm that handles both online (through a portal www.onlinewill .co.in) and digital wills, says, "Now, even social networking sites are becoming part of one's assets."

Nishant Shah, director, Research, at the Bangalore-based Centre for Internet and Society, says that though the trend is nascent, people have started including their digital accounts in their wills. "However, it is evident, that as more and more of our lives get mediated by digital devices, and as we live on the cloud, we are going to have to find legal and personal options of making sure that important data gets transmitted beyond our lives, and stored, archived and managed in responsible ways for those who find value in it."

But in a country where only a small percentage writes wills for physical assets, it's not something a lot of people are thinking about proactively. Sudha Sarin, Delhi-based communications specialist, says "It doesn't get priority, like your financial assets," she says. At some point, she intends to leave a list of all her online account-ids and passwords in a place where her sons can find them easily. "This will give them access to my friends list so that they can be informed. And, in turn, let people who knew me reach out to them at such a time," she says. But she will want her family to close her accounts a couple of months after. "I wouldn't want my accounts to just sit out there. It's a way of closure," she says.

Sarin faced these questions of mortality after she lost her sister Geeta to cancer three months ago. She has decided to memorialize Geeta's Facebook page. Facebook doesn't allow family members access to data/passowords etc but kin can either delete or "memorialize" the accounts of the deceased. Sarin believes she's taken a decision her sister would have supported. "Reading her posts and seeing her pictures act like a balm - it's a catharsis of sorts," she says.

American blogger Evan Caroll, who runs The Digital Beyond which talks about digital afterlife, writes that people need to start planning for what is to be done with their email, online banking and trading, social media , photo-sharing , online billpay and blogs after death. In an email interview with TOI, he suggests a simple conversation with one's heirs, using online services like SecureSafe that let users store passwords to pass along when they are gone or speaking to one's lawyer.

Companies have different policies on what to do with accounts of those deceased. Last year, Google introduced a stepby-step process allowing users to plan what they want done with their account, and in some cases they provide the contents of an email account which hasn't left specific instructions after a "careful review" . Yahoo and Facebook currently have no service akin to a virtual will, but offer the option of closing down a deceased person's email accounts and social media profiles , though only after receiving verification of death. Arunav Sinha, director, corporate communications , India, China & South East Asia of Yahoo, says that virtual legacy planning is a personal prerogative in India today. "We can't hand over any data to anyone, as per the terms of our service. Requests for access have to come through a legal process and with the relevant documentation," he says.

Caroll says there is no standard way in which online accounts are handled once you're gone. "People too have varied responses - while some look at it as a place to remember and grieve, others believe it's strange to continue the online profile."

Rekha Aggarwal, advocate, Supreme Court, has started suggesting to clients that they keep their online accounts in mind too. "Talking about myself, I've already passed on my password to my son in case of any eventuality. I've told him to close my accounts because I don't want to be left hanging in the virtual world."

But there are many for whom "the sense of digital life beyond death is exciting ," points out Nishant Shah. "I know of people who actually leave a last message to be posted on social media by their friends or family. There are some whose accounts are now transparently run by their partners or families." '

Accessing a deceased person's account is something Pooja Dager isn't comfortable with. The 37-year-old HR manager has "not even tried to venture into that territory" after her husband's passing. "Only his bank accounts were transferred to my son's name, that's it. The others I try not to think about. I just let them be," she adds.

But as internet users age, many more people will have to confront these issues.

Making a digial will

Take an inventory of your online accounts and plan a way for your heirs to access your 'memories' such as photos, movies and emails Give instructions whether you want your page(s) closed or if you'd like someone to answer your friends' posts on your behalf, maybe for a few months You might even like to incorporate details of your digital assets in your will. Consult your attorney for advice.
Evan Carroll, The Digital Beyond

For more details visit https://cis-india.org/news/the-times-of-india-may-25-2014-purnima-sharma-digital-death-log-off-in-peace

India needs better cyber police

praskrishna — 2014-06-04T07:56:33Z

On Wednesday, one of the largest online shopping and auction portals, eBay, revealed that earlier this year, cybercriminals accessed details of 145 million of its customers.

The article by Surabhi Agarwal was published in the Business Standard on May 23, 2014. Sunil Abraham is quoted.

Even though eBay's customers' financial details are said to be safe, the incident is being termed a "historic breach" given the enormity of the data compromised. Globally, eBay is being criticised not just for its laxity in securing the digital perimeter but also for reacting too late. The company has said that it first came to know of the breach "two weeks" ago. Records that have been accessed contain passwords as well as email addresses, birth dates, mailing addresses and other personal information.

The situation is worse when it comes to reporting such instances in India, say cyber security experts. The Indian Information Technology Act requires companies to adopt "reasonable security measures" to protect consumers' sensitive personal information such as passwords and financial details. It also makes companies duty bound to report breaches and also defines liabilities in case a firm is found not to be adhering to best data security practices. However, implementation is patchy and most such instances go unreported.

Pavan Duggal, an advocate specialising in cyber security, says most users do not come to know if there has been a breach. "Awareness is also low among consumers about the legal recourse available in case their data has been compromised," he adds. Unlike in the West, lack of a proper data protection and privacy law in India is to be blamed for this. "Companies, too, are inclined not to report such instances as they fear being negatively impacted in the market," he points out.

In case of a breach, a user can contact the adjudicating officer, which is the state infotech secretary, for legal recourse. However, the onus is on the user to prove the breach. In the US, a consumer can get a subpoena (court order) issued against a company that makes it duty bound to provide details of the breach. "In India, the regime is too lax. It is very difficult to notify the government," says Sunil Abraham, executive director of the Centre for Internet and Society.

"There are stringent compliance requirements in countries such as the US. The laws in India need to come tougher if we want companies to become more serious about this," adds Duggal.

eBay has advised consumers, many of whom could be Indians, to immediately change their passwords. While people tend to use the same password across many sites, emails and phones numbers act as verifying tools for several financial transactions and could be misused. Moreover, unlike India, the US does not require additional authentication apart from credit card and CVV number, which makes transactions slightly more vulnerable. "It may be a good idea to include a one-time password as a security layer," says Abraham.

Over 200 million Indians are online. The Indian e-commerce market is estimated at $2 billion (Rs 12,000 crore) and is expected to cross $20 billion over the next four years.

"There is no such thing as 100 per cent protection in the digital world. The choice is between transacting online or not," says Akhilesh Tuteja, executive director of consulting firm KPMG. "Technology is becoming so sophisticated that what was good yesterday is not good today." A bigger dialogue is needed on people treating theft of digital assets just as they would physical assets, he adds.

The last big breach was reported at software maker Adobe Systems in October 2013, when it was uncovered that hackers accessed about 152 million user accounts. Last December Target said some 40 million payment card numbers and another 70 million customer records were hacked into.

For more details visit https://cis-india.org/news/business-standard-may-23-2014-surabhi-agarwal-india-needs-better-cyber-police

Students lead the way with apps for ideas

praskrishna — 2014-05-28T09:24:30Z

At 1am, the lights are still on in 15-year-old Pratik's room at his house on 80 Feet Road, Indiranagar. The NPS-Koramangala student is busy typing code on his laptop for his latest app called Resolve.

The article published in the Times of India on May 21, 2014 quotes Nishant Shah.

Pratik epitomizes Gen X. Coding and decoding, these school children, barely into their teens, are developing apps drawing attention worldwide.

"I learnt coding by myself with the help of the internet. The world wants things simplified and that's why apps are a hit. The first app I made was a calculator because my dad was unhappy with the one on his phone. My work was initially rejected, but I knew that would happen. But I continued working. When I went to a Microsoft conference, they told me youngsters have ideas to change the world and we have the time," said Pratik.

He was felicitated with a Nokia Lumia 1520 at the Windows Azure Conference 2014 for his work in developing apps for Windows and Windows Phone store.

Rahul Yedida, a Class 12 student at the National Centre for Excellence, has around 18,000 downloads for the app he and his friend created. "I wasn't too happy with the amount of Maths homework. I started wondering whether an app could do it. At the same time, I had learnt a new language and wanted to test my skills. That's how I started working on it," said Rahul.

"Programming is fun. Seeing a computer work the way you want it to gives you special joy," said Vaisakh M, Rahul's co-developer. They sent a letter to Bill Gates about the app and got a reply lauding their achievement.

Quote hanger
* During my free time, I read about programming which helps me when I write programs. My friends in the colony join me when I watch videos about it. They do programs in other languages. I play games and used to wonder how they're made. My dad promised to get me a laptop if I start programming and that's how it started.

Thrisha Mohan| 12, Vidyashilp Academy, now working on a jewellery app

* Apps are the cool things to do now. With the kind of access possible thanks to smart phones, they have gone to the masses. I wouldn't be surprised at the number of apps being created. When an app is created in a college dormitory, 1,000 students in the college will download it. That's instant gratification. The ecosystem is such that with social networking sites, you become an instant hero. The question is: How many can be successful and have a long life?

S Sadagopan | director, IIIT-B

* Apps are more relevant for those growing up with interfaces which are mobile and wearable. We also need to realise there is a growing generation of people whose first point of access to the digital as well as to the connected worlds of the internet is through mobile devices. And apps are a natural way of interaction. It is a positive trend because it allows users to think of themselves not only as 'users' but as active producers of the digital world. They look beyond platforms made available by multi-national companies or private enterprises, and it allows them to build communities of interaction and learning between them. We need to make sure they are safe and not susceptible to invasive presence of others who might exploit their presence on the web.

Nishant Shah | director- research, The Centre for Internet and Society

For more details visit https://cis-india.org/news/times-of-india-may-21-2014-sruthy-susan-ullas-students-lead-the-way-with-apps-for-ideas

Legislating for Privacy - Part II

bhairav — 2014-05-28T09:59:56Z

Apart from the conflation of commercial data protection and privacy, the right to privacy bill has ill-informed and poorly drafted provisions to regulate surveillance.

The article was published in the Hoot on May 20, 2014.

In October 2010, the Department of Personnel and Training ("DOPT") of the Ministry of Personnel, Public Grievances and Pensions released an ‘Approach Paper’ towards drafting a privacy law for India. The Approach Paper claims to be prepared by a leading Indian corporate law firm that, to the best of my knowledge, has almost no experience of criminal procedure or constitutional law. The Approach Paper resulted in the drafting of a Right to Privacy Bill, 2011 ("DOPT Bill") which, although it has suffered several leaks, has neither been published for public feedback nor sent to the Cabinet for political clearance prior to introduction in Parliament.

Approach Paper and DOPT Bill

The first article in this two-part series broadly examined the many legal facets of privacy. Notions of privacy have long informed law in common law countries and have been statutorily codified to protect bodily privacy, territorial or spatial privacy, locational privacy, and so on. These fields continue to evolve and advance; for instance, the legal imperative to protect intimate body privacy from violation has now expanded to include biometric information, and the protection given to the content of personal communications that developed over the course of the twentieth century is now expanding to encompass metadata and other ‘information about information’.

The Approach Paper suffers from several serious flaws, the largest of which is its conflation of commercial data protection and privacy. It ignores the diversity of privacy law and jurisprudence in the common law, instead concerning itself wholly with commercial data protection. This creates a false equivalency, albeit not one that cannot be rectified by re-naming the endeavour to describe commercial data protection only.

However, there are other errors. The paper claims that no right of action exists for privacy breaches between citizens inter se. This is false, the civil wrongs of nuisance, interference with enjoyment, invasion of privacy, and other similar torts and actionable claims operate to redress privacy violations. In fact, in the case of Ratan Tata v. Union of India that is currently being heard by the Supreme Court of India, at least two parties are arguing that privacy is already adequately protected by civil law. Further, the criminal offences of nuisance and defamation, amongst others, and the recently introduced crimes of stalking and voyeurism, all create rights of action for privacy violations. These measures are incomplete, – this is not contested, the premise of these articles is the need for better privacy protection law – but denying their existence is not useful.

The shortcomings of the Approach Paper are reflected in the draft legislation it resulted in. A major concern with the DOPT Bill is its amateur treatment of surveillance and interception of communications. This is inevitable for the Approach Paper does not consider this area at all although there is sustained and critical global and national attention to the issues that attend surveillance and communications privacy. For an effort to propose privacy law, this lapse is quite astonishing. The Approach Paper does not even examine if Parliament is competent to regulate surveillance, although the DOPT Bill wades into this contested turf.

Constitutionality of Interceptions

In a federal country, laws are weighed by the competence of their legislatures and struck down for overstepping their bounds. In India, the powers to legislate arise from entries that are contained in three lists in Schedule VII of the Constitution. The power to legislate in respect of intercepting communications traditionally emanates from Entry 31 of the Union List, which vests the Union – that is, Parliament and the Central Government – with the power to regulate “Posts and telegraphs; telephones, wireless, broadcasting and other like forms of communication” to the exclusion of the States. Hence, the Indian Telegraph Act, 1885, and the Indian Post Office Act, 1898, both Union laws, contain interception provisions. However, after holding the field for more than a century, the Supreme Court overturned this scheme in Bharat Shah’s case in 2008.

The case challenged the telephone interception provisions of the Maharashtra Control of Organised Crime Act, 1999 ("MCOCA"), a State law that appeared to transgress into legislative territory reserved for the Union. The Supreme Court held that Maharashtra’s interception provisions were valid and arose from powers granted to the States – that is, State Assemblies and State Governments – by Entries 1 and 2 of the State List, which deal with “public order” and “police” respectively. This cleared the way for several States to frame their own communications interception regimes in addition to Parliament’s existing laws. The question of what happens when the two regimes clash has not been answered yet. India’s federal scheme anticipates competing inconsistencies between Union and State laws, but only when these laws derive from the Concurrent List which shares legislative power. In such an event, the ‘doctrine of repugnancy’ privileges the Union law and strikes down the State law to the extent of the inconsistency.

In competitions between Union and State laws that do not arise from the Concurrent List but instead from the mutually exclusive Union and State Lists, the ‘doctrine of pith and substance’ tests the core substance of the law and traces it to one the two Lists. Hence, in a conflict, a Union law the substance of which was traceable to an entry in the State List would be struck down, and vice versa.

However, the doctrine permits incidental interferences that are not substantive. For example, as in a landmark 1946 case, a State law validly regulating moneylenders may incidentally deal with promissory notes, a Union field, since the interference is not substantive. Since surveillance is a police activity, and since “police” is a State subject, care must be taken by a Union surveillance law to remain on the pale of constitutionality by only incidentally affecting police procedure. Conversely, State surveillance laws were required to stay clear of the Union’s exclusive interception power until Bharat Shah’s case dissolved this distinction without answering the many questions it threw up.

Since the creation of the Republic, India’s federal scheme was premised on the notion that the Union and State Lists were exclusive of each other. Conceptually, the Union and the States could not have competing laws on the same subject. But Bharat Shah did just that; it located the interception power in both the Lists and did not enunciate a new doctrine to resolve their (inevitable) future conflict. This both disturbs Indian constitutional law and goes to the heart of surveillance and privacy law.

Three Principles of Interception

Apart from the important questions regarding legislative competence and constitutionality, the DOPT Bill proposed weak, ill-informed, and poorly drafted provisions to regulate surveillance and interceptions. It serves no purpose to further scrutinise the 2011 DOPT Bill. Instead, at this point, it may be constructive to set out the broad contours of a good interceptions regulation regime. Some clarity on the concepts: intercepting communications means capturing the content and metadata of oral and written communications, including letters, couriers, telephone calls, facsimiles, SMSs, internet telephony, wireless broadcasts, emails, and so on. It does not include activities such visual capturing of images, location tracking or physical surveillance; these are separate aspects of surveillance, of which interception of communications is a part.

Firstly, all interceptions of communications must be properly sanctioned. In India, under Rule 419A of the Indian Telegraph Rules, 1951, the Home Secretary – an unelected career bureaucrat, or a junior officer deputised by the Home Secretary – with even lesser accountability, authorises interceptions. In certain circumstances, even senior police officers can authorise interceptions. Copies of the interception orders are supposed to be sent to a Review Committee, consisting of three more unelected bureaucrats, for bi-monthly review. No public information exists, despite exhaustive searching, regarding the authorisers and numbers of interception orders and the appropriateness of the interceptions.

The Indian system derives from outdated United Kingdom law that also enables executive authorities to order interceptions. But, the UK has constantly revisited and revised its interception regime; its present avatar is governed by the Regulation of Investigatory Powers Act, 2000 ("RIPA") which creates a significant oversight mechanism headed by an independent commissioner, who monitors interceptions and whose reports are tabled in Parliament, and quasi-judicially scrutinised by a tribunal comprised of judges and senior independent lawyers, which hears public complaints, cancels interceptions, and awards monetary compensation. Put together, even though the current UK interceptions system is executively sanctioned, it is balanced by independent and transparent quasi-judicial authorities.

In the United States, all interceptions are judicially sanctioned because American constitutional philosophy – the separation of powers doctrine – requires state action to be checked and balanced. Hence, ordinary interceptions of criminals’ communications as also extraordinary interceptions of perceived national security threats are authorised only by judges, who are ex hypothesi independent, although, as the PRISM affairs teaches us, independence can be subverted. In comparison, India’s interception regime is incompatible with its democracy and must be overhauled to establish independent and transparent authorities to properly sanction interceptions.

Secondly, no interceptions should be sanctioned but upon ‘probable cause’. Simply described, probable cause is the standard that convinces a reasonable person of the existence of criminality necessary to warrant interception. Probable case is an American doctrine that flows from the US Constitution’s Fourth Amendment that protects the rights of people to be secure in places in which they have a reasonable expectation of privacy. There is no equivalent standard in UK law, except perhaps the common law test of reasonability that attaches to all government action that abridges individual freedoms. If a coherent ‘reasonable suspicion’ test could be coalesced from the common law, I think it would fall short of the strictness that the probable cause doctrine imposes on the executive. Therefore, the probable cause requirement is stronger than ordinary constraint of reasonability but weaker than the standard of reasonable doubt beyond which courts may convict. In this spectrum of acceptable standards, India’s current law in section 5(2) of the Indian Telegraph Act, 1885 is the weakest for it permits interceptions merely “on the occurrence of any public emergency or in the interest of public safety”, which determination is left to the “satisfaction” of a bureaucrat. And, under Rule 419A(2) of the Telegraph Rules, the only imposition on the bureaucrat when exercising this satisfaction is that the order “contain reasons” for the interception.

Thirdly, all interceptions should be warranted. This point refers not to the necessity or otherwise of the interception, but to the framework within which it should be conducted. Warrants should clearly specify the name and clear identity of the person whose communications are sought to be intercepted. The target person’s identity should be linked to the specific means of communication upon which the suspected criminal conversations take place. Therefore, if the warrant lists one person’s name but another person’s telephone number – which, because of the general ineptness of many police forces, is not uncommon – the warrant should be rejected and the interception cancelled. And, by extension, the specific telephone number, or email account, should be specified. A warrant against a person called Rahul Kumar, for instance, cannot be executed against all Rahul Kumars in the vicinity, nor also against all the telephones that the one specific Rahul Kumar uses, but only against the one specific telephone number that is used by the one specific Rahul Kumar. Warrants should also specify the duration of the interception, the officer responsible for its conduct and thereby liable for its abuse, and other safeguards. Some of these concerns were addressed in 2007 when the Telegraph Rules were amended, but not all.

A law that fails to substantially meet the standards of these principles is liable, perhaps in the not too distant future, to be read down or struck down by India’s higher judiciary. But, besides the threat of judicial review, a democratic polity must protect the freedoms and diversity of its citizens by holding itself to the highest standards of the rule of law, where the law is just.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-may-20-2014-bhairav-acharya-legislating-for-privacy

National Elections 2014: How Technology Powered Campaigns

praskrishna — 2014-05-20T07:03:51Z

HasGeek and the Centre for Internet and Society (CIS) welcome you to a presentation on how technology powered politicial campaigns in the recently concluded 2014 national elections. Developers, advocacy organizations and the general public are invited to participate. The event will be held at CIS on May 23, 2014, 6.00 p.m. to 8.30 p.m.

During the 2014 Indian general elections, technology was widely used for candidate and party campaigns. The purpose of these technology-driven campaigns was to help voters make more informed decisions before casting their votes. Voter responses to these campaigns continuously helped individual candidates and political parties (via their technology teams and consultants) to rework messaging till the very end.

HasGeek and CIS are organizing three presentations followed by an interactive Q&A session to understand how technology spurred campaigns during the 2014 elections, and how voters will have to get smarter just as parties are becoming smart in reaching out to them.

Sessions

Campaigning in the pre-Internet and Internet Era (Talk)

Vijay Grover, founder of Bangalore Media Foundation and television journalist since 17 years, will compare the past and present to explain how internet technologies have changed campaigning stratgies. Grover will argue that voters need to get smart in sifting information and making choices as more and more parties use social media and information technologies in reaching out to them.

Technology-driven campaigns (Talk)

Viral Shah, part of Nandan Nilekani's campaign management team, will talk about how India is placed in the global scene with respect to technology-driven political campaigns. Viral will also discuss how to design a campaign with technology and how technology was used to power Nilekani's campaign.

Tools used for powering campaigns and attracting volunteers (Talk)

BG Mahesh, founder and managing director at Oneindia.in, will talk about the tools used during Narendra Modi's campaign. Apart from informing voters about the candidate, volunteers were also enlisted through the drives. BG Mahesh will throw light on how technology made this possible.

Schedule

Time	Sessions
18.00 18.15	Introductions: HasGeek, CIS, The Fifth Elephant
18.15 18.45	Vijay Grover: Campaigning in the pre-Internet and Internet Era
18.45 19.15	Viral Shah: Technology-driven campaigning
19.15 19.45	B.G.Mahesh: Tools used for powering campaigns and attracting volunteers
19.45 20.15	Q & A Session
20.15 20.30	Snacks

For more details visit https://cis-india.org/events/national-elections-2014-how-technology-powered-campaigns

Net Neutrality, Free Speech and the Indian Constitution – III: Conceptions of Free Speech and Democracy

gautam — 2014-05-27T10:21:24Z

In this 3 part series, Gautam Bhatia explores the concept of net neutrality in the context of Indian law and the Indian Constitution.

In the modern State, effective exercise of free speech rights is increasingly dependent upon an infrastructure that includes newspapers, television and the internet. Access to a significant part of this infrastructure is determined by money. Consequently, if what we value about free speech is the ability to communicate one’s message to a non-trivial audience, financial resources influence both who can speak and, consequently, what is spoken. The nature of the public discourse – what information and what ideas circulate in the public sphere – is contingent upon a distribution of resources that is arguably unjust and certainly unequal.

There are two opposing theories about how we should understand the right to free speech in this context. Call the first one of these the libertarian conception of free speech. The libertarian conception takes as given the existing distribution of income and resources, and consequently, the unequal speaking power that that engenders. It prohibits any intervention designed to remedy the situation. The most famous summary of this vision was provided by the American Supreme Court, when it first struck down campaign finance regulations, in Buckley v. Valeo: “the concept that government may restrict the speech of some [in] order to enhance the relative voice of others is wholly foreign to the First Amendment.” This theory is part of the broader libertarian worldview, which would restrict government’s role in a polity to enforcing property and criminal law, and views any government-imposed restriction on what people can do within the existing structure of these laws as presumptively wrong.

We can tentatively label the second theory as the social-democratic theory of free speech. This theory focuses not so much on the individual speaker’s right not to be restricted in using their resources to speak as much as they want, but upon the collective interest in maintaining a public discourse that is open, inclusive and home to a multiplicity of diverse and antagonistic ideas and viewpoints. Often, in order to achieve this goal, governments regulate access to the infrastructure of speech so as to ensure that participation is not entirely skewed by inequality in resources. When this is done, it is often justified in the name of democracy: a functioning democracy, it is argued, requires a thriving public sphere that is not closed off to some or most persons.

Surprisingly, one of the most powerful judicial statements for this vision also comes from the United States. In Red Lion v. FCC, while upholding the “fairness doctrine”, which required broadcasting stations to cover “both sides” of a political issue, and provide a right of reply in case of personal attacks, the Supreme Court noted:

“[Free speech requires] preserv[ing] an uninhibited marketplace of ideas in which truth will ultimately prevail, rather than to countenance monopolization of that market, whether it be by the Government itself or a private licensee… it is the right of the public to receive suitable access to social, political, esthetic, moral, and other ideas and experiences which is crucial here.”

What of India? In the early days of the Supreme Court, it adopted something akin to the libertarian theory of free speech. In Sakal Papers v. Union of India, for example, it struck down certain newspaper regulations that the government was defending on grounds of opening up the market and allowing smaller players to compete, holding that Article 19(1)(a) – in language similar to what Buckley v. Valeo would hold, more than fifteen years later – did not permit the government to infringe the free speech rights of some in order to allow others to speak. The Court continued with this approach in its next major newspaper regulation case, Bennett Coleman v. Union of India, but this time, it had to contend with a strong dissent from Justice Mathew. After noting that “it is no use having a right to express your idea, unless you have got a medium for expressing it”, Justice Mathew went on to hold:

“What is, therefore, required is an interpretation of Article 19(1)(a) which focuses on the idea that restraining the hand of the government is quite useless in assuring free speech, if a restraint on access is effectively secured by private groups. A Constitutional prohibition against governmental restriction on the expression is effective only if the Constitution ensures an adequate opportunity for discussion… Any scheme of distribution of newsprint which would make the freedom of speech a reality by making it possible the dissemination of ideas as news with as many different facets and colours as possible would not violate the fundamental right of the freedom of speech of the petitioners. In other words, a scheme for distribution of a commodity like newsprint which will subserve the purpose of free flow of ideas to the market from as many different sources as possible would be a step to advance and enrich that freedom. If the scheme of distribution is calculated to prevent even an oligopoly ruling the market and thus check the tendency to monopoly in the market, that will not be open to any objection on the ground that the scheme involves a regulation of the press which would amount to an abridgment of the freedom of speech.”

In Justice Mathew’s view, therefore, freedom of speech is not only the speaker’s right (the libertarian view), but a complex balancing act between the listeners’ right to be exposed to a wide range of material, as well as the collective, societal right to have an open and inclusive public discourse, which can only be achieved by preventing the monopolization of the instruments, infrastructure and access-points of speech.

Over the years, the Court has moved away from the majority opinions in Sakal Papers and Bennett Coleman, and steadily come around to Justice Mathew’s view. This is particularly evident from two cases in the 1990s: in Union of India v. The Motion Picture Association, the Court upheld various provisions of the Cinematograph Act that imposed certain forms of compelled speech on moviemakers while exhibiting their movies, on the ground that “to earmark a small portion of time of this entertainment medium for the purpose of showing scientific, educational or documentary films, or for showing news films has to be looked at in this context of promoting dissemination of ideas, information and knowledge to the masses so that there may be an informed debate and decision making on public issues. Clearly, the impugned provisions are designed to further free speech and expression and not to curtail it.”

LIC v. Manubhai D. Shah is even more on point. In that case, the Court upheld a right of reply in an in-house magazine, “because fairness demanded that both view points were placed before the readers, however limited be their number, to enable them to draw their own conclusions and unreasonable because there was no logic or proper justification for refusing publication… the respondent’s fundamental right of speech and expression clearly entitled him to insist that his views on the subject should reach those who read the magazine so that they have a complete picture before them and not a one sided or distorted one…” This goes even further than Justice Mathew’s dissent in Bennett Coleman, and the opinion of the Court in Motion Picture Association, in holding that not merely is it permitted to structure the public sphere in an equal and inclusive manner, but that it is a requirement of Article 19(1)(a).

We can now bring the threads of the separate arguments in the three posts together. In the first post, we found that public law and constitutional obligations can be imposed upon private parties when they discharge public functions. In the second post, it was argued that the internet has replaced the park, the street and the public square as the quintessential forum for the circulation of speech. ISPs, in their role as gatekeepers, now play the role that government once did in controlling and keeping open these avenues of expression. Consequently, they can be subjected to public law free speech obligations. And lastly, we discussed how the constitutional conception of free speech in India, that the Court has gradually evolved over many years, is a social-democratic one, that requires the keeping open of a free and inclusive public sphere. And if there is one thing that fast-lanes over the internet threaten, it is certainly a free and inclusive (digital) public sphere. A combination of these arguments provides us with an arguable case for imposing obligations of net neutrality upon ISPs, even in the absence of a statutory or regulatory obligations, grounded within the constitutional guarantee of the freedom of speech and expression.

For the previous post, please see: http://cis-india.org/internet-governance/blog/-neutrality-free-speech-and-the-indian-constitution-part-2.

_____________________________________________________________________________________________________

Gautam Bhatia — @gautambhatia88 on Twitter — is a graduate of the National Law School of India University (2011), and presently an LLM student at the Yale Law School. He blogs about the Indian Constitution at http://indconlawphil.wordpress.com. Here at CIS, he will be blogging on issues of online freedom of speech and expression.

For more details visit https://cis-india.org/internet-governance/blog/net-neutrality-free-speech-and-the-indian-constitution-2013-iii-conceptions-of-free-speech-and-democracy

The Future of Cyber Governance

praskrishna — 2014-05-27T10:05:43Z

Hague Institute for Global Justice in association with the Observer Research Foundation, Ministry of Foreign Affairs of Netherlands, and the Netherlands Institute for International Relations - Clingendael organized a conference on the Future of Cyber Governance at the Hague from May 13 to 15, 2014. Sunil Abraham was a speaker at this event.

Global Governance Reform Initiative

The Global Governance Reform Initiative (GGRI) seeks to overcome the challenges of global governance in three important domains – cyberspace, oceans and migration – by improving the efficiency, effectiveness and legitimacy of collective actions undertaken by relevant stakeholders.

The current focus of the GGRI is the governance of cyberspace. How cyberspace is governed has significant implications for a range of critical issues, from national security to the protection of individuals’ rights and freedoms. Yet, the governance of cyberspace is highly contested. Tensions exist between those who favour private sector-led, decentralized forms of governance, and those who favour state-led, centralized forms of governance. There is, therefore, a pressing need for practicable policies which can help balance competing demands effectively.

The conference is a platform for 17 outstanding academics and professionals representing a range of countries and sectors to present papers addressing key issues related to the governance of cyberspace. The authors were selected through a competitive application process which sought to balance the candidates’ professional and geographic backgrounds in a manner that would maximize the quality and policy-relevance of the research.

During the conference, the participants will present their papers to a select group of seasoned experts on cyber governance. These experts will provide the participants with constructive feedback on their research findings and policy recommendations. The aim of the conference is to allow the participants to engage in a rigorous analysis of the selected governance challenges in order to craft practicable policy recommendations aimed at improving the governance of cyberspace. The authors of the best papers will be invited to present their work at the 2014 India Conference on Cyber Security and Cyber Governance, organized by the Observer Research Foundation, New Delhi.
The Hague Institute undertakes this project in collaboration with the Netherlands Ministry of Foreign Affairs, the Observer Research Foundation (New Delhi), and the Netherlands Institute of International Relations – Clingendael.

See the full details of the programme here.

Video

For more details visit https://cis-india.org/news/future-of-cyber-governance

Does Size Matter? A Tale of Performing Welfare, Producing Bodies and Faking Identity

praskrishna — 2014-06-04T09:45:49Z

Malavika Jayaram gave a talk.

This was published by the website of Berkman Center for Internet and Society

Big Data doesn’t get much bigger than India’s identity project. The world’s largest biometric database - currently consisting of almost 600 million enrolled - seduces with promises of inclusion, legitimacy and visibility. By locating this techno-utopian vision within the larger surveillance state that a unique identifier facilitates, Malavika will describe the ‘welfare industrial complex’ that imagines the poor as the next emerging market. She will highlight the risks of the body as password, of implementing e-governance in a legal vacuum, and of digitization reinforcing existing inequalities. The export of technologies of control - once they have been tested on a massive population that has little agency and limited ability to withhold consent - transforms this project from a site of local activism to one with global repercussions. By offering a perspective that is somewhat different from the traditional western focus of privacy, she hopes to generate a more inclusive discourse about what it means to be autonomous and empowered in the face of paternalistic development projects. She will highlight, in particular, the varied ways in which the project is already being subverted and re-purposed, in ways that are humorous and poignant.

About Malavika

Malavika is a Fellow at the Berkman Center for Internet and Society at Harvard University, focusing on privacy, identity and free expression. She is also a Fellow at the Centre for Internet and Society, Bangalore, and the author of the India chapter for the Data Protection & Privacy volume in the Getting the Deal Done series. Malavika is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection Lawyers directory. In August 2013, she was voted one of India’s leading lawyers - one of only 8 women to be featured in the “40 under 45” survey conducted by Law Business Research, London. In a different life, she spent 8 years in London, practicing law with global firm Allen & Overy in the Communications, Media & Technology group, and as VP and Technology Counsel at Citigroup. She is working on a PhD about the development of a privacy jurisprudence and discourse in India, viewed partly through the lens of the Indian biometric ID project.

Podcast

Watch the podcast at this link.

For more details visit https://cis-india.org/news/harvard-university-may-13-2014-does-size-matter