We are anonymous, we are legion

The trouble with trolls

praskrishna — 2014-07-28T05:42:36Z

Social networking sites give trolls the ability to hide their real identity and cause grief to others. Here is what you need to do if you face an online attack.

The article by Vishal Mathur was published in Livemint on July 22, 2014. Sunil Abraham gave his inputs.

Social networking sites give trolls the ability to hide their real identity and cause grief to others. Here is what you need to do if you face an online attack.

Though social networks were not designed with the intention of letting someone anonymously abuse another online, the reality is that people utilize the ability to hide behind online identities to threaten other users. These could be veiled attacks, direct abuse, or even threats to “cause bodily harm”. What can you do if you’re trolled and threatened on any social network? Follow our five-step guide. Avoid conversation if you can The responses could come in relation to something you may have just posted online. Or perhaps it could be just a random trolling attempt, to get a response from you. It is important to understand and identify such intentions. And as difficult as it may be, do not respond. Getting into a direct interaction with a bully only makes things worse. Report to the social network You should report any instance of cyber bullying or harassment to the host social network—the website or forum on which the interaction happened. There are various methods of getting in touch with the moderators—customer support email, contact submission forms or even via phone, in certain locations. Describe the problem in detail, and persist till the offending account is blocked from the platform. “Most social networks have systems that allow you to report abusive content and users. However, there is great variance in the speed with which they respond across different platforms, jurisdictions, etc.,” says Sunil Abraham, executive director at the Bangalore-based non-profit research organization Centre for Internet and Society. New Delhi-based Anja Kovacs, project director, at civil society organization Internet Democracy Project, adds: “Blocking and reporting an account can be two ways to stop harassment on some social networks, but on other platforms, such as Twitter, it is possible for the person to immediately make a new account under a different username, meaning that these measures do not necessarily stop the harassment.” Ankhi Das, director, public policy, India and South Asia at social network Facebook, says: “Every reported piece of content is reviewed. Serial offenders are notified for non-compliance.” Facebook’s Community Standards, that prevent harassment and offensive posts, have an 11-point categorization for reported content—violence and threats, hate speech, graphic content, bullying and harassment, to name some. Raheel Khursheed, head of news, politics and government at Twitter India, did not respond to our mail about how Twitter handles trolls at the time of going to press. On blogs and forums, it may be a bit easier to deal with trolling and abuse. If it is your own blog, you can delete comments and block users. If it is a forum, the administrator can do it for you. But, with social networks having millions of users, it is not possible to have one administrator managing it all. And it is not just Facebook and Twitter, all social networks have a method by which you can register your complaint. LinkedIn, for example, automatically blocks a user who gets multiple “I don’t know” responses to invitations to connect. There is a strong monitoring policy where any reported content (recommendations or direct messages) is examined and immediate warnings are sent out to offending parties. Keep a copy of the offensive posts Be it a post, or a series of posts, direct message or even an offending photograph, always save it for future reference. Never assume that the matter will end soon, and always prepare for the worst. Don’t ignore privacy settings Most people start using Facebook, Twitter and other social networks without paying much attention to the privacy settings—what content people can see on your page, and who can directly contact you. Be conservative in sharing information—the less you share, the lower the chances of someone picking on you. “Avoid friending or linking to people whom you don’t know in real life unless you are certain of the chain of trust that exists between you and the unknown person,” says Abraham. New Delhi-based cyber lawyer Apar Gupta, adds: “The privacy settings on most social networking platforms allow users to prevent (restrict) the audience for their posts as well as strangers from contacting them. This will prevent most cases of online harassment.” Get help from the law In case social networks are not able to effectively block a user, or are in some way unwilling to do so, take help from the law-enforcement authorities. File an FIR in the nearest police station. Unfortunately, the progress may not be very smooth. The reality is that not every law-enforcement officer may know about social networking sites. “You could try and go to the police, but without support from the social network platform, they are often at a loss to do much themselves,” warns Kovacs. The police may look for hints of threat to cause bodily harm or worse still, to life. In such cases, they may recommend the case to the Cyber Crime Cell of the Central Bureau of Investigation. “Generally, while the substantive offences do exist under law, the process for having them enforced is deficient. These are deeper structural problems of delay, investigation and conviction which are prevalent across criminal justice or civil litigation,” clarifies Gupta. Officials at the Cyber Crime Cell say they take up cases after reference from the local police, who file the report first and do a preliminary level of investigation. But it is important to realize that only the police and the law-enforcement agencies have the right to demand further details about the perpetrator from the social networks, starting with profile details and Internet Protocol (IP) addresses, which will help track the person down. Das clarifies: “Facebook has a point-of-contact system through which the law-enforcement agencies tell us what the actual case is, depending on severity. The police may ask us to take down particular content, or even ask for user information like IP info, to prevent real crime.” According to Facebook’s Government Requests Report for July-December 2013, the network restricted access to 4,765 pieces of content after requests from the Indian government and law-enforcement agencies.

Though social networks were not designed with the intention of letting someone anonymously abuse another online, the reality is that people utilize the ability to hide behind online identities to threaten other users. These could be veiled attacks, direct abuse, or even threats to “cause bodily harm”. What can you do if you’re trolled and threatened on any social network? Follow our five-step guide.

Avoid conversation if you can
The responses could come in relation to something you may have just posted online. Or perhaps it could be just a random trolling attempt, to get a response from you. It is important to understand and identify such intentions. And as difficult as it may be, do not respond. Getting into a direct interaction with a bully only makes things worse.

Report to the social network
You should report any instance of cyber bullying or harassment to the host social network—the website or forum on which the interaction happened. There are various methods of getting in touch with the moderators—customer support email, contact submission forms or even via phone, in certain locations. Describe the problem in detail, and persist till the offending account is blocked from the platform. “Most social networks have systems that allow you to report abusive content and users. However, there is great variance in the speed with which they respond across different platforms, jurisdictions, etc.,” says Sunil Abraham, executive director at the Bangalore-based non-profit research organization Centre for Internet and Society. New Delhi-based Anja Kovacs, project director, at civil society organization Internet Democracy Project, adds: “Blocking and reporting an account can be two ways to stop harassment on some social networks, but on other platforms, such as Twitter, it is possible for the person to immediately make a new account under a different username, meaning that these measures do not necessarily stop the harassment.” Ankhi Das, director, public policy, India and South Asia at social network Facebook, says: “Every reported piece of content is reviewed. Serial offenders are notified for non-compliance.” Facebook’s Community Standards, that prevent harassment and offensive posts, have an 11-point categorization for reported content—violence and threats, hate speech, graphic content, bullying and harassment, to name some. Raheel Khursheed, head of news, politics and government at Twitter India, did not respond to our mail about how Twitter handles trolls at the time of going to press. On blogs and forums, it may be a bit easier to deal with trolling and abuse. If it is your own blog, you can delete comments and block users. If it is a forum, the administrator can do it for you. But, with social networks having millions of users, it is not possible to have one administrator managing it all. And it is not just Facebook and Twitter, all social networks have a method by which you can register your complaint. LinkedIn, for example, automatically blocks a user who gets multiple “I don’t know” responses to invitations to connect. There is a strong monitoring policy where any reported content (recommendations or direct messages) is examined and immediate warnings are sent out to offending parties.

Keep a copy of the offensive posts
Be it a post, or a series of posts, direct message or even an offending photograph, always save it for future reference. Never assume that the matter will end soon, and always prepare for the worst.

Don’t ignore privacy settings
Most people start using Facebook, Twitter and other social networks without paying much attention to the privacy settings—what content people can see on your page, and who can directly contact you. Be conservative in sharing information—the less you share, the lower the chances of someone picking on you. “Avoid friending or linking to people whom you don’t know in real life unless you are certain of the chain of trust that exists between you and the unknown person,” says Abraham. New Delhi-based cyber lawyer Apar Gupta, adds: “The privacy settings on most social networking platforms allow users to prevent (restrict) the audience for their posts as well as strangers from contacting them. This will prevent most cases of online harassment.”

Get help from the law
In case social networks are not able to effectively block a user, or are in some way unwilling to do so, take help from the law-enforcement authorities. File an FIR in the nearest police station. Unfortunately, the progress may not be very smooth. The reality is that not every law-enforcement officer may know about social networking sites. “You could try and go to the police, but without support from the social network platform, they are often at a loss to do much themselves,” warns Kovacs. The police may look for hints of threat to cause bodily harm or worse still, to life. In such cases, they may recommend the case to the Cyber Crime Cell of the Central Bureau of Investigation. “Generally, while the substantive offences do exist under law, the process for having them enforced is deficient. These are deeper structural problems of delay, investigation and conviction which are prevalent across criminal justice or civil litigation,” clarifies Gupta. Officials at the Cyber Crime Cell say they take up cases after reference from the local police, who file the report first and do a preliminary level of investigation. But it is important to realize that only the police and the law-enforcement agencies have the right to demand further details about the perpetrator from the social networks, starting with profile details and Internet Protocol (IP) addresses, which will help track the person down. Das clarifies: “Facebook has a point-of-contact system through which the law-enforcement agencies tell us what the actual case is, depending on severity. The police may ask us to take down particular content, or even ask for user information like IP info, to prevent real crime.” According to Facebook’s Government Requests Report for July-December 2013, the network restricted access to 4,765 pieces of content after requests from the Indian government and law-enforcement agencies.

For more details visit https://cis-india.org/news/livemint-july-22-2014-vishal-mathur-the-trouble-with-trolls

ICT Awareness Program for Myanmar Parliamentarians in Yangon

praskrishna — 2014-07-29T09:37:26Z

Myanmar ICT for Development Organization-MIDO conducted ICT policy training for multi- party parliamentarian representatives in Yangon on July 26 and 27, 2014. Sunil Abraham presented on Innovation Ecosystem and Thinking about Internet Regulation.

Sunil's Presentations

Schedule

Day 1	Topic	Resource Person
0930-1030	What is the significance of ICTs to legislators?	Rohan Samarajiva (RS)
1030-1115	Stories from the field: What do poor people do with ICTs?	Helani Galpaya (HG)
1115-1145	Break
1145-1245	Legislation, policies, plans, strategies, regulation	RS
1245-1330	Modalities of making and implementing ICT policy	RS and HG
1330-1430	Lunch	Videos
1430-1530	What is independent regulation? Why is it needed for sector growth	RS
1530-1600	Break
1600-1700	Panel discussion: How social media can be used in public life	Sunil Abraham (SA), RS & Charitha Herath (CH)
Day 2
930-1030	Regulation of online speech	Nay Phone Latt (NPL)
1030-1100	Break
1100-1200	How to think about Internet policy	SA; counterpoint by CH
1200-1300	Hope in the heart and money in the pocket: Results of effective policy	RS
1300-1400	Lunch	Videos

We plan to have simultaneous interpretation. There will be time for discussion within each session.

Brief descriptions of sessions

What is the significance of ICTs to legislators?

Rohan Samarajiva

This is the introduction, wherein we bring out the economic, social and political significance of ICTs. Why legislators should pay attention to the subject.

Stories from the field: What do poor people do with ICTs?

Helani Galpaya

Here we present the findings of how the poor use ICTs, using demand-side data (both quant and quality) from Myanmar and countries in similar circumstances.

Legislation, policies, plans, strategies, regulation

In this session, a former policy advisor/regulator will present a perspective on the important distinctions between legislation, policies, plans, strategies, and regulation.

Modalities of making and implementing ICT policy

RS and HG

Here we will delve into the practical details of making policy and of implementing policy, using examples.

What is independent regulation? Why is it needed for sector growth

Progress in electronic connectivity is the foundation that will reduce the frictions in the Myanmar economy, create jobs and exports and enable social, political and economic innovations. This requires massive investments, most of which will be private and most of which will come from outside the country. What legislators need to know about creating an environment that will attract and retain foreign investment in a globalized economy will be discussed.

How social media can be used in public life

Sunil Abraham, RS and Charitha Herath

In the panel discussion, SA will pose questions to a policy advisor who has used social media in a political campaign and a social media savvy current government official.

How to think about Internet policy

SA; counterpoint by CH

A leading advocate of enlightened Internet policy, Sunil Abraham of the Center for Internet and Society in Bangalore, India, will present his ideas, highlighting the international dimension of Internet policy. CH will share his perspectives as a serving government official.

Regulation of online speech

Nay Phone Latt

Here, Myanmar’s leading blogger and founder of MIDO will discuss the current concerns with legislation that seeks to control online speech.

Hope in the heart and money in the pocket: Results of effective policy

Results of effective policy implementation will be discussed with reference to specific country experiences.

Resource persons

Rohan Samarajiva, PhD, (program director) is founding Chair of LIRNEasia, an ICT policy and regulation think tank active across emerging Asian and Pacific economies. He was Team Leader at the Sri Lanka Ministry for Economic Reform, Science and Technology (2002-04) responsible for infrastructure reforms, including participation in the design of the USD 83 million e-Sri Lanka Initiative. He was Director General of Telecommunications in Sri Lanka (1998-99). In this capacity, he established the Telecom Regulatory Commission of Sri Lanka; conducted the first public hearing and public notice proceedings; successfully concluded a license-violation proceeding; and laid the foundation for a competitive market. He was also a founder director of the ICT Agency of Sri Lanka (2003-05), Honorary Professor at the University of Moratuwa in Sri Lanka (2003-04), Visiting Professor of Economics of Infrastructures at the Delft University of Technology in the Netherlands (2000-03) and Associate Professor of Communication and Public Policy at the Ohio State University in the US (1987-2000). Dr. Samarajiva was also Policy Advisor to the Ministry of Post and Telecom in Bangladesh (2007-09).

Sunil Abraham is the Executive Director of Bangalore based research organization, the Centre for Internet and Society. He founded Mahiti in 1998, a company committed to creating high impact technology and communications solutions. Today, Mahiti employs more than 50 engineers. Sunil continues to serve on the board. Sunil was elected an Ashoka fellow in 1999 to 'explore the democratic potential of the Internet' and was also granted a Sarai FLOSS fellowship in 2003. Between June 2004 and June 2007, Sunil also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme serving 42 countries in the Asia-Pacific region.

Helani Galpaya is LIRNEasia’s Chief Executive Officer. Helani leads LIRNEasia’s 2012-2014 IDRC funded research on improving customer life cycle management practices in the delivery of electricity and e-government services using ICTs. She recently completed an assessment of how the poor in Bangladesh and Sri Lanka use telecenters to access government services. For UNCTAD and GTZ she authored a report on how government procurement practices can be used to promote a country’s ICT sector and for the World Bank/InfoDev Broadband Toolkit, a report on broadband strategies in Sri Lanka. She has been an invited speaker at various international forums on topics ranging from m-Government to ICT indicators to communicating research to policy makers. Prior to LIRNEasia, Helani worked at the ICT Agency of Sri Lanka, implementing the World-Bank funded e-Sri Lanka initiative. Prior to her return to Sri Lanka, she worked in the United States at Booz & Co., Marengo Research, Citibank, and Merrill Lynch. Helani holds a Masters in Technology and Policy from the Massachusetts Institute of Technology, and a Bachelor’s in Computer Science from Mount Holyoke College, USA.

Charitha Herath has served as Secretary, Ministry of Mass Media and Information in the Government of Sri Lanka since 2012. Prior to his present appointment, he was the Chairman of the Central Environment Authority. Currently on secondment for national services from his permanent academic position as a Senior Lecturer in the Department of Philosophy and Psychology at the University of Peradeniya in Sri Lanka, he continues to work on his academic research, specializing in governments and politics in Asia, ethnic studies, cultural psychology, social and political philosophy, with his main focus on political psychology. More detail at http://charithaherath.wordpress.com/about-2/

Nay Phone Latt is the Co-founder and Executive Director of Myanmar ICT Development Organization (MIDO). He graduated from Yangon Technological University with a civil engineering degree in 2004. He co-founded the Myanmar Blogger Society in 2007. Award winner of PEN Barbara Goldsmith Award and RFS’s Cyber Dissidents Award. Former Political Prisoner. CEC Member of Myanmar Journalists Association(MJA) Chief Editor of ThanLwinAinMat Online Magazine (www.thanlwin.com). Member of Board of Directors of House of Media & Entertainment (HOME).

For more details visit https://cis-india.org/news/ict-awareness-program-for-myanmar-parliamentarians-yangon

UK’s Interception of Communications Commissioner — A Model of Accountability

joe — 2014-07-24T06:08:53Z

The United Kingdom maintains sophisticated electronic surveillance operations through a number of government agencies, ranging from military intelligence organizations to police departments to tax collection agencies. However, all of this surveillance is governed by one set of national laws outlining specifically what surveillance agencies can and cannot do.

The primary law that governs government investigations is the Regulation of Investigatory Powers Act 2000, abbreviated as RIPA 2000.

To ensure that this law is being followed and surveillance operations in the United Kingdom are not conducted illegally, the RIPA 2000 Part I establishes an Interception of Communications Commissioner, who is tasked with inspecting the surveillance operations, assessing their legality, and compiling an annual report to for the Prime Minister.

On April 8, 2014 the current Commissioner, Rt Hon. Sir Anthony May, laid the 2013 annual report before the House of Commons and the Scottish Parliament. In its introduction, the report notes that it is responding to concerns raised as a result of Edward Snowden’s actions, especially misuse of powers by intelligence agencies and invasion of privacy. The report also acknowledges that the laws governing surveillance, and particularly RIPA 2000, are difficult for the average citizen to understand, so the report includes a narrative outline of relevant provisions in an attempt to make the legislation clear and accessible. However, the report points out that while the Commissioner had complete access to any documents or investigative records necessary to construct the report, the Commissioner was unable to publish surveillance details indiscriminately, due to confidentiality concerns in a report being issued to the public. (It is worth noting here that though the Commissioner is one man, he has an entire agency working under him, so it is possible that he himself did not do or write all of that the report attributes to him). As a whole, the report outlines a series of thorough audits of surveillance operations, and reveals that the overwhelming majority of surveillance in the UK is conducted entirely legally, and that the small minority of incorrectly conducted surveillance appears to be unintentional. Looking beyond the borders of the United Kingdom, the report represents a powerful model of a government initiative to ensure transparency in surveillance efforts across the globe.

The Role of the Commissioner

The report begins in the first person, by outlining the role of the Commissioner. May’s role, he writes, is primarily to audit the interception of data, both to satisfy his own curiosity and to prepare a report for the Prime Minister. Thus, his primary responsibility is to review the lawfulness of surveillance actions, and to that end, his organization possesses considerable investigative powers. He is also tasked with ensuring that prisons are legally administrated, though he makes this duty an afterthought in his report.

Everyone associated with surveillance or interception in the government must disclose whatever the commissioner asks for. In short, he seems well equipped to carry out his work. The Commissioner has a budget of £1,101,000, almost all of which, £948,000 is dedicated to staff salaries.

The report directly addresses questions about the Commissioner’s ability to carry out his duties. Does the Commissioner have full access to whatever materials or data it needs to conduct its investigations, the report asks, and it answers bluntly, yes. It is likely, the report concludes, that the Commissioner also has sufficient resources to adequately carry out his duties. Yes, the Commissioner is fully independent from other government interests; the commissioner answers his own question. Finally, the report asks if the Commissioner should be more open in his reports to the public about surveillance, and he responds that the sensitivity of the material prohibits him from disclosing more, but that the report adequately addresses public concern regardless. There is a degree to which this question and answer routine seems self-congratulatory, but it is good to see that the Commissioner is considering these questions as he carries out his duties.

Interception of Communications

The report first goes into detail about the Commissioner’s audits of communications interception operations, where interception means wiretapping or reading the actual content of text messages, emails, or other communications, as opposed to the metadata associated with communications, such as timestamps and numbers contacted. In this section, the report outlines the steps necessary to conduct an interception, outlining that an interception requires a warrant, and only a Secretary of State (one of five officials) can authorize an interception warrant. Moreover, the only people who can apply for such warrants are the directors of various intelligence, police, and revenue agencies. In practice, the Secretaries of State have senior staff that read warrant applications and present those they deem worthy to the Secretary for his or her signature, as their personal signature is required for authorization.

For a warrant to be granted, it must meet a number of criteria. First, interception warrants must be necessary in the interests of national security, to prevent or detect serious crime, or to safeguard economic wellbeing of the UK. Additionally, a warrant can be granted if it is necessary for similar reasons in other countries with mutual assistance agreements with the UK. Warrants must be proportionate to the ends sought. Finally, interception warrants for communications inside the UK must specify either a person or a location where the interception will take place. Warrants for communications outside of the UK require no such specificity.

In 2013, 2760 interception warrants were authorized, 19% fewer warrants than in 2012. The Commissioner inspected 26 different agencies and examined 600 different warrants throughout 2013. He gave inspected agencies a report on his findings after each inspection, so they could see whether or not they were following the law. He concluded that the agencies that undertake interception “do so lawfully, conscientiously, effectively, and in our national interest.” Thus, all warrants adequately meet the application and authorization requirements outlined in RIPA 2000.

Communications Data

The report goes on to discuss communications data collection, where communications data refers to metadata–not the content of the communications itself, but data associated with it, such as call durations, or a list of email recipients. The Commissioner explains that metadata is easier to obtain than an interception warrant. Designated officials in their respective surveillance organization read and grant metadata warrant applications, instead of one of the Secretaries of State who could grant interception warrants. Additionally, the requirements for a metadata warrant are looser than for interception warrants. Metadata warrants must still be necessary, but necessary for a broader range of causes, ranging from collecting taxes, protecting public health, or for any purpose specified by a Secretary of State.

The relative ease of obtaining a metadata warrant is consistent with a higher number of warrants approved. In 2013, 514,608 metadata warrants were authorized, down from 570,135 in 2012. Local law enforcement applied for 87.5% of those warrants while intelligence agencies accounted for 11.5%. Only a small minority of requests was sent from the revenue office or other departments.

The purposes of these warrants were similarly concentrated. 76.9% of metadata warrants were issued for prevention or detection of crime. Protecting national security justified 11.4% of warrants and another 11.4% of warrants were issued to prevent death or injury. 0.2% of warrants were to identify people who had died or otherwise couldn’t identify themselves, 0.11% of warrants were issued to protect the economic wellbeing of the United Kingdom, and 0.02% of warrants were associated with tax collection. The Commissioner identified less than 0.01% of warrants as being issued in a miscarriage of justice, a very low proportion.

The Commissioner inspected metadata surveillance efforts, conducting 75 inspections in 2013, and classified the practices of those operations inspected as good, fair or poor. 4% of operations had poor practices. He noticed two primary errors. The first was that data was occasionally requested on an incorrect communications address, and the second was that he could not verify that some metadata was not being stored past its useful lifetime. May highlighted that RIPA 2000 does not give concrete lengths for which data should be stored, as Section 15(3) states only that data must be deleted “as soon as there are no longer grounds for retaining it as necessary for any of the authorized purposes.” He noted that he was only concerned because some metadata was being stored for longer periods than associated interception data. As May put it, “I have yet to satisfy myself fully that some of these periods are justified and in those cases I required the agencies to shorten their retention periods or, if not, provide me with more persuasive reasons.” The Commissioner seems determined that this practice will either be eliminated or better justified to him in the near future.

Indian Applications

The United Kingdom’s Interception of Communications Commissioner has similar powers to the Indian Privacy Commissioner suggested by the Report of the Group of Experts on Privacy. Similar to the United Kingdom, it is recommended that a Privacy Commissioner in India have investigative powers in the execution of its charter, and that the Privacy Commissioner represent citizen interests, ensuring that data controllers are in line with the stipulated regulations. The Report also broadly states that “with respect to interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material, the Commissioner may exercise broad oversight functions.” In this way, the Report touches upon the need for oversight of surveillance, and suggests that this responsibility may be undertaken by the Privacy Commissioner, but does not clearly place this responsibility with the Privacy Commissioner. This raises the question of if India should adopt a similar model to the United Kingdom – and create a privacy commissioner – responsible primarily for overseeing and enforcing data protection standards, and a separate surveillance commissioner – responsible for overseeing and enforcing standards relating to surveillance measures. When evaluating the different approaches there are a number of considerations that should be kept in mind:

Law enforcement and security agencies are the exception to a number of data protection standards including access and disclosure.
There is a higher level of ‘sensitivity’ around issues relating to surveillance than data protection and each needs to be handled differently.
The ‘competence’ required to deliberate on issues related to data protection is different then the ‘competence’ required deliberating on issues related to surveillance.

Additionally, this raises the question of whether India needs a separate regulation governing data protection and a separate regulation governing surveillance.

Allegations of Wrongdoing

It is worth noting that though May describes surveillance operations conducted in compliance with the law, many other organizations have accused the UK government of abusing their powers and spying on citizens and internet users in illegal ways. The GCHQ, the government’s communications surveillance center has come under particular fire. The organization has been accused indiscriminate spying and introducing malware into citizen’s computers, among other things. Led by the NGO Privacy International, internet service providers around the world have recently lodged complaints against the GCHQ, alleging that it uses malicious software to break into their networks. Many of these complaints are based on the information brought to light in Edward Snowden’s document leaks. Privacy International alleges that malware distributed by GCHQ enables access to any stored content, logging keystrokes and “the covert and unauthorized photography or recording of the user and those around him,” which they claim is similar to physically searching through someone’s house unbeknownst to them and without permission. They also accuse GCHQ malware of leaving devices open to attacks by others, such as identity thieves.

Snowden’s files also indicate a high level of collaboration between GCHQ and the NSA. According to the Guardian, which analyzed and reported on many of the Snowden files, the NSA has in past years paid GCHQ to conduct surveillance operations through the US program called Prism. Leaked documents report that the British intelligence agency used Prism to generate 197 intelligence reports in the year to May 2012. Prism is not mentioned at all in the Interception of Communications Commissioner’s report. In fact, while the report’s introduction explains that it will attempt to address details revealed in Snowden’s leaked documents, very little of what those documents indicate is later referenced in the report. May ignores the plethora of accusations of GCHQ wrongdoing.

Thus, while May’s tone appears genuine and sincere, the details of his report do little to dispel fears of widespread surveillance. It is unclear whether May is being totally forthcoming in his report, especially when he devotes so little energy to directly responding to concerns raised by Snowden’s leaks.

Conclusion

May wrapped up his report with some reflections on the state of surveillance in the United Kingdom. He concluded that RIPA 2000 protects consumers in an internet age, though small incursions are imaginable, and especially lauds the law for it’s technological neutrality. That is, RIPA 2000 is a strong law because it deals with surveillance in general and not with any specific technologies like telephones or Facebook, use of which changes over time. The Commissioner also was satisfied that powers were not being misused in the United Kingdom. He reported that there have been a small number of unintentional errors, he noted, and some confusion about the duration of data retention. However, any data storage mistakes seemed to stem from an unspecific law.

Despite May’s report of surveillance run by the books, other UK groups have accused GCHQ, the government’s communications surveillance center, of indiscriminate spying and introducing malware into citizen’s computers. Privacy International has submitted a claim arguing that a litany of malware is employed by the GCHQ to log detailed personal data such as keystrokes. The fact that May’s report does little to disprove these claims casts the Commissioner in an uncertain light. It is unclear whether surveillance is being conducted illegally or, as the report suggests, all surveillance of citizens is being conducted as authorized.

Still, the concept of a transparency report and audit of a nation’s surveillance initiatives report is a step towards government accountability done right, and should serve as a model for enforcement methods in other nations. May’s practice of giving feedback to the organizations he inspects allows them to improve, and the public report he releases serves as a deterrent to illegal surveillance activity. The Interception of Communications Commissioner–provided he reports truthfully and accurately–is what gives the safeguards built into the UK’s interception regime strength and accountability. In other nations looking to establish privacy protections, a similar role would make their surveillance provisions balanced with safeguards and accountability to ensure that the citizens fundamental rights–including the right to privacy–are not compromised.

For more details visit https://cis-india.org/internet-governance/blog/uk-interception-of-communications-commissioner-a-model-of-accountability

Information & Communication Technology in Making a Healthy Information Society with special reference to use of ICTS in Educational Technology

praskrishna — 2014-07-18T09:06:20Z

The Department of Computer Science, Andhra Loyola College in collaboration with the Department of Computer Science, Krishna University will be organizing a UGC-sponsored National Seminar on August 11 and 12, 2014 at Andhra Loyola College in Vijayawada.

T. Vishnu Vardhan, Programme Director, Access to Knowledge from the Centre for Internet and Society will be giving a key note address at this event.

See the invitation below:

For more details visit https://cis-india.org/news/information-communication-technology-in-making-a-healthy-information-society-with-special-reference-to-use-of-icts-in-educational-technology

Terror recruiters target Indians on internet

praskrishna — 2014-07-18T06:57:56Z

What's in a name? If it indicates your religious identity, then you could get trolled by strangers wanting to draw you in with videos on the importance of archaic customs and doctored accounts of world history.

The article by Sandhya Soman was published in the Times of India on July 18, 2014. Sunil Abraham gave his inputs.

City-based lawyer Shakeel Ahmed recently took one such bait on the Holocaust from a stranger on WhatsApp just to know what kind of propaganda is in circulation.

"I can laugh at such videos and false images but they might confuse youngsters," says Ahmed. Online baiting to lure sympathizers and recruits by seasoned extremists has been on the police radar. If the four youngsters from Thane and Kalyan are indeed now in Iraq fighting for the Islamic militia ISIS, then a good part of their indoctrination could have happened online, say experts.

ISIS is known to have an aggressive social media policy, including an Arabic-language Twitter app, to spread their message and recruit supporters even after the Iraqi government curtailed internet in areas captured by the group recently. "There are many websites, including jihadi ones, favoured by people with extremist leanings," says Anti-Terrorism Squad (ATS) chief Himanshu Roy. Often, the initial contact is made on social networking sites and messenger services.

"The organizations spot youngsters and befriend them before inviting the trusted select to closed chat rooms," says K P Raghuvanshi, senior police official and former ATS head.

The discussion ranges from arranging finance to direct involvement, says Roy. "We have reason to believe that these four boys, who are all educated and come from reasonably well-off families, would have visited such sites and exchanged views with others," he says, refusing to elaborate. The youngsters are supposed to have been in touch with each other.

Those without a wide social network are easy targets, says Sunil Abraham, executive director of Centre for Internet and Society, a research organization. "If, as a young Muslim, you are in touch with only your friends and family, you might believe the false information that enters your circle of trust," he says. Contrary to belief, you don't meet a variety of people on social media. "Unless you have a critical understanding of internet, the medium with its interactivity and multi-media potential could aid propaganda," he says.

It was terrorist group Al-Qaeda that started using technology effectively since 2001. Its supporters came together to upload good quality videos of beheadings and suicide bombings to grab attention. Now, there is a variety of 'jihadist' software to prevent detection, whether it is a plug-in for instant messaging service, encryption for text messages or a stealth online network, according to media reports.

In India, terrorists took to technology in a big way from 2008 onwards when Indian groups like Indian Mujahideen recruited educated people, says an official. "Even a man who didn't know English, learnt to type Hindi using English alphabets and send and receive attachments," says the officer.

While officials say that it is difficult to monitor all the online activity, Roy says that ATS will tackle it. "This is the first instance of youngsters from Maharashtra going out to fight some other war," he says.

For more details visit https://cis-india.org/news/the-times-of-india-july-18-2014-sandhya-soman-terror-recruiters-target-indians-on-internet

Private Censorship and the Right to Hear

chinmayi — 2014-07-22T05:57:09Z

Very little recourse is available against publishers or intermediaries if these private parties censor an author’s content unreasonably.

The article was published in the Hoot on July 17, 2014 and also mirrored on the website of Centre for Communication Governance.

DNA newspaper's removal of Rana Ayyub's brave piece on Amit Shah, with no explanation, is shocking. It is reminiscent of the role that media owners played in censoring journalists during the Emergency, prompting L.K. Advani to say, "You were asked to bend, but you crawled."

The promptitude with which some media houses are weeding out political writing that might get them into trouble should make us reconsider the way we think about the freedom of the press. Discussions of press freedom often concentrate on the individual's right to speak, but may be more effective if they also accommodated another perspective - the audience's right to hear.

It is fortunate that Ayyub's piece was printed and reached its audience before attempts were made to bury it. Its removal was counterproductive, making DNA's decision a good example of what is popularly known as the Streisand Effect (when an attempt to censor or remove infor-mation has the unintended consequence of publicising the information even more widely).

The controversy that has emerged from DNA removing the article has generated much wider attention for it now that it has appeared on multiple websites, its readership expanding as outrage at its removal ricochets around the Internet.

This incident is hardly the first of its kind. Just weeks ago, news surfaced of Rajdeep Sardesai being pressurised to alter his news channel's political coverage before the national election. The Mint reported that the people pressurising Sardesai wanted a complete blackout of Kejriwal and the Aam Admi party from CNN-IBN. Had he capitulated, significant news of great public interest would have been lost to a large audience. CNN-IBN's decision would have been put down to editorial discretion, and we the public would have been none the wiser.

Luckily for their audience, Sardesai and Sagarika Ghose quit the channel that they built from scratch instead of compromising their journalistic integrity. However, the league of editors who choose to crawl remains large, their decisions protected by the Indian constitution.

The freedom of the press in India only protects the press from the government's direct attempts to influence it. Both big business and the state have far more instruments at their disposal than just direct ownership or censorship diktats. These include withdrawal of lucrative advertisements, defamation notices threatening journalists with enormous fines and imprisonment, and sometimes even physical violence. Who can forget how Tehelka magazine's exposure of largescale government wrongdoing resulted in its financiers being persecuted by the Enforcement Directorate, with one of them even being jailed for some time.

The instruments of harassment work best when the legal notices are sent to third party publishers or intermediaries. Unlike the authors who may wish to defend their work or modify it a little to make it suitable for publication, a publishing house or web platform would usually prefer to avoid expensive litigation. Third party publishers will often remove legitimate con-tent to avoid spending time and money fighting for it. Pressurising them is a fairly effective way to silence authors and journalists.

Consider the different news outlets and publishing houses that control what reaches us as news or commentary. If they can be forced to bury content, citing editorial discretion, consider what this means for the quality of news that reaches the Indian public. Indira Gandhi understood this weakness of the press, and successfully controlled the Indian media by managing the proprietors.

Although media ownership still remains concentrated in a few hands, the disruptive element that still offers some hope of free public dialogue is the Internet where, through blogs, small websites and social media, journalists can still get access to the public sphere. This means that when DNA deletes Rana Ayyub's article, copies of it are immediately posted in other places.

However, online journalism is also vulnerable. Online intermediaries which receive content blocking and take down orders tend to over-comply rather than risk litigation. Like publishers, these intermediaries can easily prevent speakers from reaching their audiences. Just look at the volume of information online that is dependent on third party intermediaries such as Rediff, Facebook, WordPress or Twitter. The only thing that keeps the state and big business from easily controlling the flow of information on the Internet is that it is difficult to exert cross-border pressure on online intermediaries located outside India.

However, the ease with which most of the mainstream media is controlled makes it easy to construct a bubble of fiction around audiences, leaving them in blissful ignorance of how little they really know. Very little recourse is available against publishers or intermediaries if these private parties censor an author's content unreasonably. Unlike state censorship, private censorship is invisible, and is protected by the online and offline intermediaries' right to their editorial choices.

Ordinarily, there is nothing wrong with editorial discretion or even with a media house choosing a particular slant to its stories. However, it is important for the public to have access to a healthy range of perspectives and interests, with a diversity of content. If news of public significance is regularly filtered out, it affects the state of our democracy. Citizens cannot participate in governance without access to important information.

It is, therefore, vital to acknowledge the harm caused by private censorship. A democracy is endangered when a few parties disproportionately control access to the public sphere. We need to think of how to ensure that the voices of journalists and scholars reach their audience. Media freedom should be seen in the context of the right of the audience, the Indian public, to receive information.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-july-17-2014-chinmayi-arun-private-censorship-and-the-right-to-hear

First Privacy and Surveillance Roundtable

anandini — 2014-08-09T04:13:50Z

The Privacy and Surveillance Roundtables are a CIS initiative, in partnership with the Cellular Operators Association of India (COAI), as well as local partners. From June 2014 – November 2014, CIS and COAI will host seven Privacy and Surveillance Roundtable discussions across multiple cities in India. The Roundtables will be closed-door deliberations involving multiple stakeholders.

Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India. The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and Training.

The first of seven proposed roundtable meetings on “Privacy and Surveillance” conducted by the Centre for Internet and Society in collaboration with the Cellular Operators Association of India and the Council for Fair Business Practices was held in Mumbai on the 28th of June, 2014.

The roundtable’s discussion centered on the Draft Privacy Protection Bill formed by CIS in 2013, which contains provisions on the regulation of interception and surveillance and its implications on individual privacy. Other background documents to the event included the Report of the Group of Experts on Privacy, and the International Principles on the Application of Human Rights to Communications Surveillance.

Background and Context

The Chair of the Roundtable began by giving a brief background of Surveillance regulation in India, focusing its scope to primarily telegraphic, postal and electronic surveillance.

Why a surveillance regime now?

A move to review the existing privacy laws in India came in the wake of Indo-EU Fair Trade Agreement negotiations; where a Data Adequacy Assessment conducted by European Commission found India’s data protection policies and practices inadequate for India to be granted EU secure status. The EU’s data protection regime is in contrast, fairly strong, governed by the framework of the EU Data Protection Directive, 1995.

In response to this, the Department of Personnel and Training, which drafted the Right to Information Act of 2005 and the Whistleblower’s Protection Act, 2011 was given the task of forming a Privacy Bill. Although the initial draft of the Bill was made available to the public, as per reports, the Second draft of the Bill has been shared selectively with certain security agencies and not with service providers or the public.

Discussion

The Chair began the discussion by posing certain preliminary questions to the Roundtable:

What should a surveillance law contain and how should it function?
If the system is warrant based, who would be competent to execute it?
Can any government department be allowed a surveillance request?

A larger question posed was whether the concerns and questions posed above would be irrelevant with the possible enforcement of a Central Monitoring System in the near future? As per reports, the Central Monitoring System would allow the government to intercept communications independently without using service providers and thus, in effect, shielding such information from the public entirely.

The CIS Privacy Protection Bill’s Regulatory Mechanism

The discussion then focused on the type of regulatory mechanism that a privacy and surveillance regime in India should have in place. The participants did not find favour in either a quasi-judicial body or a self-regulatory system – instead opting for a strict regulatory regime.

The CIS Draft Privacy Protection Bill proposes a regime that consists of a Data Protection Regulation Authority that is similar to the Telecom Regulatory Authority of India, including the provision for an appellate body. The Bill envisions that the Authority will act as an adjudicating body for all complaints relating to the handling of personal data in addition to forming and reviewing rules on personal data protection.

Although, the Draft Bill dealt with privacy and surveillance under one regulatory authority, the Chair proposes a division between the two frameworks, as the former is governed primarily by civil law, and the latter is regulated by criminal law and procedure. Though in a 2014 leaked version of the governments Privacy Bill, surveillance and privacy are addressed under one regulation, as per reports, the Department of Personnel and Training is also considering creating two separate regulations: one for data protection and one for surveillance.

Authorities in Other Jurisdictions

The discussion then moved to comparing the regulatory authorities within other jurisdictions and the procedures followed by them. The focus was largely on the United States and the United Kingdom, which have marked differences in their privacy and surveillance systems.

In the United Kingdom, for example, a surveillance order is reviewed by an Independent Commissioner followed by an Appellate Tribunal, which has the power to award compensation. In contrast, the United States follows a far less transparent system which governs foreigners and citizens under separate legislations. A secret court was set up under the FISA, an independent review process, however, exists for such orders within this framework.

The Authority for Authorizing Surveillance in India

The authority for regulating requests for interceptions of communication under the Draft CIS Privacy Protection Bill is a magistrate. As per the procedure, an authorised officer must approach the Magistrate for approval of a warrant for surveillance. Two participants felt that a Magistrate is not the appropriate authority to regulate surveillance requests as it would mean vesting power in a few people, who are not elected via a democratic process.

In the present regime, the regulation of interception of telecommunications under Indian Law is governed by the Telegraph Act,1885 and the Telegraph Rules,1951. Section 5(2) of the Act and Rule 419A of the Telegraph Rules, permit interception only after an order of approval from the Home Secretary of the Union Government or of the State Governments, which in urgent cases, can be granted by an officer of the Joint Secretary Level or above of the Ministry of Home Affairs of the Union or that State’s Government.

Although most participants felt confident that a judicial authority rather than an executive authority would serve as the best platform for regulating surveillance, there was debate on what level of a Magistrate Judge would be apt for receiving and authorizing surveillance requests - or whether the judge should be a Magistrate at all. Certain participants felt that even District Magistrates would not have the competence and knowledge to adjudicate on these matters. The possibility of making High Court Judges the authorities responsible for authorizing surveillance requests was also suggested. To this suggestion participants noted that there are not enough High Court judges for such a system as of now.

The next issue raised was whether the judges of the surveillance system should be independent or not, and if the orders of the Courts are to be kept secret, would this then compromise the independence of such regulators. As part of this discussion, questions were raised about the procedures under the Foreign Intelligence Surveillance Act, the US regulation governing the surveillance of foreign individuals, and if such secrecy could be afforded in India. During the discussions, certain stakeholders felt that a system of surveillance regulation in India should be kept secret in the interests of national security. Others highlighted that this is the existing practice in India giving the example of the Intelligence Bureau and Research and Analysis Wing orders which are completely private, adding however, that none of these surveillance regulations in India have provisions on disclosure.

When can interception of communications take place?

The interception of communications under the CIS Privacy Protection Bill is governed by the submission of a report by an authorised officer to a Magistrate who issues a warrant for such surveillance. Under the relevant provision, the threshold for warranting surveillance is suspicious conduct. Several participants felt that the term ‘suspicious conduct’ was too wide and discretionary to justify the interception of communication and suggested a far higher threshold for surveillance. Citing the Amar Singh Case, a participant stated that a good way to ensure ‘raise the bar’ and avoid frivolous interception requests would be to require officers submitting interception request to issue affidavits. A participant suggested that authorising officers could be held responsible for issuing frivolous interception requests. Some participants agreed, but felt that there is a need for a higher and stronger standard for interception before provisions are made for penalising an officer. As part of this discussion, a stakeholder added that the term “person” i.e. the subject of surveillance needed definition within the Bill.

The discussion then moved to comparing other jurisdictions’ thresholds on permitting surveillance. The Chair explained here that the US follows the rule of probable cause, which is where a reasonable suspicion exists, coupled with circumstances that could prove such a suspicion true. The UK follows the standard of ‘reasonable suspicion’, a comparatively lesser degree of strength than probable cause. In India, the standard for telephonic interception under the Telegraph Act 1885 is the “occurrence of any public emergency or in the interest of public safety” on the satisfaction of the Home Secretary/Administrative Officer.

The participants, while rejecting the standard of ‘suspicious conduct’ and agreeing that a stronger threshold was needed, were unable to offer other possible alternatives.

Multiple warrants, Storing and sharing of Information by Governmental Agencies

The provision for interception in the CIS Privacy Protection Bill stipulates that a request for surveillance should be accompanied by warrants previously issued with respect to that individual. The recovery of prior warrants suggests the sharing of information of surveillance warrants across multiple governmental agencies which certain participants agree, could prevent the duplication of warrants.

Participants briefly discussed how the Central Monitoring System will allow for a permanent log of all surveillance activities to be recorded and stored, and the privacy implications of this. It was noted that as per reports, the hardware purported to be used for interception by the CMS is Israeli, and is designed to store a log of all metadata.

A participant stated that automation component of the Centralized Monitoring System may be positive considering that authentication of requests i.e. tracing the source of the interception may be made easier with such a system.

Conditions prior to issuing warrant

The CIS Privacy Protect Bill states that a Magistrate should be satisfied of either. A reasonable threat to national security, defence or public order; or a cognisable offence, the prevention, investigation or prosecution of which is necessary in the public interest. When discussing these standards, certain participants felt that the inclusion of ‘cognizable offences’ was too broad, whereas others suggested that the offences would necessarily require an interception to be conducted should be listed. This led to further discussion on what kind of categorisation should be followed and whether there would be any requirement for disclosure when the list is narrowed down to graver and serious offences.

The chair also posed the question as to whether the term ‘national security’ should elaborated upon, highlighting the lack of a definition in spite of two landmark Supreme Court judgments on national security legislations, Terrorist and Disruptive Activities Act,1985 and the Prevention of Terrorism Act, i.e. Kartar Singh v Union of India [1] and PUCL v Union of India.[2]

Kinds of information and degree of control

The discussion then focused on the kinds of information that can be intercepted and collected. A crucial distinction was made here, between content data and metadata, the former being the content of the communication itself and the latter being information about the communication. As per Indian law, only content data is regulated and not meta-data. On whether a warrant should be issued by a Magistrate in his chambers or in camera, most participants agreed that in chambers was the better alternative. However, under the CIS Privacy Protection Bill, in chamber proceedings have been made optional, which stakeholders agreed should be discretionary depending on the case and its sensitivity.

Evidentiary Value

The foundation of this discussion, the Chair noted, is the evidentiary value given to information collected from interception of communications. For instance, the United States follows the exclusionary rule, also known as the “fruit of the poisonous tree rule”, where evidence collected from an improper investigation discredits the evidence itself as well as further evidence found on the basis of it.

Indian courts however, allow for the admission of evidence collected through improper collection, as does the UK. In Malkani v State of Maharashtra[3] the Supreme Court stated that an electronically recorded conversation can be admissible as evidence, and stated that evidence collected from an improper investigation can be relied upon for the discovery of further evidence - thereby negating the application of the exclusionary rule.

Emergent Circumstances: who should the authority be?

The next question posed to the participants was who the apt authority would be to allow surveillance in emergent circumstances. The CIS Privacy Protection Bill places this power with the Home Secretary, stating that if the Home Secretary is satisfied of a grave threat to national security, defence or public order, he can permit surveillance. The existing law under the Telegraph Act 1885 uses the term ‘unavoidable circumstance’, though not elaborating on what this amounts to for such situations, where an officer not below the rank of a Joint Secretary evaluates the request. In response to this question, a stakeholder suggested that the issuing authority should be limited to the police and administrative services alone. In the CIS Privacy Protection Bill - a review committee for such decisions relating to interception is comprised of senior administrative officials both at the Central and State Government level. A participant suggested that the review committee should also include the Defence secretary and the Home secretary.

Sharing of Information

The CIS Privacy Protection Bill states that information gathered from surveillance should not be shared be shared amongst persons, with the exception that if the information is sensitive in terms of national security or prejudicing an investigation, an authorised officer can share the information with an authorised officer of any other competent organisation.

A participant highlighted that this provision is lacking an authority for determining the sharing of information. Another participant noted that the sharing of information should be limited amongst certain governmental agencies, rather than to ‘any competent organisation.’

Proposals for Telecommunication Service Providers

In the Indian interception regime, although surveillance orders are passed by the Government, the actual interception of communication is done by the service provider. Certain proposals have been introduced to protect service providers from liability. For example, an execution provision ensures that a warrant is not served on a service provider more than seven days after it is issued. In addition an indemnity provision prevents any action being taken against a service provider in a court of law, and indemnifies them against any losses that arise from the execution of the warrant, but not outside the scope of the warrant. During discussions, stakeholders felt that the standard should be a blanket indemnity without any conditions to assure service providers.

Under the Indian interception regime, a service provider must also ensure confidentiality of the content and meta data of the intercepted communications. To this, a participant suggested that in situations of information collection, a service provider may have a policy for obtaining customer consent prior to the interception. The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011 are clearer in this respect, which allow for the disclosure of information to governmental agencies without consent.

Another participant mentioned that the inconsistencies between laws on information disclosure and collection, such as the IT Act, the Right to Information Act and the recently enacted Whistleblower’s Protection Act, 2011 need to be harmonised. Other stakeholders agreed with this, though they stated that surveillance regulations should prevail over other laws in case of any inconsistency.

Conclusions

The inputs from the Bombay Roundtable seem to point towards a more regulated approach, with the addition of a review system to enhance accountability. While most stakeholders here agreed that national security is a criterion that takes precedence over concerns of privacy vis-à-vis surveillance, there is a concomitant need to define the limits of permissible interception. The view here is that a judicial model would prove to be a better system than the executive system; however, there is no clear answer as of yet on who would constitute this model. While the procedure for interception was covered in depth, the nature of the information itself was covered briefly and more discussion would be welcome here in forthcoming sessions.

Click to download the Report (PDF, 188 Kb)

[1]. 1994 4 SCC 569.

[2]. (1997) 1 SCC 301.

[3]. [1973] 2 S.C.R. 417.

For more details visit https://cis-india.org/internet-governance/blog/privacy-surveillance-roundtable-mumbai

GNI and IAMAI Launch Interactive Slideshow Exploring Impact of India's Internet Laws

jyoti — 2014-07-17T12:01:01Z

The Global Network Initiative and the Internet and Mobile Association of India have come together to explain how India’s Internet and technology laws impact economic innovation and freedom of expression.

The Global Network Initiative (GNI), and the Internet and Mobile Association of India (IAMAI) have launched an interactive slide show exploring the impact of existing Internet laws on users and businesses in India. The slide show created by Newsbound, and to which Centre for Internet and Society (CIS) has contributed its comments—explain the existing legislative mechanisms prevalent in India, map the challenges of the regulatory environment and highlight areas where such mechanisms can be strengthened.

Foregrounding the difficulties of content regulation, the slides are aimed at informing users and the public of the constraints of current legal mechanisms in place, including safe harbour and take down and notice provisions. Highlighting Section 79(3) and the Intermediary Liability Rules issued in 2011, the slide show identifies some of the challenges faced by Internet platforms, such as the broad interpretation of the legislation by the executive branch.

Challenges governing Internet platforms highlighted in the slide show include uniform Terms of Service that do not consider the type of service being provided by the platform, uncertain requirements for taking down content and compliance obligations related to information disclosure. Further the issues of over compliance and misuse of the legal notice and take down system introduced under Section 79 of the Information Technology (Intermediaries Guidelines) Rules 2011.

The Rules were created with the purpose of providing guidelines for the ‘post-publication redressal mechanism expression as envisioned in the Constitution of India'. However, since their introduction, the Rules have been criticised extensively, by both the national and the international media on account of not conforming to principles of natural justice and freedom of expression. Critics have pointed out that by not recognising the different functions performed by the different intermediaries and by not providing safeguards against misuse of such mechanism for suppressing legitimate expression, the Rules have a chilling effect on freedom of expression.

Under the current Rules, the third party provider/creator of information is not given a chance to be heard by the intermediary, nor is there a requirement to give a reasoned decision by the intermediary to the creator whose content has been taken down. The take down procedure also, does not have any provisions for restoring the removed information, such as providing a counter notice filing mechanism or appealing to a higher authority. Further, the content criteria for removal of content includes terms like 'disparaging' and 'objectionable', which are not defined and prima facie seem to be beyond the reasonable restrictions envisioned by the Constitution of India. With uncertainty in content criteria and no safeguards to prevent abuse complainant may send frivolous complaints and suppress legitimate expressions without any fear of repercussions.

Most importantly, the redressal mechanism under the Rules shifts the burden of censorship, previously, the exclusive domain of the judiciary or the executive, and makes it the responsibility of private intermediaries. Often, private intermediaries, do not have sufficient legal resources to subjectively determine the legitimacy of a legal claim, resulting in over compliance to limit liability. The slide show cites the 2011 CIS research carried out by Rishabh Dara to determine whether the Rules lead to a chilling effect on online free expression, towards highlighting the issue of over compliance and self censorship.

The initiative is timely, given the change of guard in India, and stresses, not only the economic impact of fixing the Internet legal framework, but also the larger impact on users rights and freedom of expression. The initiative calls for a legal environment for the Internet that enables innovation, protects the rights of users, and provides clear rules and regulations for businesses large and small.

See the slideshow here: How India’s Internet Laws Can Help Propel the Country Forward

Other GNI reports and resources:

Closing the Gap: Indian Online Intermediaries and a Liability System Not Yet Fit for Purpose

Strengthening Protections for Online Platforms Could Add Billions to India’s GDP

For more details visit https://cis-india.org/internet-governance/blog/gni-and-iamai-launch-interactive-slideshow-exploring-impact-of-indias-internet-laws

Living in a Fish Bowl

praskrishna — 2014-07-16T07:15:22Z

Though India needs a comprehensive law on the right to privacy, it may not be ready for something as avant garde as the “right to be forgotten” on the Internet, argues Shuma Raha

The article by Shuma Raha was published in the Telegraph on July 16, 2014. Sunil Abraham gave his inputs.

If you do a Google search for journalist and television personality Barkha Dutt, a raft of scurrilous information about her pops up. It isn’t tucked away somewhere on the 10th page either — it’s all up front, right there in “autosuggest”, almost prompting you to go and check it out. And thanks to Google’s search algorithm, the more people click on that link, it further strengthens the score for that “hit”.

Dutt says she has brought the matter to the attention of Google, but to no avail. “I have lost interest in the whole struggle,” she says. “But Google definitely needs to do something about the slanderous, inaccurate, fictional information out there that creates a narrative of its own.”

Well, in Europe at least, the tech giant has taken a step in that direction. Late last month, it started erasing search results that threw up information deemed to be “irrelevant”, “outdated” or “excessive”. The move came after the European Court of Justice ruled that Internet search engines would have to allow people the “right to be forgotten” in specific cases and accordingly, take down information about them.

The European Court ruling has triggered a huge debate since an individual’s right to be forgotten seems to be at complete loggerheads with people’s right to know. Nevertheless, it’s a landmark decision when it comes to right to privacy on the Internet. After all, the online space has perma-memory and inaccurate or irrelevant or outdated information about a person can be embedded there forever, damaging him or her in manifold ways.

So how far are we in India from securing the right to be forgotten on the Internet?

The short answer to that is, very far. That is because India does not have a well-defined privacy regime wherein one could envisage a court of law handing out a similar — and some would say a somewhat radical — order on a Google or a Bing. “The right to be forgotten is a bit too advanced for us,” says Sunil Abraham, director, Centre for Internet and Society, a non-profit organisation that works on policy issues relating to freedom of expression and privacy. “After all, we are yet to come up with a privacy and data protection regime that implements the best practices of European countries.”

Adds Apar Gupta, a Delhi-based lawyer, who has written extensively on privacy issues, “Sector specific privacy legislation do exist, but they do not provide substantive rights or efficient remedy in case of violations.”
No one disputes that India should get a right to privacy law, especially one that relates to the collection, processing and use of personal data. Right now the government’s surveillance mechanisms like the Central Monitoring System and the Lawful Interception and Monitoring Systems allow security agencies and income tax authorities to intercept communication, snoop on phone conversations, read emails and SMSes with little or no safeguards for privacy protection.

A right to privacy bill has, in fact, been in the works since as early as 2011. But the government has been dragging its feet over it. Early this year, a new version of the draft bill was “leaked” to the press. But few are happy with it. On the positive side, it raises the penalty for unlawful interception of communication (from Rs 1 lakh to Rs 2 crore) and increases penalties for other offences such as obtaining personal data under false pretexts. But crucially, it almost wholly exempts intelligence agencies from the purview of the law, thereby allowing them unbridled access to personal information. Of course, no one knows if this “leaked” draft is indeed the official one.

Experts say that the government should really formulate a right to privacy law based on the recommendations of a committee chaired by Justice A.P. Shah. The report, which was published in 2012, proposes that the right to privacy be statutorily extended to all Indians. It recommends, among other things, the appointment of privacy commissioners and the formulation of certain “national privacy principles” such as taking the consent of the individual prior to the collection of data, allowing him the choice to withdraw such consent, limiting the use of personal information to the stated purpose and so on. The privacy principles would apply to all data collectors in both private and public sectors.
There are, of course, a number of provisions in existing laws that relate to privacy. For example, Rule 419A of the Indian Telegraph Rules, 1951, sets down certain privacy safeguards such as maintaining details about the officer ordering an intercept of telecommunication.

Moreover, Section 66E of the Information Technology Act, 2000, prescribes “punishment for the violation of privacy” (in the context of capturing “private” images of a person without his or her consent); Section 43A lays down that a “body corporate” will be liable to pay compensation in case it fails to protect personal data gathered in the course of its operation; and Section 79 stipulates that “intermediaries” — entities such as Google, Facebook, Twitter — would have to take down any information stored or transmitted by them that is found to be grossly harassing, defamatory, blasphemous, obscene, pornographic and so on, within 36 hours of being notified.

Of course, this section of the IT Act has been roundly criticised as arbitrary and Draconian, but that is another story.
The point is that despite the fair number of privacy provisions, in the absence of a comprehensive law, the untrammelled and unauthorised use of personal data cannot be ruled out. “Every country in the world collects personal data. But once the data are collected for a particular purpose they should not be used for any other purpose. The law has to be in a position to catch the violators,” says Kamlesh Bajaj, CEO of Data Security Council of India, an organisation that works to promote data protection and privacy best practices.

As always, the key issue is that an individual’s right to privacy has to be balanced with public interest. And it is in that context that experts feel that even if India were to have a privacy law, it is probably not ready for something akin to the European Court ruling on the right to be forgotten. As Gupta says, “It raises a real danger of public personalities blocking legitimate journalism on grounds of privacy. This is specially true in a country like India which permits a high degree of illegality in the name of secrecy and confidentiality.”

Abraham agrees with that view. “I’m not sure if the right to be forgotten will enhance privacy or usher in a level of censorship,” he says.

As Europe grapples with that debate, India’s privacy warriors are asking for something far more fundamental — a comprehensive law that guarantees the right to privacy to all.

For more details visit https://cis-india.org/news/the-telegraph-july-16-2014-living-in-a-fish-bowl

Rethinking Privacy: The Link between Florida v. Jardines and the Surveillance of Nature Films

praskrishna — 2014-07-28T05:51:48Z

Bhairav Acharya gave a talk on "Rethinking Privacy" at an event organized by the Indian Institute of Technology, Madras (IIT-M) on July 11, 2014.

In a 2010 article in Continuum: Journal of Media & Cultural Studies, Brett Mills proposed that animals have a right to privacy and that wildlife documentaries, specifically BBC's Nature's Great Events (2009), invaded this right without an examination of animal conservation ethics. In the 2013 Florida v. Jardines decision, the Supreme Court of the United States re-examined the constitutional validity of 'dog sniff laws' that permitted police animals to enter the threshold of private property to conduct 'minimally invasive warant-less searches' and 'Terry stops'; this was the latest in a long line of Fourth Amendment cases that examine the ethics of conserving and protecting public order. I attempt to draw links between the two scenarios that highlight the dissonance between sociological and jurisprudential constructions of privacy.

For more details visit https://cis-india.org/news/rethinking-privacy

Best Practices Meet

praskrishna — 2014-08-06T06:25:20Z

The Best Practices Meet 2014 is being organized by DSCI at Hotel Leela Palace on July 9, 2014. Sunil Abraham will participate as a panelist at the event.

SMAC: new paradigm for Security?

Convergence of Social, Mobile, Analytics, and Cloud, is collectively referred as SMAC technologies. The success of social media products and sites such as Facebook, Twitter, Linkedin many more has been driving organizations’ investment in social computing. Mobile is another example of how technologies invented initially for personal use, entrenched itself into the enterprise ecosystem. Social computing and mobile blurs the boundaries between personal, social and business transactions. They lead to the explosion of information, which provides interesting insights, critical for business benefits. This reflects in huge impetus that has been seen in analytics, widely known as Big Data analytics. On the other hand, cloud brings completely new paradigm of organizing entperise IT, developing new products and services and delivering consumer experiences.

Increasing adoption of SMAC stack by enterprises breaks the existing paradigm of security. The data explosion on mobile devices exposes organizations’ information to inadvertent loss of revenue and brand value. Malicious applications may steal vital information stored on an employee’s mobile device and pave the way for a major data breach. Web application attacks remain the most significant threat for environments of cloud-hosting providers, amongst other apprehensions about data security. Data sovereignty also continue to pose serious concerns, which organizations need to tackle while moving their data to the cloud. Big data facilitates advanced analytics; however, requires protection from intrusion, corruption and securing its access. Furthermore, social media platforms are continuously exploited to launch malicious content and stealthy payload on devices. Social technologies are also plagued by the use of malicious techniques to mine confidential personal information under the guise of innocuous looking web pages via social engineering techniques.

Apart from security concerns, privacy supposed to be a big causality, as each component of the SMAC stack is considered intrusive enough to compromise the personal rights. Convergence and nexus of them add to the woes.

The collaborative and cumulative effect of all of these technologies working in unison essentially magnifies the efforts of the organizations that are able to wield them effectively. This evolution is challenging the ability of current security capabilities to address business critical risks. The way forward for organizations would be to understand the perspective of end users and IT infrastructure in terms of its integration with any or all the elements of SMAC. The organizations will have to deal with the new paradigm of security that will take them to more scalable, granualar, complex, independent and diverse challenges.

The DSCI Best Practices Meet, 2014 brings the security community and other stakeholders together, to deliberate and ponder over these diverse set of issues and challenges. It is aimed at deliberating on the new security paradigm from the perspectives of public policy, enterprise strategies, technology and practices.

Click to download the agenda and other details here.

For more details visit https://cis-india.org/news/best-practices-meet-2014

Delhi High Court Orders Blocking of Websites after Sony Complains Infringement of 2014 FIFA World Cup Telecast Rights

sinha — 2014-07-08T07:02:16Z

Of late the Indian judiciary has been issuing John Doe orders to block websites, most recently in Multi Screen Media v. Sunit Singh and Others. The order mandated blocking of 472 websites, out of which approximately 267 websites were blocked as on July 7, 2014. This trend is an extremely dangerous one because it encourages flagrant censorship by intermediaries based on a judicial order which does not provide for specific blocking of a URL, instead provides for blocking of the entire website.

The High Court of Delhi on June 23, 2014 issued a John Doe injunction restraining more than 400 websites from broadcasting 2014 FIFA world cup matches. News reports indicate that the Single judge bench of Justice V. Kameswar Rao directed the Department of Telecom to issue appropriate directions to ISPs to block the websites that Multi Screen Media provided, as well as “any other website identified by the plaintiff” in the future. On July 4, Justice G. S. Sistani permitted reducing the list to 219 websites.

Background

Multi Screen Media (MSM) is the official broadcaster for the ongoing 2014 FIFA World Cup tournament. FIFA (the Governing body) had exclusively licensed rights to MSM which included live, delayed, highlights, on demand, and repeat broadcast of the FIFA matches. MSM complained that the defendants indulged in hosting, streaming, providing access to, etc, thereby infringing the exclusive rights and broadcast and reproduction rights of MSM.

The court in the instant order held that the defendants had prima facie infringed MSM’s broadcasting rights, which are guaranteed by section 37 of the Copyright Act, 1957. In an over-zealous attempt to pre-empt infringement the court called for a blanket ban on all websites identified by MSM. Further, the court directed the concerned authorities to ensure ISPs complied with this order and block the websites mentioned by MSM presently, and other websites which may be subsequently be notified by MSM.

Where the Court went Wrong

The court stated that MSM successfully established a prima facie case, and on its basis granted a sweeping injunction to MSM ordering blocking 471 second level domains. I’d like to point out numerous flaws with the order-

Dissatisfactory "Prima facie case"

In my opinion the court could have scrutinised the list of websites provided by MSM more carefully. There is nothing in the order to suggest that evidence was proffered by MSM in support of the list. The order reveals that the list was prepared by MarkScan, a “consulting boutique dedicated to (the client’s) IP requirements in the cyberspace and the Indian sub-continent.” The list throws up names such as docs.google.com, goo.gl & ad.ly (provide URL shortening service only), torrent indexing websites, IP addresses, online file streaming websites, etc., at a cursory glance. Evidently, perfectly legitimate websites have been targeted by an ill conducted search and shoddily prepared list which may lead to blocking of legitimate content on account of no verification by the court. 471 websites out of 472 mentioned in the first list are second level domains and 23 websites have been listed twice.

2. Generic order which abysmally fails to identify specific infringing URLS

Out of the 472 websites (list provided in the order by MarkScan)-

471 are file streaming websites, video sharing websites, file lockers, URL shorteners, file storage websites; only one is a specific URL [http://www.24livestreamtv.com/brazil-2014-fifa-world-cup-football-%20%C2%A0%C2%A0live-streaming-online-t ].

The order calls for blocking of complete websites. This is in complete contradiction to the 2012 Madras High Court’s order in R K Productions v BSNL which held that only a particular URL where the infringing content is kept should be blocked, rather than the entire website. The Madras High Court order had also made it mandatory for the complainants to provide exact URLs where they find illegal content, such that ISPs could block only that content and not the entire site. MSM did not adhere to this and I have serious doubts if the defendants brought the distinguishing Madras High Court judgment to the attention of the bench. The entire situation is akin to MarkScan scamming MSM by providing their clients a dodgy list, and MSM scamming the court and the public at large.

3. Lack of Transparency – Different blocking messages on different ISPs

The message displayed uniformly on blocked websites was:

"This website/URL has been blocked until further notice either pursuant to court orders or on the directions issued by the Department of Telecommunications."

I observed that a few websites showed the message “Error 404 – File or Directory not found” without the blocking message (above) on the network provider Reliance, and same Error 404 with the blocking message on the network provider Airtel highlighting the non-transparent manner of adherence to the order. Further, both the messages do not indicate the end period of the block.

Legality of John Doe orders in Website Blocking

It is pertinent to reiterate the ‘misuse’ of John Doe orders to block websites in India. The judiciary has erred in applying the John Doe order to protect copyrightable content on the internet. While the R K Productions v BSNL case appears reasonable in terms of permitting blocking of only URL specific content, the application of John Doe order to block websites remains unfounded in law. Ananth Padmanabhan in a three part study (Part I, II and III) had earlier analysed the improper use of John Doe injunctions to block websites in India. The John Doe order was conceived by US courts to pre-emptively remedy the irreparable damages suffered by copyright holders on account of unidentified/unnamed infringers. The interim injunction allowed collection of evidence from infringers, who were identified later as certain defendants and the final relief was accordingly granted. The courts routinely advocated judicious use of the order, and ensured that the identified defendants were provided and informed of their right to apply to the court within twenty four hours for a review of the order and a right to claim damages in an appropriate case. Therefore, the John Doe order applied against primary infringers per se.

On the other hand, whilst extending this remedy in India the courts have unfortunately placed onus on the conduit i.e. the ISP to block websites. This is tantamount to providing final relief at the interim stage, since all content definitely gets blocked; however, this hardly helps in identifying the actual infringer on the internet. The court is prematurely doling out blocking remedies to the complaining party, which, legally speaking should be meted out only during the final disposition of the case after careful examination of the evidence available. Thus, the intent of a John Doe order is miserably lost in such an application. Moreover, this lends an arbitrary amount of power in the hands of intermediaries since ISPs may or may not choose to approach the court for directions to specifically block URLs which provide access to infringing content only.

For more details visit https://cis-india.org/internet-governance/blog/delhi-high-court-orders-blocking-of-websites-after-sony-complains-infringement-of-2014-fifa-world-cup-telecast-rights

COAI, Centre for Internet & Society to hold pan-India meetings on privacy issues

praskrishna — 2014-07-07T07:37:34Z

In order to discuss possible legal frameworks to enable surveillance of voice and data communications in India, the Cellular Operators' Association of India (COAI) along with the Centre for Internet and Society (CIS) will hold seven roundtable meetings across the country in the coming weeks on privacy and surveillance issues.

Originally published by IANS on July 4, 2014 the news was mirrored in the Times of India, NDTV, Business Standard, Economic Times, and World News on the same day. Bhairav Acharya gave his inputs.

The recommendations and dialogues from each of these roundtables will be compiled and submitted to the relevant ministries of the government, a statement issued by COAI said here on Friday.

The roundtable meetings will take place in Mumbai, Ahmedabad, Hyderabad, Bangalore, Chennai and twice in New Delhi.

These roundtables are closed-door meetings involving multiple stakeholders such as the industry leaders, policy makers, and experts from the legal fraternity and civil society.

In the era of freedom, when data connectivity via the internet, has emerged as one of the most powerful tools for communications, infringement of customer privacy by government agencies through telecom networks have forced the industry to initiate discussions on the international best practices on communications privacy and surveillance, and the relevant Indian jurisprudence.

"COAI, with the Centre for Internet and Society has taken this initiative by bringing the relevant stakeholders on a common platform to discuss the matter to arrive at an acceptable conclusion," COAI Director General Rajan S Mathews said.

According to Bhairav Acharya, who advises the CIS: "Legal reform is necessary to identify the limits of permissible surveillance, the protection of privacy, the procedure of intercepting communications, the expectations of service providers, and freedom of all Indians. The law must keep up with technological advancements to create a balanced, proportionate and fair mechanism to enable and regulate surveillance. This will serve India’s national interest."

For more details visit https://cis-india.org/news/ians-july-4-2014-coai-cis-to-hold-pan-india-meetings-on-privacy-issues

The Constitutionality of Indian Surveillance Law: Public Emergency as a Condition Precedent for Intercepting Communications

bedaavyasa — 2014-08-04T04:52:42Z

Bedavyasa Mohanty analyses the nuances of interception of communications under the Indian Telegraph Act and the Indian Post Office Act. In this post he explores the historical bases of surveillance law in India and examines whether the administrative powers of intercepting communications are Constitutionally compatible.

Introduction

State authorised surveillance in India derives its basis from two colonial legislations; §26 of the Indian Post Office Act, 1898 and §5 of the Telegraph Act, 1885 (hereinafter the Act) provide for the interception of postal articles[1] and messages transmitted via telegraph[2] respectively. Both of these sections, which are analogous, provide that the powers laid down therein can only be invoked on the occurrence of a public emergency or in the interest of public safety. The task of issuing orders for interception of communications is vested in an officer authorised by the Central or the State government. This blog examines whether the preconditions set by the legislature for allowing interception act as adequate safeguards. The second part of the blog analyses the limits of discretionary power given to such authorised officers to intercept and detain communications.

Surveillance by law enforcement agencies constitutes a breach of a citizen’s Fundamental Rights of privacy and the Freedom of Speech and Expression. It must therefore be justified against compelling arguments against violations of civil rights. Right to privacy in India has long been considered too ‘broad and moralistic’[3] to be defined judicially. The judiciary, though, has been careful enough to not assign an unbound interpretation to it. It has recognised that the breach of privacy has to be balanced against a compelling public interest [4] and has to be decided on a careful examination of the facts of a certain case. In the same breath, Indian courts have also legitimised surveillance by the state as long as such surveillance is not illegal or unobtrusive and is within bounds [5]. While determining what constitutes legal surveillance, courts have rejected “prior judicial scrutiny” as a mandatory requirement and have held that administrative safeguards are sufficient to legitimise an act of surveillance. [6]

Conditions Precedent for Ordering Interception

§§5(2) of the Telegraph Act and 26(2) of the Indian Post Office Act outline a two tiered test to be satisfied before the interception of telegraphs or postal articles. The first tier consists of sine qua nons in the form of an “occurrence of public emergency” or “in the interests of public safety.” The second set of requirements under the provisions is “the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence.” While vesting the power of interception in administrative officials, the sections contemplate a legal fiction where a public emergency exists and it is in the interest of sovereignty, integrity, security of the state or for the maintenance of public order/ friendly relations with foreign states. The term “public emergency,” however, has not been clearly defined by the legislature or by the courts. It thus vests arbitrary powers in a delegated official to order the interception of communication violating one’s Fundamental Rights.

Tracing the History of the Expression “Public Emergency”

The origins of the laws governing interception can be traced back to English laws of the late 19th Century; specifically one that imposed a penalty on a postal officer who delayed or intercepted a postal article.[7] This law guided the drafting of the Indian Telegraph Act in 1885 that legitimised interception of communications by the state. The expression “public emergency” appeared in the original Telegraph Act of 1885 and has been adopted in that form in all subsequent renderings of provisions relating to interception. Despite the contentious and vague nature of the expression, no consensus regarding its interpretation seems to have been arrived at. One of the first post-independence analyses of this provision was undertaken by the Law Commission in 1968. The 38th Law Commission in its report on the Indian Post Office Act, raised concerns about the constitutionality of the expression. The Law Commission was of the opinion that the term not having been defined in the constitution cannot serve as a reasonable ground for suspension of Fundamental Rights.[8] It further urged that a state of public emergency must be of such a nature that it is not secretive and is apparent to a reasonable man.[9] It thus challenged the operation of the act in its then current form where the determination of public emergency is the discretion of a delegated administrative official. The Commission, in conclusion, implored the legislature to amend the laws relating to interception to bring them in line with the Constitution. This led to the Telegraph (Amendment) Act of 1981. Questions regarding the true meaning of the expression and its potential misuse were brought up in both houses of the Parliament during passing of the amendment. The Law Ministry, however, did not issue any additional clarifications regarding the terms used in the Act. Instead, the Government claimed that the expressions used in the Act are “exactly those that are used in the Constitution.” [10] It may be of interest to note here that the Constitution of India, neither uses nor defines the term “public emergency.” Naturally, it is not contemplated as a ground for reasonably restricting Fundamental Rights provided under Article 19(1). [11] Similarly, concerns regarding the potential misuse of the powers were defended with the logically incompatible and factually inaccurate position that the law had not been misused in the past.[12]

Locating “Public Emergency” within a Proclamation of Emergency under the Constitution (?)

Public emergency in not equivalent to a proclamation of emergency under Article 352 of the Constitution simply because it was first used in legislations over six decades before the drafting of the Indian Constitution began. Besides, orders for interception of communications have also been passed when the state was not under a proclamation of emergency. Moreover, public emergency is not the only prerequisite prescribed under the Act. §5(2) states that an order for interception can be passed either on the occurrence of public emergency or in the interest of public safety. Therefore, the thresholds for the satisfaction of both have to be similar or comparable. If the threshold for the satisfaction of public emergency is understood to be as high as a proclamation of emergency then any order for interception can be passed easily under the guise of public safety. The public emergency condition will then be rendered redundant. Public emergency is therefore a condition that is separate from a proclamation of emergency.

In a similar vein the Supreme Court has also clarified[13] that terms like “public emergency” and “any emergency,” when used as statutory prerequisites, refer to the occurrence of different kinds of events. These terms cannot be equated with one another merely on the basis of the commonality of one word.

The Supreme Court in Hukam Chand v. Union of India,[14] correctly stated that the terms public emergency and public safety must “take colour from each other.” However, the court erred in defining public emergency as a situation that “raises problems concerning the interest of the public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or the prevention of incitement to the commission of an offence.” This cyclic definition does not lend any clarity to the interpretive murk surrounding the term. The Act envisages public emergency as a sine qua non that must exist prior to a determination that there is a threat to public order and sovereignty and integrity of the state. The court’s interpretation on the other hand would suggest that a state of public emergency can be said to exist only when public order, sovereignty and integrity of the state are already threatened. Therefore, while conditions precedent exist for the exercise of powers under §5(2) of the Act, there are no objective standards against which they are to be tested.

Interpretation of Threshold Requirements

A similar question arose before the House of Lords in Liversidge v. Anderson.[15] The case examined the vires of an Act that vested an administrative authority with the conditional power to detain a person if there was reasonable cause to believe that the person was of hostile origin. Therein, Lord Atkin dissenting with the majority opinion stated in no unclear terms that power vested in the secretary of state was conditional and not absolute. When a conditional authority is vested in an administrative official but there aren’t any prescriptive guidelines for the determination of the preconditions, then the statute has the effect of vesting an absolute power in a delegated official. This view was also upheld by the Supreme Court in State of Madhya Pradesh v. Baldeo Prasad.[16] The court was of the opinion that a statute must not only provide adequate safeguards for the protection of innocent citizens but also require the administrative authority to be satisfied as to the existence of the conditions precedent laid down in the statute before making an order. If the statute failed to do so in respect of any condition precedent then the law suffered from an infirmity and was liable to be struck down as invalid.[17] The question of the existence of public emergency, therefore being left to the sole determination of an administrative official is an absolute and arbitrary power and is ultra vires the Constitution

Interestingly, in its original unamended form, §5 contained a provisio stating that a determination of public emergency was the sole authority of the secretary of state and such a finding could not be challenged before a court of law. It is this provision that the government repealed through the Telegraph (Amendment) Act of 1981 to bring it in line with Constitutional principles. The preceding discussion shows that the amendment did not have the effect of rectifying the law’s constitutional infirmities. Nonetheless, the original Telegraph Act and its subsequent amendment are vital for understanding the compatibility of surveillance standards with the Constitutional principles. The draconian provisio in the original act vesting absolute powers in an administrative official illustrates that the legislative intent behind the drafting of a 130 year law cannot be relied on in today’s context. Vague terms like public emergency that have been thoughtlessly adopted from a draconian law find no place in a state that seeks to guarantee to its citizens rights of free speech and expression.

Conclusion

Interception of communications under the Telegraph Act and the Indian Post office act violate not only one’s privacy but also one’s freedom of speech and expression. Besides, orders for the tapping of telephones violate not only the privacy of the individual in question but also that of the person he/she is communicating with. Considering the serious nature of this breach it is absolutely necessary that the powers enabling such interception are not only constitutionally authorised but also adequately safeguarded. The Fundamental Rights declared by Article 19(1) cannot be curtailed on any ground outside the relevant provisions of Cls. 2-6.[18] The restrictive clauses in Cls. (2)-(6) of Article 19 are exhaustive and are to be strictly construed.[19] Public emergency is not one of the conditions enumerated under Article 19 for curtailing fundamental freedoms. Moreover, it lacks adequate safeguards by vesting absolute discretionary power in a non-judicial administrative authority. Even if one were to ignore the massive potential for misuse of these powers, it is difficult to conceive that the interception provisions would stand a scrutiny of constitutionality.

Over the course of the last few years, India has been dangerously toeing the line that keeps it from turning into a totalitarian surveillance state. [20] In 2011, India was the third most intrusive state[21] with 1,699 requests for removal made to Google; in 2012 that number increased to 2529[22]. The media is abuzz with reports about the Intelligence Bureau wanting Internet Service Providers to log all customer details [23] and random citizens being videotaped by the Delhi Police for “looking suspicious.” It becomes essential under these circumstances to question where the state’s power ends and a citizens’ privacy begins. Most of the information regarding projects like the CMS and the CCTNS is murky and unconfirmed. But under the pretext of national security, government officials have refused to divulge any information regarding the kind of information included within these systems and whether any accountability measures exist. For instance, there have been conflicting opinions from various ministers regarding whether the internet would also be under the supervision of the CMS [24]. Even more importantly, citizens are unaware of what rights and remedies are available to them in instances of violation of their privacy.

The intelligence agencies that have been tasked with handling information collected under these systems have not been created under any legislation and therefore not subject to any parliamentary oversight. Attempts like the Intelligence Services (Powers and Regulation) Bill, 2011 have been shelved and not revisited since their introduction. The intelligence agencies that have been created through executive orders enjoy vast and unbridled powers that make them accountable to no one[25]. Before, vesting the Indian law enforcement agencies with sensitive information that can be so readily misused it is essential to ensure that a mechanism to check the use and misuse of that power exists. A three judge bench of the Supreme Court has recently decided to entertain a Public Interest Litigation aimed at subjecting the intelligence agencies to auditing by the Comptroller and Auditor General of India. But the PIL even if successful will still only manage to scratch the surface of all the wide and unbridled powers enjoyed by the Indian intelligence agencies. The question of the constitutionality of interception powers, however, has not been subjected to as much scrutiny as is necessary. Especially at a time when the government has been rumoured to have already obtained the capability for mass dragnet surveillance such a determination by the Indian courts cannot come soon enough.

[1] Indian Post Office Act, 1898, § 26

[2] Indian Telegraph Act, 1885 § 5(2)

[3] PUCL v. Union of India, AIR 1997 SC 568

[4] Govind vs. State of Madhya Pradesh, (1975) 2 SCC 148

[5] Malak Singh vs. State Of Punjab & Haryana, AIR 1981 SC 760

[6] Supra note 3

[7] Law Commission, Indian Post Office Act, 1898 (38^th Law Commission Report) para 84

[8] ibid

[9] id

[10] Lok Sabha Debates , Minister of Communications, Shri H.N. Bahuguna, August 9, 1972

[11] The Constitution of India, Article 358- Suspension of provisions of Article 19 during emergencies

[12] Lok Sabha Debates , Minister of Communications, Shri H.N. Bahuguna, August 9, 1972

[13] Hukam Chand v. Union of India, AIR 1976 SC 789

[14] ibid

[15] Liversidge v. Anderson [1942] A.C. 206

[16] State of M.P. v. Baldeo Prasad, AIR 1961 (SC) 293 (296)

[17] ibid

[18] Ghosh O.K. v. Joseph E.X. Air 1963 SC 812; 1963 Supp. (1) SCR 789

[19] Sakal Papers (P) Ltd. v. Union of India, AIR 1962 SC 305 (315); 1962 (3) SCR 842

[20] See Notable Observations- July to December 2012, Google Transparency Report, available at http://www.google.com/transparencyreport/removals/government/ (last visited on July 2, 2014) (a 90% increase in Content removal requests by the Indian Government in the last year)

[21] Willis Wee, Google Transparency Report: India Ranks as Third ‘Snoopiest’ Country, July 6, 2011 available at http://www.techinasia.com/google-transparency-report-india/ (last visited on July 2, 2014)

[22] See Notable Observations- July to December 2012, Google Transparency Report, available at http://www.google.com/transparencyreport/removals/government/ (last visited on July 2, 2014) (a 90% increase in Content removal requests by the Indian Government in the last year)

[23] Joji Thomas Philip, Intelligence Bureau wants ISPs to log all customer details, December 30, 2010 http://articles.economictimes.indiatimes.com/2010-12-30/news/27621627_1_online-privacy-internet-protocol-isps (last visited on July 2, 2014)

[24] Deepa Kurup, In the dark about ‘India’s Prism’ June 16, 2013 available at http://www.thehindu.com/sci-tech/technology/in-the-dark-about-indias-prism/article4817903.ece

[25] Saikat Dutta, We, The Eavesdropped May 3, 2010 available at http://www.outlookindia.com/article.aspx?265191 (last visited on July 2, 2014)

For more details visit https://cis-india.org/internet-governance/blog/the-constitutionality-of-indian-surveillance-law

Cyber crimes shoot up 52% in India over last year

praskrishna — 2014-07-03T10:14:26Z

There has been a sharp increase in the incidence of cyber crime in the country. The number of cases registered in 2013 under the IT Act has gone up by 52 per cent to 4,192 as against 2,761 in the previous year.

The article by K.V.Kurmanath was published in the Hindu Businessline on July 2, 2014. Bhairav Acharya gave his inputs.

If you add the cases registered under the IPC, the total number of cyber crime cases crosses the 5,500-mark. Police across the country arrested 3,301 persons in connection with these cases.

Maharashtra and Andhra Pradesh (undivided) have topped the list with 681 and 635 cases respectively under the IT Act, both showing an almost 50 per cent growth in cyber crimes over the previous year. In the previous year, Maharashtra had registered 471 and Andhra Pradesh 429.

Cyber security experts have been cautioning people to be careful while using the Internet. Besides increasing the security of the networks they are using, users must be careful while engaging with strangers.

A recent Microsoft report said many customer infections involve users tricked to install secondary offers, indicating a shift in malware proliferation. According to the latest data provided by the National Crime Records Bureau, the official chronicler of crime in the country, cyber crime registered under the Indian Penal Code (IPC) has shown a much higher growth rate of 122 per cent in 2013 over the previous year’s figure. IPC cases went up to 1,316 in 2013 from 595 in the previous year. Maharashtra topped the list here too with the cops booking 226 cases in this category.

Wrong nomenclature?

Bhairav Acharya of the Centre for Internet and Society feels that the term cyber crime has not been defined well. “It is time we do away with the practice of calling any crime a ‘cyber crime’ just because the person who does it uses a computer,” he said.

“Instead, I think the term ‘cyber crime’ should only be used in relation to offences that can only be committed by using information and communications technology (ICT) such as the internet (which is comprised of the world wide web, email protocols, file transfer protocols, and more) as well as network infrastructure that is not the internet,” he said.

Hence, only if there is a direct causal link between the crime and ICT and network technology should a crime be called a cyber crime, Acharya says.

Other States with a high number of cases booked under the IT Act include Karnataka (513), Kerala (349), Madhya Pradesh (282) and Rajasthan (239). Gujarat showed a decline with the number coming down to 61 from 68 in the previous year.

For more details visit https://cis-india.org/news/the-hindu-business-line-july-2-2014-kv-kurmanath-cyber-crimes-shoot-up-in-india-over-last-year