We are anonymous, we are legion

The constitutionality of MHA surveillance order

nehaa — 2018-12-31T14:06:04Z

The rules require review committees to examine all surveillance orders issued under this section every couple of months.

The article by Nehaa Chaudhari was published in Asian Age on December 30, 2018.

The MHA notification authorising 10 agencies to intercept, monitor and decrypt “any information” generated, transmitted, received or stored in “any computer” has kicked up a row. One section calls it electronic surveillance at the behest of the Big Brother. This time the qualitative difference is data stored anywhere, not just data in motion, can be intercepted.

Privacy is a fundamental right in India. Nine Supreme Court judges agreed on this in late August, last year. It is “the constitutional core of human dignity” and flows primarily from the “guarantee of life and personal liberty” of our Constitution, they said, in the case of K.S.Puttaswamy vs Union of India. This meant two rules for the Indian state. Rule number 1.) Do not intrude upon a citizen’s right to life and personal liberty; and rule number 2.) Take all necessary steps to safeguard individual privacy.

However, because no fundamental right is absolute, the Indian state is allowed to deviate from rule number 1 in certain situations. It can restrict individual privacy provided that it first fulfills three conditions: The restriction must be backed by law; it must be for a legitimate state aim; and, it must be proportionate.

All laws (including existing ones) and government actions, with consequences for individual privacy, must meet the three conditions listed above to be valid.

Those that fail to do so are unconstitutional, and must be suitably amended, or will be struck down, as was the case with Section 377 of the Indian Penal Code, earlier this year. Section 69 of the Information Technology Act, under which the Ministry of Home Affairs has issued its recent surveillance order, warrants similar scrutiny.

Section 69 empowers the Centre and all state governments to authorise any of their officers to surveil citizens’ electronic communications and information. They may do so for any of the reasons laid down in the same section, including India’s sovereignty, integrity, defence, security and foreign relations, or public order, or to prevent the incitement of certain offences, or to investigate any offence. Government orders issued under this section must be reasoned, and in writing. These orders, and the resultant surveillance activity, must follow the procedure laid down in a set of rules framed under the Information Technology Act in 2009. The rules require review committees to examine all surveillance orders issued under this section every couple of months. The review committee at the Centre examines the Union government’s surveillance orders, while state governments’ orders are examined by committees at their respective states. But, review committees, whether at the Centre, or at any of the states, only have
three members each, tasked with reviewing hundreds of orders every day. Moreover, they consist only of government officials. Neither the Information Technology Act, nor the accompanying 2009 rules, require Parliamentary or judicial oversight of electronic surveillance by the executive.

In the past week, at least two petitions have been filed before the Supreme Court,which claim that the MHA’s surveillance order violates the fundamental right to privacy and is unconstitutional. This order for electronic surveillance is a clear deviation from rule number 1, and so the question before the court will be if it meets each of the conditions above to be valid.

Is the MHA order lawful? Yes, given as it was framed under the framework of the IT Act. There remains however, a larger question of the constitutionality of Section 69 itself. If the court finds Section 69 itself to be unconstitutional, any action taken pursuant to Section 69, including the recent MHA order, will also be unconstitutional.

Is the MHA order pursuant to a legitimate state aim? The order itself does not specify what in particular the government hopes to achieve. However, given as it was issued under Section 69, the government could well argue that it was only for the six purposes laid down in the statute.

Moreover, according to the Supreme Court in the right to privacy judgment, legitimate state aims are “matters of policy to be considered by the Union government.” The court even offered examples of possible legitimate state aims, which included the grounds listed under Section 69.

Is the MHA order proportionate? No; and neither is the IT Act’s framework dealing with electronic surveillance. The IT Act allows government surveillance of citizens, unchecked by either the legislature, or the judiciary. It creates a scenario where tiny government committees must review the government’s own decisions to curtail citizens’ fundamental rights. Moreover, it penalises individuals with up to seven years in jail, in addition to fines, for not complying with any interception, monitoring, or decryption request by an authorised government agency.

In light of the recent MHA order, this means that individuals must comply with surveillance requests by 10 government agencies including tax authorities, the police, and civil and military intelligence agencies, or be prepared to face jail time. This is unethical, undemocratic, and unconstitutional.

Unchecked government surveillance threatens not just an individual’s fundamental right to privacy, but also her fundamental freedoms of speech, movement, and assembly among others, also guaranteed fundamental rights under the Indian Constitution.

These rights and freedoms are the very essence of what it means to be a free citizen in a modern democracy. A democratic state must only exercise its police powers in the narrowest of circumstances, within bright lines, clearly defined.

In August, 2017, the Supreme Court laid down the framework to identify these narrow circumstances and bright lines in so far as the fundamental right to privacy was concerned. But, the promise of Puttaswamy is only as good as its implementation, and here lies its biggest challenge.

As Pranesh Prakash, Fellow at the Centre for Internet and Society, said on a television channel recently, perhaps it is about time that we stopped relying solely on the courts to step in to safeguard our fundamental rights, and started demanding that our elected law-markers did their jobs, or did them better. After all, a general election is but a few months away.

For more details visit https://cis-india.org/internet-governance/news/nehaa-chaudhari-asian-age-december-30-2018-constitutionality-of-mha-surveillance-order

December 2018 Newsletter

praskrishna — 2019-01-08T16:15:38Z

We at the Centre for Internet & Society (CIS) wish you all a great year ahead and welcome you to the twelfth issue of its newsletter (December) for the year 2018:

Highlights

CIS signed a MoU with Odia Virtual Academy to work on drafting an open content policy for the state, to promote use of Wikimedia projects by various user types and to ensure sustainability of Wikimedia projects, and to facilitate development of relevant free and open source software projects. This partnership between OVA and CIS will be carried out from December 2018 to November 2019.
Natalia Khaniejo, in a four-part report has attempted to document the various approaches that are being adopted by different stakeholders towards incentivizing cybersecurity and the economic challenges of implementing the same. The literature review was edited by Amber Sinha.
Arindrajit Basu, Karan Saini, Aayush Rathi and Swaraj Barooah created an infographic which has mapped the key stakeholder, areas of focus and threat vectors that impact cybersecurity policy in India. The authors have stated that broadly policy-makers should concentrate on establishing a framework where individuals feel secure and trust the growing digital ecosystem.
In April 2018 European Union issued the proposal for a new regime dealing with cross border sharing of data and information by issuing two draft instruments, an E-evidence Regulation (“Regulation”) and an E-evidence Directive (“Directive”), (together the “E-evidence Proposal”). Vipul Kharbanda has analysed how service providers based in India whose services are also available in Europe would be affected by these proposals.
Feminist research methodology is a vast body of knowledge, spanning across multiple disciplines including sociology, media studies, and critical legal studies. A literature review by Ambika Tandon aims to understand key aspects of feminist methodology across these disciplines, with a particular focus on research on technology and its interaction with society.
CIS and design collective Design Beku came together for a workshop on Illustrations and Visual Representations of Cybersecurity. The authors Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu have stated that images play a vital role in the public’s perception of cybercrime and cybersecurity.
A list of selected sessions and papers for the Internet Researchers' Conference 2019 (IRC19) has been published. IRC19 will be held in Lamakaan, Hyderabad, from Jan 30 to Feb 1, 2019.

Articles

Private-public partnership for cyber security (Arindrajit Basu; Hindu Businessline; December 24, 2018).
Is the new ‘interception’ order old wine in a new bottle? (Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare; Newslaundry.com; December 27, 2018).
Digital Native: System Needs a Reboot (Nishant Shah; Indian Express; December 30, 2018).

Media Coverage

Many sites bypass porn ban (Rajitha Menon; Deccan Herald; December 6, 2018).
How data privacy and governance issues have battered Facebook ahead of 2019 polls (Rahul Sachitanand; Economic Times; December 6, 2018).
Is Aadhaar Essential To Achieve Error-Free Electoral Rolls? (Bloomberg Quint; December 16, 2018).
Centre’s order on computer surveillance threatens right to privacy, experts say (Abhishek Dey; Scroll.in; December 22, 2018).
Centre’s order on computer surveillance is backed by law – but the law lacks adequate safeguards (Nehaa Chaudhari and Tuhina Joshi; Scroll.in; December 23, 2018).
Ten Indian government agencies can now snoop on people’s internet data (David Spenser; VPN Compare; December 24, 2018).
Big Brother is here: Amid snooping row, govt report says monitoring system 'practically complete' (Keerthana Sankaran; New Indian Express; December 26, 2018).
MHA snoop order & bid to amend IT rules: China-like clampdown or tracking unlawful content? (Fatima Khan; The Print December 28, 2018).
The dark side of future tech: Where are we headed on privacy, security, truth? (Dipanjan Sinha; Hindustan Times; December 29, 2018).
The constitutionality of MHA surveillance order (Nehaa Chaudhari; Asian Age; December 30, 2018).

Access to Knowledge

Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entries

Punjabi Wikisource Training Workshop, Patiala (Jayanta Nath; December 6, 2018).
Indic Wikisource Community Consultation 2018 (Jayanta Nath; December 8, 2019).
CIS Signs MoU with Odia Virtual Academy (Sailesh Patnaik; December 19, 2018).

Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Guest Lecture

Lecture on Open Access and Open Content Licensing at ICAR (short course) (Organized by ICAR-Indian Institute of Horticultural Research (IIHR) a constituent establishment of Indian Council of Agricultural Research; November 13 - 22, 2018). Anubha Sinha delivered a lecture.

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Privacy

Guest Lecture

Teaching at Shristi Interlude (Organised by Shristi; Bangalore; December 7, 2018). Shweta Mohandas participated as a mentor.

Gender

Research Paper

Feminist Methodology in Technology Research: A Literature Review (Ambika Tandon with contributions from Mukta Joshi; research assistance by by Kumarjeet Ray and Navya Sharma; design by Saumyaa Naidu; December 23, 2018).

Blog Entry

Event Report on Intermediary Liability and Gender Based Violence (Akriti Bopanna; edited by Ambika Tandon; December 20, 2018).

Participation in Event

International Network on Feminist Approaches to Bioethics 2018 (Co-organized by Feminist Approaches to Bioethics and Sama; St. John's Medical College; Bangalore; December 3 - 5, 2018). Aayush Rathi and Ambika Tandon were speakers at the event.

Cyber Security

Research Papers

European E-Evidence Proposal and Indian Law (Vipul Kharbanda; December 23, 2018).
Economics of Cybersecurity: Literature Review Compendium (Natalia Khaniejo; edited by Amber Sinha; December 31, 2018).

Infographic

Mapping cybersecurity in India: An infographic (information contributed by Arindrajit Basu, Karan Saini, Aayush Rathi and Swaraj Barooah; designed by Saumyaa Naidu; December 23, 2018).

Blog Entry

A Critical Look at the Visual Representation of Cybersecurity (Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu; December 11, 2018).

Participation in Event

India-China Tech Forum 2018 (Organised by ORF and Peking University at the Ji Xianlin Centre for India-China Studies; Mumbai; December 11 - 12, 2018). Arindrajit Basu was a speaker.

Artificial Intelligence

Participation in Event

Future Tech and Future Law (Organised by Dept. of IT & BT, Government of Karnataka; Palace Grounds; Bangalore; November 29 - December 1, 2018). Arindrajit Basu was a speaker.
AI for Social Good Summit (Co-organised by Google AI and United Nations ESCAP; Bangkok; December 13, 2018).

Researchers at Work

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Selected Papers

Internet Researchers' Conference 2019 (IRC19): #List - Selected Sessions and Papers (P.P. Sneha; January 2, 2019).

-----------------------------------
About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/december-2018-newsletter

Economics of Cybersecurity: Literature Review Compendium

Natallia Khaniejo — 2021-05-01T06:09:09Z

The twenty first century has witnessed an unprecedented conflation of everyday experiences and technosocial practices. The emergence of technologies like the Internet of Things, Cloud Computing, Digital Payment infrastructures are all emblematic of this conflation of technology with economic, social and political modes of existence.

Authored by Natallia Khaniejo and edited by Amber Sinha

Politics and economics are increasingly being amalgamated with Cybernetic frameworks and consequently Critical infrastructure has become intrinsically dependent on Information and Communication Technology (ICTs). The rapid evolution of technological platforms has been accompanied by a concomitant rise in the vulnerabilities that accompany them. Recurrent issues include concerns like network externalities, misaligned incentives and information asymmetries. Malignant actors use these vulnerabilities to breach secure systems, access and sell data, and essentially destabilize cyber and network infrastructures. Additionally, given the relative nascence of the realm, establishing regulatory policies without limiting innovation in the space becomes an additional challenge as well. The lack of uniform understanding regarding the definition and scope of what can be defined as Cybersecurity also serves as a barrier preventing the implementation of clear guidelines. Furthermore, the contrast between what is convenient and what is ‘sanitary’ in terms of best practices for cyber infrastructures is also a constant tussle with recommendations often being neglected in favor of efficiency. In order to demystify the security space itself and ascertain methods of effective policy implementation, it is essential to take stock of current initiatives being proposed for the development and implementation of cybersecurity best practices, and examine their adequacy in a rapidly evolving technological environment. This literature review attempts to document the various approaches that are being adopted by different stakeholders towards incentivizing cybersecurity and the economic challenges of implementing the same.

Click on the below links to read the entire story:

Economics of Cybersecurity Part I

Economics of Cybersecurity Part II

Economics of Cybersecurity Part III

Economics of Cybersecurity Part IV

For more details visit https://cis-india.org/internet-governance/blog/natalia-khaniejo-december-31-2018-economics-of-cybersecurity

MHA snoop order & bid to amend IT rules: China-like clampdown or tracking unlawful content?

Admin — 2018-12-30T10:08:31Z

An MHA order last week authorised 10 government agencies to scan data on computers. This was followed by the Modi government’s proposal to amend the Information Technology rules for social media platforms like WhatsApp, Facebook and Twitter to “proactively identify, remove or disable access to unlawful information or content” in order to curb fake news online.

The article by Fatima Khan was published in the Print on December 28, 2018. Amber Sinha was quoted.

No concrete steps taken by either NDA or UPA to enact laws for surveillance reform

The MHA order which gives 10 government agencies the power to intercept, monitor and decrypt ‘any information’ generated, transmitted, received, or stored in any computer, reaffirms the sorry state of communication surveillance law in India. This is reflected in the lack of judicial review, minimal legislative oversight and no regard for the principles of necessity, proportionality, user notification and transparency.

Despite detailed recommendations by the Committee of Experts led by Justice AP Shah back in 2013, there have been no concrete steps taken by either the current NDA government or the previous UPA government to enact laws for surveillance reform. The draft bill by the committee led by Justice Srikrishna does refer to the principles of necessity and proportionality, but stops short of recommending an overhaul of the surveillance regime. This notification is but merely the logical next step in the existing framework for communications surveillance.

On the other hand, the draft amendments to the IT Act regulations seek to address the problem of ‘unlawful content’ and seem to stem largely from concerns about the use of platforms like Facebook and WhatsApp to spread disinformation and impact electoral processes in India. To that extent, these steps are misguided and betray a failure to engage with the actual problem. Already, the powers of content moderation exercised by online platforms suffer from problems of transparency and accountability. The draft regulations will only serve to compound this problem while unreasonably expecting the platforms to exercise powers which should require judicial determination.

For more details visit https://cis-india.org/internet-governance/news/the-print-december-28-2018-mha-snoop-order-bid-to-amend-it-rules-china-like-clampdown-or-tracking-unlawful-content

The dark side of future tech: Where are we headed on privacy, security, truth?

Admin — 2018-12-30T09:24:40Z

#2018 Year-End Special: We now live in a time when devices listen, chips track your choices, and governments can watch from behind a barcode. How do we navigate this world?

The article by Dipanjan Sinha was published in the Hindustan Times on December 29, 2018. Pranesh Prakash was quoted.

“One of the definitions of sanity is the ability to tell real from unreal. Soon we’ll need a new definition,” Alvin Toffler, author of the 1970 bestseller Future Shock, once said.

Privacy. Security. Freedom. Democracy. History. News — the lines between the real and unreal are blurring in each of these fields.

Fake news is helping decide elections; history being rewritten as it happens; rumour has become identical in look, feel and distribution to the actual news.

Devices that listen, governments that watch you from behind a barcode, chips that track where you go, what you eat, how you feel — these used to be the stuff of dystopian novels.

In April, the world learnt of the Chinese government’s social credit system, a programme currently in the works that would employ private technology platforms and local councils to use personal data to assign a social score to every registered citizen.

Behave as the state wants you to, and you could get cheaper loans, easier access to education; it’s unclear what the consequences could be for those who do the opposite, but discredits are likely for bad behaviours that range from smoking in non-smoking zones to buying ‘too many’ video games, and being critical of the government.

We’ve seen this before — totalitarian governments where the individual is under constant surveillance by a state that pretends this is for the greater good. But the last time we came across it, it was fiction — George Orwell’s 1984, set in a superstate where thought police took their orders from a totalitarian leader with a friendly name, Big Brother.

CATCH-22

“Just because you’re paranoid doesn’t mean they aren’t out to get you,” Joseph Heller said, in Catch-22, a novel so layered that you’re never sure which bits are true. Who gets access to the data your phone collects? What is the government watching for, after they’ve assigned citizens unique IDs?

It feels good to be able to criticise China, still something of an anomaly in a global community that is largely democratic and free-market, but the UK had a National Identity Cards Act from 2006 to 2010; India has the Aadhar project; Brazil has had the National Civil Identification document since 2017; Germany, a national identity card since 2010, and Colombia has had one since 2013.

They’re collecting biometric data, assigning numbers to citizens and building national registers — with not much word on what’s in them, who has access, or how secure they are.

“To ask what the risk is with accumulating such big data is like asking what the risk is with computers. They are both embedded in our lives,” says Pranesh Prakash, a fellow at the thinktank Centre for Internet and Society.

Security is just the base layer in the pyramid if risks. There is also the risk of discrimination — whether in terms of benefits, employment, or something like marriage, Prakash says. There is the risk of bad data leading to worse discrimination; there is the risk of public profiling.

“The question here is about transparency,” Prakash says. “The questions of what the data contains, who it is accessed by or sold do, how much of it there is, and what the purpose is of collecting it — need to be clearly answered.”

OPERATION THEATRE

New questions are being asked in the field of medicine as well. Where do you draw the line on designer babies? Should parents get to edit the genes of their child-to-be? How much ought we to tinker — do you stop at mutations, or go on to decide hair colour and intellect?

As it becomes cheaper and easier to sequence DNA, the questions over the next steps — of interpreting and analysing the data — will become more complex, says K VijayRaghavan, principal scientific adviser to the government of India, and former director of the National Centre for Biological Sciences. “From here on, with the data deluge, deciding what and how to do it will become fiendishly complex. Especially as commercial interests become involved.”

We have rules and laws for the use of DNA information in research, but corresponding laws that regulate how one can use personal whole genome information in the public space are still being framed. “The data-privacy discussion will soon get to the genomic-data space,” VijayRaghavan says. “Data sharing is needed for patients to benefit. Yet data privacy is needed to prevent exploitative use. It’s a conundrum, and there are no easy answers.”

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-dipanjan-sinha-december-29-2018-the-dark-side-of-future-tech

Is the new ‘interception’ order old wine in a new bottle?

Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare — 2018-12-29T16:02:00Z

The government could always authorise intelligence agencies to intercept and monitor communications, but the lack of clarity is problematic.

An opinion piece co-authored by Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare was published in Newslaundry.com on December 27, 2018.

On December 20, 2018, through an order issued by the Ministry of Home Affairs (MHA), 10 security agencies—including the Intelligence Bureau, the Central Bureau of Investigation, the Enforcement Directorate and the National Investigation Agency—were listed as the intelligence agencies in India with the power to intercept, monitor and decrypt "any information" generated, transmitted, received, or stored in any computer under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

On December 21, the Press Information Bureau published a press release providing clarifications to the previous day’s order. It said the notification served to merely reaffirm the existing powers delegated to the 10 agencies and that no new powers were conferred on them. Additionally, the release also stated that “adequate safeguards” in the IT Act and in the Telegraph Act to regulate these agencies’ powers.

Presumably, these safeguards refer to the Review Committee constituted to review orders of interception and the prior approval needed by the Competent Authority—in this case, the secretary in the Ministry of Home Affairs in the case of the Central government and the secretary in charge of the Home Department in the case of the State government.

As noted in the press release, the government has always had the power to authorise intelligence agencies to submit requests to carry out the interception, decryption, and monitoring of communications, under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

When considering the implications of this notification, it is important to look at it in the larger framework of India’s surveillance regime, which is made up of a set of provisions found across multiple laws and operating licenses with differing standards and surveillance capabilities.

- Section 5(2) of the Indian Telegraph Act, 1885 allows the government (or an empowered authority) to intercept or detain transmitted information on the grounds of a public emergency, or in the interest of public safety if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. This is supplemented by Rule 419A of the Indian Telegraph Rules, 1951, which gives further directions for the interception of these messages.

- Condition 42 of the Unified Licence for Access Services, mandates that every telecom service provider must facilitate the application of the Indian Telegraph Act. Condition 42.2 specifically mandates that the license holders must comply with Section 5 of the same Act.

- Section 69(1) of the Information Technology Act and associated Rules allows for the interception, monitoring, and decryption of information stored or transmitted through any computer resource if it is found to be necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

- Section 69B of the Information Technology Act and associated Rules empowers the Centre to authorise any agency of the government to monitor and collect traffic data “to enhance cyber security, and for identification, analysis, and prevention of intrusion, or spread of computer contaminant in the country”.

- Section 92 of the CrPc allows for a Magistrate or Court to order access to call record details.

Notably, a key difference between the IT Act and the Telegraph Act in the context of interception is that the Telegraph Act permits interception for preventing incitement to the commission of an offence on the condition of public emergency or in the interest of public safety while the IT Act permits interception, monitoring, and decryption of any cognizable offence relating to above or for investigation of any offence. Technically, this difference in surveillance capabilities and grounds for interception could mean that different intelligence agencies would be authorized to carry out respective surveillance capabilities under each statute. Though the Telegraph Act and the associated Rule 419A do not contain an equivalent to Rule 4—nine Central Government agencies and one State Government agency have previously been authorized under the Act. The Central Government agencies authorised under the Telegraph Act are the same as the ones mentioned in the December 20 notification with the following differences:

- Under the Telegraph Act, the Research and Analysis Wing (RAW) has the authority to intercept. However, the 2018 notification more specifically empowers the Cabinet Secretariat of RAW to issue requests for interception under the IT Act.

- Under the Telegraph Act, the Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area, has the authority to intercept. However, the 2018 notification specifically authorises the Commissioner of Police, New Delhi with the power to issue requests for interception.

That said, the IT (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 under 69B of the IT Act contain a provision similar to Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 - allowing the government to authorize agencies that can monitor and collect traffic data. In 2016, the Central Government authorised the Indian Computer Emergency Response Team to monitor and collect traffic data, or information generated, transmitted, received, or stored in any computer resource. This was an exercise of the power conferred upon the Central Government by Section 69B(1) of the IT Act. However, this notification does not reference Rule 4 of the IT Rules, thus it is unclear if a similar notification has been issued under Rule 4.

While it is accurate that the order does not confer new powers, areas of concern that existed with India’s surveillance regime continue to remain including the question of whether 69(1) and 69B and associated Rules are constitutionally valid, the lack of transparency by the government and the prohibition of transparency by service providers, heavy handed penalties on service providers for non-compliance, and a lack of legal backing and oversight mechanisms for intelligence agencies. Some of these could be addressed if the draft Data Protection Bill 2018 is enacted and the Puttaswamy Judgement fully implemented.

Conclusion

The MHA’s order and the press release thereafter have served to publicise and provide needed clarity with respect to the powers vested in which intelligence agencies in India under section 69(1) of the IT Act. This was previously unclear and could have posed a challenge to ensuring oversight and accountability of actions taken by intelligence agencies issuing requests under section 69(1) .

The publishing of the list has subsequently served to raise questions and create a debate about key issues concerning privacy, surveillance and state overreach. On December 24, the order was challenged by advocate ML Sharma on the grounds of it being illegal, unconstitutional and contrary to public interest. Sharma in his contention also stated the need for the order to be tested on the basis of the right to privacy established by the Supreme Court in Puttaswamy which laid out the test of necessity, legality, and proportionality. According to this test, any law that encroaches upon the privacy of the individual will have to be justified in the context of the right to life under Article 21.

But there are also other questions that exist. India has multiple laws enabling its surveillance regime and though this notification clarifies which intelligence agencies can intercept under the IT Act, it is still seemingly unclear which intelligence agencies can monitor and collect traffic data under the 69B Rules. It is also unclear what this order means for past interceptions that have taken place by agencies on this list or agencies outside of this list under section 69(1) and associated Rules of the IT Act. Will these past interceptions possess the same evidentiary value as interceptions made by the authorised agencies in the order?

For more details visit https://cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle

India-China Tech Forum 2018

Admin — 2018-12-26T15:32:20Z

Arindrajit Basu spoke at the India-China Tech Forum 2018 organised by ORF and Peking University at the Ji Xianlin Centre for India-China Studies, Mumbai on December 11 - 12, 2018. The event functioned as a bi-annual dialogue that fosters co-operation in this space between the two countries.

Arindrajit spoke on the panel 'India, China and the future of cyber norms' along with Saravjit Singh,Liu Ke and Weng Wejia. This was a closed door discussion under Chatham House rules. Click here to read the agenda.

For more details visit https://cis-india.org/internet-governance/news/india-china-tech-forum

Big Brother is here: Amid snooping row, govt report says monitoring system 'practically complete'

Admin — 2018-12-26T15:22:27Z

The recently released 2017-18 annual report of the Centre for Development of Telematics (C-DOT) says that surveillance equipment is being rolled out in 21 service areas across the country.

The article by Keerthana Sankaran was published in New Indian Express on December 26, 2018.

While last week's government order on snooping caused an uproar, the Centre's plans for a far-reaching monitoring system have been in the making for almost a decade -- with the groundwork being done by the previous UPA regime. The recently released 2017-18 annual report of the Centre for Development of Telematics (C-DOT) says that India’s ‘Central Monitoring System’ (CMS) is “practically complete”, confirming that the Orwellian ‘Big Brother’ is here.

The report says that surveillance equipment is being rolled out in 21 service areas across the country and operations have commenced in 12 service areas. The system will monitor and intercept calls and messages.

The government claims the CMS is based on the Telegraph Act of 1885 which states that the central or state government may intercept messages if the government is “satisfied that it is necessary or expedient to do so in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence.”

Even though the surveillance system was publicly announced in 2009, C-DOT’s annual report of 2007-2008 had hinted at a testing phase for a “lawful interception, monitoring” system.

A post from the website of the Centre for Internet and Society describes how the CMS could work. Network providers are all required to give interconnected Regional Monitoring Centres access to their network servers. The article also points out that there is no law that describes the CMS.

The CMS was approved by the Cabinet Committee on Security during the UPA government in 2011, receiving flak from experts and the press for not safeguarding the citizen’s right to privacy. However, in a Lok Sabha session in May 2016, Telecom Minister Ravi Shankar Prasad said that the system is for the “process of lawful interception”, adding that regional monitoring centres in Delhi and Mumbai had been operationalised.

The latest C-DOT report also talks about a Centre of Excellence for Lawful Interception being set up, which would use high-end technologies - such as open source intelligence, image processing and search engine tools to scan Twitter and Facebook - for surveillance.

On Thursday, the Ministry of Home Affairs released a notification, authorising 10 central agencies to intercept, monitor and decrypt any "information generated, transmitted, received or stored in any computer." While the public and opposition parties expressed alarm over the new order, the C-DOT report clearly shows that state surveillance plans are already in an advanced stage.

These government moves are taking place despite the August 2017 landmark judgement by the Supreme Court, which declared the right to privacy as a fundamental right which will protect citizens from intrusive activities by the state.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-keerthana-sankaran-december-26-2018-big-brother-is-here-amid-snooping-row-govt-report-says-monitoring-system-practically-complete

Private-public partnership for cyber security

basu — 2018-12-26T15:02:21Z

Given the decentralised nature of cyberspace, the private sector will have to play a vital role in enforcing rules for security.

The article by Arindrajit Basu was published in Hindu Businessline on December 24, 2018.

On November 11, 2018, as 70 world leaders gathered in Paris to commemorate the countless lives lost in World War I, French President Emmanuel Macron inaugurated the Paris Peace Forum with a fiery speech denouncing nationalism and urging global leaders to pursue peace and stability through multilateral initiatives.

In many ways, it echoed US President Woodrow Wilson’s monumental speech delivered at the US Senate a century ago in which he outlined 14 points on the principles for peace post World War I. As history unkindly reminds us through the catastrophic realities of World War II, Wilson’s principles went on to be sacrificed at the altar of national self-interest and inadequate multilateral enforcement.

President Macron’s first initiative for global peace — the Paris Call for Trust and Security in Cyber Space was unveiled on November 12 — at the UNESCO Internet Governance Forum — also taking place in Paris. The call was endorsed by over 50 states, 200 private sector entities, including Indian business guilds such as FICCI and the Mobile Association of India and over 100 organisations from civil society and academia from all over the globe. The text essentially comprises a set of high-level principles that seeks to prevent the weaponisation of cyberspace and promote existing institutional mechanisms to “limit hacking and destabilising activities” in cyberspace.

Need for private participation

Given the increasing exploitation of the internet for reaping offensive dividends by state and non-state actors alike and the prevailing roadblocks in the multilateral cyber norms formulation process, Macron’s efforts are perhaps of Wilsonian proportions.

A key difference, however, was that Macron’s efforts were devised hand-in-glove with Microsoft — one of the most powerful and influential private sector actors of our time. Microsoft’s involvement is unsurprising given that private entities have become a critical component of the global cybersecurity landscape and governments need to start thinking about how to optimise their participation in this process.

Indeed, one of the defining features of cyberspace is its incompatibility with state-centric ‘command and control’ formulae that lead to the ordering of other global security regimes — such as nuclear non-proliferation. The decentralised nature of cyberspace means that private sector actors play a vital role in implementing the rules designed to secure cyberspace.

Simultaneously, private actors such as Microsoft have recognised the utility of clearly defined ‘rules of the road’ which ensure certainty and stability in cyberspace and ensure its trustworthiness among global customers.

Normative deadlock

There have been multiple gambits to develop universal norms of responsible state behaviour to foster cyber stability. The United Nations-Group of Governmental Experts (UN-GGE) has been constituted five times now and will meet again in January 2019.

While the third and fourth GGEs in 2013 and 2015 respectively made some progress towards agreeing on some baseline principles, the fifth GGE broke down due to opposition from states including Russia, China and Cuba on the application of specific principles of international law to cyberspace.

This was an extension of a long-running ‘Cold War’ like divide among states at the United Nations. The US along with its NATO allies believe in creating voluntary non-binding norms for cybersecurity through the application of international law in its entirety while Russia, China and its allies in the Shanghai Co-operation Organization (SCO) reject the premise that international law applies in its entirety and call for the negotiation of an independent treaty for cyberspace that lays down binding obligations on states.

Critical role

The private sector has begun to play a critical role in breaking this deadlock. Recent history is testament to catalytic roles played by non-state actors in cementing global co-operative regimes.

For example, Dupont — the world’s leading ChloroFluoroCarbon (CFC) producer — played a leading role in the 1970s and 1980s towards the development of The Montreal Protocol on Substances that Deplete the Ozone Layer and gained positive recognition for its efforts.

Another example is the International Committee of the Red Cross (ICRC) — a non-governmental organisation that played a crucial role in the development of the Geneva Conventions and its Additional Protocols, which regulate the conduct of atrocities in warfare by preparing initial drafts of the treaties and circulating them to key government players.

Similarly, in cyberspace, Microsoft’s Digital Geneva Convention which devised a set of rules to protect civilian use of the internet was put forward by Chief Legal Officer, Brad Smith two months before the fifth GGE met in 2017.

Despite the breakdown at the UN-GGE, Microsoft pushed on with the Tech Accords — a public commitment made by (as of today) 69 companies “agreeing to defend all customers everywhere from malicious attacks by cyber-criminal enterprises and nation-states.”

Much like the ICRC, Microsoft leads commendable diplomatic efforts with the Paris Call as they reached out to states, civil society actors and corporations for their endorsement.

Looking Forward

Private sector-led normative efforts towards securing cyberspace are redundant in the absence of three key recommendations. First, is the implementation of best practices at the organisational level through the implementation of robust cyber defense mechanisms, the detection and mitigation of vulnerabilities and breach notifications — both to consumer and the government.

Second, is the development of mechanisms that enables direct co-operation between governments and private actors at the domestic level. In India, a Joint Working Group between the Data Security Council of India (DSCI) and the National Security Council Secretariat (NSCS) was set up in 2012 to explore a Private Public Partnership on cyber-security in India , which has great potential but is yet to report any tangible outcomes.

The third and final point is the recognition that their efforts need to result in a plurality of states coming to the negotiating table. The absence of the US, China and Russia in the Paris Call are eerily reminiscent of the lack of US participation in Woodrow Wilson’s League of Nations, which was one of the reasons for its ultimate failure.

Microsoft needs to keep on calling with Paris but Beijing, Washington and Alibaba need to pick up.

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-hindu-businessline-december-24-2018-private-public-partnership-for-cyber-security

How data privacy and governance issues have battered Facebook ahead of 2019 polls

Admin — 2018-12-25T01:43:59Z

Rohit S, an airline pilot, had enough of Facebook. With over 1,000 friends and part of at least a dozen groups on subjects ranging from planes to politics, the 34-year-old found himself constantly checking his phone for updates and plunging headlong into increasingly noisy debates, where he had little personal connect.

The article by Rahul Sachitanand was published in Economic Times on December 9, 2018. Elonnai Hickok was quoted.

While he had originally signed up with Facebook a decade ago to reconnect with school classmates, he found himself more and more disconnected from the sprawl the social network had become. “It was a mess of impersonal shares, unverified half-truths and barely any personal updates,” he says, a week after permanently logging out. “I’d rather reconnect the old-fashioned way.”

This kind of user disenchantment has become increasingly common among Facebook users. Many like Rohit, who signed up with more altruistic aims, find themselves distanced by how the social networking platform has evolved.

All through 2018, Facebook and its embattled cofounder, Mark Zuckerberg, have found themselves battling one fire after another. Starting with the mess involving Cambridge Analytica and ending with the document dump unearthed by UK’s Parliament this week (that showed the firm as a cut-throat corporation at best), this has been a year to forget. “Unfortunately, Facebook cannot be trusted with the privacy of its users’ data,” says Alessandro Acquisti, professor, Carnegie Mellon University. “Time and again, Facebook has shown a cavalier attitude towards the handling of users’ data as well as towards informing users clearly and without deception about the actual extent of Facebook’s data collection and handling policies.”

This perception has caused problems with Facebook, both around the world and at home, with privacy advocates pushing for stronger monitoring to counter the seeming free reign enjoyed by the platform.

Mishi Choudhary, legal director of Software Freedom Law Center in the US and Mishi Choudhary and Associates, a New Delhi-law firm, says the pay-for-data model necessitates a stronger data protection regime that doesn’t leave users at the mercy of self-governing corporate entities.

“The contrast between Facebook’s public statements and private strategies to monetise user data reveals the truth of surveillance capitalism carried out stealthily and steadily,” she says.

In an election year in India, this could cause problems for Facebook.

The company has already tried to clean up its act, implementing more transparent political advertising norms and looking to clean up fake news claims (on itself and WhatsApp, the messaging platform it owns) to try to win back user trust. Facebook has also launched video monetisation capabilities and Lasso, a short video offering similar to Tik Tok, the Chinese startup that has been massively popular here. The company, that has over 250 million users in India, plans to train five million people on digital technologies in three years, to try to increase awareness.

Facebook didn’t respond to an email seeking more specific comments for this piece.

In a country where privacy legislation is yet in the works, experts are worried about the overt and covert interest in users’ private data. Hundreds of millions of users here, many unwittingly, accepting user terms and giving apps too many permissions could easily give away confidential information, the experts argue. This is especially so in the case of Android users in the country, who access the web on cheap handsets and don’t have a full understanding of what they sign up for. “Very few people know about the origin or provenance of apps that they download or what data they track or phone features that they access,” says Shiv Putcha, founder and principal analyst, Mandala Insights, a telecom consultancy. “These are all potential security breaches of a massive order.”

Alessandro Acquisti, professor, Carnegie Mellon University. This situation has privacy advocates closely watching Facebook and pushing for more stringent rules to monitor the company. "The criticality of human rights impact assessment for all products and services by companies like Facebook is underscored," says Elonnai Hickok, from the Centre for Internet and Society, a think tank in Bengaluru. "To build user trust, these assessments should be made public."

As India finalises its privacy legislation, it is important to ensure that such assessments are undertaken according to law, citizens and their rights are upheld and companies are held accountable. "This also demonstrates that India needs a privacy legislation that allows the government to address a situation if data of Indian citizens is impacted."

For more details visit https://cis-india.org/internet-governance/news/economic-times-rahul-sachitanand-december-9-2018-how-data-privacy-and-governance-issues-have-battered-facebook

Is Aadhaar Essential To Achieve Error-Free Electoral Rolls?

praskrishna — 2018-12-25T01:21:45Z

The Election Commission’s plans to link Aadhaar with electoral rolls may have stirred a hornet’s nest.

The article was published in Bloomberg's Quint on December 16, 2018. Pranesh Prakash was quoted.

The commission plans to undertake the exercise to clean up electoral rolls—which need to be updated frequently to avoid duplication and errors, The Economic Times newspaper reported citing people aware of the matter. But with privacy concerns raised against the Aadhaar, is this the best way to achieve error-free voter data?

Pranesh Prakash, policy director at the Centre for Internet and Society, doesn’t think so. Using Aadhaar data without the consent of the user poses legal problems, he told BloombergQuint in a conversation. “For the Election Commission to link Aadhaar with citizens’ voter ID would require amending the law.”

It is questionable whether this will fall within the bounds that the SC has set for usage of Aadhaar.

Pranesh Prakash, Policy Director, Centre for Internet and Society

The former legal advisor of the Election Commission SK Mendiratta, however, brushed aside privacy concerns relating to the process. The Election Commission, according to him, is a constitutional body and can use information with the government to ensure purity of the electoral roll.

Reetika Khera, associate professor at Indian Institute of Management-Ahmedabad, said this could be bad for voters. She cited the mass deletion of voters from electoral rolls in Telangana ahead of the recent elections, and urged that due process must be followed.

There are serious problems with the use of algorithmic approaches in various spheres. Aadhaar as a tool to clean up the electoral rolls is the problem.

Reetika Khera, Associate Professor, IIM Ahmedabad

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-december-16-2018-is-aadhaar-essential-to-achieve-error-free-electoral-rolls

AI for Social Good Summit

Admin — 2018-12-25T01:02:01Z

Arindrajit Basu was a speaker at the event co-organized by Google AI and United Nations ESCAP on December 13, 2018 in Bangkok, Thailand.

Arindrajit spoke at the panel " How can governments use AI in Public Service Delivery" along with Malavika Jayaram, Jake Lucci,Punit Shukla,Simon Schmooly and Gal Oren. He presented CIS research on AI in agriculture in Karnataka-which will be published as part of a compendium documenting case studies worldwide soon.

Click to read more

For more details visit https://cis-india.org/internet-governance/news/unescap-and-google-ai-december-13-bangkok-ai-for-social-good-summit

Centre’s order on computer surveillance threatens right to privacy, experts say

Admin — 2018-12-25T00:50:48Z

The Constitutional validity of the notification allowing ten agencies to intercept information is uncertain.

The blog post by Abhishek Dey was published in Scroll.in on December 22, 2018.

A notification issued by the Union Ministry of Home Affairs on Thursday allowing ten agencies to intercept, monitor and decrypt any information generated from any computer poses a grave threat to the fundamental right to privacy, said lawyers and cyber security experts.

The notification led to a political storm on Friday and criticism from the Opposition forced Parliament to be adjourned. However, Union Finance Minister Arun Jaitley accused the Opposition of “making a mountain where a molehill does not exist”. The government on Friday issued a clarification stating that the directive does not confer any new powers on it and has the legal backing of the Information Technology Act.

Experts agreed that Thursday’s notification lists powers already available to the authorities in the Information Technology Act 2000. The legal provisions to allow interception were introduced in 2008 by the Congress-led United Progressive Alliance government. However, with the fresh directive, experts said that the Bharatiya Janata Party-led government seems to be trying to formalise surveillance through the interception of computer information, they said.

“It is true that such [interception] powers already existed,” said Pavan Duggal, a lawyer with expertise in cyber security. “But neither any such formal directives were issued which I know of, nor any agency were specifically notified to have those powers.”

Privacy test

The Information Technology Act 2000 was amended in 2008 to allow to the monitoring and interception of computer information, while the rules under which this would operate were promulgated in 2009. In 2017, the Supreme Court delivered a judgment establishing privacy as a fundamental right. The legal foundation of the computer interception directive could be still be challenged in court because it has not yet been considered in light of the privacy judgment, said Duggal. “It is now a matter of Constitutional validity,” he said

Thursday’s notification lists the agencies authorised to intercept, monitor and decrypt computer data: the Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Cabinet Secretariat (RAW), Directorate of Signal Intelligence (for service areas of Jammu and Kashmir, North East and Assam) and the Commissioner of Police, Delhi. The Act provides a jail term of seven years for anyone who refuses to cooperate with these agencies.

On Friday, experts questioned whether a notification listing the 10 agencies had actually been issued earlier, as the Centre claimed.

“It is a fresh notification,” said Apar Gupta, a lawyer who specialises in technology and media issues. “With this, interception of computers has received formal acceptance in the public domain and it can have serious implications on privacy.”

Senior officials of the Delhi Police also said this appeared to be a fresh order. Asked if this meant that the agencies would not need to ask for authorisation in every case since a blanket order has been issued, the officials said that this still needs to be clarified.

Lacking proportionality

The order has raised questions about the validity of the cases of interception of computer information conducted by the state police and other security agencies between 2009 (the year the interception rules were promulgated) and 2018 (the year the notification has been issued), Pranesh Prakash, co-founder of the Centre for Internet and Society.

One possibility, he said, may be that they were all unlawful.

But if they were indeed conducted with legal backing, Prakash said, then permission for this would been sanctioned in the form of an order by a competent authority. This is what Rule 3 of the interception rules mandate. But if so, Rule 4, which deals with the government authorising agencies to conduct such interceptions, is redundant. “How can it not be when any state police or other agency is capable of acquiring an order for interception under Rule 3?” he said

Besides, Prakash said, the new directive does not pass the test of proportionality.

In 2007, the Central government introduced rules to amend the Indian Telegraph Act 1951 to allow for information to be intercepted, Prakash said. However, the rules say that the competent authority should resort to interception only after considering all alternative means to acquire information. Thursday’s directive, though, is silent about the circumstances in which interception will be permitted, he said.

For more details visit https://cis-india.org/internet-governance/news/scroll-abhishek-dey-december-22-2018-centres-order-on-computer-surveillance-threatens-right-to-privacy

Ten Indian government agencies can now snoop on people’s internet data

Admin — 2018-12-25T00:33:47Z

In a significant attack on online privacy, India’s Home Affair’s Ministry has authorised no fewer than ten different central government agencies to intercept, monitor, and decrypt “any information generated, transmitted, received or stored in any computer”.

The blog post by David Spencer was published by VPN Compare on December 24, 2018. Pranesh Prakash was quoted.

The move has angered many Indian internet users, with the number of Indians turning to VPNs like ExpressVPN to protect their online privacy is expected to rise significantly.

Extending powers under and old law

The authorisation has been made under Section 69 (1) of the Information Technology Act, 2000 and Rule 4 of the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules.

While these laws have been in place for almost a decade, it is only now that the Ministry has decided to use them toenable the decryption and access of online data.

The agencies that can now look at what every single Indian citizen is doing online include the Intelligence Bureau, the Narcotics Control Bureau, the Enforcement Directorate, the Central Board of Direct Taxes, and the Directorate of Revenue Intelligence.

Other which will also be permitted to hack into people’s devices are the Central Bureau of Investigation; National Investigation Agency, the Cabinet Secretariat (R&AW), the Directorate of Signal Intelligence (only for the service areas of Jammu & Kashmir and North-East and Assam) and the Delhi Commissioner of Police.

The laws do notionally limit the circumstances in which these agencies can access private internet data, but as is so often the case, the definition of these circumstances are so vague as to render the restrictions almost meaningless.

Permissible circumstances include cases thought to be “in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any recognizable offence relating to above or for investigation of any offence.”

Indian lawyers have said that all of the above agencies will still have to comply with Rule 3 of Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

This requires permission from either the union home secretary or the secretary of the Home Affair’s Ministry before interception can take place.

The new powers could be illegal

The new permissions also raise the interesting prospect that all previous interception of data by these agencies could be both unconstitutional and illegal, according to one Indian technology policy analyst, Pranesh Prakash.

He also told The Wire that he believed “Section 69 and 69B of the IT Act are unconstitutional for being over-broad in what they allow interception and monitoring for, in demanding decryption from accused persons, and the punishments that they prescribe.”

The New Delhi based Internet Freedom Foundation echoed this opinion, releasing a statement which said, “the decision to authorise electronic snooping is unconstitutional and in breach of the telephone tapping guidelines, the Privacy Judgement and the Aadhaar judgement.”

Opponents of the Indian President, Narendra Modi, have argued that this latest decision is further evidence that he is turning India into a surveillance state.

Congress Party chief, Rahul Gandhi, said this move showed Modi is “an insecure dictator”, while others have argued that that this increased surveillance will have a “chilling effect” on democratic debate and dissent in India.

Srinivas Kodali, an independent security researcher in Hyderabad, told Al Jazeera the new powers would “make data collection from critics and political opponents easier [and] facilitate targeted raids against the opposition and critics.”

For their part, the Indian Government have used the age-old argument about the new powers helping them to combat “terrorism”.

VPN use expected to rise in India

For innocent India internet users, the reality is that their rights to online privacy have been significantly undermined by the new powers. There are now multiple central government agencies with the power to intercept, decrypt, and access their private online data, with minimal safeguards in place to protect their rights.

For most Indians, the new powers are a step to far, as has been seen by the angry response on social media.

It seems highly likely that the move will see more and amore Indian’s turning to a VPN to protect their online privacy. By connecting to a VPN, such as ExpressVPN, they are able to ensure all of their online data is encrypted by state-of-the-art encryption and also effectively anonymised.

It means that no government agency will be able to see what they are doing online and it will be almost impossible for their online activity to be traced back to them.

Using a VPN should protect internet users from the erosion of online rights the Indian Government is trying to implement. But it seems unlikely that it will stop the Modi administration from trying.

For more details visit https://cis-india.org/internet-governance/news/vpn-compare-david-spencer-december-24-2018-ten-government-agencies-can-now-snoop-on-peoples-internet-data

Centre’s order on computer surveillance is backed by law – but the law lacks adequate safeguards

Admin — 2018-12-24T17:04:22Z

The Information Technology Act’s surveillance scheme furthers a colonial hangover.

The blog post by Nehaa Chaudhari and Tuhina Joshi was published by Scroll.in on December 23, 2018.

On Thursday, the Ministry of Home Affairs issued a statutory order authorising 10 “security and intelligence agencies” to intercept, monitor and decrypt electronic information and communication. A media frenzy soon ensued, with Opposition political parties seizing the notification as evidence that the government was running a surveillance state. The ministry responded with a press release, clarifying that the order was in keeping with Section 69(1) of the Information Technology Act, 2000, and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, proving that the order was sound in law.

Several government officials and Bharatiya Janata Party representatives have since defended this order as being in India’s sovereign and national security interest. They say it will bring transparency and accountability into surveillance, and that is is only an extension of the previous Congress-led government’s policy from 2009.

No doubt, Central and state governments have had the power to intercept, monitor and decrypt any information in any computer resource since 2008, when Section 69 of the Information Technology Act was amended to expand the government’s powers of interception. This amendment was one of many changes introduced to India’s surveillance framework to tackle crime and terrorism in the wake of the 2008 terrorist attacks in Mumbai.

However, the ministry’s December 20 directive is the first time such an order has been introduced under this section; and in this difference between a legislation being on the statute books versus it being implemented lies the reason for collective public outrage. That said, research by the Centre for Internet and Society and SFLC.in shows that the Indian state has long engaged in surveilling electronic communications, and other kinds of interception and monitoring.

While railing against the ministry’s order is very welcome, it is futile if it does not lead to a conversation around the root of the problem – Section 69(1) of the Information Technology Act and the accompanying Information Technology Rules. This section empowers the Central and state governments to authorise government agencies to intercept, monitor or decrypt “any information generated, transmitted, received or stored in any computer resource”. It lays down six grounds on the basis of which such authorisation may be granted. These are:

The preservation of India’s sovereignty or integrity.
The security of the state.
Public order.
Maintaining friendly relations with other countries.
Preventing offences relating to 1. to 4. from being incited or committed.
Criminal investigations.

All authorisation orders issued by the government under Section 69(1) must be reasoned and written, and must be subject to the procedure laid down in the Information Technology Rules. As per these rules, all such orders must be scrutinised by a review committee of the Centre, or the state in question, set up under Rule 419A of the Indian Telegraph Rules, 1951. All review committees set up under Rule 419A comprise only of government secretaries. This means that the executive sits in judgment over its own decisions. This goes against one of the most basic principles of justice and fairness – that no person shall be a judge in their own case.

Threat to privacy

State surveillance threatens individual privacy and must be subject to adequate safeguards. Privacy is a fundamental right guaranteed by the Constitution of India, as recognised by nine judges of the Supreme Court in August 2017. Like all other fundamental rights, the right to privacy is not absolute, and can be restricted. According to the Supreme Court, these restrictions must be: (1) backed by law, (2) for a legitimate state aim, and (3) proportionate.

Consequently, any government order under Section 69(1) of the Information Technology Act must fulfil this three-part test to be constitutional. The absence of judicial or legislative oversight over the executive’s decision-making under Section 69(1) is likely to make it a disproportionate restriction on an individual’s fundamental right to privacy and, therefore, unconstitutional.

Even the government-appointed Justice Srikrishna Committee of Experts, which has been given the task of framing India’s data protection law, was concerned about this lack of legislative or judicial review. This committee has cited Germany, the United Kingdom, South Africa and the United States as countries with adequate procedural safeguards over government surveillance actions. On page 125 of its final report, it has noted, “Executive review alone is not in tandem with comparative models in democratic nations which either provide for legislative oversight, judicial approval or both.”

The Information Technology Act and the Information Technology Rules are but one of many means of government surveillance in India. Similar provisions exist in the Indian Telegraph Act, 1885, the Telegraph Rules, 1951, and the Indian Post Office Act, 1898. These laws are the extension of a colonial legacy, used by a foreign power to keep tabs on an alien population. Disappointingly, the Information Technology Act’s surveillance scheme only furthers this colonial hangover. Indian privacy thought, especially in the past few years, has reflected the idea that we must evolve an Indian privacy framework, grounded in our constitutional values, and tailored to the Indian context. It is about time that our surveillance laws begin to reflect our constitutional values as well.

For more details visit https://cis-india.org/internet-governance/news/scroll-nehaa-chaudhari-and-tuhina-joshi-december-23-2018-centres-order-on-computer-surveillance-is-backed-by-law-but-the-law-lacks-adequate-safeguards