We are anonymous, we are legion

A Deep Dive into Content Takedown Timeframes

torsha — 2020-06-26T11:59:06Z

Since the 1990s, internet usage has seen a massive growth, facilitated in part, by growing importance of intermediaries, that act as gateways to the internet. Intermediaries such as Internet Service Providers (ISPs), web-hosting providers, social-media platforms and search engines provide key services which propel social, economic and political development. However, these developments are also offset by instances of users engaging with the platforms in an unlawful manner. The scale and openness of the internet makes regulating such behaviour challenging, and in turn pose several interrelated policy questions.

In this report, we will consider one such question by examining the appropriate time frame for an intermediary to respond to a government content removal request. The way legislations around the world choose to frame this answer has wider ramifications on issues of free speech and ease of carrying out operations for intermediaries. Through the course of our research, we found, for instance:

An one-size-fits-all model for illegal content may not be productive. The issue of regulating liability online contain several nuances, which must be considered for more holistic law-making. If regulation is made with only the tech incumbents in mind, then the ramifications of the same would become incredibly burdensome for the smaller companies in the market.
Determining an appropriate turnaround time for an intermediary must also consider the nature and impact of the content in question. For instance, the Impact Assessment on the Proposal for a Regulation of the European Parliament and of the Council on preventing the dissemination of terrorist content online cites research that shows that one-third of all links to Daesh propaganda were disseminated within the first one-hour of its appearance, and three-fourths of these links were shared within four hours of their release. This was the basic rationale for the subsequent enactment of the EU Terrorism Regulation, which proposed an one-hour time-frame for intermediaries to remove terrorist content.
Understanding the impact of specific turnaround times on intermediaries requires the law to introduce in-built transparency reporting mechanisms. Such an exercise, performed periodically, generates useful feedback, which can be, in turn used to improve the system.

Corrigendum: Please note that in the section concerning 'Regulation on Preventing the Dissemination of Terrorist Content Online', the report mentions that the Regulation has been 'passed in 2019'. At the time of writing the report, the Regulation had only been passed in the European Parliament, and as of May 2020, is currently in the process of a trilogue.

Disclosure: CIS is a recipient of research grants from Facebook India.

Click to download the research paper by Torsha Sarkar (with research assistance from Keying Geng and Merrin Muhammed Ashraf; edited by Elonnai Hickok, Akriti Bopanna, and Gurshabad Grover; inputs from Tanaya Rajwade)

For more details visit https://cis-india.org/internet-governance/blog/torsha-sarkar-november-30-2019-a-deep-dive-into-content-takedown-timeframes

A dangerous trend: social media adds fire to Muzaffarnagar clashes

praskrishna — 2013-09-12T10:50:26Z

As access to the Internet grows, especially in small Indian towns and cities, social media has revealed a darker side as a hatred-mongering tool capable of setting off serious violence.

This article by Zia Haq was published in the Hindustan Times on September 9, 2013. Sunil Abraham is quoted.

Malicious content, such as fake YouTube videos and morphed photographs, are usually spread rapidly to trigger rioting.

In UP’s Muzzafarnagar, a video clip purportedly showing a Muslim mob lynching two boys, which police now suspect is from neighboring Pakistan or Afghanistan, was used to stir unease, deepening hatred between Muslims and Hindus.

A series of rioting in western UP district has left at least 41 dead. The circulation of the video had led to violence spreading to new areas. The fake video that escalated clashes portends a new trend in India’s discordant politics.

“From word of mouth, communal polarization, especially by Hindutva organisations, is now moving online. This is a dangerous trend since the Internet is very potent,” said Prof Badri Narayan of the GB Pant Social Science Institute, Allahabad.

Research shows social media sites, including sites like Facebook, Twitter and YouTube, are more persuasive than television ads. Nearly 100 million Indians use the Internet each day, more than Germany’s population. Of this, 40 million have assured broadband, the ones who mostly subscribe to social-media accounts.

The country also has about 87 million mobile-Internet users, according to Internet and Mobile Association of India.

UP’s police have blocked the video, invoking sections under 420 (forgery), 153-A (promoting enmity on religious grounds) and 120-B (conspiracy) of the Indian Penal Code, along with section 66 of the Information Technology Act.

Section 66, however, is the heart of a free-speech debate. Activists say section 66 has been used at the drop of a hat.

Last November, two Mumbai girls faced arrests for questioning the city’s shutdown for Shiv Sena leader Bal Thackeray’s funeral. The arrests were declared illegal after being roundly criticised, including by the Supreme Court.

“In this case, the government has a legitimate reason to censor speech. However, this requires the authorities to very focused and action should be targeted, rather than sweeping,” said Sunil Abraham of the Bangalore-based The Centre for Internet and Society.

The government’s action, Abraham said, tended to be broad-based. He said in such situations, the government could use public-service messaging to present the alternate view.

“Legal provisions could be made whereby Twitter users from India, for example, (compulsorily) see the public service message by default when they log in,” Abraham said.

For more details visit https://cis-india.org/news/hindustan-times-september-9-2013-zia-haq-a-dangerous-trend

A Critique of Consent in Information Privacy

Amber Sinha and Scott Mason — 2016-01-18T02:20:10Z

The idea of informed consent in privacy law is supposed to ensure the autonomy of an individual in any exercise which involves sharing of the individual's personal information. Consent is usually taken through a document, a privacy notice, signed or otherwise agreed to by the participant.

Notice and Consent as cornerstone of privacy law
The privacy notice, which is the primary subject of this article, conveys all pertinent information, including risks and benefits to the participant, and in the possession of such knowledge, they can make an informed choice about whether to participate or not.

Most modern laws and data privacy principles seek to focus on individual control. In this context, the definition by the late Alan Westin, former Professor of Public Law & Government Emeritus, Columbia University, which characterises privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other," ^{^[1]} is most apt. The idea of privacy as control is what finds articulation in data protection policies across jurisdictions beginning from the Fair Information Practice Principles (FIPP) from the United States. ^{^[2]} Paul Schwarz, the Jefferson E. Peyser Professor at UC Berkeley School of Law and a Director of the Berkeley Center for Law and Technology, called the FIPP the building blocks of modern information privacy law. ^{^[3]} These principles trace their history to a report called 'Records, Computers and Rights of Citizens'^{^[4]} prepared by an Advisory Committee appointed by the US Department of Health, Education and Welfare in 1973 in response to the increasing automation in data systems containing information about individuals. The Committee's mandate was to "explore the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number."^{^[5]} The most important legacy of this report was the articulation of five principles which would not only play a significant role in the privacy laws in US but also inform data protection law in most privacy regimes internationally^{^[6]} like the OECD Privacy Guidelines, the EU Data Protection Principles, the FTC Privacy Principles, APEC Framework or the nine National Privacy Principles articulated by the Justice A P Shah Committee Report which are reflected in the Privacy Bill, 2014 in India. Fred Cate, the C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law, effectively summarises the import of all of these privacy regimes as follows:

"All of these data protection instruments reflect the same approach: tell individuals what data you wish to collect or use, give them a choice, grant them access, secure those data with appropriate technologies and procedures, and be subject to third-party enforcement if you fail to comply with these requirements or individuals' expressed preferences"^{^[7]}

This makes the individual empowered and allows them to weigh their own interests in exercising their consent. The allure of this paradigm is that in one elegant stroke, it seeks to "ensure that consent is informed and free and thereby also to implement an acceptable tradeoff between privacy and competing concerns."^{^[8]} This system was originally intended to be only one of the multiple ways in data processing would be governed, along with other substantive principles such as data quality, however, it soon became the dominant and often the only mechanism.^{^[9]} In recent years however, the emergence of Big Data and the nascent development of the Internet of Things has led many commentators to begin questioning the workability of consent as a principle of privacy. ^{^[10]} In this article we will look closely at the some of issues with the concept of informed consent, and how these notions have become more acute in recent years. Following an analysis of these issues, we will conclude by arguing that today consent, as the cornerstone of privacy law, may in fact be thought of as counter-productive and that a rethinking of a principle based approach to privacy may be necessary.

Problems with Consent

To a certain extent, there are some cognitive problems that have always existed with the issue of informed consent such as long and difficult to understand privacy notices,^{^[11]} although, in recent past with these problems have become much more aggravated. Fred Cate points out that FIPPs at their inception were broad principles which included both substantive and procedural aspects. However, as they were translated into national laws, the emphasis remained on the procedural aspect of notice and consent. From the idea of individual or societal welfare as the goals of privacy, the focus had shifted to individual control.^{^[12]} With data collection occurring with every use of online services, and complex data sets being created, it is humanly impossible to exercise rational decision-making about the choice to allow someone to use our personal data. The thrust of Big Data technologies is that the value of data resides not in its primary purposes but in its numerous secondary purposes where data is re-used many times over. ^{^[13]} In that sense, the very idea of Big Data conflicts with the data minimization principle.^{^[14]} The idea is to retain as much data as possible for secondary uses. Since, these secondary uses are, by their nature, unanticipated, its runs counter to the the very idea of the purpose limitation principle. ^{^[15]} The notice and consent requirement has simply led to a proliferation of long and complex privacy notices which are seldom read and even more rarely understood. We will articulate some issues with privacy notices which have always existed, and have only become more exacerbated in the context of Big Data and the Internet of Things.

1. Failure to read/access privacy notices

The notice and consent principle relies on the ability of the individual to make an informed choice after reading the privacy notice. The purpose of a privacy notice is to act as a public announcement of the internal practices on collection, processing, retention and sharing of information and make the user aware of the same.^{^[16]} However, in order to do so the individual must first be able to access the privacy notices in an intelligible format and read them. Privacy notices come in various forms, ranging from documents posted as privacy policies on a website, to click through notices in a mobile app, to signs posted in public spaces informing about the presence of CCTV cameras. ^{^[17]}

In order for the principle of notice and consent to work, the privacy notices need to be made available in a language understood by the user. As per estimates, about 840 million people (11% of the world population) can speak or understand English. However, most privacy notices online are not available in the local language in different regions.^{^[18]} Further, with the ubiquity of smartphones and advent of Internet of Things, constrained interfaces on mobile screens and wearables make the privacy notices extremely difficult to read. It must be remembered that privacy notices often run into several pages, and smaller screens effectively ensure that most users do not read through them. Further, connected wearable devices often have "little or no interfaces that readily permit choices." ^{^[19]} As more and more devices are connected, this problem will only get more pronounced. Imagine in a world where refrigerators act as the intermediary disclosing information to your doctor or supermarket, at what point does the data subject step in and exercise consent.^{^[20]}

Another aspect that needs to be understood is that unlike earlier when data collectors were far and few in between, the user could theoretically make a rational choice taking into account the purpose of data collection. However, in the world of Big Data, consent often needs to be provided while the user is trying to access services. In that context click through privacy notices such as those required to access online application, are treated simply as an impediment that must be crossed in order to get access to services. The fact that the consent need to be given in real time almost always results in disregarding what the privacy notices say.^{^[21]}

Finally, some scholars have argued that while individual control over data may be appealing in theory, it merely gives an illusion of enhanced privacy but not the reality of meaningful choice.^{^[22]} Research demonstrates that the presence of the term 'privacy policy' leads people to the false assumption that if a company has a privacy policy in place, it automatically means presence of substantive and responsible limits on how data is handled.^{^[23]} Joseph Turow, the Robert Lewis Shayon Professor of Communication at the Annenberg School for Communication, and his team for example has demonstrated how "[w]hen consumers see the term 'privacy policy,' they believe that their personal information will be protected in specific ways; in particular, they assume that a website that advertises a privacy policy will not share their personal information."^{^[24]} In reality, however, privacy policies are more likely to serve as liability disclaimers for companies than any kind of guarantee of privacy for consumers. Most people tend to ignore privacy policies.^{^[25]} Cass Sunstein states that our cognitive capacity to make choices and take decisions is limited. When faced with an overwhelming number of choices to make, most of us do not read privacy notices and resort to default options.[26] The requirement to make choices, sometimes several times in a day, imposes significant burden on the consumers as well the business seeking such consent. ^{^[27]}

2. Failure to understand privacy notices

FTC chairperson Edith Ramirez stated: "In my mind, the question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice."^{^[28]} Privacy notices often come in the form of long legal documents much to the detriment of the readers' ability to understand them. These policies are "long, complicated, full of jargon and change frequently."^{^[29]} Kent walker list five problems that privacy notices typically suffer from - a) overkill - long and repetitive text in small print, b) irrelevance - describing situations of little concern to most consumers, c) opacity - broad terms the reflect the truth that is impossible to track and control all the information collected and stored, d) non-comparability - simplification required to achieve comparability will lead to compromising accuracy, and e) inflexibility - failure to keep pace with new business models.^{^[30]} Erik Sherman did a review of twenty three corporate privacy notices and mapped them against three indices which give approximate level of education necessary to understand text on a first read. His results show that most of policies can only be understood on the first read by people of a grade level of 15 or above. ^{^[31]} FTC Chairperson Timothy Muris summed up the problem with long privacy notices when he said, "Acres of trees died to produce a blizzard of barely comprehensible privacy notices." ^{^[32]}

Margaret Jane Radin, the former Henry King Ransom Professor of Law Emerita at the University of Michigan, provides a good definition of free consent. It "involves a knowing understanding of what one is doing in a context in which it is actually

possible for or to do otherwise, and an affirmative action in doing something, rather

than a merely passive acquiescence in accepting something."^{^[33]} There have been various proposals advocating a more succinct and simpler standard for privacy notices,^{^[34]} or multi-layered notices^{^[35]} or representing the information in the form of a table. ^{^[36]} However, studies show only an insignificant improvement in the understanding by consumers when privacy policies are represented in graphic formats like tables and labels. ^{^[37]} It has also been pointed out that it is impossible to convey complex data policies in simple and clear language.^{^[38]}

3. Failure to anticipate/comprehend the consequences of consent

Today's infinitely complex and labyrinthine data ecosystem is beyond the comprehension of most ordinary users. Despite a growing willingness to share information online, most have no understanding of what happens to their data once they have uploaded it - Where it goes? Whom it is held by? Under what conditions? For what purpose? Or how might it be used, aggregated, hacked, or leaked in the future? For the most part, the above operations are "invisible, managed at distant centers, from behind the scenes, by unmanned powers."^{^[39]}

The perceived opportunities and benefits of Big Data have led to an acceptance of the indiscriminate collection of as much data as possible as well as the retention of that data for unspecified future analysis. For many advocates, such practices are absolutely essential if Big Data is to deliver on its promises.. Experts have argued that key privacy principles particularly those of collection limitation, data minimization and purpose limitation should not be applied to Big Data processing.^{^[40]} As mentioned above, in the case of Big Data, the value of the data collected comes often not from its primary purpose but from its secondary uses. Deriving value from datasets involves amalgamating diverse datasets and executing speculative and exploratory kinds of analysis in order to discover hidden insights and correlations that might have previously gone unnoticed.^{^[41]} As such organizations are today routinely reprocessing data collected from individuals for purposes not directly related to the services they provide to the customer. These secondary uses of data are becoming increasingly valuable sources of revenue for companies as the value of data in and of itself continues to rise. ^{^[42]}

Purpose Limitation

The principle of purpose limitation has served as a key component of data protection for decades. Purposes given for the processing of users' data should be given at the time of collection and consent and should be "specified, explicit and legitimate". In practice however, reasons given typically include phrases such as, 'for marketing purposes' or 'to improve the user experience' that are vague and open to interpretation. ^{^[43]}

Some commentators whilst conceding the fact that purpose limitation in the era of Big Data may not be possible have instead attempted to emphasise the notion of 'compatible use' requirements. In the view of Working Party on the protection of individuals with regard to the processing of person data, for example, use of data for a purpose other than that originally stated at the point of collection should be subject to a case-by-case review of whether not further processing for different purpose is justifiable - i.e., compatible with the original purpose. Such a review may take into account for example, the context in which the data was originally collected, the nature or sensitivity of the data involved, and the existence of relevant safeguards to insure fair processing of the data and prevent undue harm to the data subject.^{^[44]}

On the other hand, Big Data advocates have argued that an assessment of legitimate interest rather than compatibility with the initial purpose is far better suited to Big Data processing.^{^[45]} They argue that today the notion of purpose limitation has become outdated. Whereas previously data was collected largely as a by-product of the purpose for which it was being collected. If for example, we opted to use a service the information we provided was for the most part necessary to enable the provision of that service. Today however, the utility of data is no longer restricted to the primary purpose for which it is collected but can be used to provide all kinds of secondary services and resources, reduce waste, increase efficiency and improve decision-making.^{^[46]} These kinds of positive externalities, Big Data advocates insist, are only made possible by the reprocessing of data.

Unfortunately for the notion of consent the nature of these secondary purposes are rarely evident at the time of collection. Instead the true value of the data can often only be revealed when it is amalgamated with other diverse datasets and subjected to various forms of analysis to help reveal hidden and non-obvious correlations and insights.^{^[47]} The uncertain and speculative value of data therefore means that it is impossible to provide "specific, explicit, and legitimate" details about how a given data set will be used or how it might be aggregated in future. Without this crucial information data subjects have no basis upon which they can make an informed decision about whether or not to provide consent. Robert Sloan and Richard Warner argue that it is impossible for a privacy notice to contain enough information to enable free consent. They argue that current data collection practices are highly complex and that these practices involve collection of information at one stage for one purpose and then retain, analyze, and distribute it for a variety of other purposes in unpredictable ways. ^{^[48]} Helen Nissenbaum points to the ever changing nature of data flow and the cognitive challenges it poses. "Even if, for a given moment, a

snapshot of the information flows could be grasped, the realm is in constant flux, with new firms entering the picture, new analytics, and new back end contracts forged: in other words, we are dealing with a recursive capacity that is indefinitely extensible." ^{^[49]}

Scale and Aggregation

Today the quantity of data being generated is expanding at an exponential rate. From smartphones and televisions, trains and airplanes, sensor-equipped buildings and even the infrastructures of our cities, data now streams constantly from almost every sector and function of daily life, 'creating countless new digital puddles, lakes, tributaries and oceans of information'.^{^[50]} In 2011 it was estimated that the quantity of data produced globally would surpass 1.8 zettabytes , by 2013 that had grown to 4 zettabytes , and with the nascent development of the Internet of Things gathering pace, these trends are set to continue. ^{^[51]} Big Data by its very nature requires the collection and processing of very large and very diverse data sets. Unlike other forms scientific research and analysis which utilize various sampling techniques to identify and target the types of data most useful to the research questions, Big Data instead seeks to gather as much data as possible, in order to achieve full resolution of the phenomenon being studied, a task made much easier in recent years as a result of the proliferation of internet enabled devices and the growth of the Internet of Things. This goal of attaining comprehensive coverage exists in tension however with the key privacy principles of collection limitation and data minimization which seek to limit both the quantity and variety of data collected about an individual to the absolute minimum. ^{^[52]}

The dilution of the purpose limitation principle entails that even those who understand privacy notices and are capable of making rational choices about it, cannot conceptualize how their data will be aggregated and possibly used or re-used. Seemingly innocuous bits of data revealed at different stages could be combined to reveal sensitive information about the individual. Daniel Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School, in his book, "The Digital Person", calls it the aggregation effect. He argues that the ingenuity of the data mining techniques and the insights and predictions that could be made by it render any cost-benefit analysis that an individual could make ineffectual. ^{^[53]}

4. Failure to opt-out

The traditional choice against the collection of personal data that users have had access to, at least in theory, is the option to 'opt-out' of certain services. This draws from the free market theory that individuals exercise their free will when they use services and always have the option of opting out, thus, arguing against regulation but relying on the collective wisdom of the market to weed out harms. The notion that the provision of data should be a matter of personal choice on the part of the individual and that the individual can, if they chose decide to 'opt-out' of data collection, for example by ceasing use of a particular service, is an important component of privacy and data protection frameworks. The proliferation of internet-enabled devices, their integration into the built environment and the real-time nature of data collection and analysis however are beginning to undermine this concept. For many critics of Big Data, the ubiquity of data collection points as well as the compulsory provision of data as a prerequisite for the access and use of many key online services, is making opting-out of data collection not only impractical but in some cases impossible. ^{^[54]}

Whilst sceptics may object that individuals are still free to stop using services that require data. As online connectivity becomes increasingly important to participation in modern life, the choice to withdraw completely is becoming less of a genuine choice. ^{^[55]} Information flows not only from the individuals it is about but also from what other people say about them. Financial transactions made online or via debit/credit cards can be analysed to derive further information about the individual. If opting-out makes you look anti-social, criminal, or unethical, the claims that we are exercising free will seems murky and leads one to wonder whether we are dealing with coercive technologies.

Another issue with the consent and opt-out paradigm is the binary nature of the choice. This binary nature of consent makes a mockery of the notion that consent can function as an effective tool of personal data management. What it effectively means is that one can either agree with the long privacy notices, or choose to abandon the desired service. "This binary choice is not what the privacy architects envisioned four decades ago when they imagined empowered individuals making informed decisions about the processing of their personal data. In practice, it certainly is not the optimal mechanism to ensure that either information privacy or the free flow of information is being protected." ^{^[56]}

Conclusion: 'Notice and Consent' is counter-productive

There continues to be an unwillingness amongst many privacy advocates to concede that the concept of consent is fundamentally broken, as Simon Davies, a privacy advocate based in London, comments 'to do so could be seen as giving ground to the data vultures', and risks further weakening an already dangerously fragile privacy framework.^{^[57]} Nevertheless, as we begin to transition into an era of ubiquitous data collection, evidence is becoming stronger that consent is not simply ineffective, but may in some instances might be counter-productive to the goals of privacy and data protection.

As already noted, the notion that privacy agreements produce anything like truly informed consent has long since been discredited; given this fact, one may ask for whose benefit such agreements are created? One may justifiably argue that far from being for the benefit and protection of users, privacy agreement may in fact be fundamentally to the benefit of data brokers, who having gained the consent of users can act with near impunity in their use of the data collected. Thus, an overly narrow focus on the necessity of consent at the point of collection, risks diverting our attention from the arguably more important issue of how our data is stored, analysed and distributed by data brokers following its collection. ^{^[58]}

Furthermore, given the often complicated and cumbersome processes involved in gathering consent from users, some have raised concerns that the mechanisms put in place to garner consent could themselves morph into surveillance mechanisms. Davies, for example cites the case of the EU Cookie Directive, which required websites to gain consent for the collection of cookies. Davies observes how, 'a proper audit and compliance element in the system could require the processing of even more data than the original unregulated web traffic. Even if it was possible for consumers to use some kind of gateway intermediary to manage the consent requests, the resulting data collection would be overwhelming''. Thus in many instances there exists a fundamental tension between the requirement placed on companies to gather consent and the equally important principle of data minimization. ^{^[59]}

Given the above issues with notice and informed consent in the context of information privacy, and the fact that it is counterproductive to the larger goals of privacy law, it is important to revisit the principle or rights based approach to data protection, and consider a paradigm shift where one moves to a risk based approach that takes into account the actual threats of sharing data rather than relying on what has proved to be an ineffectual system of individual control. We will be dealing with some of these issues in a follow up to this article.

^{^[1]} Alan Westin, Privacy and Freedom, Atheneum, New York, 2015.

^{^[2]} FTC Fair Information Practice Principles (FIPP) available at https://www.it.cornell.edu/policies/infoprivacy/principles.cfm.

^{^[3]} Paul M. Schwartz, "Privacy and Democracy in Cyberspace," 52 Vanderbilt Law Review 1607, 1614 (1999).

^{^[4]} US Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, available at http://www.justice.gov/opcl/docs/rec-com-rights.pdf

^{^[5]} https://epic.org/privacy/ppsc1977report/c13.htm .

^{^[6]} Marc Rotenberg, "Fair Information Practices and the Architecture of Privacy: What Larry Doesn't Get," available at https://journals.law.stanford.edu/sites/default/files/stanford-technology-law-review/online/rotenberg-fair-info-practices.pdf

^{^[7]} Fred Cate, The Failure of Information Practice Principles, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1156972

^{^[8]} Robert Sloan and Richard Warner, Beyong Notice and Choice: Privacy, Norms and Consent, 2014, available at https://www.suffolk.edu/documents/jhtl_publications/SloanWarner.pdf

^{^[9]} Fred Cate, Viktor Schoenberger, Notice and Consent in a world of Big Data, available at http://idpl.oxfordjournals.org/content/3/2/67.abstract

^{^[10]} Daniel Solove, Privacy self-management and consent dilemma, 2013 available at http://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2093&context=faculty_publications

^{^[11]} Ben Campbell, Informed consent in developing countries: Myth or Reality, available at https://www.dartmouth.edu/~ethics/docs/Campbell_informedconsent.pdf ;

^{^[12]} Supra Note 7.

^{^[13]} Viktor Mayer Schoenberger and Kenneth Cukier, Big Data: A Revolution that will transform how we live, work and think" John Murray, London, 2013 at 153.

^{^[14]} The Data Minimization principle requires organizations to limit the collection of personal data to the minimum extent necessary to obtain their legitimate purpose and to delete data no longer required.

^{^[15]} Omer Tene and Jules Polonetsky, "Big Data for All: Privacy and User Control in the Age of Analytics," SSRN Scholarly Paper, available at http://papers.ssrn.com/abstract=2149364

^{^[16]} Florian Schaub, R. Balebako et al, "A Design Space for effective privacy notices" available at https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

^{^[17]} Daniel Solove, The Digital Person: Technology and Privacy in the Information Age, NYU Press, 2006.

^{^[18]} http://www.ethnologue.com/statistics/size

^{^[19]} Opening Remarks of FTC Chairperson Edith Ramirez Privacy and the IoT: Navigating Policy Issues International Consumer Electronics Show Las Vegas, Nevada January 6, 2015 available at https://www.ftc.gov/system/files/documents/public_statements/617191/150106cesspeech.pdf

^{^[20]} http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

^{^[21]} Supra Note 10.

^{^[22]} Supra Note 7.

^{^[23]} Chris Jay Hoofnagle & Jennifer King, Research Report: What Californians Understand

About Privacy Online, available at http://ssrn.com/abstract=1262130

^{^[24]} Joseph Turrow, Michael Hennesy, Nora Draper, The Tradeoff Fallacy, available at https://www.asc.upenn.edu/sites/default/files/TradeoffFallacy_1.pdf

^{^[25]} Saul Hansell, "Compressed Data: The Big Yahoo Privacy Storm That Wasn't," New York Times, May 13, 2002 available at http://www.nytimes.com/2002/05/13/business/compressed-data-the-big-yahoo-privacy-storm-that-wasn-t.html?_r=0

[26] Cass Sunstein, Choosing not to choose: Understanding the Value of Choice, Oxford University Press, 2015.

^{^[27]} For example, Acxiom, processes more than 50 trillion data transactions a year. http://www.nytimes.com/2012/06/17/technology/acxiom-the-quiet-giant-of-consumer-database-marketing.html?pagewanted=all&_r=0

^{^[28]} Opening Remarks of FTC Chairperson Edith Ramirez Privacy and the IoT: Navigating Policy Issues International Consumer Electronics Show Las Vegas, Nevada January 6, 2015 available at https://www.ftc.gov/system/files/documents/public_statements/617191/150106cesspeech.pdf

^{^[29]} L. F. Cranor. Necessary but not sufficient: Standardized mechanisms for privacy notice and choice. Journal on Telecommunications and High Technology Law, 10:273, 2012, available at http://jthtl.org/content/articles/V10I2/JTHTLv10i2_Cranor.PDF

^{^[30]} Kent Walker, The Costs of Privacy, 2001 available at https://www.questia.com/library/journal/1G1-84436409/the-costs-of-privacy

^{^[31]} Erik Sherman, "Privacy Policies are great - for Phds", CBS News, available at http://www.cbsnews.com/news/privacy-policies-are-great-for-phds/

^{^[32]} Timothy J. Muris, Protecting Consumers' Privacy: 2002 and Beyond, available at http://www.ftc.gov/speeches/muris/privisp1002.htm

^{^[33]} Margaret Jane Radin, Humans, Computers, and Binding Commitment, 1999 available at http://www.repository.law.indiana.edu/ilj/vol75/iss4/1/

^{^[34]} Annie I. Anton et al., Financial Privacy Policies and the Need for Standardization, 2004 available at https://ssl.lu.usi.ch/entityws/Allegati/pdf_pub1430.pdf; Florian Schaub, R. Balebako et al, "A Design Space for effective privacy notices" available at https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

^{^[35]} The Center for Information Policy Leadership, Hunton & Williams LLP, "Ten Steps To Develop A Multi-Layered Privacy Notice" available at https://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Ten_Steps_whitepaper.pdf

^{^[36]} Allen Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, Interagency Notice Project, available at https://www.sec.gov/comments/s7-09-07/s70907-21-levy.pdf

^{^[37]} Patrick Gage Kelly et al., Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach available at https://www.ftc.gov/sites/default/files/documents/public_comments/privacy-roundtables-comment-project-no.p095416-544506-00037/544506-00037.pdf

^{^[38]} Howard Latin, "Good" Warnings, Bad Products, and Cognitive Limitations, 41 UCLA Law Review available at https://litigation-essentials.lexisnexis.com/webcd/app?action=DocumentDisplay&crawlid=1&srctype=smi&srcid=3B15&doctype=cite&docid=41+UCLA+L.+Rev.+1193&key=1c15e064a97759f3f03fb51db62a79a5

^{^[39]} Jonathan Obar, Big Data and the Phantom Public: Walter Lippmann and the fallacy of data privacy self management, Big Data and Society, 2015, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239188

^{^[40]} Viktor Mayer Schoenberger and Kenneth Cukier, Big Data: A Revolution that will transform how we live, work and think" John Murray, London, 2013.

^{^[41]} Supra Note 15.

^{^[42]} Supra Note 40.

^{^[43]} Article 29 Working Party, (2013) Opinion 03/2013 on Purpose Limitation, Article 29, available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf

^{^[44]} Ibid.

^{^[45]} It remains unclear however whose interest would be accounted, existing EU legislation would allow commercial/data broker/third party interests to trump those of the user, effectively allowing re-processing of personal data irrespective of whether that processing would be in the interest of the user.

^{^[46]} Supra Note 40.

^{^[47]} Supra Note 10.

^{^[48]} Robert Sloan and Richard Warner, Beyong Notice and Choice: Privacy, Norms and Consent, 2014, available at https://www.suffolk.edu/documents/jhtl_publications/SloanWarner.pdf

^{^[49]} Helen Nissenbaum, A Contextual Approach to Privacy Online, available at http://www.amacad.org/publications/daedalus/11_fall_nissenbaum.pdf

^{^[50]} D Bollier, The Promise and Peril of Big Data. The Aspen Institute, 2010, available at: http://www.aspeninstitute.org/sites/default/files/content/docs/pubs/The_Promise_and_Peril_of_Big_Data.pdf

^{^[51]} Meeker, M. & Yu, L. Internet Trends, Kleiner Perkins Caulfield Byers, (2013), http://www.slideshare.net/kleinerperkins/kpcb-internet-trends-2013 .

^{^[52]} Supra Note 40.

^{^[53]} Supra Note 17.

^{^[54]} Janet Vertasi, My Experiment Opting Out of Big Data Made Me Look Like a Criminal, 2014, available at http://time.com/83200/privacy-internet-big-data-opt-out/

^{^[55]} Ibid.

^{^[56]} http://www.techpolicy.com/NoticeConsent-inWorldBigData.aspx

^{^[57]} Simon Davies, Why the idea of consent for data processing is becoming meaningless and dangerous, available at http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

^{^[58]} Supra Note 10.

^{^[59]} Simon Davies, Why the idea of consent for data processing is becoming meaningless and dangerous, available at http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

For more details visit https://cis-india.org/internet-governance/blog/a-critique-of-consent-in-information-privacy

A Critical Look at the Visual Representation of Cybersecurity

Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu — 2019-08-21T08:00:11Z

The Centre for Internet and Society and design collective Design Beku came together on the 15th of November for a workshop on Illustrations and Visual Representations of Cybersecurity. Images in the public sphere such as visuals in the media, Wikipedia commons, and stock images - play a vital role in the public’s perception of cybercrime and cybersecurity.

Edited by Karan Saini / Illustrations by - Paul Anthony George, and Roshan Shakeel

Download the file here

The existing imagery comprises of largely stereotypical images of silhouettes of men in hoodies, binary codes, locks, shields; all in dark tones of blue and green. The workshop aimed at identifying the concerns with these existing images and ideating on creating visuals that capture the nuanced concepts within cybersecurity as well as to contextualise them for the Global South. It began with a discussion on the various concepts within cybersecurity including disinformation, surveillance in the name of security, security researchers, regulation of big technology companies, gender and cybersecurity, etc. This was followed by a mapping of different visual elements in the existing cybersecurity imagery to infer the biases in them. Further, an ideation session was conducted to create alternate visualisations that counter these biases. A detailed report of the workshop can be read here.

The participants began by discussing the concerning impacts of present visualisations – there is a lack of representation and context of the global south. Misrepresentation of cybersecurity leads people to be susceptible to disinformation, treats cybercrime as an abstract concept that does not have a direct impact, and oversimplifies the problem and its solutions. The ecosystem in which this imagery exists also presented a larger issue. A majority of the images are created as clickbait alongside media articles. Media houses thus benefit from the oversimplification and mystification of cybersecurity in such images.

Through the mapping of existing images present online, several concerns were identified. The vague elements and unclear representation add to the mystification of cybersecurity as a concept. In present depictions, the use of technological devices and objects, leads to the lack of a human element, distancing the threat from any real impact to people using these devices. The metaphor of a physical threat is often used to depict cybersecurity using elements such as a lock and key. Recurring use of these elements gives a false idea of what is being secured or breached and how. Representations rely on tropes regarding the identity of hackers, and fail to capture the vulnerability of the system. The imagery gives the impression that systems which are breached are immensely secure to begin with and are compromised only as a result of sophisticated attacks carried out by malicious actors. The identity of hackers is commonly associated with cyber attacks and breaches, and the existing imagery reinforces this. Visuals showing a masked man or a silhouette of a man in dark background are the usual markers of a malicious hacker in conventional cybersecurity imagery. While there is a lack of representation of women in stock cybersecurity images, another trope found was that of a cheerful woman coder. There were also images of faceless women with laptops^{^[1]}. The reductive nature of these images point to deeper concerns around gender representation in cybersecurity.

The participants examined what the implications of such visual representation would be, and why there is a need to change the imagery. How can visual depictions be more representative? Can they avoid subscribing to a homogenised idea of an Indian context – specific without being reductive? Can better depiction broaden understanding of cybercrime and emphasize the proximity of those threats? With technology, concepts are often understood through metaphors – how data is explained impacts how people perceive it. Visual imagery can play a critical role in demystifying concepts when done well; illustrations can change the discourse. They must begin to incorporate intersecting aspects of gender, privacy, susceptibility of vulnerable populations, generational and cultural gaps, as well as manifestations of the described crimes to make technological laypersons more aware of the threat.

Potential new imagery would need to address aspects such as disinformation, the importance of privacy and who has a right to it, change representation of hackers, depict the cybersecurity community, explain specific concepts to both – the general user and to the people part of cybersecurity efforts in the country, the implications of cybercrime on vulnerable populations, and more in an attempt to deconstruct and disseminate what cybersecurity looks like today.

The ideation session involved rethinking specific concepts such as disinformation, and ethical hacking to create alternate imagery. For instance, disinformation was visually imagined as a distortion of an already distorted message being perceived by the viewer. In order to bring attention to the impact of devices, a phone was thought of as a central object to which different concepts of cybersecurity can be connected.

‘Fake News Cascade’ by Paul Anthony George

‘Fake News’ by Paul Anthony George

‘Disinformation/ Fake News’ by Roshan Shakeel; The sketch is about questioning the validity of what we see online, and that every message we see is constructed in some form or the other by someone else.

‘Disinformation/ Fake News’ by Roshan Shakeel; The sketch visualizes how the source of information ('the original') gets distorted after a certain point.

For ethical hacking, a visualisation depicting a day in the life of an ethical hacker was thought of to normalize hacking and to focus on their contribution in security research.

‘A Day in the Life of an Indian Hacker’ by Paul Anthony George

'Surveillance in the Name of Security' by Roshan Shakeel

Resources on ethical hacking (HackerOne)^[2] and hacker culture (2600.com)^[3] were also consulted as part of the exercise to gather references on the work done by hackers. This allowed a deeper understanding of how the hacker community depicts itself. Check Point Research^[4] and Kerala Police Cyberdome^[5] were also examined for further insight into cybersecurity. With regard to gender representation, sources that use visual techniques to communicate concerns and advocacy campaigns were also referred to. The Gendering Surveillance^[6] initiative by the Internet Democracy project^[7], which looks at how surveillance harms and restricts women, also offered insights on the use of illustrations supporting the case studies. Another reference was the "Visualising Women's Rights in the Arab World"^[8] project by the Tactical Technology Collective^[9]. The project aims to “strengthen the use of visual techniques by women's rights advocates in the Arab world, and to build a network of women with these skills”.^[10]

More visual explainers and animations^{^[11]} from the Tactical Technology Collective were noted for their broader engagement with digital security and privacy. A video by the Internet Democracy Project that explains the Internet through rangoli^{^[12]}, was observed specifically for setting the concept in Indian context through the use of aesthetics.

The workshop concluded with a discussion of potential visual iterations – imagery of cybersecurity that is not technology-oriented but focussed on the behavioural implications of access to such technology, illustrated public service announcements enhancing the profile of cybersecurity researchers or the everyday hacker. The impact of the discussion itself can indicate the relevance of such an effort. Artists and designers can be encouraged to create a body of imagery that shifts discourse and perception, to begin visualising for advocacy, demystify and stop the abstraction of cybercrime that can lead to a false sense of security, incorporate unique aspects of the debate within the Indian context, and generate new dialogue and understanding of cybersecurity. A potential step forward from this workshop would be to engage with the design community at large along with the domain experts to create more effective imagery for cybersecurity.

^{^[1]} https://www.hackerone.com/

^{^[2]} https://2600.com/

^{^[3]} https://research.checkpoint.com/about-us/

^{^[4]} http://www.cyberdome.kerala.gov.in/

^{^[5]} https://genderingsurveillance.internetdemocracy.in/

^{^[6]} https://internetdemocracy.in/

^{^[7]} https://visualrights.tacticaltech.org/index.html

^{^[8]} https://tacticaltech.org/

^{^[9]} https://visualrights.tacticaltech.org/content/about-website.html

^{^[10]} https://tacticaltech.org/projects/survival-in-the-digital-age-ono-robot-2012/

^{^[11]} https://internetdemocracy.in/2018/08/dots-and-connections/

^{^[12]} https://www.independent.co.uk/life-style/gadgets-and-tech/features/women-in-tech-its-time-to-drop-the-old-stereotypes-7608794.html

For more details visit https://cis-india.org/internet-governance/blog/paromita-bathija-padmini-ray-murray-and-saumyaa-naidu

A Compilation of Research on the PDP Bill

pranav — 2020-03-05T08:04:24Z

The most recent step in India’s initiative to create an effective and comprehensive Data Protection regime was the call for comments to the Personal Data Protection Bill, 2019, which closed last month. Leading up to the comments, CIS has published numerous research pieces with the goal of providing a comprehensive overview of how this legislation would place India within the global scheme, and how the local situation has developed, as well as analysing its impacts on citizens’ rights.

In addition to general and clause-by-clause comments and recommendations, we have compiled an annotated version of the Personal Data Protection Bill, which lays out our commentary in an easy-to-follow format.

Below, you can find our other recent research on Data Protection:

Pallavi Bedi has put together a note on the Divergence between EU’s General Data Protection Regulation (GDPR) and the Personal Data Protection Bill.

In addition, Pallavi has also contrasted the Personal Data Protection Bill with the GDPR and California Consumer Protection Act, in the contexts of jurisdiction and scope, rights of the data principal, obligations of data fiduciaries, exemptions, data protection authority, and breach of personal data.

On IAPP’s blog Privacy Perspectives, D. Shweta Reddy has assessed whether the Personal Data Protection Bill 2019 is sufficient for India to receive adequacy status from the EU.

Along with Justin Sherman, Arindrajit Basu has outlined the key global takeaways from the Personal Data Protection Bill 2019 on Lawfare.

On The Diplomat, Arindrajit has also traced the narrowing localization provisions in India, as well as Vietnam and Indonesia, and studied the actors and geopolitical tussle that has shaped these provisions.

Through a string of publicly available submissions, press statements, and other media reports, Arindrajit and Amber Sinha have tracked the political evolution of the data protection ecosystem in India, and how this has, and will continue to impact legislative and policy developments on EPW Engage.

Gurshabad Grover and Tanaya Rajwade have written on The Wire about how the Personal Data Protection Bill regulates social media.

Amber was also a guest on Suno India’s Cyber Democracy podcast, with Srinivas Kodali, to discuss how the latest version of the Personal Data Protection Bill will impact the right to privacy.

For more details visit https://cis-india.org/internet-governance/blog/compilation-of-research-on-data-protection

A Comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012

maria — 2013-07-12T15:32:08Z

In this post, Maria Xynou gives us a comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Last April, the most recent version of the DNA Profiling Bill was leaked in India. The draft 2007 DNA Profiling Bill failed to adequately regulate the collection, use, sharing, analysis and retention of DNA samples, profiles and data, whilst its various loopholes created a potential for abuse. However, its 2012 amended version is not much of an improvement. On the contrary, it excessively empowers the DNA Profiling Board, while remaining vague in terms of collection, use, analysis, sharing and storage of DNA samples, profiles and data. Due to its ambiguity and lack of adequate safeguards, the draft April 2012 Human DNA Profiling Bill can potentially enable the infringement of the right to privacy and other human rights.

**Draft 2007 DNA Profiling Bill vs. Draft 2012 Human DNA Profiling Bill**

1. Composition of the DNA Profiling Board

Amendment: The Draft 2007 DNA Profiling Bill listed the members which would be appointed by the Central Government to comprise the DNA Profiling Board. A social scientist of national eminence, as stated in section 4(q) of Chapter 3, was included. However, the specific section has been deleted from the Draft 2012 Human DNA Profiling Bill and no other social scientist has been added to the list of members to comprise the DNA Profiling Board. Despite the amendments to the section on the composition of the Board, no privacy or human rights expert has been included.

Analysis: The lack of human rights experts on the board can potentially be problematic as a lack of expertise on privacy laws and other human rights laws can lead to the regulation of DNA databases without taking privacy and other civil liberties into consideration.

DNA 2007 Bill (Section 4): “The DNA Profiling Board shall consist of the following members appointed by the Central Government from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics , social sciences, law and criminal justice or any other discipline which would, in the opinion of the Central Government, be useful to DNA Profiling , namely: (a) a Renowned Molecular Biologist to be appointed by the Central Government Chairperson, (b) Secretary, Ministry of Law and Justice, or his nominee ex-officio Member; (c) Chairman, Bar Council of India, New Delhi or his nominee ex-officio Member; (d) Vice Chancellor, NALSAR University of Law, Hyderabad ex-officio Member; (e) Director, Central Bureau of Investigation or his nominee ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, New Delhi ex-officio Member; (g) Director, National Crime Records Bureau, New Delhi ex-officio Member; (h) Director, National Institute of Criminology and Forensic Sciences, New Delhi ex-officio Member; (i) a Forensic DNA Expert to be nominated by Secretary, Ministry of Home Affairs, New Delhi, Government of India Member; (j) a DNA Expert from All India Institute of Medical Sciences, New Delhi to be nominated by its Director, Member; (k) a Population Geneticist to be nominated by the President, Indian National Science Academy, New Delhi Member; (l) an Expert to be nominated by the Director, Indian Institute of Science, Bangalore Member; (m) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi ex-officio Member; (n) Director, Centre for Cellular and Molecular Biology, Hyderabad ex-officio Member; (o) Representative of the Department of Bio-technology, Government of India, New Delhi to be nominated by Secretary, DBT, Ministry of S&T, Government of India Member; (p) The Chairman, National Bioethics Committee of Department of Biotechnology, Government of India, New Delhi ex-officio Member; (q) a Social Scientist of National Eminence to be nominated by Secretary, MHRD, Government of India Member; (r) four Directors General of Police representing different regions of the country to be nominated by MHA Members; (s) two expert Members to be nominated by the Chairperson Members (t) Manager, National DNA Data Bank ex-officio Member; (u) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad ex-officio Member Secretary”

DNA April 2012 Bill (Section 4):“The Board shall consist of the following Members appointed from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics, social sciences, law and criminal justice or any other discipline which would be useful to DNA profiling, namely:- (a) A renowned molecular biologist to be appointed by the Central Government- Chairperson; (b) Vice Chancellor of a National Law University established under an Act of Legislature to be nominated by the Chairperson- ex-officio Member; (c) Director, Central Bureau of Investigation or his nominee (not below the rank of Joint Director)- ex-officio Member; (d) Director, National Institute of Criminology and Forensic Sciences, New Delhi- ex-officio Member;(e) Director General of Police of a State to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, Government of India - ex-officio Member (g) Director of a Central Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (h) Director of a State Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (i) Chairman, National Bioethics Committee of Department of Biotechnology, Government of India- ex-officio Member; (j) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi- exofficio Member; (k) Financial Adviser, Department of Biotechnology, Government of India or his nominee- ex-officio Member; (l) Two molecular biologists to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Members; (m) A population geneticist to be nominated by the President, Indian National Science Academy, New Delhi- Member; (n) A representative of the Department of Biotechnology, Government of India to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Member; (o) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad- ex-officio Member- Secretary”

2. Powers and functions of the Chief Executive Officer

Amendment: Although the Chief Executive Officer´s (CEO) powers and functions are set out in the 2007 Draft DNA Bill, these have been deleted from the amended 2012 Draft Bill. The Draft 2012 Bill merely states how the CEO will be appointed, the CEO´s status and that the CEO should report to the Member Secretary of the Board. As for the powers and functions of the CEO, the 2012 Bill states that they will be specified by the Board, without any reference to what type of duties the CEO would be eligible for. Furthermore, section 10(3) has been added which determines that the CEO will be ´a scientist with understanding of genetics and molecular biology´.

Analysis: The lack of legal guidelines which would determine the scope of such regulations indicates that the CEO´s power is subject to the Board. This could create a potential for abuse, as the CEO´s power and the criteria for the creation of the regulations by the Board are not legally specified. Although an understanding of genetics and molecular biology is a necessary prerequisite for the specific CEO, an official understanding of privacy and human rights laws should also be a prerequisite to ensure that tasks are carried out adequately in regards to privacy and data protection.

DNA 2007 Bill (Section 11):“(1) The DNA Profiling Board shall have a Chief Executive Officer who shall be appointed by the Selection Committee consisting of Chairperson and four other members nominated by the DNA Profiling Board. (2) The Chief Executive Officer shall be of the rank of Joint Secretary to the Govt. of India and report to the Member Secretary of the DNA Profiling Board. (3)The Chief Executive Officer appointed under sub-section (1)shall exercise powers of general superintendence over the affairs of the DNA Profiling Board and its day-to-day management under the direction and control of the Member Secretary. (4) The Chief Executive Officer shall be responsible for the furnishing of all returns, reports and statements required to be furnished, under this Act and any other law for the time being in force, to the Central Government. (5) It shall be the duty of the Chief Executive Officer to place before the DNA Profiling Board for its consideration and decision any matter of financial importance if the Financial Adviser suggests to him in writing that such matter be placed before the DNA Profiling Board.”
DNA April 2012 Bill (Section 10): “(1) There shall be a Chief Executive Officer of the Board who shall be appointed by a selection committee consisting of the Chairperson and four other Members nominated by the Board. (2) The Chief Executive Officer shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board. (3) The Chief Executive Officer shall be a scientist with understanding of genetics and molecular biology. (4) The Chief Executive Officer appointed under subsection (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary”

3. Functions of the Board

Amendment: The section on the functions of the DNA Profiling Board of the 2007 Draft DNA Profiling Bill has been amended. In particular, sub-section 12(j) of the Draft 2012 Human DNA Profiling Bill states that the Board would ´authorise procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies´. The equivalent sub-section in the 2007 Draft DNA Bill restricted the Board´s authorisation to crime investigation by law enforcement agencies, and did not include civil proceedings and other agencies.

Analysis: This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ are not defined and remain vague. The broad use of the terms ´other agencies´ and ´civil proceedings´ could create a potential for abuse, as it is unclear which parties would be authorised to use DNA profiles and under what conditions, nor is it clear what ´civil proceedings´ entail.

DNA 2007 Bill (Section 13(x)): The DNA Profiling Board constituted under section 3 of this Act shall exercise and discharge the following powers and functions, namely: “authorize communication of DNA profile for crime investigation by law enforcement agencies;”

DNA April 2012 Bill (Section 12(j)): The Board shall exercise and discharge the following functions for the purposes of this Act, namely: “authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies;”

4. Regional DNA Data Banks

Amendment: Section 33(1) of the 2007 Draft DNA Profiling Bill has been amended and its 2012 version (section 32(1)) states that the Central Government will establish a National DNA Data Bank and ´as many Regional DNA Data Banks thereunder, for every state or group of States, as necessary´.

Analysis: This amendment enables the potential establishment of infinite regional DNA Data Banks without setting out the conditions for their function, how they would use data, how long they would retain it for or who they would share it with. The establishment of such regional data banks could potentially enable the access to, analysis, sharing and retention of huge volumes of DNA data without adequate regulatory frameworks restricting their function.

DNA 2007 Bill (Section 33(1)): “The Central Government shall, by a notification published in the Gazette of India, establish a National DNA Data Bank.”
DNA April 2012 Bill (Section 32(1)): “The Central Government shall, by notification, establish a National DNA Data Bank and as many Regional DNA Data Banks thereunder for every State or a group of States, as necessary.

5. Data sharing

Section 33(2) of the 2007 Draft DNA Profiling Bill has been amended and section 32(2) of the 2012 draft Human DNA Profiling Bill includes that every state government should establish a State DNA Data Bank which should share the information with the National DNA Data Bank.

This sharing of DNA data between state and national DNA Data Banks could potentially increase the probability of data being accessed, shared, analysed and retained by unauthorised third parties. Furthermore, specific details, such as which information should be shared, how often and under what conditions, have not been specified.

DNA 2007 Bill (Section 33(2)): “A State Government may, by notification in the Official Gazette, establish a State DNA Data Bank.”
DNA April 2012 Bill (Section 32(2)):“Every State Government may, by notification, establish a State DNA Data Bank which shall share the information with the National DNA Data Bank.”

6. Data retention

Amendment: Section 32(3) of the 2012 draft DNA Bill has been amended from its original 2007 form to include that regulations on the retention of DNA data would be drafted by the DNA Profiling Board.

Analysis: This amendment does not set out the DNA data retention period, nor who would have the authority to access such data and under what conditions. Furthermore, regulations on the retention of such data would be drafted by the DNA Profiling Board, which could increase their probability of being subject to bias and lack of transparency.

DNA 2007 Bill (Section 33(3)): “The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA Profiles received from different laboratories in the format as may be specified by regulations.”
DNA April 2012 Bill (Section 32(3)): “The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA profiles received from different laboratories in the format as may be specified by the regulations made by the Board.”

7. Data Bank Manager

Amendment: Section 33 has been added to the 2012 draft Human DNA Profiling Bill and establishes a DNA Data Bank Manager, who would carry out ´all operations of and concerning the National DNA Data Bank´.

Analysis: All such operations are not clearly specified and could create a potential for abuse. The DNA Data Manager would have the same type of status as the Chief Executive Officer, but he/she would be required to have an understanding of computer applications and statistics, possibly to support data mining efforts. However, the powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.

DNA 2012 Bill (Section 33):“(1) All operations of and concerning the National DNA Data Bank shall be carried out under the supervision of a DNA Data Bank Manager who shall be appointed by a selection committee consisting of Chairperson and four other Members nominated by the Board.(2) The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board.(3) The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics. (4) The DNA Data Bank Manager appointed under sub-section (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary.”

8. Communication of DNA profiles to foreign agencies

Amendment: The 2007 Draft DNA Profiling Bill has been amended and sub-sections 35(2, 3) have been excluded from the 2012 Draft Human DNA Profiling Bill. These sub-clauses prohibited the use of DNA profiles for purposes other than the administration of the Act, as well as the communication of DNA profiles. Furthermore, sub-section 36(1) has been added to the 2012 Bill, which authorises the communication of DNA profiles to international agencies for the purposes of crime investigation.

Analysis: The exclusion of sub-sections 35(2, 3) from the 2012 Bill indicates that the use and communication of DNA profiles without prior authorisation may be legally permitted, which raises major privacy concerns. Sub-section 36(1) does not define a ´crime investigation´, which indicates that DNA profiles could be shared with international agencies for loosely defined ´criminal investigations´ or even for civil proceedings. The lack of a strict definition to the term ´crime investigation´, as well as the broad reference to foreign states and international agencies raises concerns, as it remains unclear who will have access to information, for how long, under what conditions and whether that data will be retained.

DNA 2007 Bill (Sections 35(2,3)): “(2) No person who receives the DNA profile for entry in the DNA Data Bank shall use it or allow it to be used for purposes other than for the administration of this Act. (3) No person shall, except in accordance with the provisions hereinabove, communicate or authorize communication, or allow to be communicated a DNA profile that is contained in the DNA Data Bank or information that is referred to in sub-section (1) of Section 34”
DNA April 2012 Bill (Section 36(1)): “On receipt of a DNA profile from the government of a foreign state, an international organisation established by the governments of states or an institution of any such government or international organization, the National DNA Data Bank Manager may compare the DNA profile with those in the DNA Data Bank in order to determine whether it is already contained in the Data Bank and may then communicate through Central Bureau of Investigation or any other appropriate agency of the Central Government and with the prior approval of the Central Government information referred to in subsection (1) of section 35 to that government, international organisation or institution.”

9. Data destruction

Amendment: Section 37 of the 2007 draft DNA Profiling Bill states that the DNA Data Bank Manager shall expunge the DNA analysis of a person from the DNA index once the court has certified that the conviction of a person has been set aside. The 2007 Bill had no particular reference to data retention. The equivalent clause (37) of the 2012 draft DNA Bill, however, not only states that individuals´ DNA data will be kept on a ´permanent basis´, but also that the DNA Data Bank Manager shall expunge a DNA profile under the same conditions under the 2007 Bill.

Analysis: This amendment indicates that Indians´ DNA data will be kept indefinitely and that it will be deleted only once the court has cleared an individual from conviction. This raises major concerns, as it does not clarify under what conditions individuals can have access to data during its retention, nor does it give ´non-convicts´ the opportunity to have their data deleted from the data bank.

DNA 2007 Bill (Section 37): “The Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person included in the DNA data bank has been set aside, expunge forthwith the DNA analysis of such person from the DNA index. Explanation:- For the purposes of this section, a court order is not ‘final’ till the expiry of the period of limitation for filing an appeal, or revision application, or review if permissible under the law, with respect to the order setting aside the conviction.”
DNA April 2012 Bill (Section 37):“(1) Subject to sub-sections (2) and (3), the information in the offenders’ index pertaining to a convict shall be kept on a permanent basis. (2) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the person in respect of whom the information is included in the offenders’ index has been acquitted of the charge against him, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed. (3) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person in respect of whom the information is included in the offenders’ index has been set aside, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed.”

10. Use of DNA profiles and DNA samples and records

Amendment: Section 39 of the 2007 draft DNA Profiling Bill has been amended and the equivalent section of the 2012 DNA Bill (section 39) states that DNA profiles, samples and records can be used for purposes related to ´other civil matters´ and ´other purposes´, as specified by the regulations made by the DNA Profiling Board.

Analysis: The vague use of the terms ´other civil matters´ and ´other purposes´ can create a potential for abuse, especially since the Board will not be comprised by an adequate amount of members with legal expertise on civil matters. This section enables the use of DNA data for potentially any purpose, as long as it is enabled by the Board. Furthermore, the section does not specify who can be authorised to use DNA data under such conditions, which raises further concerns.

DNA 2007 Bill (Section 39): “(1)All DNA profiles, samples and records shall solely be used for the purpose of facilitating identification of the perpetrator(s) of a specified offence: Provided that such records or samples may be used to identify victims of accidents, disasters or missing persons or for such other purposes. (2) Information stored on the DNA data base system may be accessed by the authorized persons for the purposes of: (i) forensic comparison permitted under this Act; (ii) administering the DNA data base system; (iii) accessing any information contained in the DNA database system by law enforcement officers or any other persons, as may be prescribed, in accordance with provisions of any law for the time being in force; (iv) inquest or inquiry; (v) any other purpose as may be prescribed: Provided that nothing contained in this section shall apply to information which may be used to determine the identity of any person.”
DNA April 2012 Bill (Section 39): “All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule: Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part I of the Schedule or for other purposes as may be specified by the regulations made by the Board.”

11. Availability of DNA profiles and DNA samples

Amendment: Section 40 of the 2007 draft DNA Bill has been amended and an extra paragraph has been included to the equivalent 2012 Bill. In particular, section 40 enables the availability of DNA profiles and samples in criminal cases, judicial proceedings and for defence purposes among others.

Analysis: ´Criminal cases´ are loosely defined and could enable the availability of DNA data on low profile cases.

DNA 2007 Bill (Section 40):“The information on DNA profiles, samples and DNA identification records shall be made available only : (i) to law enforcement agencies for identification purposes in a criminal case; (ii) in judicial proceedings, in accordance with the rules of admissibility of evidence; (iii) for facilitating decisions in cases of criminal prosecution; (iv) for defense purposes, to a victim or the accused to the extent relevant and in connection with the case in which such accused is charged; (v) for population statistics data base, identification, research and protocol development, or for quality control provided that it does not contain any personally identifiable information and does not violate ethical norms, as specified by rules. (vi) for any other purposes as specified by rules.”
DNA April 2012 Bill (Section 40):“Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely:- (a) for identification purposes in criminal cases, to law enforcement agencies; (b) in judicial proceedings, in accordance with the rules of admissibility of evidence; (c) for facilitating decisions in cases of criminal prosecution; (d) for defence purposes, to the accused to the extent relevant and in connection with the case in which such accused is charged; (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms; or (f) in the case of investigations related to civil dispute and other civil matter listed in Part I of the Schedule, to the concerned parties to the said civil dispute or civil matter and to the concerned judicial officer or authority; or (g) for any other purposes, as may be prescribed.”

12. Restriction on access to information in DNA Data Banks

Amendment: Section 43 has been added to the 2012 draft Human DNA Profiling Bill which states that access to information shall be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect.

Analysis: This section implies that everyone who does not belong in these two categories has his/her data exposed to (unauthorised) access by third parties.

DNA April 2012 Bill (Section 43): “Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from- (a) a victim of an offence which forms or formed the object of the relevant investigation, or (b) a person who has been excluded as a suspect in the relevant investigation.”

13. Board exemption from tax on wealth and income, profits and gains

Amendment: Section 53 of the 2007 draft DNA Bill on “Returns and Reports” on behalf of the Board has been deleted and section 62 on the Board exemption from tax on wealth and income, profits and gains, has been added to the 2012 DNA Bill.

Analysis: Although the 2007 DNA Bill stated that the Central Government was authorised to issue directions, this has been replaced by section 64 of the 2012 DNA Bill, which authorises the DNA Profiling Board to issue directions.

DNA 2007 Bill (Section 53):“(1) The DNA Profiling Board shall furnish to the Central Government at such time and in such form and manner as may be specified by rules or as the Central Government may direct, such returns and statements as the Central Government may, from time to time, require. (2) Without prejudice to the provisions of sub-section (1), the DNA Profiling Board shall, within ninety days after the end of each financial year, submit to the Central Government a report in such form, as may be prescribed, giving a true and full account of its activities, policy and programmes during the previous financial year. (3) A copy of the report received under sub-section (2) shall be laid, as soon may be after it is received, before each House of Parliament.”
DNA April 2012 Bill (Section 62): “Notwithstanding anything contained in- (a) the Wealth-tax Act, 1957; (b) the Income-tax Act, 1961; or (c) any other enactment for the time being in force relating to tax, including tax on wealth, income, profits or gains or the provision of services,- the Board shall not be liable to pay wealth-tax, income-tax or any other tax in respect of its wealth, income, profits or gains derived.”

For more details visit https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills

A comparison of the 2016 Aadhaar Bill, and the 2010 NIDAI Bill

Vanya Rakesh — 2016-03-09T04:08:01Z

This blog post does a clause-by-clause comparison of the provisions of National Identification Authority of India Bill, 2010 and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016

Title

2010 Bill: The Bill was titled as the National Identification Authority of India Bill, 2010.

2016 Bill : The Bill has been titled as the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

Purpose/Object Clause

2010 Bill: The purpose of Bill was stated to provide for the establishment of the National Identification Authority of India to issue identification numbers to residents of India as well as certain other classes of individuals , to facilitate access to benefits and services, to which they are entitled.

2016 Bill : The purpose of this Bill has been stated to ensure targeted delivery of subsidies, benefits and services to residents of India in an efficient and transparent manner by assigning unique identity numbers to such individuals.

Definitions

2010 Bill: “Authentication” was defined as the process in which the Aadhaar number, along with other attributes (including biometrics) are submitted to the Central Identities Data Repository for verification, done on the basis of information, data or documents available with the Repository.
2016 Bill : “Authentication” has been defined as the process by which the Aadhaar number, along with demographic or biometric information of an individual is submitted to the Central Identities Data Repository for the purpose of verification, done on the basis of the correctness of (or lack of) information available with it.

2010 Bill: “Authentication Record” was not defined in the previous Bill.
2016 Bill : “Authentication Record” has been defined under clause 2(d) as the record of the time of authentication, the identity of the entity requesting such record and the response provided by the Authority for this purpose.

2010 Bill: “Authority” was defined under clause 2(d) as National Identification Authority of India established under provisions of the Bill.

2016 Bill :“Authority” has been defined under clause 2(e) as Unique Identification Authority of India established under provisions of the Bill.

2010 Bill: “Benefit” was not defined in the previous Bill.
2016 Bill : “Benefit” has been defined under clause 2(f) as any advantage, gift, reward, relief, or payment (either in cash or kind), or such other benefits, which is provided to an

individual/ a group of individuals as notified by the Central Government.

2010 Bill: “Biometric Information” was defined under clause 2(e) as a set of biological attributes of an individual as may be specified by regulations.
2016 Bill : “Biometric Information” has been defined under clause 2(g) as biological attributes of an individual like photograph, fingerprint, Iris scan, or other such biological

attributes as may be specified by regulations.

2010 Bill: “Core Biometric Information” was not defined in the previous Bill.
2016 Bill : “Core Biometric Information” has been defined under clause 2(j) as biological attribute of an individual like fingerprint, Iris scan, or such other biological attribute as

may be specified by regulations.

2010 Bill: “Demographic Information” was defined under clause 2(h) as information specified in the regulations for the purpose of issuing an Aadhaar number, like information relating to the name, age, gender and address of an individual (other than race, religion, caste, tribe, ethnicity, language, income or health), and such other information.
2016 Bill : “Demographic Information” has been defined under clause 2(k) as information of an individual as may be specified by regulations for the purpose of issuing an Aadhaar number like information relating to the name, date of birth, address and other relevant information, excluding race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history of an individual.

2010 Bill: “Enrolling Agency” was defined under clause 2(i) as an agency appointed by the Authority or the Registrars for collecting information under the Act.
2016 Bill : “Enrolling Agency” has been defined under clause 2(l) as an agency appointed by the Authority or a Registrar for collecting demographic and biometric information of individuals under this Act.

2010 Bill: “Member” was defined under clause 2(l) to include the Chairperson and a part-time Member of the Authority appointed under the provisions of the Bill.
2016 Bill : “Member” has been defined under clause 2(o) to include the Chairperson and Member of the Authority appointed under the provisions of the Bill.

2010 Bill: “Records of Entitlement” was not defined under the previous Bill.
2016 Bill : “Records of Entitlement” has been defined under clause 2(r) as the records of benefits, subsidies or services provided to, or availed by, any individual under any programme.

2010 Bill: “Requesting Entity” was not defined under the previous Bill.
2016 Bill : “Requesting Entity” has been defined under clause 2(u) as an agency or person that submits information of an individual comprising of the Aadhaar number and

demographic or biometric information to the Central Identities Data Repository for the purpose of authentication.

2010 Bill: “Resident” was defined under clause 2(q) as an individual usually residing in a village, rural area, town, ward, demarcated area (demarcated by the Registrar General of Citizen Registration) within a ward in a town or urban area in India.
2016 Bill : “Resident” has been defined under clause 2(v) as an individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment.

2010 Bill: “Review Committee” was defined under clause 2(r) as the Identification Review Committee constituted under the provisions of the Bill.
2016 Bill : “Review Committee” has not been defined under the Bill.

2010 Bill: “Service” was not defined in the previous Bill.
2016 Bill : “Service” has been defined under clause 2 (w) as any provision, facility, utility or any other assistance provided in any form to an individual or a group of individuals as may be notified by the Central Government.

2010 Bill: “Subsidy” was not defined in the previous Bill.
2016 Bill : “Subsidy” has been defined under clause 2(x) as any form of aid, support, grant, subvention, or appropriation (either in cash or kind), as may be notified by the Central Government, given to an individual or a group of individuals.

Enrolment

Aadhaar Numbers

2016 Bill : Under clause 3(2) of the Bill, it is stated that at the time of enrolment, The enrolling agency shall inform the individual undergoing enrolment the following details:

(a) the manner in which the information so collected shall be used,

(b) the nature of recipients with whom the information is intended to be shared during authentication,and

(c) the existence of a right to access information, the procedure for making such requests for access, and details of the person/department in-charge to whom such requests can be

made.

Properties of Aadhaar Number

2010 Bill : Clause 4 (3) stated that subject to authentication, the Aadhaar number shall be accepted as a proof of identity of the Aadhaar number holder.

2016 Bill : Clause 4 (3) states that subject to authentication, the Aadhaar number (either in physical or electronic form) shall be accepted as a proof of identity of the Aadhaar

number holder.

The Explanation under this clause states that for the purpose of this provision, “electronic form” shall have the same meaning as assigned to it in section 2 (1) (r) of the Information Technology Act, 2000.

Authentication

Proof of Aadhaar number necessary for receipt of certain subsidies, benefits and services, etc.

2016 Bill : Under clause 7 of the Bill it is provided that for the purpose of establishing an individual's identity as a condition to receipt a a subsidy, benefit or service. the Central or State Government (as the case may be), require that such individual undergo authentication, or furnish proof of possession of Aadhaar number. In case the Aadhaar number has not been assigned to an individual, such individual must make an application for enrolment.

The Proviso states that the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service, in an Aadhaar number is not assigned to an individual.

Authentication of Aadhaar number

2010 Bill: Clause 5 of the Bill stated that authentication of the Aadhaar number shall be performed by the Authority, in relation to the holders’ biometric and demographic information, subject to such conditions and on payment of the prescribed fees. Also, it was provided that the Authority shall respond to an authentication query with a positive, negative or other appropriate response (excluding any demographic and biometric information).

2016 Bill : The Bill states that authentication of the Aadhaar number shall be performed by the Authority, in relation to the holders’ biometric and demographic information, subject to such conditions and on payment of the prescribed fees.

Clause 8 (2) provides that unless otherwise provided in the Act, the requesting entity shall—

For the purpose of authentication, obtain the consent of an individual before collecting his identity information, and
ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication.

Clause 8 (3) provides that the following details shall be informed by the requesting entity to the individual submitting his identity information for the purpose of authentication:

a. the nature of information that may be shared upon authentication;

b. the uses to which the information received during authentication may be put by the requesting entity; and

c. alternatives to submission of identity information to the requesting entity.

Clause 8(4) states that the Authority shall respond to an authentication query with a positive, negative or other appropriate response (excluding any core biometric information).

Prohibition on requiring certain information.

2010 Bill: Clause 9 of the Bill prohibited the Authority to make an individual give information pertaining to his race, religion, caste, tribe, ethnicity, language, income or health.

2016 Bill : This provision has been removed from the 2016 Bill.

Unique Identification Authority Of India

Establishment of Authority

2010 Bill: Clause 11(1) of the Bill stated that the Central Government shall establish an Authority called as the National Identification Authority of India, to exercise the powers conferred on it and to perform the functions assigned to it under this Act. Also, clause 11(3) provided that the head office of the Authority shall be in the National Capital Region, referred to in section 2(f) of the National Capital Region Planning Board Act, 1985.

2016 Bill : Clause 11(1) of the Bill states that the Central Government shall establish an Authority called as the Unique Identification Authority of India, responsible for the processes of enrolment, authentication and perform such other functions assigned to it under this Act. Also, clause 11(3) provides that the head office of the Authority shall be in New Delhi.

Composition of Authority

2010 Bill: Clause 12 provided that the Authority shall consist of a Chairperson and two part-time Members, to be appointed by the Central Government.

2016 Bill : Clause 12 of the Bill provides that the Authority shall consist of a Chairperson (appointed on part-time or full- time basis) , two part-time Members, and the chief executive officer (who shall be Member-Secretary of the Authority), to be appointed by the Central Government.

Qualifications for appointment of Chairperson and Members of Authority

2010 Bill: Clause 13 provided that the Chairperson and Members of the Authority shall be persons of ability, integrity and outstanding calibre having experience and knowledge in the matters relating to technology, governance, law, development, economics, finance, management, public affairs or administration.

2016 Bill : Clause 13 provides that the Chairperson and Members of the Authority shall be persons of ability and integrity having experience and knowledge of at least ten years in matters relating to technology, governance, law, development, economics, finance, management, public affairs or administration.

Term of office and other conditions of service of Chairperson.

2010 Bill: Proviso to Clause 14 (1) stated that the Chairperson of the Unique Identification Authority of India, who would have been appointed before the commencement of this Act by notification A-43011/02/2009-Admn.I (Vol.II) dated the 2nd July, 2009, shall continue as a Chairperson of the Authority for the term for which he had been appointed. Clause 14(4) prohibited the Chairperson from holding any other office during the period of holding his office in the Authority. Proviso to clause 14 (5) stated the salary, allowances and the other terms and conditions of service of the Chairperson shall not be varied to his disadvantage after his appointment.

2016 Bill : These provisions have not been included in the Bill.

Removal of Chairperson and Members

2010 Bill: Clause 15 (2) stated that unless a reasonable opportunity of being heard has been duly provided, the Chairperson or a Member shall not be removed under clauses (d) or (e) of sub-section (1).

2016 Bill : Clause 15 (2) stated that unless a reasonable opportunity of being heard has been duly provided, the Chairperson or a Member shall not be removed under clauses (b), (d) or (e) of sub-section (1).

Restrictions on Chairperson or Members on employment after cessation of office

2010 Bill: Clause 16 (a) provided that the Chairperson or a member, who ceases to hold office, shall not accept any employment in, or connected with the management or administration of, any person which has been associated with any work under the Act, for a period of three years from the date on which they cease to hold office, without previous approval of the Central Government.

The proviso to this clause stated that this provision shall not apply to any employment under the Central Government, State Government, local authority, any statutory authority or any corporation established by or under any Central, State or provincial Act or a Government Company, as defined in section 617 of the Companies Act, 195.

2016 Bill: Clause 16 (a) provides that the Chairperson or a member, who ceases to hold office, shall not accept any employment in, or connected with the management of any organisation, company or any other entity which has been associated with any work done or contracted out by the Authority (whether directly or indirectly), during his tenure as Chairperson or Member, as the case may be, for a period of three years from the date on which he ceases to hold office, without previous approval of the Central Government.

Functions of Chairperson

2010 Bill: Clause 17 of the Bill provided that the Chairperson shall have powers of general superintendence, direction in the conduct of the affairs of the Authority, preside over the meetings of the Authority, and exercise and discharge such other powers and functions of the Authority as prescribed, without prejudice to any of the provisions of the Act.

2016 Bill : Clause 17 of the Bill states that the Chairperson shall preside over the meetings of the Authority, and exercise and discharge such other powers and functions of the Authority as prescribed, without prejudice to any of the provisions of the Act.

Chief Executive Officer

2010 Bill: Clause 20 (1) of the Bill stated that a chief executive officer, not below the rank of the Additional Secretary to the Government of India, who shall be the Member-Secretary of the Authority,shall be appointed by the Central Government.

2016 Bill : Clause 18 (1) stated that a chief executive officer, not below the rank of the Additional Secretary to the Government of India, shall be appointed by the Central Government. In the list of its responsibilities, clause 18 (2) (e) additionally provides for performing such other functions, or exercising such other powers, as may be specified by regulations.

Meetings

2010 Bill: Clause 18 (4) provided that all decisions of the Authority shall be authenticated by the signature of the Chairperson or any other Member who is authorised by the Authority for this purpose.

2016 Bill : Clause 19 (4) provided that all decisions of the Authority shall be signed by the Chairperson, any other Member or the Member-Secretary authorised by the Authority.

Vacancies, etc., not to invalidate proceedings of Authority

2010 Bill: Clause 19 (b) of the Bill stated that No act or proceeding of the Authority shall be invalid merely by reason of any defect in the appointment of a person as a Member of the Authority

2016 Bill : Clause 20 (b) of the Bill stated that No act or proceeding of the Authority shall be invalid merely by reason of any defect in the appointment of a person as Chairperson or Member of the Authority

Powers and functions of Authority

Clause 23 (2) (k)

2010 Bill: Clause 23 (2) (k) provided that the powers and functions of the Authority may include sharing the information of Aadhaar number holders, with their written consent, with such agencies engaged in delivery of public benefits and public services as the Authority may by order direct, in a manner as specified by regulations.

2016 Bill : Clause 23 (2) (k) provides that the powers and functions of the Authority may include sharing the information of Aadhaar number holders, subject to the provisions of this Act.

Clause 23 (2) (r)

2010 Bill : Clause 23 (2) (r) stated that the powers and functions of the Authority may include specifying, by regulation, the policies and practices for Registrars, enrolling agencies and other service providers.

2016 Bill : Clause 23 (2) (r) states that the powers and functions of the Authority may include evolving of, and specifying, by regulation, the policies and practices for Registrars, enrolling agencies and other service providers.

Grants, Accounts and Audit and Annual Report

2010 Bill: Clause 25 provided that the fees or revenue collected by the Authority shall be credited to the Consolidated Fund of India and the entire amount so credited be transferred to the Authority.

2016 Bill : Clause 25 states that the fees or revenue collected by the Authority shall be credited to the Consolidated Fund of India.

Identity Review Committee

2010 Bill: Clause 28 of the Bill provided for establishment of the Identity Review Committee, consisting of three members (including the chairperson) who are persons of eminence, ability, integrity and having knowledge and experience in the fields of technology, law, administration and governance, social service, journalism, management or social sciences. Clause 29 of the Bill enlisted several functions to be undertaken by the Review Committee so constituted.

2016 Bill: These provisions have been removed from the Bill.

Protection of Information

Security and confidentiality of information

2010 Bill: Clause 30 (2) of the Bill stated that the Authority shall take measures (including security safeguards) to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against any loss, unauthorised access, use or unauthorised disclosure of the same.

2016 Bill : Clause 28 (3) states that the Authority shall take measures to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.

A new provision-clause 28(4)- states that the Authority shall undertake the following additional measures for protection of information:

(a) adopt and implement appropriate technical and organisational security measures,

(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information, and

(c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, impose obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority.

Restriction on sharing information

2010 Bill: The Bill did not provide for restrictions on sharing of information.

2016 Bill: This new provision under Clause 29 states that no core biometric information, collected or created under this Act, shall be—

(a) shared with anyone for any reason whatsoever; or

(b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.

Also, the identity information, other than core biometric information, collected or created

under this Act may be shared only in accordance with the provisions of this Act as specified under Regulations.

Clause 29 (3) prohibits usage of identity information available with a requesting entity for any purpose, other than that specified to the individual at the time of submitting any identity information for authentication, or disclosed further, except with the prior consent of the individual to whom such information relates.

Clause 29 (4) prohibits publication, displaying or publicly posting of the Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder, except for the purposes as may prescribed in Law.

Biometric information deemed to be sensitive personal information.

2010 Bill: The Bill did not contain provisions stating that the biometric information shall be deemed to be sensitive personal information for the purpose of this Act.

2016 Bill: Clause 30 states that the biometric information collected and stored in electronic form shall be deemed to be “electronic record” and “sensitive personal data or information”, and the provisions contained in the Information Technology Act, 2000 and the rules made thereunder shall apply to such information,to the extent not in derogation of the provisions of this Act.

The Explanation defines

(a) “electronic form” - as defined under section 2 (1) (r) of the Information Technology Act, 2000,

(b) “electronic record” as defined under section 2 (1) (t) of the Information Technology Act, 2000

(c)“sensitive personal data or information” - as defined under clause (iii) of the

Explanation to section 43A of the Information Technology Act, 2000.

Security and confidentiality of information

A new provision-clause 28(4)- states that the Authority shall undertake the following additional measures for protection of information:

(a) adopt and implement appropriate technical and organisational security measures,

Alteration of demographic information or biometric information.

2016 Bill : Clause 31 (4) prohibits alteration of identity information in the Central Identities Data Repository, except in the manner provided in this Act or regulations made thereof.

Access to own information and records of requests for authentication.

2016 Bill : Clause 32 (3) provides that the Authority shall not collect, keep or maintain any information about the purpose of authentication, either by itself or through any entity under its control.

Disclosure of information in certain cases

2010 Bill: The provision creates an exception under Clause 33 for the purposes of disclosure of information in certain cases like disclosure (including identity information or details of authentication) made pursuant to an order of a competent court; or disclosure (including identity information) made in the interests of national security in pursuance of directions issued by an officer(s) not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government.

2016 Bill : The provision creates an exception under Clause 33 for the purposes of disclosure of information in certain cases like disclosure (including identity information or details of authentication) made pursuant to an order not inferior to that of a District Judge (provided that the court order shall be made only after giving an opportunity of hearing to the Authority); or disclosure (including identity information or authentication records) made in the interests of national security in pursuance of directions issued by an officer not below the rank of Joint Secretary to the Government of India, authorised in this behalf by an order of the Central Government.

The proviso to Clause 33 (2) states that every direction so issued shall be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect.

The second proviso states that any such direction so issued shall be valid for a period of three months from the date of its issue, which may be extended for a further period of three months after the review by the Oversight Committee.

Offences and Penalties

Penalty for impersonation at time of enrolment.

2010 Bill: The penalty for impersonation was prescribed under Clause 34 as imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees.

2016 Bill : The penalty for impersonation was prescribed under Clause 34 as imprisonment for a term which may extend to three years, or with fine which may extend to ten thousand rupees, or both.

Penalty for unauthorised access to the Central Identities Data Repository

2010 Bill: Clause 38 (g) stated that any person not authorised by the Authority, provides any assistance to any person to do any of the acts mentioned under sub-clauses (a)-(f) shall be punishable. If anyone, who is not authorised by the Authority, performs any activity as listed under (a)-(i), shall be punishable with imprisonment for a term which may extend to three years and shall be liable to a fine which shall not be less than one crore rupees.

2016 Bill : Clause 38 (g) stated that any person not authorised by the Authority, reveals any information in contravention of sub-section section 28 (5), or shares, uses or displays information in contravention of section 29 or assists any person in any of the acts mentioned under sub-clauses (a)-(f) shall be punishable. If anyone, who is not authorised by the Authority, performs any activity as listed under (a)-(i), shall be punishable with imprisonment for a term which may extend to three years and shall be liable to a fine which shall not be less than ten lakh rupees. Additionally, the Explanation states that the expression “computer source code” shall have the meaning assigned to it in the Explanation to section 65 of the Information Technology Act, 2000.

Penalty for unauthorised use by requesting entity and noncompliance with intimation requirements

2010 Bill: Clause 40 of the Bill prescribed penalty for manipulating biometric information and stated that a person who gives/attempts to give any biometric information which does not pertain to him for the purpose of getting an Aadhaar number, authentication or updating his information, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to ten thousand rupees or with both.

2016 Bill: Clause 40 prescribes penalty for a person, being a requesting entity, uses the identity information of an individual in contravention of clause 8(3) , to be punishable with imprisonment which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both. Clause 41 of the Bill states that Whoever, being an enrolling agency or a requesting entity, fails to comply with the requirements of clause 3(2)-list of details to be informed to the individual undergoing enrolment, and clause 8(3)-informing individual undergoing enrolment details for the purpose of authentication, shall be punishable with imprisonment which may extend to one year, or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.

General Penalty

2010 Bill: For an offence committed under the Act or rules made thereunder, for which no specific penalty was provided, the penalty was prescribed as imprisonment for a term which may extend to three years, or fine as prescribed.

2016 Bill : For an offence committed under the Act or rules made thereunder, for which no specific penalty was provided, the penalty was prescribed as imprisonment for a term which may extend to one year, or fine as prescribed.

Miscellaneous

Power of Central Government to supersede Authority.

2010 Bill: Clause 47(1)(c) stated that if at any time the Central Government is of the opinion that such circumstances exist which render it necessary in the public interest to supersede the Authority, may do so in the manner prescribed under this provision.

2016 Bill : Clause 48(1)(c) states that if at any time the Central Government is of the opinion that a public emergency exists, then the Central Government may supersede the Authority, in the manner prescribed under this provision.

Power to remove difficulties.

2010 Bill: The proviso to Clause 56(1) stated that an no order by Central Government, which may appear necessary to remove a difficulty in giving effect to the provisions of this Act, shall be made under this section after the expiry of two years from the commencement of this Act.

2016 Bill : The proviso to Clause 58(1) stated that an no order by Central Government, which may appear necessary to remove a difficulty in giving effect to the provisions of this Act, shall be made under this section after the expiry of three years from the commencement of this Act.

Savings

2010 Bill: Clause 57 provided that any action taken by the Central Government under the Resolution of the Government of India, Planning Commission bearing notification number A-43011/02/ 2009-Admin.I, dated the 28th January, 2009, shall be deemed to have been done or taken under the corresponding provisions of this Act.

2016 Bill : Clause 59 states that any action take by Central Government under the Resolution of the Government of India, Planning Commission bearing notification number A-43011/02/2009-Admin. I, dated the 28th January, 2009, or by the Department of Electronics and Information Technology under the Cabinet Secretariat Notification bearing notification number S.O. 2492(E), dated the 12th September, 2015, as the case may be, shall be deemed to have been validly done or taken under this Act.

Statement of Objects and Reasons

2010 Bill: The Bill stated that the Central Government decided to issues unique identification numbers to all residents in India, which involves collection of demographic, as well as biometric information. The Unique Identification Authority of India was constituted as an executive body by the Government, vide its notification dated the 28th January, 2009. The Bill addressed and enlisted several issues with the issuance of unique identification numbers which should be addressed by law and attract penalties, such as security and confidentiality of information, imposition of obligation of disclosure of information so collected in certain cases, impersonation at the time of enrolment, unauthorised access to the Central Identities Data Repository, manipulation of biometric information, investigation of certain acts constituting offence, and unauthorised disclosure of the information collected for the purposes of issuance of the numbers. To make the said Authority a statutory one, the National Identification Authority of India Bill, 2010 was proposed to establish the National Identification Authority of India to issue identification numbers and authenticate the Aadhaar number to facilitate access to benefits and services to such individuals to which they are entitled and for matters connected therewith or incidental thereto.Apart from the above mentioned purposes, The National Identification Authority of India Bill, 2010 also seeks to provide for the Authority to exercise powers and discharge functions so prescribed , ensure that the Authority does not require any individual to give information pertaining to his race, religion, caste, tribe, ethnicity, language, income or health, may engage entities to establish and maintain the Central Identities Data Repository and to perform any other functions as may be specified by regulations, constitute the Identity Review Committee and take measures to ensure that the information in the possession or control of the Authority is secured and protected against any loss, unauthorised access or use or unauthorised disclosure thereof.

2016 Bill: The Bill states that correct identification of targeted beneficiaries for delivery of subsidies, services, frants, benefits, etc has become a challenge for the Government and has proved to be a major hindrance for successful implementation of these programmes. In the absence of a credible system to authenticate identity of beneficiaries, it is difficult to ensure that the subsidies, benefits and services reach to intended beneficiaries. The Unique Identification Authority of India was established by a resolution of the Government of India, Planning Commission vide notification number A-43011/02/ 2009-Admin.I, dated the 28th January, 2009, to lay down policies and implement the Unique Identification Scheme of the Government, by which residents of India were to be provided unique identity number. Upon successful authentication, this number would serve as proof of identity for identification of beneficiaries for transfer of benefits, subsidies, services and other purposes. With increased use of the Aadhaar number, steps to ensure security of such information need to be taken and offences pertaining to certain unlawful actions, created. It has been felt that the processes of enrolment, authentication, security, confidentiality and use of Aadhaar related information must be made statutory. For this purpose, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 seeks to provide for issuance of Aadhaar numbers to individuals on providing his demographic and biometric information to the Unique Identification Authority of India, requiring Aadhaar numbers for identifying an individual for delivery of benefits, subsidies, and services, authentication of the Aadhaar number, establishment of the Unique Identification Authority of India, maintenance and updating the information of individuals in the Central Identities Data Repository, state measures pertaining to security, privacy and confidentiality of information in possession or control of the Authority including information stored in the Central Identities Data Repository and identify offences and penalties for contravention of relevant statutory provisions.

For more details visit https://cis-india.org/internet-governance/blog/a-comparison-of-the-2016-aadhaar-bill-and-the-2010-nidai-bill

A Comparison of Legal and Regulatory Approaches to Cyber Security in India and the United Kingdom

Authored by Divij Joshi and edited by Elonnai Hickok — 2017-11-14T15:26:46Z

This report is the first part of a three part series of reports that compares the Indian cyber security framework with that of the U.K, U.S and Singapore.

This report compares laws and regulations in the United Kingdom and India to see the similarities and disjunctions in cyber security policy between them. The first part of this comparison will outline the methodology used to compare the two jurisdictions. Next, the key points of convergence and divergence are identified and the similarities and differences are assessed, to see what they imply about cyber space and cyber security in these jurisdictions. Finally, the report will lay out recommendations and learnings from policy in both jurisdictions.

Read the full report here

For more details visit https://cis-india.org/internet-governance/blog/a-comparison-of-legal-and-regulatory-approaches-to-cyber-security-in-india-and-the-united-kingdom

A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications

elonnai — 2013-07-12T15:40:51Z

This blog post is a comparison of the relevant Indian legislations allowing governmental access to communications and the Draft International Principles on Surveillance of Communications. The principles, first drafted in October 2012 and developed subsequently seeks to establish an international standard for surveillance of communications in the context of human rights.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The Centre for Internet and Society is contributing feedback to the drafting of the principles. The principles are still in draft form and the most recent version along with the preamble to the principles can be accessed at: http://necessaryandproportionate.net/

The Principles:

1. Principle - Legality: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process.

Indian Legislation: In India there are two predominant legislations with subsequent Rules and Licenses that allow for access to communications by law enforcement and the government. Though the basic power of interception of communications are prescribed by law, the Rules and Licenses build off of these powers and create procedural requirements, and requirements for assistance.

The Indian Telegraph Act, 1885

The Indian Telegraph Amendment Rules 2007: These Rules are grounded in section 419A of the Indian Telegraph Act and establish procedures and safeguards for the interception of communications.
License Agreement for Provision of Unified Access Services After Migration from CMTS (UASL): This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
License Agreement for Provision of Internet Services: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
The Information Technology Act, 2000
- Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009: These Rules were notified in 2009 and allow authorized governmental agencies to intercept, monitor, and decrypt information generated, transmitted, received, or stored in any computer resource.
- Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules 2009: These Rules were notified in 2009 and allow authorized agencies to monitor and collect traffic data or information that is generated, transmitted, received or stored in any computer resource.

2. Principle - Legitimate Purpose: Laws should only allow access to communications or communications metadata by authorized public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.

Indian Legislation: In relevant Indian legislation there are no specific provisions requiring that access by law enforcement must be for a legitimate purpose and consistent with a free and democratic society. Instead, Indian legislation defines and lays out specific circumstances for which access would be allowed.

Below are the circumstances for which access is allowed by each Act, Rule, and License:

The TA Rules 2007: Interception is allowed in the following circumstances:

On the occurrence of any public emergency

In the interest of the public safety

In the interests of the sovereignty and integrity of India

The security of the state

Friendly relations with foreign states

Public order

Preventing incitement to the commission of an offence

ITA Interception and Monitoring Rules: Interception, monitoring, and decryption of communications is allowed in the following circumstances:

In the interest of the sovereignty or integrity of India,
Defense of India
Security of the state
Friendly relations with foreign states
Public order
Preventing incitement to the commission of any cognizable offence relating to the above
For investigation of any offence

ITA Monitoring of Traffic Data Rules: Monitoring of traffic data and collection of information is allowed for the following purposes related to cyber security:

Forecasting of imminent cyber incidents
Monitoring network application with traffic data or information on computer resources
Identification and determination of viruses or computer contaminant
Tracking cyber security breaches or cyber security incidents
Tracking computer resource breaching cyber security or spreading virus’s or computer contaminants
Identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security.
Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource.
Accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force.
Any other matter relating to cyber security.

UASL License: Assistance must be provided to the government for the following reasons and times:

Reasons defined in the Telegraph Act. (Section 41.20 (xix))
National Security. (Section 41.20 (xvii))
To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 41.1)
Trace nuisance, obnoxious or malicious calls, messages or communications transported through his/her equipment. (Section 40.4)
In the interests of security. (Section 41.7)
For security reasons. (Section 41.20 (iii))

ISP License: Assistance must be provided to the government for the following reasons and times:

To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 34.1)
In the interests of security. (Section 34.4)
For security reasons. (Section 34.28 (iii))
Reasons defined in the Telegraph Act. (Section 35.2)

3. Principle - Necessity: Laws allowing access to communications or communications metadata by authorized public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.

Indian Legislation: Relevant Indian legislation do not contain provisions mandating that access to communications must be demonstrably necessary, and do not give details of the criteria that authorizing authorities should use to determine if a request is a valid or not. Relevant Indian legislation does require that all directions contain reasons for the direction. Additionally, excluding the ITA Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules, relevant Indian legislation requires that all other means for acquiring the information must be taken into consideration before a direction for access can be granted.

Below are summaries of the relevant provisions:

TA Rules 2007: Any order for interception issued by the competent authority must contain reasons for the direction (Section 2). While issuing orders for direction, all other means for acquiring the information must be taken into consideration, and directions can only be issued if it is not possible to acquire the information by any other reasonable means (Section 3).
ITA Interception and Monitoring Rules: Any direction issued by the competent authority must contain reasons for such direction (Section 7). The competent authority must consider the possibility of acquiring the necessary information by other means and the direction can be issued only when it is not possible to acquire the information any other reasonable means (Section 8).
ITA Traffic Monitoring Rules: Any direction issued by the competent authority must contain reasons for the direction (Section 3(3)).
UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.

4. Principle - Adequacy: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.

Indian Legislation: In relevant Indian legislation there are provisions that require direction for access to be specific, but there are no provisions that specifically prohibit government agencies from collecting and accessing information that is not appropriate for fulfillment of the stated purpose of the direction.

5. Principle - Competent Authority: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.

Indian Legislation: In relevant Indian legislation it is required that directions for access to be authorized by "competent authorities". The most common authority for authorizing orders for access is the Secretary to the Government of India in the Ministry of Home Affairs, but authorization can also come from other officials depending on the circumstance. The fact that authorization for access to communications content is not from a judge has been a contested topic, as in many countries a judicial order is the minimum requirement for access to communication content. It is unclear from the legislation if adequate resources are assigned to the competent authorities.

Below are summaries of relevant provisions:

The TA Rules 2007: Under the Telegraph Act the authorizing authorities are:

The Secretary to the Government of India in the Ministry of Home Affairs at the Central Level
The Secretary to the State Government in charge of the Home Department in the case of the State Government.
In unavoidable circumstances an order for interception may only be made by an officer not below the rank of a Joint Secretary to the Government of India who has been authorized by the Union Home Secretary or the State Secretary.
In remote areas or for operational reasons where obtaining prior directions for interception is not feasible the head or the second senior most officer of the authorized security agency at the Central level and the officers authorized in this behalf and not below the rank of Inspector of General Police. (Section 1(2)).
ITA Interception and Monitoring Rules: Under the ITA Rules related to the interception, monitoring, and decryption of communications, the competent authorities for authorizing directions are:
- The Secretary in the Ministry of Home Affairs in case of the Central Government.
- The Secretary in charge of the Home Department, in case of a State Government or Union Territory.
- In unavoidable circumstances any officer not below the rank of the Joint Secretary to the Government of India who has been authorized by the competent authority.
- In remote areas or for operational reasons where obtaining prior directions is not feasible, the head or the second senior most officer of the security and law enforcement agency at the Central level or the officer authorized and not below the rank of the inspector General of Police or an officer of equivalent rank at the State or Union territory level. (Section 3).
ITA Monitoring and Collecting Traffic Data Rules: Under the ITA Rules related to the monitoring and collecting of traffic data, the competent authorities who can issue and authorize directions are:
- The Secretary to the Government of Indian in the Department of Information Technology under the Ministry of Communications and Information Technology. (Section 2(d)).
- An employee of an intermediary may complete the following if it is in relation to the services that he is providing including: accessing stored information from computer resource for the purpose of implementing information security practices in the computer resource, determining any security breaches, computer contaminant or computer virus, undertaking forensic of the concerned computer resource as a part of investigation or internal audit. Accessing or analyzing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened or is suspected of having contravened or being likely to contravene any provisions of the Act that is likely to have an adverse impact on the services provided by the intermediary. (Section 9 (2)).
UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.

6. Principle - Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should at a minimum establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.

Indian Legislation: In relevant Indian legislation there are no comprehensive provisions that ensure proportionality of the surveillance of communications but there are provisions that contribute to ensuring proportionality. These include provisions requiring: time frames for how long law enforcement can retain accessed and collected material, directions to be issued only after there are no other means for acquiring the information, requests to contain reasons for the order, the duration for which an order can remain in force to be limited, and requests to be for specified purpose based on a particular set of premises. All of these provisions are found in the Telegraph Rules issued in 2007 and the ITA Procedures and Safeguards for Interception, Monitoring, and Decryption of Information Rules. None of these requirements are found in the UASL or ISP licenses, and many are missing from the ITA Safeguards for Monitoring and Collecting Traffic Data or Information Rules.

Though the above are steps to ensuring proportionality, Indian legislation does not provide details of how the proportionality of requests would be measured as recommended by the principle. For example, it is not required that requests for access demonstrate that evidence of the crime would be found by accessing the communications or communications metadata sought, and that information only related directly to the crime will be collected. Furthermore, Indian legislation does not place restrictions on the amount of data sought, nor the level of secrecy afforded to the request.

Below is a summary of the relevant provisions:

TA Rules 2007:

Service providers shall destroy record pertaining to directions for interception of message within two months of discontinuing the interception. (Section 19).
Directions for interception should only be issued only when it is not possible to acquire the information by any other reasonable means. (Section 3).
The interception must be of a message or class of message from and too one particular person that is specified or described in the order or one particular set of premises specified or described in the order. (Section 4).
The direction for interception will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 6).
ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 7).
- The competent authority must consider all other possibilities of acquiring the information by other means, and the direction can only be issued when it is not possible to acquire the information by any other reasonable means. (Section 8).
- The direction of interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource etc., as may be specified or described in the direction. (Section 9).
- The directions for interception, monitoring, or decryption will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 10).
ITA Traffic and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 3(3)).
- Every record including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed after the expiry of nine months by the designated officer. Except when the information is needed for an ongoing investigation, the person in charge of a computer resource shall destroy records within a period of six months of discontinuing the monitoring. (Section 8).

7. Principle - Due process: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorized in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.(9) While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorization by a competent authority, except when there is imminent risk of danger to human life.(10)

Indian Legislation: In the relevant Indian legislation the only guarantee for due process is that every request for access must be subject to prior authorization by a competent authority.

TA Rules 2007:

All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
ITA Interception and Monitoring Rules:
- All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
ITA Monitoring of Traffic Rules:
- The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is the competent authority for authorizing orders.

8. Principle - User notification: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.

Indian Legislation: In relevant Indian legislation there are no provisions that require the government or service providers to notify the user that a public authority has requested his or her communication data.

9. Principle - Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.

Indian Legislation: In relevant Indian legislation there are no requirements that access capabilities of the government and the process for access must be transparent to the public. Nor are service providers required to publish the procedure applied to handle data requests from public authorities.

10. Principle - Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. (11)

Indian Legislation: In relevant Indian legislation there are requirements for a review committee to be established. The review committee must meet on a bi-monthly basis and review directions to ensure that they are in accordance with the prescribed law. Currently, it is unclear from the legislation if the review committees have the authority to access information about public authorities’ actions, and currently the review committee does not publish aggregate information about the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. These standards are recommended by the principle.

The relevant provisions are summarized below:

TA Rules 2007:

A review committee will be constituted by a state government that consists of a chief secretary, secretary of law, secretary to the state government. The review committee shall meet at least once in two months. If the committee finds that directions are not in accordance with the mandated provisions, then the committee can order the destruction of the directions. (Section 17). Any order issued by the competent authority must contain reasons for such directions and a copy be forwarded to the concerned review committee within a period of seven working days. (Section 2).
ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 22).
ITA Traffic Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 7).

11. Principles - Integrity of communications and systems: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.

Indian Legislation: In relevant Indian legislation there are a number of security measures that must be put in place but these are predominantly actions that must be taken by service providers, and do not pertain to intelligence agencies. Furthermore, many provisions found in the ITA Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules, and the ISP and UASL licenses include requirements for service providers to provide monitoring facilities and technical assistance, require information to be retained specifically for law enforcement purposes, and require service providers to comply with a-priori data retention mandates. In the ISP and UASL license, service providers are audited and inspected to ensure compliance with requirements listed in the license, but it unclear from the legislation if the access capabilities of government or governmental agencies are audited by an independent public oversight body. This standard is recommended by the principle.

Relevant provisions are summarized below:

TA Rules 2007: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. (Section 14) Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security, service providers can be held liable for up to three years in prison, fines, and revocation of the service providers licenses depending on the nature and scale of the violation. (Section 20, 20A 21, 23).

ITA Interception and Monitoring Rules: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. (Section 20).

ITA Traffic Monitoring Rules: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. (Section 5&6).

UASL License: The intermediary or service provider is responsible for ensuring the protection of privacy of communication and to ensure that unauthorized interception of messages does not take place. (Section 39.1, Section 39.2, Section 41.4).

ISP License: The ISP has the responsibility of ensuring that unauthorized interception of messages does not take place. (Section 32.1) The ISP must take all necessary steps to safeguard the privacy and confidentiality of an information about a third party and its business and will do its best endeavor to ensure that no information, except what is necessary is divulged, and no employee of the ISP seeks information other than is necessary for the purpose of providing service to the third party. (Section 32.2) The ISP must also take necessary steps to ensure that any person acting on its behalf observe confidentiality of customer information. (Section 32.3).

Provisions requiring the provision of facilities, assistance, and retention:

ITA Interception and Monitoring Rules:

The intermediary must provide all facilities, co-operation for interception, monitoring, and decryption of information mentioned in the direction (Section 13(2)).
If a decryption direction or copy is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer, the decryption key holder must disclose the decryption key or provide the decryption assistance. (Section 17).

ITA Monitoring of Traffic Rules:

The intermediary must extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access to the computer resource for monitoring and collecting traffic data or information. (Section 4(7)).

UASL License:

The service provider cannot employ bulk encryption equipment in its network, and any encryption equipment connected to the licensee’s network for specific requirements must have prior evaluation an approval of the licensor. (Section 39.1).
The service provider must provide all tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through the equipment and network to authorized officers of the government for purposes of national security.(Section 40.4).
Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the licensor or its nominee shall have the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG. The service provider must make arrangements for the monitoring of simultaneous calls by Government security agencies. In case the security agencies intend to locate the equipment at the service provider’s premises for facilitating monitoring, the service provider should extend all support in this regard including space and entry of the authorized security personnel. The interface requirements as well as features and facilities as defined by the licensor should be implemented by the service provider for both data and speech. Presently, the service provider should ensure suitable redundancy in the complete chain of monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies. (Section 41.10).
The service provider must also make the following records available: called/calling party mobile/PSTN numbers, Time/date and duration of interception, location of target subscribers, telephone numbers if any call-forwarding feature has been invoked by the target subscriber, data records for even failed attempts, and call data record of roaming subscribers. (Section 41.10).
The service provider shall provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 41.11).
The complete list of subscribers must be made available by the service provider on their website to authorized intelligence agencies. This list must be updated on a regular basis. Hard copies of the list must also be made available to security agencies when requested. (Section 41.14). The database of subscribers must also be made available to the licensor or its representatives. (Section 41.16).
The service provider must maintain all commercial records with regard to the communications exchanged on the network. All records must be archived for at least one year. (Section 41.17).
Calling Line Identification must be provided and the network should also support Malicious Call Identification. (Section 41.18).
Information about bulk connections must be forwarded to the VTM Cell of DoT, DDG (Security) DoT, and any other officer authorized by the Licensor from time to time as well as Security Agencies on a monthly basis (Section 41.19).
Subscribers having CLIR should be listed in a password protected website with their complete address and details so that authorized Government agencies can view or download for detection and investigation of misuse. (Section 41.19(iv)).
The service provider must provide traceable identities of their subscribers. If the subscriber is roaming from another foreign company, the Indian Company must try to obtain traceable identities from the foreign company as part of its roaming agreement. (41.20 (ix)).
On request by the licensor or any other agency authorized by the licensor, the licensee must be able to provide the geographical location (BTS location) of any subscriber at any point of time. (41.20 (x))
Suitable technical devices should be made available at the Indian end to designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes. (41.20 (xiv)).
A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request to the licensor. (Section 41.20 (xv)).
For monitoring traffic, the service provider should provide access of their network and other facilities as well as to books of accounts to the security agencies. (Section 41.20 (xx)).

ISP License:

The ISP must ensure that Bulk Encryption is not deployed by ISPs. Individuals/groups /organizations can use encryption up to 40 bit key length without obtaining permission from the licensor. If encryption equipments higher than this limit are deployed, individuals/groups/organizations must obtain prior written permission from the licensor and deposit the decryption key. (Section 2.2(vii)).
The ISP must furnish to the licensor/TRAI on demand documents, accounts, estimates, returns, reports, or other information. (Section 9.1).
The ISP will provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network when such information is necessary for investigations or detection of crimes and in the interest of national security. (Section 33.4).
The ISP will provide the necessary facilities for continuous monitoring of the system, as required by the licensor or its authorized representatives. (Section 30.1).
The ISP shall provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive acts, sabotage or any other unlawful activity. (Section 34.1).
In the interests of security, suitable monitoring equipment as may be prescribed for each type of system used, which will be provided by the licensee. (Section 34.4).
The designated person of the Central/State Government or its nominee will have the right to monitor the telecommunication traffic. The ISP will make arrangements for monitoring simultaneous calls by Government security agencies. (Section 34.6).
The ISP must install infrastructure in the service area with respect to: Internet telephony services offered by the ISP for processing, routing, directing, managing, authenticating the internet telephony calls including the generation of Call Details Record (CDR), called IP address, called numbers, date , duration, time and charges of internet telephony calls. (Section 34.7).
ISPs must maintain a log of all users connected and the service that they are using (mail, telnet, http etc.). The ISPs must log every outward login or telnet through their computers. These logs as well as copies of all the packets originating from the Customer Premises Equipment of the ISP must be made available in real time to the Telecom Authority. (Section 34.8).
The ISP should provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 34.9).
The complete list of subscribers must be made available by the ISP on their website so that intelligence agencies can obtain the subscriber list at any time. (Section 34.12).
The list of Internet leased line customers and sub-costumers must be placed on a password protected website with the following information: Name of customer, IP address allotted, bandwidth provided, address of installation, date of installation, contact person with phone number and email. This information should be accessible to authorized Government agencies. (Section 34.13).
Monitoring of high UDP traffic value and to check for cases where upstream UDP traffic is similar to downstream UDP traffic and monitor such customer monthly with physical verification and personal identity. (Section 34.15).
The licensor will have access to the database relating to the subscribers of the ISP. The ISP must make available at any instant the details of the subscribers using the service. (Section 34.22).
The ISP must maintain all commercial records with regard to the communications exchanged on the network for at least one year and will be destroyed unless directed otherwise. (Section 34.23).
Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).
Each route/switch of the ISP should be connected by the LAN operating at the same speed as the router/switch; the monitoring equipment will be connected to this network. (Section 34.27 (a(v)).
The ISP must provide traceable identity of their subscribers. In the case of roaming subscribers the ISP must try to obtain the traceable identity of roaming subscribers from the foreign company. (Section 34.27 (ix)).
On request of the licensor or any other authorized agency, the ISP must be able to provide the geographical location of any subscriber (BTS location of wireless subscriber) at a given point of time. (Section 34.27 (x)).
Suitable technical devices should be made available to designated security agencies in which a mirror image of the remote access information is available on line for monitoring purposes. (Section 34.27 (xiv)).
A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request. (Section 34.27 (xv)).
ISPs must provide access of their network and other facilities, as well as books to security agencies. (Section 34.27 (xx)).

12. Principle - Safeguards for international cooperation: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.

Indian Legislation: India currently has signed 32 MLAT treaties with other countries, each with its own provisions and conditions relating to access to information. The provisions of the Information Technology Act 2000 apply to any contravention of the Act that is committed outside of India, thus the Rules related to interception, monitoring, decryption etc. would apply to any contravention of the Act outside of India. The provisions of the Indian Telegraph Act only apply to communications within India, but the licenses do specify when information held by service providers cannot be transferred across borders.

Below is a summary of the relevant provisions:

ITA 2000: The Act will extend to the whole of India, and applies to any offence or contravention committed outside India by any person. (Section 1(2))

UASL License: The service provider cannot transfer any accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature. (section (41.20 (viii))

ISP License: For security reasons, domestic traffic of such entities as identified by the licensor will not be hauled or route to any place outside of India. (Section 34.28 (iii)) ISPs shall also not transfer accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature) (Section 34.28 (viii))

13. Principle - Safeguards against illegitimate access: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organizations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.

Indian Legislation: Though relevant Indian legislation does provide penalty for unauthorized interception or access, the penalty applies only to service providers, and does not hold governmental agencies responsible. Currently there are no avenues of redress for the individual, and there are no protections or rewards for whistleblowers. Both of these safeguards are recommended by the principle.

The relevant provisions are summarized below:

TA Rules 2007: The Telegraph Act: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. (Section 14) Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security on the part of the service provider, service providers can be held liable with penalty of imprisonment from 1 to 3 years and or a fine of rs.500 – 1000 depending on the exact violation. (Section 20, 20A, 23, and 24 Indian Telegraph Act).

ITA Interception and Monitoring Rules: The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. (Section 21).

ITA Traffic Monitoring Rules: The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. (Section 6).

UASL License:

In order to maintain privacy of voice and data, monitoring must be done in accordance with the 2007 Rules established under the Indian Telegraph Act, 1885. (Section 41.20 (xix)).
Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).

ISP License:

In order to maintain the privacy of voice and data, monitoring can only be carried out after authorization by the Union Home Secretary or Home Secretaries of the State/Union Territories. (Section 34.28 (xix)).
The ISP indemnifies the licensor against all actions brought against the licensor for breach of privacy or unauthorized interruption of data transmitted by the subscribers. (Section 8.4).
Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).

14. Principle - Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.

Indian Legislation: In India, the ISP and the UASL licenses specifically state that the cost of providing facilities must be borne by the service provider. Though the ITA Interception and Monitoring Rules do require intermediaries to provide facilities, it is not clear from the Rules where the burden of the cost will fall. Currently, there are no requirements that the cost of access to user data should be borne by the public authority undertaking the investigation. This standard is recommended by the principle.

Below are summaries of relevant provisions:

UASL License:

Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).
Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
The hardware and software required for the monitoring of calls must be engineered, provided/installed, and maintained by the service provider at the service providers cost. However the respective Government instrumentality must bear the cost of the user end hardware and leased line circuits from the MSC/Exchange/MGC/MG to the monitoring centers to be located as per their choice in their premises. (Section 41.10).
The service provider must ensure that the necessary provision (hardware/software) is available in their equipment for doing the Lawful Interception and monitoring from a centralized location. (Section 41.20 (xvi)).
ISP License:
- Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).
- The hardware at the ISP end and the software required for monitoring of calls must be engineered, provided/installed, and maintained by the ISP. (Section 34.7).
- Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
- Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).

For more details visit https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications

A Case for Greater Privacy Paternalism?

Amber Sinha — 2016-02-20T07:28:43Z

This is the second part of a series of three articles exploring the issues with the privacy self management framework and potential alternatives.

The first part of the series can be accessed here.

Background

The current data privacy protection framework across most jurisdictions is built around a rights based approach which entrusts the individual with having the wherewithal to make informed decisions about her interests and well-being.^{^[1]} In his book, The Phantom Public, published in 1925, Walter Lippmann argues that the rights based approach is based on the idea of a sovereign and omnicompetent citizens, who can direct public affairs, however, this idea is a mere phantom or an abstraction. ^{^[2]} Jonathan Obar, Assistant Professor of Communication and Digital Media Studies in the Faculty of Social Science and Humanities at University of Ontario Institute of Technology, states that Lippmann's thesis remains equally relevant in the context of current models of self-management, particularly for privacy.^{^[3]} In the previous post, Scott Mason and I had looked at the limitations of a 'notice and consent' regime for privacy governance. Having established the deficiencies of the existing framework for data protection, I will now look at some of the alternatives proposed that may serve to address these issues.

In this article, I will look at paternalistic solutions posed as alternatives to the privacy self-management regime. I will look at theories of paternalism and libertarianism in the context of privacy and with reference to the works of some of the leading philosophers on jurisprudence and political science. The paper will attempt to clarify the main concepts and the arguments put forward by both the proponents and opponents of privacy paternalism. The first alternative solution draws on Anita Allen's thesis in her book, Unpopular Privacy,^{^[4]} which deals with the questions whether individuals have a moral obligation to protect their own privacy. Allen expands the idea of rights to protect one's own self interests and duties towards others to the notion that we may have certain duties not only towards others but also towards ourselves because of their overall impact on the society. In the next section, we will look at the idea of 'libertarian paternalism' as put forth by Cass Sunstein and Richard Thaler^{^[5]} and what its impact could be on privacy governance.

Paternalism

Gerald Dworkin, Professor Emeritus at University of California, Davis, defines paternalism as "interference of a state or an individual with another person, against their will, and defended or motivated by a claim that the person interfered with will be better off or protected from harm." ^{^[6]} Any act of paternalism will involve some limitation on the autonomy of the subject of the regulation usually without the consent of the subject, and premised on the belief that such act shall either improve the welfare of the subject or prevent it from diminishing.^{^[7]} Seana Shiffrin, Professor of Philosophy and Pete Kameron Professor of Law and Social Justice at UCLA, takes a broader view of paternalism and includes within its scope not only matters which are aimed at improving the subject's welfare, but also the replacement of the subject's judgement about matters which may otherwise have lied legitimately within the subject's control.^{^[8]} In that sense, Shiffrin's view is interesting for it dispenses with both the requirement for active interference, and such act being premised on the subject's well-being.

The central premise of John Stuart Mill's On Liberty is that the only justifiable purpose to exert power over the will of an individual is to prevent harm to others. "His own good, either physical or moral," according to Mill, "is not a sufficient warrant." However, various scholars over the years have found Mill's absolute prohibition problematic and support some degree of paternalism. John Rawls' Principle of Fairness, for instance has been argued to be inherently paternalistic. If one has to put it in a nutshell, the aspect about paternalism that makes it controversial is that it involves coercion or interference, which in any theory of normative ethics or political science needs to be justified based on certain identified criteria. Staunch opponents of paternalism believe that this justification can never be met. Most scholars however, do not argue that all forms of paternalism are untenable and the bulk of scholarship on paternalism is devoted to formulating the conditions under which this justification is satisfied.

Paternalism interferes with self-autonomy in two ways according to Peter de Marneffe, the Professor of Philosophy at the School of Historical, Philosophical and Religious Studies, Arizona State University.^{^[9]} The first is the prohibition principle, under which a person's autonomy is violated by being prohibited from making a choice. The second is the opportunity principle which undermines the autonomy of a person by reducing his opportunities to make a choice. Both the cases should be predicated upon a finding that the paternalistic act will lead to welfare or greater autonomy. According to de Marneffe, there are three conditions under which such acts of paternalism are justified - the benefits of welfare should be substantial, evident and must outweigh the benefits of self-autonomy.^{^[10]}

There are two main strands of arguments made against paternalism.^{^[11]} The first argues that interference with the choices of informed adults will always be an inferior option to letting them decide for themselves, as each person is the 'best judge' of his or her interests. The second strand does not engage with the question about whether paternalism can make better decisions about individuals, but states that any benefit derived from the paternalist act is outweighed by the harm of violation of self-autonomy. Most proponents of soft-paternalism build on this premise by trying to demonstrate that not all paternalistic acts violate self-autonomy. There are various forms of paternalism that we do not question despite them interfering with our autonomy - seat belt laws and restriction of tobacco advertising being a few of them. If we try to locate arguments for self-autonomy in the Kantian framework, it refers not just to the ability to do what one chooses, but to rational self-governance.^{^[12]} This theory automatically "opens the door for justifiable paternalism."^{^[13]} In this paper, I assume that certain forms of paternalism are justified. In the remaining two section, I will look at two different theories advocating greater paternalism in the context of privacy governance and try to examine the merits and issues with such measures.

A moral obligation to protect one's privacy

Modest Paternalism

In her book, Unpopular Privacy,^{^[14]} Anita Allen states that enough emphasis is not placed by people on the value of privacy. The right of individuals to exercise their free will and under the 'notice and consent' regime, give up their rights to privacy as they deem fit is, according to her, problematic. The data protection law in most jurisdictions, is designed to be largely value-neutral in that it does not sit on judgement on what is the nature of information that is being revealed and how the collector uses it. Its primary emphasis is on providing the data subject with information about the above and allowing him to make informed decisions. In my previous post, Scott Mason and I had discussed that with online connectivity becomes increasingly important to participation in modern life, the choice to withdraw completely is becoming less and less of a genuine option.^{^[15]} Lamenting that people put little emphasis on privacy and often give away information which, upon retrospection and due consideration, they would feel, they ought not have disclosed, Allen proposes what she calls 'modest paternalism' in which regulations mandate that individuals do not waive their privacy is certain limited circumstances.

Allen acknowledges the tension between her arguments in favor of paternalism and her avowed support for the liberal ideals of autonomy and that government interference should be limited, to the extent possible. However, she tries to make a case for greater paternalism in the context of privacy. She begins by categorizing privacy as a "primary good" essential for "self respect, trusting relationships, positions of responsibility and other forms of flourishing." In another article, Allen states that this "technophilic generation appears to have made disclosure the default rule of everyday life."^{^[16]} Relying on various anecdotes and examples of individuals' disregard for privacy, she argues that privacy is so "neglected in contemporary life that democratic states, though liberal and feminist, could be justified in undertaking a rescue mission that includes enacting paternalistic privacy laws for the benefit of un-eager beneficiaries." She does state that in most cases it may be more advantageous to educate and incentivise individuals towards making choices that favor greater privacy protection. However, in exceptional cases, paternalism would be justified as a tool to ensure greater privacy.

A duty towards oneself

In an article for the Harvard Symposium on Privacy in 2013, Allen states that laws generally provide a framework built around rights of individuals that enable self-protection and duties towards others. G A Cohen describes Robert Nozick's views which represents this libertarian philosophy as follows: "The thought is that each person is the morally rightful owner of himself. He possesses over himself, as a matter of moral right, all those rights that a slaveholder has over a chattel slave as a matter of legal right, and he is entitled, morally speaking, to dispose over himself in the way such a slaveholder is entitled, legally speaking, to dispose over his slave."^{^[17]} As per the libertarian philosophy espoused by Nozick, everyone is licensed to abuse themselves in the same manner slaveholders abused their slaves.

Allen asks the question whether there is a duty towards oneself and if such a duty exists, should it be reflected in policy or law. She accepts that a range of philosophers consider the idea of duties to oneself as illogical or untenable. ^{^[18]} Allen, however relies on the works of scholars such as Lara Denis, Paul Eisenberg and Daniel Kading who have located such a duty. She develops a schematic of two kinds of duties - first order duties that requires we protect ourselves for the sake of others, and second order, derivative duties that we protect ourself. Through the essay, she relies on the Kantian framework of categorical imperative to build the moral thrust of her arguments. Kantian view of paternalism would justify those acts which interfere with an individual's autonomy in order to prevent her from exercising her autonomy irrationally, and draw her towards rational end that agree with her conception of good.^{^[19]} However, Allen goes one step further and she locates the genesis for duties to both others (perfect duties) and oneself (imperfect duties) in the categorical imperative . Her main thesis is that there are certain situations where we have a moral duty to protect our own privacy where failure to do so would have an impact on either specific others or the society, at large.

Issues

Having built this interesting and somewhat controversial premise, Allen does not sufficiently expand upon it to present a nuanced solution. She provides a number of anecdotes but does not formulate any criteria for when privacy duties could be self-regarding. Her test for what kinds of paternalistic acts are justified is also extremely broad. She argues for paternalism where is protects privacy rights that "enhance liberty, liberal ways of life, well-being and expanded opportunity." She does not clearly define the threshold for when policy should move from incentives to regulatory mandate nor does she elaborate upon what forms paternalism would both serve the purpose of protecting privacy as well as ensuring that there is no unnecessary interference with the rights of individual.^{^[20]}

Nudge and libertarian paternalism

What is nudge?

In 2006, Richard Thaler and Cass Sunstein published their book Nudge: Improving decisions about health, wealth and happiness. ^{^[21]} The central thesis of the book is that in order to make most of decisions, we rely on a menu of options made available to us and the order and structure of choices is characterised by Thaler and Sunstein as "choice architecture." According to them, the choice architecture has a significant impact on the choices that we make. The book looks at examples from a food cafeteria, the position of restrooms and how whether the choice is to opt-in or opt-out influences the retirement plans that were chosen. This choice architecture influences our behavior without coercion or a set of incentives, as conventional public policy theory would have us expect. The book draws on work done by cognitive scientists such as Daniel Kahneman^{^[22]} and Amos Tversky^{^[23]} as well as Thaler's own research in behavioral economics. ^{^[24]} The key takeaway from cognitive science and behavioral economics used in this book is that choice architecture influences our actions in anticipated ways and leads to predictably irrational behavior. Thaler and Sunstein believe that this presents a great potential for policy makers. They can tweak the choice architecture in their specific domains to influence the decisions made by its subjects and nudge them towards behavior that is beneficial to them and/or the society.

The great attraction of the argument made by Thaler and Sunstein is that it offers a compromise between forbearance and mandatory regulation. If we identify the two ends of the policy spectrum as - a) paternalists who believe in maximum interference through legal regulations that coerce behavior to meet the stated goals of the policy, and b) libertarians who believe in the free market theory that relies on the individuals making decisions in their best interests, 'nudging' falls somewhere in the middle, leading to the oxymoronic yet strangely apt phrase, "libertarian paternalism." The idea is to design choices in such as way that they influence decision-making so as to increase individual and societal welfare. In his book, The Laws of Fear, Cass Sunstein argues that the anti-paternalistic position is incoherent as "there is no way to avoid effects on behavior and choices."

The proponents of libertarian paternalism refute the commonly posed question about who decides the optimal and desirable results of choice architecture, by stating that this form of paternalism does not promote a perfectionist standard of welfare but an individualistic and subjective standard. According to them, choices are not prohibited, cordoned off or made to carry significant barriers. However, it is often difficult to conclude what it is that is better for the welfare of people, even from their own point of view. The claim that nudges lead to choices that make them better off by their own standards seems more and more untenable. What nudges do is lead people towards certain broad welfare which the choice-architects believe make the lives of people better in the longer term.^{^[25]}

How nudges could apply to privacy?

Our previous post echoes the assertion made by Thaler and Sunstein that the traditional rational choice theory that assumes that individuals will make rationally optimal choices in their self interest when provided with a set of incentives and disincentives, is largely a fiction. We have argued that this assertion holds true in the context of privacy protection principles of notice and informed consent. Daniel Solove has argued that insights from cognitive science, particularly using the theory of nudge would be an acceptable compromise between the inefficacy of privacy self-management and the dangers of paternalism.^{^[26]} His rationale is that while nudges influence choice, they are not overly paternalistic in that they still give the individual the option of making choices contrary to those sought by the choice architecture. This is an important distinction and it demonstrates that 'nudging' is less coercive than how we generally understand paternalistic policies.

One of the nudging techniques which makes a lot of sense in the context of the data protection policies is the use of defaults. It relies on the oft-mentioned status quo bias.^{^[27]} This is mentioned by Thaler and Sunstein with respect to encouraging retirement savings plans and organ donation, but would apply equally to privacy. A number of data collectors have maximum disclosure as their default settings and effort in understanding and changing these settings is rarely employed by users. A rule which mandates that data collectors set optimal defaults that ensure that the most sensitive information is subjected to least degree of disclosure unless otherwise chosen by the user, will ensure greater privacy protection.

Ryan Calo and Dr. Victoria Groom explored an alternative to the traditional notice and consent regime at the Centre of Internet and Society, Stanford University.^{^[28]} They conducted a two-phase experimental study. In the first phase, a standard privacy notice was compared with a control condition and a simplified notice to see if improving the readability impacted the response of users. In the second phase, the notice was compared with five notices strategies, out of which four were intended to enhance privacy protective behavior and one was intended to lower it. Shara Monteleone and her team used a similar approach but with a much larger sample size.^{^[29]} One of the primary behavioral insights used was that when we do repetitive activities including accepting online terms and conditions or privacy notices, we tend to use our automatic or fast thinking instead to reflective or slow thinking.^{^[30]} Changing them requires leveraging the automatic behavior of the individuals.

Alessandro Acquisti, Professor of Information Technology and Public Policy at the Heinz College, Carnegie Mellon University, has studied the application of methodologies from behavioral economics to investigate privacy decision-making.^{^[31]} He highlights a variety of factors that distort decision-making such as - "inconsistent preferences and frames of judgment; opposing or contradictory needs (such as the need for publicity combined with the need for privacy); incomplete information about risks, consequences, or solutions inherent to provisioning (or protecting) personal information; bounded cognitive abilities that limit our ability to consider or reflect on the consequences of privacy-relevant actions; and various systematic (and therefore predictable) deviations from the abstractly rational decision process." Acquisti looks at three kinds of policy solutions taking the example of social networking sites collecting sensitive information- a) hard paternalistic approach which ban making visible certain kind of information on the site, b) a usability approach that entails designing the system in way that is most intuitive and easy for users to decide whether to provide the information, c) a soft paternalistic approach which seeks to aid the decision-making by providing other information such as how many people would have access to the information, if provided, and set defaults such that the information is not visible to others unless explicitly set by the user. The last two approaches are typically cited as examples of nudging approaches to privacy.

Another method is to use tools that lead to decreased disclosure of information. For example, tools like Social Media Sobriety Test^{^[32]} or Mail Goggles^{^[33]} serve to block the sites during certain hours set by user during which one expects to be at their most vulnerable, and the online services are blocked unless the user can pass a dexterity examination.^{^[34]} Rebecca Belabako and her team are building privacy enhanced tools for Facebook and Twitter that will provide greater nudges in restricting who they share their location on Facebook and restricting their tweets to smaller group of people.^{^[35]} Ritu Gulia and Dr. Sapna Gambhir have suggested nudges for social networking websites that randomly select pictures of people who will have access to the information to emphasise the public or private setting of a post.^{^[36]} These approaches try to address the myopia bias where we choose immediate access to service over long term privacy harms.

The use of nudges as envisioned in the examples above is in some ways an extension of already existing research which advocates a design standard that makes the privacy notices more easily intelligible.^{^[37]} However, studies show only an insignificant improvement by using these methods. Nudging, in that sense goes one step ahead. Instead of trying to make notices more readable and enable informed consent, the design standard will be intended to simply lead to choices that the architects deem optimal.

Issues with nudging

One of the primary justifications that Thaler and Sunstein put forward for nudging is that the choice architecture is ubiquitous. The manner in which option are presented to us impact how we make decision whether it was intended to do so or not, and that there is no such thing a neutral architecture. This inevitability, according to them, makes a strong case for nudging people towards choices that will lead to their well-being. However, this assessment does not support the arguments made by them that libertarian paternalism nudges people towards choices from their own point of view. It is my contention that various examples of libertarian paternalism, as put forth by Thaler and Sunstein, do in fact interfere with our self-autonomy as the choice architecture leads us not to options that we choose for ourselves in a fictional neutral environments, but to those options that the architects believe are good for us. This substitution of judgment would satisfy the definition by Seana Shiffron. Second, the fact that there is no such things as a neutral architecture, is by itself, not justification enough for nudging. If we view the issue only from the point of view of normative ethics, assuming that coercion and interference are undesirable, intentional interference is much worse than unintentional interference.

However, there are certain nudges that rely primarily on providing information, dispensing advice and rational persuasion.^{^[38]} The freedom of choice is preserved in these circumstances. Libertarians may argue that even these circumstances the shaping of choice is problematic. This issue, J S Blumenthal-Barby argues, is adequately addressed by the publicity condition, a concept borrowed by Thaler and Sunstein from John Rawls.^{^[39]} The principle states that officials should never use a technique they would be uncomfortable defending to the public; nudging is no exception. However, this seems like a simplistic solution to a complex problem. Nudges are meant to rely on inherent psychological tendencies, leveraging the theories about automatic and subconscious thinking as described by Daniel Kahneman in his book, "Thinking Fast, Thinking Slow."^{^[40]} In that sense, while transparency is desirable it may not be very effective.

Other commentators also note that while behavioral economics can show why people make certain decisions, it may not be able to reliably predict how people will behave in different circumstances. The burden of extrapolating the observations into meaningful nudges may prove to be too heavy.^{^[41]} However, the most oft-quoted criticism of nudging is that it will rely on officials to formulate the desired goals towards which the choice architecture will lead us.^{^[42]} The judgments of these officials could be flawed and subject to influence by large corporations.^{^[43]} These concerns echo the best judge argument made against all forms of paternalism, mentioned earlier in this essay. J S Blumenthal-Barby, Assistant Professor at the Center for Medical Ethics and Health Policy, Baylor College of Medicine, also examines the claim that the choice architects will be susceptible to the same biases while designing the choice environment.^{^[44]} His first argument in response to this is that experts who extensively study decision-making may be less prone to these errors. Second, he argues that even with errors and biases, a choice architecture which attempts to the rights the wrongs of a random and unstructured choice environment is a preferable option.^{^[45]}

Conclusion

Most libertarians will find the notion that individuals are prevented from sharing some information about themselves problematic. Anita Allen's idea about self-regarding duties is at odds how we understand rights and duties in most jurisdictions. Her attempt to locate an ethical duty to protect one's privacy, while interesting, is not backed by a formulation of how such a duty would work. While she relies largely on an Kantian framework, her definition of paternalism, as can be drawn from her writing is broader than that articulated by Kant himself. On the other hand, Thaler and Sunstein's book Nudge and related writings by them do attempt to build a framework of how nudging would work and answer some questions they anticipate would be raised against the idea of libertarian paternalism.

By and large, I feel that, Thaler and Sunstein's idea of libertarian paternalism could be justified in the context of privacy and data protection governance. It would be fair to say the first two conditions of de Marneffe under which such acts of paternalism are justified ^{^[46]} are largely satisfied by nudges that ensures greater privacy protection. If nudges can ensure greater privacy protection, its benefits are both substantial and evident. However, the larger question is whether these purported benefits outweigh the costs of loss of self-autonomy. Given the numerous ways in which the 'notice and consent' framework is ineffective and leads to very little informed consent, it can be argued that there is little exercise of autonomy, to begin with, and hence, the loss of self-autonomy is not substantial. Some of the conceptual issues which doubt the ability of nudges to solve complex problems remain unanswered and we will have to wait for more analysis by both cognitive scientists and policy-makers. However, given the growing inefficacy of the existing privacy protection framework, it would be a good idea of begin using some insights from cognitive science and behavioral economics to ensure greater privacy protection.

The current value-neutrality of data protection law with respect of the kind of data collected and its use, and its complete reliance on the data subject to make an informed choice is, in my opinion, an idea that has run its course. Rather than focussing solely on the controls at the stage of data collection, I believe we need a more robust theory of how to govern the subsequent uses of data. This will is the focus of the next part of this series in which I will look at the greater use of risk-based approach to privacy protection.

^{^[1]} With invaluable inputs from Scott Mason.

^{^[2]} Walter Lippmann, The Phantom Public, Transaction Publishers, 1925.

^{^[3]} Jonathan Obar, Big Data and the Phantom Public: Walter Lippmann and the fallacy of data privacy self management, Big Data and Society, 2015, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239188

^{^[4]} Anita Allen, Unpopular Privacy: What we must hide?, Oxford University Press USA, 2011.

^{^[5]} Richard Thaler and Cass Sunstein, Nudge, Improving decisions about health, wealth and happinessYale University Press, 2008.

^{^[6]} http://plato.stanford.edu/entries/paternalism/

^{^[7]} Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013. at 29.

^{^[8]} Seana Shiffrin, Paternalism, Unconscionability Doctrine, and Accommodation, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2682745

^{^[9]} Peter de Marneffe, Self Sovereignty and Paternalism, from Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013. at 58.

^{^[10]} Id .

^{^[11]} Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013. at 74.

^{^[12]} Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013. at 115.

^{^[13]} Ibid at 116.

^{^[14]} Anita Allen, Unpopular Privacy: What we must hide?, Oxford University Press USA, 2011.

^{^[15]} Janet Vertasi, My Experiment Opting Out of Big Data Made Me Look Like a Criminal, 2014, available at http://time.com/83200/privacy-internet-big-data-opt-out/

^{^[16]} Anita Allen, Privacy Law: Positive Theory and Normative Practice, available at http://harvardlawreview.org/2013/06/privacy-law-positive-theory-and-normative-practice/ .

^{^[17]} G A Cohen, Self ownership, world ownership and equality, available at http://journals.cambridge.org/action/displayAbstract?fromPage=online&aid=3093280

^{^[18]} Marcus G. Singer, On Duties to Oneself, available at http://www.jstor.org/stable/2379349?seq=1#page_scan_tab_contents; Kurt Baier, The moral point of view: A rational basis of ethics, available at https://www.uta.edu/philosophy/faculty/burgess-jackson/Baier,%20The%20Moral%20Point%20of%20View%20%281958%29%20%28Excerpt%20on%20Ethical%20Egoism%29.pdf .

^{^[19]} Michael Cholbi, Kantian Paternalism and suicide intervention, from Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013.

^{^[20]} Eric Posner, Liberalism and Concealment, available at https://newrepublic.com/article/94037/unpopular-privacy-anita-allen

^{^[21]} Richard Thaler and Cass Sunstein, Nudge, Improving decisions about health, wealth and happinessYale University Press, 2008.

^{^[22]} Daniel Kahneman, Thinking, fast and slow, Farrar, Straus and Giroux, 2011.

^{^[23]} Daniel Kahneman, Paul Slovic and Amos Tversky, Judgment under uncertainty: heuristics and biases, Cambridge University Press, 1982; Daniel Kahneman and Amos Tversky, Choices, Values and Frames, Cambridge University Press, 2000.

^{^[24]} Richard Thaler, Advances in behavioral finance, Russell Sage Foundation, 1993.

^{^[25]} Thaler, Sunstein and Balz, Choice Architecture, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1583509.

^{^[26]} Daniel Solove, Privacy self-management and consent dilemma, 2013 available at http://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2093&context=faculty_publications

^{^[27]} Frederik Borgesius, Behavioral sciences and the regulation of privacy on the Internet, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2513771.

^{^[28]} Ryan Calo and Dr. Victoria Groom, Reversing the Privacy Paradox: An experimental study, available at http://ssrn.com/abstract=1993125

^{^[29]} Shara Monteleon et al, Nudges to Privacy Behavior: Exploring an alternative approahc to privacy notices, available at http://publications.jrc.ec.europa.eu/repository/bitstream/JRC96695/jrc96695.pdf

^{^[30]} Daniel Kahneman, Thinking, fast and slow, Farrar, Straus and Giroux, 2011.

^{^[31]} Alessandro Acquisti, Nudging Privacy, available at http://www.heinz.cmu.edu/~acquisti/papers/acquisti-privacy-nudging.pdf

^{^[32]} http://www.webroot.com/En_US/sites/sobrietytest/test.php?url=0

^{^[33]} http://google.about.com/od/m/g/mail_goggles.htm

^{^[34]} Rebecca Balebako et al, Nudging Users towards privacy on mobile devices, available at https://www.andrew.cmu.edu/user/pgl/paper6.pdf.

^{^[35]} Id .

^{^[36]} Ritu Gulia and Dr. Sapna Gambhir, Privacy and Privacy Nudges for OSNs: A Review, available at http://www.ijircce.com/upload/2014/march/14L_Privacy.pdf

^{^[37]} Annie I. Anton et al., Financial Privacy Policies and the Need for Standardization, 2004 available at https://ssl.lu.usi.ch/entityws/Allegati/pdf_pub1430.pdf; Florian Schaub, R. Balebako et al, "A Design Space for effective privacy notices" available at https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

^{^[38]} Daniel Hausman and Bryan Welch argue that these cases are mistakenly characterized as nudges. They believe that nudges do not try to inform the automatic system, but manipulate the inherent cognitive biases. Daniel Hausman and Bryan Welch, Debate: To Nudge or Not to Nudge, Journal of Political Philosophy 18(1).

^{^[39]} Ryan Calo, Code, Nudge or Notice, available at

^{^[40]} Daniel Kahneman, Thinking, fast and slow, Farrar, Straus and Giroux, 2011.

^{^[41]} Evan Selinger and Kyle Powys Whyte, Nudging cannot solve complex policy problems.

^{^[42]} Mario J. Rizzo & Douglas Glen Whitman, The Knowledge Problem of New Paternalism, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1310732; Pierre Schlag, Nudge, Choice Architecture, and Libertarian Paternalism, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1585362.

^{^[43]} Edward L. Glaeser, Paternalism and Psychology, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=917383.

^{^[44]} J S BLumenthal-Barby, Choice Architecture: A mechanism for improving decisions

while preserving liberty?, from Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013.

^{^[45]} Id .

^{^[46]} According to de Marneffe, there are three conditions under which such acts of paternalism are justified - the benefits of welfare should be substantial, evident and must outweigh the benefits of self-autonomy. Peter de Marneffe, Self Sovereignty and Paternalism, from Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013. at 58.

For more details visit https://cis-india.org/internet-governance/blog/a-case-for-greater-privacy-paternalism

A billion mobile users: new startup profiles and innovation insights from Mobile India 2016

praskrishna — 2016-01-17T15:13:42Z

The annual Mobile India conference, for which YourStory was the media partner, wrapped up recently in Bengaluru with a startup showcase and a wide range of insights on mobile innovation in India.

The blog post by Sneha Maselkar and Madanmohan Rao was first published in Your Story on January 14, 2016. Sunil Abraham was quoted.

Chaired by professors V. Sridhar of IIIT Bangalore and D. Manjunath of IIT Bombay, the event’s theme was ‘The App Economy.’ (See YourStory coverage of the earlier editions of this conference: 2015, 2014 and 2013).

Mobile innovators

New products were presented by innovators like Pravin Bhagwat, Founder and Chief Technology Officer, AirTight Networks. The company is creating an app store based on ‘social WiFi,’ riding on Google+ and Facebook. A number of interesting startups like IoTM2MSolutions were also at the event. Founded by Ismail Zabihullahh in 2009, the 15-member team has a range of offerings in home automation, RFID biometrics, street lighting and smart parking solutions.

Inaccel is a med-tech accelerator founded in 2014 by Siraj Dhanani, Vijayarajan and Dr. Jagish Chaturvedi. It address the needs, resource and skill gaps, and price-sensitivity of clinical markets, and helps startups conceptualise, design, engineer, and achieve regulatory certification. Its portfolio picks companies with a five-year horizon, in exchange for equity stakes.

Dataglen was formed in 2014 by Deva P. Seetharam, Tanuja Ganu, Sunil Ghai and Rajesh Kunnath. It provides Internet of Things (IoT) data collection and management services, and provides an API for users to develop applications on a variety of computing platforms. The startup charges for data management services based on the volume of transactions and for any required customisation services.

Czar Securities was founded in August 2013 by Shikhil Sharma and Ananda Krishna. Two employees Deepankar Tyagi and Nakul Gulati joined in quick succession. The cyber security solutions company secures corporate IT infrastructure from cyber attacks. Offerings include ASTRA, an intrusion prevention system, as well as penetration testing and security audit services.

Infilect was founded in April 2015 by Vijay Gabale and Anand Prabhu Subramanian. They are building an AI-enabled personalised fashion shopping assistant. The product, Photolect, helps in discovery, search and personalisation for online shoppers by parsing of photos. The product is in beta-test mode with several fashion experts evaluating its features.

Sattva Medtech was founded in 2014 by Vibhav Joshi and Sumedh Kaulgud. They are developing a next-generation fetal health monitoring device which leverages advanced sensors and algorithms. This device, called the Sattva Fetal Lite, has been designed and engineered for use in India and other low-and-mid-income countries; the team has raised an undisclosed amount in seed funding from InnAccel.

Coeo Labs was founded in October 2014 by Nitesh Kumar Jangir and Nachiket Deval. It is a medical device company, developing products in the field of emergency and critical care. Offerings include a device to reduce chances of acquiring ventilator-associated pneumonia (VAP), and a mechanical CPAP machine (mCPAP) for transport of neonates with troubled breathing, from a resource-constrained setting to a neonatal ICU.

IoT scenarios

Over a dozen experts from India and the US discussed the latest mobile trends in a day of packed panel sessions and keynotes. Interface design, usable security and systems integration are key success factors for IoT, according to Henning Schulzrinne, Professor at Columbia University, and CTO, United States Federal Communications Commission. Consumer and industrial IoT scenarios differ with respect to predictability, redundancy, energy consumption and interoperability.

He pointed out categories and uses cases of high IoT impacts: automation of manual data extraction (metering), remote maintenance (vending machines), extraction of additional information (thermostats) and software-defined mechanics (locks, switches).

“IoT networks won’t operate just on mobile carriers, but also on other networks such as Zigbee and Bluetooth,” Henning explained. The Internet itself will be transformed by IoT. “Protocols matter, programmability matters more,” he added. The Internet is becoming more than the Internet protocol; plug-and-play is becoming augmented by plug-and-programme in the IoT world.

The ‘DNA’ of apps

The proliferation of apps can lead to the rise of localised app stores in local languages, said Chinnu Senthilkumar, CTO, Exfinity Ventures, pointing to Korea as an example in this regard. “Many apps are local. How well do you know the digital literacy of your neighbourhood users,” he asked.

Most apps in India are of the ‘me-too’ type; developers need to incorporate better user experience (UX) and bring in more cross-disciplinary experience (see earlier insights from the UX India 2015 conference and NASSCOM NPC 2015). “Security is still an afterthought in app development,” cautioned Chinnu.

“You need to figure out the DNA of the mobile experience: Device, Network, App,” explained Amar Nagaram, Director, Mobile Engineering, Flipkart. The e-commerce giant classifies devices into four broad categories, and its app design factors in the app size, data stored on the device, and computational power of the device.

Battery requirements of the device and packet drop rates on mobile networks are major constraints on app performance in India. Online shopping lets users interact with catalogues as well as product experts.

“I had to unlearn a lot of things from the Internet world which may not apply in a similar manner to the app world. For example, not all older versions of apps need to be supported,” explained Amar.

“Ask yourself, what does your app do for consumers?” advised Pradeep Nair, Co-Founder and CEO, Confianzys. Developers should be looking not at product-market fit, but market-product fit. “Industries die because of their myopia; they focus on past products and not future consumer needs,” he said, urging developers to track-long term megatrends as well.

Telcos’ role in the App Economy

The telecommunications world is changing rapidly due to trends like IoT, new breeds of apps, video boom and Big Data, observed Ishwardutt Parulkar, Cisco Distinguished Engineer. Telcos are struggling to get new drivers for existing services, new revenue sources, and new sources of consumer loyalty.

“Telcos need to provide APIs to developers for embedding telco services and network analytics data. Telcos can also play a bigger role in mobile advertising, for example network-wide ad blocking, as in the case of Jamaica,” advised Ishwardutt. Telcos can exploit synergy with cloud services, and resell SaaS products bundled with telco products.

“We are witnessing major waves of disruptive innovation today: the rise from oblivion to the top is rapid – and so is the fall from the top,” said SR Raja, Associate Vice President, Persistent Systems. Many incumbents tend to suffer from ignorance, inertia, and the inability to do little more than tweak or tinker with existing offerings.

There is a Moore’s Law variant for all architecture components, including programming languages. Hence, telcos need to master new business models blending product and service, advised Raja. “Even regulated industries can be disrupted from outside – look at Uber and Tesla. Will telcos experiment with surge pricing like Uber, or become IoT solutions systems integrators,” he asked. For example, operator O2 has used mobile identity to launch its own messaging OTT app, and Vodafone is getting into IoT services.

Operators and Net Neutrality

The Mobile India conference took place with the backdrop of a heated battle over Net Neutrality between Facebook’s Free Basics and Internet activists from India, which has received a lot of media coverage in India and overseas.

This calls for the digital media community and entrepreneur ecosystem to pay attention to complex but important issues such as Internet governance. “The next billion users in India may be very different from the current billion, in terms of geography, language and access device,” observed Samiran Gupta, Head-India, Internet Corporation for Assigned Names and Numbers (ICANN).

ICANN’s objective is to maintain inter-operability of the Internet, and there is a unique opportunity for emerging economies to play a stronger role in Internet governance, in issues such as local languages and scripts.

Regulation and digital innovation

Regulators have major challenges ahead in juggling the needs of multiple stakeholders and demands for different slices of spectrum. “There are 43 different kinds of radio-communication services competing for spectrum,” said Pavan Garg, Former Wireless Adviser, GoI, and former Member, Radio Regulations Board, ITU, Geneva.

Regulators need to become much more savvy on the kind of collusions possible between industry heavyweights, according to Sunil Abraham, Executive Director, Centre for Internet and Society.

If India gets its IP regime correct, the local language content economy can be boosted, in addition to other civic benefits. For example, giving anonymised data access to independent researchers has helped LIRNEasia come up with better transportation design in Sri Lanka.

The discussion covered a wide range of interesting possibilities. In the EU, it is mandated that all mobile phones be able to display all European languages. Can India do the same for local languages? Will regulation promote support for Indic language technology on mobiles, or should this be left purely to the market? Organisations such as the Telecommunications Standards Development Society, India (TSDSI) is working on Indian language standards in ICTs.

The app economy can indeed be accelerated with proactive government intervention, said Parnil Urdhwareshe, Research Assistant at ICRIER and co-author of a report on ‘Impact of India’s App Economy.’ India’s app ecosystem could be worth Rs 2,000 crore in 2016; it created about 75,000 direct jobs in 2015, according to the report.

The government can pass regulations on apps covering privacy, Net Neutrality and safety, eg. SoS buttons, medical apps. The UK government has drawn up a range of app guidelines covering issues such as in-app purchases.

“Design in India is more important than Make In India,” said Vipin Tyagi, Executive Director, C-DOT, drawing attention to issues of participatory design and citizen-centric services rather than only one-way top-down initiatives from government and large industry players.

The road ahead

Broadband penetration in India is only 10 per cent. By 2018, video will be 62 per cent of India’s mobile data traffic, and there will be 526 million Internet users, according to Anil Kaushal, Member, Telecom Regulatory Authority of India (TRAI).

The government’s BharatNet initiative aims to connect 2,50,000 Gram Panchayats across the country. TRAI has given recommendations for Virtual Network Operators, wherein niche players can offer Smart City services.

In addition to regulators, operators and developers, success of the app economy also rests on responsible user behaviour, said Deepak Maheshwari, Head-Government Affairs, Symantec. “Be more active with respect to data encryption on your device. Use multi-factor authentication,” he advised.

Seventy per cent of India’s population lives in villages; digital innovation will help bring education and healthcare to them, said Vimal Wakhlu, Chairman & Managing Director, TCIL. There are also global extensions and markets for Indian innovations, such as the Pan-African E-Network targeted at 53 countries. There are major uses of ICTs across India, such as monitoring the cleaning of the Ganges as well as water gate management in Gujarat, Vimal added.

“India needs to mandate telecom infrastructure in real estate development and town planning. Digital media will change the way we learn and earn,” said T.R. Dua, Director General, Tower and Infrastructure Providers Association (TAIPA) India, and Co-Chair ITU APT Foundation of India.

For more details visit https://cis-india.org/telecom/news/yourstory-sneha-maselkar-and-madanmohan-rao-january-14-2016-a-billion-mobile-users

A beauty’s blog creates furore

praskrishna — 2012-04-11T03:50:47Z

Her first Tamil poetry anthology Otraiyilaiyena (As a single leaf) saw three editions and the second one Ulagin Azhagiya Muthal Penn (The first beautiful woman in the world) invited mixed reactions like Iyal Poetry Award and a call for a ban by Hindu Makkal Katchi. Parathaiyarul Raani (Queen of sluts) her third collection was a reaction to all the moral policing.

Lakshmi Krupa's article was published in Deccan Chronicle on April 10, 2012

While her film Sengadal The Dead Sea was stopped from being screened to the public, until the Supreme Court’s Appellate tribunal intervened with regional censor board for the film clearance, groups like the Makkal Kalai Ilakiya Kazhagam attacked her beliefs. Adding to this list is the latest revelation that the Principal Secretary of IT Department of the Tamil Nadu government requested that her blog be blocked along with a host of others.

In a text sent from A.K. Kaushik, Additional Director & CPIO Cyber Laws & E-Security in response to an RTI petition on Website Blocking, it was reported that Leena’s blog http://ulaginazhagiyamuthalpenn.blogspot.com was requested to be blocked on 21.07.2010 by the Principal Secretary, IT Department.

This recent revelation has led to an outrage over the fact that artists and activists like Leena have had to constantly knock on the doors of the legal system to exercise the most basic of their rights. In an interview from London where she is currently the Charles Wallace Visiting Scholar at the University of London, Leena says, “Center for Internet and Society in Bengaluru that works towards upholding Civil Liberties Online, had obtained a list of all websites that were sought to be blocked by Governmental authorities with the use of Right to Information Act.

They sent me all the details on how my blog was one amongst them as the Principal Secretary, IT Department, Govt of TN had asked for it to be blocked. As the Internet’s role in free speech becomes increasingly prevalent, tactics to control the Internet are growing more refined each year. Methods of accessing private data and censoring content vary between countries, but all maintain an element of oppression. We, who are concerned about civil liberties should wake up to the secret missions of our government on Internet Censorship and protect freedom of speech online.”

Leena’s blog has been in the center of controversies before too. “Hindu Makkal Katchi, the right wing moral police lodged a police complaint to ban my poetry collections and ban my blog ulaginazhagiyamuthalpenn. blogspot.com. They went to every possible media house and were making threat calls and there were discussions on the alleged obscenity in my poems. They even wanted the Iyal International Poetry Prize and Sirpi Literary Awards to be revoked.”

Leena’s poetry challenges fanatic minds. “My poetry has a feminist agenda and it is just not about equal rights for women. It is a socialist, anti-institutional political movement which calls for women to break the code, destroy capitalism, live their sexuality and witch hunt every possible patriarchal design. I am not amused about the fact that my poetry gave jitters to ultra blasphemous right and left wingers,” she concludes.

For more details visit https://cis-india.org/news/beauty-blog-creates-furore

A 13-year-old's rape in TN highlights the major threat online sexual grooming poses to children

praskrishna — 2017-05-19T10:16:40Z

Predatory paedophiles online pose a major threat to children who form 7% of internet users in India.

The blog post by Priyanka Thirumurthy was published by News Minute on May 6, 2017. Pranesh Prakash was quoted.

It was a usual practice, for 13-year-old Meena* from Tirupur to log into her father's Facebook account when she came home from school. While she was scrolling through his timeline one day, she received and accepted a friend request from a profile named Siva Idiot on Facebook. When this 'new friend' sent her a “hi” on chat, the young girl found no reason to ignore this message. Over the next 10 days, they chatted incessantly and she revealed all her personal details - where she lived, studied, who her parents were and even her phone number. Siva Idiot then proceeded to begin calling her on a mobile phone and their conversations lasted hours.

Meanwhile, miffed by her lack of focus on her studies, Meena's parents often chastised her and threatened to take away her laptop and mobile phone. An upset Meena proceeded to complain to Siva Idiot about the 'problems' she faced, who provided emotional support to the teenager. He even offered to come meet her outside her home.

Meena's parents were out in their offices till 8pm every day and Siva Idiot knew this. He met Meena outside her home, when she was still upset about her parents' advice. Her 'friend' then convinced the teenager to leave her house and marry him. Fifteen days after she first spoke to him on Facebook, 13-year-old Meena ran away from home to 'get married' to 22-year-old Ibrahim.

Online sexual grooming

"This is a classic case of sexual grooming," says Vidya Reddy, of Tulir, Centre for Prevention and Healing of Child Sexual Abuse. "Abusers study a situation carefully to understand what a child's Achilles heel is and then exploit the situation. Now, with almost every child having accesses to technology and internet in the form of a laptop or phone, these criminals have found new platforms to target children," she adds.

What Vidya explains is called online sexual grooming, a worldwide phenomenon, that has spread along with the speed and easy access to the internet. According to UNICEF, it can be defined as preparing a child or adult for sexual abuse, exploitation or ideological manipulation. A report released by the organisation in 2014 states that the surge in mobile and internet usage in India had brought 400 million people online. Of this, seven percent of internet users in the country are reportedly children.

"Phones are now an extension of our hands and it has completely changed the way crime is committed and presented, " Vidya notes.

Even a report of the Parliamentary Committee on Information Technology in 2014 recognized the threat posed to children by predatory paedophiles online. It emphasises how these predators "conceal their true identity whilst using the internet to ‘groom’ potential victims for sexual purposes."

From home to horror

Meena too was unaware about the identity of the person she was chatting with. In fact, an officer told The News Minute, that it was only when Ibrahim called her on the phone that she even realised she had compromised all her data to an unknown man. But Ibrahim, as the police put it, was too smart for the girl.

"He spoke to her very nicely and formed an emotional connect before she even realised the dangers of the situation," a police officer told The News Minute. "He was just somebody who did odd jobs for a living but his real life was on Facebook. He has close to 5000 friends and they are all young girls," she admits.

On April 27, Ibrahim and Meena made their way to Puducherry, where they took shelter at his friend Prabhakar’s motel. That very night, Meena was allegedly raped. The next morning, Ibrahim's phone somehow came into her possession and when the child surfed through the picture gallery, fresh horror awaited her. It was filled with obscene pictures and videos of young women and children. Shocked, Meena confronted Ibrahim about this and the two got into a loud fight. An angry Ibrahim then abused the teenager who refused to leave with him and abandoned her in the lodge.

When the hotel manager and Ibrahim's friend Prabhakaran came to investigate the source of commotion, he found a devastated Meena alone in the room. In an effort to ‘cheer her up’ he took her out to eat and bought her clothes. As Meena changed in the room, Prabhakaran allegedly waited outside to make his move. He went into the room with a yellow thread in hand, and when she was ready, tied it around her neck and declared that they were married. He then proceeded, according to officials, to sexually assault the girl.

Prabhakaran had even mortgaged all her jewellery, given her some money and pocketed the rest. On April 29, the frightened and devastated teenager managed to escape from the lodge and make a call to her house from a nearby bus stop. By then, her parents had already filed a missing girl complaint with the Tirupur North police and were frantically searching for her.

The need to intervene

According to the UNICEF report, India falls largely short in terms of awareness about online child sexual abuse and exploitation. Parents, it claims, are not aware of the risks the internet poses and therefore do not respond effectively to this form of harassment.

"This case shows that parents and schools have to spend more time educating their wards on online safety. In many schools, non- digital safety lessons are imparted such as good touch and bad touch. But when it comes to the internet, they don't even impart basic lessons," says Pranesh Prakash, Director of the Centre for Internet and Society.

Pranesh argues that while parents cannot monitor children's activity on the internet the whole day, they can ensure they have a trusting relationship with their children. This he claims will create dialogue on the child's activity on the internet or social media and create awareness.

"In this crime, details shared online, led to an offline meeting. So, children must be taught to not share addresses, personal details or meet such 'friends' without their parents' knowledge." he adds.

In India, two major challenges are the lack of a uniform terminology and lacunae in law as far as sexual grooming of children is concerned. Some key legal instruments meant to protect children, predate technological advances. For example, the Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution and child pornography does not criminalize online sexual grooming.

Establishing the criminality of sexual grooming or even sexting is difficult in view of the potential for misuse of the law, states the UNICEF report.

Back home and healing

Following her desperate phone call, Tirupur police rescued Meena, and went on to arrest Ibrahim in Pondicherry on April 30. Prabhakaran was arrested on May 2. They have been booked under the Protection of Children from Sexual Offences Act (POCSO) and other sections of the Indian Penal Code. Police are now investigating if Ibrahim and Prabahakaran have been involved in crimes of this nature in the past as well.

"There is only so much parents can do. They work till eight in the night and children who come back from school at 4pm, have four unsupervised hours to themselves. The only thing they can do is keep a password and stop children from using social media accounts," says the investigating officer, who observes that a number of children chat with strangers, making it difficult to keep track.

Vidya Reddy too expresses shock at sheer number of teenagers who chat with strangers online. The Tulir Director recounts horrific cases, including one where a 16-year-old girl was sexually assaulted and then blackmailed with videos of the abuse. The perpetrator allegedly threatened to leak the images if girl did not bring another child for him to rape.

While sexual grooming and other forms of online sexual abuse are common across the world, in India it takes a unique shape in South Asia. "Our society creates a repressive atmosphere, as far as engagement with the other gender is concerned. So, when the conversation is online, teenagers will risk their safety to push boundaries and the anonymity the internet provides has made this whole set up even more dangerous," concludes Vidya Reddy.

*Name changed

For more details visit https://cis-india.org/internet-governance/news/newsminute-may-6-2017-a-13-year-olds-rape-in-tn-highlights-the-major-threat-online-sexual-grooming-poses-to-children

आधार नंबर, नाम, पता, बैंक अकाउंट और दूसरी संवेदनशील जानकारियां लीक: CIS रिपोर्ट

praskrishna — 2017-05-20T11:40:49Z

एक तरफ भारत सरकार लोगों से अपना आधार कार्ड बनवाने और उसे जरूरी सर्विसों के साथ जोड़ने की अपील कर रही है. दूसरी तरफ लगातार सरकारी वेबसाइट्स से लोगों की आधार से जुड़ी जानकारियां लीक हो रही हैं. सरकार ने आधार को लगभग सभी सर्विसों के लिए जरूरी करने की तैयारी की है.

This was published by Aaj Tak on May 4, 2017.

ताजा रिसर्च के मुताबिक सरकार के डेटाबेस से लगभग 135 मिलियन आधान नंबर ऑनलाइन लीक हुए हो सकते हैं. इस रिसर्च दी सेंटर फॉर इंटरनेट एंड सोसाइटी (CIS) ने कराया है. इस एजेंसी ने इस रिसर्च को इनफॉर्मेशन सिक्योरिटी प्रैक्टिस ऑफर आधार के नाम से प्रकाशित किया है.

रिपोर्ट के मुताबिक सरकारी पोर्टल्स ने लगभग 135 मिलियन भारतीय नागरिकों के आधार नंबर ऑनलाइन को पब्लिक कर दिया. यानी कोई भी इसे ऐक्सेस कर सके. जाहिर है ऐसे में आधार नंबर के गलत यूज का भी खतरा होता है.

चार सरकारी वेबसाइट जिनमें मनरेगा, सोशल ऐसिस्टेंस प्रोग्राम, डेली ऑनलाइन पेमेंट रिपोर्ट और चंद्रण बीमा स्कीम वेबसाइट शामिल हैं. रिपोर्ट के मुताबिक इन वेबसाइट्स पर यूजर्स के आधार नंबर और फिनांशियल जानकारी जैसे बैंक अकाउंट डीटेल को पब्लिक कर दिया जिसे कोई भी ऐक्सेस कर सकता है.

रिपोर्ट के मुताबिक नेशनल सोशल ऐसिस्टेंस प्रोग्राम की वेबसाइट पर पेंशन धारकों के जॉब कार्ड नंबर, बैंक अकाउंट नंबर, आधार कार्ड नंबर और अकाउंट की स्थिति जैसी संवेदनशील जानकारियां उपलब्ध होती हैं. लेकिन कमजोर सिक्योरिटी की वजह से यह दुनिया के किसी भी इंसान के लिए उपलब्ध हो गई. सिर्फ कुछ क्लिक से ही तमाम संवेदनशील जानकारियां हासिल की जा सकती हैं.

हाल ही में झारखंड सरकार की एक वेबसाइट पर लाखों आधार कार्ड होल्डर्स की जानकारियां लीक हो गईं. इसके अलावा कई राज्यों की सरकारी वेबसाइट पर स्कॉलरशिप पाने वाले स्टूडेंट्स के आधार कार्ड डीटेल्स लीक हो गए. गूगल सर्च के जरिए सिर्फ कुछ कीवर्ड्स यूज करके डीटेल्स कोई भी ढूंढ कर गलत यूज कर सकता है.

इस रिसर्च रिपोर्ट में कहा गया है आधार नंबर, जाती, धर्म, पता, फोटोग्राफ्स और यूजर की आर्थिक जानकारी इस तरह पब्लिक होना इस बात को दर्शाता है कि इसे कितने लचर तरीके से लागू किया गया है.

हाल ही में मानव संसाधन विकास मंत्रालय की वेबसाइट से ऐसे डेटा ऐक्सेल शीट आसानी से गूगल के जरिए डाउनलोड की जा सकती थी. आप इसे चूक करें या लापरवाही, लेकिन इतने नागरिकों का घर तक का पता किसी के पास भी हो सकता है.

क्या आधार नंबर को पब्लिक करना सही है?
आधार ऐक्ट 2016 के मुताबिक किसी नागरिक का आधार डेटा पब्लिश नहीं किया जा सकता. यानी मंत्रालय की वेबसाइट इन डेटा को सिक्योर रखने में नाकामयाब हो रही हैं.

आधार ऐक्ट 2016 के तहत कलेक्ट किया गया कोई भी आधार नंबर या कोर बायोमैट्रिक इनफॉर्मेशन पब्लिक नहीं किया जा सकता और न ही इसे किसी पब्लिक प्लैटफॉर्म पर पोस्ट किया जा सकता है. हालांकि इसके इस्तेमाल कानून के तहत शामिल की गईं एजेंसियां और संस्थाएं कर सकती हैं.

दी वायर की एक रिपोर्ट के मुताबिक एक महीने पहले डेटा रिसर्चर श्रीनीवास कोडाली ने थर्ड पार्टी वेबसाइट के द्वारा गलती लीक किए गए 5-6 लाख लोगों के पर्सनल डेटा के बारे में बताया था. इस डेटा में आधार नंबर, नाम, कास्ट, जेंडर और फोटोज शामिल थे.

सरकार के हमेशा दावा करती है कि आधार सिक्योर है
सरकार लगातार दावा करती है कि आधार सिक्योर है सेफ है और डेटा लीक नहीं हो रहे हैं. लेकिन ये घटनाएं लागातार उन दावों को खोखला साबित कर रही हैं. सवाल यह है कि अब इस रिपोर्ट के बाद सरकार कोई कठोर कदम उठाती है या फिर पहले की तरह लचर सुरक्षा बनी रहेगी.

For more details visit https://cis-india.org/internet-governance/news/aaj-tak-may-4-2017-135-million-aadhaar-number-leaked-by-govt-website-cis-report

सावधान आपके प्रोफ़ाइल पर है पुलिस की नज़र!

praskrishna — 2013-07-31T04:10:37Z

जन लोकपाल, दिल्ली रेप केस और बाबा रामदेव के आंदोलनों में उमड़ी भीड़ से घबराई सरकारी एजेंसियां अब सोशल मीडिया पर कड़ी नज़र रखने के लिए मैदान में उतरी हैं.

This blog post by Parul Aggarwal was published by BBC on July 18, 2013. Pranesh Prakash is quoted.

अपनी तरह के एक पहले मामले में मुंबई पुलिस ने क्लिक करें फ़ेसबुक-ट्विटर और दूसरे सोशल मीडिया पर आम लोगों की राय और उनकी भावनाओं पर निगरानी रखने की शुरुआत की है.

साइबर अपराधियों और इंटरनेट पर क्लिक करें गड़बड़ियां फैलाने वालों के अलावा अब पुलिस की नज़र उन लोगों पर भी रहेगी जो राजनीतिक-सामाजिक मुद्दों पर सोशल मीडिया में जमकर बोलते हैं.

आम लोग बने मुसीबत?

पुलिस की मंशा है समय रहते ये जानना कि जनता किन मुद्दो पर लामबंद हो रही है और विरोध प्रदर्शनों के दौरान बड़े स्तर पर लोगों का रुझान किस तरफ़ है.

सोशल मीडिया मॉनिटरिंग का ये काम मार्च 2013 में शुरु किए गए मुंबई पुलिस के सोशल मीडिया लैब के ज़रिए किया जाएगा. मुंबई पुलिस के एक वरिष्ठ अधिकारी ने बीबीसी से हुई बातचीत में कहा, ''नौजवान आजकल फ़ेसबुक पर ख़ासे एक्टिव हैं, ये लोग नासमझ हैं और बात-बात पर उग्र हो जाते हैं. सोशल मीडिया लैब के ज़रिए हम ये देखते हैं कि कौन किस मुद्दे पर ज़्यादा से ज़्यादा लिख रहा है और किस तरह की प्रतिक्रिया दे रहा है.''

दिल्ली रेप केस हो या इस तरह के दूसरे पब्लिक मूवमेंट, पिछले दिनों ऐसे कई मामले हुए हैं जब पुलिस ये नहीं जान पाई कि लोग क्या सोच रहे हैं या कितनी हद तक और कितनी बड़ी संख्या में लामबंद हो रहे हैं. हमारा काम है सोशल मीडिया पर नज़र रखते हुए पुलिस को ये बताना कि लोग किन चीज़ों के बारे में बात कर रहे हैं किस तरह के मुद्दे ज़ोर पकड़ रहे हैं."
रजत गर्ग, सीईओ सोशलऐप्सएचक्यू

इस काम में पुलिस को तकनीकी मदद मिल रही है नैसकॉम और तकनीकी क्षेत्र की एक निजी कंपनी ‘सोशलऐप्सएचक्यू’ से.

सोशल मीडिया पर लामबंदी

सोशलऐप्सएचक्यू के सीईओ रजत गर्ग ने बीबीसी से हुई बातचीत में कहा, ''दिल्ली रेप केस हो या इस तरह के दूसरे पब्लिक मूवमेंट, पिछले दिनों ऐसे कई मामले हुए हैं जब पुलिस ये नहीं जान पाई कि लोग क्या सोच रहे हैं या कितनी हद तक और कितनी बड़ी संख्या में लामबंद हो रहे हैं. हमारा काम है सोशल मीडिया पर नज़र रखते हुए पुलिस को ये बताना कि लोग किन चीज़ों के बारे में बात कर रहे हैं किस तरह के मुद्दे ज़ोर पकड़ रहे हैं. ''

फ़ेसबुक-ट्विटर पर क्लिक करें निगरानी कोई नई बात नहीं लेकिन अब तक ये काम ज्यादातर मार्केटिंग कंपनियां ही करती आई हैं. लेकिन सोशलऐप्सएचक्यू जैसी कंपनियां जो कर रही हैं वो 'ओपन सोर्स इंटेलिजेंस' यानी सार्वजनिक स्रोतों से मिली संवेदनशील जानिकारियों को इकट्ठा करना है.

विशेष सॉफ्टवेयर्स की मदद

रजत गर्ग के मुताबिक़, “इंटरनेट को खंगालने और जानकारियां जुटाने का काम सॉफ्टवेयर करते हैं और जानकारियों को समझने और इन पर निगरानी का काम तकनीकी विशेषज्ञों की टीम. इससे ये देखा जा सकता है कि कि कौन से मुद्दे ज़ोर पकड़ रहे हैं और कौन लोग इन्हें लेकर सबसे ज़्यादा एक्टिव हैं. इन लोगों के सोशल नेटवर्क के ज़रिए ये जाना जा सकता है कि किसकी पहुंच कितने लोगों तक है और कोई भी गतिविधिति क्या रुप ले सकती है.’’ सरकार की दलील है कि जो जानकारियां सोशल मीडिया पर क्लिक करें सार्वजनिक रुप से मौजूद हैं केवल उन्हीं की निगरानी की जाती है. हालांकि तकनीक के जानकार कहते हैं कि भारत में प्राइवेसी से जुड़े क़ानून बेहद लचर हैं और फ़ेसबुक-ट्विटर का इस्तेमाल करने वाले ज्यादातर लोग अपनी निजी जानकारियां छिपाने जैसी तकनीकों से अनजान हैं.	अपनी वेबसाइट पर आपत्तिजनक सामग्री डालने को लेकर कार्टूनिस्ट असीम त्रिवेदी को भी गिरफ्तार किया गया था.

रजत गर्ग के मुताबिक़, “इंटरनेट को खंगालने और जानकारियां जुटाने का काम सॉफ्टवेयर करते हैं और जानकारियों को समझने और इन पर निगरानी का काम तकनीकी विशेषज्ञों की टीम. इससे ये देखा जा सकता है कि कि कौन से मुद्दे ज़ोर पकड़ रहे हैं और कौन लोग इन्हें लेकर सबसे ज़्यादा एक्टिव हैं. इन लोगों के सोशल नेटवर्क के ज़रिए ये जाना जा सकता है कि किसकी पहुंच कितने लोगों तक है और कोई भी गतिविधिति क्या रुप ले सकती है.’’

सरकार की दलील है कि जो जानकारियां सोशल मीडिया पर क्लिक करें सार्वजनिक रुप से मौजूद हैं केवल उन्हीं की निगरानी की जाती है. हालांकि तकनीक के जानकार कहते हैं कि भारत में प्राइवेसी से जुड़े क़ानून बेहद लचर हैं और फ़ेसबुक-ट्विटर का इस्तेमाल करने वाले ज्यादातर लोग अपनी निजी जानकारियां छिपाने जैसी तकनीकों से अनजान हैं.

अपनी वेबसाइट पर आपत्तिजनक सामग्री डालने को लेकर कार्टूनिस्ट असीम त्रिवेदी को भी गिरफ्तार किया गया था.

पारदर्शिता की कमी

ऐसे में सार्वजनिक मंच पर कई ऐसी जानकारियां उपलब्ध हो सकती हैं जो उन्हें पुलिस की आंख की किरकिरी बना दें.

साल 2012 में पूर्व शिवसेना प्रमुख बाला साहब ठाकरे की निधन के मौक़े पर बुलाए गए मुंबई बंद के ख़िलाफ़ फ़ेसबुक पर टिप्पणी करने वाली एक लड़की और उसकी पोस्ट को लाइक करने वाली उसकी दोस्त को रातोंरात गिरफ्तार कर लिया गया. पुलिस ने ये कार्रवाई एक स्थानीय शिवसेना नेता की शिकायत पर की थी.

कथित तौर पर संविधान का मज़ाक उड़ाने और अपनी वेबसाइट पर आपत्तिजनक सामग्री डालने को लेकर कार्टूनिस्ट असीम त्रिवेदी को भी गिरफ्तार किया गया. मीडिया में हुए हंगामे के बाद सभी लोगों को छोड़ दिया गया लेकिन भारत में अब तक इस तरह के कई ऐसे मामले सामने आ चुके हैं.

सूचना प्रौद्योगिकी क़ानून की धारा 66 कहती है कि इस तरह की कार्रवाई बेहद संवेदनशील और राष्ट्रहित से जुड़े मामलों में ही की जानी चाहिए. हालांकि धारा 66 की आड़ में सरकार और नेताओं के ख़िलाफ़ बोलने वालों की गिरफ्तारी सरकार की मंशा पर कई सवाल खड़े करती है.

इंटरनेट से जुड़े मुद्दों पर काम करने वाली संस्थाएं मानती हैं कि भारत में इंटरनेट और आम लोगों पर निगरानी रखने के मामले में सरकार की ओर से पारदर्शिता की बेहद कमी है.

'दुरुपयोग की संभावना'

द सेंटर फ़ॉर इंटरनेट एंड सोसाएटी से जुड़े प्रनेश प्रकाश कहते हैं, ''भारत में सूचना प्रौद्योगिकी और इंटरनेट से जुड़े क़ानूनों को अगर पढ़ें तो समझ आता है कि वो कितने ख़राब तरीक़े से लिखे गए हैं. इन क़ानूनों में स्पष्टता और जवाबदेही की गुंजाइश न होने के कारण ही उनका इस्तेमाल तोड़-मरोड़ कर किया जाता है.''

सोशल मीडिया के ज़रिए इंटरनेट पर सार्वजनिक रुप से बहुत कुछ हो रहा है. कुच्छेक मामलों को छोड़कर चीन जैसे देशों के मुकाबले अभिव्यक्ति की स्वतंत्रता को लेकर भारत सरकार ने अबतक कोई दमनकारी नीति नहीं अपनाई है. लेकिन समस्या ये है कि तकनीक की मदद से अगर दिन-रात निगरानी होगी और जानकारियां सामने आएंगी तो उनके दुरुपयोग की संभावना बढ़ जाती है. "

प्रनेश कहते हैं, ''साल 2011 में सरकार ने केंद्रीय मंत्रालयों और विभागों के लिए सोशल मीडिया से जुड़े दिशा-निर्देश जारी किए. इसका मक़सद था सरकारी विभागों को ये बताना कि सोशल मीडिया पर आम लोगों से कैसे जुड़ें. यही वजह है कि जब सरकार और पुलिस से जुड़े विभागों ने सोशल मीडिया लैब बनाए तो ज्यादातर लोगों ने समझा कि इनका मक़सद जनता की निगरानी नहीं बल्कि आम लोगों से जुड़ना है.''

तो मुंबई पुलिस का ये क़दम क्या आम लोगों और मानवाधिकार संगठनों के लिए ख़तरे की घंटी है ?

प्रनेश कहते हैं, “सोशल मीडिया के ज़रिए इंटरनेट पर सार्वजनिक रुप से बहुत कुछ हो रहा है. कुछ एक मामलों को छोड़कर चीन जैसे देशों के मुक़ाबले अभिव्यक्ति की स्वतंत्रता को लेकर भारत सरकार ने अब तक कोई दमनकारी नीति नहीं अपनाई है. लेकिन समस्या ये है कि तकनीक की मदद से अगर दिन-रात निगरानी होगी और जानकारियां सामने आएंगी तो उनके दुरुपयोग की संभावना बढ़ जाती है.”

For more details visit https://cis-india.org/news/bbc-uk-july-18-2013-parul-aggarwal-social-media-monitoring