We are anonymous, we are legion

Analyzing the Latest List of Blocked Sites (Communalism and Rioting Edition) Part II

snehashish — 2012-09-27T10:42:30Z

Snehashish Ghosh does a further analysis of the leaked list of the websites blocked by the Indian Government from August 18, 2012 till August 21, 2012 (“leaked list”).

Unnecessary Blocks and Mistakes:

http://hinduexistance.files.wordpress.com/..., which appears on the leaked list, does not exist because the URL is incorrect. However, the correct URL does contain an image which, in my opinion, can be considered to be capable of inciting violence. It has not been blocked due to a spelling error in the order. Instead of blocking hinduexistence.wordpress.com/... the DoT has ordered the blocking of hinduexistance.wordpress.com/..., which does not exist.
Two URLs in the block order are from the website of the High Council for Human Rights, Judiciary of the Islamic Republic of Iran. The reason for blocking these two links from this particular website is unclear.
The website of the Union of NGOs of the Islamic World was blocked. Again, the reason for blocking this website remains unclear.
URLs such as, http://farazahmed.com/..., mumblingminion.blogspot.com, were blocked. The content on these URLs was in fact debunking the fake photographs.
Certain blocked Facebook pages did not have any bearing on the North East exodus which was the main reason behind the blocks. For example, Facebook link leading to United States Institute for Peace page was blocked.

Duration of the Block

The Department of Telecommunications (DoT) did not specify the period for which the block has been implemented in its orders. As a result of which certain URLs still remain blocked while a majority of the links in the leaked list can be accessed. Lack of clear directions from the DoT has resulted in haphazard blocking and certain internet service providers (ISPs) have lifted the block on certain links whereas some other ISPs have continued with a complete block.

How have the intermediaries reacted to the block orders?

Going by the leaked list of websites blocked by DoT, it issued the block orders to ‘all internet service licensees’. Intermediaries that do not fall in the category of 'internet service licensees’ were also sent a separate set of requests for taking down third party content. However, it is unclear under which provision of the law such request was made by the Government.

Internet Service Licensees

The internet service licensee or the ISPs have not followed any uniform system to notify that a particular URL or website in the leaked list is blocked according to DoT’s orders. The lack of transparency in the implementation of the block orders, have a chilling effect on free speech.

For instance, BSNL returns the following messages:

"This website/URL has been blocked until further notice either pursuant to Court orders or on the Directions issued by the Department of Telecommunications" or “This site has been blocked as per instructions from Department of Telecom (DOT).”

However, these messages are not uniform across all the URLs/websites in the leaked list. BSNL does not generate any response for the majority of the URLs in the leaked list. This results in ‘invisible censorship’ as the person who is trying to access the blocked URL does not have any means to know whether a particular URL is unavailable or certain sites are blocked by government orders.

Lack of notification does not only infringes upon the fundamental right to freedom of speech and expression but also violates the fundamental right to a constitutional remedy guaranteed under Article 32 of our Constitution. The person aggrieved by such block orders cannot approach the Court for a remedy because there is no means to figure out:

(a) Description of the content blocked?

(b) Who has issued the block order/request?

(d) Who has implemented the block order/request? and

(e) What was the reason for the block?

The intermediaries should provide with the above notification details while implementing a block order issued by the Government.

Intermediaries hosting third party content:

More than 100 out of the 309 blocks are Facebook (http and https) URLs. Facebook has not informed its users about the reasons behind unavailability of certain pages or content. This is another instance of invisible censorship. However, YouTube, a Google service, has maintained certain level of transparency, and informs the user that the content has been blocked as per ‘government removal request’. It is interesting to note that certain YouTube user accounts were terminated as well. It is unclear whether this was as a result of the block order. Furthermore, links associated with blogger.com, which is another service provided by Google, have been removed.

This was re-posted by Medianama on September 26, 2012.

For more details visit https://cis-india.org/internet-governance/analyzing-the-latest-list-of-blocked-sites-communalism-and-rioting-edition-part-ii

Analyzing the Draft Human DNA Profiling Bill 2012

praskrishna — 2013-02-25T09:56:19Z

The Centre for Internet & Society invites you to a workshop on analyzing the Draft Human DNA Profiling Bill on March 1, 2013 in its Bangalore office, from 2.00 p.m. to 5.00 p.m.

The Draft Human DNA Profiling Bill seeks to establish DNA databases at the state, regional, and national level for the purposes of establishing identity in criminal and civil proceedings. The Draft Human DNA Profiling Bill has been critiqued by the committee chaired by Justice AP Shah in the “Report of Group of Experts on Privacy” for a lack of adequate privacy safeguards.

In Fall 2012 the Centre for Internet and Society held a series of public meetings to raise awareness about the Bill and submitted feedback to the Department of Biotechnology. This workshop is in response to an April 2012 draft of the Bill and seeks to analyze the text of the Bill, look at technical aspects of the Bill and DNA profiling, and compare the current draft of the Bill with previous drafts.

For more details visit https://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill

Analytics to help govt read public mood online

praskrishna — 2015-03-09T16:57:14Z

The Union government is in the process of commissioning a project to analyse public sentiment about it on various online platforms.

The article by Surabhi Talwar published in the Business Standard quotes Pranesh Prakash.

The project will cover state-owned MyGov.in, social media portals such as Facebook and Twitter, and the top 10 news websites in the country. The analysis will also extend to Twitter and Facebook accounts of government ministries and departments, according to a document evincing interest from companies and defining scope of work that has been posted on the website of the electronics and information technology department. The Centre expects the platform to be ready in two months.

This is the first time that the Centre is deploying a tool to 'officially' listen in on social media conversations and monitor media reports as well as subsequent public reaction. The idea is not to see which journalist is saying what and tell the government "inhe ad dena band kar do" (don't give them ads), said a government official familiar with the plans. It has also got "nothing to do with politics or elections", the official added.

The stated objective is to gauge public opinion related to policy matters and get a "comprehensive picture of the larger issues concerning the people", the official said. According to the mandate, the company will analyse comments posted on MyGov.in, which sees about 50,000 responses every week. It will also scan through social media sites, articles posted on news portals and the comments section, and categorise these into three "tag clouds" - negative, positive and neutral.

"Analytics are not strong if you are looking at it with a tunnel vision," said the government official, adding they needed to be comprehensive and corroborated across different platforms. The idea behind extending the mandate to social media websites and news organisations, according to the official, is to make sure the government's policies and initiatives are in sync with the people's wishes.

However, the government claimed it would only study posts that are "public" and not build backend access into the network of social media companies to get a look at all content.

According to the official, the Centre was not interested in "listening to everything that people are talking about", rather it will restrict its queries that relate to its business of policymaking. "Anything beyond that is not our mandate," the official clarified.

According to Mahesh Murthy, founder of digital media firm Pinstorm, these kinds of sentiment-analysis tools have become quite popular lately with both companies and political parties, who use these to gauge public mood before elections.

"They can cost anywhere between Rs 2 lakh and Rs 10 lakh a month," he said, adding there were hardly any privacy implications since the data being analysed was in public domain.

Pranesh Prakash of the Centre for Internet and Society said, "Privacy concerns aren't as acute if there is no profiling that is happening." Prakash added the concept might be worrisome if algorithms became the determining factor for policymaking, as they could be dangerous for democratic functioning. "They are like black boxes and you don't how they function."

Launched about six months ago, MyGov.in is the National Democratic Alliance government's citizen-engagement platform through which it solicits ideas and inputs from the public on government business.

Once the sentiment-analysis project is implemented, the government will be able to automate the process of providing summary of inputs on discussion topics to the government agencies concerned.

The volume of comments received on the platform is making it difficult for the Centre to manually sift through these for the most relevant ones.

"The solution would display two sets of dashboards. One would be in public domain. The other would be restricted through the multi-level role-based access system provisioned by the solution," said the document evincing expression of interest from companies.

Those interested will have to provide a proof of concept before being selected.

For more details visit https://cis-india.org/internet-governance/news/business-standard-february-20-2015-surabhi-agarwal-analytics-to-help-govt-read-public-mood-online

Analysis: Data Protection in India - Getting It Right

praskrishna — 2017-04-28T01:42:42Z

Indian Government Plans Ambitious Data Protection Legislation Rollout by October

The blog post by Suparna Goswami and Varun Haran was published by Info Risk Today on April 26, 2017. Pranesh Prakash was quoted.

The government of India recently informed the Supreme Court of India that it expects to put in place a comprehensive data protection framework by October. The Telecom Regulatory Authority of India will be heading up the initiative and has already started consultations for preparing a draft framework.

The government on April 5 acknowledged that there was no proper regulatory framework to deal with privacy concerns of citizens arising out of "over-the-top" popular messaging services such as Whatsapp, Facebook and Skype. Consequently, the Department of Telecommunications is exploring creating a "regulatory framework" through legislation to address data protection and citizens' privacy concerns.

With the European Union already preparing to enforce its General Data Protection Regulation next year, India may be late to the party. But the need for a data protection and privacy law in India is pressing. And when it's enacted, it will define provisions for protecting sensitive personally identifiable information and spell out liabilities in the event PII gets breached.

Many security practitioners, however, say the government's goal of having a law by October seems aggressive.

Shivangi Nadkarni, co-founder & CEO at Arrka Consulting, points out that once the government publishes a draft regulation for public comment, it must allow two months for gathering feedback. "It has to align with the schedule of the Monsoon Session of Parliament if it has to meet the October deadline," Nadkarni says (see: It's Time to get Serious About Privacy).

Existing Provisions

India already has some data protection and privacy provisions in the Information Technology Act 2000, amended in 2008 and the subsequent IT rules defined in 2011. But the IT Act 2000/8 doesn't define sensitive personal information directly and only provides guidance for reasonable security practice and due diligence - the actual implementation standards have not been explicitly prescribed, says Bengaluru-based Na. Vijayashankar, a cyber law expert and information risk consultant.

The current data protection regime is under section 43A of the IT Act 2000/8, and the regulations made thereunder, says Pranesh Prakash, policy director at Bengaluru-based research think tank the Center for Internet and Society. He contends those regulations are weak, do not specify any governmental agency, and do not lay out penalties for violations. Other relevant provisions, such as section 72A, are also far too onerous and aren't ever applied in practice to such cases, he says (see: Pavan Duggal on Why India's Cyberlaw Must Rapidly Evolve).

"Section 43A and the 'reasonable security rules' didn't change much, given the lack of teeth in the regulations, and the onerous job of proving "wrongful gain or wrongful loss" of property due to data breaches," Prakash says. In addition, as a complement to a strong, yet flexible, data protection/data security regime, the government also needs to put in a privacy regime that covers both the private and public sectors, he adds.

Right to Privacy

India lacks a clear framework that categorically recognizes the sanctity of privacy, says J. Sai Deepak, an independent cyber law expert and arguing counsel at the Delhi High Court. Because the status of the fundamental right to privacy is yet to be adjudicated upon by the Supreme Court, Sai Deepak is uncertain of the basis on which the regulatory mechanism that the government is developing, would function (see: Why India Needs Comprehensive Privacy Law).

"This is important because if you treat privacy as a fundamental right, then the mechanism has to take into account the constitutional obligations and limitations that come with such treatment," Sai Deepak says. A telecom-centric or a single sector-centric approach to privacy as a reaction to a particular litigation may do more harm than good, he adds (see: Re-Evaluating Privacy in India).

"I hope the government goes beyond this context and addresses privacy comprehensively. It is for this reason that I am not sure TRAI is the best entity to vest this mandate with," he says. "After all, we are looking at safeguarding privacy even outside the telecom sphere" he adds.

The government needs to clearly spell out all principles and rights of individuals in the context of privacy as a foundation, experts say.

"Declare that privacy is a right of an Indian citizen and is protected by law," Vijayashankar says. The law should apply to protection of data in any form and require appropriate security measures to be adopted by anyone who collects, processes and manages PII, he adds (see: Privacy: Why India Inc. Needs It).

Viable Roadmap

Vinayak Godse, senior director at Data Security Council of India, says Indian companies, including IT services and outsourcing firms, are losing in European markets because of the high data protection standards followed in those countries.

"We have already been struggling in some markets as our data protection mechanisms don't match to the evolving global expectations for privacy," Godse says. "Questions have been raised by several geographies especially EU on India's regulatory posture in terms of data protection." (See: India's 2015 Data Privacy Agenda)

Vijayashankar says India needs to immediately appoint a data commissioner to efficiently address data privacy violations, which are currently being judged under ITA 2000/8. This will also help Indian enterprises that conduct business with the EU when the GDPR is enforced starting May 25, 2018 (see: How Will Europe's GDPR Affect Businesses Worldwide?).

Nadkarni of Arrka says the framework should:

Clearly define and articulate what qualifies a personal information.
Clearly spell out all principles and rights of individuals in the context of privacy and elaborate on specific aspects as required within each principle/ right.

The Justice AP Shah committee report of 2012 which proposed comprehensive set of data privacy principles and measures had a wide acceptance by various stakeholders, and should be a good starting point to draft an omnibus data privacy law in India, says Srinivas Poosarla, vice president and head (global), privacy & data protection at Infosys.

While the way the enforcement of any such law enacted, would differ at the center and at state level, some of the areas that Poosarla contends need attention are:

Mandating that organizations appoint data privacy officers;
Providing platforms to report grievances and receive compensation from organizations in a timely manner;
Ensuring accountability of organizations for data privacy and to have them promptly report any data breach to affected individuals where there is likely to be material impact;
Identifying and empowering a body at national or state level to enforce implementation of the law.

GDPR as a Model

Nadkarni suggests that the EU's GDPR would be a good benchmark for India. Poosarla and others also agree that the EU GDPR is a good template to draw from. Most importantly, the government should involve all stakeholders, especially privacy and data security advocates, in the drafting of the law, they say.

The best practices and principles from GDPR should be adopted, keeping the cultural and demographic needs of Indian society in mind, Vijayshankar adds.

Prakash of CIS notes: "Any law must keep the evolution of technology in mind. The law can't be so rigid that technological developments are prevented, nor can it be so flexible that technology defeats the basic guarantees provided by the law. For instance, the role of "consent" in a world where indefinite consent is easily obtained by inserting a clause in a long standard-form contract that no one reads, must be taken into account."

For more details visit https://cis-india.org/internet-governance/news/inforisk-today-april-26-2017-suparna-goswami-varun-haran-analysis-data-protection-in-india-getting-it-right

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

Elonnai Hickok and Vipul Kharbanda — 2016-08-11T09:58:59Z

This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

The United Nations Group of Experts on ICT issued their report on Developments in the Field of Information and Telecommunications in the Context of International Security in June, 2015. This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. CIS believes that the report of the Group of Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

Download: PDF (627 kb)

1. Introduction

2. Analysis of the Recommendations

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; of the Recommendations

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity

3. Conclusion

1. Introduction

Cyberspace[1] touches every aspect of our lives, has enormous benefits, but is also accompanied by a number of risks. The international community at large has realized that cyberspace can be made stable and secure only through international cooperation. Traditionally, though there are a number of bilateral agreements and forms of cooperation the foundation of this cooperation has been the international law and the principles of the Charter of the United Nations.

To this end, on December 27, 2013 the United Nations General Assembly adopted Resolution No. 68/243 requesting the" Secretary General, with the assistance of a group of governmental experts,…… to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them, including norms, rules or principles of responsible behaviour of States and confidence-building measures, the issues of the use of information and communications technologies in conflicts and how international law applies to the use of information and communications technologies by States……. and to submit to the General Assembly at its seventieth session a report on the results of the study. "In pursuance of this resolution the Secretary General established a Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security; the report was agreed upon by the Group of Experts in June, 2015. On 23 December 2015, the UN General Assembly unanimously adopted resolution 70/237[2] which welcomed the outcome of the Group of Experts and requested the Secretary-General to establish a new GGE that would report to the General Assembly in 2017.

The report developed by governmental experts from 20 States addresses existing and emerging threats from uses of ICTs, by States and non-State actors alike. These threats have the potential to jeopardize international peace and security. The experts gave recommendations which have built on consensus reports issued in 2010 and 2013, and offer ideas on norm-setting, confidence-building, capacity-building and the application of international law for the use of ICTs by States. Among other recommendations, the Report lays down recommendations for States for voluntary, non-binding norms, rules or principles of responsible behaviour to promote an open, secure, stable, accessible and peaceful ICT environment.

As larger international dialogues around cross border sharing of information and cooperation for cyber security purposes take place between the US and EU, it is critical that India begin to participate in these discussions.[3] It is also necessary to take cognizance of the importance of implementing internal practices and policies that are recognized and set strong standards at the international level.

This paper marks the beginning of a series of questions we will be asking and processes we will be analysing with the aim of understanding the role of international cooperation for cyber security and the interplay between privacy and security. The report analyses the existing norms in India in the backdrop of the recommendations in the Report of Experts to discover how interoperable Indian law and policy is vis-à-vis the recommendations made in this report as well as making recommendations towards ways India can enhance national policies, practices, and approaches to enable greater collaboration at the international level with respect to issues concerning ICTs and security.

2. Analysis of the Recommendations

The Group of Experts took into account existing and emerging threats, risks and vulnerabilities, in the field of ICT and offered the following recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behaviour.

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

1. India has been working with a number of countries such as Belarus, Canada, China, Egypt, and France on a number of ICT-related isues thereby increasing international cooperation in the ICT sector, such as:

(i) setting up the India-Belarus Digital Learning Centre (DLC-ICT) to promote

development of ICT in Belarus;

(ii) sending an official business delegation to Canada to attend the 2^ndJoint Working Group meeting in ICTE;

(iii) holding Joint Working Groups on ICT with China.[4]

As can be seen from this, most of the cooperation with other countries is currently government to government (or government institution to government institution) cooperation. However, it must be noted that the entire digital revolution, including ICT necessarily involves ICT companies, and thus the role of the private sector in participating in these negotiations as well as the responsibilities of private sector ICT companies in cross border cooperation. Furthermore, the above examples are a few of the many agreements, Memoranda of Understanding (MOU), and negotiations that India has with other countries on cross border cooperation. It is important that, to the extent possible, these negotiations and transparent and easily publicly available.

2. The primary legislation governing ICT in India is the Information Technology Act, 2000 ("IT Act") which was passed to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication. The IT Act contains a number of provisions that declare illegal activities that threatenICT infrastructure, data, and individuals as illegal and provide for penalties for the same. These activities are:

Section 43 - Penalty and Compensation for damage to computer, computer system, etc.: If any person without permission: (i) accesses a computer, computer system or network; (ii) downloads, copies or extracts any data from such computer, computer system or network; (iii) introduces any computer contaminant or computer virus into, destroys, deletes or alters any information on, damages or disrupts any computer, computer system or network; (iv) denies or causes the denial of access to any computer, computer system or network by any means; (v) helps any person to access a computer, computer system or network in contravention of the Act; (vi) charges the services availed of by a person to the account of another person through manipulation; or (vii) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation to the person so affected.

Section 66 - Computer Related Offences: If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to Rs. 5,00,000/- or with both.

Section 66B - Punishment for dishonestly receiving stolen computer resource or communication device: Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to Rs. 1,00,000/- or with both.

Section 66C - Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 66D - Punishment for cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to Rs. 1,00,000/-.

Section 66E - Punishment for violation of privacy: Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding Rs. 2,00,000 or with both.

Section 66F - Punishment for cyber terrorism: (1) Whoever,- (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by -

Denying or cause the denial of access to computer resource; or
Attempting to penetrate a computer resource; or
Introducing or causing to introduce any computer contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure, or

(B) knowingly or intentionally penetrates a computer resource and by by doing so obtains access to information that is restricted for reasons of the security of the State or foreign relations; or any restricted information with reasons to believe that such information may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

Section 67 - Publishing of information which is obscene in electronic form: Whoever publishes or transmits in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons, shall be punished on first conviction with a maximum imprisonment upto 2 years and a maximum fine upto Rs. 5,00,000 and for a second or subsequent conviction with a maximum imprisonment upto 5 years and also a maximum with fine upto Rs. 10,00,000.

Section 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form: Whoever publishes or transmits in the electronic form any material which contains sexually explicit act or conduct shall be punished on 1st conviction with a maximum imprisonment for 5 years and a maximum fine of upto Rs. 10,00,000 and for a 2nd or subsequent conviction with a maximum imprisonment of 7 years and a maximum fine upto Rs. 10,00,000.

Section 67B - Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form: Whoever,- (a) publishes or transmits material in any electronic form which depicts children engaged in sexually explicit act or conduct; or (b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner; or (c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or (d) facilitates abusing children online; or (e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with a maximum imprisonment upto 5 years and a maximum fine upto Rs. 10,00,000 and in the event of a 2nd or subsequent conviction with a maximum imprisonment upto 7 years and also a maximum fine upto Rs. 10,00,000.[5]

Section 72 - Breach of confidentiality and privacy: Any person who, in pursuance of any of the powers conferred under this Act, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses the same to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rs. 1,00,000 or with both.

Section 72-A - Punishment for Disclosure of information in breach of lawful contract: Any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rs. 5,00,000 or with both.

3. The broad language and wide terminology used IT Act seems to cover most of the cyber crimes faced in India as of now, though the technical abilities to prevent the crimes still leave a lot to be desired. The prevention of cyber crime is not the domain of the IT Act and is rather the responsibility of the law enforcement authorities (note: there is no specific authority created under the IT Act, the Act is enforced by the police and other law enforcement authorities). That said, it may be a useful exercise to briefly compare these provisions with the crimes mentioned in the Convention on Cybercrime, 2001 (Budapest Convention), an international treaty that seeks to addresses threats in cyber space by promoting the harmonization of national laws and cooperation across jurisdictions, to examine if there are any that are not covered by the IT Act. A comparison of the principles in Budapest Convention and the IT Act is below:

S. No.	Article of the Budapest Convention	Provisions of the IT Act which cover the same
1	Article 2 - Illegal Access	Section 43(a) read with Section 66
2	Article 3 - Illegal Interception	Section 69 of the IT Act read with section 45 as well as Section 24 of the Telegraph Act, 1885
3	Article 4 - Data interference	Sections 43(d) and 43(f) read with section 66
4	Article 5 - System interference	Sections 43(d), (e) and (f) read with section 66
5	Article 6 - Misuse of devices	Not specifically covered
6	Article 7 - Computer related forgery	Computer related forgery is not specifically covered, but it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
7	Article 8 - Computer related fraud	While not specifically covered by the IT Act, it is possible that when such a case comes to light, the provisions of Section 43 read with section 66 as well as provisions of the Indian Penal Code, 1860 would be pressed into service to cover such crimes
8	Article 9 - Offences relating to child pornography	Section 67B

As can be seen from the above discussion, most of the criminal acts elucidated in the Budapest Convention are covered under the IT Act except for the provision on misuse of devices, which requires the production, dealing, trading, etc. in devices whose sole objective is to violate the provisions of the IT Act, though it is possible that provisions of the Indian Penal Code, 1860 dealing with conspiracy and aiding and abetment may be pressed into service to cover such incidents.

4. Further, there are a number of laws which deal with critical infrastructure in India, however since these are mostly sectoral laws dealing with specific infrastructure sectors, the one most relevant to ICT is the Telegraph Act, 1885, which makes it illegal to interfere with or damage critical telegraph infrastructure. The specific penal provisions are listed below:

Section 23 - Intrusion into signal-room, trespass in telegraph office or obstruction: If any person - (a) without permission of competent authority, enters the signal room of a telegraph office of the Government, or of a person licensed under this Act, or (b) enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or (c) refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or (d) wilfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to Rs. 500.

Section 24 - Unlawfully attempting to learn the contents of messages: If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.

Section 25 - Intentionally damaging or tampering with telegraphs: If any person, intending - (a) to prevent or obstruct the transmission or delivery of any message, or (b) to intercept or to acquaint himself with the contents of any message, or (c) to commit mischief, damages, removes, tampers with or touches any battery, machinery, telegraph line, post or other thing whatever, being part of or used in or about any telegraph or in the working thereof, he shall be punished with imprisonment for a term which may extend to three years, or with fine or with both.

Section 25A - Injury to or interference with a telegraph line or post: If, in any case not provided for by section 25, any person deals with any property and thereby wilfully or negligently damages any telegraph line or post duly placed on such property in accordance with the provisions of this Act, he shall be liable to pay the telegraph authority such expenses (if any) as may be incurred in making good such damage, and shall also, if the telegraphic communication is by reason of the damage so caused interrupted, be punishable with a fine which may extend to Rs. 1000:

5. The telecom service providers in India have to sign a license agreement with the Department of Telecommunications for the right to provide telecom services in various parts of India. The telecom regulatory regime in India has gone through a lot of turmoil and evolution and currently any service provider wanting to provide telecom services is issued a Unified License (UL) and has to abide by the terms of the UL. Whilst most of the prohibited activities under the UL refer to specific terms under the UL itself such as non payment of fees and not fulfilling obligations under the UL, section 38 provides for certain specific prohibited activities which may be relevant for the ICT sector. These prohibited activities include:

(i) Carrying objectionable, obscene, unauthorized or any other content, messages or communications infringing copyright and intellectual property right etc., which may be prohibited by the laws of India;

(ii) Provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network, to the authorised government agencies;

(iii) Ensuring that the Telecommunication infrastructure or installation thereof, carried out by it, should not become a safety or health hazard and is not in contravention of any statute, rule, regulation or public policy;

(iv) not permit any telecom service provider whose license has been revoked to use its services. Where such services are already provided, i.e. connectivity already exists, the license is required to immediately sever connectivity immediately.

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

The Department of Electronics and Information Technology (DEITY) has released the XIIth Five Year Plan on the information technology sector and the report of the Sub-Group on Cyber Security in the plan recognizes that cyber security threats emanate from a wide variety of sources and manifest themselves in disruptive activities that target individuals, businesses, national infrastructure and Governments alike. [6] The primary objectives of the plan for securing the country's cyber space are preventing cyber attacks, reducing national vulnerability to cyber attacks, and minimizing damage and recovery time from cyber attacks. The plan takes into account a number of focus areas to achieve its stated objectives, which are described briefly below:

Enabling Legal Framework - Setting up think tanks in Public-Private mode to identify gaps in the existing policy and frameworks and take action to address them including addressing the privacy concerns of online users.
Security Policy, Compliance and Assurance - Enhancement of IT product security assurance mechanism (Common Criteria security test/evaluation, ISO 15408 & Crypto Module Validation Program), establishing a mechanism for national cyber security index leading to national risk management framework.
Security Resarch&Development (R&D) - Creation of Centres of Excellence in identified areas of advanced Cyber Security R&D and Centre for Technology Transfer to facilitate transition of R&D prototypes to production, supporting R&D projects in thrust areas.
Security Incident - Early Warning and Response - Comprehensive threat assessment and attack mitigation by means of net traffic analysis and deployment of honey pots, development of vulnerability database.
Security awareness, skill development and training - Launching formal security education, skill building and awareness programs.
Collaboration - Establishing a collaborative platform/ think-tank for cyber security policy inputs, discussion and deliberations, operationalisation of security cooperation arrangements with overseas CERTs and industry, and seeking legal cooperation of international agencies on cyber crimes and cyber security.

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

As mentioned in response to (a) above, the primary legislation in India that deals with information technology and hence ICT as well is the Information Technology Act, 2000. The IT Act contains a number of penal provisions which make it illegal to indulge in a number of practices such as hacking, online fraud, etc. which have been recognised internationally as wrongful acts using ICT ( Please refer to answer under section (a) above for details of the penal provisions). Further section 1(2) of the IT Act provides that it also applies to any offence or contravention hereunder committed outside India by any person. This means that the IT Act also covers internationally wrongful acts using ICTs.

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

There are a number of ways in which states can share information by using widely accepted formal processes precisely for this purpose. Some of the most common methods of international exchange used by India are given below.

MLATs

Although the exact process by which intelligence agencies in India share information with other agencies internationally is unclear, India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training and is designated as the National Central Bureau of India. A very useful tool in the effort to establish cross-border cooperation is Mutual Legal Assistance Treaties (MLATs). MLATs are extremely important for law enforcement agencies, governments and the private sector, since they act as formal mechanisms for access to data which falls under different jurisdictions. India currently has MLATs with the following 39 countries [7]

Although MLATs are considered to be a useful mechanism to ensure international cooperation, there are certain criticisms of the MLAT mechanism, such as:

The Lack of Clear Time Tables: Although MLATs do provide for broad time frames, they do not provide for more specific time tables and usually do not have any provision for an expedited process, for eg. it is believed that for requests to the U.S., processing can take from six weeks (for requests with minimal issues complying with U.S. legal standards) to 10 months.[8] Such a long time frame is clearly a burden on the investigation process and has been criticised for being ineffectual as they may not provide information fast enough;
Variation in Legal Standards: The legal standards for requesting information, for eg. the circumstances under which information can be requested or what information can be requested, differ from jurisdiction to jurisdiction. These differences are often not understood by requesting nations thus causing problems in accessing information;[9]
Inefficient Legal Process: The legal process to carry out requests through the MLAT process is often considered too cumbersome and inefficient.
Non-incorporation of Technological Challenges: MLATs have not been updated to meet the challenges brought about by technology, especially with the advent of networked infrastructure and ICT which raise issues of attribution and cross-jurisdictional access to information. [10]

Extradition

Extradition generally refers to the surrender of an alleged or convicted criminal by one State to another. More precisely, it may be defined as the process by which one State upon the request of another surrenders to the latter a person found within its jurisdiction for trial ~~and punishment~~ or, if he has been already convicted, only for punishment, on account of a crime punishable by the laws of the requesting State and committed outside the territory of the requested State. Extradition plays an important role in the international battle against crime and owes its existence to the so-called principle of territoriality of criminal law, according to which a State will not apply its penal statutes to acts committed outside its own boundaries except where the protection of special national interests is at stake. India currently has extradition treaties with 37 countries and extradition arrangements with an additional 8 countries.[11]

Letters Rogatory

A Letter Rogatory is a formal communication in writing sent by the Court in which an action is pending to a foreign court or Judge requesting that the testimony of a witness residing within the jurisdiction of that foreign court be formally taken under its direction and transmitted to the issuing court making the request for use in a pending legal contest or action. This request entirely depends upon the comity of courts towards each other and usages of the court of another nation.

Apart from the above methods, India also regularly signs Bilateral MoUs with various countries on law enforcement and information sharing specially in cases related to terrorism. India also regularly helps and gets helps from Interpol, the International Criminal Police Organisation for purposes of investigation, arrests and sharing of information.[12]

Other than these formal methods states sometimes share information on an informal basis, where the parties help each other purely on the basis of goodwill, or sometimes even coercion. A recent example of informal cooperation between the security agencies of India and Nepal, although not in the realm of cyber space, was the arrest of YasinBhatkal, leader of the banned organisation Indian Mujahideen (IM) where the Indian security agencies allegedly sought informal help from their Neapaelese counterparts to arrest a person who was wantedhad long been wanted by the Indian security agencies for a long time. [13]

In the current environment of growing ICT and increased cross-border information sharing between individuals, the role of private companies who carry this information has become much more pronounced. This changed dynamic raises new problems, especially because manyin light of thesefact that a number of these companies do not have a physical presence in all the countries where they offer services over the internet. This leads to problems for states in terms of law enforcement, speciallyespecially if they want information from these companies who do not have an incentive or desire to provide itagainst their will. These circumstances lead to a number of prickly situations where states are often frustrated in using legal and formal means and often resort to informal pressure to get the companies to agree to data localization requests, encryption/decryption standards and keys, back doors, and other requests. etc., Tthe most famous of these in the Indian context being the disagreement/ heated exchange between the Indian government and Canada based Blackberry Limited (formerly Research in Motion) for data requests on their Blackberry enterprise platform.

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

Right to Privacy

The right to privacy has been recognised as a constitutionally protected fundamental right in India through judicial interpretation of the right to life which is specifically guaranteed under the Constitution of India. Since the right to privacy was read into the constitution by judicial pronouncements, it could be said that the right to privacy in India is a creature of the courts at least in the Indian context. For this reason it may be useful to list out some of the major cases which deal with the right to privacy in India:

i. Kharak Singh v. Union of India¸[14] (1962)

a. For the first time, the courts recognized the right to privacy as a fundamental right, although in a minority opinion.

b. The decision lLocated the right to privacy under both the right to personal liberty as well as freedom of movement.

ii. Govind v. State of M.P.,[15] (1975)

a. Adopted the minority opinion of Kharak Singh as the opinion of the Supreme Court and held that the right to privacy is a fundamental right.

b. An individual deDerivesd the right to privacy from both the right to life and personal liberty as well as freedom of speech and movement.

c. The right to privacy was said to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing.

d. The court established that the rRight to privacy can be violated in the following circumstances (i) important countervailing interest which is superior, (ii) compelling state interest test, and (iii) compelling public interest.

iii. R. Rajagopal v. Union of India,[16] (1994)

a. Recognised that the rRight to privacy is a part of the right to personal liberty guaranteed under the constitution.

b. Recognizeds that the right to privacy can be both a tort (actionable claim) as well as a fundamental right.

c. Established that aA citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters and nobody can publish anything regarding the same unless (i) he consents or voluntarily thrusts himself into controversy, (ii) the publication is made using material which is in public records (except for cases of rape, kidnapping and abduction), or (iii) he is a public servant and the matter relates to their discharge of official duties.

iv. People's Union for Civil Liberties v. Union of India,[17] (1996)

a. Extended the right to privacy to include communications privacy..

b. Laid down guidelines which form the backbone for checks and balances in interception provisions.

v. District Registrar and Collector, Hyderabad and another v. Canara Bank and another, [18] (2004)

a. Refers to personal liberty, freedom of expression and freedom of movement as the fundamental rights which give rise to the right to privacy.

b. The rRight to privacy deals with persons and not places.

c. Intrusion into privacy may be by - (1) legislative provisions, (2) administrative/executive orders and (3) judicial orders.

vi. Selvi and others v. State of Karnataka and others,[19] (2010)

a. The Court acknowledged the distinction between bodily/physical privacy and mental privacy

b. Subjecting a person to techniques such as narcoanalysis, polygraph examination and the Brain Electrical Activation Profile (BEAP) test without consent violates the subject's mental privacy
Although the judgements in the above cases (except for the case of People's Union for Civil Liberties v. Union of India) were pronounced given in a non telecomnot delivered in a telecommunications context, however the ease with which these principles were applied in the case of People's Union for Civil Liberties v. Union of India, suggests that these principles, where applicable, would be applied even in the context of ICT and are not limited to only the non-digital world.
It must however be noted that dueDue to some incongruities in the interpretation of the earlier judgments, the Supreme Court has recently referred the matter regarding the existence and scope of the right to privacy in India to a larger bench so as to bring clarity regarding the exact scope of the right to privacy in Indian law. The very concept that the Constitution of India guarantees a right to privacy was challenged due to an "unresolved contradiction" in judicial pronouncements. This "unresolved contradiction" arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[20] and Kharak Singh v. State of U.P. & Others, [21](decided byEigheighttandsixSixJudges respectively) the majority judgment of the Supreme Court had categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[22] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India without addressing the fact that this was a minority opinion and that the majority opinion had denied the existeance of the right to privacy. Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal& Another v. State of Tamil Nadu & Others,[23] (popularly known as Auto Shanker's case) and People's Union for Civil Liberties (PUCL) v. Union of India & Another.[24] However, as was noticed by the Supreme Court in its August 11, 2015 order, all these judgments were decided by two or three Judges only which could not have overturned the judgments given by larger benches.[25] It was to resolve this judicial incongruity that the Supreme Court referred this issue to a larger bench to decide on the existence and scope of the right to privacy in India.

Freedom of Expression

Freedom of expression is one of the most important fundamental rights guaranteed under the constitution and has been vehemently protected by the judiciary on a number of occasions whenever it has been threatened. With the advent of social media, the entire dynamics of the freedom of speech and expression have changed in that it is now possible for every individual, with an internet connection and a Facebook/Twitter/Whatsapp account to reach millions of people without spending any extra money. This ability to reach a much larger and wider audience also led to greater friction between people holding different opinions. As the ease of the internet removed the otherwise filtering effects of geography and made it easier for people to communicate with each other, the advent of social media made it easier for them to communicate with a larger number of people at the same time. This ability to communicate within a group also gave rise to "debates" which often turngot ugly, highlighting giving way to concerns of how easy it is to harass people on social media.
This concern over of harassment led a number of people to call for greater censorship of social media and it was perhaps this concern which gave rise to the biggest challenge to the freedom of speech and expression in the online world, in the form of section 66A of the Information Technology Act, 2000 which made it an offense to send information which was "grossly offensive" (s.66A(a)) or caused "annoyance" or "inconvenience" while being known to be false (s.66A(c)). This section was used widely seen by Oonline activists, including the Centre for Internet and Society, widely considered this section as a tool for the government to silence those who criticised it. In fact, statistics compiled by the National Crime Records Bureau from 2014 revealed that 2,402 people, including 29 women, were arrested in 4,192 cases under section 66A which accounted for nearly 60% of all arrests under the IT Act, and 40% of arrests for cyber crimes in 2014. [26]
The section was finally struck down by the Supreme Court in 2015 in the case of Shreya Singhalv. Union of India, [27] on the ground of being too vague. This decision was seen as a huge victory for the campaign for freedom of speech and expression in the virtual world since this section was frequently used by the state (or rather government in power) to muzzle free speech against the incumbent government or political leaders. The offending section 66A made it an offence to send any information that was "grossly offensive or has menacing character" or "which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by makinguse of such computer resource or a communication device,". These terms quoted above were held by the Court to be too vague and wide and falling foul of the limited restrictions constitutionally imposed on the freedom of expression. The Supreme Court therefore, and were therefore struck down section 66A by the Supreme Court.

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

The researchers of this report could not locate any norms in India which address this issue. To the best of their knowledge, India does not support any ICT activity that intentionally damages critical infrastructure or impairs the use and operation of critical infrastructure.

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

1. Section 70 of the IT Act gives the government the authority to declare any computer system which directly affects any critical information infrastructure to be a protected system. The term "critical information infrastructure" (CII) is defined in the IT Act "the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety." Once the government declares any computer resource as a protected system it gets the authority to prescribe information security practices for such as system as well as identify the persons who are authorised to access such systems. Any person who accesses a protected system in contravention of the provision of Section 70 of the IT Act shall be liable to be imprisoned for a maximum period of 10 years and also pay a fine. Further, section 70A of the IT Act gives the government the power to name a national nodal agency in respect of CII and also prescribe the manner for such agency to perform its duties. In pursuance of the powers under sections 70A the government has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) situated in the JNU campus as the nodal agency [28]. This agency is a part of and under the administrative control of the National Technical Research Organisation (NTRO) [29].

2. The functions and manner of performing such functions by the NCIIPC has been prescribed in the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.[30] According to these Rules the functions of the NCIIPC include, inter alia, (i) the protecting and giving advice to reduce the vulnerabilities of CII against cyber terrorism, cyber warfare and other threats; (ii) identification of all critical infrastructure elements so that they can be notified by the government; (iii) providing strategic leadership and coherence across the government to respond to cyber security threats against CII; (iv) coordinating, sharing, monitoring, analysing and forecasting national level threats to CII for policy guidance, expertiese sharing and situational awareness for early warning alerts; (v) assisting in the development of appropriate plans, adoption of standards, sharing best practices and refinining procurement processes for CII; (vi) undertaking and funding research and development to innovate future technologies and collaborate with PSUs, academia and international partners for protection of CII; (vii) organising training and awareness programmes and development of audit and certification agencies for protection of CII; (viii) developing and executing national and international cooperation strategies for protection of CII; (ix) issuing guidelines, advisories and vulnerability notes relating to CII and practices, procedures, prevention and responses in consultation with CERT-In and other organisations; (x) exchanging information with CERT-In, especially in relation to cyber incidents; and (xi) calling for information and giving directions to critical sectors or persons having a critical impact on CII, in the event of any threat to CII.[31]

3. The NCIIPC had in the year 2013 released (non publicly) Guidelines for the Protection of National Critical Information Infrastructure [32] (CII Guidelines) which presented 40forty controls and respective guiding principles for the protection of CII. It is expected that these controls and guiding principles will help critical sectors to draw a CII protection roadmap to achieve safe, secure and resilient CII for India. The 'Guidelines for forty Critical Controls' is considered by the NCIIPC to be a significant milestone in its efforts for the protection of nation's critical information assets. These fort controls can be found in Section 6 (Best Practices, Controls and Guidelines) of the CII Guidelines. It must be noted that the CII Guidelines were drafted after taking inputs from a number of stakeholders such as the national Stock Exchange, the Airports Authority of India, National Thermal Power Corporation, Reserve Bank of India, Indian Railways, Telecom Regulatory Authority of India, Bharat Sanchar Nigam Limited, etc. This exercise of taking inputs from different stakeholders as well as developing a standard of as many as 40forty aspects of security seems to suggest that the NCIIPC is taking steps in the right direction.

4. The Recommendations on Telecommunication Infrastructure Policy issued by the Telecom Regulatory Authority of India in April, 2011 are silent on the issue of security of critical information infrastructure.s. However, the National Policy on Information Technology, 2012 (NPIT) does address the issue of security of cyber space by saying that the government should make efforts to do the following:

"9.1 To undertake policy, promotion and enabling actions for compliance to international security best practices and conformity assessment (product, process, technology & people) and incentives for compliance.

9.2 To promote indigenous development of suitable security techniques & technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes

9.3 To create a culture of cyber security for responsible user behavior & actions including building capacities and awareness campaigns.

9.4 To create, establish and operate an 'Information Security Assurance Framework'."

5. The Department of Information and Technology has formed the Computer Emergency Response Term of India (CERT-In) to enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration. The Information Security Policy on Protection of Critical Infrastructure released by the CERT-In considers information recorded, processed or stored in electronic medium as a valuable asset and is geared towards protection of such "valuable asset". The policy recognises the importance of critical information infrastructure network and says that any disruption of the operation of such networks is likely to have devastating effects. The policy prescribes that personnel with program delivery responsibilities should also recognise the importance of security of information resources and their management. Thus Ddue to this recognition of the growing networked nature of government as well as critical organisations and the need to have a proper vulnerability analysis as well as effective management of information security risks, the Department of Technology prescribes the following information security policy:

"In order to reduce the risk of cyber attacks and improve upon the security posture of critical information infrastructure, Government and critical sector organizations are required to do the following on priority:

Identify a member of senior management, as Chief Information Security Officer (CISO), knowledgeable in the nature of information security & related issues and designate him/her as a 'Point of contact', responsible for coordinating security policy compliance efforts and to regularly interact with the Indian Computer Emergency Response Team (CERT-In), Department of Information Technology (DIT), which is the nodal agency for coordinating all actions pertaining to cyber security;
Prepare information security plan and implement the security control measures as per ISI/ISO/IEC 27001: 2005 and other guidelines/standards, as appropriate;
Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent with criticality of business/functional requirements, likely impact on business/ functions and achievement of organisational goals/objectives;
Periodically test and evaluate the adequacy and effectiveness of technical security control measures implemented for IT systems and networks. Especially, Test and evaluation may become necessary after each significant change to the IT applications/systems/networks and can include, as appropriate the following:

➢ Penetration Testing (both announced as well as unannounced)

➢ Vulnerability Assessment

➢ Application Security Testing

➢ Web Security Testing

Carry out Audit of Information infrastructure on an annual basis and when there is major upgradation/change in the Information Technology Infrastructure, by an independent IT Security Auditing organization;..........

Report to CERT-In the cyber security incidents, as and when they occur and the status of cyber security, periodically."

6. The Department of Electronics and Information Technology (DEITY) released the National Policy on Electronics in 2012 which contained the government's take on the electronics industry in India. Section 5 of the said policy talks about cCyber sSecurity and states that to create a complete secure cyber eco-system in the country, careful and due attention is required for creation of well-d defined technology and systems, use of appropriate technology and more importantly development of appropriate products and& solutions. The priorities for action should be suitable design and development of indigenous appropriate products through frontier technology/product oriented research, testing and& validation of security of products meeting the protection profile requirements needed to secure the ICT infrastructure and cyber space of the country.

7. In addition the CERT-In has issued an Information Security Management Implementation Guide for Government Organisations. [33] CERT-In has also prescribed progressive steps for implementation of Information Security Management System in Government & Critical Sectors as per ISO 27001. The steps prescribed are as follows:

Identification of a Point-of-Contact (POC) / Chief Information Security Officer (CISO) for coordinating information security policy implementation efforts and communication with CERT-In
Information Security Awareness Programme
Determination of general Risk environment of the organization (low / medium / hHigh) depending on the nature of web and& networking environment, criticality of business functions and impact of information security incidents on the organization, business activities, assets / resources and individuals
Status appraisal and gap analysis against ISO 27001 based best information security practices
Risk assessment covering evaluation of threat perception and technical and &operational vulnerabilities
Comprehensive risk mitigation plan including selection of appropriate information security controls as per ISO 27001 based best information security practices
Documentation of agreed information security control measures in the form of information security policy manual, procedure manual and work instructions
Implementation of information security control measures (Managerial, Technical and& operational)
Testing & evaluation of technical information security control measures for their adequacy & effectiveness and audit of IT applications/systems/networks by an independent information security auditing organization (penetration testing, vulnerability assessment, application security testing, web security testing, LAN audits, etc)
Information Security Management assessment and certification against ISO 27001 standard, preferably by an independent & accredited organization

8. The Unified License for providing various telecommunication services also discusses contains certain terms which talk about how to engagedeal with telecommunication infrastructure in light of national security, which include the following recommendations:

Providing necessary facilities to the Government to counteract espionage, subversive act, sabotage or any other unlawful activity;
Giving full access to its network and equipment to the authorised persons for technical scrutiny and inspection;
Obtaininggettting security clearance for all foreign nationals deployed on for installation, operation and maintenance of the network;
Being completely responsible for the security of its network and having organizational policy on security and security management of its network including Network forensics, Network Hardening, Network penetration test, Risk assessment;
Auditing its network or getting the network audited from security point of view once in a financial year from a network audit and certification agency;
Inducting only those network elements into its telecommunications network, which have been got tested according tos per relevant contemporary Indian or International Security Standards;
Including all contemporary security related features (including communication security) as prescribed under relevant security standards while procuring the equipment and implementing all such contemporary features into the network;
Keeping requisite records of operations in the network;
Monitoring of all intrusions, attacks and frauds on his technical facilities and provide reports on the same to the Licensor.

Further statutory restrictions on tampering critical infrastructure are already contained in the Telegraph Act and have been discussed above, though the penalties provided may need to be increased if they are to act as a deterrent in this age where the stakes are much higher.

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

There is yet to be a publicly acknowledged request from a foreign government asking the Indian government to take steps to prevent malicious ICT acts originating from its territory.

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

Section 4 of the National Electronics Policy, 2012 talks about "Developing and Mandating Standards" and says that in order to curb the inflow of sub-standard and unsafe electronic products the government should mandate technical and safety standards which conform to international standards and do the following:

Develop Indian standards to meet specific Indian conditions including climatic, power supply, and handling and other conditions etc., by suitably reviewing existing standards.

Mandate technical standards in the interest of public health and safety.

Set up an institutional mechanism within Department of Information Technology for mandating compliance to standards for electronics products.

Develop a National Policy Framework for enforcement and use of Standards and Quality Management Processes.

Strengthen the lab infrastructure for testing of electronic products and encouraging development of conformity assessment infrastructure by private participation.

Create awareness amongst consumers against sub-standard and spurious electronic products.

Build capacity within the Government and public sector for developing and mandating standards.

Actively participate in the international development of standards in the Electronic System Design and Manufacturing sector.

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

Under section 70B of the IT Act, India has established a Computer Emergency Response Team (CERT-In) to serve as the national agency for incident responses. The functions mandated to be performed by CERT-In as per the IT Act are:

Collection, analysis and dissemination of information on cyber incidents;
Forecasting and alerts of cyber security incidents;
Emergency measures for handling cyber security incidents;
Coordination of cyber incidents response activities;
Issuing ofe guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
Such other functions relating to cyber security as may be prescribed.

CERT-In also publishes information regarding various cyber threats on its websites so as to keep internet users aware of the latest threats in the online world. Such information can be accessed both on the main page of the CERT-In website or under the Advisories section on the website. [34]

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

There are no official or public reports of India using its CERT-In to harm the information systems of another state, although it is highly unlikely that any state would publicly acknowledge such activities even if it was indulging in them.

3. Conclusion

As can be seen from the discussion above, the statutory, regulatory and policy regime in India does seem to address most of the cyber security norms in some manner or the other, but these efforts almost always fall short of meeting some of the norms. While the Information Technology Act along with the Rules thereunder, as being the umbrella legislation for digital transactions in India, does address some of the issues mentioned above, it does not address some of the problems that arise out of a greater reliance on the internet such as spamming, trolling, and, online harassment, etc. Although some of these acts may be addressed by regular legislation by applying them in the online world however this does not always take into account the unique features and complexities of committing these acts/crimes in the online world.

In the area of exchange of information between states, India has entered into a number of MLATs and extradition treaties, and frequently issues Letters of Rogatory. Yet however these mechanisms may not be adequate to address the needs of crime prevention of crimes in the age of ICT, as crime prevention it often requires exchange of information inon r a real time basis which is not possible with the bureaucratic procedures involved in the MLAT process. There also needsd to be stronger standards which are applicable to ICT equipment, including imported equipment especially in light of the fact that security concerns related to Chinese ICT equipment that from China have been raised quite frequently in the past. There also needs to be a better system of reporting ICT vulnerabilities to CERT-In or other authorized agencies so that mitigation measure can be implemented in time.

It should be noted that the work of the Group of Experts is not complete since the General Assembly has asked the Secretary General to form a new Group of Experts which would report back to the Secretary General in 2017. It is imperative that the Government of India realise the importance of the work being done by the Group of Experts and take measures to ensure that a representative from India is included in or atleast the comments and concerns of India are included and addressed by the Group of Experts. Meanwhile, India can begin by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security. Brutent force solutions such as demands for back doors, unfair and unreasonable encryption regulation, and data localization requirements will not help propel India forward in international discussions, dialogues, or agreements on cross-border sharing of information. Though the recommendations from the Group of Experts are welcome, beyond a preliminary mention of privacy and freedom of expression, the rights of individuals - and the ways in which these can be protected, various components that go into supporting those rights including redress, transparency, and due process measures - was inadequately addressed.

[1] The terms "cyberspace" has been defined in the Oxford English Dictionary as the notional environment in which communication over computer networks occurs. Although the scope of this paper is not to discuss the meaning of this term, it was felt that a simple definition of the term would be useful to better define the parameters of the discussion.

[2] https://s3.amazonaws.com/unoda-web/wp-content/uploads/2016/01/A-RES-70-237-Information-Security.pdf

[3] https://www.justsecurity.org/29203/british-searches-america-tremendous-opportunity/

[4] http://deity.gov.in/content/country-wise-status

[5] Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bona fide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

[6] http://deity.gov.in/sites/upload_files/dit/files/Plan_Report_on_Cyber_Security.pdf

[7] List of the countries is available at http://cbi.nic.in/interpol/mlats.php

[8] https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society

[9] Peter Swire& Justin D. Hemmings, "Re-Engineering the Mutual Legal Assistance Treaty Process", http://www.heinz.cmu.edu/~acquisti/SHB2015/Swire.docx, cf. https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society .

[10] MLATS and International Cooperation for Law Enforcement Purposes, available at http://cis-india.org/internet-governance/blog/presentation-on-mlats.pdf

[11] The full list of the countries with which India has agreed an MLAT is available at http://cbi.nic.in/interpol/extradition.php

[12] http://cbi.nic.in/interpol/assist.php

[13] http://www.firstpost.com/india/how-the-police-tracked-and-arrested-im-founder-yasin-bhatkal-1071755.html

[14] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=3641

[15] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=6014

[16] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=11212

[17] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=14584

[18] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=26571

[19] http://dspace.judis.nic.in/bitstream/123456789/26592/1/36303.pdf

[20] AIR 1954 SC 300. In para 18 of the Judgment it was held: "A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction."

[21] AIR 1963 SC 1295. In para 20 of the judgment it was held: "… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III."

[22] (1975) 2 SCC 148.

[23] (1994) 6 SCC 632.

[24] (1997) 1 SCC 301.

[25] http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[26] http://cis-india.org/internet-governance/news/hindustan-times-august-20-2015-aloke-tikku-stats-from-2014-reveal-horror-of-scrapped-section-66-a-of-it-act

[27] http://supremecourtofindia.nic.in/FileServer/2015-03-24_1427183283.pdf

[28] http://deity.gov.in/sites/upload_files/dit/files/S_O_18(E).pdf

[29]

[30] http://deity.gov.in/sites/upload_files/dit/files/GSR_19(E).pdf

[31] Rule 4 of the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.

[32] Since these Guidelines were not publicly released they are not available on any government website. In this paper we have relied on a version available on a private website at http://perry4law.org/cecsrdi/wp-content/uploads/2013/12/Guidelines-For-Protection-Of-National-Critical-Information-Infrastructure.pdf

[33] Available at http://www.cert-in.org.in/

[34] http://www.cert-in.org.in/

List of Acronyms

ICTs – Information Communication Technologies
GGE – Group of Experts
EU – European Union
DLC-ICT – India-Belarus Digital Learning Center
IT Act – Information Technology Act, 2000
UL - Unified License
DEITY – Department of Electronics and Information Technology
IT – Information Technology
ISO – International Organization for Standardisation
CERT – Computer Emergency Response Team
CERT-In - Computer Emergency Response Team, India
MLAT – Mutual Legal Assistance Treaty
CII – Critical Information Infrastructure
NCIIPC - National Critical Information Infrastructure Protection Centre
NTRO - National Technical Research Organisation
NPIT - National Policy on Information Technology
CISO - Chief Information Security Officer

For more details visit https://cis-india.org/internet-governance/blog/analysis-report-experts-information-telecommunications-security-implications-india

Analysis of Key Provisions of the Aadhaar Act Regulations

amber — 2017-04-03T14:05:01Z

In exercise of their powers under of the powers conferred by Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016, (Aadhaar Act) the UIDAI has come out with a set of five regulations in late 2016 last year. In this policy brief, we look at the five regulations, their key provisions and highlight point out the unresolved, issues, unaddressed, and created issues as result of these regulations.

This blog post was edited by Elonnai Hickok

Introduction

At the outset it is important to note that a concerning feature of these regulations is that they intend to govern the processes of a body which has been in existence for over six years, and has engaged in all the activities sought to be governed by these policies at a massive scale, considering the claims of over one billion Aadhaar number holders. However, the regulation do not acknowledge, let alone address past processes, practices, enrollments, authentications, use of technology etc. this fact, and there are no provisions that effectively address the past operations of the UIDAI. Below is an analysis of the five regulations issued thus far by the UIDAI.

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations^{^[1]}

These regulations framed under clause (h) of sub-section (2) of section 54 read with sub-section (1) of section 19 of the Aadhaar Act, deal with the meetings of the UIDAI, the process following up to each meeting, and the manner in which all meetings are to be conducted.

Provision: Sub-Regulation 3.

Meetings of the Authority– (1) There shall be no less than three meetings of the Authority in a financial year on such dates and at such places as the Chairperson may direct and the interval between any two meetings shall not in any case, be longer than five months

Observations:

The number of times that UIDAI would meet in a year is far too less, taking in account the significance of the responsibilities of UIDAI as the sole body for policy making for all issues related to Aadhaar. In contrast, the Telecom Regulatory Authority of India is required to meet at least once a month. Other bodies such as SEBI and IRDAI are also required to meet at least four times^{^[2]} and six times^{^[3]} in a year respectively.

Provision: Sub-Regulation 8 (5)

Decisions taken at every meeting of the Authority shall be published on the website of Authority unless the Chairperson determines otherwise on grounds of ensuring confidentiality.

Observations:

The Chairperson has the power to determine withholding publication of the decisions of the meeting on the broad grounds of ‘confidentiality’. Given the fact that the decisions taken by UIDAI as a public body can have very real implications for the rights of residents, the ground of confidentiality is not sufficient to warrant withholding publication. It is curious that instead of referring to the clearly defined exceptions laid down in other similar provisions such as the exceptions in Section 8 of the Right to Information Act, 2005, the rules merely refer to vague and undefined criteria of ‘confidentiality’.

Provision: Sub-Regulation 14 (4)

Members of the Authority and invitees shall sign an initial Declaration at the first meeting of the Authority for maintaining the confidentiality of the business transacted at meetings of the Authority in Schedule II.

Observations:

The above provision, combined with the fact that there is no provision regarding publication of the minutes of the meetings of UIDAI raise serious questions about the transparency of its functioning.

Unique Identification Authority of India (Enrolment and Update) Regulations^{^[4]}

These regulations, framed under sub-section (1), and sub-clauses (a), (b), (d,) (e), (j), (k), (l), (n), (r), (s), and (v) of sub-section (2), of Section 54 of the Aadhaar Act deals with the enrolment process, the generation of an Aadhaar number, updation of information and governs the conduct of enrolment agencies and associated third parties.

Provisions:

Sub-Regulation 8 (2), (3) and (4)

The standard enrolment/update software shall have the security features as may be specified by the Authority for this purpose.

All equipment used in enrolment, such as computers, printers, biometric devices and other accessories shall be as per the specifications issued by the Authority for this purpose.

The biometric devices used for enrolment shall meet the specifications, and shall be certified as per the procedure, as may be specified by the Authority for this purpose.

Sub-Regulation 3 (2)

The standards for collecting the biometric information shall be as specified by the Authority for this purpose.

Sub-Regulation 4 (5)

The standards of the above demographic information shall be as may be specified by the Authority for this purpose.

Sub-Regulation 6 (2)

For residents who are unable to provide any biometric information contemplated by these regulations, the Authority shall provide for handling of such exceptions in the enrolment and update software, and such enrolment shall be carried out as per the procedure as may be specified by the Authority for this purpose.

Sub-Regulation 14 (2)

In case of rejection due to duplicate enrolment, resident may be informed about the enrolment against which his Aadhaar number has been generated in the manner as may be specified by the Authority.

Observations:

Though in February 2017, the UIDAI published technical specifications for registered devices^{^[5]}, the regulations leave unaddressed issues such as lack of appropriately defined security safeguards in the Aadhaar. There is a general trend of continued deferrals in the regulations by stating that matters would be specified later on important aspects such as rejection of applications, uploading of the enrolment packet to the CIDR, the procedure for enrolling residents with biometric exceptions, the procedure for informing residents about acceptance/rejection of enrolment application, specifying the convenience fee for updation of residents’ information, the procedure for authenticating individuals across services etc.c. There is a clear failure to exercise the mandate delegated to UIDAI, leaving key matters to determined at a future unspecified date. The delay and ambiguity around when regulations will be defined is all the more problematic in light of the fact that the project has been implemented since 2010 and the Aadhaar number is now mandatory for availing a number of services.

Further it is important to note that a number of policies put out by the UIDAI predate these regulations, on which the regulations are completely silent, thus neither endorsing previous policies nor suggesting that they may be revisited. Further, the regulations choose to not engage with the question of operation of the Aadhaar project, enrolment and storage of data etc prior to the notification of these regulations, or the policies which these regulations may regularise. For instance, the regulations do not specify any measures to deal with issues arising out of enrolment devices used prior to the development of the February 2017 specifications.

Provision: Sub-Regulation 32

The Authority shall set up a contact centre to act as a central point of contact for resolution of queries and grievances of residents, accessible to residents through toll free number(s) and/ or e-mail, as may be specified by the Authority for this purpose.

(2) The contact centre shall:

Provide a mechanism to log queries or grievances and provide residents with a unique reference number for further tracking till closure of the matter;
Provide regional language support to the extent possible;
Ensure safety of any information received from residents in relation to their identity information;
Comply with the procedures and processes as may be specified by the Authority for this purpose.

(3) Residents may also raise grievances by visiting the regional offices of the Authority or through any other officers or channels as may be specified by the Authority.

Observations:

While the setting up of a grievance redressal mechanism under the regulations is a welcome move, there is little clarity about the procedure to be followed, nor is a timeline for it specified. The chapter on grievance redressal is in fact one of the shortest chapters in the regulations. The only provision in this chapter deals with the setting up of a contact centre, a curious choice of term for what is supposed to be the primary quasi judicial grievance redressal body for the Aadhaar project. In line with the indifferent and insouciant terminology of ‘contact centre’, the chapter is restricted to the matters of the logging of queries and grievances by the contact centre, and does not address the matter of procedure or timelines, and even the substantive provisions about the nature of redress available. Furthermore, the obligation on the contact centre to protect information received is limited to ‘ensuring safety’ an ambiguous standard that does not speak to any other standards in Indian law.

Aadhaar (Authentication) Regulations, 2016^{^[6]}

These regulations, framed under sub-section (1), and sub-clauses (f) and (w) of sub-section (2) of Section 54 of the Aadhaar Act deals with the authentication framework for Aadhaar numbers, the governance of authentication agencies and the procedure for collection, storage of authentication data and records.

Provisions:

Sub-Regulation 5 (1)

At the time of authentication, a requesting entity shall inform the Aadhaar number holder of the following details:—

(a) the nature of information that will be shared by the Authority upon authentication;

(b) the uses to which the information received during authentication may be put; and

Sub-Regulation 6 (2)

A requesting entity shall obtain the consent referred to in sub-regulation (1) above in physical or preferably in electronic form and maintain logs or records of the consent obtained in the manner and form as may be specified by the Authority for this purpose.

Observations:

Sub-regulation 5 mentions that at the time of authentication, requesting entities shall inform the Aadhaar number holder of alternatives to submission of identity information for the purpose of authentication. Similarly, sub-regulation 6 mentions that requesting entity shall obtain the consent of the Aadhaar number holder for the authentication. However, in neither of the above circumstances do the regulations specify the clearly defined options that must be made available to the Aadhaar number holder in case they do not wish submit identity information, nor do the regulations specify the procedure to be followed in case the Aadhaar number holder does not provide consent.

Most significantly, this provision does little by way of allaying the fears raised by the language in Section 8 (4) of the Aadhaar Act which states that UIDAI “shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information.” This section gives a very wide discretion to UIDAI to share personal identity information with third parties, and the regulations do not temper or qualify this power in any way.

Sub-Regulation 11 (1) and (4)

The Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication.

The Authority may make provisions for Aadhaar number holders to remove such permanent locks at any point in a secure manner.

Observations:

A welcome provision in the regulation is that of biometric locking which allows Aadhaar number holders to permanently lock his biometrics and temporarily unlock it only when needed for biometric authentication. However, in the same breath, the regulation also provides for the UIDAI to make provisions to remove such locking without any specified grounds for doing so.

Provision: Sub-Regulation 18 (2), (3) and (4)

The logs of authentication transactions shall be maintained by the requesting entity for a period of 2 (two) years, during which period an Aadhaar number holder shall have the right to access such logs, in accordance with the procedure as may be specified.

Upon expiry of the period specified in sub-regulation (2), the logs shall be archived for a period of five years or the number of years as required by the laws or regulations governing the entity, whichever is later, and upon expiry of the said period, the logs shall be deleted except those records required to be retained by a court or required to be retained for any pending disputes.

The requesting entity shall not share the authentication logs with any person other than the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the Authority for audit purposes. The authentication logs shall not be used for any purpose other than stated in this sub-regulation.

Observations:

While it is specified that the authentication logs collected by the requesting entities shall not be shared with any person other than the concerned Aadhaar number holder upon their request or for grievance redressal and resolution of disputes or with the Authority for audit purposes, and that the authentication logs may not be used for any other purpose, the maintenance of the logs for a period of seven years seems excessive. Similarly, the UIDAI is also supposed to store Authentication transaction data for over five years. This is in violation of the widely recognized data minimisation principles which seeks that data collectors and data processors delete personal data records when the purpose for which it has been collected if fulfilled. While retention of data for audit and dispute-resolution purpose is legitimate, the lack of specification of security standards and the overall lack of transparency and inadequate grievance redressal mechanism greatly exacerbate the risks associated with data retention.

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016^{^[7]}

Framed under the powers conferred by sub-section (1), and sub-clause (o) of sub-section (2), of Section 54 read with sub-clause (k) of sub-section (2) of Section 23, and sub-sections

(2) and (4) of Section 29, of the Aadhaar Act, the Sharing of Information regulations look at the restrictions on sharing of identity information collected by the UIDAI and requesting entities. The Data Security regulation, framed under powers conferred by clause (p) of subsection (2) of section 54 of the Aadhaar Act, looks at security obligations of all service providers engaged by the UIDAI.

Provision: Sub-Regulation 6 (1)

All agencies, consultants, advisors and other service providers engaged by the Authority, and ecosystem partners such as registrars, requesting entities, Authentication User Agencies and Authentication Service Agencies shall get their operations audited by an information systems auditor certified by a recognised body under the Information Technology Act, 2000 and furnish certified audit reports to the Authority, upon request or at time periods specified by the Authority.

Observations:

The regulation states that audits shall be conducted by an information systems auditor certified by a recognised body under the Information Technology Act, 2000. However, there is no such certifying body under the Information Technology Act. This suggests a lack of diligence in framing the rules, and will inevitably to lead to inordinate delays, or alternately, a lack of a clear procedure in the appointment of an auditor. Further, instead of prescribing a regular and proactive process of audits, the regulation only limits audits to when requested or as deemed appropriate by UIDAI. This is another, in line of many provisions, whose implication is power being concentrated in the hands of UIDAI, with little scope for accountability and transparency.

Conclusion

In conclusion, it must be stated that the regulations promulgated by the UIDAI leave a lot to be desired. Some of the most important issues raised against the Aadhaar Act, which were delegated to the UIDAI’s rule making powers have not been addressed at all. Some of the most important issues such as data security policies, right to access records of Aadhaar number holders, procedure to be followed by the grievance redressal bodies, uploading of the enrolment packet to the CIDR, procedure for enrolling residents with biometric exceptions, procedure for informing residents about acceptance/rejection of enrolment application have left unaddressed and ‘may be specified’ at a later data. These failures leave a gaping hole especially in light of the absence of a comprehensive data protection legislation in India, as well the speed and haste with the enrolment and seeding has been done by the UIDAI, and the number of services, both private and public, which are using or planning to use the Aadhaar number and the authentication process as a primary identifier for residents.

^{^[1]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[2]} https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1

^{^[3]} http://www.sebi.gov.in/acts/boardregu.html

^{^[4]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[5]} Available at: https://uidai.gov.in/images/resource/aadhaar_registered_devices_2_0_09112016.pdf

^{^[6]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[7]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations

Analysis of ICANN revenue shows ambiguity in their records

Sunil Abraham, Arjun Venkatraman and Akriti Bopanna — 2018-04-27T10:01:26Z

We, The Centre for Internet and Society, have been instrumental in having ICANN become transparent about their revenue with our persistent requests for their sources of revenue.

Click to download a PDF of the Analysis

In 2014, CIS' Sunil Abraham demanded greater financial transparency of ICANN at both the Asia Pacific IGF and the ICANN Open Forum at the IGF. Later that year, CIS was provided with a list of ICANN's sources of revenue for the financial year 2014, including payments from registries, registrars, sponsors, among others, by ICANN India Head Mr. Samiran Gupta.This was a big step for CIS and the Internet community, as before this, no details on granular income had ever been publicly divulged by ICANN on request.¹ Our efforts have resulted in this information now being publicly available from the years 2012 onwards. We then decided to analyze all these years of financial data collaborating with Ashoka fellow Arjun Venkatraman and following are our observations:

To get a clear picture of ICANN's revenue, it can be seen that over the years it has been growing steadily. In 2016 it was 1.7 times the revenue it made in 2012.

A breakdown by country reveals that a significantly higher proportion of their revenue is from sources registered in the United States.

It is also interesting to note that revenue from China has seen a spike in the past 2 years, especially in the period of 2015-2016. Verisign CEO, James Bidzos confirmed in an interview to analysts that Chinese activity had surprised them as well though they expected the activity to slow down in the second quarter of 2016.²

Verisign also happens to be the top paying customer for ICANN every year, running the .com/.net names. Their payments are orders of magnitude greater than payments made by any other single entity or even several collective entities.

ICANN differentiates its sources of revenues by each class of entity which stand for the following:

RYN - Registry
OTH - Other
RYG - Registry
RIR - Regional Internet Registry
RYC - ccTLD (Top Level Domains)
IDN - Internationalized Domain Names
RAR - Registrar
SPN - Sponsor

It is evident that the Registries and Registrars contribute the most to revenue however the classification of these groups in itself is ambiguous. RYG and RYN both stand for registry but we do not find any explanation given for the double entry for a single group. Secondly, Sponsors are included yet it is unclear how they have sponsored ICANN, whether through travel and accommodation of personnel or any other mode of institutional sponsorship. The Regional Internet Registries are clubbed under one heading and as a consequence it is not possible to determine individual RIR contribution such as how much did APNIC pay for the Asia and Pacific region. The total payment made by RIRs is a small fraction of the payments made by many other entities and they all pay through the Numbers Resources Organization (NRO), who is listed as paying from Uruguay however the MOU creating the NRO does not specify their location as being there. The NRO website states that " RIRs may be audited by external parties with regards to their financial activities or their operations. RIRs may also allow third parties to report security incidents with regards to their services." ³ Their records show that financial disclosure is done in an inconsistent manner with the last publication from AFRINIC being for the year 2013 ⁴ while the RIPE NCC who coordinates the area of Central Europe, Middle East and Russia last published an annual report for the year 2016 but had no financial information in it. ⁵

The most frequently found words in their sources which can give us an idea of the structure of the contributing entity yields the following result.

Several clients have registered multiple corporate entities to increase their payments to ICANN such as DropCatch, Everest and Camelot. ⁶ The first of them, DropCatch, is a domain drop catcher, essentially selling expired domain names to the highest bidder. By the end of 2016, about 43% of all ICANN-accredited registrars were controlled by them. ⁷

Many clients have reported themselves from different countries over the years as well such as 'Verisign Sarl' which has been reported as originating from Switzerland and in a different year from the United States. ⁸ Another curious case is of the entity, 'Afilias plc', which when categorized as a sponsor (SPN) is reported from Ireland however as a registry (both RYG and RYN) is reported from the United States. Some entities have originated from one place such as the United Arab Emirates and then moved to other countries such as India.

To summarize, the key takeaways from the information we have dissected so far are:

- ICANN's revenue has been steadily increasing with the 2016 seeing a 1.6 times increase of its revenue generated in 2012.

- United States is the country that most of the revenue originates from.

- After the US, China is now the largest contribution to ICANN revenue, significantly increase their contributions from 2015.

- Verisign is the top contributing entity, their contribution much greater than other entities.

- Registries and Registrars are the main sources of revenue though there is ambiguity as to the classifications provided by ICANN such as the difference between RYG and RYN. The mode of contribution of sponsors exactly is not highlighted either.

- Several entities have been listed from different places in different years, sometimes depending on the role they have played such as whether they are a sponsor or registry. Registering multiple corporate entities to acquire more registrars has occurred as well.

1. Venkataraman, P. (2017). CIS' Efforts Towards Greater Financial Disclosure by ICANN . [online] The Centre for Internet and Society.[Accessed 14 Mar. 2018].

2. Murphy, K. (2016). Verisign has great quarter but sees China growth slowing | Domain Incite - Domain Name Industry News, Analysis & Opinion . [online] DomainIncite. [Accessed 14 Mar. 2018].

3. Nro.net. (2018). RIR Accountability Questions and Answers | The Number Resource Organization . [online] [Accessed 11 Mar. 2018].

4. African Network Information Centre - Annual Report

5. RIPE Network Coordination Centre Annual Report 2016

6. Murphy, K. (2016). DropCatch spends millions to buy FIVE HUNDRED more registrars | Domain Incite - Domain Name Industry News, Analysis & Opinion . [online] DomainIncite.[Accessed 13 Mar. 2018].

7. Id

8. Detailed list is available on request

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-icann-financials-from-2012-2016

Analysis of DIT's Response to Second RTI on Website Blocking

pranesh — 2011-12-02T09:26:11Z

In this blog post, Pranesh Prakash briefly analyses the DIT's response to an RTI request on website blocking alongside the most recent edition of Google's Transparency Report, and what it tells us about the online censorship regime in India.

What the DIT's Response Tells Us, and What It Doesn't

We at the Centre for Internet and Society had sent in a right to information request to the Department of Information Technology (DIT) asking for more information about website blocking in India. The response we got from the DIT was illuminating in many ways. The following are the noteworthy points, in brief:

Six government officials, and one politician have so far made requests for 'disabling access' to certain online content under s.69A of the Information Technology (IT) Act.
68 individual items have been requested to be blocked, those being 64 websites (domain-level blocking), 1 sub-domain, and 3 specific web pages. Seemingly, none of these requests have been accepted.
The data provided by the government seemingly conflicts with the data released by the likes of Google (via its Transparency Report).
India's law enforcement agencies are circumventing the IT Act, the Indian Penal Code (IPC), and ultimately the Constitution, by not following proper procedure for removal of online content.
Either the DIT is not providing us all the relevant information on blocking, or is not following the law.

Conflicting Data on Censorship Requests

The latest Google Transparency Report, released on October 25, 2011, shows that there were 68 written requests (imaginably taking the form of forceful requests/orders) from Indian law enforcement agencies for removal of 358 items from Google's various. If you take the figures since January 2010, it adds up to over 765.

However, the official government statistics show only eight separate requests having been made to the DIT (which, under the IT Act, is the only authority that can order the blocking of online content), adding up to a total of 64 websites (domain-level), 1 sub-domain, and 3 specific web pages. Of these only 3 are for Google's services (2 for Blogger, and 1 for YouTube).

If classified according to presumable reason for seeking of the block, that would be 61 domains hosting adult content; 1 domain (tamil.net.in), 1 sub-domain (ulaginazhagiyamuthalpenn.blogspot.com), and 2 specific pages (video of a speech by Bal Thackeray on YouTube and Wikipedia page for Sukhbir Singh Badal) for political content; 1 for religious content (a blog post titled "Insults against Islam" in Malay); and 1 domain hosting online gambling (betfair.com). It is unclear for why one of the requests was made (topix.net).¹

Content Removal vs. Content Blocking

Section 69A of the IT Act provides the Central Government the power to "direct any agency of the Government or intermediary to block for access by the public or cause to be blocked for access by the public any information generated, transmitted, received, stored or hosted in any computer resource". The only person through whom this power can be exercised is the 'Designated Officer' (currently Dr. Gulshan Rai of the DIT), who in turn has to follow the procedure laid down in the rules drafted under s.69A ("Information Technology (Procedure and Safeguard for Blocking for Access of Information by Public) Rules, 2009", the 'Blocking Rules').

Because of this, we see everyone from the Secretary of the Public Law and Order Department of Tamil Nadu to the Joint Commissioner of Police of Mumbai and the State President of the Bharatiya Janata Minority Morcha approaching the Designated Officer for blocking of websites.

However, as the data from Google shows, there are many times more requests being sent to remove content. The only explanation for this is that an order to 'block for access... or cause to be blocked for access by the public' is taken to be different from an order for removal of content. Nothing in the IT Act, nor in the Blocking Rules actually address this issue.²

Thus, there is a possibility that the forcible removal of content is treated separately from blocking of content. That would mean that while blocking is regulated by the IT Act, forcible removal of content is not. Thus, it would seem that forcible removal of online content is happening without clear regulation or limits.³

Role of the Indian Penal Code and Code of Criminal Procedure

There are existing provisions in the Indian Penal Code that provide the government the power to censor book, pamphlets, and other material on varied grounds, including obscenity, causing of enmity between communities, etc. The police is provided powers to enforce such governmental orders. Section 95 of the Code of Criminal Procedure allows the State Government to declare (through an official notification) certain publications which seem to violate the Indian Penal Code as 'forfeited to the Government' and to issue search warrants for the same. After this the police can enforce that notification.

It is clear that this is not the case for any of the content removal requests that were sent to Google.

Police Are Defeating the Constitution and the IT Act

Therefore, it would seem that law enforcement agencies are operating outside the bounds set up under the Indian Penal Code, the Code of Criminal Procedure, as also the Information Technology Act, when they send requests for removal of content to companies like Google. While a company might comply with it because it appears to them to violate their own terms of service (which generally include a wide clause about content being in accordance with all local laws), community guidelines, etc., it would appear that it is not required under the law to do so if the order itself is not legal.

However, anecdotal evidence has it that most companies comply with such 'requests' even when they are not under any legal obligation to do so.

This way the intention of Parliament in enacting s.69A of the IT Act—to regulate government censorship of the Internet and bring it within the bounds laid down in the Constitution—is defeated.

DIT Either Evasive or Not Following Rules

The DIT did not provide answers on:

Whether any block ordered by the DIT has ever been revoked
On what basis DIT decides which intermediary (web host, ISP, etc.) to send the order of blocking to

It also provided the minutes for only one meeting⁴ of the committee that decides whether to carry out a block, when we had requested for minutes of all the meetings it has ever held. That committee (the Committee for Examination of Requests, constituted under Rule 8(4) of the Blocking Rules) has to consider every single item in every single request forwarded to the Designated Officer, and 68 items were sent to the Designated Officer in 6 requests. Quite clearly something doesn't add up. Either the Committee is not following the Blocking Rules or the DIT is not providing a full reply under the RTI Act.

A request was made to block http://www.topix.net, by the 'Commmissioner, Maharashtra State, Colaba, Mumbai—400001', presumably the Commissioner of State Intelligence Department of Maharashtra, whose office is located in Colaba. ↩
However, the Blocking Rules require the person or the hosting intermediary being contacted for a response. This provides the person/intermediary the opportunity to remove the content voluntarily or to oppose the request for blocking.

"Rule 8. Examination of request: (1) On receipt of request under rule 6, the Designated Officer shall make all reasonable efforts to identify the person or intermediary who has hosted the information or part thereof as well as the computer resource on which such information or part thereof is being hosted and where he is able to identify such person or intermediary and the computer resource hosting the information or part thereof which have been requested to be blocked for public access, he shall issue a notice by way of letters or fax or e-mail signed with electronic signatures to such person or intermediary in control of such computer resource to appear and submit their reply and clarifications if any, before the committee referred to in rule 7, at a specified date and time, which shall not be less than forty-eight hours from the time of receipt of such notice by such person or intermediary." ↩
While it is possible to imagine that the Indian Penal Code and the Code of Criminal Procedure lay down limits, it is clear from the Google Transparency Report that the requests from removal are not coming based only on court orders, but from the executive and the police. The police have no powers under the IPC or the CrPC to request removal of content without either a public notification issued by the State Government or a court order. ↩
The minutes of the meeting held on August 24, 2010, on the request for blocking of www.betfair.com were sent as 'Annexure III' of the DIT response. This request was not granted. ↩

For more details visit https://cis-india.org/internet-governance/blog/analysis-dit-response-2nd-rti-blocking

Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles

Vipul Kharbanda — 2016-03-17T19:43:53Z

Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) was introduced in the Lok Sabha (lower house of the Parliament) by Minister of Finance, Mr. Arun Jaitley, in on March 3, 2016, and was passed by the Lok Sabha on March 11, 2016. It was sent back by the Rajya Sabha with suggestions but the Lok Sabha rejected those suggestions, which means that the Act is now deemed to have been passed by both houses as it was originally introduced as a Money Bill. Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

In order for the reader to better understand the frame of reference on which we shall analyse the Aadhaar Act, the nine principles contained in the report of the Group of Experts on Privacy are explained in brief below:

Principle 1: Notice - Does the legislation/regulation require that entities governed by the Act give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.
Principle 2: Choice and Consent - Does the legislation/regulation require that entities governed under the Act provide the individual with the option to opt in/opt out of providing their personal information.
Principle 3: Collection Limitation - Does the legislation/regulation require that entities governed under the Act collect personal information from individuals only as is necessary for a purpose identified.
Principle 4: Purpose Limitation - Does the legislation/regulation require that personal data collected and processed by entities governed by the Act be adequate and relevant to the purposes for which they are processed.
Principle 5: Access and Correction - Does the legislation/regulation allow individuals: access to personal information about them held by an entity governed by the Act; the ability to seek correction, amendments, or deletion of such information where it is inaccurate, etc.
Principle 6: Disclosure - Does the legislation ensure that information is only disclosed to third parties after notice and informed consent is obtained. Is disclosure allowed for law enforcement purposes done in accordance with laws in force.
Principle 7: Security - Does the legislation/regulation ensure that information that is collected and processed under that Act, is done so in a manner that protects against loss, unauthorized access, destruction, etc.
Principle 8: Openness - Does the legislation/regulation require that any entity processing data take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data that is collected and processed and is this information made available to all individuals in an intelligible form, using clear and plain language?
Principle 9: Accountability - Does the legislation/regulation provide for measures that ensure compliance of the privacy principles? This would include measures such as mechanisms to implement privacy policies; including tools, training, and education; and external and internal audits.

Analysis of the Aadhaar Act

The Aadhaar Act has been brought about to give legislative backing to the most ambitious individual identity programme in the world which aims to provide a unique identity number to the entire population of India. The rationale behind this scheme is to correctly identify the beneficiaries of government schemes and subsidies so that leakages in government subsidies may be reduced. In furtherance of this rationale the Aadhaar Act gives the Unique Identification Authority of India (“UIDAI”) the power to enroll individuals by collecting their demographic and biometric information and issuing an Aadhaar number to them. Below is an analysis of the Act based on the privacy principles enumerated I the A.P. Shah Committee Report.

Collection Limitation

Collection of Biometric and Demographic Information: The Aadhaar Act entitles every “resident” [1] to obtain an Aadhaar number by submitting his/her biometric (photograph, finger print, Iris scan) and demographic information (name, date of birth, address [2]) [3]. It must be noted that the Act leaves scope for further information to be included in the collection process if so specified by regulations. It must be noted that although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information. This becomes relevant because it makes it possible for enrolling agencies to collect extra information relating to individuals without any legal implications of such act.

Authentication Records: The UIDAI is mandated to maintain authentication records for a period which is yet to be specified (and shall be specified in the regulations) but it cannot collect or keep any information regarding the purpose for which the authentication request was made [4].

Unauthorized Collection: Any person who in not authorized to collect information under the Act, and pretends that he is authorized to do so, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [5]. It must be noted that the section, as it is currently worded seems to criminalize the act of impersonation of authorized individuals and the actual collection of information is not required to complete this offence. It is not clear if this section will apply if a person who is authorized to collect information under the Act in general, collects some information that he/she is not authorized to collect.

Notice

Notice during Collection: The Aadhaar Act requires that the agencies enrolling people for distribution of Aadhaar numbers should give people notice regarding: (a) the manner in which the information shall be used; (b) the nature of recipients with whom the information is intended to be shared during authentication; and (c) the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made [6]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [7]. It must be noted that the Act leaves the manner of giving such notice in the realm of regulations and does not specify how this notice is to be provided, which leaves important specifics to the realm of the executive.

Notice during Authentication: The Aadhaar Act requires that authenticating agencies shall give information to the individuals whose information is to be authenticated regarding (a) the nature of information that may be shared upon authentication; (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity [8]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [9]. Just as in the case of notice during collection, the manner in which the notice is required to be given is left to regulations leaving an unclear picture as to how comprehensive, accessible, and frequent this notice must be.

Access and Correction

Updating Information: The Aadhaar Act give the UIDAI the power to require residents to update their demographic and biometric information from time to time so as to maintain its accuracy [10].

Access to Information: The Aadhaar Act provides that Aadhaar number holders may request the UIDAI to provide access to their identity information expect their core biometric information [11]. It is not clear why access to the core biometric information [12] is not provided to an individual. Further, since section 6 seems to place the responsibility of updation and accuracy of biometric information on the individual, it is not clear how a person is supposed to know that the biometric information contained in the database has changed if he/she does not have access to the same. It may also be noted that the Aadhaar Act provides only for a request to the UIDAI for access to the information and does not make access to the information a right of the individual, this would mean that it would be entirely upon the discretion of the UIDAI to refuse to grant access to the information once a request has been made.

Alteration of Information: The Aadhaar Act gives individuals the right to request the UIDAI to alter their demographic if the same is incorrect or has changed and biometric information if it is lost or has changed. Upon receipt of such a request, if the UIDAI is satisfied, then it may make the necessary alteration and inform the individual accordingly. The Act also provides that no identity information in the Central database shall be altered except as provided in the regulations [13]. This section provides for alteration of identity information but only in the circumstances given in the section, for example demographic information cannot be changed if it has been lost, similarly biometric information cannot be changed if it is inaccurate. Further, the section does not give a right to the individual to get the information altered but only entitles him/her to request the UIDAI to make a change and the final decision is left to the “satisfaction” of the UIDAI.

Access to Authentication Record: Every individual is given the right to obtain his/her authentication record in a manner to be specified by regulations. [14]

Disclosure

Sharing during Authentication: The UIDAI is entitled to reply to any authentication query with a positive, negative or any other response which may be appropriate and may share identity information except core biometric information with the requesting entity [15]. The language in this provision is ambiguous and it is unclear what 'identity information' may be shared and why it would be necessary to share such information as Aadhaar is meant to be only a means of authentication so as to remove duplication.

Potential Disclosure during Maintenance of CIDR: The UIDAI has been given the power to appoint any one or more entities to establish and maintain the Central Identities Data Repository (CIDR) [16]. If a private entity is involved in the maintenance and establishment of the CIDR it can be presumed that there is the possibilty that they would, to some degree, have access to the information stored in the CIDR, yet there are no clear standards in the Act regarding this potential access. And the process for appointing such entities. The fact that the UIDAI has been given the freedom to appoint an outside entity to maintain a sensitive asset such as the CIDR raises security concerns.

Restriction on Sharing Information: The Aadhaar Act creates a blanket prohibition on the usage of core biometric information for any purpose other than generation of Aadhaar numbers and also prohibits its sharing for any reason whatsoever [17]. Other identity information is allowed to be shared in the manner specified under the Act or as may be specified in the regulations [18]. The Act further provides that the requesting entities shall not disclose the identity information except with the prior consent of the individual to whom the information relates [19]. There is also a prohibition on publicly displaying Aadhaar number or core biometric information except as specified by regulations [20]. Officers or the UIDAI or the employees of the agencies employed to maintain the CIDR are prohibited from revealing the information stored in the CIDR or authentication record to anyone [21]. It is not clear why an exception has been carved out and what circumstances would require publicly displaying Aadhaar numbers and core biometric information, especially since the reasons for which such important information may be displayed has been left up to regulations which have relatively less oversight. The section also provides the requesting entities with an option to further disclose information if they take consent of the individuals. This may lead to a situation where a requesting entity, perhaps the of an essential service, may take the consent of the individual to disclose his/her information in a standard form contract, without the option of saying no to such a request. It may lead to situations where the option is between giving consent to disclosure or denial or service altogether. For this reason it is necessary that there should be an opt in and opt out provision wherever a requesting entity has the power to ask for disclosure of information, so that people are not coerced into giving consent.

Disclosure in Specific Cases: The prohibition on disclosure of information (except for core biometric information) does not apply in case of any disclosure made pursuant to an order of a court not below that of a District Judge [22]. There is another exception to the prohibition on disclosure of information (including core biometric information) in the interest of national security if so directed by an officer not below the rank of a Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government. Before any such direction can take effect, it will be reviewed by an oversight committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. Any such direction shall be valid for a period of three months and may be extended by another three months after the review by the Oversight Committee [23]. Although this provision has been criticized, and rightly so, for the lack of accountability since the entire process is being handled within the executive and there is no independent oversight, however it must be mentioned that the level of oversight provided here is similar to that provided to interception requests, which involve a much graver if not the same level of invasion of privacy.

Penalty for Disclosure: Any person who intentionally and in an unauthorized manner discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication shall be punishable with imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [24]. Further any person who intentionally and in an unathorised manner, accesses information in the CIDR [25], downloads, copies or extracts any data from the CIDR [26], or reveals or shares or distributes any identity information, shall be punishable with imprisonment of upto 3 years and a fine of not less than Rs. 10,00,000/-.

Consent

Consent for Authentication: A requesting entity has to take the consent of the individual before collecting his/her identity information for the purposes of authentication and also has to inform the individual of the alternatives to submission of the identity information [27]. Although this provision requires entities to take consent from the individuals before collecting information for authentication, however how useful this requirement of consent would be, still remains to be seen. There may be instances where a requesting entity may take the consent of the individual in a standard form contract, without the individual realizing what he/she is consenting to.

Note: The Aadhaar Act provides no requirement or standard for the form of consent that must be taken during enrollment. This is significant as it is the point at which individuals are providing raw biometric material and during previous enrollment, has been a point of weakness as the consent taken is an enabler to function creep as it allows the UIDAI to share information with engaged in delivery of welfare services [28].

Purpose

Use of Information: The authenticating entities are allowed to use the identity information only for the purpose of submission to the CIDR for authentication [29]. Further, the Act specifies that identity information available with a requesting entity shall not be used for any purpose other than that specified to the individual at the time of submitting the information for authentication [30]. The Act also provides that any authentication entity which uses the information for any purpose not already specified will be liable to punishment of imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [31].

Security

Security and Confidentiality of Information: It is the responsibility of the UIDAI to ensure the security and confidentiality of the identity and authentication information and it is required to take all necessary action to ensure that the information in the CIDR is protected against unauthorized access, use or disclosure and against accidental or intentional destruction, loss or damage [32]. The UIDAI is required to adopt and implement appropriate technical and organisational security measures and also ensure that its contractors do the same [33]. It is also required to ensure that the agreements entered into with its contractors impose the same conditions as are imposed on the UIDAI under the Act and that they shall act only upon the instructions of the UIDAI [34].

Biometric Information to be Electronic Record: The biometric information collected by the UIDAI has been deemed to be an “electronic record” as well as “sensitive personal data or information”, which would mean that in addition to the provisions of the Aadhaar Act, the provisions contained in the Information Technology Act, 2000 will also apply to such information [35]. It must be noted that while the Act lays down the principle that UIDAI is required to ensure the saecurity of the information, it does not lay down any guidelines as to the minimum security standards to be implemented by the Authority. However, through this section the legislature has linked the security standards contained in the IT Act to the information contained in this Act. While this is a clean way of dealing with the issue, some people may argue that the extremely sensitive nature of the information contained in the CIDR requires the standards for security to be much stricter than those provided in the IT Act. However, a perusal of Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 shows that the Rules themselves provide that the standard of security must be commensurate with the information assets being protected. It would thus seem that the Act provides enough room to protect such important information, but perhaps leaves too much room for interpretation for such an important issue.

Penalty for Unauthorised Access: Apart from the security provisions included in the legislation, the Aadhaar Act also provides for punishment of imprisonment of upto 3 years and a fine which shall not be less than Rs. 10,00,000/-, in case of the following offences:

introduction of any virus or other computer contaminant in the CIDR [36];
causing damage to the data in the CIDR [37];
disruption of access to the CIDR [38];
denial of access to any person who is authorised to access the CIDR [39];
destruction, deletion or alteration of any information stored in any removable storage media or in the CIDR or diminishing its value or utility or affecting it injuriously by any means [40];
stealing, concealing, destroying or altering any computer source code used by the Authority with an intention to cause damage [41].

Further, unauthorized usage or tampering with the data in the CIDR or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, is also punishable with imprisonment for a term which may extend to 3 years and also a fine which may extend to Rs. 10,000/- [42].

Accountability

Inspections and Audits: One of the functions listed in the powers and functions of the UIDAI is the power to call for information and records, conduct inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under the Aadhaar Act [43].

Grievance Redressal: Another function of the UIDAI is to set up facilitation centres and grievance redressal mechanisms for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers [44]. It must be said here that considering the importance that the government has given to and intends to give to Aadhaar in the future, an essential task such as grievance redressal should not be left entirely to the discretion of the UIDAI and some grievance redressal mechanism should be incorporated into the Act itself.

Openness

There does not seem to be any provision in the Aadhaar Act which requires the UIDAI to make its privacy policies and procedure available to the public in general even though the UIDAI has the responsibility to maintain the security and confidentiality of the information.

Endnotes

[1] A resident is defined as any person who has resided in India for a period of atleasy 182 days in the previous 12 months.

[2] It has been specified that demographic information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

[3] Section 3(1) of the Aadhaar Act.

[4] Section 32(1) and 32(3) of the Aadhaar Act.

[5] Section 36 of the Aadhaar Act.

[6] Section 3(2) of the Aadhaar Act.

[7] Section 41 of the Aadhaar Act.

[8] Section 8(3) of the Aadhaar Act.

[9] Section 41 of the Aadhaar Act.

[10] Section 6 of the Aadhaar Act.

[11] Section 28, proviso of the Aadhaar Act.

[12] Core biometric information is defined as fingerprints, iris scan or other biological attributes which may be specified by regulations.

[13] Section 31 of the Aadhaar Act.

[14] Section 32(2) of the Aadhaar Act.

[15] Section 8(4) of the Aadhaar Act.

[16] Section 10 of the Aadhaar Act.

[17] Section 29(1) of the Aadhaar Act.

[18] Section 29(2) of the Aadhaar Act.

[19] Section 29(3)(b) of the Aadhaar Act.

[20] Section 29(4) of the Aadhaar Act.

[21] Section 28(5) of the Aadhaar Act.

[22] Section 33(1) of the Aadhaar Act.

[23] Section 33(2) of the Aadhaar Act.

[24] Section 37 of the Aadhaar Act.

[25] Section 38(a) of the Aadhaar Act.

[26] Section 38(b) of the Aadhaar Act.

[27] Section 8(2)(a) and (c) of the Aadhaar Act.

[28] For example, see: http://www.karnataka.gov.in/aadhaar/Downloads /Application%20form%20-%20English.pdf.

[29] Section 8(2)(b) of the Aadhaar Act.

[30] Section 29(3)(a) of the Aadhaar Act.

[31] Section 37 of the Aadhaar Act.

[32] Section 28(1), (2) and (3) of the Aadhaar Act.

[33] Section 28(4)(a) and (b) of the Aadhaar Act.

[34] Section 28(4)(c) of the Aadhaar Act.

[35] Section 30 of the Aadhaar Act.

[36] Section 38(c) of the Aadhaar Act.

[37] Section 38(d) of the Aadhaar Act.

[38] Section 38(e) of the Aadhaar Act.

[39] Section 38(f) of the Aadhaar Act.

[40] Section 38(h) of the Aadhaar Act.

[41] Section 38(i) of the Aadhaar Act.

[42] Section 39 of the Aadhaar Act.

[43] Section 23(2)(l) of the Aadhaar Act.

[44] Section 23(2)(s) of the Aadhaar Act.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles

Analysing Latest List of Blocked Sites (Communalism & Rioting Edition)

pranesh — 2012-09-06T11:52:47Z

Pranesh Prakash does preliminary analysis on a leaked list of the websites blocked from August 18, 2012 till August 21, 2012 by the Indian government.

Note: This post will be updated as more analysis is done. Last update: 23:59 on August 22, 2012. This is being shared under a Creative Commons Attribution-NonCommercial licence.

How many items have been blocked?

There are a total of 309 specific items (those being URLs, Twitter accounts, img tags, blog posts, blogs, and a handful of websites) that have been blocked. This number is meaningless at one level, given that it doesn't differentiate between the blocking of an entire website (with dozens or hundreds of web pages) from the blocking of a single webpage. However, given that very few websites have been blocked at the domain-level, that number is still reasonably useful.

Please also note, we currently only have information related to what telecom companies and Internet Service Providers (ISPs) were asked to block till August 21, 2012. We do not have information on what individual web services have been asked to remove. That might take the total count much higher.

Why have these been blocked?

As far as I could determine, all of the blocked items have content (mostly videos and images have been targeted, but also some writings) that are related to communal issues and rioting. (Please note: I am not calling the content itself "communal" or "incitement to rioting", just that the content relates to communal issues and rioting.) This has been done in the context of the recent riots in Assam, Mumbai, UP, and the mass movement of people from Bangalore.

There were reports of parody Twitter accounts having been blocked. Preliminary analysis on the basis of available data show that parody Twitter accounts and satire sites have not been targetted solely for being satirical. For instance, very popular parody Twitter accounts, such as @DrYumYumSingh are not on any of the four orders circulated by the Department of Telecom. (I have no information on whether such parody accounts are being taken up directly with Twitter or not: just that they aren't being blocked at the ISP-level. Media reports indicate six accounts have been taken up with Twitter for being similar to the Prime Minister's Office's account.)

Are the blocks legitimate?

The goodness of the government's intentions seem, quite clearly in my estimation, to be unquestionable. Yet, even with the best intentions, there might be procedural illegalities and over-censorship.

There are circumstances in which freedom of speech and expression may legitimately be limited. The circumstances that existed in Bangalore could justifiably result in legitimate limitations on freedom of speech. For instance, I believe that temporary curbs — such as temporarily limiting SMSes & MMSes to a maximum of five each fifteen minutes for a period of two days — would have been helpful.

However it is unclear whether the government has exercised its powers responsibly in this circumstance. The blocking of many of the items on that list are legally questionable and morally indefensible, even while a some of the items ought, in my estimation, to be removed.

If the government has blocked these sites under s.69A of the Information Technology Act ("Power to Issue Directions for Blocking for Public Access of Any Information through any Computer Resource"), the persons and intermediaries hosting the content should have been notified provided 48 hours to respond (under Rule 8 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009). Even if the emergency provision (Rule 9) was used, the block issued on August 18, 2012, should have been introduced before the "Committee for Examination of Request" by August 20, 2012 (i.e., within 48 hours), and that committee should have notified the persons and intermediaries hosting the content.

Importantly, even though many of the items on that list are repugnant and do deserve (in my opinion) to be removed, ordering ISPs to block them is largely ineffectual. The people and companies hosting the material should have been asked to remove it, instead of ordering Internet service providers (ISPs) to block them. All larger sites have clear content removal policies, and encouraging communal tensions and hate speech generally wouldn't be tolerated. That this can be done without resort to the dreadful Intermediary Guidelines Rules (which were passed last year) shows that those Rules are unnecessary. It is our belief that those Rules are also unconstitutional.

Are there any egregious mistakes?

Yes, there are numerous such examples of egregious mistakes.

Most importantly, some even people and posts debunking rumours have been blocked.
Some of the Twitter accounts are of prominent people who write for the mainstream media, and who have written similar content offline. If their online content is being complained about, their offline content should be complained about too.
Quite a number of the links include articles published and reports broadcast in the mainstream media (including a Times Now report, a Telegraph picture gallery, etc.), and in print, making the blocks suspect. Only the online content seems to have been targeted for censorship.

There are numerous mistakes and inconsistencies that make blocking pointless and ineffectual.

Some of the items are not even web addresses (e.g., a few HTML img tags were included).
Some of the items they have tried to block do not even exist (e.g., one of the Wikipedia URLs).
An entire domain was blocked on Sunday, and a single post on that domain was blocked on Monday.
For some Facebook pages, the secure version (https://facebook.com/...) is listed, for others the non-secure version (http://facebook.com/...) is listed.
For some YouTube videos, the 'base' URL of YouTube videos is blocked, but for other the URL with various parameters (like the "&related=" parameter) is blocked. That means that even nominally 'blocked' videos will be freely accessible.

All in all, it is clear that the list was not compiled with sufficient care.

Despite a clear warning by the DIT that "above URLs only" should be blocked, and not "the main websites like www.facebook.com, www.youtube.com, www.twitter.com, etc.", it has been seen that some ISPs (like Airtel) have gone overboard in their blocking.

Why haven't you put up the whole list?

Given the sensitivity of the issue, we felt it would be premature to share the whole list. However, we strongly believe that transparency should be an integral part of all censorship. Hence, this analysis is an attempt to provide some much-needed transparency. We intend to make the entire list public soon, though. (Given how porous such information is, it is likely that someone else will procure the list, and release it sooner than us.)

Why can I still access many items that are supposed to be blocked?

One must keep in mind that fresh orders have been issued on a day-by-day basis, that there are numerous mistakes in the list making it difficult to apply (some of these mistakes have been mentioned above), and the fact that that this order has to be implemented by hundreds of ISPs.

Your ISP probably has not have got around to enforcing the blocks yet. At the time of this writing, most ISPs don't seem to be blocking yet. This analysis is based on the orders sent around to ISPs, and not on the basis of actual testing of how many of these have actually been blocked by Airtel, BSNL, Tata, etc.

Additionally, if you are using Twitter through a client (on your desktop, mobile, etc.) instead of the web interface, you will not notice any of the Twitter-related blocks.

So you are fine with censorship?

No. I believe that in some cases, the government has the legal authority to censor. Yet, exercising that legal authority is usually not productive, and in fact there are other, better ways of limiting the harms caused by speech and information than censorship. Limiting speech might even prove harmful in situations like these, if it ends up restricting people's ability to debunk false rumours. In a separate blog post (to be put up soon), I am examining how all of the government's responses have been flawed both legally and from the perspective of achieving the desired end.

So what should the government have done?

Given that the majority of the information it is targeting is on Facebook, Youtube, and Twitter, the government could have chosen to fight alongside those services to get content removed expeditiously, rather than fight against them. (There are some indications that the government might be working with these services, but it certainly isn't doing enough.)

For instance, it could have asked all of them to expedite their complaints mechanism for a few days, by ensuring that the complaints mechanism is run 24x7 and that they respond quickly to any complaint submitted about communal incitement, spreading of panic, etc. This does not need the passing of an order under any law, but requires good public relations skills and a desire not to treat internet services as enemies. The government could have encouraged regular users to flag false rumours and hate speech on these sites. On such occasions, social networking sites should step up and provide all lawful assistance that the government may require. They should also be more communicative in terms of the help they are providing to the government to curtail panic-inducing rumours and hate speech. (Such measures should largely be reactive, not proactive, to ensure legitimate speech doesn't get curtailed.)

The best antidote for the rumours that spread far and wide and caused a mass movement of people from Bangalore to the North-Eastern states would have been clear debunking of those rumours. Mass outreach to people in the North-East (very often the worried parents) and in Bangalore using SMSes and social media, debunking the very specific allegations and rumours that were floating around, would have been welcome. However, almost no government officials actually used social media platforms to reach out to people to debunk false information and reassure them. Even a Canadian interning in our organization got a reassuring SMS from the Canadian government.

It is indeed a pity that the government notified a social media engagement policy today, when the need for it was so very apparent all of the past week.

And what of all this talk of cybersecurity failure and cyber-wars?

Cybersecurity is indeed a cause of concern for India, but only charlatans and the ignorant would make any connection between India's cybersecurity and recent events. The role of Pakistan deserves a few words. Not many Pakistani websites / webpages have been blocked by the Indian government. Two of the Pakistani webpages that have been blocked are actually pages that debunk the fake images that have been doing the rounds in Pakistan for at least the past month. Even Indian websites like Kafila have noted these fake images long ago, and Ayesha Siddiqa wrote about this on August 5, 2012, and Yousuf Saeed wrote about it on August 13, 2012. Even while material that may have been uploaded from Pakistan, it seems highly unlikely they were targeted at an Indian audience, rather than a Pakistani or global one.

Domain	Total Number of Entries	Tuesday, August 21, 2012	Monday, August 20, 2012	Sunday, August 19, 2012	Saturday, August 18, 2012
ABC.net.au	1				1
AlJazeera.com	4		4
AllVoices.com	1				1
WN.com	1				1
AtjehCyber.net	1				1
BDCBurma.org	1	1
Bhaskar.com	1			1
Blogspot.com	4			3	1
Blogspot.in	7	1	3		3
Catholic.org	1			1
CentreRight.in	2	2
ColumnPK.com	1			1
Defence.pk	4		2	1	1
EthioMuslimsMedia.com	1				1
Facebook.com (HTTP)	75	36	7	18	14
Facebook.com (HTTPS)	27		3	23	1
Farazahmed.com	5	1			4
Firstpost.com	2		1	1
HaindavaKerelam.com	1			1
HiddenHarmonies.org	1		1
HinduJagruti.org	2		1	1
Hotklix.com	1			1
HumanRights-Iran.ir	2				2
Intichat.com	1	1
Irrawady.org	1			1
IslamabadTimesOnline.com	1				1
Issuu.com	1				1
JafriaNews.com	1				1
JihadWatch.org	2		2
KavkazCenter	1			1
MwmJawan.com	1				1
My.Opera.com	1	1
Njuice.com	1		1
OnIslam.net	1				1
PakAlertPress.com	1	1
Plus.Google.com	4				4
Reddit.com	1		1
Rina.in	1				1
SandeepWeb.com	1		1
SEAYouthSaySo.com	1				1
Sheikyermami.com	1				1
StormFront.org	1				1
Telegraph.co.uk	1				1
TheDailyNewsEgypt.com	1				1
TheFaultLines.com	1				1
ThePetitionSite.com	1	1
TheUnity.org	1				1
TimesofIndia.Indiatimes.com	1		1
TimesOfUmmah.com	1				1
Tribune.com.pk	1	1
Twitter.com (HTTP)	1			1
Twitter.com (HTTPS)	11			1	10
Twitter account	18		16	2
TwoCircles.net	2			2
Typepad.com	1		1
Vidiov.info	1		1
Wikipedia.org	3			3
Wordpress.com	8	1	3	2	2
YouTube.com	85	18	39	14	14
YouTu.be	1			1
Totals	309	65	88	80	75

The analysis has been cross-posted/quoted in the following places:

LiveMint (September 4, 2012)
The Hindu (August 26, 2012)
Wall Street Journal (August 25, 2012)
tech 2 (August 25, 2012)
China Post (August 25, 2012)
The Hindu (August 24, 2012)
LiveMint (August 24, 2012)
Global Voices (August 24, 2012)
Reuters (August 24, 2012)
Outlook (August 23, 2012)
FirstPost.India (August 23, 2012)
IBN Live (August 23, 2012)
News Click (August 23, 2012)
Medianama (August 23, 2012)
KAFILA (August 23, 2012)
CIOL (August 23, 2012)

For more details visit https://cis-india.org/internet-governance/blog/analysing-blocked-sites-riots-communalism

An Urgent Need for the Right to Privacy

sumandro — 2016-03-17T07:40:12Z

Along with a group of individuals and organisations from academia and civil society, we have drafted and are signatories to an open letter addressed to the Union government and urging the same to "urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations." Here we publish the text of the open letter. Please follow the link below to support it by joining the signatories.

Read and sign the open letter.

Text of the Open Letter

As our everyday lives are conducted increasingly through electronic communications the necessity for privacy protections has also increased. While several countries across the globe have recognised this by furthering the right to privacy of their citizens the Union Government has adopted a regressive attitude towards this core civil liberty. We urge the Union Government to take urgent measures to safeguard the right to privacy in India.

Our concerns are based on a continuing pattern of disregard for the right to privacy by several governments in the past. This trend has increased as can be plainly viewed from the following developments.

In 2015, the Attorney General in the case of *K.S. Puttaswamy v. Union of India*, argued before the Hon’ble Supreme Court that there is no right to privacy under the Constitution of India. The Hon'ble Court was persuaded to re-examine the basis of the right to privacy upsetting 45 years of judicial precedent. This has thrown the constitutional right to privacy in doubt and the several judgements that have been given under it. This includes the 1997 PUCL Telephone Tapping judgement as well. We urge the Union Government to take whatever steps are necessary and urge the Supreme Court to hold that a right to privacy exists under the Constitution of India.

Recently Mr. Arun Jaitley, Minister for Finance introduced the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This bill was passed on March 11, 2016 in the middle of budget discussion on a short notice as a money bill in the Lok Sabha when only 73 of 545 members were present. Its timing and introduction as a money bill prevents necessary scrutiny given the large privacy risks that arise under it. This version of the bill was never put up for public consultation and is being rushed through without adequate discussion. Even substantively it fails to give accountable privacy safeguards while making Aadhaar mandatory for availing any government subsidy, benefit, or service.

We urge the Union Government to urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations. We encourage the Government to have extensive public discussions on the Aadhaar Bill before notifying it. We further call upon them to constitute a drafting committee with members of civil society to draft a comprehensive statute as suggested by the Justice A.P. Shah Committee Report of 2012.

Signatories:

Amber Sinha, the Centre for Internet and Society
Japreet Grewal, the Centre for Internet and Society
Joshita Pai, Centre for Communication Governance, National Law University
Raman Jit Singh Chima, Access Now
Sarvjeet Singh, Centre for Communication Governance, National Law University
Sumandro Chattapadhyay, the Centre for Internet and Society
Sunil Abraham, the Centre for Internet and Society
Vanya Rakesh, the Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy

An Overview of DNA Labs in India

shilpa — 2016-02-02T13:11:31Z

DNA fingerprinting has become the most precise and technologically advanced method for identifying crimes such as murder, kidnapping, robbery and rape. Police and judicial authorities and in some cases even private parties retain this in their records, writes Shilpa in this blog post.

At present, India does not have a national law that empowers the government to collect and store DNA profiles of convicts but if the Parliament of India passes the DNA Profiling Bill,[1] 2007, India will soon join countries such as the US and UK in creating a national DNA database.[2] Government, CBI and organizations connected with the investigation process argue that data retention is necessary to combat terrorism and crime. According to Google Transparency Report [3] for the first half of 2010, India had 1,430 data requests, which made it one of the top nations in generating government inquiries for information.

In this blog I am citing my interviews with DNA labs, Issues regarding lab samples and data, and DNA Profiling Bill 2007 on lab practices. I am thankful to Anthony Jackson and Dr. Helen Wallace, Executive Director from Gene watch UK who helped me with the questionnaire for survey interview.

Interviews with DNA labs

I interviewed few government as well as private labs to find out how DNA practices are being carried out. This was to highlight ways in which DNA testing raises privacy concerns.

In public labs, DNA testing is used for the forensic purposes only. These labs are funded by the government whereas private labs deal with legal as well as private purposes. DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited are some leading private firms involved in DNA testing.

Dr. Madhusudan Reddy Nandineni, who is the Scientist and In-charge of the Centre for DNA Fingerprinting and Diagnostics (CDFD) talked about the working of DNA practise and services provided by their laboratory. “CDFD located in Hyderabad is an autonomous institution supported by the Department of Biotechnology and Ministry of Science. CDFD provides services for DNA testing for establishment of parentage, identification of mutilated remains, establishment of biological relationships for immigration, organ transplantation, property inheritance cases, identification of missing children and child swapping in hospitals, identification of rapists in rape cases, and murderers in murder cases. CDFD assists police personnel, forensic scientists, lawyers and the judiciary”, says Dr. Madhusudan Nandineni over a telephonic interview.

The ND Tiwari Case (Published in the Deccan Herald, 24 July 2011)
Eighty-five-year-old leader ND Tiwari was asked to undergo a DNA test in the paternity suit filed by Rohit Shekhar who claims to be his biological son. The high court asked the Centre for DNA Fingerprinting and Diagontics (CDFD) at Hyderabad to conduct a DNA test on Tiwari.[4] Also refusing to grant any relief to Tiwari, the court said that considering the age of the leader, it is necessary to have a DNA test so that the Rohit Shekhar is not left without any remedy if something happens to Tiwari. The court said that it is the right of a child to know his or her biological father.[5]

Dr. BK Mahapatra, Assistant Director, Biology & DNA Finger printing Unit at Central Forensic Science Laboratory, Delhi says “CFSL undertakes cases referred by CBI, Delhi police, judiciary, vigilance department of ministries, public undertakings and state/central government departments. We don’t contract with private laboratory to do a DNA testing. We accept all type of DNA cases submissions like criminal, known, unknown, etc. CFSL saves DNA samples for re-testing, however, for this we do have a privacy policy followed by National Accreditation Board for Testing and Calibration Laboratories (NABL). It is an autonomous body under the aegis of the Department of Science and Technology, Government of India and is registered under the Societies Act”, he clarified.

In a telephonic interview with Ravi Kiran Reddy, DNA expert, DLI a, tells us about the services provided and security supervise by the laboratory. “DLI provides services for paternity testing, forensic testing, prenatal testing, and genetic testing. DLI contracted with a private laboratory to do DNA testing. We accept all DNA cases like suicide attempts, cases from Indian Army, etc. DLI saves DNA samples for re-testing for six months and if necessary for life time and a database is also maintained. He further said that to protect and secure database, bar coding is being prepared and therefore, no identity is revealed.

Some of the labs refused to participate in the research exercise like the truth labs. Truth Labs is a private lab that provides legal services directly, without a court or police order.[6] Another private laboratory which provides DNA testing is Bio-Axis DNA Research Centre. It also provide various DNA Identification services for private purposes, legal purposes, peace of mind, confidential purposes, immigration purposes, crime investigation and human identification purposes.[7]

Issues Regarding Lab Samples and Data

Readers may have heard of rapists being caught because of a match between a suspect's DNA and sperm left behind in a victim. Or, as often the case, an innocent person may be released because the DNA of that person does not match that found in a crime scene.[8]

Possibility of Framing Innocents: Kshitij Urs, an Action Aid said, “There can be some problems if one were to rely too much on DNA databases in the criminal justice system as DNA evidence can be planted in a crime scene intentionally”, in an event organised by CIS.
Insecurity of Centralised Storage: With DNA tests, a patient's medical file will contain information they would prefer to be confidential. But the whole idea of general DNA testing will only be effective if the data is stored in a single electronic database, which makes the confidentiality problem extremely pressing. For example, the results of DNA testing might reveal that a person who is legally a child's father isn't really his biological father.[9]
Other Privacy Concerns: DNA contains information that raises a much broader privacy and other civil liberties concerns. It can tell investigators about ourselves, our family members, diseases we may have inherited our physical attributes and broad ancestry. Genetic information can be used in all sorts of discriminatory ways.[10]

What can be done?
There should be a DNA retention policy to protect an individual. It will identify personal data which has to be maintained and contain guidelines for how long certain documents should be kept and how they should be destroyed.[11] In the situation of DNA collection and testing privacy cannot be protected simply through consent from an individual. Instead the law must permit specific thresholds to be established in order to cover the privacy needs of different situations. DNA profiling Bill 2007 will regulate the use of DNA profiles which is pending in the Parliament.

DNA Profiling Bill 2007 on Lab Practices

According to the DNA Profiling Bill there are certain rules for the DNA laboratories which are followed by these labs.

Prohibition for undertaking DNA procedures: It states that DNA laboratories have to take prior permission from the DNA Profiling Board to undertake any DNA procedures.
Security and minimize contamination: There should be proper facility of security and minimize contamination of DNA samples.
Confidentiality, Access to DNA Profiles, Samples and Records: DNA Profiling Bill states that all DNA profiles, samples and records forwarded to the DNA laboratory or any authority of the lab has to be kept confidential.
Use of DNA profiles, samples and records: All DNA profiles, samples and records should be used only for facilitating identification of the perpetrator(s) of a specified offence and also to identify victims of accidents, disasters or missing persons or for such other purposes.
Authorised Access: It also says that information stored on the DNA database system may be accessed by the authorized persons for the purposes of forensic comparison permitted under this Act, administering the DNA database system, accessing any information contained in it by law enforcement officers or any other persons, as may be prescribed, in accordance with provisions of any law for the time being in force, inquest or inquiry.
Restrictions on use of information on DNA profiles, samples and data identification records: Laboratory cannot use the information for any purpose other than the purpose for which the communication or access is permitted.
Destruction, alterations, contamination, tampering with biological evidence: The Bill states that whoever knowingly or intentionally destroys alters, contaminates or tampers with biological evidence will be punishable with imprisonment for a term which may extend to five years, or with fine not exceeding twenty thousand rupees, or with both.[12]

Conclusion

Currently the Bill allows for the complete storage of DNA of criminals, suspects, victims, offenders and volunteers.
There are no standard practices for data retention across lab. Thereby there is an increased risk that data might fall in wrong hands and information may also be misused. Therefore, DNA databases should be restricted to be stored for not more than a limited time period. Such indefinite retention of the DNA profiles of innocent individuals is a disproportionate and unnecessary interference with an individual’s right to privacy.
DNA labs in India have numerous constraints and operating in different level. Therefore, India has to be having even more carefully designed laws.

List of Laboratories

Central Forensic Science Laboratory, Delhi
Dr. BK Mahapatra
Associate Biology Division
Ph: 9312523536, 24360095
Mail: ssofs_dfs@dfs.gov.in

Centre For Fingerprinting and Diagnostics (CDFD), Hyderabad
Dr. Madhusudan Nandineni
Scientist and In-charge
Ph: 24749331, 24749330
Mail: dsp@cdfd.org.in

DNA Labs India, Hyderabad
Ravi Kiran Reddy
Ph: 9395142800
Mail: info@dnalabsindia.org

Bio-Axis DNA Research Centre
Ph: 9246338983
Mail: drc@dnares.in

Truth Labs, Hyderabad
Ph: 9490690222, 04023390999
Mail: gandhi@truthlabs.org

Notes

[1]http://timesofindia.indiatimes.com/topic/DNA-Profiling-Bill

[2]http://www.gene-watch.org/blog/post/India-May-Soon-Have-a-National-DNA-Database.aspx

[3]Amy Miller, “Google’s new tool shows which countries are censoring the internet” http://www.law.com/jsp/cc/PubArticleCC.jsp?id=1202472346375

[4]Paternity case: No relief for N D Tiwari as Supreme Court allows DNA test http://www.indianexpress.com/news/paternity-case-no-relief-for-n-d-tiwari-as/762146/

[5]Paternity case: ND Tiwari to provide blood sample for DNA test http://www.deccanherald.com/content/165408/paternity-case-nd-tiwari-provide.html

[6]http://www.truthlabs.org/

[7]Bio-Axis Research Centre, http://www.dnatestinginindia.ewebsite.com

[8]Sujatha Byravan , A public, private database http://www.indiatogether.org/2009/sep/hrt-dnadb.htm

[9]Vibhor Verdhan, Data Retention Policies- An Emerging Requirement & Various Compliances http://www.legalserviceindia.com/article/l428-Data-Retention-Policies.html

[10]Andrei Kislyakov , DNA testing: pros & cons http://en.rian.ru/analysis/20090104/119294260.html

[11]Vibhor Verdhan, Data Retention Policies- An Emerging Requirement & Various Compliances

[12]DNA Profiling Bill http://dbtindia.nic.in/DNA_Bill.pdf

Click here for the Survey Questions

Deoxyribonucleic acid (DNA) is the main constituent of the chromosomes of all organisms, and is found in the form of a double helix within the nucleus of every somatic cell. Consequently, a small sample of human body cells can be decoded to reveal a pattern that is shared only by a genetically identical twin. The DNA of each individual does not change during his lifetime. This technique is commonly used in police investigations and is termed ‘DNA fingerprinting. For more see the Wikipedia definition of DNA.

For more details visit https://cis-india.org/internet-governance/blog/privacy/dna-overview

An Open Digital Global South: Risks and Rewards

praskrishna — 2017-04-12T14:25:39Z

Pranesh Prakash will be speaking at a conference to be organized by UC Davis Law School on May 25 and 26, 2017, in California, USA.

The event is open to the public. Please register here.

This conference explores the promises and risks of openness in scholarship in relationship to the Global South. Scholars increasingly are under pressure to make their work “open” through sharing their research as reusable open data and open source software, and making their publications open access. Scholarly “openness”—for example, open data, open access, open source—is intended to facilitate the free flow of information, to address barriers to access, and to foster global intellectual conversations. Do attempts at promoting openness in scholarship create new forms of exclusion or hierarchy? How are Southern scholars and publishers’ experiences with open access and open data taken into account within conversations on developing standards and models for open access and open data in the Global North? What are the unanticipated risks created through the implementation of models for open data or open access?

For more info click here

For more details visit https://cis-india.org/internet-governance/news/an-open-digital-global-south-risks-and-rewards

An Introduction to the Issues in Internet Governance

smarika — 2014-04-22T02:47:04Z

That the internet cannot be governed was a central conviction of the early architects of the internet. In many ways it proved true when a majority of nation-States were kept off interference with the functioning of the internet. However with growing popularity of the internet, countries of the world are increasingly vying for control over it. This has become especially significant with the involvement of developing nations into the power struggle.

With the proposal by India at the UNGA to form a Committee for Internet-Related Policies, there has emerged the widespread fear of “UN overtake of the internet,” and internet governance has become a major focus for internet users in the third world.

The present blog post is a humble attempt to canvass the controversies in the arena of internet governance (IG). These controversies broadly focus around the institutional structures to govern the internet. Here, I first discuss the evolution of these models against the historical background of IG and then proceed to present criticisms of each of these models, with an emphasis on the interests of the regular internet user.

Where It All Started: The World Summit on Information Society

Discussions on IG took an international flavor with the convening of the World Summit on Information Society (WSIS) in Geneva in mid-2002. The Summit originally had an agenda to construct better telecommunications infrastructure in developing nations to erase the digital divide, as reflected in the self-declared purpose of WSIS as “ to harness the potential of knowledge and technology to promote the development Goals of the Millenium Declaration.” But this agenda was modified in two important ways as WSIS progressed. First, the focus was expanded from mere improvement of infrastructure to a variety of human rights issues involving communications, like freedom of speech and privacy, which came to be known as internet public policy issues. Second, a new dominant agenda of technical governance of the internet emerged.

A New Mode of Governance: multi-stakeholderism on the Internet

Subsequent to the first WSIS phase in Geneva, the Working Group on Internet Governance (WGIG) Report confirmed the larger policy issues concerning the internet rather than mere improvement of telecommunications infrastructure, as an aspect of IG by choosing a broad definition of IG, which included both creation of public policy and technical governance. The Geneva Declaration of 2003, which resulted from the 2002 WSIS process, held that internet governance “should involve all stakeholders and relevant intergovernmental and international organizations.” This multi-stakeholder model for governance with involvement of nation-State participants was reflective of the largely networked management of the internet till the time, and hence pretty revolutionary. The Geneva Declaration however did tone down its revolutionary flavor by dividing the areas of governance concerns between the different multi-stakeholders such that the public policy role was assigned to the nation-States. It said, at para 49:

a. “Policy authority for Internet-related public policy issues is the sovereign right of States. They have rights and responsibilities for international Internet-related public policy issues;
b. The private sector has had and should continue to have an important role in the development of the Internet, both in the technical and economic fields;
c. Civil society has also played an important role on Internet matters, especially at community level, and should continue to play such a role;
d. Intergovernmental organizations have had and should continue to have a facilitating role in the coordination of Internet-related public policy issues;
e. International organizations have also had and should continue to have an important role in the development of Internet-related technical standards and relevant policies.”

This was reaffirmed in 2005 by the Tunis Agenda at para 35. Thus a sectorally-defined multi-stakeholderism for internet governance was agreed upon with traditional forms of State security being protected from large-scale erosion.

Enhanced Co-operation to Govern the Internet

The Tunis Agenda further called for a process called “enhanced co-operation” to enable governments frame international public policy issues related to the internet, but not in the day-to-day technical and operational matters, as follows:

“69. We further recognize the need for enhanced cooperation in the future, to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues.”

The scope of enhanced co-operation however, was not strictly limited to framing of public policy issues of socio-cultural nature, like privacy and freedom of expression on the internet. The Tunis Agenda, in fact, recognizes that enhanced co-operation should include framing of principles on public policy issues related to the CIRs. Such principles are proposed to be global in scope:

“70. Using relevant international organizations, such cooperation should include the development of globally-applicable principles on public policy issues associated with the coordination and management of critical Internet resources. In this regard, we call upon the organizations responsible for essential tasks associated with the Internet to contribute to creating an environment that facilitates this development of public policy principles.”

What about the ICANN? : The Problem of US Oversight

As mentioned earlier, during the WSIS process technical governance emerged as an important part of internet governance. And a major feature of technical governance comprised of the control of the organization which administers significant technical aspects of the internet, which was the ICANN.

ICANN is the body largely understood to manage what later came to be known as Critical Internet Resources (CIRs); in other words the basic internet infrastructure. ICANN is a non-profit corporation with a multi-stakeholder model, incorporated under Californian laws in 1998 upon the directive of the US Department of Commerce. Its main functions include the allocation of address blocks to the Regional Internet Registries, coordinating assignment of unique protocol numbers, the management of DNS root zone file.

These functions however are performed under US political oversight under the IANA contract which ICANN has with the U.S. Government. Consequently all edits made to the root zone file must be audited and approved by the U.S. Department of Commerce (DoC). This means that any addition or removal of a top-level domain (TLD) must have the approval of DoC. It includes the addition or removal of country-code top level domains (ccTLDs) like .in or .uk. Next there is the DoC contract with Verisign, the US- based corporation which owns the master root server and owns the .com and .net TLDs. This contract requires Verisign to implement all the technical coordination decisions made through ICANN and follow the US Executive directives regarding the root zone file.

The problem is that this political oversight by the US government is not taken very well by the other countries. Why should a single State exercise unilateral power over such important resources which seemingly have the potential to blackout the internet in any part of the world? We all want a share in control over the CIRs, the other States argue. US unilaterism makes functioning of ICANN too arbitrary and it is in US State interests to keep ICANN least accountable, others argue. Add to it the empirical evidence of abuse of its oversight function by the US government, and the legitimacy of the argument is enhanced enormously. However resolving the question of how ICANN should be managed, is a matter of great controversy and none too easy.

Nonetheless it is very important to note that it would be rather naïve to equate the problem of internet governance to the issue of ICANN oversight. Internet governance comprises of both issues: of freedom, privacy, access to knowledge and other aspects of the internet affecting human rights- what is known as internet public policy, as well as technical governance, one of whose aspects is the management of CIRs, and of which ICANN oversight is an important part.

The Oversight-Policy Connection: He Who Manages the CIRs Controls Policy on the Internet

It is fine to say that States will make public policy while sticking to a form of multi-stakeholder model, but none of it holds much ground unless models for implementation of such policy are secured. This is where the issues of technical governance, like ICANN oversight and the framing of public policy on the internet get linked. A procedure to allocate address blocks or separation of registries or registrars raises questions of competition policy. Editing of root zone files can have impact on national economies over the world and be tied with problems of digital divide like multilingualism on the internet. Issue of new TLDs brings forth considerations about trademark law and policy. New DNS securitization regimes have the potential to hamper national security! In the words of Milton Mueller, “To enforce public policy upon the Internet is to regulate technical and operational matters (and vice-versa).”

In such a scenario, every step to further enhanced co-operation ultimately gets focused upon the ICANN oversight issue, as the latter, with its authority over the management of CIRs, lies at the core of any attempt to frame public policy for the internet. And so in the subsequent post the focus will be on the various models proposed for ICANN oversight and their respective criticisms. Not least because all of the models proposed for ICANN oversight tie up with one or the other model proposed to further enhanced co-operation.

“Democratise the Internet”: Involve All Nation-States and Only Nation-States

In the last post, I discussed how enhanced co-operation to achieve a mechanism for internet governance under the Tunis Agenda can be classified into two broad portions: development of public policy and a mechanism for technical governance; and how ICANN oversight constitutes an important part of technical governance. I further discussed the relationship between internet public policy and technical governance and how it is impossible to frame or implement relevant public policy without an understanding and control over technical aspects constituting the internet.

In the present post, I embark upon an analysis of the various governance models which are suggested for the management of ICANN. Even though ICANN management is only a small segment of enhanced co-operation, I think there exist a number of parallels between models suggested for the accountability of ICANN and models for furthering the broader process of enhanced co-operation. Therefore an understanding of governance models for ICANN can also significantly enhance one’s understanding of models for enhanced co-operation, and it is to this end that the following exercise is undertaken. Here, I have also tried to link broader models for enhanced co-operation to models for ICANN oversight to aid this understanding; however yet again I do strongly warn against equating enhanced co-operation to the administration of ICANN.

Though multiplicity of proposed governance mechanisms abound, four broad models are popularly debated with regard to oversight upon ICANN. The basic idea behind each of these models is to remove the arbitrariness associated with the ICANN (currently in the form of US unilateral oversight), which as discussed earlier is the central problem with it. Consequently each model offers some rationale about how it can reduce power sans accountability of the ICANN over the CIRs. However none of these models seems to offer the common ground for negotiations for all the stakeholders involved in IG due to various issues with each of them.

I discuss the first model along with its pros and cons in the present post.

Model I: Oversight by an Intergovernmental Organisation

Parallel Enhanced Co-operation Model: International Telecommunications Union (ITU)

This model proposes that the oversight function over ICANN by the US Government be replaced by an organization composed of the nation-State representatives from countries all around the world.

Pros

The following arguments are usually advanced in favour of such a model.

Democratising the oversight mechanism: It is argued that such a model would be helpful in making the oversight function democratic, as all the governments of the world would now be represented in the oversight regime.
Giving nation-States power to enforce public policy: It is argued that by having an intergovernmental oversight mechanism, the governments of the world would be adequately able to exercise their sovereign right as per the Geneva Declaration, i.e. making public policy for the internet.
Curtailing the power of non-State actors to make policy decisions: It is argued that by having an intergovernmental oversight mechanism, non-State actors would be prevented from making public policy decisions via technical governance, which private interests and unelected representatives should not have the power to do.
Making use of international law to produce accountability: The current ICANN regime functions in US and is subject to US laws, which those outside the US, deem to be not a great situation. It is obvious that such dissatisfaction arises from the fact that US laws are subject to change by the US Congress, which non-US nationals have no representation in. The argument therefore is to use international law, which is global in scope in order to govern ICANN, rather than a country-specific law.

The ITU is an enhanced co-operation model in this regard, as it provides the intergovernmental mechanism which the above model for ICANN oversight envisions. It is supported by the more countries like China and Russia, which lay store by Statist institutions. Though no formal takeover of the ICANN by the ITU has been agreed to, or even the use of ITU as such, to make public policy for the internet, in pursuance of enhanced co-operation, the Temporary Document-64, containing proposals for the amendment of ITRs to expand ITU’s scope to the internet at the upcoming World Congress on Information Technology in November 2012, seems to advocate for such a mechanism. Although it is to be noted that there are no comments regarding ITU’s role social policy issues on the web, like censorship.

Cons

The intergovernmental oversight/enhanced co-operation model is however criticized on the following grounds.

Erosion of bottom-up processes: It is argued that the intergovernmental model of oversight is a stark degradation of the bottom-up processes on which the internet has been built and flourished. In other words, intergovernmental oversight is likely to hamper democratic management of CIRs, as on the international arena, States represent their interest as States (interests like national security and defence concerns) and not the interests of their citizens. Add to this the fact that not all States of the world are democratically elected, and one begins to see a major anti-democracy stance in this model. In such a scenario it is likely that the CIR management process would be used to further geopolitical rivalries between nation-States rather than promote public interest.
International law is not carved in citizens’ interests: This is an extension of the previous argument as it says that international law has been structured to serve the interests of sovereign powers and not that of individual citizens, a.k.a. internet users. Institutions under international law for protecting human rights are not strong and the relevant processes are slow and ineffective. Additionally, it is argued that in case ICANN is internationalized, it will be subject purely to the whims of the governments of the world and will have even less accountability.
Intergovernmental oversight will slow down technical processes: From the viewpoint of the technical community, intergovernmental oversight will slow down technical functioning and decision-making by miring it in layers of bureaucracy. Such a structure would be in stark contrast with the very architectural rationale of the internet: a free and fast medium of communication realised by the end-to-end principle. It will also slow down the growth of the internet and is likely to overturn decades of hard work by the technical community with the use of Veto powers in every stage of decision-making by the oversight committee and limited understanding of the internet architecture.
Promotion of traditional communications industry at behest of internet industry: It is also largely perceived that the most nation-States in the world, with strong lobbies for traditional communications industry will use their power in ICANN oversight to retard the growth of internet communications. A recent example is the case of Ethiopia where use of VOIP services can be punished with upto 15 years in prison, in order to preserve the State-owned telephone monopoly. With ITU as the parallel enhanced-co-operation model this threat becomes even more severe as ITU is dominated by giant telecom companies which will push to no end to restrict competition from the internet sector.
Fragmentation of global internet into national internets: This is a worst-case scenario envisioned by the critics who believe that this model has the potential to fragment the one global internet into a multitude of nationally regulated internets, because of the high level of power given to nation-States, who would try to strengthen their sovereignty claims over the internet. Some steps in this direction have already been set in motion by the Chinese government, underlining that the threat of such a worst-case scenario may be very real.

The next post analyses another model for ICANN governance: a hierarchical multi-stakeholder model, and which by analogy can be extended to a model for enhanced co-operation.

Call for Multi-stakeholder Governance (With The Appropriate Regulation)

In the last post I discussed the pros and cons of an intergovernmental model for ensuring accountability of the ICANN. In this post, I analyse the second broad model of oversight of ICANN by a hierarchical multi-stakeholder organization. By analogy, a parallel model for enhanced co-operation would be the Committee On Internet Related Policies proposed by India at the UN.

Model II: Oversight by a Hierarchical multi-stakeholder Organisation

Parallel Enhanced Co-operation Model: Committee on Internet Related Policies (CIRP)

This model was developed to temper the unlimited power of nation-States in the intergovernmental oversight model. The simple idea here is add more stakeholders into the oversight mechanism process so that the national governments are held accountable to the other stakeholders and vice-versa. Although a major departure from previous governance models by allowing for the participation of all stakeholders in the governance process, this model still predicates itself upon the nation-State hegemony. This it does by assigning decision-making privileges only to the States, while the other stakeholders are relegated to a position where they can participate only in policy discussion processes.

The UN Committee on Internet-Related Policies (CIRP) proposed by the Indian government is a model which embodies the above structure of functioning in matters of enhanced co-operation. It proposes the formation of four advisory bodies involving the stakeholders identified by the Tunis Agenda i.e. the Civil Society, the Private Sector, Inter-Governmental and International Organisations, and the Technical and Academic Community. These four advisory bodies would discuss policy issues and inputs from each of these bodies would then be submitted to the CIRP which would be composed of representatives of 50 nation-States, chosen or elected on the basis of equitable geographical representation. The CIRP would report annually to the UN General Assembly to present its recommendations.

However, many aspects of the CIRP proposal still remain unclear: for example- the budgetary structure, its relationship with the ICANN and the questionable need for an advisory body composed of international and intergovernmental organisations for a committee already composed of nation-States.

However taking into account that a CIRP-like model embodying the hierarchical multi-stakeholder structure does have the potential to discharge the ICANN oversight function, a broad analysis can be made regarding its pros and cons, without going into the fine details of the CIRP proposal specifically.

Pros

In support of the hierarchical multi-stakeholder model, certain additional arguments are made apart from the arguments already made in favour of an intergovernmental model for ICANN oversight. These are as following:

Strengthening bottom-up processes: It is argued that such a model takes into account and preserves the multi-stakeholder structure upon which the internet has been built and thrived. Involvement of all stakeholders in internet governance is further deemed to be important to understand various aspects of the internet in terms of technical functioning and community impact, and to preserve the free flow of information—areas which might not be fully understood by nation-States. Hence, being informed by the relevant stakeholders in this regard would be crucial to good policy-making processes by consolidating bottom-up processes in internet governance.

Control on unlimited power of nation-States: It is argued that such a multi-stakeholder model is also important to curtail the power of nation-States to dominate the internet as has been the case with other traditional media. The potential of the internet lies in the low-cost tools of communication to a global audience that it provides an individual user. This potential however is always under the threat of erosion by Statist interests, which would typically like to control the information flowing into their jurisdiction by putting forth the argument of sovereignty. A multi-stakeholder model in such a scenario, can act as a check upon the furtherance of the interests of nation-States, which cannot always be equated to public interest, especially with concerns like freedom of expression and privacy.

Optimum model for internet governance: A pragmatist argument in favour of the present model is that it is perhaps the only model which in the present scenario, nation-States around the world would perhaps agree to, and which at the same time would optimize benefits for other stakeholders by involving them in an unprecedented international governance model. The alternative to this model in the current political scenario, it is opined, can only be strict regulations by a intergovernmental organization or the continuance of US unilateralism, both of which are undesirable options compared to the present model. The basic drift of the argument being that something is better than nothing.

Cons

The hierarchical multi-stakeholder model of internet governance however comes under criticism upon the following grounds:

Problems in recognition of stakeholders: A recurring problem with regard to any multi-stakeholder model is how to define who constitutes “a stakeholder” in internet governance. This problem was encountered even during the IGF constitution process, where the proposal for election of multi-stakeholder representatives to the MAG was swept off in favour of the nomination of the members. In a multi-stakeholder model therefore, deciding who can participate in the policy process as a “stakeholder” remains a tough task. In this context, a civil society representative may end up participating in the policy process without having the support or recognition of the civil society. Another perspective may even ask if nation-States can be deemed as stakeholders in internet governance. The problem of who defines, legitimizes and authorizes “a stakeholder” to be one then comes increasingly to fore.
Failure to provide a useful check upon Statist power: Though the present multi-stakeholder model claims to confine unlimited Statist power on the future of the internet, the question is does it really help in achieving the same? Because the ultimate policy decision making power in such a model lies with the nation-States themselves. Which implies that substantive power would still lie with nation-States who are likely to use it aggressively to further their interests. The multi-stakeholder structure then manages to be reduced to a mere symbol for bottom-up processes, but in fact fails to ensure the implementation of the same.

In the subsequent post, I discuss the advantages and disadvantages of another model for ICANN governance: an equal-footing multi-stakeholder model, and which by analogy can be extended to a model for enhanced co-operation.

Equality in Multi-stakeholderism: How Great Is That Idea?

I have discussed previously the pros and cons of an intergovernmental model and a hierarchical multi-stakeholder model for the management of ICANN, and by analogy for the furtherance of enhanced co-operation. In this post, I analyse a third broad model of oversight of ICANN by an equal-footing multi-stakeholder organization.

Model III: Oversight by a Equal-Footing Multi-stakeholder Organisation

Parallel Enhanced Co-operation Model: Internet Governance Forum (IGF)

Model III is a modification of Model II in that it allows for the participation of all stakeholders in not just policy deliberation but also policy decision. Apart from the argument that policy decisions should be confined to nation-States who are the representatives of their citizens, it cannot be denied that a political inertia prevails for the non-involvement of other stakeholders in decision-making processes as any such move would be unprecedented. At the December 2010 UNCSTD conference, it was argued by India that the involvement of stakeholders apart from the nation-State representatives in the finalization of policy would be in contradiction to UN procedural rules. The question then arises why such a multi-stakeholder body cannot be relegated to an extra-UN forum. Pursuant to this, some critics of the hierarchical multi-stakeholder model have suggested the expansion of the mandate of the Internet Governance Forum (IGF) to decision-making processes. Though the IGF is convened by the CSTD, which is a part of the ECOSOC, it is not a body falling under UN umbrella and has flexible procedures which grant each stakeholder an equal footing in policy discussion. Private sector and civil society discuss policy with nation-State representatives on an equal status. The IGF however, is perceived to be a largely dying forum as it does not presently have the power to further enhanced co-operation, i.e. it cannot take decisions with respect to internet policy. This has heightened the sense of dissatisfaction with IGF especially among the newly developing countries, who have come to view the IGF as a mechanism to foster the status quo which is favourable to the developed nations, particularly the US. Expansion of IGF mandate to policy decision-making could however mean that an enhanced co-operation mechanism including an oversight body for ICANN is put into place within an equal-footing multi-stakeholder model.

Pros

Arguments in favour of such model build up as following:

True multi-stakeholder participation: The present model seems to offer what the hierarchical multi-stakeholder model couldn’t—that is, the participation of all stakeholders at all levels of policy making.
Effective checks on nation-State power: By ensuring the participation of all stakeholders in policy discussion and decision processes, the equal-footing multi-stakeholder model effectively checks the power of each stakeholder in unilaterally advancing its own interests.

Cons

But all is not pink and perfect even here. The criticisms of this model run as following:

Use of unelected representatives in decision-making: The problem of recognition of stakeholder representatives has already been outlined earlier. The equal-footing multi-stakeholder model seems to compound this problem by additionally giving the stakeholders whose legitimacy is questionable, a say in the decision-making process. This has been criticized as undemocratic. The involvement of the private sector in decision-making further aggravates those who have seen liberalisation and globalization deepening the economic divide and enabling covert violations of human rights in the garb of “development.”

Allocation of votes: If all stakeholders are indeed involved in the decision-making process, it remains an issue whether each of them should be granted an equal vote. Should private interests be granted the same voting power as the civil society which purports to act in public benefit? Should both of these be granted equal voting power as nation-States, which traditionally have had exclusivity over governance at international settings? These questions remain unresolved.
Failure of consensual decision-making: An alternative to policy decision-making by voting in Model III can be policy decision-making by consensus. It is however argued that involvement of all stakeholders with largely polar interests in decision-making will never produce a consensus, and forestall decision-making altogether: The inability of the IGF, an equal footing multi-stakeholder body, to reach agreement on governance issues, which has led to reduced faith and participation in such a model is often cited in this regard. It is argued that in such instances the use of the nation-State as a mediator between these contradictory interests is essential—a suggestion which relegates one back to Model II. However it is important to note that such an argument naively assumes nation-States to be too benign entities with their agenda being public interest exclusively. It cannot be forgotten that many nation-States of the world have not even been born out of democratic processes like universal adult franchise; and even the most liberal of democratic States do enact questionable laws repressive of basic human rights and freedoms.

A subsequent post analyses the last broad model for ICANN governance: the replacement of oversight function by participatory accountability mechanisms.

Governance by Participatory Accountability Mechanisms

In the last few posts, I have analysed the advantages and disadvantages of an intergovernmental model, a hierarchical multi-stakeholder model, and an equal-footing multi-stakeholder model for the management of ICANN. The last post in this series discusses the fourth and last model in this respect- a model which proposes the replacement of ICANN oversight by participatory accountability mechanisms. It is important to note that at present it cannot be said that a parallel enhanced co-operation model has been formally proposed for this model of ICANN accountability. Therefore this model remains specific only to ICANN oversight, and does not by extension cover enhanced co-operation.

Model IV: Replacement of Oversight by Participatory Accountability Mechanisms

Parallel Enhanced Co-operation Model: None

Model IV envisions the complete removal of oversight function over ICANN by making it an independent body. The idea is to make ICANN self-regulating.

There are however, two variants of this model which are suggested in this regard. The first envisions slight modifications to the status quo by persuading the US government to release control over ICANN via the IANA contract and also eliminating the role of the Governmental Advisory Committee (GAC). Moreover, the reviews system under the Affirmation of Commitments (AoCs) needs to be strengthened so that ICANN keeps respecting the basic principles on internet freedom while discharging its technical functions. This proposal supports the usage of the current RIR mechanism for addressing public policy issues in technical governance. RIR refers to a Regional Internet Registry, each of which has its own technical community which considers such issues. The difference here from regular policy-making is that public policy questions would be answered keeping in mind technical feasibility. This is an approach which seems to be working for the past decade, and has led to the conclusion of policies which suit regional concerns specifically. For example in the ARIN region, residential privacy concerns cause that information be redacted from the public WHOIS directory per community developed policy. It can further be noted that good policies tend to get adapted across all RIRs.

The proponents of this first variant of Model IV exist especially within the internet technical community, which argues that the simplest solution to technical governance is to remove governmental interference in ICANN processes by any nation-State anywhere in the world, thus leaving technical governance entirely to the technical community, who are people who understand and can provide solutions for the technical structure of the internet the best. It is thought among this group that the existing internal administrative processes of ICANN are sufficient to ensure good governance

The second variant suggests the removal of oversight function by replacing it with a membership-at-large structure for the ICANN. This would mean that any interested individual from anywhere in the world could apply to be a Board member in the ICANN and participate in the decisions which it makes. It calls for dissolution of the GAC and the participation of nation-State reps via the Supporting Organisations of the ICANN. It further mandates that an international agreement be undertaken whereby nation-States agree not to interfere in the functioning of ICANN or use it for censorship purposes. Though as a negotiating point for nation-States, it proposes that the control of ccTLDs be transferred to the national governments who should be allowed to exercise complete sovereignty over them. In short, this variant seems to propose two parallel running regimes for the internet: one embodying the global internet, another comprising of a bunch of nationally-controlled internets under the ccTLD domains.

The proponents of this second variant are largely skeptical for governmental and bureaucratic forces. At the same time, they are concerned about potential corruption rising within the ICANN due to unregulated market influences and call for reforms within the ICANN administration which would make it directly accountable to people who use the internet all over the world.

Both these variants of Model IV envision governmental involvement as supportive of a shared legal framework which upholds accountability in the ICANN, and provides non-State actors a legal basis for settling important disputes, at the same time leaving larger internet policy questions out of the framework and focusing on only the technical issues.

Thus by limiting itself to technical policy issues is specific to the ICANN oversight problem, Model IV proposal does not extend to the larger internet public policy issues which come up in conjunction with enhanced co-operation. Hence there is no potential overall enhanced co-operation model parallel to it—an issue which Model IV suggests dealing with separately.

Pros

To summarise, the following arguments are put forth in favour of Model IV.

The Don’t Fix What is Not Broken Argument: This is the other pole to the purely intergovernmental oversight/enhanced co-operation model. The drift is that since the internet functions fine the way it is now without the involvement of governments, especially in the case of technical governance, why change to fix it. The problem with this argument being that it is not exactly true, and is perhaps too US-centric.

Hand-in-hand Technical and Policy Decision-making: The close involvement of the internet technical community in the policy-making process in this model would help to bring technical and public policy issues together. The problem with involvement of governments in technical policy-decision making process is that they tend to ignore the technical feasibility of their policy implications. The technical community on its part resents such political interference (that is not always internet-oriented) into technical matters which has the potential to nullify decades of hard work by the community. It is thus argued that removal of any patronizing oversight under Model IV would bring about smooth framing of technical policies by inclusion of the “technical” aspects.

Invocation of Participatory Democracy: Proponents of Model IV show little faith in the politics of representative democracy for the securitization of best interests of the citizens. This model therefore, prides itself in establishing a mechanism of participatory democracy via either the RIRs or the ICANN Board memberships-at-large variations, either of which it is believed, will help users of the internet participate directly in internet governance, while keeping in mind regional variations in concerns regarding governance issues.

Need for Principles over Redistribution of Power: Another argument which comes to the support of this model is that it intends to provide a set of principles to bring accountability to technical governance, rather than merely using multiple players to diffuse the power of the other. The argument here is that mere induction of a number of nation-States (like in Model I) or additional stakeholders (like in Models II and III) would not be of much consequence to contain unilateral power unless proper mechanisms for accountability are put into place. Rather, the addition of more stakeholders without guiding principles agreed upon by everyone is likely to make things worse for the abuse of power would then be possible by more actors.

Best Option in Absence of Globally Agreed Principles: This is a pragmatic argument for the first variation of Model IV. It entails that in the absence of any globally-acceptable principles of technical governance, this proposal is the most acceptable. The technical community especially feels that without global consensus of principles for technical governance, any talk about changing the existing mechanisms, which seems to be working decently, is an unhelpful approach.

Cons

But not everyone agrees with these arguments. The following criticisms are made with regard to Model IV.

Influence of jurisdiction of incorporation: The criticism here is that as long as ICANN is a private corporation incorporated in a particular jurisdiction, the laws and the executive policies of that jurisdiction would be enforced against ICANN, thus providing the relevant State a unilateral power to influence ICANN’s technical decisions. A counter-proposal in this regard however suggests that ICANN be protected from such jurisdictional interference via immunities under an international agreement.
Inadequacy of an Affirmation of Commitments structure: The AoCs structure particularly does not find much support with developing nations, because it seems to be a unilateral declaration without much force of law in the international scenario. It is demanded that something more than an agreement between the government of a particular country and a private corporation incorporated in that country be sought to protect the interests of internet users worldwide.
Excessive power to the technical community: Some of the critics view the present model to be excessively favorable to the internet technical community, which has strong bonds with the private sector in the internet industry. They see the involvement of the technical community in policy decisions as unnecessary and as a leeway for potential abuse by monopolization of such functions.

The four models discussed above present a very broad view of the conflicts present in the entire project of internet governance. There are infinitesimal other details associated with the task of governance which have an impact on how we are able to use the internet, but which could not be presented here in all their detail. As an unprecedented transnational medium of communication, the internet challenges the very idea of modern governance, which is enmeshed in the hierarchical nation-State framework. How we rise to this challenge will be consequential in determining whether a new technology with the potential of completely free flow of information across any boundaries can be preserved, or whether traditional boundaries of regulation succeed in moulding the internet to its form. Or whether in the process, both the technology and our idea of governance will be transformed in ways hitherto unknown.

For more details visit https://cis-india.org/internet-governance/issues-in-internet-governance

An Introduction to Bitfilm and Bitcoin – A Discussion by Aaron Koenig

praskrishna — 2013-02-05T10:14:54Z

The Centre for Internet & Society, Bangalore invites you to a talk by Aaron Koenig, Managing Director, Bitfilm Networks of Hamburg, Germany on January 23, 2013, from 7.00 p.m. to 9.00 p.m.

The Talk

Aaron Koenig will give a talk on the creation and use of Bitcoin, a new digital currency and payment system designed for the voting process of the Bitfilm Festival for Digital Film. Since the year 2000, the Bitfilm Festival has been showcasing films that use digital technology in a creative and innovative way. It takes place on the Internet. However, physical screenings of the films will be held in Bangalore and in Hamburg. Each of the 59 nominated digital animations has its own Bitcoin account, and users worldwide may vote by donating Bitcoins to the films they like anonymously and without any transfer costs. The donated money will be divided among the most popular films (the films with the most votes/Bitcoins).

Aaron will also present an animated short about Bitcoin which he has produced with an animation team based in Bangalore. Of course, the animators were paid in Bitcoin.

More info on the Bitfilm Festival: http://www.bitfilm.com/festival
More info on Bitcoin: http://blink.li/current-issue

VIDEO

Aaron Koenig

Aaron is the Managing Director of Bitfilm. He has run the organization since 1999. He is a vibrant member of art and film societies and an Entrepreneur. Currently engaged with Bitfilm.com, Aaron also publishes a political magazine called BLINK.

For more details visit https://cis-india.org/internet-governance/events/bitfilm-and-bitcoin-a-discussion-by-aaron-koenig

We are anonymous, we are legion

Analyzing the Latest List of Blocked Sites (Communalism and Rioting Edition) Part II

Analyzing the Draft Human DNA Profiling Bill 2012

Analytics to help govt read public mood online

Analysis: Data Protection in India - Getting It Right

Existing Provisions

Right to Privacy

Viable Roadmap

GDPR as a Model

Analysis of the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and Implications for India

1. Introduction

2. Analysis of the Recommendations

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

3. Conclusion

List of Acronyms

Analysis of Key Provisions of the Aadhaar Act Regulations

Introduction

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations[1]

Provision: Sub-Regulation 3.

Observations:

Provision: Sub-Regulation 8 (5)

Observations:

Provision: Sub-Regulation 14 (4)

Observations:

Unique Identification Authority of India (Enrolment and Update) Regulations[4]

Provisions:

Observations:

Provision: Sub-Regulation 32

Observations:

Aadhaar (Authentication) Regulations, 2016[6]

Provisions:

Observations:

Sub-Regulation 11 (1) and (4)

Observations:

Provision: Sub-Regulation 18 (2), (3) and (4)

Observations:

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016[7]

Provision: Sub-Regulation 6 (1)

Observations:

Conclusion

Analysis of ICANN revenue shows ambiguity in their records

Analysis of DIT's Response to Second RTI on Website Blocking

What the DIT's Response Tells Us, and What It Doesn't

Conflicting Data on Censorship Requests

Content Removal vs. Content Blocking

Role of the Indian Penal Code and Code of Criminal Procedure

Police Are Defeating the Constitution and the IT Act

DIT Either Evasive or Not Following Rules

Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles

Introduction

Analysis of the Aadhaar Act

Collection Limitation

Notice

Access and Correction

Disclosure

Consent

Purpose

Security

Accountability

Openness

Endnotes

Analysing Latest List of Blocked Sites (Communalism & Rioting Edition)

How many items have been blocked?

Why have these been blocked?

Are the blocks legitimate?

Are there any egregious mistakes?

Why haven't you put up the whole list?

Why can I still access many items that are supposed to be blocked?

So you are fine with censorship?

So what should the government have done?

And what of all this talk of cybersecurity failure and cyber-wars?

An Urgent Need for the Right to Privacy

Read and sign the open letter.

Text of the Open Letter

An Overview of DNA Labs in India

Interviews with DNA labs

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations^{^[1]}

Unique Identification Authority of India (Enrolment and Update) Regulations^{^[4]}

Aadhaar (Authentication) Regulations, 2016^{^[6]}

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016^{^[7]}