We are anonymous, we are legion

Iraq Delegation to Visit India for Study of E-Governance in Indian Cities ― Meetings in Bangalore and Delhi

praskrishna — 2011-08-02T07:13:52Z

An Iraqi Government delegation headed by HE Mr. Abdul Kareem Al-Samarai, Minister of Science & Technology, Government of Iraq will be in India on a e-governance tour. The study tour is organised by the United Nations Development Programme (UNDP) and the Economic and Social Commission for Western Asia (ESCWA).

The Building e-Iraq National e-Governance strategic plan clearly emphasizes the need for connecting services and citizens to better access of information and services using ICTs as a leading resource/innovative force and as a contributing factor to enhancing transparency and accountability as well as facilitate the effective and efficient provisioning of essential services. In this context, and as identified by the Iraqi e-governance ministerial steering committee, community service centers (CSCs) have been identified as having a direct bearing on sustainable social and economical changes consistent with the MDGs.

As agreed within the steering committee, the community based connectivity services centres will be hosted within existing community structures throughout Iraq in order to enhance penetration levels and provide for cost-effective strategies. Post offices and youth centres would henceforth represent the point of entry for the community centres, where the Iraqi government is rehabilitating the buildings and has already provided Internet access with the hope of introducing e-governance services. The centres will also be linked with the implementation of the pilot e-services to promote access to information resources and government programmes and services. Additionally, the centres will serve to address local issues and priorities.

UNDP in partnership with ESCWA is organizing a study tour to India that would expose senior Iraqi stakeholders to e-government and e-governance as a means to enhance the effectiveness and efficiency of the public sector in service provision, and make them learn from India's experience in:

Harnessing ICT technologies in service of community development, inclusiveness and empowerment, particularly at the local level;

Highlighting e-governance practices in connecting citizens to the state – at both the federal and local levels – and enhancing services;
Presenting success stories and lessons learned from India’s experience in instigating and operating CSCs; and
Providing the Government of India with a frame of reference in designing an appropriate, efficient and effective decentralized planning process and service delivery.

Dr. Samir Salim Raouf, Deputy Minister, Ministry of Science and Technology, Dr. Mahmood Kasim Sharief, Director General, Ministry of Science and Technology, Zagros Fattah Mohammed Mohammed, Director General, Ministry of Planning - KRG, Najwa Saeed Fathullah, Director General, Ministry of Finance, Majeed Hameed Jassim, Director General, Ministry of Communication, Dr. Kathim Mohammed Breesam, Director General, Ministry of Planning, Majed Sadoon Jasim, Director General, Ministry of Interior, Naeef Thamer Hussien, Director General, Ministry of Education, Ismael Khaleel Murad, Chief of Information, Ministry of Higher Education, Anwer Alwan Jassim, Ministry of Higher Education, Khalaf Muhammad Khalaf, Deputy Director General, Ministry of Education, Samer Noori Taqi, Chief of Information, Ministry of Municipalities and Public Works, Safaa Mohammed Kassar, Anbar Governorates, Abdulamer Abdulwahid Mubarak, Basra Governorates, Isam Hussein Ali, Ministry of Science and Technology, Sudipto Mukherjee, Head of Economic Recovery and Poverty Alleviation, UNDP, Abeer Fawaeer, E-Governance Specialist, UNDP and Dalia Zendi, Project Associate, UNDP will participate in the meetings.

Study tour structure

The delegation will hold meetings with Deepak Menon of India Water Portal, Ashok Kamath of Pratham Books, Srikanth Nadhamuni of E-governments foundation, Dr. Subbramanya of Geodesic, Parth Sarwate of Azim Premji Foundation, Abhay Singhavi of Narayana Hrydayalaya and MN Vidyashankar and DS Ravindran of Department of e-governance, Government of Karnataka.

In Delhi, the delegation will hold meetings in the Department of Information Technology, National Informatics Centre, National Institute for Smart Government, Ministry of Urban Development and Ministry of Panchayati Raj.

Expected outcomes

The study tour will be concluded in Delhi with a brainstorming session to discuss and explore the results achieved by the study tour, and ultimately formulate an integrated framework for identifying, establishing, operating and managing CSCs in Iraq with wider national and local e-governance development plan in line with overarching public sector and modernization programme and generate a list of pilots quick-win e-services applications that can be implemented in Iraq.

Other expected outputs are:

To identify critical and relevant lessons from the Indian e-governance models, with particular emphasis on linkages between ICT and broad-based development in the areas of education, health, water and social development of rural and urban areas;
To enhance awareness on the role and operation of CSCs at various levels and their pivotal role in facilitating access to essential services and reducing service costs;
To improve understanding of the challenges in the effective application of ICTs for development and the key factors in the design and implementation of ICT for development projects and programmes;
To enhance the understanding of the measures to be undertaken by the centre and the provinces to identify and put in place e-services;
To highlight the successes and lessons learned from the Indian decentralized and local area planning and development model;
To learn about the latest development in IT industry and the infrastructure required for CSCs and e-services; and
To explore working partnerships between the Government of India and the Indian IT companies.

This study tour is in furtherance to the e-Governance Action plan prepared by the Iraq Government. The Centre for Internet and Society is assisting the delegation for the meetings held in Bangalore.

For more details visit https://cis-india.org/internet-governance/blog/iraqi-e-governance-india-tour

IPv6: The Transition Challenge

nishant — 2012-06-13T09:59:27Z

The future of our connected networks is Internet Protocol version 6 (IPv6). Not only is it more efficient and faster than IPv4 which we are currently working with, it is also more reliable and secure.

The IPv6, for instance, has an in-built security protocol called IPSec, which authenticates and secures all IP data. The data carrying capacity of IPv6 networks is also going to be higher. This means that more devices with more features will be able to work seamlessly through these networks. Despite the larger load of information, IPv6 packets are easier to handle and route, just like postcards with pincodes in their addresses are easier to deliver than those without.

We have already seen great examples of successful implementation during the 2008 Beijing Olympics. Every aspect from the security surveillance to managing vehicles and the coverage of the Olympic events was done over IPv6, including live streaming of the events over the Internet. The Chinese government, in fact, has already launched a ‘China Next Generation Internet’ (CNGI) project to build IPv6 networks which are going to radically change the face of high-speed internet in the country. With all these benefits available to us in this next generation protocol, the question that remains is why only a meagre 2% of the world’s internet traffic is conducted through it? Why haven’t more ISPs shifted to IPv6?

There are two very clear reasons. The first one is that of costs and infrastructure. The IPv6 platforms do not communicate easily with the IPv4 networks. We have the choice of a mammoth transition of all IPv4 websites and networks to new IPv6 protocols. This idea of abandoning IPv4 and moving to a new protocol is not only redundant; it is also futile, because IPv4 is already running the largest network in human history quite efficiently. What we need is translators which will be able to speak to both the different versions and help our devices work through them seamlessly. Older, more successful technologies have been able to do this. So, television, for instance, whether it receives terrestrial data, satellite images or data transferred via cable, is able to translate and render them into images and sounds which we can consume with ease. However, the translators for the IPv4 – IPv6 still expensive and we need more resources diverted towards making them affordable.

The second reason is linked to the first. In order for IPv6 to become popular, it needs a minimum threshold of service providers and users riding that network. As long as the deployment remains nascent, there will be no concentrated energy to actually try and make the bridges between versions 4 and 6. While global technology organisations like Tata Communications are ready for the transition, we are going to need a systemic change among all stakeholders to make IPv6 a reality, towards a faster, safer and more robust Internet.

This communique is brought to you by Tata Communications and the Centre for Internet and Society.

Nishant Shah is Director-Research at the Bangalore based Centre for Internet and Society.

If you would like any further information on IPv6 at Tata Communications, please reach out to: divya.anand@tatacommunications.com

The above blog post was reproduced in MIS Asia, CIO Asia, Computer World Singapore, and Computer World Malaysia.

For more details visit https://cis-india.org/internet-governance/ip-v-6-the-transition-challenge

IPv6: Embrace The Change

nishant — 2012-06-13T06:09:43Z

A moment of transition is always filled with anxiety. There is concern over the unknown and there is a reluctance to move out of the familiar. However, a transition does not necessarily mean migration; or in other words, as we transition to IPv6 as the new protocol for digital and electronic communication, it does not mean that we are going to abandon the internet as we know it.

In fact, for most of the users, it is going to be a transparent transition, where their devices are going to be able to harness the powers of IPv4 and 6. While there are huge benefits at the back-end, leading to better security protocols and low maintenance, there are a few advantages that the user should also celebrate.

Faster Internet: Because IPv6 will open up a huge range of IP addresses, direct routing of data becomes a possibility. As data does not have to be routed through many servers or nodes within a network, it can reach its destination faster. With the way our digital access and sharing is going right now, this is not to be taken lightly. In many ways this is the same transition we had from the dial-up connections, where the transfer of picture and video files within minutes was totally unheard of, while now we’re in an age where we stream high density video on all our computing devices with ease.

More collaborative and shared Internet: With the abundance of IP addresses coming our way, there is going to be more scope for multiple devices to be connected online. New platforms of collaborative knowledge production and sharing can be designed to become infinite and inclusive in their scale and architecture.

More connected devices: The inter-operability features of IPv6 ensure that more devices are able to communicate with each other with ease. The science-fiction futuristic dream of a completely connected environment where human and artificial intelligence can work together, using a range of devices, is actually a material possibility with large scale IPv6 implementation. This can also trigger new innovation that helps reconstruct some of our existing devices in new forms and shapes.

While affordability and the migration to new network infrastructure are the gating factors to this transition, these are diminishing costs and we are looking at more interesting internet architecture as we move towards IPv6. Perhaps, one of the most reassuring points of this transition is that we do not need to abandon the familiar internet we are already working with; the transition is not a moving on, but a moving to, and in it are the promises of a safe, secure and speedy internet. Global technology organisations like Tata Communications have embraced this change; it’s only a matter of time before others too recognise the need for IPv6 and the huge difference it will make to our lives.

This communique is brought to you by Tata Communications and the Centre for Internet and Society.

Nishant Shah is Director-Research at the Bangalore based Centre for Internet and Society.

If you would like any further information on IPv6 at Tata Communications, please reach out to: divya.anand@tatacommunications.com

For more details visit https://cis-india.org/internet-governance/ip-v-6-embrace-the-change

IPv6: The First Steps

nishant — 2012-06-05T07:18:16Z

The Centre for Internet & Society has entered into a small collaboration with Tata Telecommunications in India to celebrate the IPv6 day on June 6th. We will write 5500 word vignettes, which will be sent to their global database consisting of more than 900,000 users in the Asia-Pacific.

It is commonplace to interchange the words Internet and Cyberspace. However, we should make a distinction between the two. Cyberspace is an experiential phenomenon, supported by the Internet but smaller. It refers to the actions, transactions, negotiations performed within the digital network.

The Internet is a protocol – a set of rules that allows for a digitally connected network of databases to interact with each other. This happens through a standard set of commonly accepted rules, Internet Protocol version 4 – IPv4. IPv4 allows differently configured networks, working on different platforms, and designed through different technologies to communicate effectively by agreeing on a bare minimum of universally accepted codes for data to navigate cyberspace with the least bit of effort.

IPv4 was defined in 1981, when there were few computers in the world with even fewer connected to networks. It was the protocol that assigned a computer on the Internet, with an IP address, the unique name of a connected device which can be recognised by digital networks. Packets of data transmitted over the Internet need an unique IP address associated to their origin and destination, so that information can travel smoothly. IPv4 was developed so that 4,294,967,296 (2^32) unique IP addresses could be accommodated within the network. When it was designed, it looked like an almost infinite system. No one had ever imagined that the World Wide Web would emerge so quickly! We have reached a point now, where the last free IP addresses have been allotted in February of 2012, and we are now reaching a ‘real-estate’ crisis on the Internet.

Since every device with Internet connectivity has a unique IP address – computers, servers, tablets, smart-phones, e-book readers and even alarm clocks – we need a lot more IP addresses. IPv6 – or Internet Protocol version 6 – is a new standard by which we are now going to expand the ‘land’ upon which the Internet can grow. IPv6 is an overhaul of the existing system which will be able to handle 340 undecillion (2^128) unique addresses. Leading global Internet Service Providers and technology companies like Tata Communications have recognised this as the need of the hour since increasingly we are living in digital information societies. However, IPv6 is going to have a range of serious implications for our hardware and software needs as well as our usage patterns and how the Internet is going to expand in the future.

This communique is brought to you by Tata Communications and the Centre for Internet and Society.

If you would like any further information on IPv6 at Tata Communications, please reach out to: divya.anand@tatacommunications.com or write to Nishant Shah, Director-Research at the Bangalore based Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/ip-v-6

IP Addresses and Expeditious Disclosure of Identity in India

Prashant Iyengar — 2012-12-14T10:20:59Z

In this research, Prashant Iyengar reviews the statutory mechanism regulating the retention and disclosure of IP addresses by Internet companies in India. Prashant provides a compilation of anecdotes on how law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Over the past decade, with the rise in numbers of users, the internet has become an extremely fraught site that has been frequently used in India for the perpetration of a range of 'cyber crimes' — from extortion to defamation to financial fraud. In a revealing statistic, in 2010, the Mumbai police reportedly "received 771 complaints about internet-related offences, 319 of which were from women who were the victims of fake profiles, online upload of private photographs and obscene emails."[1]

Law enforcement authorities in India have not exactly lagged behind in bringing these new age cyber criminals to book, and have installed special ‘Cyber crime cells’ in different cities to combat crimes on the internet. These cells have been particularly adept at using IP Addresses information to trace individuals responsible for crimes. Very briefly, an Internet Protocol address (IP address) is a numeric label – a set of four numbers (Eg. 202.54.30.1) - that is assigned to every device (e.g., computer, printer) participating on the internet. [2] Website operators and ISPs typically maintain data logs that track the online activity of each IP address that accesses their services. Although IP Addresses refer to particular computers – not necessarily individual users – it is possible to trace these addresses backwards to expose the individual behind the computer. [3] As even a casual Google search with the phrase “IP, police, India” would reveal, police authorities in different cities in India have been quite successful in employing this technology to trace culprits.

However, along with its utility in the detection of crime, the tracking of persons by their IP addresses is potentially invasive of individuals’ privacy. In the absence of a culture of strict adherence to the ‘rule of law’ by the police apparatus in India, the unbridled ability to track persons through IP addresses has the potential of becoming an extremely oppressive tool of surveillance.

In this short note, we review the statutory mechanism regulating the retention and disclosure of IP addresses by internet companies in India. In order to provide context, we begin with a compilation of anecdotes on how various law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Examples of use and abuse by Indian authorities

As mentioned above, the online media has been humming with stories which indicate the extent to which IP Addresses has become a useful and frequently deployed weapon in the arsenal of law enforcement agencies:

In May 2010, an Army officer stationed in Mumbai was arrested for distributing child pornography from his computer. [4] He was traced by the Mumbai Police after the German Federal Police alerted Interpol that objectionable pictures were being uploaded from the IP address he was using.
In February 2011, Cyber Crime Police in Mumbai sought IP address details of a user who had posted ‘Anti Ambedkarite’ content on Facebook – the popular social networking site. [5]
In February 2008, internet search company Google was ordered by the Bombay High Court to reveal "particulars, names and the address of the person" who had posted defamatory content against a company on Google’s blogging service Blogger.[6]
In September 2009, a man was arrested by the Delhi Police in Mumbai for blackmailing classical musician Anoushka Shankar. The culprit had allegedly hacked into her email account and downloaded copies of personal photographs. He was traced by using his IP address.[7]
In April 2010, Gurgaon Police arrested a teenage boy for allegedly posting obscene messages about an actress on Facebook. The newspaper account reports that "During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer." [8]
In February 2011, the police traced a missing boy who had run away from home, by following the IP address trail he left when he updated his Facebook profile status. [9]

What is clearly evident from these accounts is a growing awareness and enthusiasm on the part of Indian law enforcement agencies to use IP address trails as a routine part of their criminal investigative process. While this is not unwelcome, considering the kinds of grievances listed above and the backdrop a dismal record of criminal enforcement in India, there is also a flip side. In a shocking incident in August 2007, Lakshmana Kailash. a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. [10] The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and jailed for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.

Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages.[11] This incident sounds a cautionary note, amidst so many celebratory accounts, signalling that grave human rights abuses could result from the unchecked use of this technology.

These are just seven out of scores of instances of Indian investigative authorities tracing culprits using IP addresses. The crimes range from blackmail to impersonation, to defamation to planning terror attacks. Seldom in these cases has a court order actually been required by the agency that discloses the IP address of the individual.[12] Clearly there seems to be a very easy relation between law enforcement agencies in India one the one hand, and Internet Service Providers and online services such as Google and Facebook on the other.

Google’s own ‘Transparency Report’[13] which provides statistics on the number of instances where Governments agencies have approached the company demanding information or take-down, states that that it received close to 1700 ‘data requests’ from Indian authorities between January to June 2010 – ranking India 3rd globally in terms of such requests behind the United States and Brazil. That a high percentage – 79% - of these requests have been complied with indicate that within a short span of time, ‘Indian authorities’ have discovered in Google, a reliable and pliable ally in seeking information about their subjects. In 2007, Orkut -a social-networking site owned by Google- even entered into a co-operation agreement with the Mumbai police in terms of which “'forums' and 'communities'” which contained “defamatory or inflammatory content” would be blocked and the IP addresses from which such content has been generated would be disclosed to the police. [15]

Although similar transparency reports are not forthcoming from the other Internet giants such as Yahoo or Facebook, one may presume that this co-operation has not been withheld by them. [16]

In the sections that follow, we outline the legal framework that facilitates this co-operation between law enforcement authorities and web service providers.

Lawful disclosure of IP Addresses

In this section, we are seeking a legal source for the compulsion of ISPs and intermediaries (including websites) to disclose IP Address data. Are there guidelines in Indian law on how much information must be disclosed, under what circumstances and for how long?

Broadly, there are four sources to which we may trace this regime of disclosure and co-operation. Firstly, ISPs are required, under the operating license they are issued under the Telegraph Act, to provide assistance to law enforcement authorities. Secondly, the Information Technology Act contains provisions which empower law enforcement authorities to compel information from those in charge of any ‘computer resources’. Reciprocally, ‘intermediaries’ – including ISPs and websites - are charged under new Rules under the IT Act with co-operating with government agencies on pain of exposure to financial liability. Thirdly, the Code of Criminal Procedure defines the scope of police powers of investigation which include powers to interrogate and summon information and Fourthly, individual subscribers enter into contracts with ISPs and web services which do not offer any stiff assurances of privacy with regard to the IP Address details.

The sections that follow offer greater detail on each of these areas of the law.

Monitoring of internet users under the ISP licenses

ISPs are regulated and operate under a license issued under the Telegraph Act 1885. Section 5 of the Telegraph Act empowers the Government to take possession of ‘licensed telegraphs’ and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence."

Although the statute governs the actions of ISPs in a general way, more detailed guidelines regulating their behaviour are contained in the terms of the licenses issued to them which set out the conditions under which they are permitted to conduct business. The Internet Services License Agreement (which authorizes ISPs to function in India) contains provisions requiring telecom operators to safeguard the privacy of their consumers or to co-operate with government agencies when required to do so. Some of the important clauses in this agreement are:

Part VI of the License Agreement gives the Government the right to inspect/monitor the ISPs systems. The ISP is responsible for making facilities available for such interception.
Clause 32 under Part VI contains provisions mandating the confidentiality of information held by ISPs. These provisions hold ISPs responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place. Towards this, ISPs are required:

to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavours to secure that :
to ensure that no person acting on behalf of the ISPs divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and
This safeguard however does not apply where (i) The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or (ii) The information is already open to the public and otherwise known.
To take necessary steps to ensure that any person(s) acting on their behalf observe confidentiality of customer information.

Clause 33.4 makes it the responsibility of the ISP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.
Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.
Clause 34.12 and 34.13 requires the ISP to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities.
Clause 34.16 requires the ISP to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.
Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”.
Clause 34.23 mandates that the ISP maintain "all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor".
Clause 34.28 (viii) forbids the ISP from transferring the following information to any person/place outside India:

Any accounting information relating to subscriber (except for international roaming/billing) (Note: it does not restrict a statutorily required disclosure of financial nature) ; and
User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).

Clause 34.28(ix) and (x) require the ISP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.
Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”. (It is unclear whether this is to operate as an overriding provision governing all other clauses as well).

From the list above, it is very clear that by the terms of their licenses, ISPs are required to maintain extensive logs of user activity for unspecified periods. However, it is unclear, in practice, to what extent these requirements are being followed by ISPs. For instance, an article in the Economic Times in December 2010 [18] reports:

"The Intelligence Bureau wants internet service providers, or ISPs, to keep a record of all online activities of customers for a minimum of six months. Currently, mobile phone companies and internet service providers do not keep online logs that track the web usage pattern of their customers. They selectively monitor online activities of only those customers as required by intelligence and security agencies, explained an executive with a telecom company." (emphasis added)

The news report goes on to disclose the ambitious plans of the Intelligence Bureau to “put in place a system that can uniquely identify any person using the internet across the country” through “a technology platform where users will have to mandatorily submit some form of an online identification or password to access the internet every time they go online, irrespective of the service provider.” Worryingly, the report goes on to discuss the setting up by the telecommunications department of “India's indigenously-built Centralised Monitoring System (CMS), which can track all communication traffic—wireless and fixed line, satellite, internet, e-mails and voice over internet protocol (VoIP) calls—and gather intelligence inputs. The centralised system, modeled on similar set-ups in several Western countries, aims to be a one-stop solution as against the current practice of running several decentralised monitoring agencies under various ministries, where each one has contrasting processing systems, technology platforms and clearance levels.” Although as of this writing, this CMS is not yet fully functional, its launch seems to be imminent and will inaugurate with it, an era of constant and continuous surveillance of all internet users.

Provisions under the IT Act 2000

The IT Act enables government agencies to obtain IP Address details from intermediaries, including ISPs, by following a stipulated procedure. In addition, it enjoins intermediaries to co-operate with law enforcement agencies as a part of their due-diligence behaviour.

In a parallel, seemingly conflicting move, the IT Act also requires intermediaries to observe stiff Data Protection norms. In the sub-sections that follow, we look at each of these various provisions under the IT Act.

Interception and Monitoring of computer resources

There are two regimes of interception and monitoring information under separate sections the Information Technology Act. Both would seem capable of authorising access of IP Addresses, among other information to government agencies.

Section 69 deals with “Power to issue directions for interception or monitoring or decryption of any information through any computer resource”.

In addition, the Government has been given a more generalised monitoring power under Section 69B to “monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource”. This monitoring power may be used to aid a range of “purposes related to cyber security.”[19] “Traffic data” has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.”

Rules have been issued by the Central Government under both these sections which are similar, although with important distinctions. These rules stipulate the manner in which the powers conferred by the sections may be exercised.

The important difference between the two sections is that while Section 69 provides a mechanism whereby specific computer resources can be monitored in order to learn the contents of communications that pass through such resource, Section 69B by contrast provides a mechanism for obtaining ‘meta-data’ about all communications transacted using a computer resource over a period of time – their sources, destinations, routes, duration, time etc without actually learning the content of the messages involved. The latter type of monitoring is specifically in order to combat threats to ‘cyber security’, while the former can be invoked for a number of purposes such as the securing of public order and criminal investigation. [21]

However, this distinction is not very sharp – an interception order under Section 69 directed at a computer resource located in an ISP can yield traffic data in addition to the content of all communications. Thus for instance, if a direction was passed ordering my ISP to intercept “all communications sent or received by Prashant Iyengar”, the information obtained by such interception would include a resume of all emails exchanged, websites visited, files downloaded etc. In such a case, a separate order under Section 69B would be unnecessary. An important clue about their relative importance may lie in the different purposes for which each section may be invoked coupled with the fact that while directions under Section 69 can be issued by officers both at the central and state level, directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology. [22] This indicates that the collection of traffic data by the government under Section 69B is intended to facilitate the securing of India’s ‘cyber security’ from possible external threats – a Defence function – while the interception powers under Section 69 are to be exercised for more domestic purposes as aids to Police functions.

The rules framed under Section 69 and Section 69B contain important safeguards stipulating, inter alia, to a) Who may issue directions b) How are the directions to be executed c) The duration they remain in operation d) to whom data may be disclosed e) Confidentiality obligations of intermediaries f) Periodic oversight of interception directions by a Review Committee under the Telegraph Act g)maintenance of records of interception by intermediaries h) Mandatory destruction of information in appropriate cases.

Although these sections provide powerful tools of surveillance in the hands of the state, these powers may only be exercised by observing the rather tedious procedures laid down. In the absence of any data on interception orders, it is unclear to what extent these powers are in fact being used in the manner laid down. Certainly, from the instances cited in the beginning of this paper, the police departments in the various states do not seem to need to invoke these powers in order to obtain IP Address information from ISPs or websites. This information appears to be available to them merely for the asking. How do we account for this unquestioning pliancy on the part of the ISPs?

In February 2011, Reliance Communications, a large telecom service provider disclosed to the Supreme Court that over a hundred and fifty thousand telephones had been tapped by it between 2006 and 2010 – almost 30,000 a year. A majority of these interceptions were conducted based on orders issued from state police departments whose legal authority to issue them is suspect. New rules framed under the Telegraph Act in 2007 required such orders to be issued only by a high-ranking Secretary in the Department/Ministry of Home Affairs. [23] The willing compliance by Reliance with the police’s requests indicates both their own as well as the police’s blithe unawareness about the change in the regime governing tapping. Things seem to have continued just as before through pure inertia.

To return to the question about why ISPs comply with police requests, it is conceivable that this same inertia, and an intuitive confidence both on the part of the police and the ISPs that they would not be made to answer for their disclosures, is what explains the ready and expeditious access that ISPs give police departments to IP Address details. In the next sub-section we examine intermediary liability rules which require intermediaries to positively disclose personal information to law enforcement authorities.

Data Protection Rules

Section 43A of the IT Act obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which, they would be liable to compensate those affected by any negligence attributable to this failure.

In April 2011, the Central Government notified rules under section 43A of the Information Technology Act in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold. Since traffic data including IP Address data is one kind of personal information that ISPs hold, and since all ISPs are ‘body corporates’, these rules apply to them equally and define the terms on which they may deal with such information.

Rule 3 of these Rules designates various types of information as ‘sensitive personal information’ including passwords, medical records etc.[25] Significantly, for the purposes of this paper, IP address details are not included in this list.

Body Corporates are forbidden from collecting any information without prior consent in writing for the proposed usage. Further, Sensitive personal information may not be collected unless - (a) the information is collected for a lawful purpose connected with a function or activity of the agency; and (b) the collection of the information is necessary for that purpose. [Rule 5]

Rule 4 enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” including on a website. The policy must provide the following details:

Clear and easily accessible statements of its practices and policies;
Type of personal or sensitive information collected;
Purpose of collection and usage of such information;
Disclosure of such information as provided in rule 6 [27]
Reasonable security practices and procedures as provided under rule 8.

Rule 6 enacts as a general rule that disclosure of information “by the body corporate to any third party shall require prior permission from the provider of such information”. Consent is, however, not required, “where disclosure is necessary for compliance of a legal obligation”. This is further fortified by a proviso to the rule which stipulates the mandatory sharing of information “without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.” In such a case, the Government agency is required to “send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information.” The government agency is also required to “state that the information thus obtained will not be published or shared with any other person.” [28]

Sub Rule (2) of Rule 6 requires “any Information including sensitive information” to be “disclosed to any third party by an order under the law for the time being in force.” This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.

Rule 8 requires body corporates to implement documented security standards such as the international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System”.

What is curious about these rules is that its provisions, particularly those relating to lawful disclosure, appear to go much further than the limited purpose authorised by section 43A under which they are framed. Section 43A is intended only to fix liability for the negligent disclosure of information by body corporates which results in wrongful loss. It is not intended to inaugurate a regime of mandatory disclosure, as the Rules attempt to do. In positively requiring, body corporates to disclose information upon a mere request by any ‘government agency’, these rules attempt to create a parallel, much softer mechanism by which the same information that is dealt with under Sections 69 and 69A and rules framed under them can be accessed by a far wider range of governmental actors.

Even more curious is the fact that the only legal consequence to the ISP for its negligence in disclosing information to government agencies as stipulated in the rules is that it exposes itself to possible civil liability from the ‘person affected’. [29] Thus, conceivably, if an ISP failed to disclose IP Address data of its users to the police at the instance of, say, targets of online financial fraud, they can be sued by the victims of such fraud. With no incentive to assume this ridiculous burden, it is foreseeable that ISPs would hasten to comply with every request for information from a government agency– however whimsically issued.

Intermediary Due Diligence

Section 79 of the IT Act makes intermediaries, including ISPs liable for third party content hosted or made available by them unless they observe ‘due diligence’, follow prescribed guidelines and disable access to any unlawful content that is brought to their attention. Rules were notified under this section in April 2011 which defined the ‘due diligence’ measures they were required to observe. [30]

Accordingly, ISPs are required to forbid users from publishing, uploading or sharing any information that:

belongs to another person and to which the user does not have any right to;
is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
harm minors in any way;
infringes any patent, trademark, copyright or other proprietary rights;
violates any law for the time being in force;
deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
impersonates another person;
contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

Upon being notified by any ‘affected person’ who objects to such information in writing, the ISP is required to “act within thirty six hours and where applicable, work with user or owner of such information to disable such information”. [31]

Further, “when required by lawful order”, the ISP, website or any other intermediary “shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.”

Visible here is the same attempt at subversion of Sections 69 and 69B as discussed in the previous section under the Data Protection Rules. Failure to observe these ‘due diligence’ measures – including disclosure of IP Address details – would expose ISPs and web-services like Google and Facebook to civil liability under Section 79, a risk they would not likely or lightly wish to assume.

Police powers of investigation

Apart from the provisions under the IT Act, to what extent are the police in India empowered under the Criminal Procedure Code to simply requisition information - including IP Addresses of suspects - from ISPs and Websites? In the course of routine investigation into other offences, the police have wide powers to summon witnesses, interrogate them and compel production of documents. Can these powers be invoked to obtain IP Address information? Are ISPs and Websites somehow immune from complying with these requirements?

Section 91 of the Code of Criminal Procedure empowers courts or police officers to call for, by written order, the production of documents or other things that are “necessary or desirable” for the purpose of “any investigation, inquiry, trial or other proceeding under the Code”.

Sub-section 3 of this section however limits the application of this power by exempting any “letter, postcard, telegram, or other document or any parcel or thing in the custody of the postal or telegraph authority.” Such documents can only be obtained under judicial scrutiny by following a more rigorous procedure laid down in Section 92. Under this section, it is only if a “District Magistrate, Chief Judicial Magistrate, Court of Session or High Court” is of the opinion that “any document, parcel or thing in the custody of a postal or telegraph authority is.. wanted for the purpose of any investigation, inquiry, trial or other proceeding under this Code” that such document, parcel or thing can be required to be delivered to such Magistrate or Court.

However the same section empowers lesser courts and officers such as “any other Magistrate, whether Executive or Judicial, or of any Commissioner of Police or District Superintendent of Police” to require “the postal or telegraph authority, as the case may be .. to cause search to be made for and to detain such document, parcel or thing” pending the order of a higher court.

Section 175 makes it an offence for a person to intentionally omit to produce a document which he is legally bound to produce. In case the document was to be delivered to a public servant or police officer, such omission is punishable with simple imprisonment of up to one month, or with fine up to five hundred rupees or both. If the document was to be delivered to a Court of Justice, omission could invite simple imprisonment up to six with or without a fine of one thousand rupees.

In the context of our discussion on IP Addresses, the following questions emerge:

Are ISPs “telegraph authorities” so that the police are ordinarily prohibited from requisitioning information from them without obtaining orders from a court.
Similarly are Webmail and social networking sites “telegraph or postal authorities” so that securing information from them requires the following of the special procedure laid down in Section 92

Section 3(6) of the Indian Telegraph Act, 1885 defines "telegraph authority" as “the Director General of [Posts and Telegraphs], and includes any officer empowered by him to perform all or any of the functions of the telegraph authority under this Act”. This would seem to exclude all private sector ISPs from the definition, presumably opening them up to ordinary summons issued under Section 91.

However, Section 3(2) defines a "telegraph officer" to mean “any person employed either permanently or temporarily in connection with a telegraph established, maintained or worked by [the Central Government] or by a person licensed under this Act;” Under this section, employees of private ISPs such as Airtel would also be regarded as “telegraph officers” and if we can extend this logic, with some interpretative work, the ISPs themselves might be regarded as “telegraph authorities”. In the absence of definite rulings by the judiciary on this question, however, the ordinary presumption would be that private ISPs are not “telegraph authorities” and are answerable, like all private companies, to requisitions made under Section 91.

This leaves open the question of whether a government company like BSNL would count as a ‘telegraph authority’. If it is, then it would put internet communications conducted through BSNL on a more secure footing than through other ISPs. As things stand, however, it appears that BSNL seems to be extending its co-operation to the police in tracking mischief online , in the same manner as other ISPs.

The second question is relatively more straightforward. The definition of “Post Office” in the Indian Post Office Act 1898 restricts its meaning to “the department, established for the purposes of carrying the provisions of this Act into effect and presided over by the Director General [of Posts and Telegraphs]” (Section 2k). Despite their primary functions as email providers, it seems unlikely that any magistrate would interpret webmail providers like Hotmail and Google as “postal authorities” so as to be immune from police summonses under Section 91. Such an interpretation would, nevertheless, be in keeping with the spirit of the postal exemptions, since these sections seem to be aimed at requiring judicial oversight before the privacy of communications may be disturbed. It would be fitting for an amendment to be introduced to the Code of Criminal Procedure to update these sections in line with new technological developments.

Before parting with this section, it must be asked whether the procedure under the IT Act or the CrPC must be followed. Section 81 of the Information Technology Act unequivocally declares that act to have “overriding effect” “notwithstanding anything inconsistent therewith contained in any other law for the time being in force.” This seems to suggest that at least with respect to interception of electronic communications and obtaining traffic data, the provisions of the CrPC would be overridden by the procedure laid down by the rules under the IT Act. The evidence from the practice of the Indian police routinely obtaining IP Address from web service providers and ISPs seems to suggest that the IT Act has not been invoked in these transactions. This is a trend that is likely to continue until their legality is questioned in a court of law.

Subscriber Contracts with web service providers

In addition to statutory provisions mandating the disclosure of IP Address information, such disclosure may also be permissible by the terms under which individual websites provides their services. Two examples would suffice here:

Google’s privacy policy which governs its full range of services from its popular search service to Gmail, as well as the groups and blogging services, states that the company will disclose personal information inter alia if

"We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law."

Information collected by Google includes server logs which include the following information: "your web request, your interaction with a service, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your account." [34]

Similarly, social networking site Facebook contains an equally expansive ‘lawful disclosure’ clause in its Privacy Policy [35] which states that the company will disclose information:

"To respond to legal requests and prevent harm. We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities."

Information collected by Facebook includes information about the device (computer, mobile phone, etc) about your browser type, location, and IP address, as well as the pages visited. [36]

Examples of such clauses abound and it would be fair to assume that almost every corporate website one visits has analogously worded terms of service permitting ‘lawful disclosure’. This contractual backdoor negatives any expectation of absolute privacy of IP Address details that one might mistakenly have harboured.

Conclusion

As indicated in the introduction, IP addresses have proven to be a dependable way for the police in India to track down a range of cyber-criminals – from financial frauds, to vengeful spurned-lovers, to blackmailers and terrorists. The novelty of ‘cyber crimes’, as well as the relative high-tech ease of their resolution makes for attractive press, and offers an inexpensive way for police departments to accrue some credibility and goodwill for themselves. So long as the police track down genuine culprits, the question of privacy violations will necessarily remain suppressed since, in the words of the Supreme Court “the protection [of privacy] is not for the guilty citizen against the efforts of the police to vindicate the law." [37] However it is the possibility of an increase in egregious cases such as those of Lakshmana Kailash, mentioned above, wrongfully jailed for 50 days on account of a technical error, that reveals the pathologies of the unchecked system of IP Address disclosure that prevails today.

Legal regimes in the West have largely been indecisive about whether to characterize the maintenance of IP Address logs as handmaids for Orwellian thought-policing, or merely as implements that aid the apprehension of cyber criminals who have no legitimate expectation of privacy. Their laws typically come with procedural safeguards such as mandatory notices to affected persons [38], and judicial review which greatly mitigate the severity of these disclosures when they do occur.

Far from incorporating such safeguards, the various layers of Indian law create an atmosphere that is intensely hostile to the withholding of such information by ISPs and intermediaries. Overlapping layers of regulation between the Telegraph Act and the IT Act, and the conflict among various rules under the IT Act have created a climate of such indeterminacy that immediate compliance with even the most capricious of information demands by any government agency is the only prudent recourse for ISPs and other intermediaries. The DoT has issued a circular requiring the registration of public and domestic wifi networks to facilitate greater precision in tracking individuals behind IP Addresses. [39] For the same purpose, new Cyber Café Rules under the IT Act require extensive registers and logs to be maintained that track the identity of every user and the websites they have visited. [40] And if the full ambitions of the Unique Identity Numbering Scheme and the Centralised Monitoring System are realized, we will shortly be headed for exactly the kind of persistent surveillance society that Orwell wrote so fondly about.

The Indian judiciary, which could have played a counterbalancing role to the legislature’s apathy towards privacy and the executive’s increasingly totalitarian tendencies, has so far not risen to the challenge. The Supreme Court has repeatedly condoned the obtaining of evidence through illegal means, [41] and this has rendered the requirement of adherence to procedural due process by the police merely optional. This guarantee of judicial inaction in the face of executive illegality will be the biggest stumbling block to the securing of privacy – despite the occasionally good intentions of the legislature.

So, in the absence of a general assurance of privacy of our internet communications, where does one look to for hope? I would venture to suggest that there are four sources of optimism:

Notwithstanding the iron determination of the Central Government to install a panoptic communication surveillance system, the realization and smooth functioning of these technocratic fantasies will depend on the reconfiguration of the relative powers of various ministries at the Central Level– chiefly the Ministry of Communications and Information Technology and the Home Ministry – and between the Centre and the State. One can rely, one feels, on the unwillingness of various ministries to cede their powers to forestall or at least delay or diminish the execution of this project. The success of the technology, in other words, is not as much in doubt as the success of the politics. Privacy will triumph in this ‘failure’ of politics. I advance this point naively and with only the slightest sense of irony.
Another ironic point : I suggest the ingenious and very Indian phenomena of inefficiency and ignorance as robust privacy safeguards. How does one account for the fact that despite heavily worded and repeated invocations of disclosure requirements in the ISP licenses for almost a decade, it was not until December 2010 that the Home Ministry tentatively suggests to ISPs that IP records must be kept for a minimum of six months? This despite the fact that the ISP license itself requires that such records be kept for one year. How does one explain the unanimous blinking astonishment of the industry at this suggestion, other than they expected never to have to implement it? Or that the extensive logs that cyber café owners are required to maintain about their clientele are seldom checked? [43] In India it seems to be an unstated element of the business climate that one can reliably depend on the non-enforcement of contractual clauses. Sometimes this inefficiency on the part of the state has inadvertent privacy-preserving effects.
The power of the state to rely on IP Addresses depends on the availability of global internet behemoths such as Microsoft, Google, Facebook and Yahoo who are vulnerable to bullying in order to maintain their transnational empires. In each of the success stories mentioned at the start of this paper, IP Address details were obtained from one of the big companies named, from which the lesson that emerges is that our ability to retain our anonymity will depend on our ability to find smaller, non-Indian substitutes who have nothing to fear from Indian authorities. In June 2010, for instance, the Cyber Crime Police Station, Bangalore sent a notice under Section 91 of the CrPC to the manager of BloggerNews.Net (BNN) seeking the IP Address and details of a user who had allegedly posted “defamatory comments” on BNN about an Indian company called E2-Labs. The manager of BNN bluntly refused to comply stating: “our policy is not to give out that information, BNN holds peoples privacy in high esteem.”[44] The lesson here is that in the future, the ability of Indians to preserve their online ‘privacy’ and freedom of speech will depend on their being able to find sufficiently small overseas clients to host their speech. Conflict of Laws rather than domestic legislation is a more reliable guarantor of privacy.

Notes

[1].Hafeez, M., 2011. A tangled web of vengeance. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-03-28/mumbai/29353669_1_boyfriend-social-networking-police-officer [Accessed June 21, 2011].

[2].Adapted from the Wikipedia entry on IP Address.

[3].McIntyre, Joshua J., Balancing Expectations of Online Privacy: Why Internet Protocol (IP) Addresses Should be Protected as Personally Identifiable Information (August 15, 2010). DePaul Law Review, Vol. 60, No. 3, 2011. Available at SSRN: http://ssrn.com/abstract=1621102 [Accessed June 21, 2011] .

[4].Anon, 2010. Army officer held in city for child porn -. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-05-08/mumbai/28292650_1_hard-disks-obscene-clippings-downloading [Accessed June 15, 2011].

[5].Anon, 2011. Anti-Ambedkar page on Facebook blocked. Hindustan Times. Available at: http://www.hindustantimes.com/Anti-Ambedkar-page-on-Facebook-blocked/Article1-663383.aspx [Accessed May 24, 2011].

[6].Sarokin, David. Google Ordered to Reveal Blogger Identity in Defamation Suit in India:Gremach Infrastructure vs Google India [Internet]. Version 5. Knol. 2008 Aug 15. Available from: http://knol.google.com/k/david-sarokin/google-ordered-to-reveal-blogger/l9cm7v116zcn/7.

[7].Anon, 2009. Mumbai: Man held for blackmailing Anoushka Shanka. Rediff.com. Available at: http://news.rediff.com/report/2009/sep/20/police-arrest-man-for-blackmailing-anoushka-shankar.htm [Accessed May 24, 2011].

[8].Anon, 2010. Cyber cell nets Delhi teen for lewd online posts - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011].

[9].Hafeez, M., 2011. Police find runaway student “online” - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-02-17/mumbai/28554314_1_social-networking-networking-site-sim-card [Accessed June 21, 2011].

[10].Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article§id=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011].

[11].Ibid.

[12].This is not atypical. In the US, for instance, as Joshua McIntyre writes, “While various federal statutes protect similar data such as telephone numbers and mailing addresses as Personally Identifiable Information (PII), federal privacy law does not generally regard IP addresses as information worthy of protection. It has, therefore, become commonplace for litigants to subpoena ISPs to unmask online speakers. Many ISPs have no reason to fight these subpoenas and readily give up their subscribers’ names, addresses, telephone numbers, and other identifying data without demanding any court oversight or providing any notice to the subscriber. Even when courts become involved, a full consideration of the online speaker’s privacy interests is far from certain” Joshua McIntyre, supra note 3 at p.5.

[13].Anon, 2011. User Data Requests - India. Google Transparency Report. Available at: http://www.google.com/transparencyreport/governmentrequests/IN/?p=2010-12&p=2010-12&t=USER_DATA_REQUEST&by=PRODUCT [Accessed June 29, 2011].

[14].Ibid.

[15].Anon, 2007. Orkut’s tell-all pact with cops. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2007-05-01/news/28459689_1_orkut-ip-addresses-google-spokesperson [Accessed June 15, 2011].

[16].In June 2011, Hotmail supplied IP Address details which enabled Delhi Police to trace, with further assistance from Airtel, the sender of obscene emails to a noted actress. Sharma, M., 2011. Priyanka Chopra’s cousin harrassed in Delhi. Mid-Day. Available at: http://www.mid-day.com/news/2011/jun/100611-news-delhi-priyanka-chopra-cousin-Meera-Chopra-harrassed.htm [Accessed June 28, 2011].

[17]. In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.

[18].Thomas Philip, J., 2010. Intelligence Bureau wants ISPs to log all customer details. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2010-12-30/news/27621627_1_online-privacy-internet-protocol-isps [Accessed June 28, 2011].

[19].The Monitoring Rules list 10 ‘cyber security’ concerns for which Monitoring may be ordered: (a) forecasting of imminent cyber incidents; (b) monitoring network application with traffic data or information on computer resource; (c) identification and determination of viruses/computer contaminant; (d) tracking cyber security breaches or cyber security incidents; (e) tracking computer resource breaching cyber security or spreading virus/computer contaminants; (f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security; (g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force; (i) any other matter relating to cyber security.

[20].Respectively the INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR INTERCEPTION, MONITORING AND DECRYPTION OF INFORMATION) RULES, 2009, G.S.R. 780(E) (2009), http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/Itrules301009.pdf (last visited Jun 30, 2011). and INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR MONITORING AND COLLECTING TRAFFIC DATA OR INFORMATION) RULES, 2009, G.S.R. 782(E) (2009), http://cca.gov.in/rw/resource/gsr782.pdf?download=true (last visited Jun 30, 2011).

[21].Section 69 lists the following grounds for which interception may be ordered : a) sovereignty or integrity of India, b) defense of India, c) security of the State, d)friendly relations with foreign States or e)public order or f)preventing incitement to the commission of any cognizable offence relating to above or g) for investigation of any offence.

[22].Rule 2(d) of the Monitoring and Collecting of Traffic Data Rules 2009.

[23].Telegraph (Amendment) Rules 2007, Available at: http://www.dot.gov.in/Acts/English.pdf [Accessed June 28, 2011].

[24].INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION), (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[25].The full list under Rule 3 includes : password; financial information such as Bank account or credit card or debit card or other payment instrument details ; physical, physiological and mental health condition; sexual orientation; medical records and history; Biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

[26].“Provider of data” is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally – and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.

[27].This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6..

[28].This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agencies that betrays this statement? Why not instead, insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?.

[29].The consequence of disobeying the rules is that the ‘body corporate’ is legally deemed not to have observed ‘reasonable security practices’. Section 43A penalizes such failure if it causes wrongful loss due to the disclosure.

[30].INFORMATION TECHNOLOGY (INTERMEDIARIES GUIDELINES) RULES, (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[31].The easily-affronted have thus been provisioned with a cheaper, swifter and more decisive means of curtailing free speech, where courts in India might have dithered ponderously instead Or they might not have. As of this writing, an obscure court in a Silchar, Assam issued an ex-parte injunction prohibiting the online publication of a highly-acclaimed biopic about Arindam Chaudhuri – a self-proclaimed ‘management guru’ who has gained notoriety in India due the questionable nature of a management institute that he runs. The choice of this particular court as the venue to file the suit, rather than one in New Delhi where both the plaintiff and the publisher reside, coupled Chaudhuri’s consistent success in obtaining such plenary gag-orders from this judge against any content he deems unflattering to himself, strongly suggests foul-play. Although this is not a typical case, it does caution against placing too much optimism on supposed judicial restraint and conservativeness. Anon, 2011. IIPM’s Rs500-million lawsuit against The Caravan. The Caravan, 3(6). Available at: http://caravanmagazine.in/Story/950/IIPM-s-Rs500-million-lawsuit-against-The-Caravan.html [Accessed June 28, 2011].

[32].See Ali, S.A., 2010. Cyber cell nets Delhi teen for lewd online posts. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011]. (“During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer.”); See also Rehman, T., 2008. A Case For Fools? Tehelka. Available at: http://www.tehelka.com/story_main40.asp?filename=Ws181008case_fools.asp [Accessed June 30, 2011].(“ The state police reportedly traced the email to the cyber café through its IP address. “We traced the email to a BSNL line. The BSNL has a cell in Bangalore to track such details. They traced the number to that particular cyber café in Shillong,” S.B. Singh, IGP (special branch) Meghalaya police told TEHELKA”)..

[33].Anon, 2010. Privacy Policy. Google Privacy Center. Available at: http://www.google.com/privacy/privacy-policy.html [Accessed June 28, 2011].

[34].Ibid.

[35].Anon, 2010. Privacy Policy. Facebook. Available at: http://www.facebook.com/policy.php [Accessed June 28, 2011].

[36].Ibid.

[37].R. M. Malkani v State Of Maharashtra AIR 1973 SC 157, 1973 SCR (2) 417.

[38].Eg. Title 18 US Code § 2703 provides for mandatory notice in case of wiretapping with a provision of ‘delayed notice’ where an ‘adverse result’ is apprehended such as (A) endangering the life or physical safety of an individual; (B) flight from prosecution; (C) destruction of or tampering with evidence; (D) intimidation of potential witnesses; or (E) otherwise seriously jeopardizing an investigation or unduly delaying a trial. Title 18,2705., Available at: http://www.law.cornell.edu/uscode/18/usc_sec_18_00002705----000-.html [Accessed June 28, 2011].

[39].Ministry of Communications & IT. Letter to All Internet Service Providers. “Instructions under the ISP License regarding provisioning of Wi-Fi internet service under delicenced frequency band”, February 23, 2009. http://www.dot.gov.in/isp/Wi-%20fi%20Direction%20to%20ISP%2023%20Feb%2009.pdf (last visited Jun 30, 2011). Internationally, this does not appear to be an uncommon move. See Thompson, C., 2011. Innocent Man Accused Of Child Pornography After Neighbor Pirates His WiFi. Huffington Post. Available at: http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html [Accessed June 30, 2011]. (“In Germany, the country's top criminal court ruled last year that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party.”).

[40].INFORMATION TECHNOLOGY (GUIDELINES FOR CYBER CAFE) RULES, 2011., G.S.R. 315(E) (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[41].See State Of Maharashtra v. Natwarlal Damodardas Soni AIR 1980 SC 593 , 1980 SCR (2) 340.

[42].Supra note 15.

[43].Manocha, S., 2009. Cops no more interested in checking cyber cafes. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2009-08-03/lucknow/28172232_1_cyber-cafe-proper-records-ip-address [Accessed June 28, 2011]. (The cyber cafe owners claim that the registers which they maintain are seldom checked by the police. "I maintained the records properly which included recording of the name and address of the visitors and a photocopy of their identification proofs but not even once any cop had checked my records," said Rajeev, a cyber cafe owner in Aliganj. "It is this carelessness on the part of cops that gives those not maintaining proper records to carry on their business without any fear of the law," he added).

[44].Barrett, S., 2010. Blogger News Censored In India. Blogger News Network. Available at: http://www.bloggernews.net/124890 [Accessed June 28, 2011].

For more details visit https://cis-india.org/internet-governance/ip-addresses-and-identity-disclosures

IOCOSE's talk at CIS

praskrishna — 2014-11-25T01:02:24Z

Please join us at the Centre for Internet and Society in Bangalore on Thursday, November 27, 2014 at 7 p.m. for a presentation of the work of the artists group IOCOSE, current artists in residence at T.A.J./SKE Residency.

What is the life of a drone 'in times of peace'? What are the creative potential of a drone? Drones do not have such a thing as a ‘life’. But what if?

The title of our project, 'In Times of Peace' refers to Paul Virilio's theory of logistics (Pure War, 1983).

Quoting an article published by the Pentagon in late '40s, the theorist highlighted the fact that the text presented logistics as the procedure for which the potential of a nation lies in its armed forces, 'in times of peace' as in times of war.

But what does it mean to live 'in times of peace'? And what does this mean for a drone?”

The talk will open with the announcement of the winner of the NoTube Contest 2014 which will be held at the Sree Venkateshwara Cyber Cafe in Bangalore on the very same day.

IOCOSE

IOCOSE is a collective of four artists who has been working in Italy and Europe since 2006. It organises actions in order to subvert ideologies, practices and processes of identification and production of meanings. It uses pranks and hoaxes as tactical means, as joyful and sound tools. IOCOSE thinks about the streets, internet and word of mouth as a battlefield. Tactics such as mimesis and trickery are used to lead and delude the audience into a semantic pitfall. IOCOSE’s work has been shown internationally, such as at Jeu de Paume (Paris, France; 2011); Tate Modern (London, UK; 2011), Festival Nrmal, (Monterrey, Mexico; 2011); Furtherfield Gallery (London, UK; 2012); Venice Biennal (Italy; 2011), Macro (Rome, Italy; 2012); CLICK Festival (Helsingor, Denmark; 2013); Science gallery (Dublin, Ireland, 2012), http://www.iocose.org

T.A.J. RESIDENCY & SKE PROJECTS

T.A.J. RESIDENCY & SKE PROJECTS is a residency program established in 2013 as a collaborative project between a visual artist and a gallerist. Intended as an interdisciplinary residency, it has already hosted visual artists, curators, academics, scientists, fiction writers and journalists. There is always one visual artist in residence. The residency program is also open to applicants from the fields of architecture, design, music, film, performing arts and education, http://t-a-j.in

Marialaura Ghidini

Marialaura is a curator, researcher and writer. She is the founder director of or-bits.com since 2009. Currently she is AHRC-doctoral researcher with CRUMB (Curatorial Upstart Media Bliss) at the University of Sunderland. Based in London, UK, from Brescia, Italy. She can be contacted at mlghidini@gmail.com

For more details visit https://cis-india.org/internet-governance/events/iocose-talk-at-cis

Invisible Censorship: How the Government Censors Without Being Seen

pranesh — 2012-01-04T08:59:14Z

The Indian government wants to censor the Internet without being seen to be censoring the Internet. This article by Pranesh Prakash shows how the government has been able to achieve this through the Information Technology Act and the Intermediary Guidelines Rules it passed in April 2011. It now wants methods of censorship that leave even fewer traces, which is why Mr. Kapil Sibal, Union Minister for Communications and Information Technology talks of Internet 'self-regulation', and has brought about an amendment of the Copyright Act that requires instant removal of content.

Power of the Internet and Freedom of Expression

The Internet, as anyone who has ever experienced the wonder of going online would know, is a very different communications platform from any that has existed before. It is the one medium where anybody can directly share their thoughts with billions of other people in an instant. People who would never have any chance of being published in a newspaper now have the opportunity to have a blog and provide their thoughts to the world. This also means that thoughts that many newspapers would decide not to publish can be published online since the Web does not, and more importantly cannot, have any editors to filter content. For many dictatorships, the right of people to freely express their thoughts is something that must be heavily regulated. Unfortunately, we are now faced with the situation where some democratic countries are also trying to do so by censoring the Internet.

Intermediary Guidelines Rules

In India, the new 'Intermediary Guidelines' Rules and the Cyber Cafe Rules that have been in effect since April 2011 give not only the government, but all citizens of India, great powers to censor the Internet. These rules, which were made by the Department of Information Technology and not by the Parliament, require that all intermediaries remove content that is 'disparaging', 'relating to... gambling', 'harm minors in any way', to which the user 'does not have rights'. When was the last time you checked wither you had 'rights' to a joke before forwarding it? Did you share a Twitter message containing the term "#IdiotKapilSibal", as thousands of people did a few days ago? Well, that is 'disparaging', and Twitter is required by the new law to block all such content. The government of Sikkim can run advertisements for its PlayWin lottery in newspapers, but under the new law it cannot do so online. As you can see, through these ridiculous examples, the Intermediary Guidelines are very badly thought-out and their drafting is even worse. Worst of all, they are unconstitutional, as they put limits on freedom of speech that contravene Article 19(1)(a) and 19(2) of the Constitution, and do so in a manner that lacks any semblance of due process and fairness.

Excessive Censoring by Internet Companies

We, at the Centre for Internet and Society in Bangalore, decided to test the censorship powers of the new rules by sending frivolous complaints to a number of intermediaries. Six out of seven intermediaries removed content, including search results listings, on the basis of the most ridiculous complaints. The people whose content was removed were not told, nor was the general public informed that the content was removed. If we hadn't kept track, it would be as though that content never existed. Such censorship existed during Stalin's rule in the Soviet Union. Not even during the Emergency has such censorship ever existed in India. Yet, not only was what the Internet companies did legal under the Intermediary Guideline Rules, but if they had not, they could have been punished for content put up by someone else. That is like punishing the post office for the harmful letters that people may send over post.

Government Has Powers to Censor and Already Censors

Currently, the government can either block content by using section 69A of the Information Technology Act (which can be revealed using RTI), or it has to send requests to the Internet companies to get content removed. Google has released statistics of government request for content removal as part of its Transparency Report. While Mr. Sibal uses the examples of communally sensitive material as a reason to force censorship of the Internet, out of the 358 items requested to be removed from January 2011 to June 2011 from Google service by the Indian government (including state governments), only 8 were for hate speech and only 1 was for national security. Instead, 255 items (71 per cent of all requests) were asked to be removed for 'government criticism'. Google, despite the government in India not having the powers to ban government criticism due to the Constitution, complied in 51 per cent of all requests. That means they removed many instances of government criticism as well.

'Self-Regulation': Undetectable Censorship

Mr. Sibal's more recent efforts at forcing major Internet companies such as Indiatimes, Facebook, Google, Yahoo, and Microsoft, to 'self-regulate' reveals a desire to gain ever greater powers to bypass the IT Act when censoring Internet content that is 'objectionable' (to the government). Mr. Sibal also wants to avoid embarrassing statistics such as that revealed by Google's Transparency Report. He wants Internet companies to 'self-regulate' user-uploaded content, so that the government would never have to send these requests for removal in the first place, nor block sites officially using the IT Act. If the government was indeed sincere about its motives, it would not be talking about 'transparency' and 'dialogue' only after it was exposed in the press that the Department of Information Technology was holding secret talks with Internet companies. Given the clandestine manner in which it sought to bring about these new censorship measures, the motives of the government are suspect. Yet, both Mr. Sibal and Mr. Sachin Pilot have been insisting that the government has no plans of Internet censorship, and Mr. Pilot has made that statement officially in the Lok Sabha. This, thus seems to be an instance of censoring without censorship.

Backdoor Censorship through Copyright Act

Further, since the government cannot bring about censorship laws in a straightforward manner, they are trying to do so surreptitiously, through the back door. Mr. Sibal's latest proposed amendment to the Copyright Act, which is before the Rajya Sabha right now, has a provision called section 52(1)(c) by which anyone can send a notice complaining about infringement of his copyright. The Internet company will have to remove the content immediately without question, even if the notice is false or malicious. The sender of false or malicious notices is not penalized. But the Internet company will be penalized if it doesn't remove the content that has been complained about. The complaint need not even be shown to be true before the content is removed. Indeed, anyone can complain about any content, without even having to show that they own the rights to that content. The government seems to be keen to have the power to remove content from the Internet without following any 'due process' or fair procedure. Indeed, it not only wants to give itself this power, but it is keen on giving all individuals this power.

It's ultimate effect will be the death of the Internet as we know it. Bid adieu to it while there is still time.

The article was translated to Marathi and featured in Lokmat

For more details visit https://cis-india.org/internet-governance/invisible-censorship

Investigating TLS blocking in India

Simone Basso, Gurshabad Grover and Kushagra Singh — 2020-07-09T01:23:43Z

A study into Transport Layer Security (TLS)-based blocking by three popular Indian ISPs: ACT Fibernet, Bharti Airtel and Reliance Jio.

Gurshabad Grover and Kushgra Singh collaborated with Simone Basso (OONI) to investigate TLS-based blocking in India. The research report was published on OONI's blog. It was edited and reviewed by Maria Xynou and Arturo Filastò.

Summary

This report investigates Transport Layer Security (TLS)-based blocking in India. Previous research by the Centre for Internet & Society, India (CIS) has already exposed TLS blocking based on the value of the SNI field. OONI has also implemented and started testing SNI-based TLS blocking measurements.

Recently, the Magma Project documented cases where CIS India and OONI’s methodologies could be improved. They specifically found that blocking sometimes appears to depend not only on the value of the SNI field but also on the address of the web server being used. These findings were later confirmed by OONI measurements in Spain and Iran through the use of an extended measurement methodology.

We were therefore curious to see whether such an extended methodology would discover further cases of TLS blocking in India. To answer this research question we ran experiments on the networks of three popular Indian Internet Service Providers (ISPs) (ACT Fibernet, Bharti Airtel, and Reliance Jio) which account for over 70% of the internet subscribers in India.

We recorded SNI-based blocking on both Bharti Airtel and Reliance Jio. We also discovered that Reliance Jio blocks TLS traffic not just based on the SNI value, but also on the web server involved with the TLS handshake. Moreover, we noticed that ACT Fibernet’s DNS resolver directs users towards servers owned by ACT Fibernet itself. Such servers caused the TLS handshake to fail, but the root cause of censorship was the DNS.

We also document that one of the endpoints we tested, collegehumor.com:443, does not allow establishing TCP connection from several vantage points and control measurements. Yet, in Reliance Jio, we see cases where the connections to such endpoints complete successfully and a timeout occurs during the TLS handshake. We believe this is caused by some kind of proxy that terminates the TCP connection and performs the TLS handshake.

Read the full research report on OONI's blog.

For more details visit https://cis-india.org/internet-governance/blog/investigating-tls-blocking-in-india

Inventions that will make a difference

praskrishna — 2014-02-12T11:07:02Z

In an increasingly tech-driven world, what does 2014 have to offer? Geeta Padmanabhan turns the spotlight on some life-changing gadgets.

Geeta Padmanabhan's article published in the Hindu on January 1, 2014 quotes Maria Xynou.

Digiterati, have you tried Snapchat, the service that makes messages/photos/captions you send disappear in a few seconds once opened? The app with its swelling popularity among the young demands a re-think about data: do you need it around forever? In a remarkable step forward, 2014 may see Forever Internet and Erasable Internet living side by side.

What else is in store? “Your mobile devices and PCs will get more intelligent and remember your different passwords,” said J. Prasanna, AVS labs. “Advanced biometrics will enable scanning (fingerprint/retina) without devices. Sharper attack simulation on the cyber-world will force corporates to improve defence. Industrial houses will opt for more mobile devices — computers like raspberry pi — for logistics/checking. “You may not see a workstation at all!” Maria Xynou, The Centre for Internet and Society, foresees surveillance technologies getting smarter with artificial intelligence software, and people fending them off with crypto-like privacy software. “This might trigger more intrusive technologies,” she said.

Big data will grow bigger. Many of the products we depend on — Google's spell-checker, translation service, traffic maps, search-suggestions; Amazon.com's AMZN +0.13% media; Facebook’s News Feed, “friend” facilities — have come out of a huge cache of user data. But Kaspersky Lab expects cybercriminals to use refined mobile-phishing, banking-Trojans and mobile-botnets to hack and modify private information. VPN (virtual private network) services and Tor-anonymisers will become popular, demand for local encryption tools will spurt, it predicts.

Folding phones?

Now that curved display (G-Flex) is here, 2014 may bring in “roll-up or fold” smartphones/tablets to fit into our wallets. Also, with smarter tracking-tools and voice-recognition technology smartphones will become so intuitive and efficient that they may reflexively cater to our needs. “It will become a context engine — aware of where it is, where you are going, what you need,” said futurist Paul Saffo. Apple will launch the anticipated big-screen iPhones and iPads (12.9-inch or 13.3-inch), reports Digitimes. Upcoming iPhone models will have a 20mm chipset, and a choice between 4.7-inch and 6-inch display panel. But don't throw away your MacBook Air or MacPro yet.

“Prepare for a life-changing gadget,” says BBC, referring to Oculus Rift, a “consumer-focused virtual-reality headset”, to be launched by Kickstarter. You wear it and you'll see yourself running along a beach, flying in a spaceship, riding a roller-coaster, it says. Impatient for the “real” one? There are no tech hurdles to having a vehicle that is part-car, part-plane, part-drone parked outside your home, says Missy Cummings, Aeronautics/Astronautics Professor, MIT. The fly-by-wire Airbus is a drone, anyway. Automated systems with micro-second reactions will make transportation network — ground and air — safer. Your regular car will gain advanced tech features, from in-built sat-navs, parking assistance to voice-activated/touchscreen DVD players and radios.

Educator Sugata Mitra hopes to launch an entire school in the cloud — the tech-cloud. Retired teachers in remote areas will teach through Skype, classrooms will be beamed from all parts of the planet — “deep in the jungle, or high on a mountain.” Kids can just gather at one home for lessons, he said.

Robots will take longer strides in 2014. Google's Japanese start-up robot won the Darpa rescue-challenge by carrying out all the eight rescue-themed tasks ahead of rivals. Its dexterous, independent “robot army” will carry packages, push strollers. LiveScience reports Knightscope's five-foot K5 robot-cop's on-board sensor that can see, hear, touch and smell its surroundings will combine its observations with public data and use the information to predict if, when and where a crime is likely to occur. Asutosh Saxena's team at Cornell University has created a robot (PR2) programmed to free shop-assistants from drudgery — it packs purchases at check-out counters. Forrester Research's Jeff Ernst believes ICANN’s gTLD (generic top-level domain) program is a game-changer. The introduction of .brand and .category will help you choose products with ease and marketers fight off cybersquatters.

The best gift

To me the best gift of 2014 is the Copenhagen wheel. With an attached computer/sensor-aided device, this bicycle wheel monitors pedalling and activates an on-board electric-motor when you need support. Connecting wirelessly to the biker's smartphone, the device tracks distance travelled and elevation gained, shares with friends the number of calories burned, locks the wheel remotely as you walk away from the bike. An electric-hybrid bicycle!

Mark Anderson, Strategic News Service anticipates Apple's Siri-like products to get an upgrade, visualisation tools to usher in “seeing data.” Software-defined networking and storage will cause a “stampede to virtualise everything.” Technical work to break down barriers between clouds will spawn software that can run anywhere. E-mapping will include MALT (Micromapping, Advertising, Location/ID, Transactions). Indoor maps and location information will place advertising targeted at you, leading to transaction in which “your phone will direct you to where things on your shopping-list are. You pick them up, the store knows who you are, how you pay, and you’ll just walk out.”

Track these

2014 will see computers that can learn from their own mistakes.
Spending on mobile, work-collaboration and video-conferencing apps will rise.
Demand for “big data” analysts will soar.
Small start-ups will raise money more through crowdfunding, less from venture capitalists.

For more details visit https://cis-india.org/news/the-hindu-january-1-2014-geeta-padmanabhan-inventions-that-will-make-a-difference

Introduction: About the Privacy and Surveillance Roundtables

manoj — 2014-11-27T13:34:56Z

The Privacy and Surveillance Roundtables is a Centre for Internet and Society (CIS) initiative, in partnership with the Cellular Operators Association of India (COAI), as well as local partners. The Roundtable will be closed-door deliberation involving multiple stakeholders. Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India.

The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and training.

The third Privacy and Surveillance Roundtable was held in New Delhi at the India International Centre by the Centre for Internet and Society in collaboration with the Cellular Operators Association of India and Vahura, legal Partner on the 1^st of September, 2014.

The aim of the discussion was to gain inputs on what would constitute an ideal surveillance regime in India working with theCIS Draft Privacy Protection Bill, the Report of the Group of Experts on Privacy prepared by the Justice Shah committee, and the International Principles on the Application of Human Rights to Communications Surveillance.

Background and Context: Privacy and Surveillance in India

The discussion began with the chair giving an overview of the legal framework that governs communications interception under Indian Law in the interest of the participants since many were there for the first time.

The legal system to govern the manner in which communications are intercepted in India are defined under three main acts

1. Interception of Telephonic Calls : The Telegraph Act 1885

2. Interception of Posts : The Indian Post Office Act,1898

3. Interception of Electronic communication like e-mails etc :The IT Act, 2000

While the interception of postal mail is governed by Section 26 of the Post Office Act, 1898, the interception of modern forms of communication that use electronic information and traffic data are governed under Sections 69 and 69B of the Information Technology Act, 2000, while interception of telephonic conversations are governed by section 5(2) of the Indian Telegraph Act 1885 and subsequent rules under section 419A.

The main discussion of the meeting revolved around the Telegraph Act since it is the main Act which covers the interception of telecommunications. In 1968 the 30th Law Commission Report studying Section 5(2) of this Act came to the conclusion that the standards in the Act may be unconstitutional given factors such as 'public emergency' & 'public safety' were too wide in nature and called for a relook at the provision.

Objective of Round Table Meetings

The objective of the round table meetings is to, be prepared with the proposals on the Privacy Bill which the new government intends to split into separate Bill for Surveillance and Data privacy. Thus these submissions once out in the public domain would further deliberate more discussion and shape the course of the Bill.

Discussion

Authorisation

The chair initiated the discussion continuing from the last meeting about the two models of authorisation for Interception 1. The Judiciary & 2. The Executive

The chair explained why the earlier proposed Judiciary based model, based on the efficient experience of separation of power, would not fit into the Indian context. The main reason for this being that the lower judiciary in India is not competent enough to take decisions of this nature. Providing examples, the chair explained how in many cases the lower Judiciary overlooks essential human rights in their decisions, and such rights are only addressed when the case is appealed in Higher courts. While participants felt that High Court judges would be favourable, it was expressed that the immense backlog at the High Court level and the lack of judges is a challenge and risks being inefficient. Thus an additional responsibility for the High Court would not be a feasible model. Furthermore, adopting a judicial based model would mean that the existing model of executive would need to be entirely replaced. Owing to these practical implementation issues consensus was built over adoption of the existing executive model, but with more safeguards.

Safeguards proposed:

1. A redressal tribunal: Establishing a tribunal for the redressal of interception complaints. The tribunal could be a non-active body. Such a model would be different from other models adopted around the world - for example e in UK a designated tribunal suo-motu reviews cases on a regular basis. The tribunal could also have judicial review authority, to which one of the participants raised an issue that the tribunals usually will not have the power of Judicial review, however the chair assured him that the delegation of Judicial review to a tribunal does exist in Indian law.

2. A review commission: Establishing a commission to review the interceptions carried out on the orders of home secretary. For such an overseeing body, the commissioner should be appointed independently. The commissioner must be a Judge or a senior Lawyer and should report to the Parliament.

Content data and Metadata

In the next session the chair explained the difference between content data and metadata while initiating discussion on provisions addressing them in the proposed Bill. Content data, also called as payload data, is the actual content of the communication which takes place between X and Y.

Example 1: In the VOIP call the voice is packetized and sent in different packets to the destination, the content of that packet is the content data whereas the information of this content i.e the header, footer and checksum of the packet is the metadata.

Example 2: In the serial communication of the normal phone call the content data will be what the communication happened between two or more people over the call and the metadata will be who were involved in the call, on what date and time the call was made from which place, and under which tower.

It was noted that generally it is easier to intercept metadata than content data. In the proposed bill, section 2 (C) refers to the definition of content data and section 2(E) to metadata.

Participants also pointed out that often it is with metadata that concerned governmental authorities are able to carry out tracking. Thus, when determining procedural safeguards for surveillance - and specifically for interception - the question of whether or not content data and meta data should be treated the same under law must be addressed. Participants suggested looking into German laws, which have procedure to deal with this question. Despite differences over the exact level of protection meta data should legally be afforded, participants agreed that a higher authority should be responsible for the interception, collection, and access to metadata and content data.

In India, because the existing legal framework in India has different standards for different modes of communication, it is proposed that a uniform legal framework be created by harmonizing the three Acts through amendments or overriding existing legislation regulating surveillance in India, and establishing a new framework under a Privacy legislation.

Big Data, Cloud & OTT

In this session a participant raised the issue of Big data and Cloud services, and asked whether the CIS Privacy Protection Bill or the draft Privacy Bill from the government addresses this issue. This question was of particular relevance because a number of the cloud data centres are located in locations outside India. Thus a question of jurisdiction arises. The participant opined that in the coming years and with the new government's vision to have space for every citizen in cloud and data localisation being priority, he stressed that the Bill should clearly address issues related to the cloud, big data, outsourcing, and questions of jurisdiction. Responding to this the chair was of the view that the crimes committed outside the territory of India come under Extra-territorial law, section 4 of IPC and Section 188 Cr. P.C. But it was noted that due to the fact that the crime is committed outside the territory of India, despite the provision, it is practically not implementable unless there is a contract between countries or a treaty signed. The solution could be data localisation, hosting the cloud servers in India, but that again has its own pros & cons. In response participants indicated that if a choice had to be made about data localization - the best option would be one that would be economical for Indian business and the government.

OTT (Over the Top) Services

Another participant brought to the notice of the meeting that most of the networks of service provider's are adopting IP (Internet Protocol). In the context of surveillance, this means that for an interception to take place, Deep Packet Inspection (DPI) must be adopted by service providers. This is currently placing a burden on service providers, as it is costly and the connection time of the calls for the number under surveillance increases - though not enough to be noticed by customers.

Telephone Tapping Process

In India the process of intercepting telephones can be broken down into the following three steps:

1. Authorization

a. The Home Secretary issues an authorization for an interception request.

b. The Authorization is handed over to Police Officer in charge of the investigation.

c. The Police Officer serves the order to the nodal officer in the relevant service provider.

2. The service provider conducts the interception.

3. The intercepted data is handed over to the Police officer.

Under Rule 419A, a committee to review the authorization exists, comprising of officials such as the Cabinet Secretary, Secretary of the Department of Telecommunications, Secretary of the Department of Law and Justice and the Secretary of Information Technology and Communication ministry at the Centre and the Chief Secretary, the Law Secretary and an officer not below the rank of a Principal secretary at the State level.

Since the current infrastructure of telecom and broadband is with private service providers, the government is dependent on service providers to carry out surveillance. As national security is a concern of the government and because in the past intercepted material has been leaked by various sources, the government has proposed to replace the existing system. In this regard the government has proposed to set up a Central Monitoring System (CMS) for the interception of voice and data communications.

It is proposed that the CMS infrastructure will be positioned at the service provider's facilities, and will allow governmental agencies to directly intercept traffic on the network of service providers - thus there would no longer be a need for the government to reply on service providers to carry out interception requests. During the meeting it was discussed how this system has pros & cons

Pros

1. For private companies it eliminates an entire level of compliance.

2. It will reduce the possibility of unlawful, extra legal, & fraudulent authorizations of interception requests.

3. The interception carried out would be maintained in a log, which would clearly recorded, making the interception process becomes accountable.

Cons

1. Even though the existing system gives room for leaks, ironically it is the only way through which a person who is tapped will come to know, hence accounting for some transparency eg: Nira Radia & Amar Singh phone Tap case.

2. CMS will be built upon an existing interception framework, which is not procedurally fair - because of issues such as Internal Authorization, Adhoc procedure, that it is not under the ambit of RTI etc. This will result in a system with no transparency and accountability.

To this last point the Chair noted that in 2011 there were 7.5 Lakh phone taps by a single agency which was reportedly illegal. In an attempt to minimize such brazen violations a Privacy Bill is mooted and the round table conference is a step towards making it possible.

Immunity to TSP's & ISP's

Participants also raised the issue of difficulties that TSPs face while engaged in the process of interception, as they are caught between the customers and government authorities and subjected to harassment sometimes. This places service providers in a position where they must often make a number of compromises as they are expected to store traffic data for a specified period of time, but sometimes a judge might ask for access to data that is dated past the specific retention period. In such a scenario, service providers must provide it by accessing backup data.

The question of who should be the custodian of intercepted data was raised by participants as well as who should be held accountable if intercepted data is leaked into the public domain. The chair responded that the officers investigating the case should be held accountable for the intercepted data. This would be analogous to the system under the Right to Information Act whereby the Information officer is named and held accountable for the data or information he provides. Similarly, for the case of intercepted material, an officer should be named and held accountable for the data and ensuring that it reaches those that it is legally intended to.

It was also expressed that a market regulator, responsible for the safeguarding the interest of communication service providers, could be appointed for handling the personal data. Such a role could be merged with the traditional role of a Data Protection Authority and could be the first step towards an information security and assurance regime.

Legal immunity given to service providers was also discussed, as there was a general concern about the position service providers find themselves in - being held legally liable for not complying with orders from the government and being taken to court by citizens.

Format of Interception Orders and Interception as a service

A question was also posed to participants about what information ideally - apart from the intended duration of the order - should be incorporated into interception orders. Participants suggested that the order should be as specific and precise as possible, which the existing format to a large extent confirms. On the topic, a participant noted that in some cases, despite DoPT guidelines, interception orders are issued in regional languages. This can pose as a problem as the nodal officer might not know the language, thus leading to possible ambiguity & misinterpretation of the order. Participants suggested that orders should be in English.

Participants also pointed out that in most European countries - like France and Italy - a fee for the compliance cost arising out of implementing an interception order is paid to service providers by the government. In India, huge costs are involved in carrying out interceptions which service providers presently have to bare. As law enforcement and security agencies ask for more and more accuracy in surveillance, the charges of carrying out surveillance. To address this, participants suggested that interception as a service should be accommodated in the proposed Bill.

Conclusion

The discussions in the Surveillance and Privacy Roundtable in New Delhi mainly revolved around the authorization model and the process of interception. Overall, participants agreed on an organised executive model with an established accountability and review system. Also discussed was how to ensure that service providers are legally protected from disproportionate and unwarranted penalties. Towards this, the interception process should be viewed as a service rather than an obligation.

For more details visit https://cis-india.org/internet-governance/blog/introduction-about-the-privacy-and-surveillance-roundtables

Interview with the Tactical Technology Collective on Privacy and Surveillance

maria — 2013-10-18T09:56:16Z

The Centre for Internet and Society recently interviewed Anne Roth from the Tactical Technology Collective in Berlin. View this interview and gain an insight on why we should all "have something to hide"!

For all those of you who haven't heard of the Tactical Technology Collective, it's a Berlin and Bangalore-based non-profit organisation which aims to advance the skills, tools and techniques of rights advocates, empowering them to use information and communications to help marginalised communities understand and effect progressive social, environmental and political change.

Tactical Tech's Privacy & Expression programme builds the digital security awareness and capacity of human rights defenders, independent journalists, anti-corruption advocates and activists. The programme's activities range from awareness-raising comic films aimed at audiences new to digital security issues, to direct training and materials for high-risk defenders working in some of the world's most repressive environments.

Anne Roth works with Tactical Tech on the Privacy & Expression programme as a researcher and editor. Anne holds a degree in political science from the Free University of Berlin. She cofounded one of the first interactive media activist websites, Indymedia, in Germany in 2001 and has been involved with media activism and various forms of activist online media ever since. She has worked as a web editor and translator in the past. Since 2007 she has written a blog that covers privacy, surveillance, media, net politics and feminist issues.

The Centre for Internet and Society interviewed Anne Roth on the following questions:

How do you define privacy?
Can privacy and freedom of expression co-exist? Why/ Why not?
What is the balance between Internet freedom and surveillance?
According to research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?
Should people have the right to give up their right to privacy? Why/ Why not?
What implications on human rights can mass surveillance potentially have?
“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally”. Please comment.
Do we have Internet freedom?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective

Interview with the Citizen Lab on Internet Filtering in India

maria — 2013-06-26T09:47:14Z

Maria Xynou recently interviewed Masashi Crete-Nishihata and Jakub Dalek from the Citizen Lab on internet filtering in India. View this interview and gain an insight on Netsweeper and FinFisher!

A few days ago, Masashi Crete-Nishihata (research manager) and Jakub Dalek (systems administrator) from the Citizen Lab visited the Centre for Internet and Society (CIS) to share their research with us.

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. The OpenNet Initiative is one of the Citizen Lab's ongoing projects which aims to document patterns of Internet surveillance and censorship around the world. OpenNet.Asia is another ongoing project which focuses on censorship and surveillance in Asia.

The following video entails an interview of both Masashi Crete-Nishihata and Jakub Dalek on the following questions:

1. Why is it important to investigate Internet filtering around the world?

2. How high are the levels of Internet filtering in India, in comparison to the rest of the world?

3. "Censorship and surveillance of the Internet aim at tackling crime and terrorism and in increasing overall security." Please comment.

4. What is Netsweeper and how is it being used in India? What consequences does this have?

5. What is FinFisher and how could it be used in India?

Video

For more details visit https://cis-india.org/internet-governance/blog/interview-with-citizen-lab-on-internet-filtering

Interview with Pranesh Prakash

praskrishna — 2012-11-30T06:58:39Z

Pranesh Prakash of the Centre for Internet and Society talks to Mint’s Surabhi Agarwal about the controversial Section 66A of the IT Act and the government’s decision to tweak it.

This video was published in LiveMint on November 30, 2012:

For more details visit https://cis-india.org/news/livemint-november-30-2012-video-interview-with-pranesh-prakash

Interview with Mr. Reijo Aarnio - Finnish Data Protection Ombudsman

maria — 2013-07-19T13:02:14Z

Maria Xynou recently interviewed Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman, at the CIS' 5th Privacy Round Table. View this interview and gain an insight on recommendations for better data protection in India!

Mr. Reijo Aarnio - the Finnish Data Protection Ombudsman - was interviewed on the following questions:

1. What activities and functions does the Finnish data commissioner's office undertake?

2. What powers does the Finnish Data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?

3. How is the office of the Finnish data protection commissioner funded?

4. What is the organizational structure at the Office of the Finnish Data Protection Commissioner and the responsibilities of the key executives?

5. If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?

6. What challenges has your office faced?

7. What is the most common type of privacy violation that your office is faced with?

8. Does your office differ from other EU data protection commissioner offices?

9. How do you think data should be regulated in India?

10. Do you support the idea of co-regulation or self-regulation?

11. How can India protect its citizens' data when it is stored in foreign servers?

For more details visit https://cis-india.org/internet-governance/blog/interview-with-finnish-data-protection-ombudsman

Interview with Mr. Billy Hawkes - Irish Data Protection Commissioner

maria — 2013-07-12T11:06:31Z

Maria Xynou recently interviewed Mr. Billy Hawkes, the Irish Data Protection Commissioner, at the CIS´ 4th Privacy Round Table meeting. View this interview and gain an insight on recommendations for data protection in India!

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

The Irish Data Protection Commissioner was asked the following questions:

1. What powers does the Irish Data Commissioner´s office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?

2. Does your office differ from other EU data protection commissioner offices?

3. What challenges has your office faced? What is the most common type of privacy violation that your office has faced?

4. Why should privacy legislation be enacted in India?

5. Does India need a Privacy Commissioner? Why? If India creates a Privacy Commissioner, what structure / framework would you suggest for the office?

6. How do you think data should be regulated in India? Do you support the idea of co-regulation or self-regulation?

7. How can India protect its citizens´ data when it is stored in foreign servers?

video

For more details visit https://cis-india.org/internet-governance/blog/interview-with-irish-data-protection-commissioner