We are anonymous, we are legion

Is free speech an Indian value?

praskrishna — 2013-04-30T07:18:10Z

Is freedom of speech and expression deeply accepted in Indian society? Or is it merely a European cultural import that made its way along with the English language and appeared in the Constitution because of the founding fathers' genius? Satarupa Sen Bhattacharya reviews Freedom Song, a film and connects the dots.

Satarupa Sen Bhattacharya's blog post was published in India Together on April 27, 2013. Snehashish Ghosh is quoted.

Debates on freedom of speech can be traced back to the earliest evolutions of human society, but if there is a time which could be considered most apposite for this debate to come to the fore and dominate public thought and discourse, this surely would be it for Indian society.

From the banishment of literary icons such as Salman Rushdie to repeated assaults on artists and cartoonists seeking to express their viewpoints through their art, and even the gag on the common man’s voice in traditional and new media, freedom of speech and expression has found itself under fire increasingly and in the most alarming of ways.

Is India as a nation becoming more intolerant of contrarian perspectives, or is it merely that voices seeking to stifle dissent are now amplified, thanks to a greater number, as well as newer forms, of media covering this debate?

Can India really achieve free speech in the way that its founding fathers conceived of and constitutionalized it?

These are the questions probed in Freedom Song – a 52-minute documentary from the Public Services Broadcasting Trust, co-directed by veteran journalist, author and academic Paranjoy Guha Thakurta and Professor Subi Chaturvedi.

Freedom Song, the film

Interestingly, since the time Freedom Song was conceived of and filmed, the clamp-down or attacks on free speech in India have only become more frequent and flagrant. This was made much before the time that Salman Rushdie, in almost a repeat of the 2010 Jaipur Lit-fest incident, was stopped by the state from attending the screening of Midnight’s Children in Kolkata; or when two young girls from Palghar in Maharashtra were arrested by the police merely because one of them had questioned on Facebook the derailment of normal life in Mumbai following Balasaheb Thackeray’s death and the other had ‘liked’ it; or even before the long-awaited Kamal Hassan film Vishwaroopam was banned for purportedly offending the sensibilities of a religious community in a few scenes, which the director eventually had to agree to censor in order to ensure that his creation could reach the audience.

Freedom Song, the documentary, chronologically precedes all of these as well as the debate and outrage over sociologist Ashish Nandy’s remarks on corruption and backward castes; yet, when one sees it now, recalls the numerous incidents highlighted in the film, and hears the debates that rage on, the larger context and culture that has facilitated the perpetuation of suppression become clearer. It also drives home, disturbingly, the alarming regularity with which speech and expression have been muffled. It can thus be seen as a commentary on the gradual but consistent build-up to the current climate where there is an almost systematic and continuous crackdown on free speech whenever it inconveniences the powers-that-be.

Gags on expression - recent incidents

In July 2010, when T.J. Joseph, a professor of Malayalam at the Newman College in Thodupuzha (Ernakulam district) in Kerala was arrested by police following a controversial examination question set by him, allegedly containing disparaging remarks about the Prophet Mohammad. He was released on bail but suspended from his post following protests by Islamic organizations. But suspension wasn’t the last of Joseph’s tribulations: he was brutally attacked by a gang of men who chopped off his hand at the wrist with an axe. He was also stabbed in the arms and legs. While Joseph’s hand was stitched back in a 16-hour-long operation, even as he was recuperating, his college terminated his services on grounds that he had offended the religious sentiments of students. He was also stripped of all benefits and pension.

Curiously, Joseph himself distances the entire incident from the issue of freedom of expression. In his conversation with the film-makers he says that whatever happened could be interpreted as attempts to meddle with and dilute academic independence in the state. “The incident is not related to the issue of freedom of expression...external attempts to break down communication between students and their teacher was at the core of the entire episode,” says Joseph. Even Union Minister for Human Resource Development Shashi Tharoor, who hails from the state himself, attributes this incident to the act of some anti-social fringe elements who masquerade as representatives of a particular community. But these arguments from the victim himself, and an eminent authority, cannot resolve the question of his expulsion from service. Nor can they address the fact that the atmosphere of tolerance in the country is such that anti-socials can hijack as simple an academic exercise as question-setting to their advantage and perpetrate such atrocities.

A more recent incident highlighted in the documentary is the arrest and detention of Ambikesh Mahapatra, a professor of Chemistry in Jadavpur University of West Bengal for forwarding a set of cartoons that allegedly defamed Chief Minister Mamata Banerjee. Shortly after the dismissal of Union Railway Minister, Trinamool’s Dinesh Trivedi, and his replacement by Mukul Roy, the widely-circulated cartoon showed Roy and the CM having a conversation along the lines of one in a very popular Satyajit-Ray film, conspiring to get rid of Trivedi.

Ambikesh was not the creator of this cartoon – as he himself says, he received it on a forwarded email. Amused by it, he wanted to share it with his friends. Thus he forwarded it again to over 60 members of his housing co-operative society, some of whom happened to have affiliations to the party in power. This action led to the professor being arrested and charged under IPC Sections 509 (insulting the modesty of a woman), Section 500 (defamation) and Section 66 A of the IT Act (causing offence using a computer). He had to spend a night in jail before he was released on bail the following afternoon.

However, charges against the professor have since been dropped and the West Bengal Human Rights Commission (WBHRC) ruled that the state police were indeed guilty of harassing the professor (and one of his colleagues, who had also been arrested).

Paranjoy Guha Thakurta, co-director of Freedom Song

Muffling creativity

One thing that stands out pretty sharply in Freedom Song is the deep angst shared by the creative fraternity in the country over the assault on free speech. Perhaps, by dint of being that section of society which is most inclined to spontaneous and non-conformist expression, they also constitute one of the most vulnerable groups when it comes to being restrained or gagged.

One of the darkest chapters of suppression of artistic expression in India relates to the forced exile of iconic painter M F Hussain during the last days of his life, after being targeted for his nudist depictions of Hindu Gods and Goddesses. Sadly, as artist Arpana Caur points out, such waves of intolerance or fanaticism fail to factor in either subjective value judgments (how deeply Hussain must have loved Hindu culture and mythology to actually apply his creative instincts to bring it alive) or objective facts (that the nudist paintings were actually done in the ancient Khajuraho tradition of figurative depiction, it was not something Hussain had developed).

Often, the gag on works by artists and writers has transcended to direct discrimination against the person himself. The state of West Bengal banned exiled Bangladeshi author Taslima Nasreen’s book “Dwikhandito” in 2003 on fears that it would stoke communal disharmony. When human rights activists challenged the decision in Court and managed to win rulings on her behalf, the writer herself was banished from public life in the state. She was unceremoniously asked to leave the state in 2007, after violent protests against her by fundamentalists. Much later in 2012, even after the political reins in the state had changed hands, the launch of her book at the Kolkata Book Fair was cancelled upon threats of protest.

One of the most heart-rending is the story of Pakistani singer Ali Haidar, who confesses to being almost brainwashed, in one of his weakest moments, by radical elements into believing that the loss of his child was in fact a retribution for him having taken up music as a profession.

The feeling of anger, frustration and even a sense of bewilderment among the artists, writers and performers interviewed in the documentary is almost palpable. As Rajiv Lochan, Director of the National Gallery of Modern Art, says, “Freedom of expression, creative freedom…in simple words, that is the only freedom you are born with...” The unuttered question of how anyone can take that away from you hangs heavy in the silence.

If artists are the most vulnerable, they are also perhaps the most resilient. In the context of the various cartoon controversies that this nation has seen and the proscriptions of cartoonists from Shankar to Aseem Trivedi, eminent political cartoonist Sudhir Tailang says, “We cartoonists know only one way of protest, which is the most peaceful, Gandhian way…you do what you want, we’ll draw a cartoon…and more cartoons… we’ll flood you with cartoons.”

The defiance and rejection of censorship is also strongly voiced by noted danseuse Mallika Sarabhai, who talks of the various forms of attack and insult that she has been subjected to for her unconventional presentations and activism, but asserts that despite all of it, she feels it is her “dharma to go on.”

The language barrier

Perhaps unwittingly, Freedom Song tends to favour the premise that freedom of speech as a principle in India is largely a preoccupation among the English-educated, intellectual and creative segments of the populace. Even the musical score that has played such a dominant part in invoking the spirit of freedom throughout the film seems to underline that - from the refrains of Bob Marley’s ‘Won't you help to sing these songs of freedom,’ to the remixed pop version of ‘Raghupati Raghav Raja Ram’ that one hears in parties and joints in India’s westernized urban landscape.

How attuned to the issue of free speech is the wide majority of India, the section that still follows vernacular media and are relatively distanced from the constructs of Anglo-Saxon influence? The verdict on the linguistic divide does not emerge with clear certainty when we talk to intellectuals or thought leaders from various parts of the country.

In the words of academic Subhoranjan Dasgupta, a professor at the Kolkata-based Institute of Development Studies, mainstream Bengali media has played a big role in highlighting transgressions of freedom of speech and expression every time it has occurred, irrespective of the political regime in power at the time.

"Whether in the case of the ban on Taslima Nasreen or the arrest of Professor Mahapatra, local media - and especially two widely-followed dailies, the Anandabazar Patrika and Ei Shomoy - have been audibly vocal and consistent in their coverage of these incidents," says Dasgupta. "Irrespective of political ideologies, the common man in Bengal knows that Taslima Nasreen got a raw deal or that what happened to the professor was not acceptable," he adds. Ostensibly, the role of local media in such public consciousness cannot be written off. In a way, it might not be an exaggeration to say that the voices of these publications have been instrumental, to a large extent, in ensuring that these issues grab the eyeballs of the largest number possible, and hence gain traction.

And yet, a completely different picture emerges as one reaches out to another part of the country. Badri Seshadri, Publisher, New Horizon Media - a Chennai-based company that publishes books in Tamil, and an active blogger, feels that notions of freedom, or free speech, are essentially offshoots of the modern era which have found a voice in our country primarily through English media.

Seshadri goes back to the freedom struggle in India when many among the noted thought leaders and freedom exponents wrote both in English and the local language. In those days, the discourse on freedom of thought and expression were perhaps more at par across spheres. But with the dying trend of bilingual writing, intellectual writing increasingly gravitated towards English. Today, the gulf between English writers and regional writers has become so huge in his state that even the most fundamental of issues are discussed in vocabularies that cannot bridge the schism. Issues pertaining to secularism and democracy are viewed with a completely different lens in vernacular media, and those pertaining to liberalism, not at all.

"Take the case of the most recent ban on Kamal Hassan's Vishwaroopam," points out Seshadri; "this was not a film made in Hindi or English that you could assume to be emotively disconnected from the Tamil mindspace. It was a film that had been made by one of the cult film personalities of the region, and yet even as the national English media followed this issue and consistently questioned the violation of an individual's right to creative freedom, deliberations in local channels and publications were strangely muted and focused only on whether or not the disputed scenes in the film could be considered to be offensive to the Islamic community. The larger debate on whether one has the right to offend, in an impersonal way, was completely missing." Those who want to toe the line of liberalism either through their writing or new media are dismissed as harbouring "fancy" ideals or pandering to Western sensibilities.

Guhathakurta, himself, disagrees with the claim that free expression is essentially a Western construct or that debates around it are restricted to the chattering classes in plush drawing rooms. “It is something that concerns every common man,” he says, referring to the case of Laxmi Oraon, the teenaged tribal girl who was stripped, beaten and molested in the streets of Guwahati, where she had been part of a peaceful protest rally, seeking the inclusion of 80 lakh Adivasis living in Assam in the ST category. Traumatised and deeply angered by the brutal injustice meted out to her and the lack of legal redress, Laxmi eventually even contested the Lok Sabha elections, points out the director in order to elucidate the struggle that even the most marginalized take part in to press for their fundamental rights.


A still from the documentary Freedom Song. Pic: PSBT India via Youtube

"Reasonable” restrictions

Despite the continuous infringements on artistic and even individual expression, what emerges from the film is not a blanket wave of intolerance that is engulfing society but rather certain powerful groups with vested interests who are driven either by fanaticism for their ideologies or by the lure of political mileage to raise voices against freedom. In the age of 24x7 channels, their voices gain in both volume and pitch and new media enables greater visibility and debate around it.

As Tharoor says, “The government has the lowest level of tolerance possible because it cannot be seen as offending anybody who is held precious by any segments of Indian society.”

Veteran journalist Saeed Naqvi points out, “You have a whole link between the politician, the vote bank and the proprietor. Therefore, the freedom of the press, while this trio exists, is under threat.”

But having said all of the above, it is also clear that defining freedom, especially in an absolute sense, is in itself a huge challenge that most of society acknowledges. More so, in the context of Article 19 (2) of the Constitution which itself allows the state to impose “reasonable restrictions on the exercise of the right...in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.”

Senior journalists such as Rajdeep Sardesai are quoted in the documentary, expressing their support for such ‘reasonable restrictions’ to combat the spread of expression or opinion that fuels divisiveness or hatred in society. But the fact remains that such restrictions not only add a qualifier to freedom as enshrined in the founding principles, but also create the larger question of ‘who decides?’

Young India however would prefer to see Article 19 (2) as an enabler rather than as a veto. As Apar Gupta, an advocate of the Supreme Court says in the film, he would like to believe that the incorporation of “reasonable restrictions” was done with a view to ensuring that the Constitution does not remain a static document and does not apply only to fixed definitions of facts and circumstances. Certainly not with the objective of curbing any form of dissent or deviation from convention.

Fali S. Nariman, senior advocate to the Supreme Court and a constitutional jurist, also points out very pertinently that the range of restrictions in 19(2) does not include public interest.

Reality does not bear that out though; especially when one looks at the many recent instances of arbitrary impositions of Sec 66A of the IT Act in booking individuals for expression of their opinion and stances through channels offered by new media and Internet. The documentary in itself does not delve deep into the challenges and threats to freedom of expression that have emerged in the FB/Twitter era, perhaps because many of the most volatile and controversial cases surrounding freedom of speech on the Internet occurred after the film was made. But a new debate is brewing in India, especially after the Palghar incident or the arrest of a Puducherry businessman for allegedly posting 'offensive' text on the micro-blogging site Twitter about the son of an Union Minister.

Snehashish Ghosh, a lawyer and Policy Associate at the Centre for Internet and Society, Bangalore, says, “Essentially, there are eight restrictions on freedom of speech and expression as enumerated in Article 19(2) of the Constitution. The Supreme Court in many cases has held that these reasonable restrictions should be construed narrowly and with due regards to the value of freedom of speech in a democratic society. Section 66A in its current form goes well beyond the restrictions laid down under Article 19(2). Therefore, it is liable to be struck down for being in violation of Article 19(1)(a) of the Constitution.”

Snehashish also feels that technologically, in the present time, it would be near-impossible to 'monitor' the Internet. As far as regulations are concerned, there are laws already in place which ensure the implementation of reasonable restrictions. For example, the Indian Penal Code, 1860 already covers offenses such as incitement of violence, obscenity, criminal intimidation and outraging religious sentiments. The laws which are being applied offline are well equipped to deal with offenses committed online. There is no need to have extraordinary laws where ordinary laws suffice.

But in a country that appears to grow increasingly thin-skinned with time, the import of such logic could well be lost.

Access and freedom

Interestingly, Freedom Song begins with a series of frames capturing the widely different and divergent faces of Indian society, fast moving scenes juxtaposing the educated, affluent sections of urban India against the child who performs on sidewalks to earn his bread or the old emaciated man getting his night’s sleep on the pavement. The clear correlation between access – to basic needs, education and media – and the very consciousness of freedom is hard to ignore.

“Freedom to me is the ability to do what I want, where no one tells me to do anything” says one child on screen, evidently from an English-speaking, relatively privileged background; but one cannot help feeling that his coherence and articulation on freedom would be hard to come across in the children on the streets who are filmed in some of the previous shots.

The point that access to the very basic necessities of life is a necessary condition for freedom of expression is driven home by social activist Ram Bhat in the documentary, who says that despite the technologies aiding free expression, and the profusion of players in this debate, talk of freedom of speech will be pointless unless the problem of access is solved. In its absence, such freedom will remain the privilege of a few.

On balance, in all the voices that emerge from our conversations, and the many more episodes that Freedom Song, the documentary narrates, the only thing that can be concluded without doubt is the challenge of establishing freedom as a perennial or permanent concept in a country as complex and diverse as India. A truly effective and desirable state of free speech and expression can only evolve out of a continuous, fearless, rational dialogue between society and its stakeholders, in which all voices are expressed and heard.

Whether India, as a whole, can facilitate such a dialogue is going to be the moot question in the times to come.

For more details visit https://cis-india.org/news/india-together-april-27-2013-satarupa-sen-bhattacharya-is-free-speech-an-indian-value

Is Facebook tracking your virtual footprints?

praskrishna — 2011-11-24T03:02:00Z

Social media experts claim number of cases of privacy violations against the site has increased in past few months; Facebook rubbishes the allegations. This article by Sheetal Sukhija was published in MidDay on 22 November 2011.

If you thought your online footprints would be erased by merely clicking on the 'delete web history' option and no one would ever know about your virtual movements, think again.

For, some popular social networking sites have been accused of tracking their users' movements on the Internet even when they log out from the sites.

According to reports in the international media, Facebook, the virtual face of around 80 crore people across the globe, is battling a series of legal cases for alleged violating users' privacy worldwide.

While the social media giant has categorically said that they have not misused any user data, internet experts have dubbed the website 'the big brother of new media'.

"Many users claim that when they log onto their accounts, Facebook automatically installs a cookie onto a user's browser, which keeps tracking their movement on the internet.

We believe that Facebook might be using this just to boost their marketing and not to sell this data to any third party," said Sunil Abraham, Executive Director, Centre For Internet and Society.

Experts also believe that using such strategies have now made Facebook the world leader when it comes to credible demographic information.

"Facebook has achieved the status of possessing the most accurate demographic information. It is a credible source to understand consumer habits of a single unique user and even user groups. However, using such information is surely a violation of privacy," he added.

Former member of NASSCOM, Pratap Reddy, believes that often people ignore the 'fine print' or the agreement page while creating an account on a social networking site or elsewhere on the net. "When users sign up on these social networking websites, they often ignore the fine print.

When legal cases come up, companies often defend their stance by saying that their agreement page (or privacy policy page) mentioned all such things and make up a leeway for themselves," argued Reddy.

He added, "This is surely a violation, but there is also a positive side to this. Such websites are only trying to facilitate users better, based on their past web history. This helps them put you onto people/issues/topics that you have previously searched - like a mediator," added Reddy.

All about marketing?
Experts argued that this is not for the first time a website is being sued for such an act. In the past, Google, Adobe, Microsoft, Yahoo and other online advertising agencies too have been criticised for using such controversial tracking cookie technology.

According to reports, users from across the world have been taking legal recourse after pointing out that Facebook used cookie technology to track their virtual movements even after they have logged out of the social networking site.

Australian blogger Nik Cubrilovic is the latest user to join the growing list of people suing the website for violating federal wiretap laws, reported a UK-based tabloid.

The other side
Defending their stance, Facebook argued in its official statement that they are not tracking users across the web.

Facebook's official stance: Facebook does not track users across the web. Instead, we use cookies on social plugins to personalise content, to help maintain and improve what we do, or for safety and security.

No information we receive when you see a social plugins is used to target ads, we delete or anonymise this information within 90 days, and we never sell your information.

Specific to logged out cookies, they are used for safety and protection. They are used for identifying spammers and phishers, detecting when somebody unauthorised is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birth date, powering account security features such as 2nd factor login approvals and notification and identifying shared computers to discourage the use of 'keep me logged in'.

Security tips
Internet security software experts suggest that installing strong anti-virus software would be the first step towards protecting your privacy.

Installing an anti-virus software
Every such software has a social network control option that prompts users when any unsolicited cookie is installed. By using this option, a user holds the right to refuse such installations.

Read the original article published in MidDay here

For more details visit https://cis-india.org/news/facebook-tracking-footprints

Is Facebook too powerful without legal safeguards?

Admin — 2018-03-25T01:38:57Z

The absence of a data protection law and a competition watchdog to oversee Internet companies are key shortcomings, according to some experts.

The article by Vidhi Choudhary was published in Hindustan Times on March 24, 2018

It’s time India moves to put in place legal safeguards to contain the potential harm that Internet giants like Facebook Inc. can cause, experts say, amid a raging scandal over access gained by political marketing firm Cambridge Analytica to user data on the social media network. India is a key market for Facebook with 217 million people using the platform every month.

Concerns centre around protection of user privacy and freedom of speech, harassment by Internet trolls, spread of misinformation and fake news, said Apar Gupta, a Delhi-based lawyer who is part of Save The Internet , a group of individuals and non-government organisations fighting to preserve net neutrality. It’s time to take stock of the concerns and the sufficiency of India’s legal framework to address them, Gupta said.

“Companies like Facebook have grown too big and too powerful without adequate legal safeguards,” he said.

On Thursday, Facebook founder and CEO Mark Zuckerberg pledged to stop the misuse of user data on its site to manipulate voters in India,Brazil and the US. The social media network is under scrutiny after a whistleblower alleged that London-based Cambridge Analytica accessed user data to prepare voter profiles that helped Donald Trump win the US presidential election in 2016.

Information technology and law minister Ravi Shankar Prasad on Wednesday warned social media platforms such as Facebook of “stringent action” in case of any attempt to sway the country’s electoral process. The government is considering a new regulatory framework for online content, including on social media and websites, Union minister for information and broadcasting Smriti Irani said on 17 March at the News18 Rising India Summit , conceding that the law is not clear about online news and broadcast content.

“We remain strongly committed to protecting people’s information. We have announced that we are planning to introduce improvements to our settings and give people more prominent controls ,” an India-based Facebook spokesperson said in response to an emailed query from Hindustan Times .” We have a lot of work to do to regain people’s trust and are working hard to tackle past abuse, prevent future abuse and will continue to engage with the Election Commission of India and relevant stakeholders to answer any questions they may have.”

The absence of a data protection law and a competition watchdog to oversee Internet companies are key shortcomings, said Sunil Abraham, founder of the think tank Centre for Internet and Society.

“Evil is a function of power. As internet giants get bigger and bigger, they’ll become more and more evil. In fact, in jurisdictions like India, where we don’t have a data protection law and a sufficiently agile competition commission to take on these Internet giants, they can do whatever they want to..,” said Abraham.

Internet networks have helped undermine the business model for real news and replace it with a vibrant fake news model, in the process cornering the lion’s share of the digital advertising revenue, said Abraham . Facebook and Google dominate the Rs 9,490 crore digital advertising market in India.

“Since they don’t see themselves as a media company, their primary objective is to maximize the amount of time their users spend on the platform,” he said, adding that social media networks aren’t concerned whether the content they present is the truth or lies

“It would be laziness on our part to just blame Facebook and then feel morally superior. We have to regulate them using competition law and a data protection law so that they behave themselves on our jurisdiction,” Abraham said.

The legal framework for Indian social media users is limited. Section 43 (A) of the IT Act operates merely as a data security law applicable only to someone whose privacy has been infringed and can demonstrate that he/she has suffered a financial loss in the process.

“Whatever is known from the Cambridge Analytica episode is that none of the users have lost money or property but democracy has been undermined. So we cannot use the IT Act in India to save our democracy,” he said.

Facebook operates in an opaque manner in the manner in which it regulates content, said Geeta Seshu, consulting editor for media website The Hoot.

“When complaints are launched, they are upheld if they meet Facebook’s so-called community standards. Often users who are dissenting voices against hate or discrimination or misogyny have found themselves blocked. The process to appeal back to Facebook is very arbitrary. Users spend months and years being blocked on the platform. Facebook manipulates user data, when it decides to use algorithms to push content or boost certain articles for a certain sum of money,” she added.

In December, Alex Hardiman, head of news products at Facebook, said restoring trust and credibility to news on Facebook is one of the biggest priorities for the company.

“There is a lot that we are doing to make sure that we eradicate any false news or misinformation on Facebook. We’ve found that false news is actually a very small percentage of content. But there were a lot of financial motivations for posting false news,” she said in an interview to Mint when he was in Delhi to attend the Hindustan Times Leadership Summit. “So, one of the first things we have done is remove any financial incentives. We have also done a lot to make sure we can quickly identify and remove fake accounts. Also, we have been doing a lot to better understand clickbait content and train classifiers to identify and downlink it.We have also started third-party fact-checking. We have partnered with third-party organizations in the US, France, Germany and a few other countries,” said Hardiman.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-march-24-2018-vidhi-choudhary-is-facebook-too-powerful-without-legal-safeguards

Is Data Protection Enough?

elonnai — 2012-03-22T05:28:51Z

The following note looks briefly at different sides of the privacy debate, and asks the question whether a Data Protection law is enough privacy protection for India.

In a recent article, Rahul Matthan explained how many threats to personal privacy come from a lack of data protection laws – particularly in the context of the UID – and he thus urges India to pass a law that is focused on data protection. He said, “We don’t question this lack of personal space. It is part of the compromise we make when we choose to live in India.” Though his argument has a surface appeal, there are also many cases emerging in the news today that suggest that India is concerned with a much broader scope of privacy than just data protection. In the DNA, a news article covered a recent court decision that concluded that watching pornography at home is not an obscenity and does not qualify as a public exhibition, even when there are visitors to the home. In that case, police arrested persons who hosted a party under section 292 (obscenity) of the Indian Penal Code for watching pornography and housing strippers. The judge ruled that the activities that were taking place were done in private and thus did not amount to an offense under section 292. This is an important decision about the protections of spatial privacy being afforded to individuals. The bungalow was considered a private space, and the computer a private possession. In other words, India does have a greater understanding of privacy and the need for its protection, and it extends beyond data protection. In another news item, the Hindu reported that 5,000 to 6,000 phones are tapped on average daily. The article speculated that this number could increase in response to the 2G scam and other scams that are coming out. The type of privacy violation that wiretapping poses is likewise not a question of data protection, but of how a nation guards against an unwanted invasion of personal space and when security takes precedence over privacy. Are Indian citizens willing to subject themselves to phone taps to try to eliminate – or at least minimize – the number of scams that are occurring? In yet another news item, it was reported that in the North, councils are attempting to ban the sale of cell phones to unmarried women to help prevent unsolicited affairs with members from different castes. This again raises questions not of data protection or informational privacy, but of personal privacy. How will phone companies know that a woman is married? Will parents suddenly begin regulating their daughters’ phones? Does an existing legislation afford protection to women in this situation? Though data protection is a component of privacy, it is only one component. There are many definitions of privacy, and privacy in itself is somewhat of a difficult word to define, but India should recognize that there are privacy protections and privacy debates that extend beyond data protection. It is too easy to characterize India as large and communal and overlook these important questions.

Returning to Rahul Matthan’s article, Matthan says, “The vast majority of our country that remains under-served by the government will gladly exchange personal privacy for better public service.” I was particularly intrigued by this statement, because it suggests that privacy is an expendable right, and that government service cannot improve without privacy compromises. The logical extension of this concept is that privacy is not a fundamental right but only a consumer issue, and that policymakers can always trade off privacy in exchange for better public benefits, for better security, and for cheaper products. A legal system needs to address the case at hand, but it needs to be mindful of the larger consequences as well. There is no doubt that the UID project demands a data protection law, but India is facing questions of privacy that extend beyond data protection, and the steps that are being taken to answer those questions need to be applauded and brought into the current debate. If we legislate away rights, we must do so by weighing the cost and finding it acceptable.

Sources

http://www.thehindu.com/news/national/article905944.ece

http://is.gd/hJWD8 http://is.gd/hJWSX

http://news.yahoo.com/s/afp//lifestyleindiatelecommarriage

Matthan, Rahul. The Mint:Technology. Nov. 24 2010

For more details visit https://cis-india.org/internet-governance/blog/privacy/is-data-protection-enough

Is CMS a Compromise of Your Security?

praskrishna — 2013-07-15T06:27:05Z

By secretly monitoring and recording all Indians through a Central Monitoring System, our government will end up making citizens and businesses less safe.

This article appeared in the Forbes India magazine of 12 July, 2013. Sunil Abraham is quoted.

Are you reading this article on your PC or smartphone? No? Do you own a smartphone? Surely a phone then?

If you also happen to live in Delhi, Haryana or Karnataka, then from April this year nearly all your electronic communication—telephony, emails, VOIP, social networking—has been sucked up under an innocuous sounding programme called the Central Monitoring System, or CMS.

There’s no way to tell if you are being watched really, because telecom service providers aren’t part of the set-up. In most cases, they may not even be aware which of their users is being monitored. Neither can you approach a government agency or court to find out more, because there’s practically very little oversight or disclosure. What the government does with the data—how it is stored, secured, accessed or deleted—we don’t know.

Unlike the US and other Western democracies where even for a large scale programme like Prism (leaked recently by 29-year-old whistleblower and now fugitive Edward Snowden), surveillance orders need to be signed by a judge. But in India most orders are signed by either the Central or state home secretary, says Sunil Abraham, executive director for Centre for Internet and Society, Bangalore. This leads to a conflict of interest as the executive branch is both undertaking law enforcement and providing oversight on its own work.

In most cases, the officials are overwhelmed with other work, and don’t have the time to apply their minds to each request. “There is supposed to be an oversight committee that reviews the decisions of home secretaries, but we don’t have any idea about that committee either,” says Abraham.

Meanwhile, government bodies like the R&AW, Central Bureau of Investigation, National Investigation Agency, Central Board of Direct Taxes, Narcotics Control Bureau and the Enforcement Directorate will have the right to look up your data. Starting next year, all mobile telephony operators will also need to track and store the geographical location from which subscribers make or receive calls.

“I see it as the rise of techno-determinism in our security apparatus. Previously, our philosophy was to avoid infringing on individual privacy, and monitor a small set of individuals directly suspected of engaging in illegal activities. Now, thanks to the Utopianism being offered up by ‘Big Data’ infrastructure, putting everybody under blanket surveillance seems like a better way to serve our security and law enforcement agendas more effectively,” says Abraham.

There is a real risk that CMS and the numerous other monitoring programmes that will subsequently connect to it will end up harming more Indians than protecting them.

The biggest risk is that these programmes will turn into lucrative ‘honey pots’ for hackers, criminals and rival countries. Why bother hacking individuals and companies if you can attack the CMS? We’ve seen private corporations and government agencies in the US, Israel and the UK getting hacked. So let’s not have any illusions that India is going to fare much better.

Another consequence is that sooner or later innocent citizens will be wrongly accused of being criminals based on mistaken data patterns. While searching for matches in any database with hundreds of millions of records, the risk of a ‘false positive’ increases disproportionately because there are exponentially more innocents than there are guilty. And in the near-Dystopian construct of the CMS, it will take months or years for such errors to be rectified.

As more Indians become aware of these programmes, they will adopt encryption and masking tools to hide their digital selves. In the process, numerous ‘unintended consequences’ of failing to differentiate law-abiding citizens from criminals will be created. What answer will a normal citizen offer to a law enforcement official who wants to know why he or she has encrypted all communications and hosted a personal server in, say, Sweden?

But arguably the biggest threat of 24x7 surveillance is to businesses. Security and trust are the foundations atop which most modern businesses are built. From your purchase of a gadget on an ecommerce site to a large conglomerate’s secret bid in a government auction to discussions within a company on future business strategies to patent applications—everything requires secrecy and security. All an unscrupulous competitor, whether it be a company or a country, has to do to go one-up on you is to attack the CMS and other central databases.

“The reason why the USA historically decided not to impose blanket surveillance wasn’t because of human rights, but to protect its businesses and intellectual property. Because while we may be able to live in a society without human rights, we cannot be in one without functional markets,” says Abraham.

He goes on to say that the recent disclosures around the various spying programmes run by the US have made the private surveillance and security industry very happy. “Each incident becomes a case-study to pit one country against another, forcing each one to cherry-pick the worst global practices in a dangerous race to the bottom. Civil society and privacy activists don’t have the resources to fight large vendors and so the only thing that will stop this is the leak of large databases, like that of 9 million Israeli biometric records a few years back.”

Recollecting the news about a family-business break-up some years ago, where two brothers agreed to split their businesses, the net result was one brother opted out of telephony services offered by the other. All of that is now moot. “There are no more shadows now. Nobody will have refuge and everybody will be exposed,” says Abraham.

For more details visit https://cis-india.org/news/forbesindia-article-real-issue-july9-2013-rohin-dharmakumar-is-cms-a-compromise-of-your-security

Is Bhutan selling its soul to Google?

praskrishna — 2014-01-30T12:27:33Z

Migrating Bhutan government’s communications to Google servers, allowing the United States access to confidential data, raises questions

"Bhutan’s adoption of Google Apps is a disastrous decision, and I wouldn’t advocate for it even if it were free," Pranesh Prakash, Policy Director of the Bangalore-based Centre for Internet and Society said.

He added that the project would end up tying Bhutan to a single vendor, Google, since there is no easy way to migrate from Google Apps to another system. "That means that even if in the future some other system is found to be far better than Google, the migration costs would deter the adoption of that system," said Pranesh Prakash, who is also a fellow with the Information Society Project, Yale Law School.

The article by Lucky Wangmo from Thimphu and Pema Seldon form Bangalore was published in Business Bhutan on January 25, 2014. Download Volume 5, Issue 4, NU 15 published by Business Bhutan here.

For more details visit https://cis-india.org/news/business-bhutan-vol-5-issue-4-lucky-wangmo-pema-seldon-is-bhutan-selling-its-soul-to-google

Is Aadhaar Essential To Achieve Error-Free Electoral Rolls?

praskrishna — 2018-12-25T01:21:45Z

The Election Commission’s plans to link Aadhaar with electoral rolls may have stirred a hornet’s nest.

The article was published in Bloomberg's Quint on December 16, 2018. Pranesh Prakash was quoted.

The commission plans to undertake the exercise to clean up electoral rolls—which need to be updated frequently to avoid duplication and errors, The Economic Times newspaper reported citing people aware of the matter. But with privacy concerns raised against the Aadhaar, is this the best way to achieve error-free voter data?

Pranesh Prakash, policy director at the Centre for Internet and Society, doesn’t think so. Using Aadhaar data without the consent of the user poses legal problems, he told BloombergQuint in a conversation. “For the Election Commission to link Aadhaar with citizens’ voter ID would require amending the law.”

It is questionable whether this will fall within the bounds that the SC has set for usage of Aadhaar.

Pranesh Prakash, Policy Director, Centre for Internet and Society

The former legal advisor of the Election Commission SK Mendiratta, however, brushed aside privacy concerns relating to the process. The Election Commission, according to him, is a constitutional body and can use information with the government to ensure purity of the electoral roll.

Reetika Khera, associate professor at Indian Institute of Management-Ahmedabad, said this could be bad for voters. She cited the mass deletion of voters from electoral rolls in Telangana ahead of the recent elections, and urged that due process must be followed.

There are serious problems with the use of algorithmic approaches in various spheres. Aadhaar as a tool to clean up the electoral rolls is the problem.

Reetika Khera, Associate Professor, IIM Ahmedabad

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-december-16-2018-is-aadhaar-essential-to-achieve-error-free-electoral-rolls

Iron out contradictions in the Digital India programme

sumandro — 2015-07-28T01:04:28Z

The Digital India initiative takes an ambitious 'Phir Bhi Dil Hai Hindustani' approach to develop communication infrastructure, government information systems, and general capacity to digitise public life in India. I of course use 'public life' in the sense of the wide sphere of interactions between people and public institutions.

The article was published in the Hindustan Times on July 15, 2015.

The 'Phir Bhi Dil Hai Hindustani' approach involves putting together Japanese shoes, British trousers, and a Russian cap to make an entertainer with a pure Indian heart. In this case, the analogy must not be understood as different components of the initiative coming from different countries, but as coming from different efforts to use digital technologies for governance in India.

It is deploying the Public Information Infrastructure vision, inclusive of the National Optical Fibre Network (now renamed as BharatNet) and the national cloud computing platform titled Meghraj, so passionately conceptualised and pursued by Sam Pitroda. It has chosen the Aadhaar ID and the authentication-as-a-service infrastructure built by Nandan Nilekani, Ram Sewak Sharma, and the team, as the identity platform for all governmental processes across Digital India projects. It has closely embraced the mandate proposed by Jaswant Singh led National Task Force on Information Technology and Software Development for completely electronic interface for paper-free citizen-government interactions.

The digital literacy and online education aspects of the initiative build upon the National Mission on Education through ICT driven by Kapil Sibal. Two of the three vision areas of the Digital India initiative, namely 'Digital infrastructure as a utility to every citizen' and 'governance and service on demand,' are directly drawn from the two core emphasis clusters of the National e-Governance Plan designed by R. Chandrashekhar and team, namely the creation of the national and state-level network and data infrastructures, and the National Mission Mode projects to enable electronic delivery of services across ministries.

And this is not a bad thing at all. In fact, the need for this programmatic and strategic convergence has been felt for quite some time now, and it is wonderful to see the Prime Minister directly addressing this need. Although, while drawing benefits from the existing programmes, the DI initiative must also deal with the challenges inherited in the process.

Recently circulated documents describes that the institutional framework for Digital India will be headed by a Monitoring Committee overseeing two main drivers of the initiative: the Digital India Advisory Group led by the minister of communication and information technology, and the Apex Committee chaired by the cabinet secretary. While the former will function primarily through guiding the implementation works by the Department of Electronics and Information Technology (DeitY), the latter will lead the activities of both the DeitY and the various sectoral ministries.

Here lies one possible institutional bottleneck that the Digital India architecture inherits from the National e-Governance Plan. Putting the DeitY in the driving seat of the digital transformation agenda in parallel with all other central government departments indicate an understanding that the transformation is fundamentally a technical issue. However, most often what is needed is administrative reform at a larger scale, and re-engineering of processes at a smaller scale.

Government agencies that have addressed such challenges in the past, such as the department of administrative reforms and public grievances, is not mentioned explicitly within the institutional framework, and instead DeitY has been trusted with a range of tasks that may be beyond its scope and core skills.

The danger of this is that the Digital India initiative will end up initiating more infrastructural and software projects, without transforming the underlying governmental processes. For example, the recently launched eBasta website creates a centralised online shop for publishers of educational materials to make books available for teachers to browse and select for their classes, and for the students to directly download, against payment or otherwise. The website has been developed by the Centre for Development of Advanced Computing and DeitY. At the same time, the ministry of human resource development, which is responsible for matters related to public education, has already collaborated with the Central Institute of Educational Technology and the Homi Bhabha Centre for Science Education in TIFR to build a comprehensive platform for multi-media resources for education – the National Repository of Open Educational Resources. The initial plans of the DI initiative are yet to explicitly recognise that the key challenge is not in building new applications and websites, but aligning existing efforts.

This mismatch, between what the Digital India initiative proposes to achieve and how it plans to achieve it, is further demonstrated in the 'e-Governance Policy Initiatives under Digital India' document. The compilation lists the key policies to govern designing and implementation of the Digital India programmes, but surprisingly fails to mention any policies, acts, and pending bills approved or initiated by any previous government. This is remarkably counter-productive as the existing policy frameworks, such as the Framework for Mobile Governance, the National Data Sharing and Accessibility Policy, and the Interoperability Framework for e-Governance, are suitably placed to complement the new policies around use of free of open source softwares for e-governance systems, so as to ensure their transparency, interoperability, and inclusive outreach. Several pending bills like The National Identification Authority of India Bill, 2010, The Electronic Delivery of Services Bill, 2011, and The Privacy (Protection) Bill, 2013, are absolutely fundamental for comprehensive and secure implementation of the various programmes under the Digital India initiative.

The next year will complete a decade of development of national e-governance systems in India, since the launch of National e-Governance Plan in 2006. Given this history of information systems sometimes partially implemented and sometimes working in isolation, a 'Phir Bhi Dil Hai Hindustani' approach to digitise India is a very pragmatic one. What we surely do not need is increased contradiction among e-governance systems. Simultaneously, we neither need digital systems that centralise governmental power within one ministry on technical grounds, or expose citizens to abuse of their digital identity and assets due to lack of sufficient legal frameworks.

(Sumandro Chattapadhyay is research director, The Centre for Internet and Society. The views expressed are personal.)

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-july-15-2015-sumandro-chattapadhyay-iron-out-contradictions-in-the-digital-india-programme

Iraqi Minister meets Secretary, Indian Ministry of Panchayat Raj

praskrishna — 2011-05-01T03:52:26Z

His Excellency Mr. Abdul Kareem El-Samarai, the Iraqi Minister of Science and Technology was among 15 other senior bureaucrats from Iraq who met with Mr. ANP Sinha, Secretary, Ministry of Panchayati Raj to discuss the Ministry’s efforts at introducing ICT at the Panchayat level through its e-Panchayat initiatives. This was as part of their study tour to India in association with UNDP-Iraq and UNDP-India. They also met with Mr. Shankar Aggarwal, Additional Secretary, DIT earlier in the day who briefed them about the various aspects of the National e-Governance Plan envisaged by the Government of India to make government services accessible and affordable to all Indian citizens. This news was published by the Karnataka News Network on April 27, 2011.

"India-Iraq cooperation will extend beyond ICT to all other areas of governance within two months" announced Mr. El-Samarai in a separate meeting today as part of the study tour in Delhi convened by Communication Multimedia and Infrastructure (CMAI) Association of India in partnership with the Centre for Internet and Society, Bangalore.

The meeting was also attended by top level telecom officials of the country including Mr. Satya Pal, Advisor to the DoT, Mr. NK Goyal, President, CMAI, Mr. B.M. Baveja, Senior Director and Group Head, Ministry of IT and Mr. S.N. Gupta, Chief Regulatory Officer, BT Telecom among others. Mr. El-Samarai emphasised that Iraq’s newly elected Government is stable and is taking all efforts to use ICT to provide basic services to Iraqi citizens apart from forwarding reforms in health and educational sectors. He stressed on the need for Iraq’s neighbours to respect the sovereignty of the country and welcomed India’s cooperation in Iraq’s efforts in introducing e-governance initiatives and use of ICT in the country. "We look forward to cooperation with India in enhancing our national efforts at governance reform", he said.

"E-Governance is crucial to effect a higher growth rate in India – upto 12% - and ensure that the growth is inclusive and sustainable", said Mr. Aggarwal while noting that e-governance is not only electronic governance but also “empowered governance". The delegates were also addressed about the recent developments in the e-governance strategy of the government including formulation of the National e-Governance Plan, mobile governance and standardisation initiatives, and establishment of data centres and Citizen Service Centres (CSCs) across the country.

The delegation's visit to Delhi was followed by their visit to Bangalore last week in context of the ‘Building e-Iraq National e-Governance Strategy’ of the Iraqi Government which attempts to increase transparency and government accountability in Iraq through ICT in addition to providing better services to citizens through e-governance initiatives. “This visit is not an end in itself but the beginning of an expanded cooperation between Iraqi and Indian Governments in forwarding national efforts at development and reform through use of technology”, said Ms. Caitlin Wiesen, Country Director of UNDP-India.

The delegation visited the National Informatics Centre and got a glimpse of the technology used at the NIC to manage data integration and ICT infrastructure for the entire e-government framework of the country. They also got a direct experience of the technology as they interacted with the NIC officials at Gandhinagar and Chennai directly from the Delhi office through video conferencing technology. Mr. B.K. Gairola, Director General of NIC addressed the delegation about the functions of the NIC including infrastructure for GIS facilities, cyber security for government departments, establishment of data centres and MMPs executed by the NIC to strengthen e-governance processes in the country.

The delegation had a meeting with the Secretary, IT, Government of Delhi yesterday about the National Convergence Mission Plan. They had also visited Narayana Hrudayalaya, Bangalore One Centre and Azim Premji Foundation in Bangalore last week apart from other e-governance initiatives. “We really appreciate the efforts of UNDP in organising the study tour and we will take all efforts to strengthen the relationship that Iraq shares with India”, said Mr. El-Samarai. The last leg of the study tour included a meeting with Mr. Patrice Coeur-Bizot, UNDP Resident Representative who noted that 60 years of cooperation between UNDP-India and the Indian Government resulted in the first ever discussion on e-governance in India under the auspices of the UNDP. “I cannot stress enough on the importance of forging synergy of efforts between UNDP-India and the Iraqi e-Government initiative”, he said. The tour will be concluded by a reception hosted by the Country Representative, UNDP-India before returning to Baghdad.

For more details contact- krithika@cis-india.org (Krithika Dutta, Centre for Internet and Society-Bangalore)

Read the original news published by Karnataka News Network here

For more details visit https://cis-india.org/news/iraq-tour-of-india

Iraqi delegation in Bangalore to study e-governance projects

praskrishna — 2011-04-21T09:41:45Z

A 20-member delegation from Iraq, led by its Science and Technology Minister Abdul Kareem El-Samarai, is in this tech hub for a firsthand account of the e-governance projects used for community development and as an interface between the government and citizens. This news was published in the Economic Times, April 20, 2011.

The delegation, on a three-day study tour since Tuesday in partnership with the United Nations Development Programme (UNDP) and the Centre for Internet & Society, visited multi-specialty hospital Narayana Hrudayalaya to learn about tele-medicine services, which provide healthcare in remote villages using information and communication technology (ICT).

"The e-governance projects and ICT practices employed for citizen services and community development in India could be a useful guide in developing a strategy for e-governance in our country," Deputy Iraqi Science and Technology Minister Samir Salim Raouf said in a statement late Wednesday.

The delegation, comprising officials and experts from various fields, also visited the Azim Premji Foundation , a not-for-prof IT organisation set up by IT bellwether Wipro's chairman Azim Premji. The delegation wanted to gain insight into the foundation's efforts to reform school education across the country through ICT and modern management practices.

"What is interesting is that the civil society and the private sector innovate and contribute to governance in India and everything is not left for the government to deal with," Raouf noted.

After interacting with officials and experts in-charge of the e-governance projects in Karnataka, the delegation went to mobile and wireless communications firm Geodisc Ltd to study its innovative product GeoAmida, an open source handheld device for e-governance and banking solutions.

"The mobile device, which can be used in diverse domains such as e-governance, banking, healthcare, transportation and retail, is a unique solution to address various societal problems faced by the Iraqi government, which is set to formulate a policy for e-governance and use ICT for social reform and development," the statement added.

The delegation, which is a part of the 'Building e- Iraq National e-Governance Strategy' of the Iraqi government, will go to New Delhi Friday for studying similar projects of the central government.

"Our objective is to increase transparency and accountability in Iraq through ICT and provide citizen services through e-governance initiatives," Raouf added.

Read the original in Economic Times here

For more details visit https://cis-india.org/news/iraqi-delegation-in-bangalore

Iraq Delegation to Visit India for Study of E-Governance in Indian Cities ― Meetings in Bangalore and Delhi

praskrishna — 2011-08-02T07:13:52Z

An Iraqi Government delegation headed by HE Mr. Abdul Kareem Al-Samarai, Minister of Science & Technology, Government of Iraq will be in India on a e-governance tour. The study tour is organised by the United Nations Development Programme (UNDP) and the Economic and Social Commission for Western Asia (ESCWA).

The Building e-Iraq National e-Governance strategic plan clearly emphasizes the need for connecting services and citizens to better access of information and services using ICTs as a leading resource/innovative force and as a contributing factor to enhancing transparency and accountability as well as facilitate the effective and efficient provisioning of essential services. In this context, and as identified by the Iraqi e-governance ministerial steering committee, community service centers (CSCs) have been identified as having a direct bearing on sustainable social and economical changes consistent with the MDGs.

As agreed within the steering committee, the community based connectivity services centres will be hosted within existing community structures throughout Iraq in order to enhance penetration levels and provide for cost-effective strategies. Post offices and youth centres would henceforth represent the point of entry for the community centres, where the Iraqi government is rehabilitating the buildings and has already provided Internet access with the hope of introducing e-governance services. The centres will also be linked with the implementation of the pilot e-services to promote access to information resources and government programmes and services. Additionally, the centres will serve to address local issues and priorities.

UNDP in partnership with ESCWA is organizing a study tour to India that would expose senior Iraqi stakeholders to e-government and e-governance as a means to enhance the effectiveness and efficiency of the public sector in service provision, and make them learn from India's experience in:

Harnessing ICT technologies in service of community development, inclusiveness and empowerment, particularly at the local level;

Highlighting e-governance practices in connecting citizens to the state – at both the federal and local levels – and enhancing services;
Presenting success stories and lessons learned from India’s experience in instigating and operating CSCs; and
Providing the Government of India with a frame of reference in designing an appropriate, efficient and effective decentralized planning process and service delivery.

Dr. Samir Salim Raouf, Deputy Minister, Ministry of Science and Technology, Dr. Mahmood Kasim Sharief, Director General, Ministry of Science and Technology, Zagros Fattah Mohammed Mohammed, Director General, Ministry of Planning - KRG, Najwa Saeed Fathullah, Director General, Ministry of Finance, Majeed Hameed Jassim, Director General, Ministry of Communication, Dr. Kathim Mohammed Breesam, Director General, Ministry of Planning, Majed Sadoon Jasim, Director General, Ministry of Interior, Naeef Thamer Hussien, Director General, Ministry of Education, Ismael Khaleel Murad, Chief of Information, Ministry of Higher Education, Anwer Alwan Jassim, Ministry of Higher Education, Khalaf Muhammad Khalaf, Deputy Director General, Ministry of Education, Samer Noori Taqi, Chief of Information, Ministry of Municipalities and Public Works, Safaa Mohammed Kassar, Anbar Governorates, Abdulamer Abdulwahid Mubarak, Basra Governorates, Isam Hussein Ali, Ministry of Science and Technology, Sudipto Mukherjee, Head of Economic Recovery and Poverty Alleviation, UNDP, Abeer Fawaeer, E-Governance Specialist, UNDP and Dalia Zendi, Project Associate, UNDP will participate in the meetings.

Study tour structure

The delegation will hold meetings with Deepak Menon of India Water Portal, Ashok Kamath of Pratham Books, Srikanth Nadhamuni of E-governments foundation, Dr. Subbramanya of Geodesic, Parth Sarwate of Azim Premji Foundation, Abhay Singhavi of Narayana Hrydayalaya and MN Vidyashankar and DS Ravindran of Department of e-governance, Government of Karnataka.

In Delhi, the delegation will hold meetings in the Department of Information Technology, National Informatics Centre, National Institute for Smart Government, Ministry of Urban Development and Ministry of Panchayati Raj.

Expected outcomes

The study tour will be concluded in Delhi with a brainstorming session to discuss and explore the results achieved by the study tour, and ultimately formulate an integrated framework for identifying, establishing, operating and managing CSCs in Iraq with wider national and local e-governance development plan in line with overarching public sector and modernization programme and generate a list of pilots quick-win e-services applications that can be implemented in Iraq.

Other expected outputs are:

To identify critical and relevant lessons from the Indian e-governance models, with particular emphasis on linkages between ICT and broad-based development in the areas of education, health, water and social development of rural and urban areas;
To enhance awareness on the role and operation of CSCs at various levels and their pivotal role in facilitating access to essential services and reducing service costs;
To improve understanding of the challenges in the effective application of ICTs for development and the key factors in the design and implementation of ICT for development projects and programmes;
To enhance the understanding of the measures to be undertaken by the centre and the provinces to identify and put in place e-services;
To highlight the successes and lessons learned from the Indian decentralized and local area planning and development model;
To learn about the latest development in IT industry and the infrastructure required for CSCs and e-services; and
To explore working partnerships between the Government of India and the Indian IT companies.

This study tour is in furtherance to the e-Governance Action plan prepared by the Iraq Government. The Centre for Internet and Society is assisting the delegation for the meetings held in Bangalore.

For more details visit https://cis-india.org/internet-governance/blog/iraqi-e-governance-india-tour

IPv6: The Transition Challenge

nishant — 2012-06-13T09:59:27Z

The future of our connected networks is Internet Protocol version 6 (IPv6). Not only is it more efficient and faster than IPv4 which we are currently working with, it is also more reliable and secure.

The IPv6, for instance, has an in-built security protocol called IPSec, which authenticates and secures all IP data. The data carrying capacity of IPv6 networks is also going to be higher. This means that more devices with more features will be able to work seamlessly through these networks. Despite the larger load of information, IPv6 packets are easier to handle and route, just like postcards with pincodes in their addresses are easier to deliver than those without.

We have already seen great examples of successful implementation during the 2008 Beijing Olympics. Every aspect from the security surveillance to managing vehicles and the coverage of the Olympic events was done over IPv6, including live streaming of the events over the Internet. The Chinese government, in fact, has already launched a ‘China Next Generation Internet’ (CNGI) project to build IPv6 networks which are going to radically change the face of high-speed internet in the country. With all these benefits available to us in this next generation protocol, the question that remains is why only a meagre 2% of the world’s internet traffic is conducted through it? Why haven’t more ISPs shifted to IPv6?

There are two very clear reasons. The first one is that of costs and infrastructure. The IPv6 platforms do not communicate easily with the IPv4 networks. We have the choice of a mammoth transition of all IPv4 websites and networks to new IPv6 protocols. This idea of abandoning IPv4 and moving to a new protocol is not only redundant; it is also futile, because IPv4 is already running the largest network in human history quite efficiently. What we need is translators which will be able to speak to both the different versions and help our devices work through them seamlessly. Older, more successful technologies have been able to do this. So, television, for instance, whether it receives terrestrial data, satellite images or data transferred via cable, is able to translate and render them into images and sounds which we can consume with ease. However, the translators for the IPv4 – IPv6 still expensive and we need more resources diverted towards making them affordable.

The second reason is linked to the first. In order for IPv6 to become popular, it needs a minimum threshold of service providers and users riding that network. As long as the deployment remains nascent, there will be no concentrated energy to actually try and make the bridges between versions 4 and 6. While global technology organisations like Tata Communications are ready for the transition, we are going to need a systemic change among all stakeholders to make IPv6 a reality, towards a faster, safer and more robust Internet.

This communique is brought to you by Tata Communications and the Centre for Internet and Society.

Nishant Shah is Director-Research at the Bangalore based Centre for Internet and Society.

If you would like any further information on IPv6 at Tata Communications, please reach out to: divya.anand@tatacommunications.com

The above blog post was reproduced in MIS Asia, CIO Asia, Computer World Singapore, and Computer World Malaysia.

For more details visit https://cis-india.org/internet-governance/ip-v-6-the-transition-challenge

IPv6: Embrace The Change

nishant — 2012-06-13T06:09:43Z

A moment of transition is always filled with anxiety. There is concern over the unknown and there is a reluctance to move out of the familiar. However, a transition does not necessarily mean migration; or in other words, as we transition to IPv6 as the new protocol for digital and electronic communication, it does not mean that we are going to abandon the internet as we know it.

In fact, for most of the users, it is going to be a transparent transition, where their devices are going to be able to harness the powers of IPv4 and 6. While there are huge benefits at the back-end, leading to better security protocols and low maintenance, there are a few advantages that the user should also celebrate.

Faster Internet: Because IPv6 will open up a huge range of IP addresses, direct routing of data becomes a possibility. As data does not have to be routed through many servers or nodes within a network, it can reach its destination faster. With the way our digital access and sharing is going right now, this is not to be taken lightly. In many ways this is the same transition we had from the dial-up connections, where the transfer of picture and video files within minutes was totally unheard of, while now we’re in an age where we stream high density video on all our computing devices with ease.

More collaborative and shared Internet: With the abundance of IP addresses coming our way, there is going to be more scope for multiple devices to be connected online. New platforms of collaborative knowledge production and sharing can be designed to become infinite and inclusive in their scale and architecture.

More connected devices: The inter-operability features of IPv6 ensure that more devices are able to communicate with each other with ease. The science-fiction futuristic dream of a completely connected environment where human and artificial intelligence can work together, using a range of devices, is actually a material possibility with large scale IPv6 implementation. This can also trigger new innovation that helps reconstruct some of our existing devices in new forms and shapes.

While affordability and the migration to new network infrastructure are the gating factors to this transition, these are diminishing costs and we are looking at more interesting internet architecture as we move towards IPv6. Perhaps, one of the most reassuring points of this transition is that we do not need to abandon the familiar internet we are already working with; the transition is not a moving on, but a moving to, and in it are the promises of a safe, secure and speedy internet. Global technology organisations like Tata Communications have embraced this change; it’s only a matter of time before others too recognise the need for IPv6 and the huge difference it will make to our lives.

This communique is brought to you by Tata Communications and the Centre for Internet and Society.

Nishant Shah is Director-Research at the Bangalore based Centre for Internet and Society.

If you would like any further information on IPv6 at Tata Communications, please reach out to: divya.anand@tatacommunications.com

For more details visit https://cis-india.org/internet-governance/ip-v-6-embrace-the-change

IPv6: The First Steps

nishant — 2012-06-05T07:18:16Z

The Centre for Internet & Society has entered into a small collaboration with Tata Telecommunications in India to celebrate the IPv6 day on June 6th. We will write 5500 word vignettes, which will be sent to their global database consisting of more than 900,000 users in the Asia-Pacific.

It is commonplace to interchange the words Internet and Cyberspace. However, we should make a distinction between the two. Cyberspace is an experiential phenomenon, supported by the Internet but smaller. It refers to the actions, transactions, negotiations performed within the digital network.

The Internet is a protocol – a set of rules that allows for a digitally connected network of databases to interact with each other. This happens through a standard set of commonly accepted rules, Internet Protocol version 4 – IPv4. IPv4 allows differently configured networks, working on different platforms, and designed through different technologies to communicate effectively by agreeing on a bare minimum of universally accepted codes for data to navigate cyberspace with the least bit of effort.

IPv4 was defined in 1981, when there were few computers in the world with even fewer connected to networks. It was the protocol that assigned a computer on the Internet, with an IP address, the unique name of a connected device which can be recognised by digital networks. Packets of data transmitted over the Internet need an unique IP address associated to their origin and destination, so that information can travel smoothly. IPv4 was developed so that 4,294,967,296 (2^32) unique IP addresses could be accommodated within the network. When it was designed, it looked like an almost infinite system. No one had ever imagined that the World Wide Web would emerge so quickly! We have reached a point now, where the last free IP addresses have been allotted in February of 2012, and we are now reaching a ‘real-estate’ crisis on the Internet.

Since every device with Internet connectivity has a unique IP address – computers, servers, tablets, smart-phones, e-book readers and even alarm clocks – we need a lot more IP addresses. IPv6 – or Internet Protocol version 6 – is a new standard by which we are now going to expand the ‘land’ upon which the Internet can grow. IPv6 is an overhaul of the existing system which will be able to handle 340 undecillion (2^128) unique addresses. Leading global Internet Service Providers and technology companies like Tata Communications have recognised this as the need of the hour since increasingly we are living in digital information societies. However, IPv6 is going to have a range of serious implications for our hardware and software needs as well as our usage patterns and how the Internet is going to expand in the future.

This communique is brought to you by Tata Communications and the Centre for Internet and Society.

If you would like any further information on IPv6 at Tata Communications, please reach out to: divya.anand@tatacommunications.com or write to Nishant Shah, Director-Research at the Bangalore based Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/ip-v-6

IP Addresses and Expeditious Disclosure of Identity in India

Prashant Iyengar — 2012-12-14T10:20:59Z

In this research, Prashant Iyengar reviews the statutory mechanism regulating the retention and disclosure of IP addresses by Internet companies in India. Prashant provides a compilation of anecdotes on how law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Over the past decade, with the rise in numbers of users, the internet has become an extremely fraught site that has been frequently used in India for the perpetration of a range of 'cyber crimes' — from extortion to defamation to financial fraud. In a revealing statistic, in 2010, the Mumbai police reportedly "received 771 complaints about internet-related offences, 319 of which were from women who were the victims of fake profiles, online upload of private photographs and obscene emails."[1]

Law enforcement authorities in India have not exactly lagged behind in bringing these new age cyber criminals to book, and have installed special ‘Cyber crime cells’ in different cities to combat crimes on the internet. These cells have been particularly adept at using IP Addresses information to trace individuals responsible for crimes. Very briefly, an Internet Protocol address (IP address) is a numeric label – a set of four numbers (Eg. 202.54.30.1) - that is assigned to every device (e.g., computer, printer) participating on the internet. [2] Website operators and ISPs typically maintain data logs that track the online activity of each IP address that accesses their services. Although IP Addresses refer to particular computers – not necessarily individual users – it is possible to trace these addresses backwards to expose the individual behind the computer. [3] As even a casual Google search with the phrase “IP, police, India” would reveal, police authorities in different cities in India have been quite successful in employing this technology to trace culprits.

However, along with its utility in the detection of crime, the tracking of persons by their IP addresses is potentially invasive of individuals’ privacy. In the absence of a culture of strict adherence to the ‘rule of law’ by the police apparatus in India, the unbridled ability to track persons through IP addresses has the potential of becoming an extremely oppressive tool of surveillance.

In this short note, we review the statutory mechanism regulating the retention and disclosure of IP addresses by internet companies in India. In order to provide context, we begin with a compilation of anecdotes on how various law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Examples of use and abuse by Indian authorities

As mentioned above, the online media has been humming with stories which indicate the extent to which IP Addresses has become a useful and frequently deployed weapon in the arsenal of law enforcement agencies:

In May 2010, an Army officer stationed in Mumbai was arrested for distributing child pornography from his computer. [4] He was traced by the Mumbai Police after the German Federal Police alerted Interpol that objectionable pictures were being uploaded from the IP address he was using.
In February 2011, Cyber Crime Police in Mumbai sought IP address details of a user who had posted ‘Anti Ambedkarite’ content on Facebook – the popular social networking site. [5]
In February 2008, internet search company Google was ordered by the Bombay High Court to reveal "particulars, names and the address of the person" who had posted defamatory content against a company on Google’s blogging service Blogger.[6]
In September 2009, a man was arrested by the Delhi Police in Mumbai for blackmailing classical musician Anoushka Shankar. The culprit had allegedly hacked into her email account and downloaded copies of personal photographs. He was traced by using his IP address.[7]
In April 2010, Gurgaon Police arrested a teenage boy for allegedly posting obscene messages about an actress on Facebook. The newspaper account reports that "During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer." [8]
In February 2011, the police traced a missing boy who had run away from home, by following the IP address trail he left when he updated his Facebook profile status. [9]

What is clearly evident from these accounts is a growing awareness and enthusiasm on the part of Indian law enforcement agencies to use IP address trails as a routine part of their criminal investigative process. While this is not unwelcome, considering the kinds of grievances listed above and the backdrop a dismal record of criminal enforcement in India, there is also a flip side. In a shocking incident in August 2007, Lakshmana Kailash. a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. [10] The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and jailed for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.

Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages.[11] This incident sounds a cautionary note, amidst so many celebratory accounts, signalling that grave human rights abuses could result from the unchecked use of this technology.

These are just seven out of scores of instances of Indian investigative authorities tracing culprits using IP addresses. The crimes range from blackmail to impersonation, to defamation to planning terror attacks. Seldom in these cases has a court order actually been required by the agency that discloses the IP address of the individual.[12] Clearly there seems to be a very easy relation between law enforcement agencies in India one the one hand, and Internet Service Providers and online services such as Google and Facebook on the other.

Google’s own ‘Transparency Report’[13] which provides statistics on the number of instances where Governments agencies have approached the company demanding information or take-down, states that that it received close to 1700 ‘data requests’ from Indian authorities between January to June 2010 – ranking India 3rd globally in terms of such requests behind the United States and Brazil. That a high percentage – 79% - of these requests have been complied with indicate that within a short span of time, ‘Indian authorities’ have discovered in Google, a reliable and pliable ally in seeking information about their subjects. In 2007, Orkut -a social-networking site owned by Google- even entered into a co-operation agreement with the Mumbai police in terms of which “'forums' and 'communities'” which contained “defamatory or inflammatory content” would be blocked and the IP addresses from which such content has been generated would be disclosed to the police. [15]

Although similar transparency reports are not forthcoming from the other Internet giants such as Yahoo or Facebook, one may presume that this co-operation has not been withheld by them. [16]

In the sections that follow, we outline the legal framework that facilitates this co-operation between law enforcement authorities and web service providers.

Lawful disclosure of IP Addresses

In this section, we are seeking a legal source for the compulsion of ISPs and intermediaries (including websites) to disclose IP Address data. Are there guidelines in Indian law on how much information must be disclosed, under what circumstances and for how long?

Broadly, there are four sources to which we may trace this regime of disclosure and co-operation. Firstly, ISPs are required, under the operating license they are issued under the Telegraph Act, to provide assistance to law enforcement authorities. Secondly, the Information Technology Act contains provisions which empower law enforcement authorities to compel information from those in charge of any ‘computer resources’. Reciprocally, ‘intermediaries’ – including ISPs and websites - are charged under new Rules under the IT Act with co-operating with government agencies on pain of exposure to financial liability. Thirdly, the Code of Criminal Procedure defines the scope of police powers of investigation which include powers to interrogate and summon information and Fourthly, individual subscribers enter into contracts with ISPs and web services which do not offer any stiff assurances of privacy with regard to the IP Address details.

The sections that follow offer greater detail on each of these areas of the law.

Monitoring of internet users under the ISP licenses

ISPs are regulated and operate under a license issued under the Telegraph Act 1885. Section 5 of the Telegraph Act empowers the Government to take possession of ‘licensed telegraphs’ and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence."

Although the statute governs the actions of ISPs in a general way, more detailed guidelines regulating their behaviour are contained in the terms of the licenses issued to them which set out the conditions under which they are permitted to conduct business. The Internet Services License Agreement (which authorizes ISPs to function in India) contains provisions requiring telecom operators to safeguard the privacy of their consumers or to co-operate with government agencies when required to do so. Some of the important clauses in this agreement are:

Part VI of the License Agreement gives the Government the right to inspect/monitor the ISPs systems. The ISP is responsible for making facilities available for such interception.
Clause 32 under Part VI contains provisions mandating the confidentiality of information held by ISPs. These provisions hold ISPs responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place. Towards this, ISPs are required:

to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavours to secure that :
to ensure that no person acting on behalf of the ISPs divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and
This safeguard however does not apply where (i) The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or (ii) The information is already open to the public and otherwise known.
To take necessary steps to ensure that any person(s) acting on their behalf observe confidentiality of customer information.

Clause 33.4 makes it the responsibility of the ISP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.
Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.
Clause 34.12 and 34.13 requires the ISP to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities.
Clause 34.16 requires the ISP to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.
Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”.
Clause 34.23 mandates that the ISP maintain "all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor".
Clause 34.28 (viii) forbids the ISP from transferring the following information to any person/place outside India:

Any accounting information relating to subscriber (except for international roaming/billing) (Note: it does not restrict a statutorily required disclosure of financial nature) ; and
User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).

Clause 34.28(ix) and (x) require the ISP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.
Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”. (It is unclear whether this is to operate as an overriding provision governing all other clauses as well).

From the list above, it is very clear that by the terms of their licenses, ISPs are required to maintain extensive logs of user activity for unspecified periods. However, it is unclear, in practice, to what extent these requirements are being followed by ISPs. For instance, an article in the Economic Times in December 2010 [18] reports:

"The Intelligence Bureau wants internet service providers, or ISPs, to keep a record of all online activities of customers for a minimum of six months. Currently, mobile phone companies and internet service providers do not keep online logs that track the web usage pattern of their customers. They selectively monitor online activities of only those customers as required by intelligence and security agencies, explained an executive with a telecom company." (emphasis added)

The news report goes on to disclose the ambitious plans of the Intelligence Bureau to “put in place a system that can uniquely identify any person using the internet across the country” through “a technology platform where users will have to mandatorily submit some form of an online identification or password to access the internet every time they go online, irrespective of the service provider.” Worryingly, the report goes on to discuss the setting up by the telecommunications department of “India's indigenously-built Centralised Monitoring System (CMS), which can track all communication traffic—wireless and fixed line, satellite, internet, e-mails and voice over internet protocol (VoIP) calls—and gather intelligence inputs. The centralised system, modeled on similar set-ups in several Western countries, aims to be a one-stop solution as against the current practice of running several decentralised monitoring agencies under various ministries, where each one has contrasting processing systems, technology platforms and clearance levels.” Although as of this writing, this CMS is not yet fully functional, its launch seems to be imminent and will inaugurate with it, an era of constant and continuous surveillance of all internet users.

Provisions under the IT Act 2000

The IT Act enables government agencies to obtain IP Address details from intermediaries, including ISPs, by following a stipulated procedure. In addition, it enjoins intermediaries to co-operate with law enforcement agencies as a part of their due-diligence behaviour.

In a parallel, seemingly conflicting move, the IT Act also requires intermediaries to observe stiff Data Protection norms. In the sub-sections that follow, we look at each of these various provisions under the IT Act.

Interception and Monitoring of computer resources

There are two regimes of interception and monitoring information under separate sections the Information Technology Act. Both would seem capable of authorising access of IP Addresses, among other information to government agencies.

Section 69 deals with “Power to issue directions for interception or monitoring or decryption of any information through any computer resource”.

In addition, the Government has been given a more generalised monitoring power under Section 69B to “monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource”. This monitoring power may be used to aid a range of “purposes related to cyber security.”[19] “Traffic data” has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.”

Rules have been issued by the Central Government under both these sections which are similar, although with important distinctions. These rules stipulate the manner in which the powers conferred by the sections may be exercised.

The important difference between the two sections is that while Section 69 provides a mechanism whereby specific computer resources can be monitored in order to learn the contents of communications that pass through such resource, Section 69B by contrast provides a mechanism for obtaining ‘meta-data’ about all communications transacted using a computer resource over a period of time – their sources, destinations, routes, duration, time etc without actually learning the content of the messages involved. The latter type of monitoring is specifically in order to combat threats to ‘cyber security’, while the former can be invoked for a number of purposes such as the securing of public order and criminal investigation. [21]

However, this distinction is not very sharp – an interception order under Section 69 directed at a computer resource located in an ISP can yield traffic data in addition to the content of all communications. Thus for instance, if a direction was passed ordering my ISP to intercept “all communications sent or received by Prashant Iyengar”, the information obtained by such interception would include a resume of all emails exchanged, websites visited, files downloaded etc. In such a case, a separate order under Section 69B would be unnecessary. An important clue about their relative importance may lie in the different purposes for which each section may be invoked coupled with the fact that while directions under Section 69 can be issued by officers both at the central and state level, directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology. [22] This indicates that the collection of traffic data by the government under Section 69B is intended to facilitate the securing of India’s ‘cyber security’ from possible external threats – a Defence function – while the interception powers under Section 69 are to be exercised for more domestic purposes as aids to Police functions.

The rules framed under Section 69 and Section 69B contain important safeguards stipulating, inter alia, to a) Who may issue directions b) How are the directions to be executed c) The duration they remain in operation d) to whom data may be disclosed e) Confidentiality obligations of intermediaries f) Periodic oversight of interception directions by a Review Committee under the Telegraph Act g)maintenance of records of interception by intermediaries h) Mandatory destruction of information in appropriate cases.

Although these sections provide powerful tools of surveillance in the hands of the state, these powers may only be exercised by observing the rather tedious procedures laid down. In the absence of any data on interception orders, it is unclear to what extent these powers are in fact being used in the manner laid down. Certainly, from the instances cited in the beginning of this paper, the police departments in the various states do not seem to need to invoke these powers in order to obtain IP Address information from ISPs or websites. This information appears to be available to them merely for the asking. How do we account for this unquestioning pliancy on the part of the ISPs?

In February 2011, Reliance Communications, a large telecom service provider disclosed to the Supreme Court that over a hundred and fifty thousand telephones had been tapped by it between 2006 and 2010 – almost 30,000 a year. A majority of these interceptions were conducted based on orders issued from state police departments whose legal authority to issue them is suspect. New rules framed under the Telegraph Act in 2007 required such orders to be issued only by a high-ranking Secretary in the Department/Ministry of Home Affairs. [23] The willing compliance by Reliance with the police’s requests indicates both their own as well as the police’s blithe unawareness about the change in the regime governing tapping. Things seem to have continued just as before through pure inertia.

To return to the question about why ISPs comply with police requests, it is conceivable that this same inertia, and an intuitive confidence both on the part of the police and the ISPs that they would not be made to answer for their disclosures, is what explains the ready and expeditious access that ISPs give police departments to IP Address details. In the next sub-section we examine intermediary liability rules which require intermediaries to positively disclose personal information to law enforcement authorities.

Data Protection Rules

Section 43A of the IT Act obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which, they would be liable to compensate those affected by any negligence attributable to this failure.

In April 2011, the Central Government notified rules under section 43A of the Information Technology Act in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold. Since traffic data including IP Address data is one kind of personal information that ISPs hold, and since all ISPs are ‘body corporates’, these rules apply to them equally and define the terms on which they may deal with such information.

Rule 3 of these Rules designates various types of information as ‘sensitive personal information’ including passwords, medical records etc.[25] Significantly, for the purposes of this paper, IP address details are not included in this list.

Body Corporates are forbidden from collecting any information without prior consent in writing for the proposed usage. Further, Sensitive personal information may not be collected unless - (a) the information is collected for a lawful purpose connected with a function or activity of the agency; and (b) the collection of the information is necessary for that purpose. [Rule 5]

Rule 4 enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” including on a website. The policy must provide the following details:

Clear and easily accessible statements of its practices and policies;
Type of personal or sensitive information collected;
Purpose of collection and usage of such information;
Disclosure of such information as provided in rule 6 [27]
Reasonable security practices and procedures as provided under rule 8.

Rule 6 enacts as a general rule that disclosure of information “by the body corporate to any third party shall require prior permission from the provider of such information”. Consent is, however, not required, “where disclosure is necessary for compliance of a legal obligation”. This is further fortified by a proviso to the rule which stipulates the mandatory sharing of information “without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.” In such a case, the Government agency is required to “send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information.” The government agency is also required to “state that the information thus obtained will not be published or shared with any other person.” [28]

Sub Rule (2) of Rule 6 requires “any Information including sensitive information” to be “disclosed to any third party by an order under the law for the time being in force.” This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.

Rule 8 requires body corporates to implement documented security standards such as the international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System”.

What is curious about these rules is that its provisions, particularly those relating to lawful disclosure, appear to go much further than the limited purpose authorised by section 43A under which they are framed. Section 43A is intended only to fix liability for the negligent disclosure of information by body corporates which results in wrongful loss. It is not intended to inaugurate a regime of mandatory disclosure, as the Rules attempt to do. In positively requiring, body corporates to disclose information upon a mere request by any ‘government agency’, these rules attempt to create a parallel, much softer mechanism by which the same information that is dealt with under Sections 69 and 69A and rules framed under them can be accessed by a far wider range of governmental actors.

Even more curious is the fact that the only legal consequence to the ISP for its negligence in disclosing information to government agencies as stipulated in the rules is that it exposes itself to possible civil liability from the ‘person affected’. [29] Thus, conceivably, if an ISP failed to disclose IP Address data of its users to the police at the instance of, say, targets of online financial fraud, they can be sued by the victims of such fraud. With no incentive to assume this ridiculous burden, it is foreseeable that ISPs would hasten to comply with every request for information from a government agency– however whimsically issued.

Intermediary Due Diligence

Section 79 of the IT Act makes intermediaries, including ISPs liable for third party content hosted or made available by them unless they observe ‘due diligence’, follow prescribed guidelines and disable access to any unlawful content that is brought to their attention. Rules were notified under this section in April 2011 which defined the ‘due diligence’ measures they were required to observe. [30]

Accordingly, ISPs are required to forbid users from publishing, uploading or sharing any information that:

belongs to another person and to which the user does not have any right to;
is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
harm minors in any way;
infringes any patent, trademark, copyright or other proprietary rights;
violates any law for the time being in force;
deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
impersonates another person;
contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

Upon being notified by any ‘affected person’ who objects to such information in writing, the ISP is required to “act within thirty six hours and where applicable, work with user or owner of such information to disable such information”. [31]

Further, “when required by lawful order”, the ISP, website or any other intermediary “shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.”

Visible here is the same attempt at subversion of Sections 69 and 69B as discussed in the previous section under the Data Protection Rules. Failure to observe these ‘due diligence’ measures – including disclosure of IP Address details – would expose ISPs and web-services like Google and Facebook to civil liability under Section 79, a risk they would not likely or lightly wish to assume.

Police powers of investigation

Apart from the provisions under the IT Act, to what extent are the police in India empowered under the Criminal Procedure Code to simply requisition information - including IP Addresses of suspects - from ISPs and Websites? In the course of routine investigation into other offences, the police have wide powers to summon witnesses, interrogate them and compel production of documents. Can these powers be invoked to obtain IP Address information? Are ISPs and Websites somehow immune from complying with these requirements?

Section 91 of the Code of Criminal Procedure empowers courts or police officers to call for, by written order, the production of documents or other things that are “necessary or desirable” for the purpose of “any investigation, inquiry, trial or other proceeding under the Code”.

Sub-section 3 of this section however limits the application of this power by exempting any “letter, postcard, telegram, or other document or any parcel or thing in the custody of the postal or telegraph authority.” Such documents can only be obtained under judicial scrutiny by following a more rigorous procedure laid down in Section 92. Under this section, it is only if a “District Magistrate, Chief Judicial Magistrate, Court of Session or High Court” is of the opinion that “any document, parcel or thing in the custody of a postal or telegraph authority is.. wanted for the purpose of any investigation, inquiry, trial or other proceeding under this Code” that such document, parcel or thing can be required to be delivered to such Magistrate or Court.

However the same section empowers lesser courts and officers such as “any other Magistrate, whether Executive or Judicial, or of any Commissioner of Police or District Superintendent of Police” to require “the postal or telegraph authority, as the case may be .. to cause search to be made for and to detain such document, parcel or thing” pending the order of a higher court.

Section 175 makes it an offence for a person to intentionally omit to produce a document which he is legally bound to produce. In case the document was to be delivered to a public servant or police officer, such omission is punishable with simple imprisonment of up to one month, or with fine up to five hundred rupees or both. If the document was to be delivered to a Court of Justice, omission could invite simple imprisonment up to six with or without a fine of one thousand rupees.

In the context of our discussion on IP Addresses, the following questions emerge:

Are ISPs “telegraph authorities” so that the police are ordinarily prohibited from requisitioning information from them without obtaining orders from a court.
Similarly are Webmail and social networking sites “telegraph or postal authorities” so that securing information from them requires the following of the special procedure laid down in Section 92

Section 3(6) of the Indian Telegraph Act, 1885 defines "telegraph authority" as “the Director General of [Posts and Telegraphs], and includes any officer empowered by him to perform all or any of the functions of the telegraph authority under this Act”. This would seem to exclude all private sector ISPs from the definition, presumably opening them up to ordinary summons issued under Section 91.

However, Section 3(2) defines a "telegraph officer" to mean “any person employed either permanently or temporarily in connection with a telegraph established, maintained or worked by [the Central Government] or by a person licensed under this Act;” Under this section, employees of private ISPs such as Airtel would also be regarded as “telegraph officers” and if we can extend this logic, with some interpretative work, the ISPs themselves might be regarded as “telegraph authorities”. In the absence of definite rulings by the judiciary on this question, however, the ordinary presumption would be that private ISPs are not “telegraph authorities” and are answerable, like all private companies, to requisitions made under Section 91.

This leaves open the question of whether a government company like BSNL would count as a ‘telegraph authority’. If it is, then it would put internet communications conducted through BSNL on a more secure footing than through other ISPs. As things stand, however, it appears that BSNL seems to be extending its co-operation to the police in tracking mischief online , in the same manner as other ISPs.

The second question is relatively more straightforward. The definition of “Post Office” in the Indian Post Office Act 1898 restricts its meaning to “the department, established for the purposes of carrying the provisions of this Act into effect and presided over by the Director General [of Posts and Telegraphs]” (Section 2k). Despite their primary functions as email providers, it seems unlikely that any magistrate would interpret webmail providers like Hotmail and Google as “postal authorities” so as to be immune from police summonses under Section 91. Such an interpretation would, nevertheless, be in keeping with the spirit of the postal exemptions, since these sections seem to be aimed at requiring judicial oversight before the privacy of communications may be disturbed. It would be fitting for an amendment to be introduced to the Code of Criminal Procedure to update these sections in line with new technological developments.

Before parting with this section, it must be asked whether the procedure under the IT Act or the CrPC must be followed. Section 81 of the Information Technology Act unequivocally declares that act to have “overriding effect” “notwithstanding anything inconsistent therewith contained in any other law for the time being in force.” This seems to suggest that at least with respect to interception of electronic communications and obtaining traffic data, the provisions of the CrPC would be overridden by the procedure laid down by the rules under the IT Act. The evidence from the practice of the Indian police routinely obtaining IP Address from web service providers and ISPs seems to suggest that the IT Act has not been invoked in these transactions. This is a trend that is likely to continue until their legality is questioned in a court of law.

Subscriber Contracts with web service providers

In addition to statutory provisions mandating the disclosure of IP Address information, such disclosure may also be permissible by the terms under which individual websites provides their services. Two examples would suffice here:

Google’s privacy policy which governs its full range of services from its popular search service to Gmail, as well as the groups and blogging services, states that the company will disclose personal information inter alia if

"We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law."

Information collected by Google includes server logs which include the following information: "your web request, your interaction with a service, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your account." [34]

Similarly, social networking site Facebook contains an equally expansive ‘lawful disclosure’ clause in its Privacy Policy [35] which states that the company will disclose information:

"To respond to legal requests and prevent harm. We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities."

Information collected by Facebook includes information about the device (computer, mobile phone, etc) about your browser type, location, and IP address, as well as the pages visited. [36]

Examples of such clauses abound and it would be fair to assume that almost every corporate website one visits has analogously worded terms of service permitting ‘lawful disclosure’. This contractual backdoor negatives any expectation of absolute privacy of IP Address details that one might mistakenly have harboured.

Conclusion

As indicated in the introduction, IP addresses have proven to be a dependable way for the police in India to track down a range of cyber-criminals – from financial frauds, to vengeful spurned-lovers, to blackmailers and terrorists. The novelty of ‘cyber crimes’, as well as the relative high-tech ease of their resolution makes for attractive press, and offers an inexpensive way for police departments to accrue some credibility and goodwill for themselves. So long as the police track down genuine culprits, the question of privacy violations will necessarily remain suppressed since, in the words of the Supreme Court “the protection [of privacy] is not for the guilty citizen against the efforts of the police to vindicate the law." [37] However it is the possibility of an increase in egregious cases such as those of Lakshmana Kailash, mentioned above, wrongfully jailed for 50 days on account of a technical error, that reveals the pathologies of the unchecked system of IP Address disclosure that prevails today.

Legal regimes in the West have largely been indecisive about whether to characterize the maintenance of IP Address logs as handmaids for Orwellian thought-policing, or merely as implements that aid the apprehension of cyber criminals who have no legitimate expectation of privacy. Their laws typically come with procedural safeguards such as mandatory notices to affected persons [38], and judicial review which greatly mitigate the severity of these disclosures when they do occur.

Far from incorporating such safeguards, the various layers of Indian law create an atmosphere that is intensely hostile to the withholding of such information by ISPs and intermediaries. Overlapping layers of regulation between the Telegraph Act and the IT Act, and the conflict among various rules under the IT Act have created a climate of such indeterminacy that immediate compliance with even the most capricious of information demands by any government agency is the only prudent recourse for ISPs and other intermediaries. The DoT has issued a circular requiring the registration of public and domestic wifi networks to facilitate greater precision in tracking individuals behind IP Addresses. [39] For the same purpose, new Cyber Café Rules under the IT Act require extensive registers and logs to be maintained that track the identity of every user and the websites they have visited. [40] And if the full ambitions of the Unique Identity Numbering Scheme and the Centralised Monitoring System are realized, we will shortly be headed for exactly the kind of persistent surveillance society that Orwell wrote so fondly about.

The Indian judiciary, which could have played a counterbalancing role to the legislature’s apathy towards privacy and the executive’s increasingly totalitarian tendencies, has so far not risen to the challenge. The Supreme Court has repeatedly condoned the obtaining of evidence through illegal means, [41] and this has rendered the requirement of adherence to procedural due process by the police merely optional. This guarantee of judicial inaction in the face of executive illegality will be the biggest stumbling block to the securing of privacy – despite the occasionally good intentions of the legislature.

So, in the absence of a general assurance of privacy of our internet communications, where does one look to for hope? I would venture to suggest that there are four sources of optimism:

Notwithstanding the iron determination of the Central Government to install a panoptic communication surveillance system, the realization and smooth functioning of these technocratic fantasies will depend on the reconfiguration of the relative powers of various ministries at the Central Level– chiefly the Ministry of Communications and Information Technology and the Home Ministry – and between the Centre and the State. One can rely, one feels, on the unwillingness of various ministries to cede their powers to forestall or at least delay or diminish the execution of this project. The success of the technology, in other words, is not as much in doubt as the success of the politics. Privacy will triumph in this ‘failure’ of politics. I advance this point naively and with only the slightest sense of irony.
Another ironic point : I suggest the ingenious and very Indian phenomena of inefficiency and ignorance as robust privacy safeguards. How does one account for the fact that despite heavily worded and repeated invocations of disclosure requirements in the ISP licenses for almost a decade, it was not until December 2010 that the Home Ministry tentatively suggests to ISPs that IP records must be kept for a minimum of six months? This despite the fact that the ISP license itself requires that such records be kept for one year. How does one explain the unanimous blinking astonishment of the industry at this suggestion, other than they expected never to have to implement it? Or that the extensive logs that cyber café owners are required to maintain about their clientele are seldom checked? [43] In India it seems to be an unstated element of the business climate that one can reliably depend on the non-enforcement of contractual clauses. Sometimes this inefficiency on the part of the state has inadvertent privacy-preserving effects.
The power of the state to rely on IP Addresses depends on the availability of global internet behemoths such as Microsoft, Google, Facebook and Yahoo who are vulnerable to bullying in order to maintain their transnational empires. In each of the success stories mentioned at the start of this paper, IP Address details were obtained from one of the big companies named, from which the lesson that emerges is that our ability to retain our anonymity will depend on our ability to find smaller, non-Indian substitutes who have nothing to fear from Indian authorities. In June 2010, for instance, the Cyber Crime Police Station, Bangalore sent a notice under Section 91 of the CrPC to the manager of BloggerNews.Net (BNN) seeking the IP Address and details of a user who had allegedly posted “defamatory comments” on BNN about an Indian company called E2-Labs. The manager of BNN bluntly refused to comply stating: “our policy is not to give out that information, BNN holds peoples privacy in high esteem.”[44] The lesson here is that in the future, the ability of Indians to preserve their online ‘privacy’ and freedom of speech will depend on their being able to find sufficiently small overseas clients to host their speech. Conflict of Laws rather than domestic legislation is a more reliable guarantor of privacy.