We are anonymous, we are legion

‘Mobile’ voters may sway polls

praskrishna — 2014-03-05T11:55:24Z

BABALAL Patel’s tiny tea stall in Mumbai is a long way from Silicon Valley. It is not even that close to Bangalore, the Indian equivalent.

The article by Avantika Chilkoti was published in BDlive on March 5, 2014. Sunil Abraham is quoted.

But one night this month, this ramshackle shop became the venue for a social media experiment that highlights the hi-tech face of electioneering in India, the world’s largest democracy. A crowd gathered outside to watch two television screens showing a live broadcast with politician Narendra Modi as he answered questions the audience submitted by text message.

Similar "tea parties" were held across India, designed to ram home Modi’s humble background as a tea seller and his technological credentials. The nationwide event, organised by using mobile technology more commonly seen in US presidential campaigns, signals a shift in Indian politics.

For decades, political campaigns in India have centred around colossal rallies and billboard advertising. But a growing population of young people, rising internet use and the ubiquity of cellphones mean this year’s battle is playing out equally fiercely online.

"We are moving far ahead of saying that we are building ‘likes’ on social media," says Arvind Gupta, head of information technology and social media for the Bharatiya Janata Party (BJP).

"Organisation is being done using digital. So if I’m going to tell everybody there’s an event tomorrow, it can be posted on Facebook, websites, on SMS, on WhatsApp, though the real meeting is happening on the ground."

These techniques, which became familiar during the Arab uprisings of North Africa, are an increasingly important part of communication strategy ahead of a national election that must be held in the next three months, and of which the outcome many believe will be close.

Gupta believes parties are fighting what he calls a "postmodern election" for up to 160 — largely urban — seats out of a total of 543. More than half the 50-strong team working on communications for the BJP are dedicated to digital campaigning.

India’s internet user base reached a point of inflection last year, exceeded 200-million. While that is a fraction of the 1.3-billion population, prompting many to question the power of social media, use is far greater among urban and young voters, millions of whom will be eligible to vote for the first time.

"Social media is suddenly becoming important, not for all constituencies, but for urban constituencies, because for the first time the urban youth and the educated class are very much glued into the election and showing interest," says Rajeeva Karandikar, a statistician and election analyst.

Modi, chief minister of Gujarat, has adapted particularly quickly to the changing environment. He captured the public imagination by using holograms to address rallies and Google Hangouts to interact with the diaspora. He has 3.4-million Twitter followers and more than 10.6-million "likes" on his Facebook page, thanks in part to a slick social media team led by high-profile technology entrepreneurs.

By contrast, Rahul Gandhi, the reticent, undeclared candidate for the incumbent Congress party, does not even have a verified Twitter account.

Some were disappointed by low attendance at the national "tea parties", but the events were lauded for being interactive and, perhaps most important in a country where newspaper readership remains high, grabbed column inches in the press. The audience could speak directly to Modi at venues with a two-way video link and the footage was immediately available on YouTube.

"While answering each question, Modi has a point of view," says Pratik Patel, 28, a chartered accountant who organised the event at his grandfather’s tea shop. "He doesn’t have two ways of looking at the same thing — this helps him to be more decisive and forward thinking."

Social media provide swathes of information to India’s political parties, as they copy the sophisticated data analysis used by US President Barack Obama’s campaigns.

From its offices in suburban Mumbai, digital marketing group Pinstorm tracks social media discussions at constituency level and identifies significant supporters or critics. It describes the service as an early warning system or "social radar", which allows parties to mobilise workers rapidly to oppose or support a point of view.

Sceptics argue, however, that social media have insufficient traction in India to affect results of the coming poll. But the size of the user base does not reflect its full power. Educated, influential Indians use these digital networks and the online debate shapes views in traditional media that reach a wider audience.

"The theory is that since the elites are connected and have more time to spare on social media, let us use social media and the internet more generally to influence discourse through these elites," says Sunil Abraham, executive director for the Bangalore-based Centre for Internet and Society. "It’s an indirect route to the vote."

However, an adviser to the Obama campaign warns that, given differences in funding and the environment, India’s politicians should be wary of using the US presidential race as a model. This year, a simpler technology may prove the best tool for campaigns in India: the cellphone.

"Folks look to the Obama campaign for this sort of stuff," says Ethan Roeder, who worked on data for the 2008 and 2012 US presidential campaigns. "But a lot of these international campaigns would do best looking elsewhere for a model.… No campaign in the history of the world has ever spent that much money to elect a single individual to a single office."

India’s version is markedly cheaper, thanks to the roadside chai wallahs and armies of volunteers, pulling in the new breed of voters.

"I have never attended a political rally in my entire life," says Patel, who helped to organise Modi’s nationwide "tea party". "If people want to connect with me they need to connect with me on social media or via e-mail."

For more details visit https://cis-india.org/news/bd-live-avantika-chilkoti-march-5-2014-mobile-voters-may-sway-polls

India’s ballot battle will also run through Facebook

praskrishna — 2014-03-05T11:49:29Z

Facebook on Tuesday launched its widely awaited “election tracker” for the upcoming general elections, a move that signals the growing importance of social media as a political tool in a rapidly urbanizing India.

The article by Zia Haq was published in the Hindustan Times on March 4, 2014. Sunil Abraham is quoted.

India’s 2014 ballot battle will run through the social-media world, which could likely influence electoral outcomes by swinging 3-4% votes, as more and more young Indians go online to make sense of politics, according to two new surveys.

In these mostly urbanising seats, social-media usage is now “sufficiently widespread” to influence politics, according to the Internet and Mobile Association of India (IAMAI). An offline study conducted by market research firm TNS and Google India suggested similar shifts.

The Facebook tracker (http://on.fb.me/1g6ZJ3k) will help India’s 93 million Facebook users to see which parties and candidates as well as issues are trending.

Social-media platforms are likely to be influential in 160 of India’s 543 Parliament constituencies, making Facebook and Twitter users the nation’s newest voting bloc, according to the IAMAI survey.

These are constituencies where 10% of the voting population uses social media sites such as Facebook, or where the number of social media users is higher than the winning candidate’s margin of victory at the last election.

Research shows that social media is more persuasive than television ads. Nearly 100 million Indians, or more than Germany’s population, use the Internet each day. Of this, 40 million have assured broadband, the ones most likely to have at least one social media account.

“Unlike Obama who used social media directly for votes, Indian politicians have tended to use it more to mould public discourse,” says Sunil Abraham, the CEO of The Centre for Internet and Society.

“I think these trends are over-hyped and the impact, if any, would only be marginal,” said Communist Party of India MP, Gurudas Dasgupta, who created a Facebook account only last month.

For more details visit https://cis-india.org/news/hindustan-times-zia-haq-march-4-2014-india-s-ballot-battle-will-also-run-through-facebook

India: Privacy Bill will likely reflect EU Directive

praskrishna — 2014-03-05T11:45:37Z

The Indian Centre for Internet and Society (CIS) called for comments - on 25 February 2014 - on a draft Privacy Protection Bill ('the Bill'). The draft Bill comes after a series of roundtable discussions in 2013. The last CIS roundtable on the Bill, on 19 October 2013, included Jacob Kohnstamm, Chairman of the EU Article 29 Working Party and the Dutch data protection authority, and Christopher Graham, the UK Information Commissioner.

The article was published in DataGuidance on March 3, 2014.

"In its eventual form, I expect [the Bill] will be modelled to a great extent on the European Data Protection Directive (95/46/EC)," Rodney Ryder, Partner at Scriboard, told DataGuidance. "The European Directive is an important model as India moves forward." Data protection in India is currently regulated by the Information Technology Act 2011, however, if enacted, the Bill would introduce the country's first comprehensive privacy regime. In 2013, the European Commission assessed India's data protection regime and decided not to award adequacy recognition at that time.

"If the Bill is introduced in the Winter Session, […] it is likely to […] come into effect either at the end of the year or early in the next year"

The draft Bill regulates collection, storage and processing of personal data, with both monetary and penal penalties yet to be determined for anyone who 'collects, receives, stores, processes or otherwise handles any personal data [except in conformity with the provisions of the Act].' It also establishes an Indian Data Protection Authority (DPA), with the power to investigate data processing and to 'give such directions or pass such orders as are necessary.'

"[Moving forward,] we expect more clarity on the role and functioning of the DPA," Ryder stated. "In the past, the Government of India has not been clear on the role of the DPA. Will this 'authority' have the independent powers and stature of the European Privacy Commissioners? [Additionally,] the complaint mechanism under the Bill requires greater clarity, precision and structure."

Divya Sharma, Legal Director at Bird and Bird LLP, commented, "Considering that India has parliamentary elections scheduled to take place in April 2014, this bill is unlikely to progress further until a new Government takes office in May 2014. […] Any legislation of this nature is unlikely to progress during this Government's tenure."

"If the Bill is introduced in the Winter Session, after due consideration, it is likely to be passed by the end of the Year and come into effect either at the end of the year or early in the next year," said Ryder.

For more details visit https://cis-india.org/news/data-guidance-march-3-2014-india-privacy-bill-will-likely-reflect-eu-directive

Internet Governance Round-table at British High Commission

praskrishna — 2014-04-01T10:32:04Z

A Internet Governance Round-table was hosted at the residence of the British High Commissioner in Delhi on March 4, 2014. Geeta Hariharan participated in the round-table.

The event aimed to bring together stakeholders from government, industry and the non-governmental sectors in India to discuss issues of Internet governance, and forms part of the UK’s commitment and interests in cyber-engagement with India.

The panel included the following members:

Julian Evans, the Acting British High Commissioner to India
Jonathan Cook, Second Secretary, Foreign Security Policy Team, British High Commission
Kamlesh Bajaj, CEO, Data Security Council of India
Rahul Jain, Principal Consultant, Data Security Council of India
Vikram Tiwathia, Associate Director General, Cellular Operators Association of India
Dr. Govind, Senior Director heading the E-Infrastructure & Internet Governance Division, Department of Electronics and Information Technology, Government of India
Narayanan, NIXI
Dr. Sundeep Oberoi, TCS
M.P. Gupta, Professor & Chair, Information Systems and Centre for Excellence in E-Gov, IIT Delhi
Somnath Mitra, Xchanging
Mahima Kaul, Observer Research Foundation

The British government’s views on cyber-engagement and Internet governance were touched upon, voicing their support for a free, open and secure Internet, upholding human rights. The UK supports a multi-stakeholder approach to Internet governance. However, their position on the Sao Paolo meeting is as yet not officially clear.

Five broad issues were raised for discussion:

Balancing the role of government and non-government stakeholders, and the limits of governmental regulation Internet for development
Free speech and privacy v. security
Practical model of Internet governance (multi-stakeholder or multilateral)
India’s contribution, presence or expectations of the Sao Paolo meeting

The speakers raised concerns about the effectiveness of the multi-stakeholder model in light of international law built on the Westphalian model, where governments are effectively the only real law-makers and regulators. In considering whether non-governmental stakeholders (such as NGOs and think-tanks, industry and corporations, individuals) should have an equal voice in IG, concerns were raised about the representativeness of such actors, and accountability that they would have. In this regard, the future and desirability of the ICANN (and the US’ stake in it), and fora like the IGF and the UN-WGEC as platforms for participation were discussed.

While civil society involvement is imperative, government initiatives are necessary to create access to the Internet, and to ensure that the Internet is made safe and utilized for development. This obviously creates tensions between privacy and liberty, and security concerns; one of the speakers spoke of Snowden as the “elephant in the room”. Not only was a common concept of privacy non-existent at the international level, it would also be difficult to achieve (except a namesake ‘lowest common denominator’ definition), as states must account for their experiences with terrorism as well as cultural differences. For instance, the way the UK deals with privacy/security concerns in comparison with India would be very different. Finally, the possibilities and potential outcomes of the Sao Paolo meeting were touched upon without elaborate discussion on the same.

For more details visit https://cis-india.org/news/ig-round-table-british-high-commission

RightsCon 2014

praskrishna — 2014-04-08T05:04:09Z

RightsCon Silicon Valley 2014 was an incredible mixture of more than 700 attendees from more than 65 countries and 375 institutions. Pranesh Prakash and Malavika Jayaram were speakers at this event organized by RightsCon at San Francisco on March 3 and 4, 2014.

This incredible union of expertise has led to real outcomes, many of which are viewable here or as a PDF report here. Missed a session? A special thanks to all our speakers and sponsors who made 2014 so smart and productive.

Missed a session in San Francisco? Many of the videos are available for viewing. To learn more about past RightsCon conferences, head here.

Even as we continue to work diligently on the the work generated from RightsCon Silicon Valley 2014, we are looking ahead to 2015 and Southeast Asia, where we will convene civil society and key decision-makers in this rapidly evolving region. Click here to learn more about the planning for RCSEA2015.

Pranesh was invited to be on five panels, and spoke in three.

He spoke in the following sessions:

March 3 from 14:00-15:15 - Nicolas Seidler's panel on "Localizing the Global Internet: Data Centers, Traffic Rerouting, and the Implications of Post-Surveillance Policy Proposals"

March 4 from 12:00-13:15 - Paul & Bertrand's panel on "Internet and Jurisdiction: How Can Heterogenous Laws Coexist in Cross-Border Online Spaces?"

March 4 from 14:30-15:45 - Amie Stepanovich's panel on "The NSA Strikes Back: Who Really Won the Crypto Wars?"

He was also invited to the following panels:

"Toward Accountability: Reflecting on ICT Industry Action To Protect User Rights"

"Policy Laundering: Hacking the International Innovation Policy Machine"

For more info on the conference, click here. For the full list of speakers, see here.

Video

For more details visit https://cis-india.org/news/rights-con-2014

Comparison of Section 35(1) of the Draft Human DNA Profiling Bill and Section 4 of the Identification Act Revised Statute of Canada

elonnai — 2014-03-03T08:20:55Z

A comparison of section 35(1) of the Draft Human DNA Profiling Bill, section 4 of the Identification Act, Revised Statute of Canada, and a review of international best practices.

In continuance of research around the Draft Human DNA Profiling Bill that has been drafted the Department of Biotechnology, this blog entry reviews best practices for the communication of DNA profiles from the DNA Bank Manager to law enforcement and the police, compares the section 35(1) of the Draft Human DNA Profiling Bill and section 4 of the Identification Act Revised Statute of Canada, and recommends a revision of the present provision in the Draft Human DNA Profiling Bill.

Indian Provision

35 (1) “On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank in order to determine whether it is already contained in the DNA Data Bank and shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely –

(a) As to whether the DNA profile received is already contained in the Data Bank; and

(b) Any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received.

(2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.”

Canadian Provision vs. Indian Provision

According to the Draft Human DNA Profiling Bill 35(1) was adopted from the DNA Identification Act Revised Statute of Canada section 4. The provision found in the Draft Human DNA Profiling Bill is different in three ways:

The Canadian statute limits the communication of whether a DNA profile is contained in the Data Bank or not to law enforcement agencies or other DNA laboratories, where as the provision in the Draft Human DNA Profiling Bill allows the communication to law enforcement agencies, other DNA data banks, and courts and tribunals.
The Canadian statute limits the comparison of any DNA profile to that as entered in the convicted offenders index or the crime scene index with those DNA profiles that are already contained in the databank, where as the Draft Human DNA Profiling Bill allows for any received profile to be compared with the other profiles in the DNA Data Bank.
The Canadian statute defines four types of information that may be communicated to law enforcement or another DNA databank including:

(a) if the DNA profile is not already contained in the data bank, the fact that it is not;
(b) if the DNA profile is already contained in the data bank, the information contained in the data bank in relation to that DNA profile;
(c) if the DNA profile is, in the opinion of the Commissioner, similar to one that is already contained in the data bank, the similar DNA profile; and
(d) if a law enforcement agency or laboratory advises the Commissioner that their comparison of a DNA profile communicated under paragraph (c) with one that is connected to the commission of a criminal offence has not excluded the former as a possible match, the information contained in the data bank in relation to that profile.

While the Draft Human DNA Profiling Bill provides for communication of only (a) and (b) by the DNA Data Bank Manager.

Concerns with 35(1) and Best Practices

The Centre for Internet and Society finds 35(1) problematic because a DNA profile is never a complete match, and is instead a scientific and statistical based probability. There are a number of steps that go into the analysis of a DNA profile. According to the US National Institute of Justice, these include: “1) the isolation of the DNA from an evidence sample containing DNA of unknown origin, and generally at a later time, the isolation of DNA from a sample (e.g., blood) from a known individual; 2) the processing of the DNA so that test results may be obtained; 3) the determination of the DNA test results (or types), from specific regions of the DNA; and 4) the comparison and interpretation of the test results from the unknown and known samples to determine whether the known individual is not the source of the DNA or is included as a possible source of the DNA.”

Though it is common for DNA Banks to communicate responses such as “match”, “no match”, or “partial match” or “inclusion”, “exclusion”, or “inconclusive” to inquiries received from law enforcement and other DNA Banks, this is not the case for communications to courts and tribunals. For example in England and Wales guidelines for presenting DNA evidence in court were laid out in the rule Rv. Dohemy and Adams (1997) 1 Cr. App. R. 396. Along with comprehensive guidelines on how experts should conduct themselves in court to prevent bias, the guidelines require the following information to be presented when DNA material is used as evidence in a case:

“The scientist should adduce the evidence of the DNA comparisons between the crime stain and the defendant’s sample together with the calculations of the Random Match Probability.
Whenever DNA evidence is adduced the Crown should serve on the defence details as to how the calculations have been carried out which are sufficient to enable the defence to scrutinize the basis of the calculations.
The Forensic Science Service should make available to a defence expert, if requested, the databases upon which the calculations have been made.
The expert will, on the basis of empirical statistical data, five the jury the random occurrence rations - the frequency with which the matching DNA characteristics are likely to be found in the population at large.
Provided that the expert has the necessary data, it may then be appropriate for him to indicate how many people with the matching characteristics are likely to be found in the United Kingdom...”

Recommendations

Given the influential weight that DNA evidence can have in a case, it is critical that the evidence is accurately presented to the court and other key stakeholders. The Centre for Internet and Society recommends that the Bill should distinguish the DNA Bank Manager’s response to law enforcement and other DNA Laboratory’s and the DNA Bank Manger’s response to courts and tribunals as below:

Response to Law enforcement agency and DNA Laboratory: The DNA Bank Manger should respond to a request from law enforcement or a DNA laboratory with either: "match" or "partial match" .
Response to Court and tribunal: When DNA evidence is used in a court of law, the Bill should provide that the presentation should include:

The random match probability: The probability that the profile is in the sample from the individual tested if the individual tested has been selected at random.
The frequency with which the matching DNA characteristics are likely to be found in the population at large.
The probability of contamination.

The Bill should also provide for the database upon which the calculations were based to be made available when requested. In addition, the Bill should provide for rules to be made prescribing the procedure for presentation.

[]. http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx

[2]. http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf

For more details visit https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions

Spreadsheet data on sample of 50 security companies

maria — 2014-02-28T16:13:39Z

For more details visit https://cis-india.org/internet-governance/blog/data-on-surveillance-technology-companies

Big Democracy, Big Surveillance: India's Surveillance State

maria — 2014-02-28T10:35:09Z

In India, surveillance is on the rise by the state to tackle crime and terrorism, and private companies are eager to meet the demand.

This article by Maria Xynou was published by OpenDemocracy on 10 February 2014.

Worried about the secret, mass surveillance schemes being carried out by the NSA? While we should be, some of the surveillance schemes in the world's largest democracy, India, are arguably in the same league.

Surveillance is being globalised to the extent that even India, a country with huge poverty issues, is investing millions of dollars in creating an expansive surveillance regime. However, why would communications monitoring interest Indian authorities, when the majority of the population lives below the line of poverty and only 17% of the population has access to the Internet?

The official political motivation behind surveillance in India appears to be the government's determination to tackle terrorism in the country. The 2008 Mumbai terrorist attacks were arguably a similar landmark to the 9/11 terrorist attacks in the US, and both governments officially announced their intention to carry out surveillance as a counter-terrorism measure. However, unlike in the west, terrorist attacks in India are much more common, and the National Security Adviser reported in 2008 that 800 terrorist cells were operational in the country. With India’s history of major terror attacks in India over the last 25 years, it's easy for one to be persuaded that terrorism is actually a major threat to national security.

India's surveillance schemes

India’s surveillance programs mostly started following the 2008 Mumbai terror attacks. That was when the Ministry of Home Affairs first proposed the creation of a National Intelligence Grid (NATGRID), which will give 11 intelligence and investigative agencies real-time access to 21 citizen data sources to track terror activities. These citizen data sources will be provided by various ministries and departments, otherwise called “provider agencies”, and will include bank account details, telephone records, passport data and vehicle registration details, among other types of data.

The Ministry of Home Affairs has sought over Rs. 3,400 crore (around USD 540 million!) for the implementation of NATGRID, which aims to create comprehensive patterns of intelligence by collecting sensitive information from databases of departments like the police, banks, tax and telecoms to supposedly track any terror suspect and incident.

But NATGRID is far from India's only data sharing scheme. In 2009 the Cabinet Committee on Economic Affairs approved the creation and implementation of the Crime and Criminal Tracking Network & Systems (CCTNS), which would facilitate the sharing of databases among 14,000 police stations across all 35 states and Union Territories of India, excluding 6,000 police offices which are high in the police hierarchy. Rs. 2,000 crore (around USD 320 million) have been allocated for the CCTNS, which is being implemented by the National Crime Records Bureau under the national e-governance scheme. The CCTNS not only increases transparency by automating the function of police stations, but also provides the civil police with tools, technology and information to facilitate the investigation of crime and detection of criminals.

But apparently, sharing data and linking databases is not enough to track criminals and terrorists. As such, in the aftermath of the 2008 Mumbai terror attacks, the Indian government also implemented various interception systems. In September 2013 it was reported that the Indian government has been operating Lawful Intercept & Monitoring (LIM) systems, widely in secret. In particular, mobile operators in India have deployed their own LIM systems allowing for the so-called “lawful interception” of calls by the government. And possibly to enable this, mobile operators are required to provide subscriber verification to the Telecom Enforcement, Resource and Monitoring (TERM) cells of the Department of Telecommunications.

In the case of Internet traffic, the LIM systems are deployed at the international gateways of large Internet Service Providers (ISPs) and expand to a broad search across all Internet traffic using “keywords” and “key-phrases”. In other words, security agencies using LIM systems are capable of launching a search for suspicious words, resulting in the indiscriminate monitoring of all Internet traffic, possibly without court oversight and without the knowledge of ISPs.

India has also automated and centralized the interception of communications through the Central Monitoring System (CMS). This project was initially envisioned in 2009, following the 2008 Mumbai terror attacks and was approved in 2011. The CMS intercepts all telecommunications in India and centrally stores the data in national and regional databases. The CMS will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Intelligence Bureau (IB), the Central Bureau of Investigation (CBI), the Directorate of Revenue Intelligence (DRI), the Research and Analysis Wing (RAW) and the National Investigation Agency (NIA).

Unlike mainstream interception, where service providers are required to intercept communications and provision interception requests to law enforcement agencies, the Central Monitoring System will automate the entire process of interception. This means that the CMS authority will have centralized access to all intercepted data and that the authority can also bypass service providers in gaining such access. Once security agencies have access to this data, they are equipped with Direct Electronic Provisioning, filters and alerts on the target numbers, as well as with Call Details Records (CDR) analysis and data mining tools to identify the personal information of target numbers.

Given that roughly 73% of India's population uses mobile phones, this means that the Central Monitoring System can potentially affect about 893 million people, more than double the population of the United States! However, how is it even possible for Indian authorities to mine the data of literally millions of people? Who supplies Indian authorities with the technology to do this and what type of technology is actually being used?

India's surveillance industry

India has the world's second largest population, consisting of more than a billion people and an expanding middle class. Undoubtedly, India is a big market and many international companies aspire in investing in the country. Unfortunately though, along with everything else being imported into India, surveillance technologies are no exception.

Some of the biggest and most notorious surveillance technology companies in the world, such as ZTE, Utimaco and Verint, have offices in India. Even FinFisher command and control servers have been found in India. However, in addition to allowing foreign surveillance technology companies to create offices and to sell their products and solutions in the country, local companies selling controversial spyware appear to be on the rise too.

Kommlabs Dezign is an Indian company which loves to show off its Internet monitoring solutions at various ISS trade shows, otherwise known as “the Wiretapper's Ball”. In particular, Kommlabs Dezign sells VerbaNET, an Internet Interception Solution, as well as VerbaCENTRE, which is a Unified Monitoring Centre that can even detect cognitive and emotional stress in voice calls and flag them! In other words, Kommlabs Dezign makes a point that not only should we worry about what we text and say over our phones, but that we should also worry about what we sound like when on the phone.

Vehere is another Indian company which sells various surveillance solutions and notably sells vCRIMES, which is a Call Details Records (CDR) analysis system. VCRIMES is used to analyse and gather intelligence and to unveil hidden interconnections and relations through communications. This system also includes a tool for detecting sleeper cells through advanced statistical analysis and can analyse more than 40 billion records in less than 3 seconds.

Paladion Networks is headquartered in Bangalore, India and sells various Internet Monitoring Systems, Telecom Operator Interception Systems, SSL Interception and Decryption Systems and Cyber Cafe Monitoring Systems to law enforcement agencies in India and abroad. In fact, Paladion Networks even states in its website that its customers include India's Ministry of Information Technology and the U.S Department of Justice.

ClearTrail Technologies is yet another Indian company which not only sponsors global surveillance trade shows but also sells a wide range of monitoring solutions to law enforcement agencies in India and abroad. ComTrail is a solution for the centralised mass interception and monitoring of voice and data networks, including Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls. Furthermore, ComTrail is equipped to handle millions of communications per day, correlating identities across multiple networks, and can instantly analyse data across thousands of terabytes.

ClearTrail also sells xTrail, which is a solution for the targeted interception, decoding and analysis of data traffic over IP networks and which enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. Interestingly, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID.

Apparently, some the biggest challenges that law enforcement agencies face when monitoring communications include cases when targets operate from public Internet networks and/or use encryption. However, it turns out that ClearTrail's QuickTrail solution is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. This device can remotely deploy spyware into a target's computer and supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS.

Additionally, QuickTrail can identify a target machine on the basis of metadata, such as an IP address, and can monitor Ethernet LANs in real time, as well as monitor Gmail, Yahoo and all other HTTPS-based communications. ClearTrail's mTrail is designed for the passive 'off-the-air' interception of GSM communications, including the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information. MTrail also identifies a target's location by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation of so-called “lawfully intercepted” calls in near real-time.

In short, it looks like India is reaching the top league when it comes to surveillance technologies, especially since many of its companies and their products appear to be just as scary as some of the most sophisticated spying gear sold by the West. India may be the world's largest (by population) democracy, but that means that it has a huge population with way too many opinions...and apparently, the private and public sectors in India appear to be joining forces to do something about it.

So do Indians have nothing to hide?

A very popular rhetoric in both India and the west is that citizens should not be concerned about surveillance because, after all, if they are not terrorists, they should have nothing to hide. However, privacy advocate Caspar Bowden has rightfully stated that this rhetoric is fundamentally flawed and that we should all indeed “have something to hide”. But is privacy just about “having something to hide”? Jacob Appelbaum has stated that this rhetoric is merely a psychological copying mechanism when dealing with security.

It's probably rather comforting and reassuring to think that we are not special or important enough for surveillance to affect us personally. But is that really up to us to decide? Unfortunately not. The very point of data mining is to match patterns, create profiles of individuals and to unveil hidden interconnections and relations. A data analyst can uncover more information about us than what we are even aware of and it is they who decide if our data is “incriminating” or not. Or even worse: in many cases it's up to data mining software to decide how “special” or “important” we are. And unfortunately, technology is not infallible.

The world's largest democracy, which is also one of the most corrupt countries in the world, is implementing many controversial surveillance schemes which lack transparency, accountability and adequate legal backing, and which are largely being carried out in secret. And to make matters worse, India lacks privacy legislation. Over a billion people in a democratic regime are exposed to inadequately regulated surveillance schemes, while a local surveillance industry is thriving without any checks or balances whatsoever. What will this mean for the global future of democracy?

For more details visit https://cis-india.org/internet-governance/blog/big-democracy-big-surveillance-indias-surveillance-state

February 2014 Bulletin

praskrishna — 2014-04-07T07:27:46Z

The Centre for Internet and Society (CIS) welcomes you to the second issue of its newsletter (February) for the year 2014:

-------------------------------
Highlights
-------------------------------

We published revised chapters for the states of Mizoram, Dadra and Nagar Haveli, Himachal Pradesh and Haryana, as part of our National Resource Kit project.
In the concluding blog post of a three-part study Ananth Padmanabhan looks at the Indian law in the Copyright Act and the Information Technology Act, and concludes that both those laws restrain courts and private companies from ordering an ISP to block a website for copyright infringement.
Telugu Wikipedia celebrated its 10^th anniversary. An event was co-organized in Vijaywada to celebrate the same.
The second Institute on Internet and Society was held in Pune from February 11 to 17. The proceedings from the workshop are captured in a blog post.
CIS announced an Open Call for Comments for the latest draft of the Privacy Bill, 2013 prepared by Bhairav Acharya.
Forbes India published its “30 Under 30 List”. Pranesh Prakash is featured in the list.
As part of the Making Change Project, Denisse Albornoz wrote a blog post that compares the production behind a performance with the process of storytelling.
Beli gives an introduction to spectrum sharing. The post looks at GSM and CDMA, and touches upon LTE, and how they might share spectrum.

-----------------------------------------------
Jobs
-----------------------------------------------
CIS is seeking applications for the post of Program Officer (Access to Knowledge): http://bit.ly/1fnydB0. There are two vacancies for this post and it is full-time based in Delhi. To apply, please send your resume to Sunil Abraham (sunil@cis-india.org), Nirmita Narasimhan (nirmita@cis-india.org) and Pranesh Prakash (pranesh@cis-india.org) with three writing samples of which at least one demonstrates your analytic skills, and one that shows your ability to simplify complex policy issues.

----------------------------------------------
Accessibility and Inclusion
----------------------------------------------
As part of our project (under a grant from the Hans Foundation) on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India, we bring you draft chapters for the states of Mizoram, Dadra and Nagar Haveli, Himachal Pradesh and Haryana. With this we have completed compilation of draft chapters for 35 states.

Based upon discussion with the office of the Chief Commissioner for Persons with Disabilities (CCPD) the following chapters were revised:

► National Resource Kit Chapter

The Mizoram Chapter (by CLPR, February 5, 2014): http://bit.ly/1eUSvxW
The Dadra & Nagar Haveli Chapter (by CLPR, February 6, 2014): http://bit.ly/1mv3YhJ
The Haryana Chapter (by Anandhi Viswanathan, February 10, 2014): http://bit.ly/1dVOiKI
The Himachal Pradesh Chapter (by Anandhi Viswanathan, February 12, 2014): http://bit.ly/1jSk03x

► Other

# Participation in Events

National Consultation on Inclusion of Persons with Disabilities in Development Process (organized by CBM India in collaboration with United Nations Solution Exchange for Gender Community, WHO Regional office for South-East Asia, New Delhi, February 12, 2014). Anandhi Viswanathan participated in a panel discussion. She made a presentation on the National Resource Kit project: http://bit.ly/OlkHVq.
Zero Project Conference on Accessibility: Innovative Policies and Practices for Persons with Disabilities (organized by Essl Foundation, the World Future Council and the European Foundation Centre, United Nations Office, Vienna, February 27 and 28, 2014). Pranesh Prakash spoke on Affordable Text-to-Speech Software from India: http://bit.ly/1czo32s. Nominations on e-speak were recognised as examples of innovative practices and policies from India. Pranesh Prakash was also a speaker on Copyright Exception for Accessible Formats: http://bit.ly/1l8HRth.

-----------------------------------------------------------
Access to Knowledge
-----------------------------------------------------------
The Access to Knowledge programme addresses the harms caused to consumers and human rights, and critically examines Open Government Data, Open Access to Scholarly Literature, and Open Access to Law, Open Content, Open Standards, and Free/Libre/Open Source Software.

# Analyses

Can Judges Order ISPs to Block Websites for Copyright Infringement? (Part 2) (by Ananth Padmanabhan, February 5, 2014): http://bit.ly/1cddoKm. Analyses the law laid down by the U.S. Supreme Court and the Delhi High Court on secondary and contributory copyright infringement.
Can Judges Order ISPs to Block Websites for Copyright Infringement? (Part 3) (by Ananth Padmanabhan, February 5, 2014): http://bit.ly/1g35mDg. Analyses the Indian law in the Copyright Act and the Information Technology Act.

# Participation in Events

2nd International Conference on Managing Intellectual Property Rights and Strategy (MIPS 2014) (organized by Shailesh J. Mehta School of Management, IIT Bombay with support from the Ministry of Human Resources Development IPR Chair Project, Government of India): http://bit.ly/PsPEbq.
Consultation on Institutional Arrangements for IP management under MHRD (organized by the Planning Commission and Ministry of Human Resource Development, New Delhi, February 21, 2014). Nehaa Chaudhari participated in this consultation: http://bit.ly/1fTCoar.
National Conference on Use of Technology in Higher Education (organized by the Ministry of Human Resource and Development and Planning Commission in partnership with Microsoft Research and British Council, Indian Institute of Technology, Bombay, February 25, 2014): http://bit.ly/P6u78i. Nehaa Chaudhari participated in the event as a panelist in the session on "Future of Content Creation".

# Media Coverage

Pranesh Prakash: Influencing India's IP Laws (by Samar Srivastava, Forbes India, February 15, 2014): http://bit.ly/1kBzLMq.

The following has been done under grant from the Wikimedia Foundation (http://bit.ly/SPqFOl). As part this project (http://bit.ly/X80ELd), we organised 4 workshops in the month of January, published an article in DNA, and signed a memorandum of understanding with KIIT University and Kalinga Institute of Social Sciences to further the development of Odia Wikipedia:

►Wikipedia

# Articles / Blog Entries

Odia Language's Presence in Digital Media and Wikipedia's Role (by Subhashish Panigrahi, The Samaja, March 2, 2014): http://bit.ly/1ieF3sC.
Indian Wikimedia community coordinates Women’s History Month (by Netha Hussain and Jeph Paul, Wikimedia Foundation, March 6, 2014): http://bit.ly/1cyRfqf,

# Events Co-organized

Cinemathon2014 Bangalore (organized by Pad.ma and CIS-A2K, CIS, Bangalore, February 8-9, 2014): http://bit.ly/MRRkZz.
Tewiki 10th Anniversary (organized by CIS-A2K and Telugu Wikipedia community, February 15, 2014): http://bit.ly/1iI2Pxs. T. Vishnu Vardhan and Rahmanuddin Shaikh were speakers at the event.
Cinemathon2014 Mumbai (organized by Pad.ma and CIS-A2K, CAMP Studio, Mumbai, February 15-16, 2014): http://bit.ly/P5YGL8.
Wikipedia Mangalore Workshop (organized by Roshini Nilaya and CIS-A2K, Mangalore, February 26, 2014). Dr. U.B.Pavanaja gave a presentation on Wikipedia with a special focus on students and women.

CIS gave its inputs to the following media coverage:

# Media Coverage

Father-son duo promote Punjabi online (by Jatinder Preet, Sunday Guardian, February 1, 2014): http://bit.ly/1l87b2h.
୧୦ ବର୍ଷରେ ଓଡ଼ିଆ ୱିକିପିଡିଆ (Rabibara Sambad (Sunday supplement of Odia newspaper The Sambad), February 9, 2014): http://bit.ly/1igMynn. This is a feature about Odia Wikipedia's 10th anniversary and the story of a dead volunteer community reviving after 8 years.
Wikipedia Mangalore Workshop (Prajavani, February 27, 2014): http://bit.ly/1gVMG6f.

# Participation in Event

The Dynamics of Education to Employment Journey: Opportunities and Challenges (organized by KIIT School of Management, KIIT University, Bhubaneswar, February 21-22, 2014). T. Vishnu Vardhan gave a talk: http://bit.ly/1ePwqHc.

Event Organized

Wiki Women's Workshop (ICG – Dona Paula, Goa, March 9, 2014): http://bit.ly/MRRJLy. The event is being organized as part of the commemoration of the International Women's Day.

Openness

# Event Organised

Bitcoin & Open Source with Aaron Koenig (CIS, Bangalore, February 7, 2014): http://bit.ly/1fbN6mP.

-----------------------------------------------
Internet Governance
-----------------------------------------------
CIS is doing a project (under a grant from Privacy International and International Development Research Centre (IDRC)) on conducting research on surveillance and freedom of expression (SAFEGUARDS). So far we have organised seven privacy round-tables and drafted the Privacy (Protection) Bill. Gautam Bhatia gives an analysis of the right to privacy from a constitutional perspective. Bhairav Acharya prepared an updated version of the Privacy Protection Bill which was published for comments.

# Call for Comments

The Privacy Protection Bill, 2013 (by Bhairav Acharya, February 25, 2014): http://bit.ly/1g3TwIX. CIS announced an Open Call for Comments to the latest version of the bill.

# Articles

The Internet Way (by Nishant Shah, Biblio Vol. 19 No.8 (1&2), January – February 2014): http://bit.ly/1kBp9gJ. Dr. Nishant Shah's review of the book “The Everything Store: Jeff Bezos and the Age of Amazon” by Bantam Press/Random House Group, London can be found on page 16.
Surveillance and the Indian Constitution - Part 3: The Public/Private Distinction and the Supreme Court’s Wrong Turn (by Gautam Bhatia, Indian Constitutional Law and Philosophy Blog, February 25, 2014): http://bit.ly/1kBosnw. This was originally published on Indian Constitutional Law and Philosophy Blog.
Big Democracy, Big Surveillance: India's Surveillance State (by Maria Xynou, Open Democracy, February 28, 2014): http://bit.ly/1nkg8Ho.
Will You be Paid to Post a Picture? (by Nishant Shah, Indian Express, February 18, 2014): http://bit.ly/P65d8L.

# Blog Entries

February 11: The Day We Fight Back Against Mass Surveillance (by Divij Joshi, February 14, 2014): http://bit.ly/1e7drCV.
Calcutta High Court Strengthens Whistle Blower Protection (by Divij Joshi, February 24, 2014): http://bit.ly/1cG8v7t.
CIS Welcomes 52nd Report on Cyber Crime, Cyber Security, and Right to Privacy (by Elonnai Hickok, February 24, 2014): http://bit.ly/1oviMJ4.
UIDAI Practices and the Information Technology Act, Section 43A and Subsequent Rules (by Elonnai Hickok, February 25, 2014): http://bit.ly/1fbSfep.

# Events Organized

Nullcon Goa Feb 2014 — International Security Conference (organised by Nullcon, Bogmallo Beach Resort, Goa, February 12 – 15, 2014). CIS is one of the sponsors for this event: http://bit.ly/1lrBu5I.
Counter Surveillance Panel: DiscoTech & Hackathon (co-organized by CIS, MIT Centre for Civic Media Co-Design Lab, Tactical Technology Collective, Hackteria.org, and Shristi School of Art, Design and Technology, Bangalore, March 1, 2014): http://bit.ly/NCGMyH

# Participation in Events

First Meeting of the Multistakeholder Advisory Group for India Internet Governance Forum (organized by the Department of Electronics and Information Technology, New Delhi, February 10, 2014). Sunil Abraham participated in this meeting: http://bit.ly/1fKu5xz.
Internet Intermediary Liability: Towards Evidence-based Policy and Regulatory Reform to Secure Human Rights on the internet (organized by Association for Progressive Communications, The Wedgewood, Melville, Johannesburg, February 10-11, 2014): http://bit.ly/1fMAEK2. Elonnai Hickok was a speaker.
Towards an Equitable and Just Internet (organized by IT for Change, New Delhi, February 14-15, 2014). Bhairav Acharya was a speaker: http://bit.ly/1cz9EDt.
Workshop on Media Law & Policy Curriculum Development (organized by the Centre for Communication Governance, National Law University, Delhi and University of Oxford in support with the International Higher Education-Knowledge Economy Partnerships Programme of the British Council, February 16, 2014, National Law University, Delhi): http://bit.ly/1ovoT00. Bhairav Acharya was a speaker.
The Changing Role of the Media in India: Constitutional Perspectives (organized by School of Law, Christ University, February 28, 2014): http://bit.ly/1lB2nTO. Snehashish Ghosh moderated a session at this conference.

--------------------------------
News & Media Coverage
--------------------------------
CIS gave its inputs to the following recent media coverage:

The Dangers of Birdsong (by Namrata Joshi, Outlook, January 25, 2014): http://bit.ly/1kB8J7L.
A Tale of Two Internet Campaigns (by Deepa Kurup, The Hindu, February 11, 2014): http://bit.ly/1lDdRZy.
Dark days for the creative class in India: Siddiqui (by Haroon Siddiqui, thestar.com, February 16, 2014): http://bit.ly/1gdtgbC.
The Forbes India 30 Under 30 List (by Abhilasha Khaitan, Forbes India, February 21, 2014): http://bit.ly/1ovnvKM. Pranesh Prakash features in the list.
India ‘tea parties’ enable politicians to woo urban youth with technology (by Avantika Chilkoti, Financial Times, February 26, 2014): http://bit.ly/1cGfOMm.

--------------------------------
Digital Humanities
--------------------------------
CIS is building research clusters in the field of Digital Humanities. The Digital will be used as a way of unpacking the debates in humanities and social sciences and look at the new frameworks, concepts and ideas that emerge in our engagement with the digital. The clusters aim to produce and document new conversations and debates that shape the contours of Digital Humanities in Asia:

# Blog Entries

Defending the Humanities in the Digital Age (by Nishant Shah, DML Central, February 24, 2014): http://bit.ly/1czdZqg.
Digital Humanities in India- Mapping Changes at the Intersection of Youth, Technology and Higher Education (by Sneha PP, February 21, 2014): http://bit.ly/1qd6xo4.

--------------------------------
Digital Natives
--------------------------------
CIS is doing a research project titled “Making Change”. The project will explore new ways of defining, locating, and understanding change in network societies. Having the thought piece 'Whose Change is it Anyway' as an entry point for discussion and reflection, the project will feature profiles, interviews and responses of change-makers to questions around current mechanisms and practices of change in South Asia and South East Asia:

►Making Change Project

# Blog Entries

Storytelling as Performance: The Ugly Indian and Blank Noise 1 (by Denisse Albornoz, February 24, 2014): http://bit.ly/1jX4qBb.
Storytelling as Performance: The Ugly Indian and Blank Noise 2 (by Denisse Albornoz, February 27, 2014): http://bit.ly/1fKwQil.

--------------------------------
Telecom
--------------------------------
Shyam Ponappa, a Distinguished Fellow at CIS is a regular columnist with the Business Standard. The articles published on his blog Organizing India Blogspot is mirrored on our website:

# Newspaper Column

Centre- or State-Driven Development? (by Shyam Ponappa, Business Standard, February 5, 2014, Observer India Blogspot, February 7, 2014): http://bit.ly/1ceuWFS.

# Blog Entry

An Introduction to Spectrum Sharing (by Beli, February 24, 2014): http://bit.ly/NZlknd.

----------------------------------------------------------
Knowledge Repository on Internet Access
----------------------------------------------------------
CIS in partnership with the Ford Foundation is executing a project to create a knowledge repository on Internet and society. This repository will comprise content targeted primarily at civil society with a view to enabling their informed participation in the Indian Internet and ICT policy space. The repository is available at the Internet Institute website: http://bit.ly/1iQT2UB.

►Event Organized

Institute on Internet and Society (organised by Ford Foundation and CIS, Yashada, Pune, February 11-17, 2014): http://bit.ly/1fpTdDS. Bishakha Datta, Ravikiran Annaswamy, Kingsley John, Prof. G. Nagarjuna, Nisha Thompson, Prashant Naik, Nehaa Chaudhari, Bhairav Acharya, Manu Srivastav, Dr. Abhijeet Safai, Payal Malik, Nishant Shah, Laura Stein, Sunil Abraham, Madan Muthu and Chinmayi Arun taught at the institute.

-----------------------------------------------------
About CIS
-----------------------------------------------------
The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.

► Follow us elsewhere

Twitter: https://twitter.com/CISA2K
Facebook group: https://www.facebook.com/cisa2k
Visit us at: https://meta.wikimedia.org/wiki/India_Access_To_Knowledge
E-mail: a2k@cis-india.org

► Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

► Request for Collaboration:

We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org. To discuss collaborations on Indic language Wikipedia, write to T. Vishnu Vardhan, Programme Director, A2K, at vishnu@cis-india.org.

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, IDRC and the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/february-2014-bulletin

India ‘tea parties’ enable politicians to woo urban youth with technology

praskrishna — 2014-03-06T12:13:36Z

Babalal Patel’s tiny tea stall in southern Mumbai is a long way from Silicon Valley. It is not even that close to Bangalore, the Indian equivalent.

The article by Avantika Chilkoti was published in the Financial Times on February 26, 2014. Sunil Abraham is quoted.

But one night this month this ramshackle shop became the venue for a social media experiment that highlights the high-tech face of electioneering in India, the world’s largest democracy. A crowd gathered outside to watch two television screens showing a live broadcast with Narendra Modi, prime ministerial candidate for the opposition Bharatiya Janata party, as he answered questions the audience submitted by text message.

Similar “tea parties” were held across the country, designed to ram home Mr Modi’s humble background as a tea seller and his technological credentials. But the nationwide event, organised using mobile technology more commonly seen in US presidential campaigns, also signals a shift in Indian politics.

For decades, political campaigns in India have centred around colossal rallies and billboard advertising. But a growing population of young people, rising internet use and the ubiquity of mobile phones mean the 2014 battle is playing out equally fiercely online.

“We are moving far ahead of saying that we are building ‘likes’ on social media,” says Arvind Gupta, head of IT and social media for the BJP. “Organisation is being done using digital. So if I’m going to tell everybody there’s an event tomorrow, it can be posted on Facebook, websites, on SMS, on WhatsApp, though the real meeting is happening on the ground.”

These techniques, which became familiar during the Arab uprisings of northern Africa, are an increasingly important part of communication strategy ahead of a national election, which must be held in the next three months, and which many believe will be close.

Mr Gupta believes parties are fighting what he calls a “postmodern election” for up to 160 - largely urban - seats of the total 543. More than half the 50-strong team working on communication for the BJP are dedicated to digital campaigning.

India’s internet user base reached a point of inflection last year, passing 200m. While that is a fraction of the 1.3bn population, prompting many to question the power of social media, use is far greater among urban and young voters, millions of whom will be eligible to vote for the first time this year.

“Social media is suddenly becoming important, not for all constituencies but for urban constituencies because for the first time the urban youth and the educated class is very much glued into the election and showing interest,” says Rajeeva Karandikar, a statistician and election analyst.

Mr Modi, chief minister of Gujarat, has adapted particularly quickly to the changing environment. He captured the public imagination by using holograms to address rallies and Google Hangouts to interact with the diaspora. He has 3.4m Twitter followers and more than 10.6m “likes” on his Facebook page, thanks in part to a slick social media team led by high-profile technology entrepreneurs. Meanwhile Rahul Gandhi, the reticent, undeclared candidate for the incumbent Congress party, does not even have a verified Twitter account.

Some were disappointed by low attendance at the national “tea parties”, but the events were lauded for being interactive and, perhaps most importantly in a country where newspaper readership remains high, grabbed column inches in local media. The audience could speak directly to Mr Modi at venues with a two-way video link and the footage was immediately available on YouTube.

“While answering each question Mr Modi has a point of view,” says Pratik Patel, 28, a chartered accountant who organised the event at his grand- father’s tea shop. “He doesn’t have two ways of looking at the same thing - this helps him to be more decisive and forward thinking.”

Social media also provides swaths of information to India’s political parties, as they copy the sophisticated data analytics used by US president Barack Obama’s campaigns.

From its offices in suburban Mumbai, the digital marketing group Pinstorm tracks what social media users are discussing at the constituency level and identifies significant supporters or critics. It describes the service as an early warning system or “social radar”, which allows parties to mobilise workers rapidly to oppose or support a point of view.
Sceptics argue, however, that social media has insufficient traction in India to affect results of the forthcoming poll. But the size of the user base does not reflect its full power. It is educated influential Indians who use these digital networks and the online debate shapes views in traditional media that reach a wider audience.

“The theory is that since the elites are connected and have more time to spare on social media, let us use social media and the internet more generally to influence discourse through these elites,” says Sunil Abraham, executive director for the Bangalore-based Centre for Internet and Society. “It’s an indirect route to the vote.”

An adviser to the Obama campaign warns, however, that, given differences in funding and the local environment, India’s politicians should be wary of using the US presidential race as a model. This year a simpler technology may prove the best tool for campaigns in India: the mobile phone.

“Folks look to the Obama campaign for this sort of stuff,” says Ethan Roeder, who worked on data for the 2008 and 2012 US presidential campaigns. “But a lot of these international campaigns would do best looking elsewhere for a model . . . No campaign in the history of the world has ever spent that much money to elect a single individual to a single office.”

India’s version is, of course, markedly cheaper, thanks to the roadside chai-wallahs and armies of volunteers, pulling in the new breed of voters.

“I have never attended a political rally in my entire life,” says Mr Patel, who helped organise Mr Modi’s nationwide “tea party”.

“If people want to connect with me they need to connect with me on social media or via email.”

Modi’s digital army

The team building the digital campaign for India’s opposition Bharatiya Janata party mixes entrepreneurs and veterans from the technology industry, rather than individuals with experience of electioneering alone.

Rajesh Jain, working on electoral technology, is well known in the industry since setting up successful businesses in online news and digital marketing. These include IndiaWorld Communications, a collection of websites which was bought in 1999 by Satyam Infoway, then India’s largest internet service provider.

He has the archetypal curriculum vitae, with a degree from one of the eminent Indian institutes of technology followed by a master’s degree from Columbia University in New York.

Arvind Gupta, who heads the BJP’s IT and social media cell, has a remarkably similar educational background - with an added stint in Silicon Valley to his name.

At the last count, the party had recruited more than 2m volunteers, who are organised online and will provide support in different ways. But there is also a younger generation of advocates who have given up good jobs to join the digital effort. Citizens for Accountable Governance is a non-profit youth organisation co-ordinating nationwide “tea parties” ahead of this year’s national election, where Narendra Modi, the party’s prime ministerial candidate, interacts with audiences at tea stalls via video link.

About 100 young professionals lead the operation and all come with impressive credentials, including jobs at prominent global consulting groups such as McKinsey, and banks such as JPMorgan.

Beyond that, Mr Modi has had a team working for him personally since he took over as chief minister of Gujarat more than a decade ago.

It is a discreet IT set-up that still functions independently of the party’s operations.

For more details visit https://cis-india.org/news/financial-times-february-26-2014-india-tea-parties-enable-politicians-to-woo-urban-youth-with-technology

Surveillance and the Indian Constitution - Part 3: The Public/Private Distinction and the Supreme Court’s Wrong Turn

pranesh — 2014-03-06T23:02:45Z

After its decision in Gobind, the Supreme Court's privacy floodgates opened; a series of claims involving private parties came before its docket, and the resulting jurisprudence ended up creating confusion between state-individual surveillance, and individual-individual surveillance.

Gautam Bhatia's blog post was originally published on Indian Constitutional Law and Philosophy Blog

We have seen that Gobind essentially crystallized a constitutional right to privacy as an aspect of personal liberty, to be infringed only by a narrowly-tailored law that served a compelling state interest. After the landmark decision in Gobind, Malak Singh v State of P&H was the next targeted-surveillance history-sheeter case to come before the Supreme Court. In that case, Rule 23 of the Punjab Police Rules was at issue. Its vires was not disputed, so the question was a direct matter of constitutionality. An order of surveillance was challenged by two individuals, on the ground that there were no reasonable bases for suspecting them of being repeat criminals, and that their inclusion in the surveillance register was politically motivated. After holding that entry into a surveillance sheet was a purely administrative measure, and thus required no prior hearing (audi alteram partem), the Court then embarked upon a lengthy disquisition about the scope and limitations of surveillance, which deserves to be reproduced in full:

“But all this does not mean that the police have a licence to enter the names of whoever they like (dislike?) in the surveillance register; nor can the surveillance be such as to squeeze the fundamental freedoms guaranteed to all citizens or to obstruct the free exercise and enjoyment of those freedoms; nor can the surveillance so intrude as to offend the dignity of the individual. Surveillance of persons who do not fall within the categories mentioned in Rule 23.4 or for reasons unconnected with the prevention of crime, or excessive surveillance falling beyond the limits prescribed by the rules, will entitle a citizen to the Court’s protection which the court will not hesitate to give. The very rules which prescribe the conditions for making entries in the surveillance register and the mode of surveillance appear to recognise the caution and care with which the police officers are required to proceed. The note following R. 23.4 is instructive. It enjoins a duty upon the police officer to construe the rule strictly and confine the entries in the surveillance register to the class of persons mentioned in the rule. Similarly R.23.7 demands that there should be no illegal interference in the guise of surveillance. Surveillance, therefore, has to be unobstrusive and within bounds. Ordinarily the names of persons with previous criminal record alone are entered in the surveillance register. They must be proclaimed offenders, previous convicts, or persons who have already been placed on security for good behaviour. In addition, names of persons who are reasonably believed to be habitual offenders or receivers of stolen property whether they have been convicted or not may be entered. It is only in the case of this category of persons that there may be occasion for abuse of the power of the police officer to make entries in the surveillance register. But, here, the entry can only be made by the order of the Superintendent of Police who is prohibited from delegating his authority under Rule 23.5. Further it is necessary that the Superintendent of Police must entertain a reasonable belief that persons whose names are to be entered in Part II are habitual offenders or receivers of stolen property. While it may not be necessary to supply the grounds of belief to the persons whose names are entered in the surveillance register it may become necessary in some cases to satisfy the Court when an entry is challenged that there are grounds to entertain such reasonable belief. In fact in the present case we sent for the relevant records and we have satisfied ourselves that there were sufficient grounds for the Superintendent of Police to entertain a reasonable belief. In the result we reject both the appeals subject to our observations regarding the mode of surveillance. There is no order as to costs.”

Three things emerge from this holding: first, the Court follows Gobind in locating the right to privacy within the philosophical concept of individual dignity, found in Article 21’s guarantee of personal liberty. Secondly, it follows Kharak Singh, Malkani and Gobind in insisting that the surveillance be targeted, limited to fulfilling the government’s crime-prevention objectives, and be limited – not even to suspected criminals, but – repeat offenders or serious criminals. And thirdly, it leaves open a role for the Court – that is, judicial review – in examining the grounds of surveillance, if challenged in a particular case.

After Malak Singh, there is another period of quiet. LIC v Manubhai D Shah, in 1993, attributed – wrongly – to Indian Express Newspapers the proposition that Article 19(1)(a)’s free expression right included privacy of communications (Indian Express itself had cited a UN Report without incorporating it into its holding).

Soon afterwards, R. Rajagopal v State of TN involved the question of the publication of a convicted criminal’s autobiography by a publishing house; Auto Shankar, the convict in question, had supposedly withdrawn his consent after agreeing to the book’s publication, but the publishing house was determined to go ahead with it. Technically, this wasn’t an Article 21 case: so much is made clear by the very manner in which the Court frames its issues: the question is whether a citizen of the country can prevent another person from writing his biography, or life story. (Paragraph 8) The Court itself made things clear when it held that the right of privacy has two aspects: the tortious aspect, which provides damages for a breach of individual privacy; and the constitutional aspect, which protects privacy against unlawful governmental intrusion. (Paragraph 9) Having made this distinction, the Court went on to cite a number of American cases that were precisely about the right to privacy against governmental intrusion, and therefore – ideally – irrelevant to the present case (Paras 13 – 16); and then, without quite explaining how it was using these cases – or whether they were relevant at all, it switched to examining the law of defamation (Para 17 onwards). It would be safe to conclude, therefore, in light of the clear distinctions that it made, the Court was concerned in R. Rajagopal about an action between private parties, and therefore, privacy in the context of tort law. It’s confusing observations, however, were to have rather unfortunate effects, as we shall see.

We now come to a series of curious cases involving privacy and medical law. In Mr X v Hospital Z, the question arose whether a Hospital that – in the context of a planned marriage – had disclosed the appellant’s HIV+ status, leading to his social ostracism – was in breach of his right to privacy. The Court cited Rajagopal, but unfortunately failed to understand it, and turned the question into one of the constitutional right to privacy, and not the private right. Why the Court turned an issue between two private parties – adequately covered by the tort of breach of confidentiality – into an Article 21 issue is anybody’s guess. Surely Article 21 – the right to life and personal liberty – is not horizontally applicable, because if it was, we might as well scrap the entire Indian Penal Code, which deals with exactly these kinds of issues – individuals violating each others’ rights to life and personal liberty. Nonetheless, the Court cited Kharak Singh, Gobind and Article 8 of the European Convention of Human Rights, further muddying the waters, because Article 8 – in contrast to American law – embodies a proportionality test for determining whether there has been an impermissible infringement of privacy. The Court then came up with the following observation:

“Where there is a clash of two Fundamental Rights, as in the instant case, namely, the appellant’s right to privacy as part of right to life and Ms. Akali’s right to lead a healthy life which is her Fundamental Right under Article 21, the RIGHT which would advance the public morality or public interest, would alone be enforced through the process of Court, for the reason that moral considerations cannot be kept at bay.”

With respect, this is utterly bizarre. If there is a clash of two rights, then that clash must be resolved by referring to the Constitution, and not to the Court’s opinion of what an amorphous, elastic, malleable, many-sizes-fit “public morality” says. The mischief caused by this decision, however, was replicated in Sharda v Dharmpal, decided by the Court in 2003. In that case, the question was whether the Court could require a party who had been accused of unsoundness of mind (as a ground for divorce under the wonderfully progressive Hindu Marriage Act) to undergo a medical examination – and draw an adverse inference if she refused. Again, whether this was a case in which Article 21 ought to be invoked is doubtful; at least, it is arguable, since it was the Court making the order. Predictably, the Court cited from Mr X v Hospital Z extensively. It cited Gobind (compelling State interest) and the ECHR (proportionality). It cited a series of cases involving custody of children, where various Courts had used a “balancing test” to determine whether the best interests of the child overrode the privacy interest exemplified by the client-patient privilege. It applied this balancing test to the case at hand by balancing the “right” of the petitioner to obtain a divorce for the spouse’s unsoundness of mind under the HMA, vis-à-vis the Respondent’s right to privacy.

In light of the above analysis, it is submitted that although the outcome in Mr X v Hospital Z and Sharda v Dharmpal might well be correct, the Supreme Court has misread what R. Rajagopal actually held, and its reasoning is deeply flawed. Neither of these cases are Article 21 cases: they are private tort cases between private parties, and ought to be analysed under private law, as Rajagopal itself was careful to point out. In private law, also, the balancing test makes perfect sense: there are a series of interests at stake, as the Court rightly understood, such as certain rights arising out of marriage, all of a private nature. In any event, whatever one might make of these judgments, one thing is clear: they are both logically and legally irrelevant to the Kharak Singh line of cases that we have been discussing, which are to do with the Article 21 right to privacy against the State.

For more details visit https://cis-india.org/internet-governance/blog/surveillance-and-the-indian-consitution-part-3

UIDAI Practices and the Information Technology Act, Section 43A and Subsequent Rules

elonnai — 2014-03-06T07:00:21Z

UIDAI practices and section 43A of the IT Act are analyzed in this post.

In the 52^nd Report on Cyber Crime, Cyber Security, and the Right to Privacy – in evidence provided, the Department of Electronics and Information Technology stated “...Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...” (pg.46) [1]

This blog post explains the requirements found under Section 43A of the Information Technology Act 2000 and the subsequent Information Technology “ Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011[2] and analyses publicly available documents from the UIDAI website[3] as well as the UIDAI enrolment form[4] to demonstrate the ways in which:

UIDAI practices are in line with section 43A and the Rules,
UIDAI practices are not in line with section 43A and the Rules,
UIDAI practices are partially in with section 43A and the Rules
Where more information is needed to draw a conclusion.

Applicability and Scope

Section 43A of the Information Technology Act 2008 and subsequent Rules apply only to Body Corporate and to digital information.

Body Corporate under the Information Technology Act 2008 is defined as:

“Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”

UIDAI Practices - not in line: The UIDAI is not a body corporate. The UIDAI is an attached office under the aegis of the Planning Commission that was set up by an executive order.[5]

The UIDAI collects, processes, stores, and shares both digital and non-digital information. As section 43A and subsequent Rules apply only to digital information, there is not sufficient protection provided over all the information collected, processed, stored, and used by the UIDAI.

Privacy Policy on Website

Rule 4 requires body corporate to provide a privacy policy on their website. The privacy policy must include:

Clear and easily accessible statements of its practices and policies
Type of personal or sensitive personal data or information collected
Purpose of collection and usage of such information
Disclosure of information including sensitive personal information
Reasonable security practices and procedures as provided under rule 8

UIDAI Practices - Partially in Line

Though the UIDAI has placed a privacy policy[6] on their website, the privacy policy only addresses the use of website and does not comprehensively provide clear and accessible statements about all of the UIDAI’s practices and policies.
The UIDAI privacy policy does not state the specific types of personal or sensitive data that could be collected, but instead states “As a general rule, this website does not collect Personal Information about you when you visit the site. You can generally visit the site without revealing Personal Information, unless you choose to provide such information.”

Features on the UIDAI website that require individuals to provide personal information and sensitive personal information include: Booking an appointment, checking aadhaar status, enrolling for e-aadhaar, enrolling for aadhaar, updating aadhaar data. Types of information required for these services include: mobile number, name, address, gender, date of birth, and enrolment ID.[7]

The privacy policy goes on to state: “If you are asked for any other Personal Information you will be informed how it will be used if you choose to give it. If at any time you believe the principles referred to in this privacy statement have not been followed, or have any other comments on these principles, please notify the webmaster through the Contact Us page. Note: The use of the term "Personal Information" in this privacy statement refers to any information from which your identity is apparent or can be reasonably ascertained.”
The UIDAI privacy policy does explain the purpose for collection of information on the website and the use of collected information.
The UIDAI privacy policy does not address the possibility of disclosure of information collected by the UIDAI from the use of its website, except in the case of when an individual provides his/her email at which point the privacy policy states “Your e-mail address will not be used for any other purpose, and will not be disclosed without your consent.”
The UIDAI privacy policy does not provide information about the security practices adopted by the UIDAI.

Consent

Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.

UIDAI Practices - in Line
The UIDAI collects written consent from individuals through the enrolment form for the issuance of an Aadhaar number.

Collection Limitation

Rule 5 (2) requires that body corporate only collect sensitive personal data if it is connected to a lawful purpose and if it is considered necessary for that purpose.

UIDAI Practices - in Line
The Aadhaar enrolment form requires only the necessary sensitive personal data for the issuance of an Aadhaar number. Individuals are given the option to provide banking and financial information.

Notice During Direct Collection

Rule 5(3) requires that while collecting information directly from an individual the body corporate must provide the following information:

The fact that the information is being collected
The purpose for which the information is being collected
The intended recipients of the information
The name and address of the agency that is collecting the information
The name and address of the agency that will retain the information

UIDAI Practices - Partially in Line
The Aadhaar enrolment form does not provide the following information:

The intended recipients of the information
The name and address of the agency collecting the information
The name and address of the agency that will retain the information

Retention Limitation

Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.

UIDAI Practices - Unclear
It is unclear from publicly available information what the UIDAI retention practices are.

Use Limitation

Rule 5(5) requires that information must be used for the purpose that it was collected for.

UIDAI Practices - Unclear
It is unclear from publicly available information if the UIDAI is using collected information only for the purpose for which it was collected for.

Right to Access and Correct

Rule 5(6) requires body corporate to provide individuals with the ability to review the information they have provided and access and correct personal or sensitive personal information.

UIDAI Practices - Partially in Line
Though the UIDAI provides individuals with the ability to access and correct personal information, as stated on the enrolment form, correction is free only if changed within 96 hours of enrolment. Additionally, as stated on the enrolment form, if an individual chooses to allow for the UIDAI to facilitate the opening of a bank account and link present bank accounts to the UID number, this information, after being provided, cannot be corrected. The UIDAI website has a portal for updating information, but only name, address, gender, data of birth, and mobile number can be updated through this method. [9]

Right to ‘Opt Out’ and Withdraw Consent

Rule 5(7) requires that body corporate must provide individuals with the option of 'opting out' of providing data or information sought. Individuals also have the right to withdraw consent at any point of time. Body corporate has the right to withdraw services if consent is withdrawn.

UIDAI Practices - Partially in Line
The UID enrolment form provides individuals with one ‘optional’ field - the option of having the UIDAI open a bank account and link it to the individuals UID number or having the UIDAI link present bank accounts to individuals UID number. No other option to ‘opt out’ or withdraw consent is present on the enrolment form or the UIDAI privacy policy, terms of use, or website.

Security of Information

Rule 8 requires that body corporate must secure information in accordance with the ISO 27001 standard. These practices must be audited on an annual basis or when the body corporate undertakes a significant up gradation of its process and computer resource.

UIDAI Practices - Unclear
The security practices adopted by the UIDAI are not mentioned in the website privacy policy, on the website, or on the enrolment form, thus it is unclear from publicly available information if the UID is compliant with ISO 27001 standards. Though the UIDAI has been functioning since 2010, and it is unclear from publicly available information if annual audits of the UIDAI security practices have been undertaken.

Disclosure with Consent

Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, including cyber incidents and prosecution and punishment of offenses, on receipt of a written request.

UIDAI Practices - Partially in Line
In the enrolment form, consent for disclosure is stated as ‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” This is a blanket statement and allows for all future possibilities of sharing and disclosure of information provided with any organization that the UIDAI deems as ‘engaged in the delivery of welfare services’.

The UIDAI privacy policy only addresses the disclosure of an individual’s email address with consent. Though not directly addressing disclosure, the UIDAI privacy policy also states “ We will not identify users or their browsing activities, except when a law enforcement agency may exercise a warrant to inspect the service provider's logs.”

Prohibition on Publishing and Further Disclosure

Rule 6(3) and 6(4) prohibit the body corporate from publishing sensitive personal data or information. Similarly, organizations receiving sensitive personal data are not allowed to disclose it further.

UIDAI Practices - in Line
The UDAI does not publish sensitive personal data. It is unclear what practices and standards registrars and enrolment agencies are functioning under.

Requirements for Transfer of Sensitive Personal Data

Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection.

UIDAI Practices - Unclear
It is unclear from publicly available information if information collected by the UIDAI is transferred outside of India.

Establishment of Grievance Officer

Rule 5(9) requires that body corporate must establish a grievance officer and the details must be posted on the body corporates website and grievances must be addressed within a month of receipt.

UIDAI Practices - in Line
The website of the UIDAI provides details of a grievance officer that individuals can contact.[10] It is unclear from publicly available information if grievances are addressed within a month.

[1]. http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf

[2]. http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf

[3]. http://uidai.gov.in/

[4]. http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf

[5]. http://uidai.gov.in/organization-details.html

[6]. http://uidai.gov.in/privacy-policy.html

[7]. http://resident.uidai.net.in/home

[8]. http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf

[9]. https://ssup.uidai.gov.in/web/guest/ssup-home

[10]. http://uidai.gov.in/contactus.html

For more details visit https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules

Open Call for Comments: The Privacy Protection Bill 2013 drafted by the Centre for Internet and Society

bhairav — 2014-02-25T05:38:27Z

The Centre for Internet and Society is announcing an Open Call for Comments to the CIS Privacy Protection Bill 2013.

In early 2013 the Centre for Internet and Society drafted the Privacy (Protection) Bill 2013 as a citizen’s version of privacy legislation for India. The Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.

The Centre for Internet and Society has been collecting comments to the Privacy Protection Bill since April 2013 with the intention of submitting the Bill to the Department of Personnel and Training as a citizen’s version of a privacy legislation for India. If you would like to submit comments on the Privacy Protection Bill to be included as part of the Centre for Internet and Society’s submission to the Department of Personnel and Training, please email comments to bhairav@cis-india.org.

Download the latest version of the Privacy Protection Bill (February 2014)

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-open-call-for-comments

CIS Welcomes 52nd Report on Cyber Crime, Cyber Security, and Right to Privacy

elonnai — 2014-02-24T10:49:46Z

The “Fifty Second Report on Cyber Crime, Cyber Security, and Right to Privacy” issued by the 2013 -2014 Standing Committee on Information Technology on February 12th 2014, highlights the urgent need for reform in India’s cyber security framework and the need for the much awaited privacy legislation to be finalized and made into a law.

Read the Fifty-Second Report on Cyber Crime, Cyber Security and Right to Privacy released by the Department of Electronics and Information Technology

The Report consists of questions on the state of cyber security, cyber crime, and privacy posed by the Standing Committee and briefings and evidence provided by the Department of Electronics and Information Technology (DEITY ) in reply. The Report concludes with recommendations from the Standing Committee on the way forward.

The Report represents an important step forward in the realm of privacy and cyber security in India as the evidence provided by DEITY clarifies a number of aspects of India’s present and upcoming cyber security policies and practices. Furthermore, the recommendations by the Standing Committee highlight present gaps and inadequacies in India’s policies and practices and needed steps forward– particularly the need for a privacy legislation in India in the context of cyber security, increased transactions of sensitive data, and governmental projects like the Unique Identification Project.

Broadly, the Standing Committee sought input from DEITY on eight different aspects of cyber crime, cyber security, and privacy in India - namely: the growing incidents of cyber crime and resulting financial loss, the challenges and constraints of cyber crime, the role of relevant governmental organizations in India with respect to cyber security, preparedness and policy initiatives, cyber security and the right to privacy, monitoring and grievance redressal mechanism, and education and awareness initiatives. The evidence provided by DEITY sheds light on the present mindset of the Government at this time, upcoming policies, and capacity and infrastructure gaps in India’s cyber security framework.

The Centre for Internet and Society appreciates the Report and we would like to highlight and emphasize the following aspects:

Need for a privacy legislation and inadequacy of privacy provisions in Information Technology Act: When asked by the Standing Committee about the right to privacy and cyber security, DEITY highlighted the fact that the Information Technology Act contains sufficient safeguards for privacy, and added that the Department of Personnel and Training (DoPT) is in the process of developing a privacy legislation that will address the general concerns of privacy in the country, and thus the two together will be sufficient. DEITY also noted that no study on the extent of privacy breach due to cyber crime in India has been conducted. In their recommendations, the Standing Committee noted that it was unhappy that the Government has yet to institute a legal framework on privacy, as the increased transfer of sensitive data and projects like the UID leave citizens vulnerable to privacy violations . Significantly, the Standing Committee recommended that though the DoPT is currently responsible for drafting the Privacy Bill, DEITY should coordinate with the DoPT and become involved in the process.

As recognized by the Standing Committee, the Centre for Internet and Society would like to further emphasize the inadequacy of the provisions relating to privacy in the Information Technology Act, and the need for a privacy legislation in India. Inadequate aspects of the provisions have been pointed out by a number of sources. For example:

The Report of the Group of Experts on Privacy: Prepared by the committee chaired by Justice AP Shah
First Analysis of the Personal Data Protection Law in India: Prepared by the University of Namur for the Commission of the European Communities Directorate General for Justice, Freedom, and Security
Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Prepared by the Centre for Internet and Society and submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha
India’s U-Turns on Data Privacy: Prepared by Graham Greenleaf for the Privacy Laws & Business International Report, Issues 110 -114, 2011

Unclear Enforcement of 43A and associated rules: In evidence provided, DEITY, while discussing section 43A and the associated Rules, noted that the Data Security Council of India and empanelled security auditors through CERT-in are responsible for the ‘auditing of best practice’s (pg 24). The Standing Committee did not directly respond to this comment.

The Centre for Internet and Society would like to point out that DEITY did not clearly state that DSCI and the auditors through CERT-in were responsible for auditing organizational security practices for compliance with 43A. Furthermore, there is no publicly available information regarding audits ensuring compliance with 43A or information about the number of companies that have been found to be compliant. The Centre for Internet and Society would like to encourage that this information be made public, and compliance with 43A be enforced at the organizational level.

UIDAI not in compliance with 43A and associated Rules: In evidence provided, DEITY noted that “..Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...” (pg.46) In their recommendations the Standing Committee did not directly address this comment, but did emphasize the need for a privacy legislation in light of the UID scheme.

The Centre for Internet and Society appreciates that the Standing Committee raised concern about the privacy implications of the UID project. We would like to highlight that the UIDAI is not a Body Corporate, and is not in compliance with 43A or the subsequent Rules in the Information Technology Act. Furthermore, the UID project involves the handling and processing of data in analogue and digital formats, and thus the privacy protections found under 43A are not sufficient.

The potential harms of metadata: In evidence provided, the Department noted “...we have been assured that whatever data has been gathered by them for surveillance relates only to the metadata..but we expressed that any incursion into the content will not be tolerated and is not tolerable from the Indian stand and point of view.” (pg.47) The Standing Committee did not respond directly to this comment.

The Centre for Internet and Society would like to thank the Standing Committee for noting that the Government should have taken prior steps to preventing such an interception from taking place and for recommending the Department to take develop a policy to prevent future instances of interception from taking place. The Centre for Internet and Society would like to emphasize the importance and potential sensitive nature of metadata. Metadata can, and often does, disclose more about an individual or an activity than the actual content. For example, metadata can reveal identity, behaviour patterns, associations, and can enable the mapping of location and individual movement. As such, the Centre for Internet and Society would recommend that the Government of India treat access to all information generated by individual and governmental communications as sensitive and confidential.

Inadequacy of the Information Technology Act: When asked by the Standing Committee if the Information Technology Act provided sufficient legal safeguards for cyber security and cyber crime, DEITY highlighted the fact that the Information Technology Act 2000 addresses all aspects of cyber crime in a comprehensive manner. DEITY also pointed out that the National Cyber Security Policy 2013 has provisions to enable the development of a legal framework, and the Department of Personnel and Training is in the process of drafting a privacy legislation for India that will fill any gaps that exist. In their recommendations, the Standing Committee recognized that the Information Technology Act does contain provisions that address cyber security and cyber crime, but, especially in the recent controversy over section 66A of the Act, Standing Committee emphasized the need for periodical reviews of the IT Act.

The Centre for Internet and Society appreciates the fact that the Committee recognized the need for periodical review of the Information Technology Act, particularly in light of the controversy over 66 A. The Centre for Internet and Society would like to underscore the problems associated with 66A and would like to highlight that with regards to privacy and cyber security, the IT Act is not adequate and falls short in a number of areas. Research that the Centre for Internet and Society has conducted explaining these weaknesses can be found through the below links:

Breaking Down Section 66A of the IT Act
Short note on IT Amendment Act, 2008

Implications of domestic servers: In response to questions posed by the Standing Committee about security risks associated with the importation of electronics and IT products, as well as the hosting of servers outside the country, DEITY noted the security risk of using foreign infrastructure and pointed to the hosting of servers in India as a solution to protecting the security and privacy of Indian data. The Standing Committee supported this initiative, and encouraged DEITY to take further steps towards securing and protecting the privacy of Indian data through the hosting of servers for critical sectors within India.

The Centre for Internet and Society appreciates the fact that the Standing Committee carefully limited the recommendation of locating servers in India to those in critical sectors, but would caution the Government of potential implications on users ability to freely access content and services, and highlight the fact that localization of servers is not a security solution in itself as a comprehensive solution and hardening of critical assets against cyber attacks is essential.

Incorporation of safeguards into MOU’s for international cooperation: When asked about MOU’s for international cooperation that DEITY has engaged in with other countries, DEITY reported that currently CERT-in is entering into a number of MOU’s with other countries to facilitate cooperation for cyber security purposes. Presently there are MOUs with the US, Japan, South Korea, Mauritius, Kasakhstan, Finland, and the Canada Electronics and ICT sector. DEITY is also seeking MOUs with Malaysia, Israel, Egypt, Canada, and Brazil. The Standing Committee supported India entering into MOU’s for purposes of international cooperation, and encouraged DEITY to continue entering into MOU’s to mitigate jurisdictional complications when seeking to address issues related to cyber security.

The Centre for Internet and Society recognizes the importance of international cooperation when handling issues related to cyber security and cyber crime. To ensure that this process is in line with human rights, the Centre for Internet and Society would encourage DEITY to ensure that all MOU’s and/or Mutual Legal Assistance Agreements:

Uphold the principle of dual criminality
Apply the highest level of protection for individuals in the case where the laws of more than one state could apply to communications surveillance
Are not used by any party involved to circumvent domestic legal restrictions on communications surveillance.
Are clearly documented and publicly available
Contain provisions guaranteeing procedural fairness.[1]

Hactivism as a benefit to society: In evidence provided on page 14, DEITY, among other elements, referred to Hactivism as a societal challenge to securing cyber security and tackling cyber crime. The Standing Committee did not directly address this comment.

The Centre for Internet and Society would like to point out that hacktivism is a complex topic and consists of methods. Though some methods used by hacktivists are illegal, and some use hacktivism for censorship purposes and to target certain groups, other forms of hacktivism can benefit society and strengthen cyber security by finding and revealing vulnerabilities in a system, and bringing attention to illegal or violative practices.

This works towards ensuring that a system is adequately secure. Because of the dynamic nature of hacktivism, the Centre for Internet and Society believes that hacktivism needs to be evaluated on a case by case basis and the Government should not broadly label hacktivism as a challenge to cyber security and cyber crime.[2]

Importance of the anonymous speech: In evidence provided, DEITY noted the threat to cyber security that the anonymous nature of the internet posed. This was reiterated by the Standing Committee in their recommendations.

While recognizing the potential threat to cyber security that the anonymous nature of the internet can pose, the Centre for Internet and Society would like to highlight the importance of anonymous speech online to an individual’s right to free expression.

Conclusion

Recognizing the direct connection between a strong privacy framework and a strong cyber security framework, as security cannot be achieved without privacy, and recognizing the need for a privacy legislation in light of governmental projects like the UID, the Centre for Internet and Society welcomes the Fifty Second Report on Cyber Crime, Cyber Security, and the Right to Privacy and echoes the Standing Committees recommendation and emphasis on the need for a comprehensive privacy legislation to be passed in India.

[1]. These safeguards are reflected in the principle of “safeguards for International Cooperation” found in the International Principles on the Application of Human Rights to Communications Surveillance” https://en.necessaryandproportionate.org/text

[2]. For more information about hacktivism see: Activism, Hacktivism, and Cyberterrorism. The Internet as a Tool for Influencing Foreign Policy. By Dorothy E. Denning. Georgetown University. Available at: http://www.iwar.org.uk/cyberterror/resources/denning.htm

For more details visit https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy

Calcutta High Court Strengthens Whistle Blower Protection

divij — 2014-02-24T06:38:44Z

Calcutta High Court has ordered for protection of whistle blower's privacy in its November 20, 2013 order. The court has directed the government to accept RTI applications without the applicant's personal details.

In the absence of any law for the protection of whistle-blowers in the country, exposing the rampant corruption in our public institutions has become a hazardous occupation, with reports of threat and intimidation and even incidents of murder of whistle-blowers commonplace.[1] With the Whistle blower’s Protection Bill in abeyance and without any strict laws protecting the identities of the whistle-blowers who challenge such a corrupt system, even the mechanisms like the Right to Information Act which are meant to safeguard against systemic abuse and ensure transparency are being severely undermined.

For this reason, the Calcutta High Court’s affirmation of whistle-blowers’ privacy and identity protection is an important development. Through its order on the 20th of November, 2013, the Calcutta High Court held that for the purposes of section 6(2), which requires an application to the Public Information Officer to provide contact details of the applicant, it is sufficient in such application to disclose only the post-box number of the applicant. The court directed the Government to accept RTI applications without personal details or detailed whereabouts, when a post-box number or sufficient detail has been provided to establish contact between the whistle-blower and the authority. However if a public authority has any difficulty contacting the applicant through the Post Box No. the applicant may be asked to provide other contact details. The court further directed that personal details of applicants are not to be posted on the authorities’ websites.

The order, which was notified by the Government last week, ensures to some extent the protection of a whistle-blowers identity, and reduces the chances of the RTI being undermined by threats or acts of violence by those who are a part of the corrupt system, against persons exercising their right to information. However, its implementation is liable to be contingent on the authorities’ interpretation of when it would be “difficult” to establish contact between the authority and the applicant. Certain practical difficulties could also undermine the actual impact of the order, such as the fact that many applications are sent through registered or speed post, which cannot be mailed to a post-box number, especially since ordinary post cannot be tracked online like speed or registered post.[2]

Developing a system in which ordinary citizens do not have to fear retaliation for exposing corruption requires a comprehensive legislation protecting whistle-blowers identities and ensuring data security. However, the important message this judgement sends out is that the judiciary is still committed to protecting whistle-blowers, in lieu of the government’s actions. This is a particularly important stance taken by the Court, considering the Supreme Court in the past has refused to frame guidelines for whistle-blower protection, citing the imperative in enacting a whistle-blower legislation to be the Parliament’s.[3]

A full text of the judgement is available here.

[1].Whistleblower shot dead in Bihar, THE HINDU, available at http://www.thehindu.com/news/national/whistleblower-shot-dead-in-bihar/article4542293.ece; Tamil Nadu Whistleblower alleges death threats; Silence from Government, NDTV, available at http://www.ndtv.com/article/india/tamil-nadu-whistleblower-alleges-death-threats-silence-from-govt-410450.

[2]. Indian Postal Tracking Portal, http://www.indiapost.gov.in/tracking.aspx.

[3]. Supreme Court refuses to frame guidelines for protection of whistleblowers, Daily News and Analysis, available at http://www.dnaindia.com/india/report-supreme-court-refuses-to-frame-guideline-for-protection-of-whistleblowers-1525622.

For more details visit https://cis-india.org/internet-governance/blog/calcutta-hc-strengthens-whistle-blower-protection