We are anonymous, we are legion

Why Aadhaar leaks should worry you, and is biometrics really safe?

praskrishna — 2017-05-12T15:48:48Z

What’s worrying is that the UIDAI seems to always be in denial mode over security concerns.

The blog post was published by the News Minute on May 4, 2017. Amber Sinha was quoted.

If you’ve paid the slightest bit of attention to news about Aadhaar, you’ll have heard about a series of leaks of Aadhaar data from multiple government websites. Some of the latest government websites to leak Aadhaar and demographic data, were the Jharkhand Directorate of Social Security and the Kerala government’s pension department.

Shockingly, a report by The Centre for Internet and Society (CIS) revealed that the Aadhaar details along with demographic details and financial information of around 135 million people in the country has been leaked by four government portals. And this could just be the tip of the iceberg.

However, the public response to these revelations has been muted. The government and the UIDAI, the authority behind Aadhaar, have retreated behind the defence that only Aadhaar numbers have been leaked, and not biometric details, and hence there is no major problem.

However, experts warn that Aadhaar numbers by themselves pose a sufficient risk when leaked, and that the UIDAI has been consistently underplaying the risks of such leaks and overplaying the security of biometric identification.

Amber Sinha, who co-authored the CIS report, points out that it’s not just Aadhaar numbers that have been leaked on government websites, but also demographic information as well as financial details. Various such bits of data can be aggregated by fraudsters and used to steal identities and commit financial fraud online or through phones.

“We see a lot of examples of social engineering techniques where fraudsters collect data from various sources and impersonate people,” he says. The report points out that one of the most common techniques is to call persons impersonating bank officials requiring sensitive information, and provide Aadhaar and demographic details to make the bid for this information convincing.

Amber also points out that in online and phone verifications, it is possible to impersonate other persons with such information.

“Somebody can call the bank pretending to be me, and he could also authenticate himself as me if he has all the data about me. The bank will ask him some four questions and if he has all that information, then the bank has no reason to believe that he is not me,” he explains.

Co-Founder of HasGeek, Kiran Jonnalagadda, an active voice on net neutrality, freedom of speech and privacy, points out that one of the main problems is that the Aadhaar system assumes biometric verification in every transaction, but Aadhaar cards are often used as identity documents without biometrics particularly for many non-financial transactions.

“Somebody can apply for a SIM card with your Aadhaar number, and if the place that is issuing the SIM card didn't do a biometric verification then your card is good enough, because now they can do anything they want in your name,” Kiran said. In such cases, he points out, impersonation is almost ridiculously easy because the Aadhaar card, just a colour printout with no security features, can be faked by almost anyone.

He points out that, particularly in cases of online verifications, the problem of fraud is acutely heightened. “The thing is that if they have your number and your demographic details, if the government does a verification online, the details will match. Which means that the ID is not fake. It's just that you didn't actually authorise any of this. In a perfect world, everybody would do biometrics. The problem is that that does not exist right now.”

One of the major flaws of the current security practices of Aadhaar is that the UIDAI only takes responsibility for the security of data stored within its Central Identities Data Repository. However, explains Amber, over the last five years, the UIDAI has proactively seeded Aadhaar data across multiple government databases. However, the UIDAI has not exercised strict disclosure controls on these government databases, and there are no clear standards for publicity of information.

The CIS report points to the example of the Andhra Pradesh portal of the NREGA, which carries information on Aadhaar numbers and disbursal amounts on a simple text file, with no encryption or other security measures. The report argues that this system could easily be exploited to transfer illegal sums of money into these accounts, making beneficiaries liable for them.

Importantly, Amber points out that the recent publications of Aadhaar details cannot properly be called leaks. A leakage occurs, he points out, when information is treated as secret and stored accordingly and then breached from the outside or leaked by abusing access.

“Here the websites that we looked at are designed in such a way that anybody without any technical knowledge can access information. They are available for download as spreadsheets, how much simpler could it get?” he asks.

Even with the much-vaunted infallibility of biometric verification, experts warn, there are some scarily large loopholes present. While the UIDAI regularly goes to town with the claim that the biometric data stored in the CIDR is well protected behind multiple firewalls, detractors point out that biometric data collected at each transaction point is not similarly secure.

Other kinds of financial transactions such as card transactions , explains Amber, use two-factor authentication (a physical card and a pin number or card details and an OTP, for instance). With Aadhaar, however, authentication is possible with just biometrics.

This is risky because biometric data is not duplication-proof. When biometric data is collected for authentication, he says, there are ways in which this data can be stored for re-use. “At the end of the day, the way the biometric authentication works is by comparing two images. There is a copy of an image which is collected at the time of enrolment which is stored by the UIDAI, and every time you authenticate yourself you give a fresh image. As far as the CIDR is concerned, it has nothing to do with how that image is being created at that stage,” says Amber.

This can and has led to what is called a “replay attack”, where stored biometric images are used to complete transactions without the presence of the actual owner of the biometric data. This is what happened in the case involving Axis Bank, Suvidha Infoserve and eMudhra in February.

Such situations arise, says Kiran, because Aadhaar confuses two very separate functions–authentication (establishing that I am who I am) and authorisation (certifying that I want an action done in my name). “It’s the difference between signing a cheque and showing a photo ID to prove that you are who you are,” explains Kiran. The problem with biometrics is that both processes are combined in one, and there is nothing to verify that the person to whom the biometrics belongs to is actually present for each transaction.

While the UIDAI has now proposed registered and encrypted biometric devices to overcome this problem, some detractors argue that a way around this is not impossible to find either.

“The larger problem is that the UIDAI constantly plays a game of denial and catch up. They keep pretending like other people are stupid and their system will never be broken. And other people keep pointing out that they've forgotten the most obvious things about security in any information system. They are currently in denial mode, where they insist such things are not possible until after it happens, and then they say oh it's happening, let's go do something to fix it,” Kiran says.

What’s more, Kiran and Amber point out that biometrics can even be physically duplicated. On iris scans, Amber argues, “Now, with a lot of CCTV cameras, if their resolution is high enough it is possible to capture things like an iris scan. So the means for biometric authentication can be used covertly, and that is a technological truth,” he asserts.

Duplicating fingerprints, says Kiran is even easier, pointing out to attendance fraud carried out by students of the Institute of Chemical Technology in Mumbai. These students used a resin adhesive to make copies of their fingerprints, which their friends used to give them proxy attendance in the biometric attendance system.

“Lifting fingerprints is ridiculously easy. Anything you touch will leave fingerprints on it. All it requires is some cello-tape to make a copy of your fingerprints. And then you can apply some wax to it and you get an actual impression of your finger. You can go place that on any fingerprint reader and it'll be fooled,” says Kiran.

It’s not as if such duplication is not possible with devices like credit cards. However, says Kiran, there are two key differences. Firstly, credit card companies have built up elaborate checks and balances over years to tackle fraud. Secondly, and far more importantly, credit cards that have been compromised can be cancelled. “Revocability is a feature in the credit card system. In Aadhaar you can't revoke anything. If fraud happens, you are stuck with fraud for the rest of your life,” explains Kiran.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-rakesh-mehar-may-4-2017-why-aadhaar-leaks-should-worry-you-and-is-biometrics-really-safe

Why 'Facebook' is More Dangerous than the Government Spying on You

maria — 2013-11-23T08:38:30Z

In this article, Maria Xynou looks at state and corporate surveillance in India and analyzes why our "choice" to hand over our personal data can potentially be more harmful than traditional, top-down, state surveillance. Read this article and perhaps reconsider your "choice" to use social networking sites, such as Facebook.

Do you have a profile on Facebook? Almost every time I ask this question, the answer is ‘yes’. In fact, I think the amount of people who have replied ‘no’ to this question can literally be counted on my right hand. But this is not an article about Facebook per se. It’s more about the ‘Facebooks’ of the world, and of people’s increasing “choice” to hand over their most personal data. More accurate questions are probably:

“Would you like the Government to go through your personal diary? If not, then why do you have a profile on Facebook?”

The Indian Surveillance State

Following Snowden ’s revelations, there’s finally been more talk about surveillance. But what is surveillance?

David Lyon - who directs the Surveillance Studies Centre - defines surveillance as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered”. Surveillance can also be defined as the monitoring of the behaviour, activities or other changing information of individuals or groups of people. However, this definition implies that individuals and/or groups of people are being monitored in a top-down manner, without this being their “choice”. But is that actually the case? To answer this question, let’s have a look at how the Indian government and corporations operating in India spy on us.

State Surveillance

The first things that probably come to mind when thinking about India from a foreigner’s perspective are poverty and corruption. Surveillance appears to be a “Western, elitist issue”, which mainly concerns those who have already solved their main survival problems. In other words, the most mainstream argument I hear in India is that surveillance is not a real issue, especially since the majority of the population in the country lives below the line of poverty and does not even have any Internet access. Interestingly enough though, the other day when I was walking around a slum in Koramangala, I noticed that most people have Airtel satellites...even though they barely have any clean water!

The point though is that surveillance in India is a fact, and the state plays a rather large role in it. In particular, Indian law enforcement agencies follow three steps in ensuring that targeted and mass surveillance is carried out in the country:

1. They create surveillance schemes, such as the Central Monitoring System (CMS ), which carry out targeted and/or mass surveillance

2. They create laws, guidelines and license agreements, such as the Information Technology (Amendment ) Act 2008, which mandate targeted and mass surveillance and which require ISP and telecom operators to comply

3. They buy surveillance technologies from companies, such as CCTV cameras and spyware, and use them to carry out targeted and/or mass surveillance

While Indian law enforcement agencies don’t necessarily follow these steps in this precise order, they usually try to create surveillance schemes, legalise them and then buy the gear to carry them out.

In particular, surveillance in India is regulated under five laws: the Indian Telegraph Act 1885, the Indian Post Office Act 1898, the Indian Wireless Telegraphy Act 1933, section 91 of the 1973 Code of Criminal Procedure (CrPc ) and the Information Technology (Amendment ) Act 2008. These laws mandate targeted surveillance, but remain silent on the issue of mass surveillance which means that technically it is neither allowed nor prohibited, but remains a grey legal area.

While surveillance laws in India may not mandate mass surveillance, some of their sections are particularly concerning. Section 69 of the Information Technology (Amendment ) Act 2008 allows for the interception of all information transmitted through a computer resource, while requiring that all users disclose their private encryption keys or face a jail sentence of up to seven years. This appears to be quite bizarre, as individuals can only keep their data private and protect themselves from surveillance through encryption.

Section 44 of the Information Technology (Amendment) Act 2008 imposes stiff penalties on anyone who fails to provide requested information to authorities - which kind of reminds us of Orwell’s totalitarian regime in “1984”. Furthermore, section 66A of the same law states that individuals will be punished for sending “offensive messages through communication services”. However, the vagueness of this section raises huge concerns, as it remains unclear what defines an “offensive message” and whether this will have grave implications on the freedom of expression. The arrest of two Indian women last November over a Facebook post reminds us of this.

Laws in India may not mandate mass surveillance, but guidelines and license agreements issued by the Department of Telecommunications do. In particular, the UAS License Agreement regarding the Central Monitoring System (CMS ) not only mandates mass surveillance, but also attempts to legalise a mass surveillance scheme which aims to intercept all telecommunications and Internet communications in India. Furthermore, the Department of Telecommunications has issued numerous guidelines and license agreements for ISPs and telecom operators, which require them to not only be “surveillance-friendly”, but to also enable law enforcement agencies to tap into their servers on the grounds of national security. And then, of course, there’s the new National Cyber Security Policy, which mandates surveillance to tackle cyber-crime, cyber-terrorism, cyber-war and cyber-vandalism.

As both a result and prerequisite of these laws, the Indian government has created various surveillance schemes and teams to aid them. In particular, India ’s Computer Emergency Response Team (CERT ) is currently monitoring “any suspicious move on the Internet” in order to checkmate any potential cyber attacks from hackers. While this may be useful for the purpose of preventing and detecting cyber-criminals, it remains unclear how “any suspicious move” is defined and whether that inevitably enables mass surveillance, without individuals’ knowledge or consent.

The Crime and Criminal Tracking and Network & Systems (CCTNS ) is the creation of a nationwide networking infrastructure for enhancing the efficiency and effectiveness of policing and sharing data among 14,000 police stations across the country. It has been estimated that Rs. 2000 crore has been allocated for the CCTNS project and while it may potentially increase the effectiveness of tackling crime and terrorism, it raises questions around the legality of data sharing and its potential implications on the right to privacy and other human rights - especially if such data sharing results in data being disclosed or shared with unauthorised third parties.

Similarly, the National Intelligence Grid (NATGRID ) is an integrated intelligence grid that will link the databases of several departments and ministries of the Government of India so as to collect comprehensive patterns of intelligence that can be readily accessed by intelligence agencies. This was first proposed in the aftermath of the Mumbai 2008 terrorist attacks and while it may potentially aid intelligence agencies in countering crime and terrorism, enforced privacy legislation should be a prerequisite, which would safeguard our data from potential abuse.

However, the most controversial surveillance scheme being implemented in India is probably the Central Monitoring System (CMS). While several states, such as Assam, already have Internet Monitoring Systems in place, the Central Monitoring System appears to raise even graver concerns. In particular, the CMS is a system through which all telecommunications and Internet communications in India will be monitored by Indian authorities. In other words, the CMS will be capable of intercepting our calls and of analyzing our data on social networking sites, while all such data would be retained in a centralised database. Given that India currently lacks privacy legislation, such a system would mostly be unregulated and would pose major threats to our right to privacy and other human rights. Given that data would be centrally stored, the system would create a type of “honeypot” for centralised cyber attacks. Given that the centralised database would have massive volumes of data for literally a billion people, the probability of error in pattern and profile matching would be high - which could potentially result in innocent people being convicted for crimes they did not commit. Nonetheless, mass surveillance through the CMS is currently a reality in India.

And the even bigger question: How can law enforcement agencies mine the data of 1.2 billion people? How do they even carry out surveillance in practice? Well, that’s where surveillance technology companies come in. In fact, the surveillance industry in India is massively expanding - especially in light of its new surveillance schemes which require advanced and sophisticated technology. According to CIS ’ India Privacy Monitor Map - which is part of ongoing research - Indian law enforcement agencies use CCTV cameras in pretty much every single state in India. The map also shows that Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are being used in most states in India and the DRDO ’s “Netra ” - which is a lightweight drone, not much bigger than a bird - is particularly noteworthy.

But Indian law enforcement agencies also buy surveillance software and hardware which is aimed at intercepting telecommunications and Internet communications. In particular, ClearTrail Technologies is an Indian company - based in Indore - which equips law enforcement agencies in India and around the world with surveillance software which can probably be compared with the “notorious” FinFisher. So in short, there appears to be a tight collaboration between Indian law enforcement agencies and the surveillance industry, which can be clearly depicted in the ISS surveillance trade shows, otherwise known as “the wiretappers’ ball”.

Corporate Surveillance

When I ask people about corporate surveillance, the answer I usually get is: “Corporations only care about their profit - they don’t do surveillance per se”. And while that may be true, David Lyon ’s definition of surveillance - as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered” - may indicate otherwise.

Corporations, like Google, Amazon and Facebook, may not have an agenda for spying per se, but they do collect massive volumes of personal data and, in cases such as PRISM, allow law enforcement to tap into their servers. Once law enforcement agencies get hold of data collected by companies, such as Facebook, they then use data mining software - equipped by various surveillance technology companies - to process and mine the data. And how do companies, like Google and Facebook, make money off our personal data? By selling it to big buyers, such as law enforcement agencies.

So while Facebook and all the ‘Facebooks’ of the world may not profit from surveillance per se, they do profit from collecting our personal data and selling it to third parties, which include law enforcement agencies. And David Lyon argues that surveillance involves the collection of personal data - which corporations, like Facebook, do - for the purpose of influencing and managing individuals. While this last point can probably be widely debated on, it is clear that corporations share their collected data with third parties, which ultimately leads to the influence or managing of individuals - directly or indirectly. In other words, the collection of personal data, in combination with its disclosure to third parties, is surveillance. So when we think about companies, like Google or Facebook, we should not just think of businesses interested in their profit - but also of spying agencies. After all, “if the product is free , you are the product ”.

Now if we look at online corporations more closely, we can probably identify three categories:

1. Websites through which we buy products and hand over our personal details - e.g. Amazon

2. Websites through which we use services and hand over our personal details - e.g. flight ticket

3. Websites through which we communicate and hand over our personal details - e.g. Facebook

And why could the above be considered “spying” at all? Because such corporations collect massive volumes of personal data and subsequently:

- Disclose such data to law enforcement agencies

- Allow law enforcement agencies to tap into their servers

- Sell such data to “third parties”

What’s notable about so-called corporate surveillance is that, in all cases, there is a mutual, key element: we consent to the handing over of our personal information. We are not forced to hand over our personal data when buying a book online, booking a flight ticket or using Facebook. Instead, we “choose” to hand over our personal data in exchange for a product or service. Now what significantly differentiates state surveillance to corporate surveillance is the factor of “choice”. While we may choose to hand over our most personal details to large online corporations, such as Google and Facebook, we do not have a choice when the government monitors our communications, collects and stores our personal data.

State Surveillance vs. Corporate Surveillance

Both Indian law enforcement agencies and corporations collect massive volumes of personal data. In fact, it is probably noteworthy to mention that Facebook, in particular, collects 20 times more data per day than the NSA in total. In addition, Facebook has claimed that it has received more demands from the US government for information about its users than from all other countries combined. In this sense, the corporate collection of personal data can potentially be more harmful than government surveillance, especially when law enforcement agencies are tapping into the servers of companies like Facebook. After all, the Indian government and all other governments would have very little data to analyse if it weren’t for such corporations.

Surveillance is not just about “spying” or about “watching people” - it’s about much much more. Observing people’s behaviour only really becomes harmful when the data observed is collected, retained, analysed, shared and disclosed to unauthorised third parties. In other words, surveillance is meaningful to examine because it involves the analysis of data, which in turn involves pattern matching and profiling, which can potentially have actual, real-world implications - good or bad. But such analysis cannot be possible without having access to large volumes of data - most of which belong to large corporations, like Facebook. The question, though, is: How do corporations collect such large volumes of personal data, which they subsequently share with law enforcement agencies? Simple: Because we “choose” to hand over our data!

Three years ago, when I was doing research on young people’s perspective of Facebook, all of the interviewees replied that they feel that they are in control of their personal data, because they “choose” what they share online. While this may appear to be a valid point, the “choice” factor can widely be debated on. There are many reasons why people “choose” to hand over their personal data, whether to buy a product, use a service, to communicate with peers or because they feel socially pressured into using social networking sites. Nonetheless, it all really comes down to one main reason: convenience. Today, in most cases, the reason why we hand over our personal data online in exchange for products or services is because it is simply more convenient to do so. And while that is understandable, at the same time we are exposing our data (and ultimately our lives) in the name of convenience.

The irony in all of this is that, while many people reacted to Snowden ’s revelations on NSA dragnet surveillance, most of these people probably have profiles on Facebook. Secret, warrantless government surveillance is undeniably intrusive, but in the end of the day, our profiles on Facebook - and on all the ‘Facebooks’ of the world - is what enabled it to begin with. In other words, if we didn’t choose to give up our personal data - especially without really knowing how it would be handled - large databases would not exist and the NSA - and all the ‘NSAs’ of the world - would have had a harder time gathering and analysing data.

In short, the main difference between state and corporate surveillance is that the first is imposed in a top-down manner by authorities, while the second is a result of our “choice” to give up our data. While many may argue that it’s worse to have control imposed on you, I strongly disagree. When control and surveillance are imposed on us in a top-down manner, it’s likely that we will perceive this - sooner or later - as a direct threat to our human rights, which means that it’s likely that we will resist to it at some point. People usually react to what they perceive as a direct threat, whereas they rarely react to what does not directly affect them. For example, one may perceive murder or suicide as a direct threat due the immediateness of its effect, whereas smoking may not be seen as an equally direct threat, because its consequences are indirect and can usually be seen in the long term. It’s somehow like that with surveillance.

University students have protested on the streets against the installation of CCTV cameras, but how many of them have profiles on social networking sites, such as Facebook? People may react to the installation of CCTV cameras, because it may appear as a direct threat to their right to privacy. However, the irony is that the real danger does not necessarily lie within some CCTV cameras, but rather within the profile of each person on a major commercial social networking site. At very best, a CCTV camera will capture some images of us and through that, track our location and possibly our acquaintances. What type of data is captured through a simple, “harmless” Facebook profile? The following probably only includes a tiny percentage of what is actually captured:

- Personal photos

- Biometrics (possibly through photos)

- Family members

- Friends and acquaintances

- Habits, hobbies and interests

- Location (through IP address)

- Places visited

- Economic standing (based on pictures, comments, etc.)

- Educational background

- Ideas and opinions (which may be political, religious, etc.)

- Activities

- Affiliations

The above list could potentially go on and on, probably depending on how much - or what type - of data is disclosed by the individual. The interesting element to this is that we can never really know how much data we are disclosing, even if we think we control it. While an individual may argue that he/she chooses to disclose an x amount of data, while retaining the rest, that individual may actually be disclosing a 10x amount of data. This may be the case because usually every bit of data hides lots of other bits of data, that we may not be aware of. It all really comes down to who is looking at our data, when and why.

For example, (fictional) Priya may choose to share on her Facebook profile (through photos, comments, or any other type of data) that she is female, Indian, a Harvard graduate and that her favourite book is “Anarchism and other Essays ” by Emma Goldman. At first glance, nothing appears to be “wrong” with what Priya is revealing and in fact, she appears to care about her privacy by not revealing “the most intimate details” of her life. Moreover, one could argue that there is absolutely nothing “incriminating” about her data and that, on the contrary, it just reflects that she is a “shiny star” from Harvard. However, I am not sure if a data analyst would be restricted to this data and if data analysis would show the same “sparkly” image.

In theory, the fact that Priya is an Indian who attended Harvard reveals another bit of information, that Priya did not choose to share: her economic standing. Given that the majority of Indians live below the line of poverty, there is a big probability that Priya belongs to India’s middle class - if not elite. Priya may not have intentionally shared this information, but it was indirectly revealed through the bits of data that she did reveal: female Indian and Harvard graduate. And while there may not be anything “incriminating” about the fact that she has a good economic standing, in India this usually means that there’s also some strong political affiliation. That brings us to her other bit of information, that her favourite author is a feminist, anarchist. While that may be viewed as indifferent information, it may be crucial depending on the specific political actors in the country she’s in and on the general political situation. If a data analyst were to map the data that Priya chose to share, along with all her friends and acquaintances that she inevitably has through Facebook, that data analyst could probably tell a story about her. And the concerning part is that that story may or may not be true. But that doesn’t really matter.

Today, governments don’t judge us and take decisions based on our version of our data, but based on what our data says about us. And perhaps, under certain political, social and economic circumstances, our “harmless” data could be more incriminating than what we think. While an individual may express strong political views within a democratic regime, if that political system were to change in the future and to become authoritarian, that individual would possibly be suspicious in the eyes of the government - to say the least. This is where data retention plays a significant role.

Most companies retain data indefinitely or for a long period of time, which means that future, potentially less-democratic governments may have access to it. And the worst part is that we can never really know what data is being held about us, because within data analysis, every bit of data may potentially entails various other bits of data that we are not even aware of. So, when we “choose” to hand over our data, we don’t necessarily know what or how much we are choosing to disclose. Thus, this is why I agree with Bruce Schneier’s argument that people have an illusionary sense of control over their personal data.

Social network analysis software is specifically designed to mine huge volumes of data that is collected through social networking sites, such as Facebook. Such software is specifically designed to profile individuals, to create “trees of communication” around them and to match patterns. In other words, this software tells a story about each and every one of us, based on our activities, interests, acquaintances, and all other data. And as mentioned before, such a story may or may not be true.

In data mining, behavioural statistics are being used to analyse our data and to predict how we are likely to behave. When applied to national databases, this may potentially amount to predicting how masses or groups within the public are likely to behave and to subsequently control them. If a data analyst can predict an individual’s future behaviour - with some probability - based on that individuals’ data, the same could potentially occur on a mass, public level. As such, the danger within surveillance - especially corporate surveillance through which we voluntarily disclose massive amounts of data about ourselves - is that it appears to come down to public control.

According to security expert Bruce Schneier, data today is a byproduct of the Information Society. Unlike an Orwellian totalitarian state where surveillance is imposed in a top-down manner, surveillance today appears to widely exist because we indirectly choose and enable it (by handing over our data to online companies), rather than it being imposed on us in a solely top-down manner. However, contemporary surveillance may potentially be far worse than that described in Orwell’s “1984”, because surveillance is publicly perceived to be an indirect threat - if considered to be a threat at all. It is more likely that people will resist a direct threat, than an indirect threat, which means that the possibility of mass violations of human rights as a result of surveillance is real.

Hannah Arendt argued that a main prerequisite and component of totalitarian power is support by the masses. Today, surveillance appears to be socially integrated within societies which indicates that contemporary power fueled by surveillance has mass support. While the argument that surveillance is being socially integrated can potentially be widely debated on and requires an entire in depth research of its own, few simple facts might be adequate to prove it at this stage. Firstly, CCTV cameras are installed in most countries, yet there has been very little resistance - on the contrary, there appears to be a type of universal acceptance on the grounds of security. Secondly, different types of spy products exist in the market - such as Spy Coca Cola cans - which can be purchased by anyone online. Thirdly, countries all over the world carry out controversial surveillance schemes - such as the Central Monitoring System in India - yet public resistance to such projects is limited. And while one may argue that the above cases don’t necessarily prove that surveillance is being socially integrated, it would be interesting to look at a fourth fact: most people who have Internet access choose to share their personal data through the use of social networking sites.

Reality shows, such as Big Brother, which broadcast the surveillance of people’s lives and present it as a form of entertainment - when actually, I think it should be worrisome - appear to enable the social integration of surveillance. The very fact that we all probably - or, hopefully - know that Facebook can share our personal data with unauthorised third parties and - now, after the Snowden revelations - that governments can tap into Facebook’s servers, should be enough to convince us to delete our profiles. Yet, why do we still all have Facebook profiles? Perhaps because surveillance is socially integrated and perhaps because it is just convenient to be on Facebook. But that doesn’t change the fact that surveillance can potentially be a threat to our human rights. It just means that we perceive surveillance as an indirect threat and that we are unlikely to react to it.

In the long term, what does this mean? Well, it seems like we will probably be more acceptive towards more authoritarian power, that we will be used to the idea of censoring our own thoughts and actions (in the fear of getting caught by the CCTV camera on the street or the spyware which may or may not be implanted in our laptop) and that ultimately, we will be less politically active and more reluctant to challenge the authority.

What’s particularly interesting though about surveillance today is that it is fueled and enabled through our freedom of speech and general Internet freedom. If we didn’t have any Internet freedom - or as much as we do - we would have disclosed less personal data and thus surveillance would probably have been more restricted. The more Internet freedom we have, the more personal data we will disclose on Facebook - and on all the ‘Facebooks’ of the world - and the more data will potentially be available to mine, analyse, share and generally incorporate in the surveillance regime. So in this sense, Internet freedom appears to be a type of prerequisite of surveillance, as contradictory and ironic as it may seem. No wonder why the Chinese government has gone the extra mile in creating the Chinese versions of Facebook and Twitter - it’s probably no coincidence.

While we may blame governments for establishing surveillance schemes, ISP and TSP operators for complying with governments’ license agreements which often mandate that they create backdoors for spying on us and security companies for creating the surveillance gear in the first place, in the end of the day, we are all equally a part of this mess. If we didn’t choose to hand over our personal data to begin with, none of the above would have been possible.

The real danger in the Digital Age is not necessarily surveillance per se, but our choice to voluntarily disclose our personal data.

For more details visit https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you

Whose Data is it Anyway?

praskrishna — 2012-04-28T04:12:15Z

Tactical Technology Collective and the Centre for Internet & Society invite you to the second round of discussions of the Exposing Data Series at the CIS office in Bangalore on 24 January 2012. Siddharth Hande and Hapee de Groot will be speaking on this occasion.

Like countless others, this title is a convenient adaptation of a 1972 play by Brian Clark, Whose Life is it Anyway?, a meditation on 'euthanasia' and the extent to which governments or the law can determine the private life of an individual. In a similar sense we use the title to help frame the second set of conversations in the Exposing Data Series, to zero in on the idea of data and who has the right to decide what happens with it. Philosophically, and also at the level of code, computing and the law, the ownership of data can be a somewhat odd and a contentious thing to grapple with. The only other understandings of 'ownership' we really have are those of property and identity and these get imputed onto the intangibility of data. And, in some senses now, many aspects of one's identity exist as data.

There are a range of experiences of data ownership that we talk about and experience daily. On the one hand you can hoard hard disks with favourite content to retrieve memories and experiences. On the other end of things, you can aggregate your experiences and memories with that of thousands of others, that then gets treated almost like a private hard disk belonging to some mysterious X. Who is this Mysterious X? Is there a Y? Or an XY? What is the trajectory of data in its movement from the individual to a larger, shadowy infrastructure that harvests it? What happens to our idea of data in its reconfiguration from intangible code to an idea of politics and rights? To introduce another provocation, do our existing ideas of data ownership objectify individuals? What does this objectification imply for the notion of personal privacy? For example, does the fetishization of 'things' called data obfuscate the idea of personal privacy?

One of the ways in which we may consider looking at open data initiatives for transparency and accountability is to assess it as discourse, and in relation to what happens when communities aggregate data. Open Government Data usually involves a top-down approach in terms of how it is aggregated, collated, shared, whilst community based approaches are more particular, contextual and local. What do these different approaches give us when we bring them to the same table?

The second event in the Exposing Data Series will focus on data ownership, looking into open government data and community-based data aggregation, to explore the various levels of data collection, the movement of data and its exchange, its representation, and dissemination in different contexts.

Speakers

Siddharth Hande, Transparent Chennai
Hapee de Groot, Hivos, Netherlands

This event is free and open to everyone. However, we would appreciate a confirmation of attendance ahead of time so as to ensure that your space is reserved. To confirm your attendance please write to: yelena.gyulkhandanyan@gmail.com

Photo Source: http://www.freedigitalphotos.net/images/view_photog.php?photogid=2000

VIDEOS

For more details visit https://cis-india.org/internet-governance/whose-data-is-it

Whole Body Imaging and Privacy Concerns that Follow

Srishti Goyal — 2011-09-29T05:38:00Z

Law student at the National University of Juridical Sciences, and intern for Privacy India, Srishti Goyal compares, contrasts, and critiques the Whole Body Imaging practices found in the US, the UK, and Australia, and makes recommendations for an Indian regime.

Introduction

Whole Body Imaging has been introduced in many countries in light of growing security concerns, two examples in particular being the attack on the twin towers in USA, and what is commonly known as the Christmas Bomb (A man by the name of Umar Farouk Abdulmutallab tried to detonate a bomb on a flight from Amsterdam as it was about to land in Detroit.) Despite the security concerns that have motivated the implementation of Whole Body Imaging, there are also many concerns that have prevented the full fledged application of this technology. Opponents to the technology have stated that the full body scanner would expose travelers to harmful radiation and is thus a health hazard. Others have stated that these digital strip searches (as they are popularly known) will violate child pornography laws. Some, who are trying to encourage the use of full body scanners, are of the opinion that it is better to opt for a whole body scan as the “pat down” searches are more invasive in nature. There are also the concerns that persons may be singled out on the basis of their color and ethnicity. The scope of research for this particular paper is limited to the extent of the privacy concerns that have arisen in light of the use of the technology in order to achieve better security. The question that forms the crux of the debate is: should ones personal privacy be compromised in order to ensure security for one and all? The primary reason why whole body scanners are said to breach privacy is because of the invasive nature of the images produced, which can be detailed enough to show genitalia of the person being scanned.
Learning from the experience of other nations that have already implemented the use of Whole Body Imaging” we can decide what policies India should have in place and most importantly whether or not India realistically has a use for this technology.
Adequate privacy, it is said, is obtained when the restriction on access to persons and personal information allows a person not to be subjected to intrusion and public exposure [1]. Full body scanners can be called intrusive because in effect they allow the government to carry out strip searches by using technology to remove clothes instead of physically doing the same. Apart from this there are other concerns. For instance there have been instances when these images have been saved and have been uploaded on the internet [2]. In Lagos these images have been used as pornographic material. There is also a cause of concern amongst transgender who do not feel comfortable in revealing their gender which is different from the gender that they portray[3] and they are of the opinion that this information could lead to harassment. Since the scanners can detect medical equipment people who use colostomy bags and catheters which are otherwise hidden may find these scans embarrassing [4].

USA

In the U.S, Whole Body Imaging was introduced in light of the growing concerns with regard to security at airports and terrorist attacks. The Transportation Security Administration is responsible for monitoring security at the airport. The TSA has thus introduced Full Body Scanners at airports. In order to address the privacy concerns that have been raised the TSA has taken the following steps:

Ensuring that the Security officer who is privy to the scan is not the same as the officer interacting with the person who is being scanned.
The TSA has also stated that personally identifiable information will not be stored and distributed.[5]
Another step towards safeguarding the privacy of the passengers has been to blur the faces of the person being scanned.[6]

Though the TSA has taken various steps to ensure the privacy of individuals, one can argue that these measures are not without loopholes. The fact that the Security Officer looking at the scan and the Security officer handling the passenger are different does not do away with this invasion of privacy. There is also the added concern that these images may be uploaded on the internet, which in fact has already been done. The release and collection of these images is in contravention of the Privacy Act of 1974 that governs the collection, maintenance, use and dissemination of personal identifiable information about individuals which in the possession of the federal agencies. The TSA assures that the images will not be retained, but the fact is that the machines have been programmed such as to enable retention of images, if the same has been disable, it can be tampered with. Lastly, on the point of blurring of faces, it is a software fix and can be undone as easily as the application of the software. The TSA in its Privacy impact Assessment report had listed down that full body scanning would initially be a secondary screening measure. What this means is that everyone goes through one level of security screening and if one is randomly selected or the security has reason to suspect a passenger, the passenger can be called for a second level of screening. At which point the passengers will undergo full body scanning.
A federal judge in California, in 1976 said that the laws of privacy “encompass the individual's regard for his own dignity; his resistance to humiliation and embarrassment; his privilege against unwanted exposure of his nude body and bodily functions." As already stated, these body scanners lead to situations that can be embarrassing, do lead to unwanted exposure of body, and can lead to situation where the person scanned could be humiliated (as in the case of transgender and other persons with catheters and colostomy bags). The Electronic Privacy Information Center is a non-profit group that was established to focus attention on civil liberties issue. EPIC challenged the constitutional validity of full body scanning, claiming that the same violated the fourth amendment [9]. The amendment guards against unlawful searches and seizures. In the case of whole body imaging, travelers are subjected to “invasive searches” without any suspicion that they did anything wrong, and without being informed of the reason he/she is being subjected to a search of such a nature. [10] The latest is the use of this technology in courthouses in Florida and at train stations.

UK

In the UK if a passenger is selected for full body scanning, the passenger must comply [11]. The passenger is forbidden from flying if he or she refuses to the scanning process and cannot ask for an alternate screening process [12] Unlike the US in the UK the option of a pat-down search is not available. The steps taken to protect the privacy of the passengers are the same as practiced in the US.

The images of the passengers are not retained
The images are produce in such a manner that the Security officer cannot recognize the person.

A major concern in UK is the violation of child pornography laws that do not allow the creation of indecent images of a child. However, a rule that would have exempted persons under the age of 18 from full body scans was overturned by the government in the UK [13]. Gordon Brown the Prime Minister of UK in 2010 gave permission for the use of full body scanners at the airports. BAA Ltd, which operates six airports in UK (including the Heathrow Airport) has undertaken the installation of these scanners at its airports. In general, the security at the airports comes under the ambit of the Homeland Security and the department will be supervising the installation of the machines. Lord Adonis, the Transport Secretary, confirmed the new policy in a written parliamentary statement, saying that the scanners would help security staff to detect explosives or other dangerous items [14].

One of the major opponents of Whole Body Imaging has been the Equality and Human Right Commission (EHRC), which is of the opinion that the use of this technology would breach the privacy rules under the Human Rights Act [15]. The move to use this technology has raised concerns about the excessive collection of personal data. Big Brother Watch, a campaign that fights intrusion on privacy and protects liberties of people, started an online movement that opposes and raises concerns with full body scanning. It has also listed down all the airports around the world that are using (or are going to be using) this technology [16]. The only group that has openly welcomed this move of the government has been the Liberal Democrats [17]. The British Department of Transport has published an Interim Code of Practice covering the privacy, health and safety, data protection and equality issues associated with the use of body scanners. The Code calls for the implementation of detailed security standards and for an effective privacy policy to be put in place by airport operators.

The privacy policy should include as a minimum:

rules regarding the location of the equipment;
A process for identifying who will read the screen (i.e., a person of the same sex as the person selected for scanning);
A process for selecting passengers (passengers must not be selected on the basis of personal characteristics such as, gender, age, race or ethnic origin);
Prohibition on copying or transferring the images in any way;
Instructions for the images of the passenger to be destroyed and rendered irretrievable once the image has been analyzed; and
A process to call on an appropriate Security Officer if an image suggests there is a viable threat to passenger or staff security.

The BodyScanner Task Force was established by the European Commission to publish an impact assessment report and to advise the commission, but the task force has yet to publish its report with specific legislative proposals [18].

Concerns in the UK also arose in light of a response of a judge to a complaint by the Electronic Privacy Information Centre (based in Washington). The judge stated that the Department of Homeland Security (USA) would be allowed to keep images of individuals screened at the airport [19]. This raises concerns amongst activists as to which images can and which images cannot be saved by the airport authorities.

Australia

Post the attempted attack on Christmas Day, pressure on countries such as Australia increased to make use of whole body imaging technology. However, the Association of Asia Pacific Airliners, an association of the international carriers servicing in Australia, criticised the use of full body scanners [20]. Apart from the privacy concerns, that people all over the world share, another aspect that is cause for concern in Australia is the increase in traveling cost. The machines used for whole body imaging is extremely expensive, and thus the question posed time and again in Australia is if it will be economically viable to make use of this technology?[21] The Queensland Council for civil liberties has opposed the use of this Advance Imaging Technology (AIT) and has stated that passengers should be allowed to refuse being scanned and should be allowed to opt for a pat down. Kevin Rudd (the Prime Minister of Australia at the time of implementation of this technology) had taken note of the privacy concerns and assured that such measure would be undertaken that would mitigate these concerns. Currently, Body scanners are installed at the international airports in Australia. The transport minister has said that the images produced would be stick figures and not naked images [22]. This move has been taken in light of the back clash that body scanners faced in the USA. Changes regarding whole body imaging have been referred to the Privacy Commissioner in order to ensure that privacy is not intruded. Namely, Full Body screening will not be applied to all the passengers - instead passengers will either be randomly selected or will be selected on the basis of their profiles [23].

India

Currently in India whole body scanners can be found at the Delhi International Airport [24]. Thus, debate and discussion about the use of these scanners has not gained much momentum in India. It would be advisable that when framing legislation or guidelines to govern full body scanners, India incorporates the experiences of other nations who have already started the use of this technology.

Generally speaking it seems as though the use of a full body scanner would not be recommendable for the Indian scenario. It has already been seen that these scans are not very effective in detecting plastic and fluids [25]. Additionally the scanner only shows objects that are on the body and not in the body. Thus, the effectiveness of these scanners is questionable (especially considering it cannot detect plastics and light fluids) [26]. Additionally, in India the demographic using these scanners would be very different from the people using these scanners in other countries. For instance, it has been pointed out that the interest of Muslim women has not been taken into account when introducing this method of screening. Apart from personal privacy issues there are religious issues that arise, and though the instances of the same maybe far apart in other nations, in India the same will act as a hindrance on a daily basis. If not dealt with delicately this can be a major cause of concern that will have far reaching ramifications. Furthermore, one cannot stress enough the cost that will be involved with the implementation of these scanners. These scanners are extremely expensive and require trained Security Officers to operate them. Additionally, what the scanners seek to accomplish can be achieved by insuring that the pat-downs are carried out properly. But there is a caveat that must be mentioned here. In US, one is allowed to choose between a pat-down and a body scanner. There have been instances when these pat-downs have been more intrusive than the body scanners. Thus, there should be guidelines in place as to how these pat-downs should be carried out. The guidelines should specify actions that the Security Officials would not be allowed to carry out.

Lastly, even if India decided to adopt the full body scanners, considering it helps save time and takes only 15 seconds to complete, it should not be used as a primary screening method. Hypothetically, if body scanners are used as a secondary screening process, alternate screening processes should be available if the passenger does not wish to subject himself/ herself to the scan. But then the question is why should the government invest so much in an expensive technology which the passengers can easily avoid?

Bibliography:

[1].A Companion to Philosophy of Law and Legal Theory, Constitutional Law and Privacy, Anita. L. Allen Pg 147.

[2].http://gizmodo.com/5690749/these-are-the-first-100-leaked-body-scans.

[3]. Available at http://www.airlinereporter.com/2010/08/we-do-not-have-all-the-same-body-parts-and-body-scanners-violates-your-privacy/.

[4].http://www.aclu.org/technology-and-liberty/aclu-backgrounder-body-scanners-and-virtual-strip-searchers.

[5].Privacy impact assessment report. Available at - http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_wbi.pdf.

[6].http://www.aclu.org/technology-and-liberty/aclu-backgrounder-body-scanners-and-virtual-strip-searches.

[7].http://travel.usatoday.com/flights/2010-07-13-1Abodyscans13_ST_N.htm .

[8].http://www.stopdigitalstripsearches.org/.

[9]. http://epic.org/privac/airtravel/backscatter/.

[10].http://www.dailymail.co.uk/news/article-2012249/TSA-scanners-catch-implant-bomber-admit-officials.html?ito=feeds-newsxml.

[11].http://news.bbc.co.uk/2/hi/uk_news/8490860.stm.

[12].http://www.bigbrotherwatch.org.uk/home/2010/03/body-scanner-refuseniks.html.

[13].http://news.bbc.co.uk/2/hi/uk_news/8490860.stm.

[14].http://www.timesonline.co.uk/tol/news/uk/article7011224.ece.

[15].http://www.timesonline.co.uk/tol/news/politics/article6990990.ece.

[16].http://www.bigbrotherwatch.org.uk/home/2010/06/airports-with-body-scanners.html.

[17].http://news.bbc.co.uk/2/hi/8438355.stm.

[18].http://www.huntonprivacyblog.com/2010/02/articles/european-union-1/uk-airports-implement-compulsory-use-of-full-body-scanners/.

[19].http://www.bigbrotherwatch.org.uk/home/2011/01/judge-blocks-investigations-into-body-scanners.html.

[20].http://www.theaustralian.com.au/travel/backlash-to-airport-body-scans/story-e6frg8rf-1225817485755.

[21].http://www.sbs.com.au/news/article/1190826/full-body-scanners-to-be-introduced-at-airports.

[22].http://www.theage.com.au/travel/travel-news/fullbody-airport-scans-part-of-security-revamp-20100209-npqo.html.

[23].http://www.theage.com.au/travel/travel-news/fullbody-airport-scans-part-of-security-revamp-20100209-npqo.html.

[24].List of Airports with full body scanners. Available at http://www.bigbrotherwatch.org.uk/home/2010/06/airports-with-body-scanners.html.

[25].http://www.independent.co.uk/news/uk/home-news/are-planned-airport-scanners-just-a-scam-1856175.html.

[26].http://www.bigbrotherwatch.org.uk/home/2010/01/invasion-of-the-body-scanners.html.

For more details visit https://cis-india.org/internet-governance/blog/privacy_wholebodyimagingcomparison

WHO's WHO LEGAL names Malavika Jayaram as one of the top lawyers for Internet and e-Commerce Issues in India

praskrishna — 2012-11-20T11:22:03Z

Malavika Jayaram was one of 10 Indian lawyers selected for inclusion as the top lawyers for internet and e-commerce issues in India. The new volume for 2012 was recently published following a process of peer reviews and independent research.

WHO'sWHOLEGAL published an online biography of Malavika:

A dual-qualified lawyer, Malavika spent eight years in London - with Allen & Overy as an IP/IT lawyer in the communications, media & technology group; and with Citigroup, first as vice president and counsel in the technology legal team, and later as senior business analyst.

A lawyer for over 15 years, she relocated to India in 2006. She is a partner at Jayaram & Jayaram, focusing on domestic and cross-border corporate and technology intensive transactions. She represents clients in the aerospace, automotive, hydraulics and pharmaceutical sectors, as well as in the information technology, e-commerce and communication spaces. She has a special interest in new media and the arts, and advises start-ups, innovators, educational institutions and artists on digital rights, cultural heritage and the dissemination of creative works. Malavika is a fellow at the Centre for Internet and Society, reviewing and commenting on legislative and policy developments, and will have a monograph on privacy and identity in India published this year.

A graduate of the National Law School of India, she has an LLM from Northwestern University, Chicago. She is working on a PhD on data protection and privacy, with a special focus on India's e-governance schemes and the new biometric ID project. She is on the advisory board of the Indian Journal of Law & Technology, and is the author of the India chapter of Getting the Deal Through - Data Protection & Privacy, which is being launched this year. Malavika will be a visiting scholar during autumn 2012 at the Center for Global Communication Studies at the Annenberg School, University of Pennsylvania.

For more details visit https://cis-india.org/news/whoswholegal-profiles-malavika-jayaram

Who is Following Me: Tracking the Trackers (IGF2012)

praskrishna — 2012-12-07T17:17:32Z

The Internet Society and the Council of Europe are co-organising a workshop at the IGF (Baku - 8 November 2012 - 09:00 - 10:30) regarding online tracking. Malavika Jayaram is a speaker.

Interest in online tracking as a policy issue spiked with the release of the Preliminary Federal Trade Commission Staff Report in December 2010 entitled Protecting Consumer Privacy in an Era of Rapid Change – A Proposed Framework for Businesses and Policymakers calling for a “do not track” mechanism, the launch of the W3C Tracking Protection Workng Group and the recent entry into force of the so-called European “Cookie Directive” provisions. However, the actual and potential observation of individuals’ interactions online has long been a concern for privacy advocates and others.

Much of the policy attention is currently focused on cookies used to track users to build profiles for more targeted advertising, but some of the more difficult issues are:

How to deal with less-observable tracking (e.g. browser and/or device fingerprinting, monitoring of publicly disclosed information)
How to develop laws that accommodate different tracking scenarios – for example:
- different entities (law enforcement, companies, etc.);
- different and sometimes multiple purposes (security, personalising user experience, targeting advertising, malicious activity; etc.);
- first-party and third-party tracking o single site and multiple site tracking
Transparency (particularly on small mobile devices)
Whether a traditional consent model is sufficient and effective

The panel:

Wendy Seltzer, Policy Council, World Wide Web Consortium (W3C)
Kimon Zorbas, Vice President, Interactive Advertising Bureau (IAB) Europe
Cornelia Kutterer, Director of Regulatory Policy, Corporate Affairs, LCA, Microsoft EMEA
Malavika Jayaram, partner at Jayaram & Jayaram, Bangalore
Shaundra Watson, Counsel for international consumer protection, USA Federal Trade Commission
Rob van Eijk, Council of Europe expert, Leiden University (PhD student)

The moderators:

Christine Runnegar, Internet Society
Sophie Kwasny, Council of Europe

The remote moderator:

James Lawson, Council of Europe

This workshop will explore:

Current and emerging trends in online tracking (and their related purposes)
How to give individuals full knowledge of the tracking that occurs when they go online
Mechanisms to give individuals greater control over tracking and data use
The respective roles of all actors (government, law enforcement, Internet intermediaries, businesses, browser vendors, application developers, advertisers, data brokers, users, Internet technical community, etc.)
Whether effective data protection online can be ensured solely by law.
Whether self-regulation and voluntary consensus standards offer better options for tuning privacy choice to the rapidly advancing technology environment.

Please read our background paper and update

For more details visit https://cis-india.org/news/who-is-following-me

Who Governs the Internet? Implications for Freedom and National Security

sunil — 2014-04-05T16:23:36Z

The second half of last year has been quite momentous for Internet governance thanks to Edward Snowden. German Chancellor Angela Merkel and Brazilian President Dilma Rousseff became aware that they were targets of US surveillance for economic not security reasons. They protested loudly.

The article was published in Yojana (April 2014 Issue). Click to download the original here. (PDF, 177 Kb)

The role of the US perceived by some as the benevolent dictator or primary steward of the Internet because of history, technology, topology and commerce came under scrutiny again. The I star bodies also known as the technical community - Internet Corporation for Assigned Names and Numbers (ICANN); five Regional Internet Registries (RIRs) ie. African, American, Asia-Pacific, European and Latin American; two standard setting organisations - World Wide Web Consortium (W3C) & Internet Engineering Task Force (IETF); the Internet Architecture Board (IAB); and Internet Society (ISOC) responded by issuing the Montevideo Statement [1] on the 7th of October. The statement expressed "strong concern over the undermining of the trust and confidence of Internet users globally due to recent revelations of pervasive monitoring and surveillance." It called for "accelerating the globalization of ICANN and IANA functions..." - did this mean that the I star bodies were finally willing to end the special role that US played in Internet governance? However, that dramatic shift in position was followed with the following qualifier "...towards an environment in which all stakeholders, including all governments, participate on an equal footing." Clearly indicating that for the I star bodies multistakeholderism was non-negotiable. Two days later President Rousseff after a meeting with Fadi Chehadé, announced on Twitter that Brazil would host "an international summit of governments, industry, civil society and academia." [2] The meeting has now been dubbed Net Mundial and 188 proposals for “principles” or “roadmaps for the further evolution of the Internet governance ecosystem” have been submitted for discussion in São Paulo on the 23rd and 24th of April. The meeting will definitely be an important milestone for multilateral and multi-stakeholder mechanisms in the ecosystem.

It has been more than a decade since this debate between multilateralism and multi-stakeholderism has ignited. Multistakeholderism is a form of governance that seeks to ensure that every stakeholder is guaranteed a seat at the policy formulation table (either in consultative capacity or in decision making capacity depending who you ask). The Tunis Agenda, which was the end result of the 2003-05 WSIS upheld the multistakeholder mode. The 2003–2005 World Summit on the Information Society process was seen by those favouring the status quo at that time as the first attempt by the UN bodies or multilateralism - to takeover the Internet. However, the end result i.e. Tunis Agenda [3] clarified and reaffirmed multi-stakeholderism as the way forward even though multilateral governance mechanisms were also accepted as a valid component of Internet governance. The list of stakeholders included states, the private sector, civil society, intergovernmental organisations, international standards organisations and the “academic and technical communities within those stakeholder groups mentioned” above. The Tunis Agenda also constituted the Internet Governance Forum (IGF) and the process of Enhanced Cooperation.

The IGF was defined in detail with a twelve point mandate including to “identify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations.” In brief it was to be a learning Forum, a talk shop and a venue for developing soft law not international treaties. Enhanced Cooperation was defined as “to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues” – and to this day, efforts are on to define it more clearly.

Seven years later, during the World Conference on Telecommunication in Dubai, the status quoists dubbed it another attempt by the UN to take over the Internet. Even those non-American civil society actors who were uncomfortable with US dominance were willing to settle for the status quo because they were convinced that US court would uphold human rights online more robustly than most other countries. In fact, the US administration had laid a good foundation for the demonization of the UN and other nation states that preferred an international regime. "Internet freedom" was State Department doctrine under the leadership of Hillary Clinton. As per her rhetoric – there were good states, bad states and swing states. The US, UK and some Scandinavian countries were the defenders of freedom. China, Russia and Saudi Arabia were examples of authoritarian states that were balkanizing the Internet. And India, Brazil and Indonesia were examples of swing states – in other words, they could go either way – join the good side or the dark side.

But Internet freedom rhetoric was deeply flawed. The US censorship regime is really no better than China’s. China censors political speech – US censors access to knowledge thanks to the intellectual property (IP) rightsholder lobby that has tremendous influence on the Hill. Statistics of television viewership across channels around the world will tell us how the majority privileges cultural speech over political speech on any average day. The great firewall of China only affects its citizens – netizens from other jurisdictions are not impacted by Chinese censorship. On the other hand, the US acts of censorship are usually near global in impact.

This is because the censorship regime is not predominantly based on blocking or filtering but by placing pressure on identification, technology and financial intermediaries thereby forcing their targets offline. When it comes to surveillance, one could argue that the US is worse than China. Again, as was the case with censorship, China only conducts pervasive blanket surveillance upon its citizens – unlike US surveillance, which not only affects its citizens but targets every single user of the Internet through a multi-layered approach with an accompanying acronym soup of programmes and initiatives that include malware, trojans, software vulnerabilities, back doors in encryption standards, over the top service providers, telcos, ISPs, national backbone infrastructure and submarine fibre optic cables.

Security guru Bruce Schneier tells us that "there is no security without privacy. And liberty requires both security and privacy.” Blanket surveillance therefore undermines the security imperative and compromises functioning markets by make e-commerce, e-banking, intellectual property, personal information and confidential information vulnerable. Building a secure Internet and information society will require ending mass surveillance by states and private actors.

The Opportunity for India

Unlike the America with its straitjacketed IP regime, India believes that access to knowledge is a precondition for freedom of speech and expression. As global intellectual property policy or access to knowledge policy is concerned, India is considered a leader both when it comes to domestic policy and international policy development at the World Intellectual Property Organisation. From the 70s our policy-makers have defended the right to health in the form of access to medicines. More recently, India played a critical role in securing the Marrakesh Treaty for Visually Impaired Persons in June 2013 which introduces a user right [also referred to as an exception, flexibility or limitation] which allows the visually impaired to convert books to accessible formats without paying the copyright-holder if an accessible version has not been made available. The Marrakesh Treaty is disability specific [only for the visually impaired] and works specific [only for copyright]. This is the first instance of India successfully exporting policy best practices. India's exception for the disabled in the Copyright Act unlike the Marrakesh Treaty, however, is both disability-neutral and works-neutral.

Given that the Internet is critical to the successful implementation of the Treaty ie. cross border sharing of works that have been made accessible to disabled persons in one country with the global community, it is perhaps time for India to broaden its influence into the sphere of Internet governance and the governance of information societies more broadly.

Post-Snowden, the so called swing states occupy the higher moral ground. It is time for these states to capitalize on this moment using strong political will. Instead of just being a friendly jurisdiction from the perspective of access to medicine, it is time for India to also be the enabling jurisdiction for access to knowledge more broadly. We could use patent pools and compulsory licensing to provide affordable and innovative digital hardware [especially mobile phones] to the developing world. This would ensure that rights-holders, innovators, manufactures, consumers and government would all benefit from India going beyond being the pharmacy of the world to becoming the electronics store of the world. We could explore flat-fee licensing models like a broadband copyright cess or levy to ensure that users get content [text, images, video, audio, games and software] at affordable rates and rights-holders get some royalty from all Internet users in India. This will go a long way in undermining the copyright enforcement based censorship regime that has been established by the US. When it comes to privacy – we could enact a world-class privacy law and establish an independent, autonomous and proactive privacy commissioner who will keep both private and state actors on a short lease. Then we need a scientific, targeted surveillance regime that is in compliance with human rights principles. This will make India simultaneously an IP and privacy haven and thereby attract huge investment from the private sector, and also earn the goodwill of global civil society and independent media. Given that privacy is a precondition for security, this will also make India very secure from a cyber security perspective. Of course this is a fanciful pipe dream given our current circumstances but is definitely a possible future for us as a nation to pursue.

What is the scope of Internet Governance?

Part of the tension between multi-stakeholderism and multilateralism is that there is no single, universally accepted definition of Internet governance. The conservative definitions of Internet Governance limits it to management of critical Internet resources, including the domain name system, IP addresses and root servers – in other words, the ICANN, IANA functions, regional registries and other I* bodies. This is where US dominance has historically been most explicit. This is also where the multi-stakeholder model has clearly delivered so far and therefore we must be most careful about dismantling existing governance arrangements. There are very broadly four approaches for reducing US dominance here – a) globalization [giving other nation-states a role equal to the US within the existing multi-stakeholder paradigm], b) internationalization [bring ICANN, IANA functions, registries and I* bodies under UN control or oversight], c) eliminating the role for nation states in the IANA functions[4] and d) introducing competitors for names and numbers management. Regardless of the final solution, it is clear that those that control domain names and allocate IP addresses will be able to impact the freedom of speech and expression. The impact on the national security of India is very limited given that there are three root servers [5] within national borders and it would be near impossible for the US to shut down the Internet in India.

For a more expansive definition – The Working Group on Internet Governance report[6] has four categories for public policy issues that are relevant to Internet governance:

“(a) Issues relating to infrastructure and the management of critical Internet resources, including administration of the domain name system and Internet protocol addresses (IP addresses), administration of the root server system, technical standards, peering and interconnection, telecommunications infrastructure, including innovative and convergent technologies, as well as multilingualization. These issues are matters of direct relevance to Internet governance and fall within the ambit of existing organizations with responsibility for these matters;

(b) Issues relating to the use of the Internet, including spam, network security and cybercrime. While these issues are directly related to Internet governance, the nature of global cooperation required is not well defined;

(c)Issues that are relevant to the Internet but have an impact much wider than the Internet and for which existing organizations are responsible, such as intellectual property rights (IPRs) or international trade. ...;

(d) Issues relating to the developmental aspects of Internet governance, in particular capacity-building in developing countries.”

Some of these categories are addressed via state regulation that has cascaded from multilateral bodies that are associated with the United Nations such as the World Intellectual Property Organisation for "intellectual property rights" and the International Telecommunication Union for “telecommunications infrastructure”. Other policy issues such as "cyber crime" are currently addressed via plurilateral instruments – for example the Budapest Convention on Cybercrime – and bilateral arrangements like Mutual Legal Assistance Treaties. "Spam" is currently being handled through self-regulatory efforts by the private sector such as Messaging, Malware and Mobile Anti-Abuse Working Group.[7] Other areas where there is insufficient international or global cooperation include "peering and interconnection" - the private arrangements that exist are confidential and it is unclear whether the public interest is being adequately protected.

So who really governs the Internet?

So in conclusion, who governs the Internet is not really a useful question. This is because nobody governs the Internet per se. The Internet is a diffuse collection of standards, technologies and actors and dramatically different across layers, geographies and services. Different Internet actors – the government, the private sector, civil society and the technical and academic community are already regulated using a multiplicity of fora and governance regimes – self regulation, coregulation and state regulation. Is more regulation always the right answer? Do we need to choose between multilateralism and multi-stakeholderism? Do we need stable definitions to process? Do we need different version of multi-stakeholderism for different areas of governance for ex. standards vs. names and numbers? Ideally no, no, no and yes. In my view an appropriate global governance system will be decentralized, diverse or plural in nature yet interoperable, will have both multilateral and multistakeholder institutions and mechanisms and will be as interested in deregulation for the public interest as it is in regulation for the public interest.

[1]. Montevideo Statement on the Future of Internet Cooperation https://www.icann.org/en/news/announcements/announcement-07oct13-en.htm

[2]. Brazil to host global internet summit in ongoing fight against NSA surveillance http://rt.com/news/brazil-internet-summit-fight-nsa-006/

[3]. Tunis Agenda For The Information Society http://www.itu.int/wsis/docs2/tunis/off/6rev1.html

[4]. Roadmap for globalizing IANA: Four principles and a proposal for reform: a submission to the Global Multistakeholder Meeting on the Future of Internet Governance by Milton Mueller and Brenden Kuerbis March 3rd 2014 See: http://www.internetgovernance.org/wordpress/wp-content/uploads/ICANNreformglobalizingIANAfinal.pdf

[5]. Mumbai (I Root), Delhi (K Root) and Chennai (F Root). See: http://nixi.in/en/component/content/article/36-other-activities-/77-root-servers

[6]. Report of the Working Group on Internet Governance to the President of the Preparatory Committee of the World Summit on the Information Society, Ambassador Janis Karklins, and the WSIS Secretary-General, Mr Yoshio Utsumi. Dated: 14 July 2005 See: http://www.wgig.org/WGIG-Report.html

[7].Messaging, Malware and Mobile Anti-Abuse Working Group website See: http://www.maawg.org/

The author is is the Executive Director of the Centre for Internet and Society (CIS), Bangalore. He is also the founder of Mahiti, a 15 year old social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. He is an Ashoka fellow. For three years, he also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

For more details visit https://cis-india.org/internet-governance/blog/yojana-april-2014-sunil-abraham-who-governs-the-internet-implications-for-freedom-and-national-security

White Paper on RTI and Privacy V1.2

vipul — 2014-11-09T02:53:51Z

This white paper explores the relationship between privacy and transparency in the context of the right to information in India. Analysing pertinent case law and legislation - the paper highlights how the courts and the law in India address questions of transparency vs. privacy.

Introduction

Although the right to information is not specifically spelt out in the Constitution of India, 1950, it has been read into Articles 14 (right to equality), 19(1)(a) (freedom of speech and expression) and 21 (right to life) through cases such as Bennet Coleman v. Union of India,[1] Tata Press Ltd. v. Maharashtra Telephone Nigam Ltd.,[2] etc. The same Articles of the Constitution were also interpreted in Kharak Singh v.State of U.P.,[3] Govind v. State of M.P., [4] and a number of other cases, to include within their scope a right to privacy. At the very outset it appears that a right to receive information -though achieving greater transparency in public life - could impinge on the right to privacy of certain people. The presumed tension between the right to privacy and the right to information has been widely recognized and a framework towards balancing the two rights, has been widely discussed across jurisdictions. In India, nowhere is this conflict and the attempt to balance it more evident than under the Right to Information Act, 2005 (the "RTI Act").

Supporting the constitutional right to information enjoyed by the citizens, is the statutorily recognized right to information granted under the RTI Act. Any potential infringement of the right to privacy by the provisions of the RTI Act are sought to be balanced by section 8 which provides that no information should be disclosed if it creates an unwarranted invasion of the privacy of any individual. This exception states that there is no obligation to disclose information which relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the larger public interest justifies the disclosure of such information. [5] The Act further goes on to say that where any information relating to or supplied by a third party and treated by that party as confidential, is to be disclosed, the Central Public Information Officer or State Public Information Officer has to give written notice to that party within five days of receiving such a request inviting such third party (within ten days) to make its case as to whether such information should or should not be disclosed.[6]

A plain reading of section 11 suggests that for the section to apply the following three conditions have to be satisfied, i.e. (i) if the PIO is considering disclosing the information (ii) the information relates to the third party or was given to a Public Authority by the third party in confidence; and (iii) the third party treated the information to be a confidential. It has been held that in order to satisfy the third part of the test stated above, the third party has to be consulted and therefore a notice has to be sent to the third party. Even if the third party claims confidentiality, the proviso to the section provides that the information cannot be withheld if the public interest in the disclosure outweighs the possible harm or injury that may be caused to the third party, except in cases of trade or commercial secrets.[7] The Courts have also held that section 11 should be read keeping in mind the exceptions contained in section 8 (discussed in detail later) and the exceptions contained therein. [8]

This principle of non disclosure of private information can be found across a number of common law jurisdictions. The United Kingdom's Freedom of Information Act, 2000 exempts the disclosure of information where it would violate the data protection principles contained in the Data Protection Act, 1998 or constitute an actionable breach of confidence.[9] The Australian Freedom of Information Act, 1982 categorizes documents involving unreasonable disclosure of personal information as conditionally exempt i.e. allows for their disclosure unless such disclosure would be contrary to public interest.[10] The Canadian Access to Information Act also has a provision which allows the authorities to refuse to disclose personal information except in accordance with the provisions of the Canadian Privacy Act. [11]

An overview of the RTI Act, especially sections 6 to 8 seems to give the impression that the legislature has tried to balance and harmonize conflicting public and private rights and interests by building sufficient safeguards and exceptions to the general principles of disclosure under the Act. [12] This is why it is generally suggested that section 8, when applied, should be given a strict interpretation as it is a fetter on not only a statutory right granted under the RTI Act but also a pre-existing constitutional right. [13] Logical as this argument may seem and appropriate in some circumstances, it does present a problem when dealing with the privacy exception contained in section 8(1)(j). That is because the right to privacy envisaged in this section is also a pre-existing constitutional right which has been traced to the same provisions of the Constitution from which the constitutional right of freedom of information emanates.[14] Therefore there is an ambiguity regarding the treatment and priority given to the privacy exception vs. the disclosure mandate in the RTI Act, as it requires the balancing of not only two competing statutory rights but also two constitutional rights.

The Privacy Exception

As discussed earlier, the purpose of the RTI Act is to increase transparency and ensure that people have access to as much public information as possible. Such a right is critical in a democratic country as it allows for accountability of the State and allows individuals to seek out information and make informed decisions. However, it seems from the language of the RTI Act that at the time of its drafting the legislature did realize that there would be a conflict between the endeavor to provide information and the right to privacy of individuals over the information kept with public authorities, which is why a privacy exception was carved into section 8(1)(j) of the Right to Information Act. The Act does not only protect the privacy of the third party who's information is at risk of being disclosed, but also the privacy of the applicant. In fact it has now been held that a private respondent need not give his/her ID or address as long as the information provided by him/her is sufficient to contact him/her.[15]

It is interesting to note that although the RTI Act gives every citizen a right to information, it does not limit this right with a stipulation as to how the information shall be used by the applicant or the reason for which the applicant wants such information. [16] This lack of a purpose limitation in the Act may have privacy implications as non sensitive personal information could be sought from different sources and processed by any person so as to convert such non-sensitive or anonymous information into identifiable information which could directly impact the privacy of individuals.

The exception in S. 8(1)(j) prohibits the disclosure of personal information for two reasons (i) its disclosure does not relate to any public activity or interest or (ii) it would be an unwarranted invasion into privacy. The above two conditions however get trumped if a larger public interest is satisfied by the disclosure of such information.

One interesting thing about the exception contained in section 8(1)(j) is that this exception itself has an exception to it in the form of a proviso. The proviso says that any information which cannot be denied to the central or state legislature shall not be denied to any person. Since the proviso has been placed at the end of sub-section 8(1) which is also the end of clause 8(1)(j), one might be tempted to ask whether this proviso applies only to the privacy exception i.e. clause 8(1)(j) or to the entire sub-section 8(1) (which includes other exceptions such as national interest, etc.). This issue was put to rest by the Bombay High Court when it held that since the proviso has been put only after clause 8(1)(j) and not before each and every clause, it would not apply to the entire sub-section 8(1) but only to clause 8(1)(j), thus ensuring that the exceptions to disclosure other than the right to privacy are not restricted by this proviso.[17]

Scope of Proviso to section 8(1)(j)
Though the courts have agreed that the proviso is applicable only to section 8(1)(j), the import of the proviso to section 8(1)(j) is a little more ambiguous and there are conflicting decisions by different High Courts on this point. Whereas the Bombay High Court has laid emphasis on the letter of the proviso and derived strength from the objects and overall scheme of the Act to water down the provisions of section 8(1)(j), [18] the Delhi High Court has disagreed with such an approach which gives "undue, even overwhelming deference" to Parliamentary privilege in seeking information. Such an approach would render the protection under section 8(1)j) meaningless, and the basic safeguard bereft of content.[19] In the words of the Delhi High Court:

" The proviso has to be only as confined to what it enacts, to the class of information that Parliament can ordinarily seek; if it were held that all information relating to all public servants, even private information, can be accessed by Parliament, Section 8(1)(j) would be devoid of any substance, because the provision makes no distinction between public and private information. Moreover there is no law which enables Parliament to demand all such information; it has to be necessarily in the context of some matter, or investigation. If the reasoning of the Bombay High Court were to be accepted, there would be nothing left of the right to privacy, elevated to the status of a fundamental right, by several judgments of the Supreme Court. "

The interpretation given by the Delhi High Court thus ensures that section 8(1)(j) still has some effect, as otherwise the privacy exception would have gotten steamrolled by parliamentary privilege and all sorts of information such as Income Tax Returns, etc. of both private and public individuals would have been liable to disclosure under the RTI Act.

Unfortunately, the RTI Act does not describe the terms "personal information" or "larger public interest" used in section 8(1)(j), which leaves some amount of ambiguity in interpreting the privacy exception to the RTI Act. Therefore the only option for anyone to understand these terms in greater depth is to discuss and analyse the case laws developed by the Hon'ble Supreme Court and the High Courts which have tried to throw some light on this issue.

We shall discuss some of these landmark judgments to understand the interpretations given to these terms and then move on to specific instances where (applying these principles) information has been disclosed or denied.

Personal Information
The RTI Act defines the term information but does not define the term "personal information". Therefore one has to rely on judicial pronouncements to understand the term a more clearly. Looking at the common understanding and dictionary meaning of "personal" as well as the definition of "information" contained in the RTI Act it could be said that personal information would be information, information that pertains to a person and as such it takes into its fold possibly every kind of information relating to the person. Now, such personal information of the person may, or may not, have relation to any public activity, or to public interest. At the same time, such personal information may, or may not, be private to the person. [20]

The Delhi High Court has tried to draw a distinction between the term "private information" which encompasses the personal intimacies of the home, the family, marriage, motherhood, procreation, child rearing and of the like nature and "personal information" which would be any information that pertains to an individual. This would logically imply that all private information would be part of personal information but not the other way round. [21] The term 'personal information' has in other cases, been variously described as "identity particulars of public servants, i.e. details such as their dates of birth, personal identification numbers",[22] and as including tax returns, medical records etc.[23] It is worth noting that just because the term used is "personal information" does not mean that the information always has to relate to an actual person, but may even be a juristic entity such as a trust or corporation, etc.[24]

Larger Public Interest
The term larger public interest has not been discussed or defined in the RTI Act, however the Courts have developed some tests to determine if in a given situation, personal information should be disclosed in the larger public interest.

Whenever a Public Information Officer is asked for personal information about any person, it has to balance the competing claims of the privacy of the third party on the one hand and claim of public interest on the other and determine whether the public interest in such a disclosure satisfies violating a person's privacy. The expression "public interest" is not capable of a precise definition and does not have a rigid meaning. It is therefore an elastic term and takes its colors from the statute in which it occurs, the concept varying with the time and the state of the society and its needs. This seems to be the reason why the legislature and even the Courts have shied away from a precise definition of "public interest". However, the term public interest does not mean something that is merely interesting or satisfies the curiosity or love of information or amusement; but something in which a class of the community have some interest by which their rights or liabilities are affected.[25]

There have been suggestions that the use of the word "larger" before the term "public interest" denotes that the public interest involved should serve a large section of the society and not just a small section of it, i.e. if the information has a bearing on the economy, the moral values in the society; the environment; national safety, or the like, the same would qualify as "larger public interest".[26] However this is not a very well supported theory and the usage of the term "larger public interest" cannot be given such a narrow meaning, for example what if the disclosure of the information could save the lives of only 10 people or even just 5 children? Would the information not be released just because it violates one person's right to privacy and there is not a significant number of lives at stake? This does not seem to be what all the cases on the right to privacy, right from Kharak Singh[27] all the way to Naz Foundation, [28] seem to suggest. Infact, in the very same judgment where the above interpretation has been suggested, the Court undermines this argument by giving the example of a person with a previous crime of sexual assault being employed in an orphanage and says that the interest of the small group of children in the orphanage would outweigh the privacy concerns of the individual thus requiring disclosure of all information regarding the employee's past.

In light of the above understanding of section 8(1)(j), there seem to be two different tests that have been proposed by the Courts, which seem to connote the same principle although in different words:

1. The test laid down by Union Public Service Commission v. R.K. Jain:

(i) The information sought must relate to „Personal information‟ as understood above of a third party. Therefore, if the information sought does not qualify as personal information, the exemption would not apply;

(ii) Such personal information should relate to a third person, i.e., a person other than the information seeker or the public authority; AND

(iii) (a) The information sought should not have a relation to any public activity qua such third person, or to public interest. If the information sought relates to public activity of the third party, i.e. to his activities falling within the public domain, the exemption would not apply. Similarly, if the disclosure of the personal information is found justified in public interest, the exemption would be lifted, otherwise not; OR (b) The disclosure of the information would cause unwarranted invasion of the privacy of the individual, and that there is no larger public interest involved in such disclosure. [29]

2. The other test was laid down in Vijay Prakash v. Union of India, but in the specific circumstances of disclosure of personal information relating to a public official:

(i) whether the information is deemed to comprise the individual's private details, unrelated to his position in the organization;

(ii) whether the disclosure of the personal information is with the aim of providing knowledge of the proper performance of the duties and tasks assigned to the public servant in any specific case; and

(iii) whether the disclosure will furnish any information required to establish accountability or transparency in the use of public resources. [30]

Constitutional Restrictions
Since there is not extensive academic discussion on the meaning of the term "larger public interest" or "public interest" as provided in section 8(1)(j), one is forced to turn to other sources to get a better idea of these terms. One such source is constitutional law, since the right to privacy, as contained in section 8(1)(j) has its origins in Articles 14,[31] 19(1)(a) [32] and 21[33] of the Constitution of India. The constitutional right to privacy in India is also not an absolute right and various cases have carved out a number of exceptions to privacy, a perusal of which may give some indication as to what may be considered as 'larger public interest', these restrictions are:

a) Reasonable restrictions can be imposed on the right to privacy in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence; ^{^[34]}

b) Reasonable restrictions can be imposed upon the right to privacy either in the interests of the general public or for the protection of the interests of any Scheduled Tribe;^{^[35]}

c) The right to privacy can be restricted by procedure established by law which procedure would have to satisfy the test laid down in the Maneka Gandhi case.^{^[36]}

d) The right can be restricted if there is an important countervailing interest which is superior; ^{^[37]}

e) It can be restricted if there is a compelling state interest to be served by doing so; ^{^[38]}

f) It can be restricted in case there is a compelling public interest to be served by doing so; ^{^[39]}

g) The Rajagopal tests - This case lays down three exceptions to the rule that a person's private information cannot be published, viz. i) person voluntarily thrusts himself into controversy or voluntarily raises or invites a controversy, ii) if publication is based on public records other than for sexual assault, kidnap and abduction, iii) there is no right to privacy for public officials with respect to their acts and conduct relevant to the discharge of their official duties. It must be noted that although the Court talks about public records, it does not use the term 'public domain' and thus it is possible that even if a document has been leaked in the public domain and is freely available, if it is not a matter of public record, the right to privacy can still be claimed in regard to it.^{^[40]}

Section 8(1)(j) in Practice

The discussion in the previous chapter regarding the interpretation of section 8(1)(j), though (hopefully) helpful still seems a little abstract without specific instances and illustrations to drive home the point. In this chapter we shall endeavor to briefly discuss some specific cases regarding information disclosure where the issue of violation of privacy of a third party was raised.

Private Information of Public Officials
Some of the most common problems regarding section 8(1)(j) come up when discussing information (personal or otherwise) regarding public officers. The issue comes up because an argument can be made that certain information such as income tax details, financial details, medical records, etc. of public officials should be disclosed since it has a bearing on their public activities and disclosure of such information in case of crooked officers would serve the interests of transparency and cleaner government (hence serving a larger public interest). Although section 8(1)(j) does not make any distinction between a private person and a public servant, a distinction in the way their personal information is treated does appear in reality due to the inherent nature of a public servant. Infact it has sometimes been argued that public servants must waive the right to privacy in favour of transparency.[41] However this argument has been repeatedly rejected by the Courts, [42] just because a person assumes public office does not mean that he/she would automatically lose their right to privacy in favour of transparency.

If personal information regarding a public servant is asked for, then a distinction must be made between the information that is inherently personal to the person and that which has a connection with his/her public functions. The information exempted under section 8(1)(j) is personal information which is so intimately private in nature that the disclosure of the same would not benefit any other person, but would result in the invasion of the privacy of the third party.[43] In short, the Courts have concluded that there can be no blanket rule regarding what information can and cannot be disclosed when it comes to a public servant, and the disclosure (or lack of it) would depend upon the circumstances of each case.

Although the earlier thinking of the CIC as well as various High Courts of the country was that information regarding disciplinary proceedings and service records of public officials is to be treated as public information in order to boost transparency,[44] however this line of thinking took almost a U-turn in 2012 after the decision of the Supreme Court in Girish Ramchandra Deshpande v. Central Information Commissioner,[45] and now the prevailing principle is that such information is personal information and should not be disclosed unless a larger public interest is would be served by the disclosure.

It would also be helpful to look at a list of the type of information regarding public servants which has been disclosed in the past, gleaned from various cases, to get a better understanding of the prevailing trends in such cases:

(i) Details of postings of public servants at various points of time, since this was not considered as personal information; [46]

(ii) Copies of posting/ transfer orders of public servants, since it was not considered personal information; [47]

(iii) Information regarding transfers of colleagues cannot be exempted from disclosure, since disclosure would not cause any unwarranted invasion of privacy and non disclosure would defeat the object of the RTI Act;[48]

(iv) Information regarding the criteria adopted and the marks allotted to various academic qualifications, experience and interview in selection process for government posts by the state Public Service Commission;[49]

(v) Information regarding marks obtained in written test, interview, annual confidential reports of the applicant as well as the marks in the written test and interview of the last candidate selected, since this information was not considered as personal information; [50]

(vi) Information relating to the appointment and educational certificates of teachers in an educational institution (which satisfies the requirements of being a public authority) was disclosed since this was considered as relevant to them performing their functions. [51]

The performance of an employee/officer in an organization is primarily a matter between the employee and the employer and normally those aspects are governed by the service rules which fall under the expression "personal information", the disclosure of which has no relationship to any public activity or public interest. To understand this better below is a brief list of the type of information that has been considered by the Courts as personal information which is liable to be exempt from disclosure under section 8(1)(j):

(i) (a) Salary details, (b) show cause notice, memo and censure, (c) return of assets and liabilities, (d) details of investment and other related details, (e) details of gifts accepted, (f) complete enquiry proceedings, (g) details of income tax returns;[52]

(ii) All memos issued, show cause notices and orders of censure/punishment etc. are personal information. Cannot be revealed unless a larger public interest justifies such disclosure;[53]

(iii) Disciplinary information of an employee is personal information and is exempt under section 8(1)(j); [54]

(iv) Medical records cannot be disclosed due to section 8(1)(j) as they come under "personal information", unless a larger public interest can be shown meriting such disclosure;[55]

(v) Copy of personnel records and service book (containing Annual Confidential Reports, etc.) of a public servant is personal information and cannot be disclosed due to section 8(1)(j);[56]

(vi) Information regarding sexual disorder, DNA test between an officer and his surrogate mother, name of his biological father and step father, name of his mother and surrogate step mother and such other aspects were denied by the Courts as such information was considered beyond the perception of decency and was an invasion into another man's privacy.[57]

It is not just the issue of disclosure of personal details of public officials that raises complicated questions regarding the right to information, but the opposite is equally true, i.e. what about seemingly "public" details of private individuals. A very complicated question arose with regard to information relating to the passport details of private individuals.

Passport Information of Private Individuals
The disclosure of passport details of private individuals is complicated because for a long time there was some confusion because of the treatment to be given to passport details, i.e. would its disclosure cause an invasion of privacy since it contains personally identifying information, specially because photocopies of the passport are regularly given for various purposes such as travelling, getting a new phone connection, etc. The Central Information Commission used a somewhat convoluted logic that since a person providing information relating to his residence and identity while applying for a passport was engaging in a public activity therefore such information relates to a public activity and should be disclosed. This view was rejected by the Delhi High Court in the case of Union of India v. Hardev Singh,[58] and the view taken inHardev Singh was later endorsed and relied upon in Union of India v. Rajesh Bhatia, [59] while hearing a number of petitions to decide what details of a third party's passport should be disclosed and what should be exempt from disclosure.

A list of the Courts conclusions is given below:

Information that can be revealed:

(i) Name of passport holder;

(ii) Whether a visa was issued to a third party or not;

(iii) Details of the passport including dates of first issue, subsequent renewals, dates of application for renewals, numbers of the new passports and date of expiry;

(iv) Nature of documents submitted as proof;

(v) Name of police station from where verification for passport was done;

(vi) Whether any report was called for from the jurisdictional police;

(vii) Whether passport was renewed through an agent or through a foreign embassy;

(viii) Whether it was renewed in India or any foreign country;

(ix) Whether tatkal facility was availed by the passport holder;

Information that cannot be revealed:

(i) Contents of the documents submitted with the passport application;

(ii) Marital status and name and address of husband;

(iii) Whether person's name figures as mother/guardian in the passport of any minor;

(iv) Copy of passport application form;

(v) Residential address of passport holder;

(vi) Details of cases filed/pending against passport holder;

(vii) Copy of old passport;

(viii) Report of the police and CID for issuing the passport;

(ix) Copy of the Verification Certificate, if any such Verification Certificate was relied upon for the issue of the passport.

Other Instances

Apart from the above two broad categories of information that has been the subject of intense judicial discussion, certain other situations have also arisen where the Courts have had to decide the issue of disclosure under section 8(1)(j), a brief summary of such situations is given below:

(i) names and details of people who received money as donations from the President out of public funds was considered as information which has a definite link to public activities and was therefore liable to be disclosed;[60]

(ii) information regarding the religion practiced by a person, who is alleged to be a public figure, collected by the Census authorities was not disclosed since it was held that the quest to obtain the information about the religion professed or not professed by a citizen cannot be in any event; [61]

(iii) information regarding all FIRs against a person was not protected under section 8(1)(j) since it was already a matter of public record and Court record and could not be said to be an invasion of the person's privacy;[62]

(iv) information regarding the income tax returns of a public charitable trust was held not to be exempt under section 8(1)(j), since the trust involved was a public charitable trust functioning under a Scheme formulated by the District Court and registered under the Bombay Public Trust Act as such due to its character and activities its tax returns would be in relation to public interest or activities.[63]

Conclusion

A discussion of the provisions of section 8 and 11 of the RTI Act as well as the case laws under it reveals that the legislature was aware of the dangers posed to the privacy of individuals from such a powerful transparency law. However, it did not want the exceptions carved out to protect the privacy of individuals to nullify the objects of the RTI Act and therefore drafted the legislation to incorporate the principle that although the RTI Act should not be used to violate the privacy of individuals, such an exception will not be applicable if a larger public interest is to be served by the disclosure. This principle is in line with other common law jurisdictions such as the U.K, Austalia, Canada, etc. which have similar exceptions based on privacy or confidentiality.

However it is disappointing to note that the legislature has only left the legislation at the stage of the principle which has left the language of the exception very wide and open to varied interpretations. It is understandable that the legislature would try to keep specifics out of the scope of the section to make it future proof. It is obvious that it would be impossible for the legislature or the courts to imagine every single circumstance that could arise where the right to information and the right to privacy would be at loggerheads. However, such wide and ambiguous drafting has led to cases where the Courts and the Central Information Commission have taken opposing views, with the views of the Court obviously prevailing in the end. This was illustrated by the issue of disclosure of passport details of private individuals with a large number of CIC cases taking different views till the High Court of Delhi gave categorical findings on the issue in the Hardev Singh and Rajesh Bhatia cases. Similar was the issue of service details of public officials since before the decision of the Supreme Court in the case of Girish Ramchandra Deshpande in 2012 the prevailing thinking of the CIC was that details of disciplinary proceedings against public officials are not covered by section 8(1)(j), however this thinking has now taken a U-turn as the Supreme Court's understanding of the right to privacy has taken stronger roots and such information is now outside the scope of the RTI Act, unless a larger public interest in the disclosure can be shown.

The ambiguity that arises in application when trying to balance the right to privacy against the right to information is a drawback in incorporating only a principle and leaving the language ambiguous in any legislation. This paper does not advocate that the legislature try to list out all the instances of this problem that are possibly imaginable, this would be too time consuming and may even be counterproductive. However, it is possible for the legislature to adopt an accepted practice of legislative drafting and list certain instances where there is an obvious balancing required between the two rights and put them as "Illustrations" to the section. This device has been utilised to great effect by some of the most fundamental legislations in India such as the Contract Act, 1872 and the Indian Penal Code, 1860. An alternative to this approach could be to utilize the approach taken in the Australian Freedom of Information Act, where the Act itself gives certain factors which should be considered to determine whether access to a particular document would be in the public interest or not.

List of References

Primary Sources

1. Australia Freedom of Information Act, 1982.

2. Bennet Coleman v. Union of India, AIR 1973 SC 106.

3. Bhagat Singh v. Chief Information Commissioner, 2008 (64) AIC 284 (Del).

4. Calcutta High Court, WP (W) No. 33290 of 2013, dated 20-11-2013.

5. Canadian Access to Information Act.

6. Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667

7. Constitution of India, 1950.

8. Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

9. Haryana Public Service Commission v. State Information Commission, AIR 2009 P & H 14.

10. Jamia Millia Islamia v. Sh. Ikramuddin, Delhi High Court, WP(C) 5677 of 2011 dated 22-11-2011.

11. Jitendra Singh v. State of U.P., 2008 (66) AIC 685 (All).

12. Kharak Singh v. State of U.P., AIR 1963 SC 129.

13. Maneka Gandhi v. Union of India, Supreme Court of India, WP No. 231 of 1977, dated 25-01-1978.

14. Naz Foundation Delhi High Court, WP(C) No.7455/2001 dated 02-07-2009.

15. P.C. Wadhwa v. Central Information Commission, Punjab and Haryana High Court, LPA No. 1252 of 2009 dated 29-11-2010.

16. Paardarshita Public Welfare Foundation v. Union of India and others, AIR 2011 Del 82.

17. President's Secretariat v. Nitish Kumar Tripathi, Delhi High Court, WP (C) 3382 of 2012, dated 14-06-2012.

18. Public Information Officer v. Andhra Pradesh Information Commission,2009 (76) AIC 854 (AP).

19. R. Rajagopal v. Union of India, Supreme Court of India, dated 7-10-1994.

20. Rajendra Vasantlal Shah v. Central Information Commissioner, New Delhi, AIR 2011 Guj 70.

21. Rajinder Jaina v. Central Information Commission, 2010 (86) AIC 510 (Del. H.C.).

22. Right to Information Act, 2005

23. Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

24. Srikant Pandaya v. State of M.P., AIR 2011 MP 14.

25. Surendra Singh v. State of U.P, AIR 2009 Alld. 106.

26. Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom).

27. Tata Press Ltd. v. Maharashtra Telephone Nigam Ltd., (1995) 5 SCC 139.

28. U.K. Freedom of Information Act, 2000.

29. UCO Bank v. Central Information Commissioner and another, 2009 (79) AIC 545 (P&H).

30. Union Centre for Earth Science Studies v. Anson Sebastian, AIR 2010 Ker. 151

31. Union of India v. Hardev Singh WP(C) 3444 of 2012 dated 23-08-2013.

32. Union of India v. Rajesh Bhatia WP(C) 2232/2012 dated 17-09-2013.

33. Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

34. Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

Secondary Sources

1. "Country Report for U.K.", Privacy International, available at https://www.privacyinternational.org/reports/united-kingdom.

2. "Country Report for Australia", Privacy International, available at https://www.privacyinternational.org/reports/australia.

3. "Country Report for Canada", Privacy International, available at https://www.privacyinternational.org/reports/canada.

[1] AIR 1973 SC 106. This case held that the freedom of the press embodies in itself the right of the people to read.

[2] (1995) 5 SCC 139.

[3] AIR 1963 SC 129.

[4] Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[5] Section 8(1) in its entirety states as follows:

(1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,-

(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence;

(b) information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;

(d) information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;

(e) information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;

(f) information received in confidence from foreign Government;

(g) information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;

(h) information which would impede the process of investigation or apprehension or prosecution of offenders;

(i) cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers:

Provided that the decisions of Council of Ministers, the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over:

Provided further that those matters which come under the exemptions specified in this section shall not be disclosed;

(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:

Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

[6] Section 11 of the RTI Act.

[7] The Registrar General v. A. Kanagaraj, (Madras High Court, 14 June 2013, available at http://www.indiankanoon.org/doc/36226888/.

[8] Arvind Kejriwal v. Central Public Information Officer, (Delhi High Court, 30 September 2011, available at http://www.indiankanoon.org/doc/1923225/.

[9] Sections 40 and 41 of the U.K. Freedom of Information Act, 2000.

[10] Section 11A read with section 47-F of the Australia Freedom of Information Act, 1982.

[11] Section 19 of the Canadian Access to Information Act.

[12] Public Information Officer v. Andhra Pradesh Information Commission,2009 (76) AIC 854 (AP).

[13] Bhagat Singh v. Chief Information Commissioner, 2008 (64) AIC 284 (Del).

[14] Articles 14, 19(1)(a) and 21 of the Constitution of India, 1950.

[15] Calcutta High Court, WP(W) No. 33290 of 2013, dated 20-11-2013.

[16] Jitendra Singh v. State of U.P., 2008 (66) AIC 685 (All).

[17] Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom).

[18] Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom), para 14. Where the Court held that since the medical records of a convict cannot be denied to Parliament or State legislature therefore they cannot be exempted from disclosure under the Act.

[19] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[20] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[21] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[22] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[23] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

[24] Jamia Millia Islamia v. Sh. Ikramuddin , Delhi High Court, WP(C) 5677 of 2011 dated 22-11-2011.

[25] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[26] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[27] AIR 1963 SC 129.

[28] Delhi High Court, WP(C) No.7455/2001 dated 02-07-2009.

[29] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 (for stay), dated 13-07-2012. This ruling was overturned by a Division Bench of the High Court relying upon a subsequent Supreme Court ruling, however, it could be argued that the Division Bench did not per se disagree with the discussion and the principles laid down in this case, but only the way they were applied.

[30] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[31] Right to equality.

[32] Freedom of speech and expression.

[33] Right to life.

[34] Article 19(2) of the Constitution of India, 1950.

[35] Article 19(5) of the Constitution of India, 1950.

[36] Maneka Gandhi v. Union of India, Supreme Court of India, WP No. 231 of 1977, dated 25-01-1978. The test laid down in this case is universally considered to be that the procedure established by law which restricts the fundamental right should be just, fair and reasonable.

[37] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[38] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[39] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975. However the Court later used phrases such as "reasonable restriction in public interest" and "reasonable restriction upon it for compelling interest of State" interchangeably which seems to suggest that the terms "compelling public interest" and "compelling state interest" used by the Court are being used synonymously and the Court does not draw any distinction between them. It is also important to note that the wider phrase "countervailing interest is shown to be superior" seems to suggest that it is possible, atleast in theory, to have other interests apart from public interest or state interest also which could trump the right to privacy.

[40] R. Rajagopal v. Union of India , Supreme Court of India, dated 7-10-1994. These tests have been listed as one group since they are all applicable in the specific context of publication of private information.

[41] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[42] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010. Also see Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[43] Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667. This case also held that information cannot be denied on the ground that it would be too voluminous.

[44] Union Centre for Earth Science Studies v. Anson Sebastian, AIR 2010 Ker. 151; Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 (for stay), dated 13-07-2012

[45] 2012 (119) AIC 105 (SC).

[46] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[47] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[48] Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667.

[49] Haryana Public Service Commission v. State Information Commission, AIR 2009 P & H 14.

[50] UCO Bank v. Central Information Commissioner and another, 2009 (79) AIC 545 (P&H).

[51] Surendra Singh v. State of U.P, AIR 2009 Alld. 106.

[52] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[53] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[54] R.K. Jain v. Union Public Service Commission, Delhi High Court, LPA No. 618 of 2012, dated 12-11-2012.

[55] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

[56] Srikant Pandaya v. State of M.P., AIR 2011 MP 14.

[57] Paardarshita Public Welfare Foundation v. Union of India and others, AIR 2011 Del 82. It must be mentioned that this case was not exactly under the procedure prescribed under the RTI Act but was a public interest litigation although the courts relied upon the provisions of the RTI Act.

[58] WP(C) 3444 of 2012 dated 23-08-2013.

[59] WP(C) 2232/2012 dated 17-09-2013.

[60] President's Secretariat v. Nitish Kumar Tripathi, Delhi High Court, WP (C) 3382 of 2012, dated 14-06-2012.

[61] P.C. Wadhwa v. Central Information Commission, Punjab and Haryana High Court, LPA No. 1252 of 2009 dated 29-11-2010.

[62] Rajinder Jaina v. Central Information Commission, 2010 (86) AIC 510 (Del. H.C.).

[63] Rajendra Vasantlal Shah v. Central Information Commissioner, New Delhi, AIR 2011 Guj 70.

For more details visit https://cis-india.org/internet-governance/blog/white-paper-on-rti-and-privacy-v-1.2

White Paper on Data Protection and Privacy

Admin — 2018-03-07T14:57:53Z

National Institute of Public Finance and Policy is organizing a roundtable on data protection and privacy in New Delhi on March 8, 2018. Sunil Abraham is participating as a moderator in the session on Rights and Protections. Amber Sinha is also participating as a panelist.

Agenda here

For more details visit https://cis-india.org/internet-governance/news/white-paper-on-data-protection-and-privacy

Wherever you are, whatever you do

sunil — 2012-03-21T10:12:05Z

Facebook recently launched a location-based service called Places. Privacy advocates are resenting to this new development. Sunil Abraham identifies the three prime reasons for this outcry against Facebook. The article was published in the Indian Express on 23 August, 2010.

Privacy activists are up in arms again, at Facebook’s recent launch of a new location-based service called Places. But what’s the new issue here? For years, telecom operators have been able to roughly locate you by triangulating the signal strength between the three nearest cell towers. In India, geo-location is part of the call logs maintained by the operator. That is how the police was able to determine that Bangalore resident Sathish Gupta killed his wife Priyanka. He took her mobile with him during a jog with his friend and then faked a phone call as an alibi. He knew that the time-stamps on the call logs would corroborate his lies. But the location-data nailed him. So, in short, the state and telecom operators know where you are even if you don’t have a smartphone with GPS support.

For those who can afford it? GPS support provides greater accuracy and reliability, independent of telecom signal strength. The immediate and future benefits are huge. For parents, MyKidIsSafe.com, allows them to create a geo-fence and receive automatic notification when the child leaves the safety zone. In combination with RFID, businesses are able to provide their customers with accurate updates regarding status of deliveries. The Karnataka police is able to verify that the police inspector issuing the challan using a Blackberry for a traffic violation is not doing it from home. Seven hundred and fifty thousand gay men from 162 countries use a geo-social network called Grindr to find love. In the future, most car-pooling services will be GPS-enabled. Geo-location-based crowd-sourcing will be used to predict and avoid traffic jams by measuring the density and velocity of mobile phones on various routes.

Privacy advocates worry that after helping the police solve crimes and fight terrrorism, telecom companies retain the logs instead of deleting, anonymising or obfuscating them. Especially so in India, given the lack of privacy laws, telecom operators, web and mobile service providers could retain the logs for customer profiling or worse still, sell the raw data or analysis to third parties. Cyber-stalkers, child molesters and rapists benefit. Cat burglars will know when you are away and be able to clean out your house in a more relaxed fashion. Geo-surveillance by a state, obsessed with terrorism, will have negligible benefits while extracting a huge social cost and significantly undermining national security.

So why this particular outcry against the world’s most successful social networking website? There are three reasons that come immediately to mind. First, Facebook has a terrible record with privacy. In the last five years, the default settings have moved from one where no personal data was available for anonymous access to one with anonymous access to everything except birthday and contact information. And these are settings that affect the majority of the half a billion people who don’t bother changing default settings. So there is no guarantee that Facebook will not get more intrusive with its default geo-location privacy settings.

Second, a friend can geo-tag you without requiring you to approve or confirm this. Once you are geo-tagged, all your common friends will be notified through the friend-feed system. This is similar to the current system of photo sharing. A friend can upload a inappropriate photograph and tag you almost instantly all your work-mates who also happen to be your Facebook friends get a notification via the feed. Of course, you can always untag the photo, change the settings and defriend the culprit but by then the damage is usually done.

Third, the Facebook user-interface for privacy settings is notoriously complex and cumbersome. Many users will think that they have managed to bolt down the security settings when in fact their personal data will remain all up for grabs. The half a million third-party products available today on the Facebook platform only compounds this problem.

Read the original in the Indian Express

For more details visit https://cis-india.org/internet-governance/blog/wherever-you-are-whatever-you-do

When Whistle Blowers Unite

sunil — 2012-03-21T10:17:48Z

Leaking corporate or government information in public interest through popular Web service providers is risky but Wikileaks.org is one option that you could try out.

Leaking corporate or government information in public interest in the age of Satyam has new challenges. You couldn't just upload it to a blog, social networking website or even a document management system like Google documents. Google, Yahoo and most other Web service providers nearly always comply with the national law and cooperate with enforcement agencies. In India there have been several arrests in connection with alleged illegal email messages and content on social networking websites. It did not take court order – just a request from the local police station. Furthermore, you would have to undertake additional risky activity online to draw media attention to your documents. Also those who stand to lose from the leak can send a couple of copyright take down notices which will lead to deletion. So your only real option is Wikileaks.org, where they boast: Every source protected. No documents censored. All legal attacks defeated.

Launched in December 2006, Wikileaks.org stands alone on the Internet as the last refuge for the truth. Even though the promoters are European and US academic organisations, journalists and NGOs – a near neutral point of view is realised by sparing no one across the political and ideological spectrum. It is the archive of the whistle-blowers of the world and it is ugly: login information and private emails of a holocaust denier, secret documents from the Church of Scientology, Internet block-lists from Thailand and standard operating procedures for US guards at Guantanamo Bay, et cetera. One could safely assume that these guys have very few friends. Unlike Wikipedia.org whose technology it employs, Wikileaks does not have an open and participatory editorial policy. It accepts documents through a trusted journalist–source system.

Leaking controversial documents can result in loss of job, limb and life, so extreme caution is always advised. Remember that India still does not have laws protecting whistle blowers, in spite of a bill being introduced in 2006. What follows is only a very rough guide to digital whistle blowing, so please get expert advice before you try these at home:

Download and install military grade encryption software like Pretty Good Privacy. Generate a pair of keys – a public and a private one. Use your private key in combination to a journalist's public key to send him or her, a 'for your eyes only message' email. Only the journalist will be able to decrypt the message using your public key and his private key. Note however, that an Indian court under the 2008 amendment of the IT Act can ask you to disclose your key-pair.
Step outside. Working from home is a bad idea since DOT mandates that all ISPs retain logs for all users and for all services utilized for an indeterminate time-period. Office is still worse as your network administrator might be also logging your activities.
Find an anonymous public access point. Cyber-cafes, especially in New Delhi, Maharashtra, Karnataka and Tamil Nadu are asking users to provide identity cards and record contact details and in some cases web-cam photographs as well. Using your laptop in a coffee shop may work but DOT is considering cracking down on open wifi networks.
Use an anonymizing service so that the chain of digital evidence leading up to Wikileaks is obliterated. TOR is the anonymizing solution of choice. Several TOR servers that provide private tunnels across the Internet work in unison, to form a cloud of anonymity.

If you were leaking large amounts of data, uploading it may be too risky. Burn the data on DVDs and mail them to Wikileaks. However, do ensure that all digital files have been purged of personal information. For word files this can be done by converting to PDF. Also you may not want to leave any finger-prints on the package. India will soon have a database of finger prints thanks to the National Unique Identity (NUID) project. We know this thanks to the leaked NUID project document on Wikileaks.org, days before the consultation.

For more details visit https://cis-india.org/internet-governance/blog/whistle-blowers-unite

When the war’s on WhatsApp

praskrishna — 2016-09-25T16:36:01Z

Slick, jingoistic videos are whipping up pro-war rhetoric on social media after the Uri terror attack.

The article by Manju V was published in the Times of India on September 25, 2016. Nishant Shah was quoted.

It packs a meaner punch than any 140-character tweet. In 140 jingoistic seconds, the cleverly packaged YouTube film veers from Mohammed Rafi to Chandra Shekhar Azad drumming up pro-war rhetoric to avenge the Pathankot attack. Set to the tone of chirping crickets on a moonlit night somewhere along the western border that India shares with its neighbour, the short film has two armymen in fatigues deliberate over the absolute need to respond with a counter attack. It ends in a staccato military drumbeat with a voiceover quoting Azad: "If yet your blood does not rage, then it is water that flows in your veins."

Posted about 10 days after the Pathankot attack in January, the video was resurrected last week after the country woke up to the Uri attack that killed 18 Indian soldiers in the deadliest assault on security forces in Kashmir in over two decades. Even as photographs of a grenade smoke-filled valley, tricolour-draped coffins, grieving sons, daughters and widows made the rounds in media outlets scores of Indians marched onto social media, some armed with incendiary prose and other with slick videos that expressed more anger than anguish.

In another video doing the rounds, a jawan, or someone in uniform, sings a poem warning Pakistan. His mates join in the refrain: "Kashmir toh hoga, lekin Pakistan nahi hoga."

These videos of jawans threatening to decimate Pakistan were shared by thousands. WhatsApp profile pictures and statuses were changed, Facebook posts got longer and vitriolic, Twitter #UriAttack exploded with expletives as the enough-is-enough sentiment peaked. It heralded the beginning of an era where the dynamics of Indo-Pakistan relations will play out not just in the diplomatic corridors of Delhi and Islamabad, the valley of Kashmir or the barracks of security forces; but also on the mobile phones, tablets and laptops of millions of Indians.

When contacted for a comment, the makers of the war-mongering 'Pathankot Tolerance' video didn't endorse war outright. "My individual opinion is that war is not a solution," said producer Santosh Singh, who heads the Mumbai-based V Seven Pictures. "Before we resort to war, we have to solve our internal problems. How can we let infiltration take place so blatantly?" he asked. Why then does the video not talk about this? Singh said that when one hears about such attacks, the instant reaction is to retaliate. "The video is based on that sentiment."

An electronics engineer, Singh also owns an IT recruitment firm. His film production company, which he runs along with his friend Vivek Joshi, made the Mauka Mauka World Cup video that went viral and also produces short films and videos for clients. "We have no political affiliations, in fact we turned down a couple of political parties who approached us," says Singh, adding that his company has made 30-35 films in less than two years. "Of these, about 10 are on issues close to our heart, like those on Afzal Guru and the Pathankot attack. We upload them on YouTube, they are aired without ads. We don't earn money from them," he adds.

Ugly gets outlet

Nitin Pai, director of Takshashila Institution, an independent centre for research and education in public policy, says that social media and some television studios have enabled people to express their subconscious fears and desires. "It is not just today that the people of India have been angry with Pakistan for fomenting terrorism in our country. But it is only now that they have ways to express this anger; unfortunately, social media dynamics amplify this anger in a grotesque, distorted manner, allowing the ugly and less-sensible views to rise to the top of the public discourse," said Pai.

Tracing the many origins of this phenomenon, psychiatrist Harish Shetty says that in an angst-ridden, globalized world, we need a whipping boy. "With the Uri attacks, the entire nation had a common enemy. In expressing collective anger, there's catharsis." The current outpouring is not just over the deaths of soldiers; such an incident also opens up older wounds, he says. "For a long time, Indians have found their leaders to be helpless. It's like a family that is attacked again and again by a neighbour, but the father does nothing about it. There has been a lack of strong response from 'papa figures' across time, which has led to a sense of anger and rage. After the Uri attacks, the collective self-esteem of the country took a beating, and people felt a need to assert themselves on social media. At such times strong action is viewed as legitimate, valid and free of guilt," he adds.

Amplifying angst

If social media brought together protesters in Tunisia and Egypt during the Arab spring, in democratic India it has turned into a platform for expressing mass disenchantment with the government, especially in the wake of such attacks.

Social media plays several roles in times of crises, says Nishant Shah, professor of digital media and co-founder of the Centre for Internet & Society, Bengaluru. One, it amplifies what is already being said in friend circles and living-room conversations in front of the telly, but spreads it to a larger audience. "The second role it plays is distribution: social media allows people to inherit other people's opinions, thus exposing them to new ways of thinking but also find corroborators for their own viewpoints," he says. The third is catalysis — social media also has the capacity to generate new information. "The format creates new kinds of truths. Things that can be caught in Snapchat videos, or visuals which can be remixed, all become a part of this zeitgeist," Shah says.

Virtual wars

But in India at least, social media is no indicator of considered public opinion, points out Pai. Shah adds: "What we are seeing is a filter bubble of a privileged set of people who are engaging in this debate."

Then again, what's said on social media needn't be endorsed in real life. Vivek Joshi, who wrote and directed the Pathankot video, says nobody in the world would want a war. "But when it comes to the lives of our soldiers, an answer has to be given. If the government had taken any visible action, then there would have been no need to put out a video like this," Joshi adds. And therein probably comes the new-age heuristic of venting out on social media.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-september-25-2016-manju-vi-when-the-war-is-on-whatsapp

When the virtual world wakes up the real one

praskrishna — 2013-11-30T09:35:06Z

The unprecedented wave of voices speaking up against sexual harassment in recent times has as much to do with technology as the determination to seek justice. From Twitter to Tumblr, and blogs to pastebin, the internet's anonymity, reach and speed allow small, personal stories of abuse to swell into big stories.

The article by Malini Nair was published in the Times of India on November 24. Nishant Shah is quoted.

The outrage over the Tehelka case started with a post on pastebin, an anonymous document sharing site, on Wednesday evening. It contained the email managing editor Shoma Chaudhury had sent to the Tehelka staff with editor Tarun Tejpal's "atonement" letter appended below. A few hours later, the story had ballooned into a heated debate, and the outpouring forced what was being dismissed as an "internal matter" to be treated as a criminal case.

The two women who recently spoke up against harassment at the hands of a retired Supreme Court judge also used Facebook and the blogosphere to tell their stories, ensuring that the real world was actually moved into taking action. "The social web's biggest comfort is that we are no longer alone," says Nishant Shah, director, Research at the Centre for Internet and Society, Bangalore. "No matter what has happened to us, it has happened to somebody else. The possibility of finding credulous and empathetic audiences who but share our pain, understand it, and respond to it is unprecedented." Retweets and comments have often been described as the digital equivalent of holding hands.

Shah's pick of web campaigns that highlighted the problems include Blank Noise which calls women to talk of small, everyday stories of harassment, the Pink Chaddi drive and Why We Need Feminism, a web venture across American universities.

The other reason why the net encourages victims of abuse who might otherwise have stayed quiet to speak out is its "pseudonymity", as Shah terms it. In societies where there is shame attached to talking about sexual assault, the online space saves women from having to put themselves out in the "physical space" while ensuring that the perpetrator is exposed, he points out.

A plus for social web is that it gets other victims to speak up as well, gathering force and magnitude in the process. This happened in the instance of the legal interns. Another instance that surfaced just a month ago was of two American women science bloggers Danielle Lee and Monica Byrne. When Lee refused to write a piece for free for Biology Online, she was called "urban whore" by an enraged editor. She blogged about it and the ensuing storm over social media got her huge support. After Lee's expose, Byrne blogged about an acutely sexual conversation a powerful science writer inflicted on her. The outrage this provoked abated only after he made amends.

As an article in Gender and Culture blog project puts it: "( The digital world provided) a forum for these victims to document their abuse, and a courtroom where the abusers have been judged and found guilty by public opinion".

Of course there are problems with the internet's version of justice — it tends to play judge, jury and executioner with giddy recklessness. In the Tehelka case, the first questionable moment came when the survivor's email was tweeted and re-tweeted with no concern for her requests for anonymity. "The problem with Twitter and Facebook is the incredible and gross violations of privacy of the survivor. And otherwise responsible adults join lynch mobs calling either the survivor or the accused names, making ridiculous allegations, desperately looking for an easy narrative to hang everything on," says author Nisha Susan, who led the Pink Chaddi campaign.

Commentator Santosh Desai says that it is tough to choose between an unbridled but powerful social web and one that is cautious and governed by norms. "Earlier, there were receivers and broadcasters who were few and governed by licenses and a code of behaviour. Now everyone is a broadcaster, everyone is a circulator and everyone is an aggregator. Having no oversight here could be problematic," he says.

Susan says communities need to go beyond social media in such situations. "It should also be a time for us to reflect. On what we would do in such a situation, how we could perhaps prevent it, on the sense of entitlement powerful men have all over the world, on the awful pressures young women face. We should all be reflecting. Instead we are just re-tweeting."

For more details visit https://cis-india.org/news/the-times-of-india-malini-nair-november-24-2013-when-the-virtual-world-wakes-up-the-real-one

When the digital spills into the physical

praskrishna — 2011-12-22T05:42:39Z

Nishant Shah, Director-Research, Centre for Internet and Society, Bengaluru, tells us why flash mobs are an interesting sign of our times, and not just a passing fad.

What is a flash mob?
There are many different forms of flash mobs, if you look at their content. In terms of structure, it has to do with a bunch of people, who are connected to each other by common technologies but don't necessarily know each other, and yet, come together in a public space to perform a set of pre-decided actions. Congregate, Orchestrate and Disperse -- that is the anatomy of a flash-mob. Hence it is different from other kinds of mobilisations, because it is very rare for anybody to know who is the organiser of a flash mob.

There are no long speeches, political expositions or agendas used in order to bring people together for a flash mob. Once the brief performance has been done, people don't stay back to form communities and discuss. The word 'flash' draws its inspiration both from 'flash-floods' and 'flash-in-a-pan', both referring to the immanence and suddenness of a flashmob.

What is a smart mob?
Howard Rheingold coined the term smart mob in a book by the same name. Smart mobs are a more inclusive form of digital technology-based mobilisation. Rheingold uses the term to refer to a series of sharing, collaborative, performative engagements that have emerged around the world, especially with young people using the Internet. The people don't know each other, but through different Peer-to-Peer (p2p) protocols, are able to share their resources towards a particular purpose. So it might be a group of friends who want to dance at the train station, or geeks sharing their idle computing time to search for records of UFOs, or people using location based applications to meet each other in caf ©s and form friendships. Smart mobs are essentially different from flashmobs because they have a specific agenda and are geared towards a longer, sustained and enduring practice of community belonging and building.

What role does the Internet and digital technology play in organising flash mobs?
One of the fundamental tenets of flash mobs is the condition of anonymity. The web offers the necessary condition where the intended participant does not have to disclose any personal information. They are able to interact, communicate, receive and share information while giving out nothing more than their email addresses and cellphone numbers. It would have been impossible to think of a flash mob without the use of these technologies because while the postal service would also offer similar conditions (though the physical address is more of an identifier), the flash mob also requires a speed and scale which would otherwise have been impossible in an analogue world.

What is a flash mob best suited to achieve? Is it a form of celebration, a protest, campaign, a quick way to poke fun, or be ironic?
I would say the flash mob is a tool — a process that can be deployed for anything that you want. You can use it as a form of celebration or protest. You can also use it to bully somebody, to destroy public property or create conditions of danger. However, that is true of any tool that we use. A hammer, for example, can be used to hit a nail, or hit some one. The flash mob is a symptom of how our digital and physical realities are merging. It uses the aesthetics of p2p, interaction with strangers, gaming elements with more control over the spaces that we occupy, 'avatar'ification which allows for a pseudonymous existence, etc. to organise something in the physical world. And it is these spillages of the digital into the physical (and vice versa) that make flash mobs significantly more interesting than just a passing fad.

MidDay published this interview in their newspaper on 18 December 2011. The original can be read here

For more details visit https://cis-india.org/when-digital-spills-into-physical

When revolutions go viral

praskrishna — 2011-09-01T04:46:38Z

Thanks to Facebook and Twitter, the urban Indian youth, famously detached from the goings-on in the country, came out on the streets to support the anti-corruption movement - not only here but abroad as well. TOI-Crest looks at the anatomy of a modern protest movement.

I try to change my display picture, update my BBM status and send out a tweet as often as possible. I feel like I really need to do my bit for the country, " a college student was overheard saying outside Mumbai's Azad Maidan where protests against the anti-corruption movement are still under way. Once used to reconnect with long-lost school friends or to post vacation pictures, social networking sites have surfaced as the new forum for political activism. The world's attention is now on the potential of the digital sphere in historical revolutions as witnessed in Egypt and Tunisia. Though set in a vastly different political context, and used to different ends, the power of social media to drive citizen action in India has become apparent as Team Anna's call to action resonates through the Internet.

From earlier this year at Jantar Mantar to the culmination of the protests when Anna Hazare became a household name, the anti-corruption movement has harnessed technology and social media tools to engineer large-scale protests. Not only has the movement deviated from traditional methods of mass mobilisation, but it has also brought young urban India into the fold of political activism. Ritesh Singh, a third-year computer science student at IIT Khargapur, created the 'India Against Corruption' Facebook page in December last year. Since then, the page has gathered more than four lakh supporters. There are also several regional chapters and over 150 unofficial Facebook pages devoted to Anna Hazare and India Against Corruption.

The 'Students Against Corruption' group has been encouraging students to use social media for the cause by sending out messages such as "Students should share and promote this page for the goodness (sic) of the nation . . . This is the thing dat we can do for our nation. . . This is wat India needs. . . Promote it, share it, blog it, discuss it . . . then feel the change. " Petitions, calls to action and encouragement to join Hazare's fast also became commonplace in the last three months. The blog post '10 Ways to Support Anna Hazare on Social Media' by social media manager Sorav Jain has been shared 256 times on Facebook.

Relying on symbolism such as Gandhian photographs and references to the freedom struggle, Team Anna has created a media phenomenon. Text messages such as 'Behri sarkar ko janta ki aawaz sunai nahi de rahi hain! Lets show ppls anger!' and 'ANNA ki aag shuru ho gayi hai, Inquilab Zindabad' have helped in creating mass support. Meanwhile twitter has been abuzz with dialogue, support and reactions to the protests, as Anna Hazare's campaign became the top trending topic in India over the past few weeks. While the image of Hazare meditating at Raj Ghat became iconic on August 15, 2011, Team Anna's voice was heard on the TV, on mobile phones, YouTube and even on T-shirts. Developers are in the process of launching an India Against Corruption game, India Against Corruption mobile applications, India Against Corruption browser toolbars and more.

Though digital activism is often criticised as passive armchair activism or slacktivism, the use of technology in organising social protests has brought a different kind of activist on the street: young, urban India. "It's not as if what is happening is new, but it is happening on an unprecedented scale, " says Nishant Shah, research director for the Centre for Internet and Society, Bangalore. "Traditional media has also done this in different ways, but in the past the protesters have been the disenfranchised. The use of social media has mobilised a new constituency - it has brought the urban middle class to the street. However, the use of such tools is producing a different kind of exclusion. There is a noticeable lack of poor urban people in the protests. This is not the representation of 1. 2 billion Indians as it is being made out to be. "

The use of social media has garnered support for Team Anna from the unlikeliest parts, catapulting 'India Against Corruption' (IAC) into a global phenomenon. Young Indians living in places like New York, Singapore, London and Hong Kong are tweeting, facebooking, organising and gathering to talk about Hazare and his cause. Some young professionals have even taken time off from their careers to fly down to India and physically support the cause.

Sunil Khaitan, an investment banker working with Deutsche Bank in Hong Kong flew down last Friday to attend the protests at the Ramlila ground and address the crowd at Mumbai's Azad Maidan. Khaitan, 28, is originally from Kolkata and graduated from IIM Bangalore in 2006. "I was involved in the Right to Information movement in 2005, have been in touch with Professor Trilochan Sastry at IIM Bangalore, and have been tracking this movement from the days of Jantar Mantar, " he says.

Khaitan is also active in the Hong Kong chapter of IAC, which organised a meeting on August 21, 2011, attended by over 300 people. "There is a clearly outlined process on the IAC website which tells you how to conduct a meeting, " says Khaitan. "As the news channels are not available in HK, so many people are not aware of the real cause. So we talked about the points of contention and showed videos with Arvind Kejriwal, Kiran Bedi and Hazare addressing the crowd. " He argues that harnessing social media has helped get people from different walks of life involved with the Hazare movement.

Social networking sites have also helped create a close-knit Indian community in Hong Kong. "Anna has also made a big point about the youth being present in the protests, and it is easier to connect with the youth through social media, " says Khaitan.

"Peer pressure also comes into the picture in that age group - people want to get involved to appear impressive to their friends. " But though technology has brought a new demographic of Indians into the realm of protest, it manifests its power through the oldest form of networking - word of mouth.

This article was published in the Times of India (Crescent Edition) on 27 August 2011, read the original story here

For more details visit https://cis-india.org/news/revolutions-viral