We are anonymous, we are legion

Digital divide: Why Irom Sharmila can’t do an Anna

praskrishna — 2011-09-01T05:55:13Z

Irom Sharmila has been on hunger strike for 10 years to protest against military abuses, force-fed by tubes through her nose. But the tragedy for the world’s longest hunger strike is that she is on the wrong side of India’s digital divide.

Twitter, Facebook and aggressive private TV have helped rally India’s biggest protests in decades to support civil activist Anna Hazare, a digital groundswell of a wired middle class that echoes the Arab Spring and has taken a Congress party-led government of elderly politicians by surprise.

But Sharmila, who has been on a hunger strike in the northeastern Manipur state to demand an end to the army’s sweeping emergency powers there, has only managed a small following, a footnote in media coverage.

“We also once tried to take our fight to New Delhi … but we did not get support from the rest of the nation,” Sharmila told Tehelka magazine.

She must be frustrated. The Hazare phenomenon has rallied Indians from the start with social media. Hazare’s India Against Corruption website says it has had 13 million phone calls of support. Its Facebook page has nearly 500,000 “likes”.

Its leaders have tweeted each step of the whirlwind crisis, whether describing their arrests in real time or negotiations with the government, outmanoeuvring Prime Minister Manmohan Singh and his ministers at every step.

“Protest at PM’s residence: 35 people detained, taken to Tughlaq Rd. PS, hundreds still there, come if you can #Janlokpal,” twitter user @janlokpal sent its followers in just one example of how the movement was rallying support.

Cases like Sharmila expose the digital divide of Asia’s third-largest economy and underscore how a growing urban middle class may be getting its political voice heard while millions of poor remain off the digital protest map.

In response to Anna’s invitiation to join the anti-corruption movement, Sharmila said "Please try to reach the concerned legislators (read authorities) to let me get free, like yours, to join your amazing crusade to root out corruption."

She added that ” I cannot get the advantage of exercising my non-violent protest for justice against my concerned authority as a democratic citizen of a democratic country, unlike your environment. This is the problem I cannot understand.”

"This is the first time digital social media has resonated with such a large number of people," said Nishant Shah, head of research at the Centre for Internet and Society think-tank.

"But this is far more of a middle class, urban movement, than a national movement. Many people in India are excluded from it."

Twitter and Facebook are barely used in many of India’s social causes, including battles over land rights that are one of India’s most pressing problems involving millions of farmers.

Huge social issues in India, from caste discrimination to high food prices, from the building of dams to protests by farmers against nuclear power plants, have failed to create the kind of digital mobilisation that Hazare enjoys.

Digital Divide

India’s internet users have grown 1,400 percent between 2000 and 2010, behind only China and Vietnam among Asian countries, according to a report by Burson-Marsteller, a consulting firm. But that masks India’s low base. Internet penetration is around 8 percent in India, the lowest among major Asian countries.

That compares with nearly 40 percent in China. Out of a population of 1.2 billion, there are only 29 million people active in digital social networks. A report by Maplecroft consultancy warned that India was lagging other BRICs, Brazil, China and Russia in “digital inclusion”.

"India, for example, the wealthier, more affluent segment of the population, primarily based in urban areas, has embraced the use of modern communications technology,” the report said. “The vast majority of the population has, however, been excluded from this process."

Those statistics highlight that while the middle class has found a voice, electorally the centre-left Congress party will still need to pander to its traditional vote base of millions of farmers and poor Indians ahead of a 2014 general election.

Congress, in power for most of the life of independent India, has failed to use social media tools. One minister lost his job for tweeting too frankly, in a sign of government unease over the web, and the party lags behind an opposition that has embraced Twitter.

Libya overshadowed

So far, private TV channels have provided 24-hour coverage of the protests— the news from Libya is hardly to be seen. Urban Indians with mobile phones in hand have dominated rallies in the open grounds where Hazare was on his second week of fasting.

Small protests across the country, from demonstrations outside ministers’ houses to rallies outside metro stations, have been organised through Twitter and Facebook.

An app that can be downloaded on to smartphones running the Android operating system gives users the latest news on the campaign for a tough “Jan lokpal”, or anti-corruption bill, and details of the latest meetings.

Watch video: A group of people who came together on facebook reached the Ramlila Maidan to show solidarity with Anna Hazare.

"Social media has been huge for us, it has a life of its own," said Shazia Ilmi, in charge of Hazare media strategy.

Even before Hazare was arrested last week, organisers had prepared a pre-recorded video from him that went on YouTube.

The movement does have deep roots and social media has widened the protests, if not caused them. Many of Hazare’s protests have also been through word of mouth. Corruption also affects the poor more than middle classes with endemic bribes, whether permission for street food stands or driving licences.

"It’s not an up and down, national movement. It is largely a middle class cause," said Sagarika Ghose, a novelist and journalist at the CNN-IBN news television channel. "But it’s hugely important one. For a younger generation, corruption has become a catch-all phrase for the failure of development."

Some activists are already criticising Hazare as a hype of an elitist social media.

"Those thronging the Ramlila grounds or marching in support of Anna in the metros are not necessarily 'the people' of the country, and it is dangerous to take the two as identical," academic Prabhat Patnaik wrote in The Hindu newspaper.

You can view Irom Sharmila’s reply to Anna’s invitation below

Irom Sharmila Letter to Anna Hazare

This article was published in FirstPost.Ideas on 25 August 2011. The original story can be read here.

For more details visit https://cis-india.org/news/digital-divide

When revolutions go viral

praskrishna — 2011-09-01T04:46:38Z

Thanks to Facebook and Twitter, the urban Indian youth, famously detached from the goings-on in the country, came out on the streets to support the anti-corruption movement - not only here but abroad as well. TOI-Crest looks at the anatomy of a modern protest movement.

I try to change my display picture, update my BBM status and send out a tweet as often as possible. I feel like I really need to do my bit for the country, " a college student was overheard saying outside Mumbai's Azad Maidan where protests against the anti-corruption movement are still under way. Once used to reconnect with long-lost school friends or to post vacation pictures, social networking sites have surfaced as the new forum for political activism. The world's attention is now on the potential of the digital sphere in historical revolutions as witnessed in Egypt and Tunisia. Though set in a vastly different political context, and used to different ends, the power of social media to drive citizen action in India has become apparent as Team Anna's call to action resonates through the Internet.

From earlier this year at Jantar Mantar to the culmination of the protests when Anna Hazare became a household name, the anti-corruption movement has harnessed technology and social media tools to engineer large-scale protests. Not only has the movement deviated from traditional methods of mass mobilisation, but it has also brought young urban India into the fold of political activism. Ritesh Singh, a third-year computer science student at IIT Khargapur, created the 'India Against Corruption' Facebook page in December last year. Since then, the page has gathered more than four lakh supporters. There are also several regional chapters and over 150 unofficial Facebook pages devoted to Anna Hazare and India Against Corruption.

The 'Students Against Corruption' group has been encouraging students to use social media for the cause by sending out messages such as "Students should share and promote this page for the goodness (sic) of the nation . . . This is the thing dat we can do for our nation. . . This is wat India needs. . . Promote it, share it, blog it, discuss it . . . then feel the change. " Petitions, calls to action and encouragement to join Hazare's fast also became commonplace in the last three months. The blog post '10 Ways to Support Anna Hazare on Social Media' by social media manager Sorav Jain has been shared 256 times on Facebook.

Relying on symbolism such as Gandhian photographs and references to the freedom struggle, Team Anna has created a media phenomenon. Text messages such as 'Behri sarkar ko janta ki aawaz sunai nahi de rahi hain! Lets show ppls anger!' and 'ANNA ki aag shuru ho gayi hai, Inquilab Zindabad' have helped in creating mass support. Meanwhile twitter has been abuzz with dialogue, support and reactions to the protests, as Anna Hazare's campaign became the top trending topic in India over the past few weeks. While the image of Hazare meditating at Raj Ghat became iconic on August 15, 2011, Team Anna's voice was heard on the TV, on mobile phones, YouTube and even on T-shirts. Developers are in the process of launching an India Against Corruption game, India Against Corruption mobile applications, India Against Corruption browser toolbars and more.

Though digital activism is often criticised as passive armchair activism or slacktivism, the use of technology in organising social protests has brought a different kind of activist on the street: young, urban India. "It's not as if what is happening is new, but it is happening on an unprecedented scale, " says Nishant Shah, research director for the Centre for Internet and Society, Bangalore. "Traditional media has also done this in different ways, but in the past the protesters have been the disenfranchised. The use of social media has mobilised a new constituency - it has brought the urban middle class to the street. However, the use of such tools is producing a different kind of exclusion. There is a noticeable lack of poor urban people in the protests. This is not the representation of 1. 2 billion Indians as it is being made out to be. "

The use of social media has garnered support for Team Anna from the unlikeliest parts, catapulting 'India Against Corruption' (IAC) into a global phenomenon. Young Indians living in places like New York, Singapore, London and Hong Kong are tweeting, facebooking, organising and gathering to talk about Hazare and his cause. Some young professionals have even taken time off from their careers to fly down to India and physically support the cause.

Sunil Khaitan, an investment banker working with Deutsche Bank in Hong Kong flew down last Friday to attend the protests at the Ramlila ground and address the crowd at Mumbai's Azad Maidan. Khaitan, 28, is originally from Kolkata and graduated from IIM Bangalore in 2006. "I was involved in the Right to Information movement in 2005, have been in touch with Professor Trilochan Sastry at IIM Bangalore, and have been tracking this movement from the days of Jantar Mantar, " he says.

Khaitan is also active in the Hong Kong chapter of IAC, which organised a meeting on August 21, 2011, attended by over 300 people. "There is a clearly outlined process on the IAC website which tells you how to conduct a meeting, " says Khaitan. "As the news channels are not available in HK, so many people are not aware of the real cause. So we talked about the points of contention and showed videos with Arvind Kejriwal, Kiran Bedi and Hazare addressing the crowd. " He argues that harnessing social media has helped get people from different walks of life involved with the Hazare movement.

Social networking sites have also helped create a close-knit Indian community in Hong Kong. "Anna has also made a big point about the youth being present in the protests, and it is easier to connect with the youth through social media, " says Khaitan.

"Peer pressure also comes into the picture in that age group - people want to get involved to appear impressive to their friends. " But though technology has brought a new demographic of Indians into the realm of protest, it manifests its power through the oldest form of networking - word of mouth.

This article was published in the Times of India (Crescent Edition) on 27 August 2011, read the original story here

For more details visit https://cis-india.org/news/revolutions-viral

Net Gain

praskrishna — 2011-08-29T11:52:54Z

The draft Electronic Service Delivery Bill, 2011, is aimed at making government services available online. But there are many hurdles to bringing in effective e-governance, says Hemchhaya De

At a time when India is hotly debating the Lokpal Bill, another significant piece of legislation is about to make its way to Parliament this monsoon session. The government has mooted the draft Electronic Service Delivery Bill, 2011, to ensure that all ministries and government departments provide their services to citizens online.

The bill, drafted by the department of information technology (DIT) under the ministry of communication and information technology, could have far-reaching benefits for citizens. If implemented, one would no longer have to stand in long queues, make frequent trips to government offices and deal with red tape in order to procure even such basic documents as driving licences or land record copies.

Of course, the key question is whether the necessary infrastructure will be in place to allow citizens to access these services via the electronic mode. In a country where active Internet user penetration in rural areas is as low as 2.13 per cent, the feasibility of e-governance depends on the state providing enough number of access centres.

E-governance is not a completely new concept in India. The Centre laid down an ambitious National e-Governance Plan (NeGP) in 2006 and roped in industry bodies like Nasscom to facilitate the delivery of e-services. According to a Nasscom report, there has been substantial progress in NeGP. Of the 1,100 services targeted under the plan, over 600 services in both government-to-citizen (G2C) and government-to-business (G2B) domains across central ministries and state departments can now be accessed electronically.

However, many experts feel that the NeGP has not lived up to its promise. "Progress in NeGP has been slow," says Subhash Bhatnagar, honorary adjunct professor at IIM, Ahmedabad, and member of the steering committee of the 12th Five Year Plan (2012-17) for the communication and IT and information sector.

That said, some states have been running successful e-government projects. “Take Karnataka’s online delivery and management of land records,” says Bhatnagar. “The online system offers services to ordinary people on a first-come, first-served basis without subjecting them to the whims and fancies of babus.”

However, Karnataka is an exception rather than the rule and many states are lagging behind when it comes to extending e-governance. “IIM, Ahmedabad, carried out an e-governance impact assessment study in 12 states. West Bengal is one state which hasn’t fared well and it figures in the bottom half of the list,” reveals Bhatnagar.

The draft Electronic Service Delivery Bill aims to exert pressure on states and government departments to fully automate or computerise their services to citizens. Crucially, it sets a clear time limit for delivering online services. The bill says, “every competent authority of the appropriate Government” is required to publish or specify the services that will be digitised within six months from the commencement of the law. “If there’s any delay, departments have to explain it in writing,” says a senior official of the DIT who does not wish to be named.

The bill further mandates that all public services should be delivered in electronic modes within five years from the commencement of the law. This period may be extended by not more than three years.

In addition to a grievance redressal mechanism, the bill proposes setting up a Central Electronic Service Delivery Commission to enforce the provisions of the law. The commission should comprise a central chief commissioner and not more than two central commissioners — all of whom shall have “worked as secretary or equivalent level… either in the central government or in the state government”.

Many experts feel that the proposed legislation is a step in the right direction. “The bill will reduce red tape and promote efficient services in various government departments,” says Payal Chawla, partner, Hemant Sahai Associates, a Delhi-based law firm. “The time limit of five years with an extension of a maximum of three years to bring all the services in the purview of the legislation is well-intended.”

Agrees Sunil Abraham, executive director, Centre for Internet and Society (CIS), a Bangalore-based organisation which carries out research in IT. “The bill ensures that government departments publicly commit to Service Level Agreements (SLAs) and demonstrate compliance to these SLAs,” he says. “Like the RTI Act, there is an office of the central chief commissioner which can penalise officials who don’t provide electronic services or comply with their own SLAs.”

But others argue that the bill is too open-ended. “I’d have liked to see the services specified clearly,” says Neel Ratan, executive director, PricewaterhouseCoopers. “Just starting an e-service isn’t enough — the quality or level of performance of the service needs to be ascertained as well. The bill seems to be silent on how quality can be ensured.”

Bhatnagar too feels that the draft bill should have first clearly defined what “electronic service delivery” is all about. All it says is “electronic service delivery means the delivery of services through electronic mode including, inter alia, the receipt of forms and applications, issue or grant of any licence, permit, certificate, sanction or approval and the receipt or payment of money”.

However, electronic delivery of services should encompass all end-to-end steps necessary for delivering the service, points out Bhatnagar. “Receiving an application, receiving supporting documents, receiving payment of various fees, issue of licence/receipts/certificates/ documents such as ration cards and passports and payment of dues to citizens should be web enabled. Citizens who wish to carry out the transaction through a portal without having to visit a government office should be able to do so,” he says.

Furthermore, says Bhatnagar, government agencies should ensure that every citizen has access to a public service delivery centre (government owned or private) from where he or she can access such services. And a person shouldn’t have to travel more than 10km to access these services.

Experts say there are several hurdles to e-governance in India. “The domestic IT industry has not focussed on this important market and services have been decentralised without ensuring common standards. So different states may be using different software, which can make the whole system messy and lead to uneven and poor quality projects,” says Abraham of CIS. “We are still very far away from the sophistication of G2C and G2B systems currently deployed in many Western countries.”

In sum, enacting a law to bring in complete e-governance may not be enough. Without the necessary investment in the country’s technology infrastructure, the initiative, however well-intended, may never truly get off the ground.

Graphic by Mantashir Iqbal Shaikh

This article by Hemchhaya De was published in the Telegraph on 24 August 2011. The original can be read here

For more details visit https://cis-india.org/news/net-gain

Prime Security: The Mathematics of RSA Encryption

elonnai hickok — 2011-09-22T07:13:19Z

Based on simple properties of prime numbers, RSA encryption protects our money and digital identity. But how does it actually work? The Centre for Internet and Society invites you to a one-day workshop by Rohit Gupta on 9 September 2011.

Workshop

As remarked by one of its inventors, RSA is the scheme that "protects 95 per cent of the electronic commerce in the world". The recent breach of 40 million RSA Secure ID tokens ( widely used in Bangalore ) makes this an urgent issue. Apart from the proposed use of 2048-bit RSA keys in the UIDAI project by the government of India, we unknowingly use this algorithm every time we use a credit card, ATM or provide any kind of digital authentication.

Surprisingly enough, to understand the basic mechanism one need not have any more mathematical background than high school - the concept of prime numbers. From that basic knowledge this hands-on workshop will show the way RSA works in reality, under the hood in most networks, computers and smart devices. We will focus on the core mathematical idea rather than any specific software implementations.

For more information, please click here.

Convener:

Rohit Gupta is a mathematician working in the area of 'group theory' which is a fundamental part of physics, puzzles and cryptography. He is also a columnist for the Sunday Guardian and tweets as @fadesingh.

Registration:

The fees for the workshop ( Rs. 1500/- per person, cash only) is to be paid on arrival at the venue. No prior registration is required but the seats are limited to 15-20 people. Everyone who is interested is welcome.

Workshop Schedule:

Session I:

11.30 a.m. to 1:00 p.m.

Lunch:

1:00 p.m. to 2.30 p.m.

Session II:

2.30 p.m. to 4.00 p.m.

VIDEO

For more details visit https://cis-india.org/internet-governance/events/workshop-rsa-encryption

August 2011 Bulletin

praskrishna — 2012-08-13T05:13:23Z

Greetings from the Centre for Internet and Society! In this issue we are pleased to present you the latest updates about our research, upcoming events, and news and media coverage:

Researchers@Work

RAW is a multidisciplinary research initiative. To build original research knowledge base, the RAW programme has been collaborating with different organisations and individuals to focus on its three year thematic of Histories of the Internets in India. Five monographs: Re: Wiring Bodies by Asha Achuthan, Archive and Access by Aparna Balachandran and Rochelle Pinto, Porn: Law, Video, Technology by Namita Malhotra, The Last Cultural Mile by Ashish Rajadhyaksha and Internet, Society and Space in Indian Cities by Pratyush Shankar were officially launched at the Locating Internets: Histories of the Internet(s) in India — Research Training and Curriculum Workshop in Ahmedabad.

Workshop organised in CEPT, Ahmedabad

Locating Internets: Histories of the Internet(s) in India — Research Training and Curriculum Workshop: Call for Participation [19 to 22 August 2011]

Digital Natives with a Cause?

Digital Natives with a Cause? is a knowledge programme initiated by CIS and Hivos, Netherlands. It is a research inquiry that seeks to look at the changing landscape of social change and political participation and the role that young people play through digital and Internet technologies, in emerging information societies. Consolidating knowledge from Asia, Africa and Latin America, it builds a global network of knowledge partners who want to critically engage with the dominant discourse on youth, technology and social change, in order to look at the alternative practices and ideas in the Global South. It also aims at building new ecologies that amplify and augment the interventions and actions of the digitally young as they shape our futures.

Featured Research

Between the Stirrup and the Ground: Relocating Digital Activism (This paper by Nishant Shah and Fieke Jansen was published in Democracy & Society, a publication of the Center for Democracy and Civil Society, Volume 8, Issue 2, Summer 2011).

Accessibility

Estimates of the percentage of the world's population that is disabled vary considerably. But what is certain is that if we count functional disability, then a large proportion of the world's population is disabled in one way or another. At CIS we work to ensure that the digital technologies, which empower disabled people and provide them with independence, are allowed to do so in practice and by the law. To this end, we support web accessibility guidelines, and change in copyright laws that currently disempower the persons with disabilities.

Interview

An Interview with David Baines (Maureen Agena interviewed David Baines of Mada Centre for Assistive Technology in Khattar).

Access to Knowledge

New Blog Entry

Govt for Legalising Parallel Import of Copyright Works; Publishers Oppose

Openness

CIS believes that innovation and creativity should be fostered through openness and collaboration and is committed towards promotion of open standards, open access, and free/libre/open source software.

Featured Research

Call for Comments on Draft Report on Open Government Data in India (v2) (Nisha Thompson has updated the Open Government Data Report prepared by CIS last year including additional case studies and the National Data Sharing and Accessibility Policy).
Open Access to Scholarly Literature in India: A Status Report: Call for Comments (The report has been prepared by Prof. Subbiah Arunachalam and Madhan Muthu. It surveys the field of scholarly and scientific publication in India and provides a detailed history of the open access movement in India).

Internet Governance

Although there may not be one centralized authority that rules the Internet, the Internet does not just run by its own volition: for it to operate in a stable and reliable manner, there needs to be in place infrastructure, a functional domain name system, ways to curtail cyber crime across borders, etc. The Tunis Agenda of the second World Summit on the Information Society (WSIS), paragraph 34 defined Internet governance as “the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.” Its latest endeavour has resulted into these:

New Blog Post

Bye Bye email? (Email might be the default method of communication for most of us, but could it be going the telegram way, writes Nishant Shah. The article was published in the Indian Express on August 21, 2011).

Public Lecture

The Mirror in the Enigma: How Germany lost World War II to a Mathematical Theorem (Rohit Gupta gave a lecture at CIS on August 12, 2011).

CIS is doing a project, ‘Privacy in Asia’. It is funded by Privacy International (PI), UK and the International Development Research Centre, Canada and is being administered in collaboration with the Society and Action Group, Gurgaon. The two-year project commenced on 24 March 2010 and will be completed as agreed to by the stakeholders. It was set up with the objective of raising awareness, sparking civil action and promoting democratic dialogue around challenges and violations of privacy in India. In furtherance of these goals it aims to draft and promote over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.

Featured Research

IP Addresses and Expeditious Disclosure of Identity in India (Prashant Iyengar reviews the statutory mechanism regulating the retention and disclosure of IP addresses by Internet companies in India and provides a compilation of anecdotes on how law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes).

New Blog Entries

Whole Body Imaging and Privacy Concerns that Follow (by Elonnai Hickok)
Financial Inclusion and the UID (by Elonnai Hickok)
CCTV in Universities (by Merlin Oommen)
Re-thinking Key Escrow (by Natasha Vaz)

Event Report

Privacy Matters, Chennai – the event was organised by IDRC, Society in Action Group, Madras Institute of Development Studies, Consumer and Civic Action Group, Privacy India and CIS on August 6, 2011.

News & Media Coverage

Net Gain [The Telegraph, 24 August 2011]
IISc students boycott UID, don’t want Big Brother to keep watch [Bangalore Mirror, 23 August 2011]
In the Right Circle [Indian Express, 24 July 2011]
The Siege of Android: How Google Lost The OS War [Business.in, 17 August 2011]
The Unsocial Network [Mail Today, 14 August 2011]
Hazare 'clicks' with city techies [India, 18 August 2011]
Govt wants to monitor Facebook, Twitter [Times of India, 8 August 2011]
Nothing unique about this identity [Deccan Chronicle, 5 August 2011]
Tired of tele-marketing calls? Act on privacy right: Experts [Times of India, 7 August 2011]
When Knowledge Isn’t Written, Does It Still Count? [New York Times, 7 August 2011]
Indian super-cops now patrol the www highway [Hindustan Times, 6 August 2011]
Better Understanding of the Idea of Privacy Sought [Hindu, 7 August 2011]
Converting Indian Slacktivists Takes (Offline) Time [Wall Street Journal, 2 August 2011]

Follow us elsewhere

Get short, timely messages from us on Twitter
Follow CIS on identi.ca
Join the CIS group on Facebook
Visit us at www.cis-india.org

CIS is grateful to Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/august-2011-bulletin

IISc students boycott UID, don’t want Big Brother to keep watch

praskrishna — 2011-08-23T08:24:14Z

The programme doesn’t have statutory backing. It is still in parliament

Nandan Nilekani may be Bangalore’s blue-eyed boy making waves at the national level with his Unique Identification Number (UID), but there’s one part of the city that’s not impressed: A section of students and faculty of Indian Institute of Science (IISc).

While many Bangaloreans have started enrolling for UID, the students are in boycott mode and say they will never do so.

Professor Shiv Sethi, astrophysics department, Raman Research Institute, said, “They (the authorities) have moved faster than us by starting the enrolment. It was during the discussion phase that we tried to impress upon them the loopholes of UID. Now that they have started the enrolment, it’s our turn to protest. We will meet and discuss with other like-minded people.”

IIScians say they don’t want to be under surveillance and that they are not comfortable with giving away their personal details since studies have proved how unsafe electronic data can be. The programme has been scrapped in the UK, they said.

In fact, when Nilekani visited IISc a few months back to deliver a lecture, the anti-UID group protested with placards and banners that read, ‘Beware, Big Brother is watching you’ and ‘Secure electronic archive is a myth’.

And now, apart from not signing up, some students are even considering burning copies of UID forms, a la team Anna burning copies of the draft Lokpal bill.

Prathamesh, a scholar, said: “UID is not going to solve problems of leakages. The government should universalise the PDS system to control misuse of subsidised foodgrain that find their way to restaurants. The project is fraught with loopholes and doesn’t have statutory backing. I will burn copies of the forms.”

Prathamesh added that the UID project was the brainwave of software companies who do not have a regular stream of revenue.

Even IISc alumni are putting up a fight. One of them who participated in the protest said, “I will not register. The programme does not have statutory backing. It is still in parliament. First, they said it was voluntary. Now, they are trying to link it to banks, LPG connections and other utilities.”

Sethi added, “A few people have approached the court. We will decide the next course of action.”

There are others who have doubts. Consumer activist Chandrasekhar of Malle-swaram feels that he needs to clarify all his doubts before enrolling. “I spoke with the officials. They told me it was voluntary. But now, it looks like they are linking it with other utilities.”

Nishant Shah, director, research, Centre for Internet Society, said, "We need to check for three issues: data retention, data protection and data privacy. Only after these issues are resolved can we have a UID for every citizen."

This article by Sameer Ranjan Bakshi was published in the Bangalore Mirror on August 23, 2011. The original story can be read here.

For more details visit https://cis-india.org/news/iisc-students-boycott-uid

In the Right Circle

praskrishna — 2011-08-23T07:40:57Z

I’ve been on Google Plus for a few weeks now. In the beginning, it felt like showing up early at a much-talked-up party. There was a small scatter of people, poking around, examining the place, making preliminary conversation with the few others they knew. Most of the talk was, unsurprisingly, about Google Plus.

Unlike the crash-bang disaster of Google Buzz, its awkward attempt at social networking that alienated most users by publicly exposing their contact list, and then proceeded from error to error, Google Plus has been a low-key, careful affair.

In the first two weeks, Google calibrated entry, depending on its capacity — letting early adopters and "power users" examine the platform and tell them what’s missing, and what works.

Google Plus mimics the real world, where people interact in clusters, and relate outwards in concentric circles of trust, rather than Facebook’s megaphone model. You drag and drop people into different circles, and can either mark individual posts to specific circles and combinations (‘family’ ‘college buddies’, ‘artsy types’), or make them public to everyone. You can catch up on these circles separately, and toggle between your many worlds, or choose to read the great river of updates on your “public" stream. Google Plus shows you a civilised way of arranging your acquaintances, avoiding that playground-level, plaintive, Facebook question: "why am I in your limited profile?"

In concept, Facebook also lets you slice your social world with friend lists, but it’s a tedious labour that few have undertaken. Design is everything — and Facebook was clearly not built for such fine-grained customisation, because everything about its default settings pointed the other way. In fact, its young CEO Mark Zuckerberg seemed to think an attachment to privacy was some faintly embarrassing, vestigial trait — the sooner we accept its obsolescence, the better.

Facebook has a remarkably flat view of friendship. If your Facebook friends are too wide and various, it can make you clam up, conscious of what a few people might think. Most people, as social media scholar danah boyd has noted, tend to focus on a part of their network, mentally blocking out the rest.

"I’d like to have separate interactions with my mother, my friends, my students and my university colleagues without bombarding my colleagues with my vacation pictures or boring my mother with research chatter," says Mallesh Pai, an academic who works on the economics of the internet. "Plus actually lets me do that."

Facebook works with the fiction that there is a single self you present to the world – while, in fact, you are a posse of selves. You might be the naïve seeker in some contexts, the voice of authority in others. In the real world, you read others by their voice and expression, factor in their situations, and modulate your own speech accordingly. But in Facebookland, you talk at an invisible audience. The problem of “collapsed contexts”, and the anxiety of audience is Facebook’s most obvious flaw, and Google Plus has focused squarely on that aspect. It obviously works best for those who are acutely aware of social role-play and judgment. Many people may claim not to care about finessing their personalities to different audiences, or see the point of migrating to a new platform —but once you wrap your head around the rich, real-world aspect of Google Plus, it’s hard to imagine why you’d want to stay on Facebook.

But it’s not just Facebook that Plus directly takes on — Twitter could also take a direct hit. The “following” circle lets you add people you don’t know personally, and see all their public posts. “Sometimes, it’s weird to realise you’re being followed by so many people you don’t know, but like on Twitter, it seems like too much effort to edit the list. Thankfully, there aren’t any spambots on Plus yet,” says Pranesh Prakash, a lawyer and policy advocate at the Bangalore-based Centre for Internet and Society. There’s no arbitrary 140-character limit, and there are coherent threads of conversation — in fact, the level of visible engagement on Plus makes Twitter look like “a boring RSS reader”, as someone observed.

Apart from the Facebook and Twitter-type uses, Google Plus comes with a standout feature that’s all its own: Hangouts, spontaneous video chatting with up to 10 people. You start a hangout, and anyone may drop in to talk for a bit. “It’s trying to replicate the sort of gathering you have in a coffee shop, just drop in and chat about the news or whatever,” says Pai. It’s so obviously useful that Dell is reportedly considering dropping traditional customer service calls and choosing to hang out with Google instead. Yes, Facebook has recently teamed up with Skype in a self-declared "awesome" move — but Skype still makes you pay for multi-way video conferencing, and doesn’t offer the serendipitous pleasures of Hangout yet.

Then there is Sparks, Google Plus’s attempt to push the right content at you – you pick from a variety of interests, and Google supplies a steady scroll of interesting links. Given how much info the company has on people, Sparks could become eerily spot-on.

In fact, the chief problem with Google Plus may be that it tries to cram in too much, leaving users overwhelmed. The bewildering array of buttons and options may put off some, and right now, it’s difficult to control the signal-to-noise ratio. “It’s definitely not as over-complicated as Google Wave, which nobody could really figure out” says Pai. “And honestly, it would be difficult to imagine the kind of functionality that Plus provides being delivered in any other way.” Then there are some who are sceptical of Circles — saying that greater granularity isn’t going to take away the dilemmas of talking to a group. They predict that once the novelty wears off and Google Plus expands, you’ll be struggling to edit and divide your circles, and to pitch yourself right.

So will Google Plus lure 750 million-plus Facebook and Twitter users away? "Don’t underestimate Facebook’s network benefits," says Prakash. “When I first went online in 1996, the first thing to do was to create an email address. Now the first thing that people do to mark an online entry is to create a Facebook account”.

Besides, Google may not want to supplant Facebook as much as master an arena it has so far sucked at – the social world. As Pranesh Prakash says, “it’s not about competition with Facebook, as much as trying to improve Google’s own services, bring them together into a seamless whole and better understand its users.” Making social life machine-readable would obviously be the next big jackpot for Google, and it appears determined to invest the time, resources and effort to getting it exactly right. As Shimrit Ben-Yair, product manager of the social graph at Google told Wired magazine’s Stephen Levy, Google Plus could be a revolutionary service if it hits the sweet spot between Facebook oversharing and Twitter undersharing.

Besides, most would agree that a spot of vigorous competition would be good for Facebook, which has played fast and loose with privacy policy — changing its defaults, and then reacting to the outcry that follows. "For too long, it was the only game in town. Facebook has innovated more in the three weeks that Plus has been around, than in a lon time," says Pai.

So far, Google Plus has been extra-solicitous of privacy, and adjusted on the fly to field testers’ feedback. It has jumped to attend to mistakes – like responding to complaints that a user’s gender should not be publicly available. When someone pointed out that even limited posts could be reshared by others, that technical hole was immediately plugged. "It’s very heartening to see that they’ve learnt from the mistakes of Facebook and Buzz," says Prakash. Unlike Facebook’s possessiveness about your information and pictures, Google’s Data Liberation policy is explicitly committed to letting you erase all personal traces whenever you want, and free yourself from any product.

But as Prakash cautions, "Google may not have a coherent view of privacy across all its products — for all Google Plus’s delicacy and tact, Google Street View may have different ideas about what is acceptable." There are many who find it unnerving that a revenue-driven, publicly traded company should be the master switch of our information economy. Given Google’s girth and dominance, competitors can’t realistically wrest attention away, after a certain point.

"Google is bigger because it’s better and better because it’s bigger", writes Siva Vaidyanathan in The Googlization of Everything. Google Plus, then, marks another large advance in the company’s stated mission to organise the world’s information. Even Pai admits that “if a new mail application came along, it would have to offer so much more than Google for me to consider shifting – given how Gmail does everything, syncs my calendar, knows my friends." But then again, he says, “Let’s judge Google not on what we think it is, but what it does. Everything that’s too big in a bad way, even those considered invincible, gets stopped eventually. Right now, I’m reading about Murdoch’s undoing with great glee – a few weeks back, who would have imagined that?"

This article by Amulya Gopalakrishnan was published in the Indian Express on July 24, 2011. The original story can be read here

For more details visit https://cis-india.org/news/right-circle

Bye Bye email?

nishant — 2011-08-23T07:31:51Z

Email might be the default method of communication for most of us, but could it be going the telegram way.

I grew up with the internet in India. I remember the first time I heard the strange and harsh sounds of a dial-up modem back in 1996 and my friend helping me create an email account. It was my first digital identity online — a name and an address to call my own. Cost of internet access was prohibitive and email time was limited to 15 minutes a day. One logged in, downloaded all the emails and immediately disconnected. After reading through the emails off-line, I would write down the replies to all the mails, go online again, send all the mails and then wait for the next day, so that I could see what was in store for me in my inbox.

The World Wide Web has changed a lot since those first interactions with email, on black-and-white monitors. Speed, portability, access and costs have changed the nature of the Net, which is slowly becoming ubiquitous. Trends and fashions of social interaction and information exchange have changed drastically. From social media to professional networking, from discussion boards to micro-blogs, from geo-tagged services to mobile phone-based apps, the topography of the internet has undergone drastic revisions. However, the one thing that has remained constant is the email.

Sure, the email in itself has changed in texture and volume. The emailing services from the early days of AOL to the current trends of Gmail and Facebook messages, have been the backbone of Web 2.0. You needed an email as the primary identity to remain connected with social media, blogs, news services and indeed, with other friends and peers using emails. Notification on the email, for me, is still the primary gateway to the many digital worlds that I occupy, including gaming, digital networks, reading lists et al. For most people who grew up with me, email was here forever.

This faith in the email as the spine of the internet received a rude jolt when I was recently in Mumbai, working with undergraduate students, exploring relationships between digital technologies and social justice. The workshops spanned six days, and looked at how young people from socially and economically disadvantaged classes and communities could use the powers of digital and participatory technologies to effect a change in their environments. Our role as facilitators was to introduce them to new usages of their existing practices and show them the potential for social transformation and civic action in their everyday use of technology. We began, like Maria, in The Sound of Music, at the very beginning — with the email. Which is when the world started unravelling, because, as the participants in the workshop pointed out, email is a thing of the past.

I was suddenly faced with a group of urban youngsters who are all a part of the digital revolution, using Facebook, writing blogs, searching for information online, and keeping in touch through Voice over IP services and Instant Messenger. Their access is through shared public access in college libraries and cybercafés, and for many, also on their smartphones. They log in regularly into their various social media networks and use them for playing games, sending messages, chatting and updating their statuses. And yet, when it came to using the email, they were noobs, some of them didn’t remember their passwords, some had never sent an email, attachments were things they don’t understand and they logged in to their email only when necessary.

This behaviour perplexed me because I had always imagined that the otherwise ethereal world of the cyberspace was held together by the strong and dependable emails. But evidently, for the new kids on the block, email is something that belonged to the world before it went mobile. They do not understand the communication patterns that emails are structured around. The narrative expectations, waiting for replies, accessing it via services, archiving information through attachments are things that don’t make sense to this generation that is growing up with cloud computing. They use emails only as the first source of authentication for different services that demand it. And even there, as one of the students said, "You just need email to open your Facebook account. After that, you just F-connect".

As the interface between mobile phones and the internet strengthens, more and more users seem to be depending on phone-based communication methods. They accept the newer ways of messaging, like IMing, texting. But for digital dinosaurs like me, who were there at the beginning of (digital) time, the world is beginning to look slightly blurred. I shudder to think that in two decades, email might be obsolete because though I complain of information overload, I still cannot imagine what a world without email would look like.

This article by Nishant Shah was published in the Indian Express on August 21, 2011. The original story can be read here

For more details visit https://cis-india.org/internet-governance/bye-bye-email

Whole Body Imaging and Privacy Concerns that Follow

Srishti Goyal — 2011-09-29T05:38:00Z

Law student at the National University of Juridical Sciences, and intern for Privacy India, Srishti Goyal compares, contrasts, and critiques the Whole Body Imaging practices found in the US, the UK, and Australia, and makes recommendations for an Indian regime.

Introduction

Whole Body Imaging has been introduced in many countries in light of growing security concerns, two examples in particular being the attack on the twin towers in USA, and what is commonly known as the Christmas Bomb (A man by the name of Umar Farouk Abdulmutallab tried to detonate a bomb on a flight from Amsterdam as it was about to land in Detroit.) Despite the security concerns that have motivated the implementation of Whole Body Imaging, there are also many concerns that have prevented the full fledged application of this technology. Opponents to the technology have stated that the full body scanner would expose travelers to harmful radiation and is thus a health hazard. Others have stated that these digital strip searches (as they are popularly known) will violate child pornography laws. Some, who are trying to encourage the use of full body scanners, are of the opinion that it is better to opt for a whole body scan as the “pat down” searches are more invasive in nature. There are also the concerns that persons may be singled out on the basis of their color and ethnicity. The scope of research for this particular paper is limited to the extent of the privacy concerns that have arisen in light of the use of the technology in order to achieve better security. The question that forms the crux of the debate is: should ones personal privacy be compromised in order to ensure security for one and all? The primary reason why whole body scanners are said to breach privacy is because of the invasive nature of the images produced, which can be detailed enough to show genitalia of the person being scanned.
Learning from the experience of other nations that have already implemented the use of Whole Body Imaging” we can decide what policies India should have in place and most importantly whether or not India realistically has a use for this technology.
Adequate privacy, it is said, is obtained when the restriction on access to persons and personal information allows a person not to be subjected to intrusion and public exposure [1]. Full body scanners can be called intrusive because in effect they allow the government to carry out strip searches by using technology to remove clothes instead of physically doing the same. Apart from this there are other concerns. For instance there have been instances when these images have been saved and have been uploaded on the internet [2]. In Lagos these images have been used as pornographic material. There is also a cause of concern amongst transgender who do not feel comfortable in revealing their gender which is different from the gender that they portray[3] and they are of the opinion that this information could lead to harassment. Since the scanners can detect medical equipment people who use colostomy bags and catheters which are otherwise hidden may find these scans embarrassing [4].

USA

In the U.S, Whole Body Imaging was introduced in light of the growing concerns with regard to security at airports and terrorist attacks. The Transportation Security Administration is responsible for monitoring security at the airport. The TSA has thus introduced Full Body Scanners at airports. In order to address the privacy concerns that have been raised the TSA has taken the following steps:

Ensuring that the Security officer who is privy to the scan is not the same as the officer interacting with the person who is being scanned.
The TSA has also stated that personally identifiable information will not be stored and distributed.[5]
Another step towards safeguarding the privacy of the passengers has been to blur the faces of the person being scanned.[6]

Though the TSA has taken various steps to ensure the privacy of individuals, one can argue that these measures are not without loopholes. The fact that the Security Officer looking at the scan and the Security officer handling the passenger are different does not do away with this invasion of privacy. There is also the added concern that these images may be uploaded on the internet, which in fact has already been done. The release and collection of these images is in contravention of the Privacy Act of 1974 that governs the collection, maintenance, use and dissemination of personal identifiable information about individuals which in the possession of the federal agencies. The TSA assures that the images will not be retained, but the fact is that the machines have been programmed such as to enable retention of images, if the same has been disable, it can be tampered with. Lastly, on the point of blurring of faces, it is a software fix and can be undone as easily as the application of the software. The TSA in its Privacy impact Assessment report had listed down that full body scanning would initially be a secondary screening measure. What this means is that everyone goes through one level of security screening and if one is randomly selected or the security has reason to suspect a passenger, the passenger can be called for a second level of screening. At which point the passengers will undergo full body scanning.
A federal judge in California, in 1976 said that the laws of privacy “encompass the individual's regard for his own dignity; his resistance to humiliation and embarrassment; his privilege against unwanted exposure of his nude body and bodily functions." As already stated, these body scanners lead to situations that can be embarrassing, do lead to unwanted exposure of body, and can lead to situation where the person scanned could be humiliated (as in the case of transgender and other persons with catheters and colostomy bags). The Electronic Privacy Information Center is a non-profit group that was established to focus attention on civil liberties issue. EPIC challenged the constitutional validity of full body scanning, claiming that the same violated the fourth amendment [9]. The amendment guards against unlawful searches and seizures. In the case of whole body imaging, travelers are subjected to “invasive searches” without any suspicion that they did anything wrong, and without being informed of the reason he/she is being subjected to a search of such a nature. [10] The latest is the use of this technology in courthouses in Florida and at train stations.

UK

In the UK if a passenger is selected for full body scanning, the passenger must comply [11]. The passenger is forbidden from flying if he or she refuses to the scanning process and cannot ask for an alternate screening process [12] Unlike the US in the UK the option of a pat-down search is not available. The steps taken to protect the privacy of the passengers are the same as practiced in the US.

The images of the passengers are not retained
The images are produce in such a manner that the Security officer cannot recognize the person.

A major concern in UK is the violation of child pornography laws that do not allow the creation of indecent images of a child. However, a rule that would have exempted persons under the age of 18 from full body scans was overturned by the government in the UK [13]. Gordon Brown the Prime Minister of UK in 2010 gave permission for the use of full body scanners at the airports. BAA Ltd, which operates six airports in UK (including the Heathrow Airport) has undertaken the installation of these scanners at its airports. In general, the security at the airports comes under the ambit of the Homeland Security and the department will be supervising the installation of the machines. Lord Adonis, the Transport Secretary, confirmed the new policy in a written parliamentary statement, saying that the scanners would help security staff to detect explosives or other dangerous items [14].

One of the major opponents of Whole Body Imaging has been the Equality and Human Right Commission (EHRC), which is of the opinion that the use of this technology would breach the privacy rules under the Human Rights Act [15]. The move to use this technology has raised concerns about the excessive collection of personal data. Big Brother Watch, a campaign that fights intrusion on privacy and protects liberties of people, started an online movement that opposes and raises concerns with full body scanning. It has also listed down all the airports around the world that are using (or are going to be using) this technology [16]. The only group that has openly welcomed this move of the government has been the Liberal Democrats [17]. The British Department of Transport has published an Interim Code of Practice covering the privacy, health and safety, data protection and equality issues associated with the use of body scanners. The Code calls for the implementation of detailed security standards and for an effective privacy policy to be put in place by airport operators.

The privacy policy should include as a minimum:

rules regarding the location of the equipment;
A process for identifying who will read the screen (i.e., a person of the same sex as the person selected for scanning);
A process for selecting passengers (passengers must not be selected on the basis of personal characteristics such as, gender, age, race or ethnic origin);
Prohibition on copying or transferring the images in any way;
Instructions for the images of the passenger to be destroyed and rendered irretrievable once the image has been analyzed; and
A process to call on an appropriate Security Officer if an image suggests there is a viable threat to passenger or staff security.

The BodyScanner Task Force was established by the European Commission to publish an impact assessment report and to advise the commission, but the task force has yet to publish its report with specific legislative proposals [18].

Concerns in the UK also arose in light of a response of a judge to a complaint by the Electronic Privacy Information Centre (based in Washington). The judge stated that the Department of Homeland Security (USA) would be allowed to keep images of individuals screened at the airport [19]. This raises concerns amongst activists as to which images can and which images cannot be saved by the airport authorities.

Australia

Post the attempted attack on Christmas Day, pressure on countries such as Australia increased to make use of whole body imaging technology. However, the Association of Asia Pacific Airliners, an association of the international carriers servicing in Australia, criticised the use of full body scanners [20]. Apart from the privacy concerns, that people all over the world share, another aspect that is cause for concern in Australia is the increase in traveling cost. The machines used for whole body imaging is extremely expensive, and thus the question posed time and again in Australia is if it will be economically viable to make use of this technology?[21] The Queensland Council for civil liberties has opposed the use of this Advance Imaging Technology (AIT) and has stated that passengers should be allowed to refuse being scanned and should be allowed to opt for a pat down. Kevin Rudd (the Prime Minister of Australia at the time of implementation of this technology) had taken note of the privacy concerns and assured that such measure would be undertaken that would mitigate these concerns. Currently, Body scanners are installed at the international airports in Australia. The transport minister has said that the images produced would be stick figures and not naked images [22]. This move has been taken in light of the back clash that body scanners faced in the USA. Changes regarding whole body imaging have been referred to the Privacy Commissioner in order to ensure that privacy is not intruded. Namely, Full Body screening will not be applied to all the passengers - instead passengers will either be randomly selected or will be selected on the basis of their profiles [23].

India

Currently in India whole body scanners can be found at the Delhi International Airport [24]. Thus, debate and discussion about the use of these scanners has not gained much momentum in India. It would be advisable that when framing legislation or guidelines to govern full body scanners, India incorporates the experiences of other nations who have already started the use of this technology.

Generally speaking it seems as though the use of a full body scanner would not be recommendable for the Indian scenario. It has already been seen that these scans are not very effective in detecting plastic and fluids [25]. Additionally the scanner only shows objects that are on the body and not in the body. Thus, the effectiveness of these scanners is questionable (especially considering it cannot detect plastics and light fluids) [26]. Additionally, in India the demographic using these scanners would be very different from the people using these scanners in other countries. For instance, it has been pointed out that the interest of Muslim women has not been taken into account when introducing this method of screening. Apart from personal privacy issues there are religious issues that arise, and though the instances of the same maybe far apart in other nations, in India the same will act as a hindrance on a daily basis. If not dealt with delicately this can be a major cause of concern that will have far reaching ramifications. Furthermore, one cannot stress enough the cost that will be involved with the implementation of these scanners. These scanners are extremely expensive and require trained Security Officers to operate them. Additionally, what the scanners seek to accomplish can be achieved by insuring that the pat-downs are carried out properly. But there is a caveat that must be mentioned here. In US, one is allowed to choose between a pat-down and a body scanner. There have been instances when these pat-downs have been more intrusive than the body scanners. Thus, there should be guidelines in place as to how these pat-downs should be carried out. The guidelines should specify actions that the Security Officials would not be allowed to carry out.

Lastly, even if India decided to adopt the full body scanners, considering it helps save time and takes only 15 seconds to complete, it should not be used as a primary screening method. Hypothetically, if body scanners are used as a secondary screening process, alternate screening processes should be available if the passenger does not wish to subject himself/ herself to the scan. But then the question is why should the government invest so much in an expensive technology which the passengers can easily avoid?

Bibliography:

[1].A Companion to Philosophy of Law and Legal Theory, Constitutional Law and Privacy, Anita. L. Allen Pg 147.

[2].http://gizmodo.com/5690749/these-are-the-first-100-leaked-body-scans.

[3]. Available at http://www.airlinereporter.com/2010/08/we-do-not-have-all-the-same-body-parts-and-body-scanners-violates-your-privacy/.

[4].http://www.aclu.org/technology-and-liberty/aclu-backgrounder-body-scanners-and-virtual-strip-searchers.

[5].Privacy impact assessment report. Available at - http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_wbi.pdf.

[6].http://www.aclu.org/technology-and-liberty/aclu-backgrounder-body-scanners-and-virtual-strip-searches.

[7].http://travel.usatoday.com/flights/2010-07-13-1Abodyscans13_ST_N.htm .

[8].http://www.stopdigitalstripsearches.org/.

[9]. http://epic.org/privac/airtravel/backscatter/.

[10].http://www.dailymail.co.uk/news/article-2012249/TSA-scanners-catch-implant-bomber-admit-officials.html?ito=feeds-newsxml.

[11].http://news.bbc.co.uk/2/hi/uk_news/8490860.stm.

[12].http://www.bigbrotherwatch.org.uk/home/2010/03/body-scanner-refuseniks.html.

[13].http://news.bbc.co.uk/2/hi/uk_news/8490860.stm.

[14].http://www.timesonline.co.uk/tol/news/uk/article7011224.ece.

[15].http://www.timesonline.co.uk/tol/news/politics/article6990990.ece.

[16].http://www.bigbrotherwatch.org.uk/home/2010/06/airports-with-body-scanners.html.

[17].http://news.bbc.co.uk/2/hi/8438355.stm.

[18].http://www.huntonprivacyblog.com/2010/02/articles/european-union-1/uk-airports-implement-compulsory-use-of-full-body-scanners/.

[19].http://www.bigbrotherwatch.org.uk/home/2011/01/judge-blocks-investigations-into-body-scanners.html.

[20].http://www.theaustralian.com.au/travel/backlash-to-airport-body-scans/story-e6frg8rf-1225817485755.

[21].http://www.sbs.com.au/news/article/1190826/full-body-scanners-to-be-introduced-at-airports.

[22].http://www.theage.com.au/travel/travel-news/fullbody-airport-scans-part-of-security-revamp-20100209-npqo.html.

[23].http://www.theage.com.au/travel/travel-news/fullbody-airport-scans-part-of-security-revamp-20100209-npqo.html.

[24].List of Airports with full body scanners. Available at http://www.bigbrotherwatch.org.uk/home/2010/06/airports-with-body-scanners.html.

[25].http://www.independent.co.uk/news/uk/home-news/are-planned-airport-scanners-just-a-scam-1856175.html.

[26].http://www.bigbrotherwatch.org.uk/home/2010/01/invasion-of-the-body-scanners.html.

For more details visit https://cis-india.org/internet-governance/blog/privacy_wholebodyimagingcomparison

IP Addresses and Expeditious Disclosure of Identity in India

Prashant Iyengar — 2012-12-14T10:20:59Z

In this research, Prashant Iyengar reviews the statutory mechanism regulating the retention and disclosure of IP addresses by Internet companies in India. Prashant provides a compilation of anecdotes on how law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Over the past decade, with the rise in numbers of users, the internet has become an extremely fraught site that has been frequently used in India for the perpetration of a range of 'cyber crimes' — from extortion to defamation to financial fraud. In a revealing statistic, in 2010, the Mumbai police reportedly "received 771 complaints about internet-related offences, 319 of which were from women who were the victims of fake profiles, online upload of private photographs and obscene emails."[1]

Law enforcement authorities in India have not exactly lagged behind in bringing these new age cyber criminals to book, and have installed special ‘Cyber crime cells’ in different cities to combat crimes on the internet. These cells have been particularly adept at using IP Addresses information to trace individuals responsible for crimes. Very briefly, an Internet Protocol address (IP address) is a numeric label – a set of four numbers (Eg. 202.54.30.1) - that is assigned to every device (e.g., computer, printer) participating on the internet. [2] Website operators and ISPs typically maintain data logs that track the online activity of each IP address that accesses their services. Although IP Addresses refer to particular computers – not necessarily individual users – it is possible to trace these addresses backwards to expose the individual behind the computer. [3] As even a casual Google search with the phrase “IP, police, India” would reveal, police authorities in different cities in India have been quite successful in employing this technology to trace culprits.

However, along with its utility in the detection of crime, the tracking of persons by their IP addresses is potentially invasive of individuals’ privacy. In the absence of a culture of strict adherence to the ‘rule of law’ by the police apparatus in India, the unbridled ability to track persons through IP addresses has the potential of becoming an extremely oppressive tool of surveillance.

In this short note, we review the statutory mechanism regulating the retention and disclosure of IP addresses by internet companies in India. In order to provide context, we begin with a compilation of anecdotes on how various law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Examples of use and abuse by Indian authorities

As mentioned above, the online media has been humming with stories which indicate the extent to which IP Addresses has become a useful and frequently deployed weapon in the arsenal of law enforcement agencies:

In May 2010, an Army officer stationed in Mumbai was arrested for distributing child pornography from his computer. [4] He was traced by the Mumbai Police after the German Federal Police alerted Interpol that objectionable pictures were being uploaded from the IP address he was using.
In February 2011, Cyber Crime Police in Mumbai sought IP address details of a user who had posted ‘Anti Ambedkarite’ content on Facebook – the popular social networking site. [5]
In February 2008, internet search company Google was ordered by the Bombay High Court to reveal "particulars, names and the address of the person" who had posted defamatory content against a company on Google’s blogging service Blogger.[6]
In September 2009, a man was arrested by the Delhi Police in Mumbai for blackmailing classical musician Anoushka Shankar. The culprit had allegedly hacked into her email account and downloaded copies of personal photographs. He was traced by using his IP address.[7]
In April 2010, Gurgaon Police arrested a teenage boy for allegedly posting obscene messages about an actress on Facebook. The newspaper account reports that "During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer." [8]
In February 2011, the police traced a missing boy who had run away from home, by following the IP address trail he left when he updated his Facebook profile status. [9]

What is clearly evident from these accounts is a growing awareness and enthusiasm on the part of Indian law enforcement agencies to use IP address trails as a routine part of their criminal investigative process. While this is not unwelcome, considering the kinds of grievances listed above and the backdrop a dismal record of criminal enforcement in India, there is also a flip side. In a shocking incident in August 2007, Lakshmana Kailash. a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. [10] The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and jailed for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.

Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages.[11] This incident sounds a cautionary note, amidst so many celebratory accounts, signalling that grave human rights abuses could result from the unchecked use of this technology.

These are just seven out of scores of instances of Indian investigative authorities tracing culprits using IP addresses. The crimes range from blackmail to impersonation, to defamation to planning terror attacks. Seldom in these cases has a court order actually been required by the agency that discloses the IP address of the individual.[12] Clearly there seems to be a very easy relation between law enforcement agencies in India one the one hand, and Internet Service Providers and online services such as Google and Facebook on the other.

Google’s own ‘Transparency Report’[13] which provides statistics on the number of instances where Governments agencies have approached the company demanding information or take-down, states that that it received close to 1700 ‘data requests’ from Indian authorities between January to June 2010 – ranking India 3rd globally in terms of such requests behind the United States and Brazil. That a high percentage – 79% - of these requests have been complied with indicate that within a short span of time, ‘Indian authorities’ have discovered in Google, a reliable and pliable ally in seeking information about their subjects. In 2007, Orkut -a social-networking site owned by Google- even entered into a co-operation agreement with the Mumbai police in terms of which “'forums' and 'communities'” which contained “defamatory or inflammatory content” would be blocked and the IP addresses from which such content has been generated would be disclosed to the police. [15]

Although similar transparency reports are not forthcoming from the other Internet giants such as Yahoo or Facebook, one may presume that this co-operation has not been withheld by them. [16]

In the sections that follow, we outline the legal framework that facilitates this co-operation between law enforcement authorities and web service providers.

Lawful disclosure of IP Addresses

In this section, we are seeking a legal source for the compulsion of ISPs and intermediaries (including websites) to disclose IP Address data. Are there guidelines in Indian law on how much information must be disclosed, under what circumstances and for how long?

Broadly, there are four sources to which we may trace this regime of disclosure and co-operation. Firstly, ISPs are required, under the operating license they are issued under the Telegraph Act, to provide assistance to law enforcement authorities. Secondly, the Information Technology Act contains provisions which empower law enforcement authorities to compel information from those in charge of any ‘computer resources’. Reciprocally, ‘intermediaries’ – including ISPs and websites - are charged under new Rules under the IT Act with co-operating with government agencies on pain of exposure to financial liability. Thirdly, the Code of Criminal Procedure defines the scope of police powers of investigation which include powers to interrogate and summon information and Fourthly, individual subscribers enter into contracts with ISPs and web services which do not offer any stiff assurances of privacy with regard to the IP Address details.

The sections that follow offer greater detail on each of these areas of the law.

Monitoring of internet users under the ISP licenses

ISPs are regulated and operate under a license issued under the Telegraph Act 1885. Section 5 of the Telegraph Act empowers the Government to take possession of ‘licensed telegraphs’ and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence."

Although the statute governs the actions of ISPs in a general way, more detailed guidelines regulating their behaviour are contained in the terms of the licenses issued to them which set out the conditions under which they are permitted to conduct business. The Internet Services License Agreement (which authorizes ISPs to function in India) contains provisions requiring telecom operators to safeguard the privacy of their consumers or to co-operate with government agencies when required to do so. Some of the important clauses in this agreement are:

Part VI of the License Agreement gives the Government the right to inspect/monitor the ISPs systems. The ISP is responsible for making facilities available for such interception.
Clause 32 under Part VI contains provisions mandating the confidentiality of information held by ISPs. These provisions hold ISPs responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place. Towards this, ISPs are required:

to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavours to secure that :
to ensure that no person acting on behalf of the ISPs divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and
This safeguard however does not apply where (i) The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or (ii) The information is already open to the public and otherwise known.
To take necessary steps to ensure that any person(s) acting on their behalf observe confidentiality of customer information.

Clause 33.4 makes it the responsibility of the ISP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.
Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.
Clause 34.12 and 34.13 requires the ISP to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities.
Clause 34.16 requires the ISP to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.
Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”.
Clause 34.23 mandates that the ISP maintain "all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor".
Clause 34.28 (viii) forbids the ISP from transferring the following information to any person/place outside India:

Any accounting information relating to subscriber (except for international roaming/billing) (Note: it does not restrict a statutorily required disclosure of financial nature) ; and
User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).

Clause 34.28(ix) and (x) require the ISP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.
Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”. (It is unclear whether this is to operate as an overriding provision governing all other clauses as well).

From the list above, it is very clear that by the terms of their licenses, ISPs are required to maintain extensive logs of user activity for unspecified periods. However, it is unclear, in practice, to what extent these requirements are being followed by ISPs. For instance, an article in the Economic Times in December 2010 [18] reports:

"The Intelligence Bureau wants internet service providers, or ISPs, to keep a record of all online activities of customers for a minimum of six months. Currently, mobile phone companies and internet service providers do not keep online logs that track the web usage pattern of their customers. They selectively monitor online activities of only those customers as required by intelligence and security agencies, explained an executive with a telecom company." (emphasis added)

The news report goes on to disclose the ambitious plans of the Intelligence Bureau to “put in place a system that can uniquely identify any person using the internet across the country” through “a technology platform where users will have to mandatorily submit some form of an online identification or password to access the internet every time they go online, irrespective of the service provider.” Worryingly, the report goes on to discuss the setting up by the telecommunications department of “India's indigenously-built Centralised Monitoring System (CMS), which can track all communication traffic—wireless and fixed line, satellite, internet, e-mails and voice over internet protocol (VoIP) calls—and gather intelligence inputs. The centralised system, modeled on similar set-ups in several Western countries, aims to be a one-stop solution as against the current practice of running several decentralised monitoring agencies under various ministries, where each one has contrasting processing systems, technology platforms and clearance levels.” Although as of this writing, this CMS is not yet fully functional, its launch seems to be imminent and will inaugurate with it, an era of constant and continuous surveillance of all internet users.

Provisions under the IT Act 2000

The IT Act enables government agencies to obtain IP Address details from intermediaries, including ISPs, by following a stipulated procedure. In addition, it enjoins intermediaries to co-operate with law enforcement agencies as a part of their due-diligence behaviour.

In a parallel, seemingly conflicting move, the IT Act also requires intermediaries to observe stiff Data Protection norms. In the sub-sections that follow, we look at each of these various provisions under the IT Act.

Interception and Monitoring of computer resources

There are two regimes of interception and monitoring information under separate sections the Information Technology Act. Both would seem capable of authorising access of IP Addresses, among other information to government agencies.

Section 69 deals with “Power to issue directions for interception or monitoring or decryption of any information through any computer resource”.

In addition, the Government has been given a more generalised monitoring power under Section 69B to “monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource”. This monitoring power may be used to aid a range of “purposes related to cyber security.”[19] “Traffic data” has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.”

Rules have been issued by the Central Government under both these sections which are similar, although with important distinctions. These rules stipulate the manner in which the powers conferred by the sections may be exercised.

The important difference between the two sections is that while Section 69 provides a mechanism whereby specific computer resources can be monitored in order to learn the contents of communications that pass through such resource, Section 69B by contrast provides a mechanism for obtaining ‘meta-data’ about all communications transacted using a computer resource over a period of time – their sources, destinations, routes, duration, time etc without actually learning the content of the messages involved. The latter type of monitoring is specifically in order to combat threats to ‘cyber security’, while the former can be invoked for a number of purposes such as the securing of public order and criminal investigation. [21]

However, this distinction is not very sharp – an interception order under Section 69 directed at a computer resource located in an ISP can yield traffic data in addition to the content of all communications. Thus for instance, if a direction was passed ordering my ISP to intercept “all communications sent or received by Prashant Iyengar”, the information obtained by such interception would include a resume of all emails exchanged, websites visited, files downloaded etc. In such a case, a separate order under Section 69B would be unnecessary. An important clue about their relative importance may lie in the different purposes for which each section may be invoked coupled with the fact that while directions under Section 69 can be issued by officers both at the central and state level, directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology. [22] This indicates that the collection of traffic data by the government under Section 69B is intended to facilitate the securing of India’s ‘cyber security’ from possible external threats – a Defence function – while the interception powers under Section 69 are to be exercised for more domestic purposes as aids to Police functions.

The rules framed under Section 69 and Section 69B contain important safeguards stipulating, inter alia, to a) Who may issue directions b) How are the directions to be executed c) The duration they remain in operation d) to whom data may be disclosed e) Confidentiality obligations of intermediaries f) Periodic oversight of interception directions by a Review Committee under the Telegraph Act g)maintenance of records of interception by intermediaries h) Mandatory destruction of information in appropriate cases.

Although these sections provide powerful tools of surveillance in the hands of the state, these powers may only be exercised by observing the rather tedious procedures laid down. In the absence of any data on interception orders, it is unclear to what extent these powers are in fact being used in the manner laid down. Certainly, from the instances cited in the beginning of this paper, the police departments in the various states do not seem to need to invoke these powers in order to obtain IP Address information from ISPs or websites. This information appears to be available to them merely for the asking. How do we account for this unquestioning pliancy on the part of the ISPs?

In February 2011, Reliance Communications, a large telecom service provider disclosed to the Supreme Court that over a hundred and fifty thousand telephones had been tapped by it between 2006 and 2010 – almost 30,000 a year. A majority of these interceptions were conducted based on orders issued from state police departments whose legal authority to issue them is suspect. New rules framed under the Telegraph Act in 2007 required such orders to be issued only by a high-ranking Secretary in the Department/Ministry of Home Affairs. [23] The willing compliance by Reliance with the police’s requests indicates both their own as well as the police’s blithe unawareness about the change in the regime governing tapping. Things seem to have continued just as before through pure inertia.

To return to the question about why ISPs comply with police requests, it is conceivable that this same inertia, and an intuitive confidence both on the part of the police and the ISPs that they would not be made to answer for their disclosures, is what explains the ready and expeditious access that ISPs give police departments to IP Address details. In the next sub-section we examine intermediary liability rules which require intermediaries to positively disclose personal information to law enforcement authorities.

Data Protection Rules

Section 43A of the IT Act obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which, they would be liable to compensate those affected by any negligence attributable to this failure.

In April 2011, the Central Government notified rules under section 43A of the Information Technology Act in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold. Since traffic data including IP Address data is one kind of personal information that ISPs hold, and since all ISPs are ‘body corporates’, these rules apply to them equally and define the terms on which they may deal with such information.

Rule 3 of these Rules designates various types of information as ‘sensitive personal information’ including passwords, medical records etc.[25] Significantly, for the purposes of this paper, IP address details are not included in this list.

Body Corporates are forbidden from collecting any information without prior consent in writing for the proposed usage. Further, Sensitive personal information may not be collected unless - (a) the information is collected for a lawful purpose connected with a function or activity of the agency; and (b) the collection of the information is necessary for that purpose. [Rule 5]

Rule 4 enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” including on a website. The policy must provide the following details:

Clear and easily accessible statements of its practices and policies;
Type of personal or sensitive information collected;
Purpose of collection and usage of such information;
Disclosure of such information as provided in rule 6 [27]
Reasonable security practices and procedures as provided under rule 8.

Rule 6 enacts as a general rule that disclosure of information “by the body corporate to any third party shall require prior permission from the provider of such information”. Consent is, however, not required, “where disclosure is necessary for compliance of a legal obligation”. This is further fortified by a proviso to the rule which stipulates the mandatory sharing of information “without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.” In such a case, the Government agency is required to “send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information.” The government agency is also required to “state that the information thus obtained will not be published or shared with any other person.” [28]

Sub Rule (2) of Rule 6 requires “any Information including sensitive information” to be “disclosed to any third party by an order under the law for the time being in force.” This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.

Rule 8 requires body corporates to implement documented security standards such as the international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System”.

What is curious about these rules is that its provisions, particularly those relating to lawful disclosure, appear to go much further than the limited purpose authorised by section 43A under which they are framed. Section 43A is intended only to fix liability for the negligent disclosure of information by body corporates which results in wrongful loss. It is not intended to inaugurate a regime of mandatory disclosure, as the Rules attempt to do. In positively requiring, body corporates to disclose information upon a mere request by any ‘government agency’, these rules attempt to create a parallel, much softer mechanism by which the same information that is dealt with under Sections 69 and 69A and rules framed under them can be accessed by a far wider range of governmental actors.

Even more curious is the fact that the only legal consequence to the ISP for its negligence in disclosing information to government agencies as stipulated in the rules is that it exposes itself to possible civil liability from the ‘person affected’. [29] Thus, conceivably, if an ISP failed to disclose IP Address data of its users to the police at the instance of, say, targets of online financial fraud, they can be sued by the victims of such fraud. With no incentive to assume this ridiculous burden, it is foreseeable that ISPs would hasten to comply with every request for information from a government agency– however whimsically issued.

Intermediary Due Diligence

Section 79 of the IT Act makes intermediaries, including ISPs liable for third party content hosted or made available by them unless they observe ‘due diligence’, follow prescribed guidelines and disable access to any unlawful content that is brought to their attention. Rules were notified under this section in April 2011 which defined the ‘due diligence’ measures they were required to observe. [30]

Accordingly, ISPs are required to forbid users from publishing, uploading or sharing any information that:

belongs to another person and to which the user does not have any right to;
is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
harm minors in any way;
infringes any patent, trademark, copyright or other proprietary rights;
violates any law for the time being in force;
deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
impersonates another person;
contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

Upon being notified by any ‘affected person’ who objects to such information in writing, the ISP is required to “act within thirty six hours and where applicable, work with user or owner of such information to disable such information”. [31]

Further, “when required by lawful order”, the ISP, website or any other intermediary “shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.”

Visible here is the same attempt at subversion of Sections 69 and 69B as discussed in the previous section under the Data Protection Rules. Failure to observe these ‘due diligence’ measures – including disclosure of IP Address details – would expose ISPs and web-services like Google and Facebook to civil liability under Section 79, a risk they would not likely or lightly wish to assume.

Police powers of investigation

Apart from the provisions under the IT Act, to what extent are the police in India empowered under the Criminal Procedure Code to simply requisition information - including IP Addresses of suspects - from ISPs and Websites? In the course of routine investigation into other offences, the police have wide powers to summon witnesses, interrogate them and compel production of documents. Can these powers be invoked to obtain IP Address information? Are ISPs and Websites somehow immune from complying with these requirements?

Section 91 of the Code of Criminal Procedure empowers courts or police officers to call for, by written order, the production of documents or other things that are “necessary or desirable” for the purpose of “any investigation, inquiry, trial or other proceeding under the Code”.

Sub-section 3 of this section however limits the application of this power by exempting any “letter, postcard, telegram, or other document or any parcel or thing in the custody of the postal or telegraph authority.” Such documents can only be obtained under judicial scrutiny by following a more rigorous procedure laid down in Section 92. Under this section, it is only if a “District Magistrate, Chief Judicial Magistrate, Court of Session or High Court” is of the opinion that “any document, parcel or thing in the custody of a postal or telegraph authority is.. wanted for the purpose of any investigation, inquiry, trial or other proceeding under this Code” that such document, parcel or thing can be required to be delivered to such Magistrate or Court.

However the same section empowers lesser courts and officers such as “any other Magistrate, whether Executive or Judicial, or of any Commissioner of Police or District Superintendent of Police” to require “the postal or telegraph authority, as the case may be .. to cause search to be made for and to detain such document, parcel or thing” pending the order of a higher court.

Section 175 makes it an offence for a person to intentionally omit to produce a document which he is legally bound to produce. In case the document was to be delivered to a public servant or police officer, such omission is punishable with simple imprisonment of up to one month, or with fine up to five hundred rupees or both. If the document was to be delivered to a Court of Justice, omission could invite simple imprisonment up to six with or without a fine of one thousand rupees.

In the context of our discussion on IP Addresses, the following questions emerge:

Are ISPs “telegraph authorities” so that the police are ordinarily prohibited from requisitioning information from them without obtaining orders from a court.
Similarly are Webmail and social networking sites “telegraph or postal authorities” so that securing information from them requires the following of the special procedure laid down in Section 92

Section 3(6) of the Indian Telegraph Act, 1885 defines "telegraph authority" as “the Director General of [Posts and Telegraphs], and includes any officer empowered by him to perform all or any of the functions of the telegraph authority under this Act”. This would seem to exclude all private sector ISPs from the definition, presumably opening them up to ordinary summons issued under Section 91.

However, Section 3(2) defines a "telegraph officer" to mean “any person employed either permanently or temporarily in connection with a telegraph established, maintained or worked by [the Central Government] or by a person licensed under this Act;” Under this section, employees of private ISPs such as Airtel would also be regarded as “telegraph officers” and if we can extend this logic, with some interpretative work, the ISPs themselves might be regarded as “telegraph authorities”. In the absence of definite rulings by the judiciary on this question, however, the ordinary presumption would be that private ISPs are not “telegraph authorities” and are answerable, like all private companies, to requisitions made under Section 91.

This leaves open the question of whether a government company like BSNL would count as a ‘telegraph authority’. If it is, then it would put internet communications conducted through BSNL on a more secure footing than through other ISPs. As things stand, however, it appears that BSNL seems to be extending its co-operation to the police in tracking mischief online , in the same manner as other ISPs.

The second question is relatively more straightforward. The definition of “Post Office” in the Indian Post Office Act 1898 restricts its meaning to “the department, established for the purposes of carrying the provisions of this Act into effect and presided over by the Director General [of Posts and Telegraphs]” (Section 2k). Despite their primary functions as email providers, it seems unlikely that any magistrate would interpret webmail providers like Hotmail and Google as “postal authorities” so as to be immune from police summonses under Section 91. Such an interpretation would, nevertheless, be in keeping with the spirit of the postal exemptions, since these sections seem to be aimed at requiring judicial oversight before the privacy of communications may be disturbed. It would be fitting for an amendment to be introduced to the Code of Criminal Procedure to update these sections in line with new technological developments.

Before parting with this section, it must be asked whether the procedure under the IT Act or the CrPC must be followed. Section 81 of the Information Technology Act unequivocally declares that act to have “overriding effect” “notwithstanding anything inconsistent therewith contained in any other law for the time being in force.” This seems to suggest that at least with respect to interception of electronic communications and obtaining traffic data, the provisions of the CrPC would be overridden by the procedure laid down by the rules under the IT Act. The evidence from the practice of the Indian police routinely obtaining IP Address from web service providers and ISPs seems to suggest that the IT Act has not been invoked in these transactions. This is a trend that is likely to continue until their legality is questioned in a court of law.

Subscriber Contracts with web service providers

In addition to statutory provisions mandating the disclosure of IP Address information, such disclosure may also be permissible by the terms under which individual websites provides their services. Two examples would suffice here:

Google’s privacy policy which governs its full range of services from its popular search service to Gmail, as well as the groups and blogging services, states that the company will disclose personal information inter alia if

"We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law."

Information collected by Google includes server logs which include the following information: "your web request, your interaction with a service, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your account." [34]

Similarly, social networking site Facebook contains an equally expansive ‘lawful disclosure’ clause in its Privacy Policy [35] which states that the company will disclose information:

"To respond to legal requests and prevent harm. We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities."

Information collected by Facebook includes information about the device (computer, mobile phone, etc) about your browser type, location, and IP address, as well as the pages visited. [36]

Examples of such clauses abound and it would be fair to assume that almost every corporate website one visits has analogously worded terms of service permitting ‘lawful disclosure’. This contractual backdoor negatives any expectation of absolute privacy of IP Address details that one might mistakenly have harboured.

Conclusion

As indicated in the introduction, IP addresses have proven to be a dependable way for the police in India to track down a range of cyber-criminals – from financial frauds, to vengeful spurned-lovers, to blackmailers and terrorists. The novelty of ‘cyber crimes’, as well as the relative high-tech ease of their resolution makes for attractive press, and offers an inexpensive way for police departments to accrue some credibility and goodwill for themselves. So long as the police track down genuine culprits, the question of privacy violations will necessarily remain suppressed since, in the words of the Supreme Court “the protection [of privacy] is not for the guilty citizen against the efforts of the police to vindicate the law." [37] However it is the possibility of an increase in egregious cases such as those of Lakshmana Kailash, mentioned above, wrongfully jailed for 50 days on account of a technical error, that reveals the pathologies of the unchecked system of IP Address disclosure that prevails today.

Legal regimes in the West have largely been indecisive about whether to characterize the maintenance of IP Address logs as handmaids for Orwellian thought-policing, or merely as implements that aid the apprehension of cyber criminals who have no legitimate expectation of privacy. Their laws typically come with procedural safeguards such as mandatory notices to affected persons [38], and judicial review which greatly mitigate the severity of these disclosures when they do occur.

Far from incorporating such safeguards, the various layers of Indian law create an atmosphere that is intensely hostile to the withholding of such information by ISPs and intermediaries. Overlapping layers of regulation between the Telegraph Act and the IT Act, and the conflict among various rules under the IT Act have created a climate of such indeterminacy that immediate compliance with even the most capricious of information demands by any government agency is the only prudent recourse for ISPs and other intermediaries. The DoT has issued a circular requiring the registration of public and domestic wifi networks to facilitate greater precision in tracking individuals behind IP Addresses. [39] For the same purpose, new Cyber Café Rules under the IT Act require extensive registers and logs to be maintained that track the identity of every user and the websites they have visited. [40] And if the full ambitions of the Unique Identity Numbering Scheme and the Centralised Monitoring System are realized, we will shortly be headed for exactly the kind of persistent surveillance society that Orwell wrote so fondly about.

The Indian judiciary, which could have played a counterbalancing role to the legislature’s apathy towards privacy and the executive’s increasingly totalitarian tendencies, has so far not risen to the challenge. The Supreme Court has repeatedly condoned the obtaining of evidence through illegal means, [41] and this has rendered the requirement of adherence to procedural due process by the police merely optional. This guarantee of judicial inaction in the face of executive illegality will be the biggest stumbling block to the securing of privacy – despite the occasionally good intentions of the legislature.

So, in the absence of a general assurance of privacy of our internet communications, where does one look to for hope? I would venture to suggest that there are four sources of optimism:

Notwithstanding the iron determination of the Central Government to install a panoptic communication surveillance system, the realization and smooth functioning of these technocratic fantasies will depend on the reconfiguration of the relative powers of various ministries at the Central Level– chiefly the Ministry of Communications and Information Technology and the Home Ministry – and between the Centre and the State. One can rely, one feels, on the unwillingness of various ministries to cede their powers to forestall or at least delay or diminish the execution of this project. The success of the technology, in other words, is not as much in doubt as the success of the politics. Privacy will triumph in this ‘failure’ of politics. I advance this point naively and with only the slightest sense of irony.
Another ironic point : I suggest the ingenious and very Indian phenomena of inefficiency and ignorance as robust privacy safeguards. How does one account for the fact that despite heavily worded and repeated invocations of disclosure requirements in the ISP licenses for almost a decade, it was not until December 2010 that the Home Ministry tentatively suggests to ISPs that IP records must be kept for a minimum of six months? This despite the fact that the ISP license itself requires that such records be kept for one year. How does one explain the unanimous blinking astonishment of the industry at this suggestion, other than they expected never to have to implement it? Or that the extensive logs that cyber café owners are required to maintain about their clientele are seldom checked? [43] In India it seems to be an unstated element of the business climate that one can reliably depend on the non-enforcement of contractual clauses. Sometimes this inefficiency on the part of the state has inadvertent privacy-preserving effects.
The power of the state to rely on IP Addresses depends on the availability of global internet behemoths such as Microsoft, Google, Facebook and Yahoo who are vulnerable to bullying in order to maintain their transnational empires. In each of the success stories mentioned at the start of this paper, IP Address details were obtained from one of the big companies named, from which the lesson that emerges is that our ability to retain our anonymity will depend on our ability to find smaller, non-Indian substitutes who have nothing to fear from Indian authorities. In June 2010, for instance, the Cyber Crime Police Station, Bangalore sent a notice under Section 91 of the CrPC to the manager of BloggerNews.Net (BNN) seeking the IP Address and details of a user who had allegedly posted “defamatory comments” on BNN about an Indian company called E2-Labs. The manager of BNN bluntly refused to comply stating: “our policy is not to give out that information, BNN holds peoples privacy in high esteem.”[44] The lesson here is that in the future, the ability of Indians to preserve their online ‘privacy’ and freedom of speech will depend on their being able to find sufficiently small overseas clients to host their speech. Conflict of Laws rather than domestic legislation is a more reliable guarantor of privacy.

Notes

[1].Hafeez, M., 2011. A tangled web of vengeance. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-03-28/mumbai/29353669_1_boyfriend-social-networking-police-officer [Accessed June 21, 2011].

[2].Adapted from the Wikipedia entry on IP Address.

[3].McIntyre, Joshua J., Balancing Expectations of Online Privacy: Why Internet Protocol (IP) Addresses Should be Protected as Personally Identifiable Information (August 15, 2010). DePaul Law Review, Vol. 60, No. 3, 2011. Available at SSRN: http://ssrn.com/abstract=1621102 [Accessed June 21, 2011] .

[4].Anon, 2010. Army officer held in city for child porn -. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-05-08/mumbai/28292650_1_hard-disks-obscene-clippings-downloading [Accessed June 15, 2011].

[5].Anon, 2011. Anti-Ambedkar page on Facebook blocked. Hindustan Times. Available at: http://www.hindustantimes.com/Anti-Ambedkar-page-on-Facebook-blocked/Article1-663383.aspx [Accessed May 24, 2011].

[6].Sarokin, David. Google Ordered to Reveal Blogger Identity in Defamation Suit in India:Gremach Infrastructure vs Google India [Internet]. Version 5. Knol. 2008 Aug 15. Available from: http://knol.google.com/k/david-sarokin/google-ordered-to-reveal-blogger/l9cm7v116zcn/7.

[7].Anon, 2009. Mumbai: Man held for blackmailing Anoushka Shanka. Rediff.com. Available at: http://news.rediff.com/report/2009/sep/20/police-arrest-man-for-blackmailing-anoushka-shankar.htm [Accessed May 24, 2011].

[8].Anon, 2010. Cyber cell nets Delhi teen for lewd online posts - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011].

[9].Hafeez, M., 2011. Police find runaway student “online” - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-02-17/mumbai/28554314_1_social-networking-networking-site-sim-card [Accessed June 21, 2011].

[10].Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article§id=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011].

[11].Ibid.

[12].This is not atypical. In the US, for instance, as Joshua McIntyre writes, “While various federal statutes protect similar data such as telephone numbers and mailing addresses as Personally Identifiable Information (PII), federal privacy law does not generally regard IP addresses as information worthy of protection. It has, therefore, become commonplace for litigants to subpoena ISPs to unmask online speakers. Many ISPs have no reason to fight these subpoenas and readily give up their subscribers’ names, addresses, telephone numbers, and other identifying data without demanding any court oversight or providing any notice to the subscriber. Even when courts become involved, a full consideration of the online speaker’s privacy interests is far from certain” Joshua McIntyre, supra note 3 at p.5.

[13].Anon, 2011. User Data Requests - India. Google Transparency Report. Available at: http://www.google.com/transparencyreport/governmentrequests/IN/?p=2010-12&p=2010-12&t=USER_DATA_REQUEST&by=PRODUCT [Accessed June 29, 2011].

[14].Ibid.

[15].Anon, 2007. Orkut’s tell-all pact with cops. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2007-05-01/news/28459689_1_orkut-ip-addresses-google-spokesperson [Accessed June 15, 2011].

[16].In June 2011, Hotmail supplied IP Address details which enabled Delhi Police to trace, with further assistance from Airtel, the sender of obscene emails to a noted actress. Sharma, M., 2011. Priyanka Chopra’s cousin harrassed in Delhi. Mid-Day. Available at: http://www.mid-day.com/news/2011/jun/100611-news-delhi-priyanka-chopra-cousin-Meera-Chopra-harrassed.htm [Accessed June 28, 2011].

[17]. In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.

[18].Thomas Philip, J., 2010. Intelligence Bureau wants ISPs to log all customer details. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2010-12-30/news/27621627_1_online-privacy-internet-protocol-isps [Accessed June 28, 2011].

[19].The Monitoring Rules list 10 ‘cyber security’ concerns for which Monitoring may be ordered: (a) forecasting of imminent cyber incidents; (b) monitoring network application with traffic data or information on computer resource; (c) identification and determination of viruses/computer contaminant; (d) tracking cyber security breaches or cyber security incidents; (e) tracking computer resource breaching cyber security or spreading virus/computer contaminants; (f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security; (g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force; (i) any other matter relating to cyber security.

[20].Respectively the INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR INTERCEPTION, MONITORING AND DECRYPTION OF INFORMATION) RULES, 2009, G.S.R. 780(E) (2009), http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/Itrules301009.pdf (last visited Jun 30, 2011). and INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR MONITORING AND COLLECTING TRAFFIC DATA OR INFORMATION) RULES, 2009, G.S.R. 782(E) (2009), http://cca.gov.in/rw/resource/gsr782.pdf?download=true (last visited Jun 30, 2011).

[21].Section 69 lists the following grounds for which interception may be ordered : a) sovereignty or integrity of India, b) defense of India, c) security of the State, d)friendly relations with foreign States or e)public order or f)preventing incitement to the commission of any cognizable offence relating to above or g) for investigation of any offence.

[22].Rule 2(d) of the Monitoring and Collecting of Traffic Data Rules 2009.

[23].Telegraph (Amendment) Rules 2007, Available at: http://www.dot.gov.in/Acts/English.pdf [Accessed June 28, 2011].

[24].INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION), (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[25].The full list under Rule 3 includes : password; financial information such as Bank account or credit card or debit card or other payment instrument details ; physical, physiological and mental health condition; sexual orientation; medical records and history; Biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

[26].“Provider of data” is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally – and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.

[27].This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6..

[28].This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agencies that betrays this statement? Why not instead, insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?.

[29].The consequence of disobeying the rules is that the ‘body corporate’ is legally deemed not to have observed ‘reasonable security practices’. Section 43A penalizes such failure if it causes wrongful loss due to the disclosure.

[30].INFORMATION TECHNOLOGY (INTERMEDIARIES GUIDELINES) RULES, (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[31].The easily-affronted have thus been provisioned with a cheaper, swifter and more decisive means of curtailing free speech, where courts in India might have dithered ponderously instead Or they might not have. As of this writing, an obscure court in a Silchar, Assam issued an ex-parte injunction prohibiting the online publication of a highly-acclaimed biopic about Arindam Chaudhuri – a self-proclaimed ‘management guru’ who has gained notoriety in India due the questionable nature of a management institute that he runs. The choice of this particular court as the venue to file the suit, rather than one in New Delhi where both the plaintiff and the publisher reside, coupled Chaudhuri’s consistent success in obtaining such plenary gag-orders from this judge against any content he deems unflattering to himself, strongly suggests foul-play. Although this is not a typical case, it does caution against placing too much optimism on supposed judicial restraint and conservativeness. Anon, 2011. IIPM’s Rs500-million lawsuit against The Caravan. The Caravan, 3(6). Available at: http://caravanmagazine.in/Story/950/IIPM-s-Rs500-million-lawsuit-against-The-Caravan.html [Accessed June 28, 2011].

[32].See Ali, S.A., 2010. Cyber cell nets Delhi teen for lewd online posts. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011]. (“During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer.”); See also Rehman, T., 2008. A Case For Fools? Tehelka. Available at: http://www.tehelka.com/story_main40.asp?filename=Ws181008case_fools.asp [Accessed June 30, 2011].(“ The state police reportedly traced the email to the cyber café through its IP address. “We traced the email to a BSNL line. The BSNL has a cell in Bangalore to track such details. They traced the number to that particular cyber café in Shillong,” S.B. Singh, IGP (special branch) Meghalaya police told TEHELKA”)..

[33].Anon, 2010. Privacy Policy. Google Privacy Center. Available at: http://www.google.com/privacy/privacy-policy.html [Accessed June 28, 2011].

[34].Ibid.

[35].Anon, 2010. Privacy Policy. Facebook. Available at: http://www.facebook.com/policy.php [Accessed June 28, 2011].

[36].Ibid.

[37].R. M. Malkani v State Of Maharashtra AIR 1973 SC 157, 1973 SCR (2) 417.

[38].Eg. Title 18 US Code § 2703 provides for mandatory notice in case of wiretapping with a provision of ‘delayed notice’ where an ‘adverse result’ is apprehended such as (A) endangering the life or physical safety of an individual; (B) flight from prosecution; (C) destruction of or tampering with evidence; (D) intimidation of potential witnesses; or (E) otherwise seriously jeopardizing an investigation or unduly delaying a trial. Title 18,2705., Available at: http://www.law.cornell.edu/uscode/18/usc_sec_18_00002705----000-.html [Accessed June 28, 2011].

[39].Ministry of Communications & IT. Letter to All Internet Service Providers. “Instructions under the ISP License regarding provisioning of Wi-Fi internet service under delicenced frequency band”, February 23, 2009. http://www.dot.gov.in/isp/Wi-%20fi%20Direction%20to%20ISP%2023%20Feb%2009.pdf (last visited Jun 30, 2011). Internationally, this does not appear to be an uncommon move. See Thompson, C., 2011. Innocent Man Accused Of Child Pornography After Neighbor Pirates His WiFi. Huffington Post. Available at: http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html [Accessed June 30, 2011]. (“In Germany, the country's top criminal court ruled last year that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party.”).

[40].INFORMATION TECHNOLOGY (GUIDELINES FOR CYBER CAFE) RULES, 2011., G.S.R. 315(E) (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[41].See State Of Maharashtra v. Natwarlal Damodardas Soni AIR 1980 SC 593 , 1980 SCR (2) 340.

[42].Supra note 15.

[43].Manocha, S., 2009. Cops no more interested in checking cyber cafes. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2009-08-03/lucknow/28172232_1_cyber-cafe-proper-records-ip-address [Accessed June 28, 2011]. (The cyber cafe owners claim that the registers which they maintain are seldom checked by the police. "I maintained the records properly which included recording of the name and address of the visitors and a photocopy of their identification proofs but not even once any cop had checked my records," said Rajeev, a cyber cafe owner in Aliganj. "It is this carelessness on the part of cops that gives those not maintaining proper records to carry on their business without any fear of the law," he added).

[44].Barrett, S., 2010. Blogger News Censored In India. Blogger News Network. Available at: http://www.bloggernews.net/124890 [Accessed June 28, 2011].

For more details visit https://cis-india.org/internet-governance/ip-addresses-and-identity-disclosures

Cyber Crime & Privacy

merlin — 2011-09-01T09:36:11Z

India is a growing area in the field of active Internet usage with 71 million Internet users.

Introduction

India is a growing area in the field of active Internet usage with 71 million Internet users.[1] “Cyberspace is shorthand for the Web of consumer electronics; computers and communication networks that interconnect the World”. [2] The recent incidents of hacking into various popular websites of Yahoo, CNN, Sony, the CBI and the Indian Army raise the very pertinent issue of online data privacy. This blog will examine the growing instances of hacking websites and its impact on data privacy.

Cyber Crime

“Cybercrime is a criminal offence on the Web, a criminal offence regarding the Internet, a violation of law on the Internet, an illegality committed with regard to the Internet, breach of law on the Internet, computer crime, contravention through the Web, corruption regarding Internet, disrupting operations through malevolent programs on the Internet, electric crime, sale of contraband on the Internet, stalking victims on the Internet and theft of identity on the Internet.”[3]

The computer age gave rise to a new field of crime namely “cybercrime” or “computer crime”. During the 1960s and 1970s cybercrime involved physical damage to the consumer system. Gradually computers were attacked using more sophisticated modus operandi where individuals would hack into the operating system to gain access to consumer files. The 1970s - through to the present - saw cybercrimes taking different trajectories like impersonation, credit card frauds, identity theft, and virus attacks, etc.[4]

The IT Act 2000 was enacted by the government to punish such acts of cyber crime. The Act was amended in the year 2008[5].

Cybercrime — An Overview: India

The IT Act 2000 was enacted by the government in 2000 to punish acts of cyber crime. The Act was amended in the year 2008[5]. According to the National Crime Records Bureau, cyber crime is on the rise. The Bureau reported that 420 cases were reported under the IT Act in the year 2009 alone, which was a 45.8 per cent increase from the year 2008. [6] The NCRB data on cyber crime also provides a useful insight as to the growing awareness of the IT Act. The data clearly shows an increase in the number of cases reported from the years 2005 to 2009.[7]. Hacking and obscene [8] publication/transmission are the highest reported crimes with the highest rate of conviction under the IT Act 2008.

Cyber Attack: No One is Safe!!

In February 2000 the many ‘busy’ Internet websites were jammed shut by hackers causing a national upheaval in the USA with the then President Clinton calling in a high level meeting with experts from around the world. Websites like Yahoo.com were forced to shut down for three hours after they were ‘smurfed’ by hackers [9]. Many other websites like Amazon.com and CNN.com were also attacked by the same hackers. Hacking such popular websites within a span of few hours was unprecedented which left many, including the FBI, clueless. By far these are the most serious cyber attacks in the history of Internet. The attacks not only shut down important sites, but also highlighted a very disturbing growing trend. If such popular websites were shut down by unknown perpetrators then how in the world will these and similar sites be able to protect scores of personal data and credit card information of the customers they pledge to serve?

More recently cyber vandals attacked the US Senate website on the 14 June 2011, causing a huge security scare [10]. This instance again brings us to the pertinent question of the safety of our personal data held by these websites. If the personal data of the US Senators can be breached by somebody, then certainly we as consumers should be very wary of the cyberspace and its ability to protect our data.

Closer Home

On June 8, a group claiming to be “anonymous” hacked into the government’s National Information Centre to protest against the anti-graft agitation [11]. The same group was accused of hacking into the Indian Army’s website although no report of data theft was claimed by the government. Last year in December a Pakistani hacker group named Predators PK hacked into various websites including the website of the CBI.[12]

Cyber Crime: Its Implications to Privacy

Internet security has become an important issue. Recent cyber attacks on various important websites has placed many consumers at risk and vulnerable to cyber criminals. The hacking attack on the Sony website on April 16 and 17 led to the theft of 26.4 million SOE (Sony Online Enterprise) Accounts. The criminals even hacked into a 2007 database which held credit and debit card information of 23,400 customers.[13]

Attacks such as these demonstrate the vulnerability of websites, and the possibility of serious harm to a countries economy and security. Furthermore, consumers’ personal data can be used by hackers to extort and blackmail individuals.

The Internet has become a huge stakeholder in facilitating trade and e-commerce, subsequently cyberspace has become a large network of communication and commerce. We carry out a number of tasks on the Internet — from e-shopping and e-ticketing to e-banking. Though the recent attacks on the CBI website, and the Indian Army website did catch some attention from the media, and the government did make some noise about it, the issue slowly faded away. The government cannot seem to protect its own websites which houses sensitive details of national security, but seems confident about putting personal data and biometrics of a billion plus population under the AADHAR scheme [14] onto a web server which can be hacked anytime by almost anybody with a personal computer in China or Pakistan.[15]

Privacy: No More?

Data generated in cyberspace are a fingerprint of an individual which is detailed, processed, and made permanent.[16] The cyberspace generates a blue print of our whole personality as we navigate through a health site, pay our bills, or shop for books at Amazon.com. The data collected by surfing through all these domains creates a fitting profile of who we are. [17] When hackers and cyber vandals steal this very information, it becomes a gross violation of our privacy.

Conclusion

Privacy does not exist in cyber space. The various websites that offer varied services to its consumers fail to protect their personal data time and again. The Sony website including its play station and music website was hacked at least three times this year. Scores of personal data was stolen and the consumers were kept in dark regarding the breach for almost a week. Speaking as a consumer, if a large corporate company like Sony cannot protect its website from being hacked into, it is hard to imagine other websites protecting itself from attacks.

The rise of the Internet has brought with it a new dimension of crime. The IT Act 2000 has brought some reprieve to the aggrieved according to the NCRB. Despite this, the IT Act clearly will not completely deter criminals from hacking into websites, as was demonstrated in the NCRB report. The cyber criminals of the February 2000 cyber attacks have yet to be apprehended and the attacks on various websites have been increasing every year.

Despite progress being made on enacting cyber laws and implementing them, cyber crime is still not nipped in the bud. Governments can do precious little to stop it and only hope that a cyber criminal can be traced back and be punished. Hence, Internet users need to more careful of the sites they visit; know the privacy policy of these websites to protect their personal data as much as possible.

Notes

[1] According to an annual survey conducted by IMRB and Internet and Mobile Association of India for the year 2009 – 2010.

[2] http://www.jstor.org/stable/pdfplus/1229286.pdf?acceptTC=true

[3] http://legal-dictionary.thefreedictionary.com/cybercrime

[4] http://www.mekabay.com/overviews/history.pdf

[5]http://www.cyberlaws.net/itamendments/index1.htm

[6] http://ncrb.nic.in/CII%202009/cii-2009/Chapter%2018.pdf

[7] http://ncrb.nic.in/CII%202009/cii-2009/Chapter%2018.pdf

[8] http://ncrb.nic.in/CII%202009/cii-2009/Chapter%2018.pdf

[9] http://www.pbs.org/newshour/extra/features/jan-june00/hackers_2-17.html

[10] http://in.reuters.com/article/2011/06/14/idINIndia-57677720110614

[11] http://www.thinkdigit.com/General/Anonymous-hacks-Indian-govt-website-to-support_6933.html

[12] http://www.deccanherald.com/content/117901/pakistan-hackers-wage-cyber-war.html

[13] http://mashable.com/2011/05/03/sony-another-hacker-attack/

[14] http://uidai.gov.in/

[15] http://www.securitywatchindia.org.in/selected_Article_Cyber_warfare.aspx

[16] http://www.jstor.org/stable/pdfplus/1229286.pdf?acceptTC=true

[17] http://www.jstor.org/stable/pdfplus/1229286.pdf?acceptTC=true

For more details visit https://cis-india.org/internet-governance/cyber-crime-privacy

Financial Inclusion and the UID

elonnai hickok — 2011-08-23T10:36:31Z

Since 2009, when Nandan Nilekani began to envision and implement the Unique Identification Project, the UID authority has promoted the UID/Aadhaar scheme as a tool of development for India - arguing that an identity will assist in bringing benefits to the poor, promote financial inclusion in India, and allow for economic and social development. In this blog entry I will focus on the challenges and possibilities of the UID number providing the residents of India a viable method of access to financial services across the country.

Why the UID could bring financial inclusion

In their strategy document “Exclusion to Inclusion with Micro payments” the UIDAI argues that a few of many challenges to successful financial inclusion in India for the poor have been: lack of identity, lack of accessibility of financial outlets, unreliability of infrastructure, high costs of banking, and the common presence of a middle man. For Indian banks the UID sites challenges such as: the high cost of transactions for banks servicing clients in rural areas, lack of infrastructure, costly processes of cash management, and high costs of IT.(UIDAI, 2010)The UID's solution to these obstacles is a system of financial services and micro payments based off of an individuals UID number, in which an individual with a UID number would be able to: open a bank account, make a payment, withdraw money, deposit money, and send remittances. The hope is that this system will allow banks to scale up their branch less banking, and reach out to larger populations. Residents having a bank account linked to their UID number is also key to the UID's larger scheme for subsidy delivery to the poor. Until all consumers who rely on government subsidies have a bank account linked to their UID number, the UID will not be able to implement a system of direct transfer of cash subsidies.(CNBC-TV18, 2011) For example, the UIDAI has started conducting a pilot disbursement of funds under the Mahatma Gandhi National Rural Employment Guarantee Scheme (MNREGS) to Jharkhand through Union Bank, ICICI Bank and Bank of India branches.(IBN-Live, 2011)

How the UID will bring financial inclusion

In their vision, the UIDAI has designed a system that involves bank branches enrolling individuals, bank branches establishing relationships with BC organizations, the use of Micro ATM's, and the use of the UID numbers for authentication in all financial transactions. In short the system of financial inclusion would work as follows:

Step 1. Enroll and obtain UID number

An individual enrolls for a UID number. During enrollment an individual shares his/her KYC information with the UIDAI. The UIDAI verifies the individuals KYC information, along with their other information, and issues the individual a UID number. If an individual already has a bank account at the time of enrollment they have the option to link their UID number to their bank account [1]

In India every bank must verify and confirm an individuals KYC information. This is to help reduce tax evasion and fraud. In December 2011, India's Ministry of Finance recognized the Aadhaar number has an officially valid identification to satisfy the KYC norms for opening bank accounts. By verifying an individuals KYC information at the enrollment stage the UIDAI is hoping reduce the amount of paperwork and time needed for an individual to open a bank account. In addition to satisfying KYC norms, the Government of India has also recognized the Aadhaar number as an acceptable form of identity for the purpose of obtaining a mobile connection. By having the UID number accepted for establishing both mobile connections and bank accounts, financial inclusion through mobile banking is encouraged as it allows for individuals who previously had no identity, to join the financial system and mobile network – thus allowing bank accounts to be more accessible than before, and aiding banks by simplifying the process of account opening.(Akhand Tiawari, Anurodh Giri, 2011)

Step 2. Open UID Enabled Bank Account
Now that the individual has a UID number they can open a bank account by presenting their UID number and thumb print to the bank branch for authentication. Currently the one bank enrolling citizens and issuing UID numbers and UID based ATM cards is the Bank of India.(Aggarwal, 2011) Bank of Maharashtra, State Bank of India and Indian Overseas Bank are currently waiting for approval from the UIDAI.(Chavan, 2011) In this scenario the UID number will be the only form of identification needed to open a bank account.

3.Make financial transactions with UID number
Once a UID Enabled Bank Account (UEBA) is opened, individuals can begin making financial transactions using their UID number and fingerprint. Individuals can access their UEBA through BC institutions. With a UEBA individuals have the option of using four basic banking services:

Store cash for savings through electronic deposits and withdraw only small amounts of cash
Make payments
Send and receive remittances
Acquire balance and transaction history

Transactions completed through the UID-enabled bank account work similarly to a prepaid mobile system. BC organizations, or Bank Correspondents, are organizations such as SHGs, kirana stores, dairy agents that larger banks develop a business relationship with. The BC organizations handle all transactions at the local level. Using BC organizations as financial outlets is meant to increase the penetration of financial outlets and make financial services more accessible in rural areas. How the process works is: a BC institution begins by depositing a certain amount of money with a larger banking institution. This ‘ prepaid balance’ paid by the BC institution changes with every transaction the BC institution makes. For example, when an individual makes a deposit it decreases as that money is then transferred into an individuals account, and increases when an individual withdraws money, because of the transaction fee that is charged to the individual. When the individual is making a deposit, he pays physical cash to the BC, who in turn makes an electronic transfer from the BC account to the individual's account. When making a withdrawal, the electronic transfer is made from the individual's account to the BC account, and the BC hands out physical cash to the customer, (UIDAI, 2010).

The micro ATM that is to be used at BC institutions is a hand held device, in this case a mobile phone, attached to a finger print reader. The micro ATM is meant to replace larger ATM’s and reduce the cost that banks incur when establishing full fledged ATM machines. The hand held device will be remotely accessed to the central server of the bank. Currently Italian tech company Telit Communication SpA, is hoping to provide the GSM wireless M2M modules that will allow the wireless device and the wired server to communicate with each other. (Kanth, 2011) The most significant difference between the micro ATM system and the traditional ATM system is that the BC employee executes the transaction.

Though having BC employees carry out financial transactions might eliminate the possibility of a fraudulent ATM being set up, it opens many possibly corrupt doors. How will it be ensured that the transaction is completed without fraud, and how can it be ensured that the Micro-ATM is not fraudulent, or that the BC organization itself is not fraudulent. Though this scenario might sound unlikely, the UID has already experienced difficulties with fake enrollment centers being set up, such as in Pune. (Gadkari, 2011), fake UID papers being issued, as was done in Patna(Tripathi, 2011) and enrollment centers illegally outsourcing work, as the IT company Tera Software was found doing (Prajakta, 2011). If these scenarios have all been tried, it is not unreasonable to see the same being tried with financial institutions.

Challenges to a system of authentication for financial transactions with the biometric based UID number

Not withstanding the fact that financial inclusion cannot be achieved only through an identity, focusing on the identity component of financial inclusion - in the report Low Cost Secure Transaction Model for Financial Services, published by Nitin Munjal, Ashish Paliwal, and Rajat Moona, from the Indian Institute of Technology, the authors note that present challenges in India to financial inclusion through access to financial institutions include(Munjal, Nitin Paliwal, Ashish Moona, 2011):

Currently financial transactions require network connectivity to take place. For financial transactions made in rural areas this has lead to both high costs for each transaction and to high fixed IT costs.
Current financial schemes such as mobile banking depend on network connectivity, making the network indispensable, yet 70% of the Indian population is rurally located with limited or no network connectivity.
Current financial service outlets are densely located in urban areas and not rural areas. Rural populations are financially excluded, as in most cases the completion of financial transaction require the presence of financial outlets.
Currently there are no easy safeguards to protect against fake ATMS or fraud, because the current Financial Service Model is based on blind trust of the service outlet – this allows for high rates of fake ATM’s being installed and fraud.
For an individual to access financial services, an identity is required. In most cases the poor lack an identity.

Clearly there are many obstacles that the UID identity card must overcome to successfully authenticate individuals in financial transactions and facilitate financial inclusion. For the system to be successful the UID must at the minimum do the following:

Accurately generate unique numbers
Capture accurate personal information
Ensure security of the database
Ensure that the technology is secure and accurate
Ensure that only necessary information is collected
Verify BC centers
Provide a secure network that can handle large numbers of transactions

Possible ways in which the system can go wrong include:

Inaccurate authentication
Delays in authentication
Fraud at the level of the BC institution
Over collection of personal information by banks
Linking of databases by banks, or other agencies
Network failure
Down time of the database

Though UID enabled bank accounts have yet to be officially established the UID is already experiencing many of the listed difficulties. For instance, in an Indian Express article published on June 15th, it was reported that banks are issuing additional UID forms that ask if individuals have credit cards, operate mobile or internet banking accounts, own a two wheeler or four wheeler, or live in a rented or personally owned accommodation. (Indian Express, 2011) Even more alarming is a recent news item from the Deccan Herald, which details the efforts that have been taken by NATGRID to access banking clients personal information, and NATGRID's proposal to tie banking information to a linked database containing information from bank accounts, railways, airlines, stock exchanges, income tax, credit card, immigration records, and telecom service providers. (Arun, 2011)The banks
have refused to give NATGRID access to clients personal information, but the ease at which NATGRID could track and collect information about individuals with the UID is chilling – especially if the UID is linked to almost every bank account in India. Several news reports have also shared experiences of confusion, inconsistent requirements, and unorganized enrollment centers, which place doubt in the accuracy of the information collected and the accuracy of the UID numbers issued.(Tripathi, 2011).

Looking at the technology and operational design of the UEBA system, though the scheme relies on mobile networks, it fails to eliminate the need for connectivity to the central server, because authentication of individuals biometric must be done through comparison of one fingerprint to the central server of all fingerprints. This will not only complicate the effectiveness of delivery of services, as it is possible for connectivity to be limited and slow, but it will also incur large network overhead costs for each transaction that is verified. Furthermore, even though the use of BC institutions as financial service outlets is meant to increases the availability of financial outlets, a dependency is created on BC institutions – as they must be present for any financial transaction to take place.
Additionally, individuals have no way of authenticating and verifying BC institutions. As mentioned earlier this allows for possible scenarios of fraud. Additionally, the UID has not provided any alternative method of identification in the case that the network or technology fails, or if an individuals biometrics are incorrectly rejected.

Could the SCOSTA standard be an option?

Many developing countries, like Kenya and Brazil, that face similar challenges to financial inclusion have looked towards smart cards as secure methods for authenticating individuals. In 2003 India also implemented a smart card approach to identity management. The SCOSTA standard smart card was introduced with the MNIC national identification scheme. Though the scheme was eventually dropped by the Indian Government, the SCOSTA smart card standard is still a valid option for authentication of individuals in financial transactions. A SCOSTA standard based approach for financial inclusion would include:

Authentication of an individuals key, pass-phrase, and pin. This is known as public keyinfrastructure. This will allow a person to protect their password and easily replace it if stolen.
Authentication through public key infrastructure would not depend on connectivity to thenetwork. This would allow for financial inclusion of populations not connected to networks and not be fully dependent on working networks.
Authentication through public key infrastructure establishes mutual trust of user and institution. This would lower the presence of fraudulent institutions and corrupt transactions.
Connection to a central server is not required for the authentication of an individual in a financial transaction. This will lower the cost of transactions and lower IT overhead costs (ibid Munjal, Nitin Paliwal, Ashish Moona, 2011)

Conclusion

Though it is hard to say that a fool proof system of authentication can easily be made, and that system will indeed promote financial inclusion, when comparing the biometric UID number with the SCOSTA standard smart card, there are many benefits to the SCOSTA standard such as ability of individuals to verify banking institutions, no need for connectivity to the central server, and the ability to easily replace lost or stolen pins and passwords. No matter what standard is implemented though, it is important to clearly look at the current implementation, technological, and operational challenges that identification schemes face and the possible ramifications of such challenges before adapting it as a ubiquitous system.

For more details visit https://cis-india.org/internet-governance/privacy_uidfinancialinclusion

CCTV in Universities

merlin — 2011-09-01T09:50:09Z

Basic Closed Circuit Television (CCTV) Infrastructure is used to observe movements from a central room, and consists of one or more video cameras that transmit video and audio images to a set of monitors or video recorders.

A Brief History of CCTV's

Video surveillance as a means of policing gained prominence in the 1950s when the UK police installed two pan-tilt cameras on traffic lights to monitor traffic near the Parliament. Since then the United Kingdom has become the country with the most number of surveillance cameras.[1]

The proliferation of CCTVs has been attributed to the growing radicalization of human behaviour wherein organized groups terrorized entire nations and threatened their internal security. The 1985 terror attack on the then Prime Minister of Britain by the IRA and many such instances thereafter have led many countries to adopt CCTV as a means of policing. In India, terror attacks on the Mumbai stock market and successive instances have pushed the Indian Government to install CCTVs in prominent public areas so that it is possible to monitor suspicious movements.[2]

CCTVs and Public Perspective

Since the 1950'sCCTVs have become ubiquitous and ever present, monitoring our daily movements, and infringing into our personal space. Though governments believe CCTVs are essential security instruments, the public is less convinced. The early anxiety to be safe from an unseen danger has given way to a new unease amongst the people, that of constantly being watched by an unseen eye.

CCTVs in Educational Institutions

CCTVs are typically used by the government or private agencies for surveillance in areas frequented by the public that need monitoring. Recently though, universities across the length and breadth of the country have resorted to the use of CCTVs for policing campus activities and to keep the students in check and under control. Huge budgets are set to wire campuses with CCTV infrastructure, t causing students to protest as well as laud the initiative by the administration. The debate on CCTVs has gained momentum in recent years with students staging huge rallies both in support of and against it.

Example 1:

The most prominent of the agitations against CCTVs was staged by the students of Jadavpur University in Kolkata on the administration’s decision to install 16 CCTVs on the four main exit points of the campus and other strategic locations.[3] The installation cost Rs.20 lakh. The students protested loudly against the decisions and ‘gheraoed’ the office of the vice chancellor for 52 hours. The students claimed that the administration was curbing their individual freedom and robbing the campus of it’s democratic atmosphere. The administration refused to remove the cameras, and claimed that the move was necessitated for the security of the students and to prevent any unforeseen incident.

Example 2:

The girl’s residing in the Women’s Hostel of The University of Pune protested against the setting up of CCTV cameras’ in the entrances of the hostel to check for unauthorized visits from boyfriends and friends. The girl’s vandalized the camera and claimed that they were an infringement to their privacy. The hostel authorities insisted that the cameras did not infringe on the privacy of the women, and were only installed at the entrance gates to keep a tab on visitors.[4] The authorities claimed that this step was taken in congruence with the hostel’s policy of not allowing visitors to stay the night.

Example 3:

The girls of the Churchgate’s Government Law College succeeded in getting the CCTV camera removed from the Girl’s Common Room, as it was seen as an infringement to their privacy. The MNS stepped up the agitation in favor of the students which led the college administration to finally take notice and remove the camera from the common room.[5]

The Flip Side

The issue of CCTVs in campuses takes an interesting turn when the students support the move to install cameras in campuses.

Example 1:

Delhi University installed CCTV cameras in their campuses after the Delhi Police issued an advisory for the same. They claimed that the advisory issued was to monitor the instances of on campus ragging. The Delhi Police also helped fund the setting up of CCTVs in the college. This move was lauded by the students, and the colleges took instant measures to wire their campuses.[6]

Example 2:

Recently, after the murder of a Delhi University student named Radhika Tanwar in broad day light, many student union groups assembled for a candle light vigil. They demanded CCTV cameras near the Satya Niketan bus stop where Radhika was killed which is an isolated stretch of a road. The massive agitation of almost a week brought the National Commission of Women into the foray who seconded the demand put forth by the student body.[7]

Example 3:

The recent instance of an RTI exposing inflated bills for setting up CCTVs in the Punjab University Campus also throws light on an interesting facet to this debate as the students do not mind the CCTVs in their campus. The student’s union of the university demanded the authorities to look into the discrepancies of the budget, and also expressed anger as the CCTVs installed did not work. The students claimed that the rising violence in the campus is because of disinterested security men and non working CCTV cameras.[8]

Conclusion

The decisions to use CCTVs as a means of surveillance evokes mixed responses. On one side of the debate they are seen as a deterrent to crime while on the other side of the debate they are seen as beinggross infringements on privacy. CCTV surveillance remains as a bone of contention amongst students. If they feel that their personal space is being invaded by these cameras then it needs to be addressed by the administration in a manner which appeases their fear. Universities randomly adopt the policy of CCTV surveillance, disregarding any voice of dissent. Kashmir University put up CCTVs in it’s campus to shoo away lovebirds and the Aligarh Muslim University has installed 57 CCTV cameras in it’s campus to keep a check on students. The rise of the CCTVs in colleges relates to not the actual crime but to the fear of crime. Therefore, CCTVs have become a tool of re-assurance [9]which feeds a notion of safety and security to the authority in charge.

There is no black and white regarding the implementation of CCTVs in universities. A policy can only benefit both sides when decisions are taken with the students, and not on behalf of them. Indian Universities have no guidelines and policies regarding the implementation of CCTVs and students remain unaware of any decisions in this regard. The Universities should clearly spell out their take on CCTVs including:

University policy regarding CCTVs policies
The reasons for introducing CCTVs
The proposed uses of CCTV infrastructure
Which areas in the campus will be kept under surveillance
How will the data collected be stored
How long will the data be retained
How will the data be deleted[10]

The Universities should address all these issues to dispel fear from the minds of the students, and the student unions should be included in the discussions regarding the implementation of CCTVs.

Notes

[1].Webster,William; CCTV policy in the UK: Reconsidering the evidence base; sueveillanceandsociety.org.

[2].Norris, Clive;MC Cahill, Mike;Wood, David; The Growth of CCTV: A Global Perspective on the international diffusion of video surveillance in publically accessible space; surveillance-and-society.org.

[3].Timesnow.tv/jadavpuruniversity, www.haata.com.

[4].http://www.ndtv.com/article/cities/female-hostellers-damage-cctv-cameras-to-protect-privacy-83889, http://toostep.com/debate/is-it-right-to-install-a-cctv-in-girls-hostel-to-stop-unauth.

[5].http://www.mumbaimirror.com/index.aspx?page=article§id=2&contentid=201101212011012104560935753ecb888, http://ibnlive.in.com/news/cctv-cameras-in-hostel-rob-pune-women-of-freedom/142681-3.html.

[6].http://www.expressindia.com/latest-news/after-delhi-police-advisory-du-to-install-cctv-cameras/761421/.

[7].http://www.indianexpress.com/news/women-constables-cctv-cameras-in-girl-stude/766083/.

[8].http://www.punjabcolleges.com/5526999-itemdisplay-Misappropriation-of-funds-on-CCTV,-RTI-exposed-it-Chandigarh.htm.

[9].www.surveillance-and-society.org/ojs/index.php/journal/article/view/prozac/prozac.

[10].www.ucl.ac.uk/estates/security/documents/cctvpolicy.doc, http://www.wustl.edu/policies/cctv-monitoring-and-recording.html.

For more details visit https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities

Govt wants to monitor Facebook, Twitter

praskrishna — 2011-08-09T09:21:55Z

The Union home ministry has written to the department of telecom asking it to "ensure effective monitoring of Twitter and Facebook".

Milind Deora, minister of state for communications and information technology, said in written reply to a question on Friday in the Rajya Sabha that DoT has received a letter from MHA to ensure monitoring of social networking websites like Facebook and Twitter in order to "strengthen cyber security paraphernalia".

He said that in cases where the data is encrypted, the department works with all concerned parties to obtain lawful access to it.

Citing security a reason, India in the recent months has sought more surveillance and monitoring from internet service providers as well as companies like Research In Motion, which sells BlackBerry phones capable of encrypted emails and messaging.

In April the government notified a new set of IT rules, virtually making intermediaries like internet service providers and web hosts and websites like Facebook and Twitter responsible for any wrongdoings on their networks. The rules were widely criticized by privacy activists.

Sunil Abraham, executive director of Centre for Internet and Society said these "blanket surveillance practices" are counterproductive.

"People advocating greater surveillance don't understand how the web works. In some cases, if there is evidence, targeted monitoring can be done but if governments wants to go through each tweet and every status update, it's just waste of money and resources. Agencies involved in monitoring can do better work by focusing on core issues. This will also save ordinary law-abiding citizens from unnecessary harassment," said Abraham.

According to their policies, Twitter and Facebook don't share any private information available on their servers without valid court order or subpoena. Twitter had said in the past that even if there was a court order, it would first inform the users in question before sharing information related to them.

This article was published in the Times of India on August 8, 2011. The original can be read here.

For more details visit https://cis-india.org/news/govt-to-monitor-facebook-twitter

Re-thinking Key Escrow

natasha — 2011-08-22T11:44:21Z

Would you make duplicates of your house keys and hand them over to the local police authority? And if so, would you feel safe? Naturally, one would protest this invasion of privacy. Similarly, would it be justified for the government to have a copy of the private key to intercept and decrypt communications? This is the idea behind key escrow; it enables government ‘wiretapping’.

The evolution of technology has allowed for increased communication and interconnectedness among people, markets and institutions all over the globe. This has increasingly facilitated the transaction and exchange of all kinds of information. However, this has raised major ethical concerns surrounding the privacy of communication and security of information. Key encryption is an important tool developed to preserve an individual’s privacy. It involves transforming information, so as to ensure that it is unreadable. The need for encryption is irrefutable.

Governments and authorities are concerned with the difficulties associated with accessing and intercepting the encrypted communication. For lawful interception a recovery key is escrowed with a trusted third party. Key escrow is controversial as it is vulnerable to lawful interception and has the potential to threaten the security of sensitive and personal data. In India, key escrow is a requirement under the Indian Internet Service Provider (ISP) license. This means that an ISP, a law enforcement agency, or other party has the potential to partake in covert surveillance and maliciously use the key, thereby compromising the data.

In a short video Jim X. Dempsey, Vice President of Public Policy at the Centre for Democracy and Technology in Washington, DC reviews the public policy battle over key escrow in the United States that took place in the 1990's. At the time the U.S government’s approach to encryption technology involved the use of key escrow in communication devices. One danger of using key escrow in this way was that it allowed for the commercial use of encryption technology, provided that a copy of the private key is held in escrow by the U.S. government. The use of key escrow also permitted the U.S. government to decrypt all data transmitted across communication networks. The risks associated with the use of key escrow led to widespread dissatisfaction from the private sector in the U.S., which ultimately led to the rejection of encryption technology by the President and Congress. In response to the strong negative feedback given by different stakeholders, the US government lifted the controls on encryption technology thereby allowing it to become widely available.

The use of key escrow in India should be seriously reconsidered. Foremost, it subverts basic constitutional practices by violating various freedoms and civil liberties guaranteed in the fundamental rights. Secondly, it threatens the security of personal information. Lastly, it could significantly hinder the growth of e-commerce, transactions, and purchases made over the Internet. The Indian government should take into consideration the failed attempt in implementing the system of key escrow in the United States when deciding on whether or not to implement the use of key escrow in India.

Please see Jim Dempsey’s account on the Short History of Key Escrow.

For more details visit https://cis-india.org/internet-governance/blog/privacy/key-escrow