We are anonymous, we are legion

The PDP Bill 2019 Through the Lens of Privacy by Design

2020-11-13T07:51:03Z

This paper evaluates the PDP Bill based on the Privacy by Design approach. It examines the implications of Bill in terms of the data ecosystem it may lead to, and the visual interface design in digital platforms. This paper focuses on the notice and consent communication suggested by the Bill, and the role and accountability of design in its interpretation.

Background

The Personal Data Protection (PDP) Bill, 2019 was introduced in the Lok Sabha on December 11, 2019 by the Minister of Electronics and Information Technology. The Bill aims to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same [1]. The PDP Bill, 2019 contains several clauses that have implications on the visual design of digital products. These include the specific requirements for communication of notice and consent at various stages of the product. The Bill also introduces the Privacy by Design policy. Privacy by Design (PbD), as a concept, was proposed by Ann Cavoukian in the 1990s, with the purpose of approaching privacy from a design-thinking perspective [2]. She describes this perspective to be holistic, interdisciplinary, integrative, and innovative. The approach suggests that privacy must be incorporated into networked data systems and technologies, by default [3]. It challenges the practice of enhancing privacy as an afterthought. It expects privacy to be a default setting, and a proactive (not reactive) measure that would be embedded into a design in its initial stage and throughout the life cycle of the product [4]. While PbD is a conceptual framework, it’s application can change the way digital platforms are created and the way in which people interact with them. From devising a business model, to making technological decisions, PbD principles can make privacy integral to the processes and standards of a digital platform.

The PDP Bill states that data fiduciaries are required to prepare a Privacy by Design policy and have it certified by the Data Protection Authority. According to the Bill, the policy would contain the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal [5]. It would mention if the technology used in the processing of personal data is in accordance with the certified standards. It would also comprise of the ways in which privacy is being protected throughout the stages of processing of personal data, and that the interest of the individual is accounted for in each of these stages. Once certified by the Data Protection Authority, the data fiduciaries are also required to publish this policy on their website [6]. This forces the data fiduciaries to envision privacy as a fundamental requirement and not an afterthought. Such a policy would have a huge impact in the way digital platforms are conceptualised, both from the technological and the design point of view. The adoption of this policy by digital platforms would enable people to know if their privacy is protected by the companies, and what are the various steps being taken for this purpose. Besides the explicit Privacy by Design policy, the PDP Bill, 2019, also recommends the regulations for data minimisation, establishment of the Data Protection Authority (DPA), and the development of a consent framework. These steps are also part of the Privacy by Design approach.

This paper evaluates the PDP Bill based on the Privacy by Design approach. The Bill’s scope includes both the conceptual and technological aspects of a digital platform, as well as the interface aspect that the individual using the platform faces. The paper will hence analyse how PbD approach is reflected in both these aspects. At the conceptual level, it will look at the data ecosystem that the Bill unwittingly creates, and at the interface level, it will critically analyse the Bill’s implication on the notice and consent communication in the digital products. This includes the several points of communication or touchpoints between a company and an individual using their service, as dictated by the Bill, and how they would translate into visual design. Visual design forms an integral part of digital platforms. It is the way in which the platforms interact with the individuals. The choices made by individuals are largely driven by the visual structuring and presentation of information on these platforms. Presently, the interface design in several platforms is being used to perpetuate unethical data practices in the form of dark patterns. Dark Patterns are deceptive user interface interactions, designed to mislead or trick users to make them do something they don’t want to do [7]. The design of the notice and consent touchpoints can significantly influence the enforcement of this Bill, and how it benefits individuals. Moreover, digital platforms may technically follow the regulations but can still be manipulative through their interface design. Thus, the role and accountability of design becomes crucial in the interpretation of the data protection regulations.

The full paper can be read here.

[1] https://prsindia.org/billtrack/personal-data-protection-bill-2019

[2] https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf

[3] https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf

[4] https://www.smashingmagazine.com/2019/04/privacy-ux-aware-design-framework/

[5] http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf

[6] https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft

[7] https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c

For more details visit https://cis-india.org/internet-governance/blog/the-pdp-bill-2019-through-the-lens-of-privacy-by-design

The Panama Papers and the question of privacy

praskrishna — 2016-04-24T14:03:35Z

This statement was originally published on privacyinternational.org on 4 April 2016.

Read the entry by Claire Lauterbach published in Big News Network on April 6, 2016. Sunil Abraham was quoted.

We do agree with Ramon Fonseca about one thing: that "Each person has a right to privacy, whether they are a king or a beggar."

But that's where our commonality with co-founder of disgraced Panama law firm Mossack Fonseca ends.

Last year, a whistleblower leaked 11.5 million documents about the firm's business brokering offshore companies, details of which were published yesterday. Reportedly the largest leak in journalistic history, the cache reveals hidden assets by a dozen current and former world leaders, and scores of celebrities and tycoons, some of which are linked to high level corruption scandals.

This scandal isn't about privacy, though. If anything, it's about the need for transparency about how the powerful wield their power. We need transparency - and good solid investigation - to understand where and how our right to privacy is eroded.

Privacy and transparency are not opposites. They are two sides of the same coin. As privacy advocates, we use transparency capabilities to investigate surveillance. Meanwhile, privacy as a right requires transparency from the institutions that gather and use our data.

Privacy International, like other human rights groups, conducts investigations in the public interest. That allows us to understand, for example, how Colombia built a shadow surveillance system despite evidence of illegal interceptions, or how UK police appear to be collecting private communications data at protests, according to a Vice News investigation.

Many of the Panama Papers' revelations are in the public interest insofar as they concern the transformation of public assets - like taxpayers' money and state funds - into private gains, and allow the powerful to avoid scrutiny. Privacy and transparency are not opposites. They are two sides of the same coin.

Fonseca called journalism around the leaked files an "international campaign against privacy".

But what Fonseca is really doing is advocating a status quo of 'privacy for the kings, and transparency for the beggars'. Or rather, privacy for the business moguls, politicians, corporations and government agencies, and transparency for the citizens, consumers, activists and journalists.

For the public, our financial systems are now surveiled by design. Our transactions are labelled as suspicious and sent for mining by intelligence agencies. We need IDs to open accounts, and our records are profiled by credit agencies who facilitate key decisions about us and our families. Secretive institutions collate this information to decide whether or not we are terrorists. While a certain degree of this is necessary for public order, what's clear is that we are watched while the 'kings' are able to circumvent many of these measures and escape scrutiny. We should never make the mistake of conflating the right to privacy for the individual with the desire to hide shadowy, ethically dubious, borderline-or-actual illegal activity for the immensely wealthy and powerful.

The real issues around privacy include: the spreading of draconian laws, from the UK, to Pakistan, to Kenya, that sanction warrantless surveillance and online monitoring, with insufficient protection for the public. It's the intrusive biometric registration of some of the most desperate people, like refugees from Dadaab to Calais, desperate for food and medical care. It's the instrumentalisation of consumer data to draw conclusions about us, with or without our consent. It's also the parallel trend of rolling back Freedom of Information laws (see: UK and United States). And, as the Panama Papers show, it is allowing transfers of public funds for private gain to be obscured.

That is the real "campaign against privacy" - not public interest journalism.

As our friend and partner Sunil Abraham, Executive Director of the Centre for Internet and Society in India states succinctly, the right to privacy should "be inversely proportionate to power and almost conversely the requirement of transparency to be directly proportionate to power."

For more details visit https://cis-india.org/internet-governance/news/big-news-network-april-6-2016-claire-lauterbach-panama-papers-and-question-of-privacy

The Omnishambles of UID, shrouded in its RTI opacity

elonnai — 2013-02-19T11:04:30Z

The Centre for Internet & Society sponsored Colonel Mathew Thomas to hold a workshop at the fourth National Right to Information (RTI) organized by the National Campaign for People's Right to Information, held in Hyderabad from February 15 to 18, 2013.

Click below to see Colonel Mathew Thomas's presentation

Omnishambles of UID Shrouded in its Opacity

For more details visit https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity

The noose tightens on freedom of speech on the Internet

praskrishna — 2015-03-27T01:06:52Z

A WORRYING trend has emerged in the last few years, where intermediaries around the world are being used as chokepoints to restrict freedom of expression online, and to hold users accountable for content.

The blog post by Gabey Goh was published by Digital News Asia on March 26, 2015. Jyoti Panday gave her inputs.

“All communication across the Internet is facilitated by intermediaries: Service providers, social networks, search engines, and more,” said Electronic Frontier Foundation (EFF) senior global policy analyst Jeremy Malcolm.

“These services are all routinely asked to take down content, and their policies for responding are often muddled, heavy-handed, or inconsistent.

“That results in censorship and the limiting of people’s rights,” he told Digital News Asia (DNA) on the sidelines of RightsCon, an Internet and human rights conference hosted in Manila from March 24-25.

This year, the government of France is moving to implement regulation that makes Internet operators ‘accomplices’ of hate-speech offences if they host extremist messages.

In February, the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA) urged ICANN (the Internet Corporation for Assigned Names and Numbers) to ensure that domain name registries and registrars “investigate copyright abuse complaints and respond appropriately.”

Closer to home, the Malaysian Government passed a controversial amendment to the Evidence Act 1950 – Section 114A – back in 2012.

Under Section 114A, an Internet user is deemed the publisher of any online content unless proven otherwise. The new legislation also makes individuals and those who administer, operate or provide spaces for online community forums, blogging and hosting services, liable for content published through their services.

Due to the potential negative impact on freedom of expression, a roadmap called the Manila Principles on Internet Liability was launched during RightsCon.

The EFF, Centre for Internet Society India, Article 19, and other global partners unveiled the principles, whose framework outlines clear, fair requirements for content removal requests and details how to minimise the damage a takedown can do.

For example, if content is restricted because it’s unlawful in one country or region, then the scope of the restriction should be geographically limited as well.

The principles also urge adoption of laws shielding intermediaries from liability for third-party content, which encourages the creation of platforms that allow for online discussion and debate about controversial issues.

“Our goal is to protect everyone’s freedom of expression with a framework of safeguards and best practices for responding to requests for content removal,” said Malcolm.

Jyoti Panday from the Centre for Internet and Society India noted that people ask for expression to be removed from the Internet for various reasons, good and bad, claiming the authority of myriad local and national laws.

“It’s easy for important, lawful content to get caught in the crossfire. We hope these principles empower everyone – from governments and intermediaries, to the public – to fight back when online expression is censored,” she said.

The Manila Principles can be summarised in six key points:

Intermediaries should be shielded by law from liability for third-party content.

Content must not be required to be restricted without an order by a judicial authority.

Requests for restrictions of content must be clear, be unambiguous, and follow due process.

Laws and content restriction orders and practices must comply with the tests of necessity and proportionality.

Laws and content restriction policies and practices must respect due process.

Transparency and accountability must be built in to laws and content restriction policies and practices.

“Right now, different countries have differing levels of protection when it comes to intermediary liability, and we’re saying that there should be expansive protection across all content,” said Malcolm (pic).

“In addition, there is no logic in distinguishing between intellectual property (IP) and other forms of content as in the case in the United States for example, where under Section 230 of the Communications Decency Act, intermediaries are not liable for third party content but that doesn’t apply to IP,” he added.

The Manila Principles have two main targets: Governments and intermediaries themselves. The coalition, led by EFF, will be approaching governments to present the document and discuss the recommendations on how best to establish an intermediary liability regime.

This includes immunising intermediaries from liability and requiring a court order before any content can be taken down.

With intermediaries, the list includes companies such as Facebook, Twitter and Google, to discuss establishing transparency, responsibility and accountability in any actions taken.

“We recognise that a lot of the time, intermediaries are not waiting for a court order before taking down content, and we’re telling them to avoid removing content unless there is a sufficiently good reason and users have been notified and presented that reason,” said Malcolm.

The overall aim with the Manila Principles is to influence policy changes for the better.

Malcolm pointed out that by coincidence, some encouraging developments have taken place in India. On the same day the principles were released, the Indian Supreme Court struck down the notorious Section 66A of the country’s Information Technology Act.

Since 2009, the law had allowed both criminal charges against users and the removal of content by intermediaries based on vague allegations that the content was “grossly offensive or has menacing character,” or that false information was posted “for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will.”

Calling it a “landmark decision”, Malcolm noted that the case shows why the establishment and promotion of the Manila Principles are important.

“Not only is the potential overreach of this provision obvious on its face, but it was, in practice, misused to quell legitimate discussion online, including in the case of the plaintiffs in that case – two young women, one of whom made an innocuous Facebook post mildly critical of government officials, and the other who ‘liked’ it,” he said.

The court however, upheld section 69A of the Act, which allows the Government to block online content; and Section 79(3), which makes intermediaries such as YouTube or Facebook liable for not complying with government orders for censorship of content.

Gabey Goh reports from RightsCon in Manila at the kind invitation of the South-East Asian Press Alliance or Seapa.

For more details visit https://cis-india.org/internet-governance/news/digital-news-asia-gabey-goh-march-26-2015-noose-tightens-on-freedom-of-speech-on-internet

The Niira Radia Tapes: Scrutinizing the Snoopers

praskrishna — 2011-04-02T07:29:21Z

There’s been plenty of outrage in India over taped phone calls between corporate lobbyist Niira Radia and local journalists, revealing what some people believe is evidence that star reporters at the country’s newspapers and TV channels are too cozy with the subjects they’re supposed to be reporting on.

Amid that firestorm, though, there’s been much less scrutiny of why and how the wiretaps happened in the first place, whether they were justified or a governmental overreach, and how these infamous tapes got from the government into the hands of media companies.

Here are just a few questions that merit more consideration: Who orders telephone surveillance in India and on what grounds? How often is it done? What protections are in place to ensure government officials don’t abuse their surveillance authority to settle scores with journalists, corporate officials or ordinary citizens they have a beef with?

The quick answer to all of these: India trusts its bureaucrats to do the right thing. The central government’s Home Secretary, along with some intelligence agencies and state officials, has the authority to approve wiretaps. Unlike in the U.S. and other countries, where investigators must generally obtain court warrants for surveillance to pursue matters ranging from drug-trafficking to insider trading, in India there is no such legal tradition or rule.

“There is no oversight infrastructure, either in parliament or in the judiciary,” said Sunil Abraham, executive director of the Bangalore-based Center for Internet and Society. There is only “post facto” protection in the sense that you can sue the government later if you feel you were wrongly wiretapped, he said.

According to local media reports, industrial giant Ratan Tata on Monday petitioned the Supreme Court over the leaking of the tapes, on which he is heard bantering with Ms. Radia (his lobbyist) about a range of topics related to the $70 billion Tata Group. The reports say he feels the episode violated his privacy and wants the leakers to be punished. (While there’s no explicit constitutional protection of privacy in India, the Supreme Court in some cases has held it is covered by Article 21 of the Constitution, which says, “No person shall be deprived of his life or personal liberty except according to procedure established by law.”)

A report in the Economic Times Monday said government is going to investigate the leak. A Home Ministry spokesman declined to comment on whether an inquiry has been launched but said India’s system of allowing a handful of security and intelligence officials to approve or deny wiretaps sufficiently guards Indian citizens’ privacy. “It isn’t an unchecked kind of thing, that anyone can just do it,” the spokesman said.

India draws its wiretap authority from a few laws, including the 1885 Telegraph Act and a separate information technology law enacted in 2000 and amended in 2008. The government can tap phones or intercept emails for reasons such as “any public emergency” or “in the interest of the public safety” – pretty broad language that gives a lot of leeway to bureaucrats, critics say.

A report in the Hindu last week claimed that more than 5,000 Indian phones are being bugged daily, citing anonymous sources. Mr. Abraham, of the Center for Internet and Society, says that breadth of surveillance in a country of 1.2 billion people wouldn’t be unreasonable. But his organization is planning a Right to Information request to find out more about the scope of government wiretapping.

The government may have had good reasons to conduct the wiretaps of Ms. Radia, which local media reports say were done by the income tax department for two four-month stints in 2008 and 2009, during which time they reportedly logged 5,851 calls.

The income tax agency hasn’t stated publicly what the rationale was and its officials declined to comment Monday.

Media reports suggest that the material was supposed to help probe the irregular allocation of mobile phone spectrum in 2008 to several Indian telecom firms. (The official in charge of that allocation, A. Raja, resigned as telecom minister Nov. 14 amid charges that he rigged the process to favor some companies over others.)

But much of the content in the several hours of so-called “2G tapes” that have leaked to Indian news organizations has little or nothing to do with taxes or 2G spectrum. There’s talk of the billionaire Ambani brothers’ natural gas pricing dispute, mining policy, a dog who is named Google because he is good at finding things, which corporate honchos are easy to get on the phone, and plenty of titillating exchanges between New Delhi’s power brokers on the politics of cabinet appointments. Some pretty top-notch gossip, in other words.

To be sure, the content on the tapes does raise disturbing and serious questions about whether some elements of the Indian media carry water for particular government ministers or corporations. And it pulls the veil back on how the titans of Indian business and politics shape policy away from the public spotlight, as Siddharth Varadarajan explained in Monday’s edition of the Hindu when he made a clever analogy to the movie The Matrix. (We’ve separately parsed the contents of some of the tapes for their potential significance.)

But it’s still worth asking tough questions about the legal and ethical foundations of wiretapping citizens, because, as Indian civil liberties expert Lawrence Liang said in an email, “if this can happen to a Nira Radia, then it can easily be used for a Nida Nobody.”

Update, 5:09 p.m.: “A Home Ministry spokesman confirmed the ministry has asked the Intelligence Bureau and Central Board of Direct Taxes to conduct a probe into the leak.”

Read the original in Wall Street Journal

For more details visit https://cis-india.org/news/niira-radia-tapes

The new tattler in town

praskrishna — 2015-09-26T16:31:00Z

WhatsApp messages, and in particular ‘admins’ of WhatsApp groups come under pressure as rumour-mongering catches the attention of the police.

The article by P. Anima was published in the Hindu Businessline on August 28, 2015. Sunil Abraham was quoted.

In early August, Solapur in southeast Maharashtra was gripped by a strange fear. Like most small towns, Solapur rarely makes the headlines except when drought deepens. That changed as alarmed villagers in almost all of the district’s 11 tehsils camped outdoors day and night, on the look out for an unseen enemy. “In the bastis (villages), residents kept night vigils, sitting around a fire,” Deepak Homkar, a local journalist, recalls. Rumours were flying thick — of theft, widespread looting and possible kidnapping of children. And all of it over WhatsApp, the instant messaging app. Similar scenes were reported from Ahmedabad a month earlier. Rumours of dacoity and terrorist attacks spread panic in areas around Ahmedabad. Arrests were made of those who had allegedly sent fear-mongering texts, but the damage had already been done.

With over 800 million, and growing, active users worldwide, WhatsApp is popular among the 160 million smartphone users in India too. Neatly slotting lives into groups of friends, work and family, it allows users to flit in and out of interactions. But a fair amount of trouble-making is also springing up from the app.

In Solapur, the police tasked with putting the rumours to an end had visited bastis, narrowed down the suspected smartphone users and randomly checked their WhatsApp messages. “We found these rumours on some, not other [phones],” says a police official. After 36 hours of search, 16 young men were held under IPC 505 1(B) for spreading alarm and fear in Pandharpur tehsil alone. It included those who allegedly sent the message and several ‘admins’ (those who open and manage the group accounts). After being questioned and warned against repeating such texts, the men were let off.

The complicity of the WhatsApp admin, whether as a passive onlooker or whether they forwarded the messages themselves, remains hazy. “It is possible that some admins may have forwarded the text, but I spoke to at least one who was held only because he managed the group,” says Homkar.

Are the admins culpable in such situations? “Not at all,” say internet experts, if the admin has had nothing to do with the fear-mongering texts. But if the admin has forwarded a potentially harmful message, he/she is accountable like anyone else. “It is then an act done knowingly,” says Prasanth Sugathan, counsel at the Delhi-based Software Freedom Law Centre. “The act of forwarding makes you accountable. The burden of truth is on you,” he adds. Chinmayi Arun, research director at Centre for Communication Governance, National Law University, Delhi, pitches in, “Just being an inactive administrator of a large group, who may not be able to vet all of its content, is very different from forwarding rumours. People who forward rumours should be responsible enough to at least highlight their doubtful veracity.”

However, if the admin is unconnected to the group activities, he cannot be held for merely starting the group, they say. “Unless, of course, you have started it for an illegal activity or to cause an offence,” says Sunil Abraham, executive director of the Bengaluru-based The Centre for Internet and Society. The WhatsApp admin, they point out, is a mere intermediary. One who isn’t vested with any power, except to add or remove members from the group.

Twenty-three-year-old Hrishikesh, from Dhanbad, is currently admin in six groups. In three, he is one among multiple admins. He hardly keeps tab on the goings-on in this space and is not acquainted with all members, he says. “A WhatsApp admin has no control, no facility to moderate or tweak a message,” says Sugathan. Abraham trots out Section 79 of the IT Act. “It gives the admin immunity from liability that emerges from content posted by the members,” he says. The best way to track the original senders in such cases, he says, is to rope in the help of the telecom department, the other intermediary (in the case of WhatsApp, the owner Facebook) and blend it with some ‘old-fashioned’ detective work.

“Counter bad speech with good speech,” says Abraham, and that is often the best way to deal with rumour-mongering. Instances like those at Solapur and Ahmedabad have been rare, he reasons. “Such stuff can be dealt better with education rather than regulation. All types of nuisance shouldn’t be regulated. The cost of implementing new laws and training police personnel for it is not cheap. In these cases, SMSes from the police could go to every single mobile user in the district, telling them the rumours are false.”

Sugathan concurs with this. Facebook, radio and other mass media should be used by the police to quell rumours, he says. He points out that in the aftermath of the 2011 London riots, although social media was blamed for aggravating the situation, there were ample warnings against shutting it down during such times. “Blocking the medium is blocking an avenue for information. One cannot arrest each and every person. So educating people works better,” says Sugathan. Some like Abraham consider these hiccups inevitable in our evolving use of social media. A new technology is often considered sacrosanct and reliable. “From repeated exposure emerges critical understanding. It will take us another five years to know that Wikipedia is not the source of truth.”

For more details visit https://cis-india.org/internet-governance/news/the-hindu-businessline-august-28-p-anima-the-new-tattler-in-town

The New Right to Privacy Bill 2011 — A Blind Man's View of the Elephunt

Prashant Iyengar — 2012-02-29T05:45:41Z

Over the past few days various newspapers have reported the imminent introduction in Parliament, during the upcoming Monsoon session, of a Right to Privacy Bill. Since the text of this bill has not yet been made accessible to the public, this post attempts to grope its way – through guesswork – towards a picture of what the Bill might look like from a combined reading of all the newspaper accounts, writes Prashant Iyengar in this blog post which was posted on the Privacy India website on June 8, 2011.

I am relying entirely on the following three newspaper accounts in the Times of India, the Hindu and the Deccan Chronicle.

A Constitutional/Fundamental Right?

The Times of India piece which broke the story seems to have misunderstood/misquoted Law Minister Veerappa Moily. The article is titled “Right to privacy may become fundamental right” which connotes a constitutional amendment. However this is inconsistent with the later portions of the same article as well as subsequent newspaper accounts in DC and the Hindu. So its safe to assume that this will not be a fundamental right to privacy, but a statutory right to privacy – like what the Right to Information Act grants us.

Preamble

I’m extrapolating here from the Hindu article:

"To provide for such a right [of privacy] to citizens of India AND to regulate collection, maintenance, use and dissemination of their personal information."

So it’s an omnibus Privacy and Data Protection Law that’s being passed. How nice. This addresses some of the misgivings that we had last year against the "Approach Paper on Privacy" released by the Department of Personnel and Training.

Definition of ‘Right to Privacy’

The Hindu article appears to quote directly from the Bill.

Every individual shall have a right to his privacy — confidentiality of communication made to, or, by him — including his personal correspondence, telephone conversations, telegraph messages, postal, electronic mail and other modes of communication; confidentiality of his private or his family life; protection of his honour and good name; protection from search, detention or exposure of lawful communication between and among individuals; privacy from surveillance; confidentiality of his banking and financial transactions, medical and legal information and protection of data relating to individual.

This is a wonderfully expansive definition of the right to privacy which spans diverse areas including privacy of communications, reputational privacy, bodily/physical privacy, confidentiality, privacy of records and data protection. I’m especially pleased that this section does not limit this right to privacy only to claims against the state (as in the Right to Information Act).

The Deccan Chronicle article contains a slightly different definition of 'right to privacy' under the Bill. Here the right to privacy includes "confidentiality of communication, family life, bank and health records, protection of honour and good name and protection from use of photographs, fingerprints, DNA samples and other samples taken at police stations and other places."

This wording is slightly more granular, but less broad. I’m wondering if it is a part of the same section, or a different one entirely.

Interception

What is most interesting is the attempt made in this Bill at harmonization of interception rules across all modes of "communication". (Currently there are different rules/procedures that followed depending on the mode of communication used – Indian Post Act, Telegraph Act, IT Act.)

Here are some of the sweeping changes sought to be introduced:

The bill prohibits interception of communications except in certain cases with approval of Secretary-level officer – not below the rank of home secretary at the Central level and home secretaries in state governments
Mandatory destruction of intercepted material by the service provider within two months of discontinuance of interception.
Constitution of a Central Communication Interception Review Committee (CCIRC) to examine and review all interception orders passed (under all Acts?).
CCIRC empowered to order destruction of material intercepted under the Telgraph Act.
"unauthorised interception" (by whom?) punishable with a maximum of five years’ imprisonment, or a fine of Rs 1 lakh, or both, for each such interception. This makes it a cognizable, non-bailable offense.
Disclosure of legally intercepted communication by “government officials, employees of service providers and other persons” will be punishable with imprisonment up to three years. (It is unclear whether this will be a cognizable offence or not)

Data Protection

The Bill adds muscle to the newly introduced Data Protection Rules under the IT Act, by creating an overarching statutory regime for Data Protection.

Thus, the bill forbids "any person having a place of business in India but has data using equipment located in India" from collecting or processing, using or disclosing "any data relating to individual to any person without consent of such individual". I assume that there will be exceptions to this section. The wording of this section seems to preclude its application to the government (unless you can interpret the ‘government’ to mean ‘a person having a place of business in India’. I have no views on the likelihood of that argument.

The bill evidently authorizes the establishment of an oversight body called “Data Protection Authority of India” that will investigate complaints about alleged violations of data protection. The following appear to be the functions of this body

to monitor development in data processing and computer technology;
to examine law and to evaluate its effect on data protection
to give recommendations and to receive representations from members of the public on any matter generally affecting data protection.
to investigate any data security breach and issue orders to safeguard the security interests of affected individuals whose personal data has or is likely to have been compromised by such breach.

Video Surveillance

The bill includes a very interesting prohibition on "closed circuit television or other electronic or by any other mode", except in certain cases as per the specified procedure.

No further details are provided about the exceptions or the procedure and one expects the devil to be in the details.

Bodily Privacy

The bill prohibits "surveillance by following a person".

This innocuously worded provision has the potential to effect sweeping changes in the criminal administration of this country (if it is even applicable to the state police machinery) . Currently, Police Acts in the various states contain no provisions that enable a person to challenge the surveillance imposed on them. This new section could provide a powerful new shield to the victims of police harassment.

Impersonation and Financial Fraud

In a section apparently dealing with identity theft, the Bill criminalises inter alia "posing as another person when apprehended for a crime" and "using another’s identity to obtain credit, goods and services".

I think the first (at least) is unnecessary since it is already covered by the crime of Impersonation under the IPC.

Residual

A curious provision appears to be a fine imposed on “any persons who obtain any record of information concerning an individual from any officer of the government or agency under false pretext”. Such a person shall be punishable with a fine of up to Rs. 5 lakh.(unclear whether there is a term of imprisonment in addition).

It will be interesting to see how this section conflicts with the Right to Information under which no 'pretext' need be given to the public authority.

I also think it is ill-conceived to penalise the person obtaining the record of information – the government body in custody of the information should be made more responsible in scrutinizing the 'pretext' before handing over such information.

Tailpiece

That’s all I can make out from the three articles referenced. Looks like it’s going to be a really interesting bill. I’m optimistic about it for the sincere attempt it appears to make to grapple with the protean nature of Privacy concerns we encounter. Veerappa Moily has claimed that this bill will be introduced in the monsoon session in July but has also cautioned that "it’s difficult to commit the timeframe". I think we should make haste slowly with this Bill and hope that the Law Ministry will have the wisdom to solicit public comment before introducing it in Parliament.

I’d greatly appreciate someone sending me a copy of the bill if you have access to it.

Read the article published on the Privacy India website here.

For more details visit https://cis-india.org/internet-governance/blog/privacy/new-right-to-privacy-bill

The new Internet watchdogs

praskrishna — 2012-06-17T08:18:15Z

The Government has taken a series of measures to control the Internet, but should it be doing so? This article by Ronendra Singh was published in the Hindu Business Line on June 12, 2012. Sunil Abraham is quoted in this.

In March 2011, the Indian Government banned several Web sites like Typepad, Mobango and Clickatell without warning. The ban had created a hue and cry amongst netizens, some even comparing Indian authorities to the Chinese iron wall.

But despite these protests, on December 5, 2011 the Government had several social media sites and internet companies, including Google, Facebook and Yahoo “prescreen user content from India and remove disparaging, inflammatory or defamatory content before it goes online”.

The next day, the Communication and Information Technology minister Kapil Sibal held a press conference to explain his action. “We have to take care of the sensibilities of our people,” Mr Sibal told reporters during the press conference on the lawn at his bungalow in New Delhi. “Cultural ethos is very important to us,” he said.

Since then top officials from the Indian units of Google, Microsoft, Yahoo and Facebook have had several meetings with Sibal. In one of the meetings, the Telecom Minister asked these companies to use humans to screen content, not technology.

Proposed rules

Amidst all this, the Government quietly moved a proposal in October 2011 that, if implemented, will have major ramifications on use of the Internet not just in India but across the world. India has moved a UN resolution seeking the creation of a 50-nation super body to regulate the Internet. India has argued for a radical shift from the present model of multi-stakeholder led decision-making, to a purely Government-run multilateral body.

In addition to this, the Communications Ministry headed by Sibal has notified new Information Technology (Intermediaries Guidelines) Rules, 2011 giving various guidelines to be observed by all internet related companies. The rules give sweeping powers to the Government to blank out “messages or communication of any information which is grossly offensive or menacing in nature.” The new rules do not, however, define what is offensive or menacing. Bloggers and netizens are worried that this may be used by the Government to pull down websites and articles critical of the Government. The fact that all this has come about around the time when the Anna Hazare campaigners have used the Internet to drum up support only raises more doubts over the Government's real intention.

Worrying moves

According to Sunil Abraham, Executive Director at the internet advocacy firm Centre for Internet and Society (CIS), all Governments across the world have reserved to themselves the right to block or take-down Internet services completely or specific content on specific services such as a page on a website.

But at the moment, the Indian Government is not following the letter of the law and bypassing judicial safeguards in its crackdown on political speech.

“This aggressive enforcement is also having a chilling effect on access to knowledge and freedom of expression,” Abraham told The Hindu Business Line.

Therefore the Government's sudden move to push the UN resolution without consulting stakeholders has taken many by surprise. There was some limited consultation but it definitely did not meet the current standards of multi-stakeholders being developed at the Internet Governance Forum (IGF), Internet Corporation for Assigned Names and Numbers (ICANN) and existing institutions focused on Internet governance.

Member of Parliament Rajeev Chandrasekhar has also written a letter to the Prime Minister recently saying India's refusal to withdraw its UN statement was disappointing. The worry is that countries with dubious records on human rights and democracy have publicly aligned their positions to that of India.

“Contrary to India's statement in the UN (October 2011) and at World Summit on the Information Society (May 2012), India's proposal for Inter-Governmental oversight of Internet is against the letter and spirit of the Tunis Agenda, 2005,” Chandrasekhar wrote in the letter.

The Tunis Agenda in 2005 – far from supporting a 50-member, Inter-Governmental body manned by bureaucrats/ politicians, neither envisages a separate entity nor a superior role for Governments in the governance of the Internet.

“In sharp contrast to the ‘mandate enshrined' in the Tunis Agenda, if India's proposal is accepted, civil society, academia, engineers, private sector and international organisations by design will be regulated to the fingers of an advisory role,” the Member of Parliament said.

Government officials are tight-lipped and did not reply to questions sent by The Hindu Business Line via email.

Read the original here

For more details visit https://cis-india.org/news/the-new-internet-watchdogs

The New Aadhaar Bill in Plain English

Amber Sinha, Vanya Rakesh and Vipul Kharbanda — 2016-03-11T04:41:38Z

We have put together a plain English version of the The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016

Chapter I. PRELIMINARY

Section 1

This Act is called Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
It will be applicable in whole of India (except the state of Jammu and Kashmir).
It will become applicable on a date to be notified by the Central Government.

Section 2

“Aadhaar number” is the identification number issued to an individual under the Act;
“Aadhaar number holder” is the person who has been given an Aadhaar number;
“authentication” is the process of verifying the Aadhaar number, demographic information and biometric information of any person by the Central Identities Data Repository (CIDR);
“authentication record” is the record of the authentication which will contain the identity of the requesting entity and the response of the CIDR;
“Authority” or “UIDAI” refers to the Unique Identification Authority of India established under this Act;
“benefit” means any relief or payment which may be notified by the Central Government;
“biometric information” means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations;
“Central Identities Data Repository” or “CIDR” means a centralised database containing all Aadhaar numbers, demographic information and biometric information and other related information;
“Chairperson” means the Chairperson of the UIDAI;
“core biometric information” means fingerprint, Iris scan, or any biological attributes specified by regulations;
“demographic information” includes information relating to the name, date of birth, address and other relevant information as specified by regulations. This information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history;
“enrolling agency” means an agency appointed by the UIDAI or a Registrar for collecting demographic and biometric information of individuals for issuing Aadhaar numbers;
“enrolment” means the process of collecting demographic and biometric information from individuals for the purpose of issuing Aadhaar numbers;
“identity information” in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information;
“Member” includes the Chairperson and Member of the Authority appointed under section 12;
“notification” means a notification published in the Official Gazette and the expression “notified” with its cognate meanings and grammatical variations will be construed accordingly;
“prescribed” means prescribed by rules made by the Central Government under this Act;
“records of entitlement” means the records of benefits, subsidies or services provided to any individual under any government programme;
“Registrar” means any person authorized by the UIDAI to enroll individuals under the Act;
“regulations” means the regulations made by the UIDAI under this Act;
“requesting entity” means an agency that submits the Aadhaar number and other information of an individual to the CIDR for authentication;
“resident” means a person who has resided in India for atleast 182 days in the last twelve months before the date of application for enrolment;
“service” means any facility or assistance provided by the Central Government in any form;
“subsidy” means any form of aid, support, grant, etc. in cash or kind as notified by the Central Government.

Chapter II. ENROLMENT

Section 3

Every resident is entitled to get an Aadhaar number.
At the time of enrollment, the enrolling agency will inform the individual of the following details—

how their information will be used;
what type of entities the information will be shared with; and
that they have a right to see their information and also tell them how they can see their information.

After collecting and verifying the information given by the individuals, the UIDAI will issue an Aadhaar number to each individual.

Section 4

Once an Aadhaar number has been issued to a person, it will not be re-assigned to any other person.
An Aadhaar number will be a random number and will not contain any attributes or identity of the Aadhaar number holder.
if adopted by a service provider, an Aadhaar number may be accepted as proof of identity of the person.

Section 5

The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals.

Section 6

The UIDAI may require Aadhaar number holders to update their Aadhaar information, so that it remains accurate.

Chapter III. AUTHENTICATION

Section 7

As a condition for receiving subsidy for which the expenditure is incurred from the Consolidated Fund of India, the Government may require that a person should be authenticated or give proof of the Aadhaar number to establish his/her identity. In the case a person does not have an Aadhaar number, he/she should make an application for enrolment. If an Aadhaar number is not assigned, the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service.

Section 8

The UIDAI will authenticate the Aadhaar information of people as per the conditions prescribed by the government and may also charge a fees for doing so.
Any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR;
The entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity.
The UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder but not share any biometric information.

Section 9

The Aadhaar number or its authentication will not be a proof of citizenship or domicile.

Section 10

The UIDAI may engage any number of entities to establish and maintain the CIDR and to perform any other functions specified by the regulations.

Chapter IV. UNIQUE IDENTIFICATION AUTHORITY OF INDIA

Section 11

The UIDAI will be established by the Central Government to be responsible for the processes of enrolment and authentication of Aadhaar numbers.
The UIDAI will be a body corporate with the power to buy and sell property, to enter into contracts and to sue or be sued.
The head office of the UIDAI will be in New Delhi.
The UIDAI may establish its offices at other places in India.

Section 12

The UIDAI will have a Chairperson, two part-time Members and a chief executive officer, who to be appointed by the Central Government.

Section 13

The Chairperson and Members will be competent people with at least 10 years experience and knowledge in technology, governance, law, development, economics, finance, management, public affairs or administration.

Section 14

The Chairperson and the Members will be appointed for 3 years and can be re-appointed after their term. But no Member or Chairperson will be more than 65 years of age.
The Chairperson and Members will take an oath of office and of secrecy.
The Chairperson or Member may— (a) resign from office, by giving an advance written notice of at least 30 days; or (b) be removed from his office because she/he gets disqualified on any of the grounds mentioned in section 15.
The salaries and allowances of the Members and Chairperson will be prescribed under the government.

Section 15

The Central Government may remove a Chairperson or Member, who—
(a) has gone bankrupt;
(b) is physically or mentally unable to do his/her job;
(c) has been convicted of an offence involving moral turpitude;
(d) has a financial conflict of interest in performing his/her functions; or
(e) has abused his/her position so that the government needs to remove him/her in public interest.
The Chairperson or a Member will be given a chance to present his/her side of the story before being removed, unless he/she is being removed on the grounds of bankruptcy or criminal conviction.

Section 16

An Ex-Chairperson or Ex-Member will have to take the approval of the Central Government,—

to accept any job in any entity (other than a government organization) which was associated with any work done for the UIDAI while that person was a Chairperson or Member, for a period of three years after ceasing to hold office;
to act or advise any entity on any particular transaction for which that person had provided advice to the UIDAI while he/she was the Chairperson or a Member;
to give advice to any person using information which was obtained as the Chairperson or a Member which is not available to the public in general; or
to accept any offer of employment or appointment as a director of any company with which he/she had direct and significant official dealings during his/her term of office, for a period of three years.

Section 17

The Chairperson will preside over the meetings of the UIDAI and have the powers and perform the functions of the UIDAI.

Section 18

The chief executive officer (CEO) of the UIDAI will not be below the rank of Additional Secretary to the Government of India.
The chief executive officer will be responsible for— (a) the day-to-day administration of the UIDAI; (b) implementing the programmes and decisions of the UIDAI; (c) making proposals for the UIDAI; (d) preparation of the accounts and budget of the UIDAI; and (e) performing any other functions prescribed in the regulations.
The CEO will annually submit the following things to the UIDAI for its approval — (a) a general report covering all the activities of the Authority in the previous year; (b) programmes of work; (c) the annual accounts for the previous year; and (d) the budget for the coming year.
The CEO will have administrative control over the officers and other employees of the Authority.

Section 19

The time and place of the meetings of the UIDAI and the rules and procedures of those meetings will be prescribed by regulations.
The meetings will be presided by the Chairperson, and if they are absent, then the senior most Member of the UIDAI.
All decisions at the meetings of the UIDAI will be taken by a majority vote. In case of a tie, the person presiding the meeting will have the casting vote.
All decisions of the UIDAI will be signed by the Chairperson or any other Member or the Member-Secretary authorised by the UIDAI in this behalf.
If any Member, who is a director of a company and because of this has any financial interest in matters coming up for consideration at a meeting, that member should disclose the financial interest and not take any further part in the discussions and decision on that matter.

Section 20

No actions or proceeding of the UIDAI will become invalid merely because of—

any vacancy in, or any defect in the constitution of, the UIDAI;
any defect in the appointment of a person as Chairperson or Member of the Authority; or
any irregularity in the procedure of the Authority not affecting the merits of the case.

Section 21

The UIDAI, with the approval of the Government, can decide on the number and types of officers and employees that it would require.
The salaries and allowances of the employees, officer and chief executive officer will be prescribed under the government.

Section 22.

Once the UIDAI is establishment—

all the assets and liabilities of the existing Unique Identification Authority of India, established by the Government of India through notification dated the 28th January, 2009, will stand transferred to the new UIDAI.
all data and information collected during enrolment, all details of authentication performed, by the existing Unique Identification Authority of India will be deemed to have been done by the UIDAI. All debts, liabilities incurred and all contracts entered into by the Unique Identification Authority of India will be deemed to have been entered into by the UIDAI;
all money due to the existing Unique Identification Authority of India will be deemed to be due to the UIDAI; and
all suits and other legal proceedings instituted by or against such Unique Identification Authority of India may be continued by or against the UIDAI.

Section 23

The UIDAI will develop the policy, procedure and systems for issuing Aadhaar numbers to individuals and perform their authentication. The powers and functions of the UIDAI include—

specifying the demographic information and biometric information required for enrolment and the processes for collection and verification of that information;
collecting demographic information and biometric information from people seeking Aadhaar numbers;
appointing of one or more entities to operate the CIDR;
generating and assigning Aadhaar numbers to individuals;
performing authentication of Aadhaar numbers;
maintaining and updating the information of individuals in the CIDR;
omitting and deactivating an Aadhaar number;
specifying the manner of use of Aadhaar numbers for the purposes of providing or availing of various subsidies and other purposes for which Aadhaar numbers may be used;
specifying the terms and conditions for appointment of Registrars, enrolling agencies and service providers and revocation of their appointments;
establishing, operating and maintaining of the CIDR;
sharing the information of Aadhaar number holders;
calling for information and records, conducting inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under this Act;
specifying processes relating to data management, security protocols and other technology safeguards under this Act;
specifying the conditions/procedures for issuance of new Aadhaar number to existing Aadhaar number holder;
levying and collecting the fees or authorising the Registrars, enrolling agencies or other service providers to collect fees for the services provided by them under this Act;
appointing committees necessary to assist the Authority in discharge of its functions;
promoting research and development for advancement in biometrics and related areas;
making and specifying policies and practices for Registrars, enrolling agencies and other service providers;
setting up facilitation centres and grievance redressal mechanisms;
other powers and functions as prescribed.

The Authority may,— (a) enter into agreements with various state governments and Union Territories for collecting, storing, securing or processing of information or delivery of Aadhaar numbers to individuals or performing authentication; (b) appoint Registrars, engage and authorize agencies to collect, store, secure, process information or do authentication or perform other functions under this Act. The Authority may engage consultants, advisors and other persons required for efficient discharge of its functions.

Chapter V. GRANTS, ACCOUNTS AND AUDIT AND ANNUAL REPORT

Section 24

The Central Government may grant money to the UIDAI as it may decide, upon due appropriation by Parliament.

Section 25

Fees/revenue collected by the UIDAI will be credited to the Consolidated Fund of India

Section 26

The UIDAI will prepare an annual statement of accounts in the format prescribed by Central Government
The Comptroller and Auditor-General will audit the account of the UIDAI annually at intervals decided by him, at the UIDAI’s expense.
The Comptroller and Auditor-General or his appointees will have the same powers of audit they usually have to audit Government accounts.
The UIDAI will forward the statement of accounts certified by the Comptroller and Auditor-General and the audit report, to the Central Government who will lay it before both houses of Parliament.

Section 27

The UIDAI will provide returns, statements and particulars as sought, to the Central Government, as and when required.
The UIDAI will prepare an annual report containing the description of work for previous years, annual accounts of previous year, and the programmes of work for coming year.
The copy of the annual report will be laid before both houses of Parliament by the Central Government.

Chapter VI. PROTECTION OF INFORMATION

Section 28

The UIDAI will ensure the security and confidentiality of identity information and authentication records.
The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage.
The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons.
Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone.
An Aadhaar number holders may request UIDAI to provide access his information (excluding the core biometric information) as per the regulations specified.

Section 29

The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication.
Identity information, other than core biometric information, may be shared only as per this Act and regulations specified under it.
Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent.
Aadhaar numbers or core biometric information will not be made public except as specified by regulations.

Section 30

All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act.

Section 31

If the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR, as necessary.
The identity information in the CIDR will not be altered, except as provided in this Act.

Section 32

The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations.
Every Aadhaar number holder may obtain his authentication record as specified by regulations.
The UIDAI will not collect, keep or maintain any information about the purpose of authentication.

Section 33

The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing.
The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose.
An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above.
Any directions under 33 B above are valid for 3 months, after which they may be extended following a review by the Oversight Committee.

Chapter VII. OFFENCES AND PENALTIES

Section 34

Impersonating or attempting to impersonate another person by providing false demographic or biometric information will punishable by imprisonment of up to three years, and/or fine of up to ten thousand rupees.

Section 35

Changing or attempting to change any demographic or biometric information of an Aadhaar number holder by impersonating another person (or attempting to do so), with the intent of i) causing harm or mischief to an Aadhaar number holder, or ii) appropriating the identity of an Aadhaar number holder, is punishable with imprisonment up to three years and fine up to ten thousand rupees.

Section 36

Collection of identity information by one not authorised by this Act, by way of pretending otherwise, is punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 37

Intentional disclosure or dissemination of identity information, to any person not authorised under this Act, or in violation of any agreement entered into under this Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 38

The following intentional acts, when not authorised by the UIDAI, will be punishable with imprisonment up to three years and a fine not less than ten lakh rupees:

accessing or securing access to the CIDR;
downloading, copying or extracting any data from the CIDR;
introducing or causing any virus or other contaminant into the CIDR;
damaging or causing damage to the data in the CIDR;
disrupting or causing disruption to access to CIDR;
causing denial of access to an authorised to the CIDR;
revealing information in breach of (D) in Section 28, or Section 29;
destruction, deletion or alteration of any files in the CIDR;
stealing, destruction, concealment or alteration of any source code used by the UIDAI.

Section 39

Tampering of data in the CIDR or removable storage medium, with the intention to modify or discover information relating to Aadhaar number holder will be punishable with imprisonment up to three years and a fine up to ten thousand rupees.

Section 40

Use of identity information in violation of Section 8 (3) by a requesting entity will be punishable with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 41

Violation of Section 8 (3) or Section 3 (2) by a requesting entity or enrolling agency will be punishable with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 42

Any offence against this Act or regulations made under it, for which no specific penalty is provided, will be punishable with be punishable with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 43

In case of an offence under Act committed by a Company, all person in charge of and responsible for the conduct of the company will also be held to be guilty and liable for punishment unless they can prove lack of knowledge of the offense or that they had exercised all due diligence to prevent it.
In case an offence is committed by a Company with the consent, connivance or neglect of a director, manager, secretary or other officer of a company, they will also be held guilty of the offence.

Section 44

This Act will also apply to offences committed outside of India by any person, irrespective of their nationality, if the offence involves any data in the CIDR.

Section 45

Offences under this Act will not be investigated by police officers below the rank of Inspector of Police.

Section 46

Penalties imposed under this Act will not prevent imposition of any other penalties or punishment under any other law in force.

Section 47

Courts will take cognizance of offences under this Act only upon complaint being made by the UIDAI or any officer authorised by it.
No court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate will try any offence under this Act.

Chapter VIII. MISCELLANEOUS

Section 48

Central Government has the power to supersede the UIDAI, through a notification, not for longer than six months, in the following circumstances: i) In case of circumstances beyond the control of the UIDAI, ii) The UIDAI has defaulted in complying with directions of the Central Government, affecting financial position of the UIDAI, iii) Public emergency
Upon publication of notification, Chairperson and Members of the UIDAI must vacate the office
Powers, functions and duties will be performed by person(s) authorised by the President.
Properties controlled and owned by UIDAI will vest in the Central Government.
Central Government will reconstitute the UIDAI upon expiration of supersession, with fresh appointment of Chairperson and Members.

Section 49

Chairperson, members, employees etc. are deemed to be public servants within the meaning of section 21 of the Indian Penal Code.

Section 50

Central Government has the power to issue directions to the UIDAI on questions of policy (to be decided by the Government), except technical and administrative matters and the UIDAI will be bound by it.
The UIDAI will be given an opportunity to express views before direction is given.

Section 51

The UIDAI may delegate its powers and functions to a Member or officer of the UIDAI.

Section 52

No suit, prosecution or other legal proceedings will lie against the Central Government, UIDAI, Chairperson, any Member, officer, or other employees of the UIDAI for an act done in good faith.

Section 53

The Central Government has the power to makes Rules for matters prescribed under this provision.

Section 54

UIDAI has the power to make regulations for matters prescribed under this provision.

Section 55

Rules and regulations under this Act will be laid before each House of Parliament for a total period of thirty days, both Houses must agree in making modification, and then the Rules will come into effect.

Section 56

Provisions of this Act are in addition to, and not in derogation of any other law currently in effect.

Section 57

This Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.

Section 58

The Central Government may pass an order to remove a difficulty in giving effect to the provisions of this Act, not beyond three years from the commencement of this Act.

Section 59

Action take by Central Government under the Resolution of the Government of India for setting up the UIDAI or by the Department of Electronics and Information Technology under the notification including the UIDAI under the Ministry of Communications and Information Technology will be deemed to have been validly done or taken.

STATEMENT OF OBJECTS AND REASONS

Correct identification of targeted beneficiaries for delivery of subsidies, services, frants, benefits, etc has become a challenge for the Government
This has proved to be a major hindrance for successful implementation of these programmes.
In the absence of a credible system to authenticate identity of beneficiaries, it is difficult to ensure that the subsidies, benefits and services reach to intended beneficiaries.
The UIDAI was established to lay down policies and implement the Unique Identification Scheme of the Government, by which residents of India were to be provided unique identity number.
Upon successful authentication, this number would serve as proof of identity for identification of beneficiaries for transfer of benefits, subsidies, services and other purposes.
With increased use of the Aadhaar number, steps to ensure security of such information need to be taken and offences pertaining to certain unlawful actions, created.
It has been felt that the processes of enrolment, authentication, security, confidentiality and use of Aadhaar related information must be made statutory.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 seeks to provide for issuance of Aadhaar numbers to individuals on providing his demographic and biometric information to the UIDAI, requiring Aadhaar numbers for identifying an individual for delivery of benefits, subsidies, and services, authentication of the Aadhaar number, establishment of the UIDAI, maintenance and updating the information of individuals in the CIDR, state measures pertaining to security, privacy and confidentiality of information in possession or control of the UIDAI including information stored in the Central Identities Data Repository and identify offences and penalties for contravention of relevant statutory provisions.

For more details visit https://cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english

The net is taking over

praskrishna — 2014-02-04T05:57:16Z

For many days to come, people will speculate what caused Sunanda Pushkar's death last week in a New Delhi hotel. Did Union minister Shashi Tharoor's wife die of poisoning or a drug overdose? Wasn't she unwell? Was it suicide? Or was it murder? No less a matter of speculation has been the social media's role in the whole affair.

The article by Veenu Sandhu and Surabhi Agarwal published in the Business Standard on January 24, 2014 quotes Sunil Abraham.

Writer Suketu Mehta has called it "murder by Twitter". Pushkar's very public spat with Mehr Tarar, a Pakistani journalist, on the micro-blogging site, many psychologists feel, may have multiplied her anguish. Apart from other things, Tarar had tweeted: "The blonde's aqal is weaker thn (sic) her grammar & spellings." Still others believe Pushkar had the premonition that end was near, and it was there for all to see on social media. "Hasta hua jayega," (will go laughing), she had tweeted a few days before her death.

Social media is no longer time-pass in the country, certainly not with over 90 million users. The line that divides online and offline lives has blurred. Networking sites have begun to impact human behaviour. Lives are being lived in the open: open to comment, analysis and abuse. Mahesh Murthy, the founder of digital brand management firm Pinstorm, calls it the "demise of the culture of secrecy". This is the age, he says, "of diversity, of coming out in the open with sexual preferences et cetera. Social media will help slaughter sacred cows. It is a good thing to happen, except for the sacred cows." According to Murthy, the pitfalls of uncensored speech are for those "who think they can control their lives or are insecure".

But pitfalls are showing up. Some time ago, a high-profile couple from Delhi approached marriage and family counsellor Nisha Khanna. Their problem was aggravated by the wife's obsession with Facebook, to the extent that she would put out everything, including the ups and downs of her relationship with her husband, as status messages for the consumption of her social media friends and acquaintances. The husband was livid - he felt exposed. It took six months of rigorous counselling before the wife started controlling, though marginally, her social media behaviour. "We are seeing obsession, irrationality and an inability to spot the very thick line that divides the private from the public," says Varkha Chulani, clinical psychologist, psychotherapist and consultant with Lilavati Hospital in Mumbai. People, she adds, are looking for Facebook 'like' buttons even in real life.

Feelings of extreme happiness, depression, loneliness and even suicidal thoughts are being shared not with family and friends but with Facebook 'connections' and Twitter 'followers'. Tweets or status updates that point to suicidal tendencies, in particular, can be telling. Some of these key expressions are "depressed", "feeling abused", "it's over" or "empty inside". A study - Tracking Suicide Risk Factors through Twitter - conducted in the US last year found a strong correlation between the number of tweets that indicated suicidal intentions and the number of suicides committed.

Having realised that the platform is also being used as a medium to vent and express personal trauma, Facebook has, for about a year, been sending reports on profiles of people with suicide risk to Mumbai-based suicide helpline Aasra. "In the last one year, we have received 350 such email intimations concerning Indians," says Aasra Director Johnson Thomas. Aasra then mails that person to subtly and sensitively convey that there is help at hand, in case it is needed. Facebook and Twitter did not offer any comment for this article.

Decoding Social Media Slang

I am an aggregator who has left a cookie crumb trail (while writing this) for a machine algorithm to follow. So, can it point out to my boss the scoops and their origin? In all probability, yes. For an all-devouring algorithm, no crumb, no target, is too small. Algorithms (at their core, a step-by-step method for doing a job) can sound scary, but social media analysts depend on these little-understood, obscure mathematical creatures.

So, information posted publicly on blogs, Facebook, Twitter, and other sites are fair game for these data predators. Suppose you click ‘like’ on Facebook, you’re giving away a lot more than you might think. Your ‘likes’ can be pieced together to form an eerily true portrait of yourself. A study of 58,000 volunteers by Michal Kosinski and David Stillwell (University of Cambridge) and Thore Graepel (Microsoft Research, Cambridge) charts the chances of an accurate prediction: 67 per cent for single versus in a relationship, 73 per cent for cigarette smoking, 70 per cent for alcohol drinking, 65 per cent for drug use, 88 per cent for male homosexuality, 75 per cent for female homosexuality, and 93 per cent for gender.

Another point is not all data out there are cold facts. Far from that, most are sentiments and slang: sweet, bitter and often intimate. “Wazup homie!! howz it going!!” is a profound example. “‘Yo, homie, I'll be at my house in case you want to come kick it later” is another. How is a number cruncher such as an algorithm expected to crunch slang and emotions? But experts insist there’s a bull market in sentiments and foul language. And an emerging field known as sentiment analysis is taking shape. The simplest algorithms here work by scanning keywords to categorise a statement as positive or negative, based on a simple binary analysis (‘love’ is good, ‘hate’ is bad). But a more reliable analysis requires decoding many linguistic shades of gray. For example, to get at the true intent of a statement like ‘dude, i'm like......duuuude,’ the software will have to activate several different filters, including polarity (is the statement positive or negative?), intensity (what is the degree of emotion being expressed?) and subjectivity (how partial or impartial is the source?)

“People first thought that emotions expressed on social media were just cute and stupid,” says Sreeju Thankan who has done computer science and engineering from the Indian Institute of Technology Roorkee and is now working at Mango Solutions. “Now, they are recognising it as a rich vein.” But translating slang into binary code can be much tougher. “Sentiments are different from conventional facts,” says Thankan. “There is a long way for slang patrol to go.” For casual web surfers, a simpler sentiment-analysis tool, Tweetfeel, is available. It tells you the numbers of positive and negative tweets on a given topic. It also gives you their percentages. Its analysis is based not just on emoticons, but also words and phrases.

Ashish Sharma

Last October in Mumbai, a 17-year-old college student, Aishwarya Dahiwal, killed herself after her parents barred her from using Facebook. "Is Facebook so bad? I cannot stay in a home with such restrictions as I can't live without Facebook," her suicide note reportedly read. The parents were in utter shock. "Girls are more prone to putting personal and emotional messages on social networking sites," says Manju Chhabra, child counsellor who runs an organisation called Cactus Lily in Delhi. And they tend to get more affected by what people say and how they react. "And comments on this very impersonal medium which we are giving a very personal space can be very cruel."

Seema Hingorrany, a Mumbai-based psychologist, says one of her recent patients is a girl studying in Class 9. Her friend from school had uploaded a photo of herself, which got 200 'likes'. That upset the patient terribly because it reinforced her belief that she was unattractive and she became extremely upset, to the extent that her parents felt she needed counselling. Constant use of Facebook can affect one's self-esteem, if it's already low. Another of Hingorrany's patient was a 30-year-old who took to social media after he lost his job. But seeing other people's photos and updates made him increasingly jealous, and he began posting nasty comments. The recipients of his ire began "unfriending" him, which only made him more withdrawn.

Irrational behaviour can also be seen in the world of random video chat. Sites like Omegle and Chatroulette aim to bring together surfers together with the help of webcams. The promise is irresistible: an endless stream of visitors in your room. When Ashish Sharma (the author of the accompanying article) logged on, he met a gaggle of girls who giggled endlessly, a German painter who was looking for his muse and wanted him to pose in a state of undress, a Swede who danced around and asked him to sing in praise of his bottom, and a man with an iron mask. It was crude and shocking. The excessively sexual behaviour can be unsettling for an unsuspecting (and young) visitor.

There is another side to it. "Twitter posts," says an article posted on rediff.com, "have saved lives. A man lost on a ski slope in Switzerland got help when he tweeted his predicament. Another got bail from arrest as his friends discovered from a tweet that he was jailed in a foreign country." Human resource managers check out the profiles of job applicants on social media. "People might mask many judgmental things in an interview; there is a possibility that they might express it on social media," says Debdas Sen, leader of technology consulting, PricewaterhouseCoopers. "Inclusion and diversity are important for us." But job seekers have become wise to it. That's why many airbrush their social media profiles. All politically incorrect posts are removed. Friends are treated lavishly offline so that they write nice posts on Facebook pages. Some even hire professional photographers for as much as Rs 20,000 to paste good profile pictures.

But those who hire have started to see through it. Says Murthy of Pinstrip, "One can easily figure out the truthfulness of your statements by seeing what your friends are saying." One human resource manager says he pays more attention to what people post after 10 pm because "it tends to be more truthful". A senior functionary of a Gurgaon-headquartered firm says that he had hired somebody after he had found nothing suspicious on his LinkedIn profile; it was only later he found out that this person had been involved in some financial misdemeanour in his earlier job. "His LinkedIn profile had no clues, he was not on Facebook. That should have struck me," he says. Of course, the person was asked to leave.

Sunil Abraham, the executive director of Bangalore-based Centre for Internet and Society, says social media has made people forget the distinction between private, semi-private and public statements. "Speech used to be ephemeral, but Internet has given it the power it never had," he says. "Internet never forgets." The fact that traces of a communication may remain in cyberspace even after they have been deleted has prompted a legislation called the Right to Erasure by the European Union. Under the law, earlier called Right to be Forgotten, an individual can request all his data to be erased, including by third parties. India is also mulling a similar legislation under its Privacy Bill.

Those at the bottom of the social pyramid, who have little to lose, express themselves most freely on social media, while those with reputations to protect are cautious. The consequences can be serious, as the Mumbai girl who questioned the city's shutdown after Bal Thackeray's death in November 2012 on Facebook and her friend who "liked" realised: both were called in by the police. It's not surprising why even standup comedians, who can't resist taking potshots at one and all, turn extremely careful before they tweet.

So, is social media good or bad? "Social media can help," Amartya Sen said at the recent Jaipur Literature Festival, "But you must read more books".

For more details visit https://cis-india.org/news/business-standard-january-24-2014-veenu-sandhu-surabhi-agarwal-the-net-is-taking-over

The National Privacy Roundtable Meetings

bhairav — 2014-03-21T10:03:44Z

The Centre for Internet & Society ("CIS"), the Federation of Indian Chambers of Commerce and Industry ("FICCI"), the Data Security Council of India ("DSCI") and Privacy International are, in partnership, conducting a series of national privacy roundtable meetings across India from April to October 2013. The roundtable meetings are designed to discuss possible frameworks to privacy in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Background: The Roundtable Meetings and Organisers

CIS is a Bangalore-based non-profit think-tank and research organisation with interests in, amongst other fields, the law, policy and practice of free speech and privacy in India. FICCI is a non-governmental, non-profit association of approximately 250,000 Indian bodies corporate. It is the oldest and largest organisation of businesses in India and represents a national corporate consensus on policy issues. DSCI is an initiative of the National Association of Software and Service Companies, a non-profit trade association of Indian information technology ("IT") and business process outsourcing ("BPO") concerns, which promotes data protection in India. Privacy International is a London-based non-profit organisation that defends and promotes the right to privacy across the world.

Privacy in the Common Law and in India

Because privacy is a multi-faceted concept, it has rarely been singly regulated. A taxonomy of privacy yields many types of individual and social activity to be differently regulated based on the degree of harm that may be caused by intrusions into these activities.[1]

The nature of the activity is significant; activities that are implicated by the state are attended by public law concerns and those conducted by private persons inter se demand market-based regulation. Hence, because the principles underlying warranted police surveillance differ from those prompting consensual collections of personal data for commercial purposes, legal governance of these different fields must proceed differently. For this and other reasons, the legal conception of privacy — as opposed to its cultural construction – has historically been diverse and disparate.

Traditionally, specific legislations have dealt separately with individual aspects of privacy in tort law, constitutional law, criminal procedure and commercial data protection, amongst other fields. The common law does not admit an enforceable right to privacy.[2] In the absence of a specific tort of privacy, various equitable remedies, administrative laws and lesser torts have been relied upon to protect the privacy of claimants.[3]

The question of whether privacy is a constitutional right has been the subject of limited judicial debate in India. The early cases of Kharak Singh (1964)[4] and Gobind (1975)[5] considered privacy in terms of physical surveillance by the police in and around the homes of suspects and, in the latter case, the Supreme Court of India found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This inference held the field until 1994 when, in the Rajagopal case (1994),[6] the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty guaranteed by Article 21 of the Constitution of India. However, Rajagopal dealt specifically with a book, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the PUCL case (1996)[7] and, while finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards.[8] A more robust statement of the right to privacy was made recently by the Delhi High Court in the Naz Foundation case (2011)[9] that de-criminalised consensual homosexual acts; however, this judgment is now in appeal.

Attempts to Create a Statutory Regime

The silence of the common law leaves the field of privacy in India open to occupation by statute. With the recent and rapid growth of the Indian IT and BPO industry, concerns regarding the protection of personal data to secure privacy have arisen. In May 2010, the European Union ("EU") commissioned an assessment of the adequacy of Indian data protection laws to evaluate the continued flow of personal data of European data subjects into India for processing. That assessment made adverse findings on the adequacy and preparedness of Indian data protection laws to safeguard personal data.[10]

Conducted amidst negotiations for a free trade agreement between India and the EU, the failed assessment potentially impeded the growth of India’s outsourcing industry that is heavily reliant on European and North American business.

Consequently, the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology, Government of India, issued subordinate legislation under the rule-making power of the Information Technology Act, 2000 ("IT Act"), to give effect to section 43A of that statute. These rules – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Personal Data Rules")[11] — were subsequently reviewed by the Committee on Subordinate Legislation of the 15^th Lok Sabha.[12] The Committee found that the Personal Data Rules contained clauses that were ambiguous, invasive of privacy and potentially illegal.[13]

In 2011, a draft privacy legislation called the ‘Right to Privacy Bill, 2011’, which was drafted within the Department of Personnel and Training ("DoPT") of the Ministry of Personnel, Public Grievances and Pensions, Government of India, was made available on the internet along with several file notings ("First DoPT Bill"). The First DoPT Bill contained provisions for the regulation of personal data, interception of communications, visual surveillance and direct marketing. The First DoPT Bill was referred to a Committee of Secretaries chaired by the Cabinet Secretary which, on 27 May 2011, recommended several changes including re-drafts of the chapters relating to interception of communications and surveillance.

Aware of the need for personal data protection laws to enable economic growth, the Planning Commission constituted a Group of Experts under the chairmanship of Justice Ajit P. Shah, a retired Chief Justice of the Delhi High Court who delivered the judgment in the Naz Foundation case, to study foreign privacy laws, analyse existing Indian legal provisions and make specific proposals for incorporation into future Indian law. The Justice Shah Group of Experts submitted its Report to the Planning Commission on 16 October 2012 wherein it proposed the adoption of nine National Privacy Principles.[14] These are the principles of notice, choice and consent, collection limitation, purpose limitation, disclosure of information, security, openness, and accountability. The Report recommended the application of these principles in laws relating to interception of communications, video and audio recordings, use of personal identifiers, bodily and genetic material, and personal data.

Criminal Procedure and Special Laws Relating to Privacy

While the Kharak Singh and Gobind cases first brought the questions of permissibility and limits of police surveillance to the Supreme Court, the power to collect information and personal data of a person is firmly embedded in Indian criminal law and procedure. Surveillance is an essential condition of the nation-state; the inherent logic of its foundation requires the nation-state to perpetuate itself by interdicting threats to its peaceful existence. Surveillance is a method by which the nation-state’s agencies interdict those threats. The challenge for democratic countries such as India is to find the optimal balance between police powers of surveillance and the essential freedoms of its citizens, including the right to privacy.

The regime governing the interception of communications is contained in section 5(2) of the Indian Telegraph Act, 1885 ("Telegraph Act") read with rule 419A of the Indian Telegraph Rules, 1951 ("Telegraph Rules"). The Telegraph Rules were amended in 2007[15] to give effect to, amongst other things, the procedural safeguards laid down by the Supreme Court in the PUCL case. However, India’s federal scheme permits States to also legislate in this regard. Hence, in addition to the general law on interceptions contained in the Telegraph Act and Telegraph Rules, some States have also empowered their police forces with interception functions in certain cases.[16] Ironically, even though some of these State laws invoke heightened public order concerns to justify their invasions of privacy, they establish procedural safeguards based on the principle of probable cause that surpasses the Telegraph Rules.

In addition, further subordinate legislation issued to fulfil the provisions of sections 69(2) and 69B(3) of the IT Act permit the interception and monitoring of electronic communications — including emails — to collect traffic data and to intercept, monitor, and decrypt electronic communications.[17]

The proposed Privacy (Protection) Bill, 2013 and Roundtable Meetings

In this background, the proposed Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.

Previous roundtable meetings to seek comments and opinion on the proposed Privacy (Protection) Bill, 2013 took place at:

New Delhi: April 13, 2013 (http://bit.ly/17REl0W) with 45 participants;
Bangalore: April 20, 2013 (http://bit.ly/162t8rU) with 45 participants;
Chennai: May 18, 2013 (http://bit.ly/12ICGYD) with 25 participants.
Mumbai, June 15, 2013 (http://bit.ly/12fJSvZ) with 20 participants;
Kolkata: July 13, 2013 (http://bit.ly/11dgINZ) with 25 participants; and
New Delhi: August 24, 2013 (http://bit.ly/195cWIf) with 40 participants.

The roundtable meetings were multi-stakeholder events with participation from industry representatives, lawyers, journalists, civil society organizations and Government representatives. On an average, 75 per cent of the participants represented industry concerns, 15 per cent represented civil society and 10 per cent represented regulatory authorities. The model followed at the roundtable meetings allowed for equal participation from all participants.

[1]. See generally, Dan Solove, “A Taxonomy of Privacy” University of Pennsylvania Law Review (Vol. 154, No. 3, January 2006).

[2]. Wainwright v. Home Office [2003] UKHL 53.

[3]. See A v. B plc [2003] QB 195; Wainwright v. Home Office [2001] EWCA Civ 2081; R (Ellis) v. Chief Constable of Essex Police [2003] EWHC 1321 (Admin).

[4]. Kharak Singh v. State of Uttar Pradesh AIR 1963 SC 1295.

[5]. Gobind v. State of Madhya Pradesh AIR 1975 SC 1378.

[6]. R. Rajagopal v. State of Tamil Nadu AIR 1995 SC 264.

[7]. People’s Union for Civil Liberties v. Union of India (1997) 1 SCC 30.

[8]. A Division Bench of the Supreme Court of India comprising Kuldip Singh and Saghir Ahmad, JJ, found that the procedure set out in section 5(2) of the Indian Telegraph Act, 1885 and rule 419 of the Indian Telegraph Rules, 1951 did not meet the “just, fair and reasonable” test laid down in Maneka Gandhi v. Union of India AIR 1978 SC 597 requisite for the deprivation of the right to personal liberty, from whence the Division Bench found a right to privacy emanated, guaranteed under Article 21 of the Constitution of India. Therefore, Kuldip Singh, J, imposed nine additional procedural safeguards that are listed in paragraph 35 of the judgment.

[9]. Naz Foundation v. Government of NCT Delhi (2009) 160 DLT 277.

[10]. The 2010 data adequacy assessment of Indian data protection laws was conducted by Professor Graham Greenleaf. His account of the process and his summary of Indian law can found at Graham Greenleaf, "Promises and Illusions of Data Protection in Indian Law" International Data Privacy Law (47-69, Vol. 1, No. 1, March 2011).

[11]. The Rules were brought into effect vide Notification GSR 313(E) on 11 April 2011. CIS submitted comments on the Rules that can be found here – http://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011.

[12]. The Committee on Subordinate Legislation, a parliamentary ‘watchdog’ committee, is mandated by rules 317-322 of the Rules of Procedure and Conduct of Business in the Lok Sabha (14^th edn., New Delhi: Lok Sabha Secretariat, 2010) to examine the validity of subordinate legislation.

[13]. See the 31^st Report of the Committee on Subordinate Legislation that was presented on 21 March 2013.

[14]. See paragraphs 7.14-7.17 on pages 69-72 of the Report of the Group of Experts on Privacy, 16 October 2012, Planning Commission, Government of India.

[15]. See, the Indian Telegraph (Amendment) Rules, 2007, which were brought into effect vide Notification GSR 193(E) of the Department of Telecommunications of the Ministry of Communications and Information Technology, Government of India, dated 1 March 2007.

[16]. See, inter alia, section 14 of the Maharashtra Control of Organised Crime Act, 1999; section 14 of the Andhra Pradesh Control of Organised Crime Act, 2001; and, section 14 of the Karnataka Control of Organised Crime Act, 2000.

[17]. See, the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data and Information) Rules, 2009 vide GSR 782 (E) dated 27 October 2009; and, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 vide GSR 780 (E) dated 27 October 2009.

For more details visit https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings

The National Health Stack: An Expensive, Temporary Placebo

Murali Neelakantan, Swaraj Barooah, Swagam Dasgupta, and Torsha Sarkar — 2018-08-13T15:13:10Z

The year 2002 saw the introduction of a very ambitious National Program for Information Technology in the United Kingdom with the goal to transform the National Health Service — a pre-existing state-sponsored universal healthcare program. This would include a centralised, digital healthcare record for patients and secure access for 30,000 professionals across 300 hospitals.

The article was published by Bloomberg Quint on August 6, 2018.

However, the next ten years would see the scheme meet with constant criticism about its poor management and immense expenditure; and after a gruelling battle for survival, including spending £20 billion and having top experts on board, the NPfIT finally met its end in 2011.

Fast forward eight years — the Indian government’s public policy think tank, NITI Aayog, is proposing an eerily similar idea for the much less developed, and much more populated Indian healthcare sector. On July 6, the NITI Aayog released a consultation paper to discuss “a digital infrastructure built with a deep understanding of the incentive structures prevalent in the Indian healthcare ecosystem”, called the National Health Stack. The paper identifies four challenges that previous government-run healthcare programs ran into and that the current system hopes to solve. These include:

low enrollment of entitled beneficiaries of health insurance,
low participation by service providers of health insurance,
poor fraud detection,
lack of reliable and timely data and analytics.

The current article takes a preliminary look at the goals of the NHS and where it falls behind. Subsequent articles will break down the proposed scheme with regard to safety, privacy and data security concerns, the feasibility of data analytics and fraud detection, and finally, the role of private players within the entire structure.

The primary aim of any digital health infrastructure should be to compliment an existing, efficient healthcare delivery system.

As seen in the U.K., even a very well-functioning healthcare system doesn’t necessarily mean the digitisation efforts will bear fruit.

The NHS is meant to be designed for and beyond the Ayushman Bharat Yojana — the government’s two-pronged healthcare regime that was introduced on Feb. 1. Unfortunately, though, India’s healthcare regime has long been in the need of severe repair, and even if the Ayushman Bharat Yojana works optimally, there are no indications to show that this will miraculously change by their stated target of 2022. Indeed, experts predict it would take at least a ten-year period to successfully implement universal health coverage. A 2013 report by EY-FICCI stated that we must consider a ten-year time frame as well as allocating 3.5-4.7 percent of the GDP to health expenditure to achieve universal health coverage.

However, as per the current statistics, the centre’s allocation for health in the 2017-18 budget is Rs 47,353 crore, which is 1.15 percent of India’s GDP.

Patients wait for treatment in the corridor of the Acharya Tulsi Regional Cancer Treatment & Research Institute in Bikaner, Rajasthan, India. (Photographer: Prashanth Vishwanathan/Bloomberg)

Along with the state costs, India’s current expenditure in the health sector comes to a meagre 1.4 percent of the total GDP, far short of what the target should be. Yet, the government aims to attain universal health coverage by 2022.

In the first of its two-pronged strategy, the Ayushman Bharat Yojana aims to establish 1.5 lakh ‘Health and Wellness Centres’ across the country by 2022, which would provide primary healthcare services free of cost.

However, the total fund allocated for ’setting up’ these centres is only Rs 1,200 crore, which comes down to a meagre Rs 80,000 per centre.

It is unclear whether the government plans to establish new sub-centres, or improve the existing ones. Either way, a pittance of Rs 80,000 is grossly insufficient. As per reports, among the 1,56,231 current health centres, only 17,204 (11 percent) have met Indian Public Health Standards as of March 31, 2017. Shockingly, basic amenities like water and electricity are scarce, if not, absent in a substantial number of these centres.

At least 6,000 centres do not have a female health worker, and at least 1,00,000 centres do not have a male health worker.

A woman holds a child in the post-delivery ward of the district hospital in Jind, Haryana, India. (Photographer: Prashanth Vishwanathan/Bloomberg)

Even taking the generous assumption that the existing 17,204 centres are in top condition, the future of the rest of these health and wellness centres continues to be bleak.

In truth, both limbs of the Ayushman Bharat strategy remain oblivious to the reality of the situation. The goals do not take into account the existing problems within access to healthcare, nor the relevant economic and social indicators that depict a contrasting reality.

Therefore, the fundamental question remains: if there is no established, well-functioning healthcare delivery system to support, what will the NHS help?

NHS: What Purpose Does It Serve?

The ambitious scope of the National Health Stack consultation paper aside, the central problem plaguing the Indian healthcare system, i.e, delivery, and access to healthcare, remains unaddressed. The first two problems that the NHS aims to solve focus solely on increasing health insurance coverage. However, very problematically, the document does not explicitly mention how a digital infrastructure would lead to rising enrollment of both beneficiaries and service providers of insurance.

This goal of increasing enrollment without a functioning healthcare system could result in two highly problematic scenarios.

Either health and wellness centres will effectively act as enrollment agencies rather than providers of healthcare, or the government would fall back on its ‘Aadhar approach’ and employ external enrollment agents.

The former approach runs a very real risk of the health and wellness centres losing focus on their primary purpose even while statistics show them as functioning centres – thus negatively impacting even the working centres. The latter approach is at a higher risk of running into problems akin to the case of Aadhaar enrollment, such as potential data leakages, identity thefts and a market for fake IDs. Even if we somehow overlook this and assume that the NHS would help increase insurance coverage without additional problems, the larger question still stands: should health insurance even be the primary goal of the government, over and above providing access to healthcare? And what effect will this have on the actual delivery of healthcare services to the common citizen?

A lone patient sleeps in the post operation recovery ward of the district hospital in Jind, Haryana, India. (Photographer: Prashanth Vishwanathan/Bloomberg)

Should Insurance Be A Primary Objective Of The Indian Government?

Simply put, the answer is no, because greater insurance coverage need not necessitate better access to healthcare. In recent years, health insurance in India has been rising rapidly due to government-sponsored schemes. In the fiscal year 2016-17, the health insurance market was prized to be worth Rs 30,392 crore. Even with such large investments in insurance premiums, the insurance market accounts for lesser than 5 percent of the total health expenditure.

Furthermore, previous experiences with government-sponsored health insurance schemes have proven that there is little merit to such an expensive task.

For instance, the government’s earlier health insurance scheme, Rashtriya Swasthya Bima Yojana, was predicted to be unable to completely provide ‘accessible, affordable, accountable and good quality health care’ if it focussed only on “increasing financial means and freedom of choice in a top-down manner”.

These traditional insurance-based models are characterised by problems of information asymmetry such as ‘moral hazard’ — patients and healthcare providers have no incentive to control their costs and tend to overuse, resulting in an unsustainable insurance system and cost inflation. Any attempt to regulate providers is met with harsh, cost-cutting steps which end up harming patients.

On another note, some diseases which are responsible for the most number of deaths in the country — including ischaemic heart diseases, lower respiratory tract infections, chronic obstructive pulmonary disease, tuberculosis and diarrhoeal diseases — are usually chronic conditions that need outpatient consultation, resulting in out-of-pocket expenses.

Patients wait at the Head and Neck Cancer Out Patient department of Tata Memorial Hospital in Mumbai, India. (Photographer: Prashanth Vishwanathan/Bloomberg News)

Even though the government has added non-communicable diseases under the ambit of the health and wellness centres, there are still reports stating that for some of the most impoverished, their reality is that 80 percent of the time, they have to cover their expenses from their pocket. This issue in all probability will continue to exist since the status and likelihood for these centres to be successful itself is questionable.

It is clear, that in the current scheme of things, this traditional insurance model of healthcare cannot benefit those it is meant for.

If this is the case, why has the NHS built its main objectives around insurance coverage rather than access to healthcare? It is imperative that we question the legitimacy of these goals, especially if they indicate the government's intentions to push health insurance via the NHS above its responsibility of delivering healthcare. The government's thrust for a digital infrastructure shows tremendous foresight, but at what cost? Even the clear goal of healthcare data portability has very little benefit when one understands that this becomes an important goal only when one has given up on ensuring widespread accessible healthcare. Once the focus shifts from using technology needlessly to developing an efficient and universally accessible healthcare delivery system, the need for data portability dramatically reduces. The temptation of digitisation and insurance coverage cannot and should not blind us from the main goal — access to healthcare. The one lesson that we must learn from the case of the U.K. is that even with a well-functioning healthcare delivery system, a digital infrastructure must be introduced very thoughtfully and carefully. In our eagerness to leapfrog with technology, we must not mistake a placebo for a panacea.

Murali Neelakantan is an expert in healthcare laws. Swaraj Barooah is Policy Director at The Centre for Internet and Society. Swagam Dasgupta and Torsha Sarkar are interns at The Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/blog/bloomberg-quint-august-6-2018-murali-neelakantan-swaraj-barooah-swagam-dasgupta-torsha-sarkar-national-health-stack-an-expensive-temporary-placebo

The National Cyber Security Policy: Not a Real Policy

bhairav — 2013-09-25T09:49:11Z

Cyber security in India is still a nascent field without an organised law and policy framework. Several actors participate in and are affected by India's still inchoate cyber security regime. The National Cyber Security Policy (NCSP) presented the government and other stakeholders with an opportune moment to understand existing legal limitations before devising a future framework. Unfortunately, the NCSP's poor drafting and meaningless provisions do not advance the field.

This article was published in the Observer Research Foundation's Cyber Security Monitor Vol. I, Issue.1, August 2013.

For some time now, law and policy observers in India have been noticing a definite decline in the quality of national policies emanating from the Central Government. Unlike legislation, which is notionally subject to debate in the Parliament of India, policies face no public evaluation before they are brought in to force. Since, unlike legislation, policies are neither binding nor enforceable, there has been no principled ground for demanding public deliberation of significant national policies. While Parliament’s falling standard of competence has been almost unanimously condemned, there has been nearly no criticism of the corresponding failure of the Centre to invigilate the quality of the official policies of its ministries. Luckily for the drafters of the National Cyber Security Policy (NCSP), the rest of the country has also mostly failed to notice its poor content.

The NCSP was notified into effect on 2 July 2013 by the Department of Electronics and Information Technology – which calls itself DeitY – of the Ministry of Communications and Information Technology. As far as legislation and legal drafting go, DeitY has a dubious record. In March 2013, in a parliamentary appraisal of subordinate law framed by DeitY, a Lok Sabha committee found ambiguity, invasions of privacy and potentially illegal clauses. Apprehensions about statutory law administered by DeitY have also found their way to the Supreme Court of India, where a constitutional challenge to certain provisions of the Information Technology Act, 2000 (IT Act) continues. On more than one occasion, owing to poor drafting, DeitY has been forced to issue advisories and press releases to clarify the meaning of its laws. Ironically, the legal validity of these clarifications is also questionable.

A national policy must set out, in real and quantifiable terms, the objectives of the government in a particular field within a specified time frame. To do that, the policy must provide the social, economic, political and legal context prevalent at the time of its issue as well as a normative statement of factual conditions it seeks to achieve at the time of its expiry. Between these two points in time, the policy must identify and explain all the particular social, economic, political and legal measures it intends to implement to secure its success. Albeit concerned solely with economic growth, the Five-Year Plans – the Second and Tenth Plans in particular, without prejudice to their success or failure, are samples of policies that are well-drafted. In this background, the NCSP should be judged on the basis of how it addresses, in no particular order, national security, democratic freedoms, economic growth and knowledge development. Let us restrict ourselves to the first two issues.

There are broadly two intersections between national security and information technology; these are: (i) the security of networked communications used by the armed forces and intelligence services, and (ii) the storage of civil information of national importance. While the NCSP makes no mention of it, the adoption of the doctrine of network-centric warfare by the three armed forces is underway. Understanding the doctrine is simple – an intensive use of information technology to create networks of information aids situational awareness and enables collaboration to bestow an advantage in combat. However, the doctrine is vulnerable to asymmetric attack using both primitive and highly sophisticated means. Pre-empting such attacks should be a primary policy concern; not so, apparently, for the NCSP which is completely silent on this issue. The NCSP is slightly more forthcoming on the protection of critical information infrastructure of a civil nature. Critical information infrastructure, such as the national power grid or the Aadhar database, is narrowly defined in section 70 of the IT Act where it used to describe a protected system. Other provisions of the IT Act also deal with the protection of critical information infrastructure. The NCSP does not explain how these statutory provisions have worked or failed, as the case may be, to necessitate further mention in a policy document. For instance, section 70A of the IT Act, inserted in 2008, enables the creation of a national nodal agency to undertake research and development and other activities in respect of critical information infrastructure. Despite this, five years later, the NCSP makes a similar recommendation to operate a National Critical Information Infrastructure Protection Centre to undertake the same activities. In the absence of any meaningful explanation of intended policy measures, there is no reason to expect that the NCSP will succeed where an Act of Parliament has failed.

But, putting aside the shortcomings of its piece-meal provisions, the NCSP also fails to address high-level conceptual policy concerns. As information repositories and governance services through information technology become increasingly integrated and centralised, the security of the information that is stored or distributed decreases. Whether by intent or error, if these consolidated repositories of information are compromised, the quantity of information susceptible to damage is greater leading to higher insecurity. Simply put, if power transmission is centrally controlled instead of zonally, a single attack could black out the entire country instead of only a part of it. Or if personal data of citizens is centrally stored, a single leak could compromise the privacy of millions of people instead of only hundreds. Therefore, a credible policy must, before it advocates greater centralisation of information, examine the merits of diffused information storage to protect national security. The NCSP utterly fails in this regard.

Concerns short of national security, such as the maintenance of law and order, are also in issue because crime is often planned and perpetrated using information technology. The prevention of crime before it is committed and its prosecution afterwards is a key policy concern. While the specific context may vary depending on the nature of the crime – the facts of terrorism are different from those of insurance fraud – the principles of constitutional and criminal law continue to apply. However, the NCSP neither examines the present framework of cybersecurity-related offences nor suggests any changes in existing law. It merely calls for a “dynamic legal framework and its periodic review to address the cyber security challenges” (sic). This is self-evident, there was no need for a new national policy to make this discovery; and, ironically, it fails to conduct the very periodic review that it envisages. This is worrying because the NCSP presented DeitY with an opportunity to review existing laws and learn from past mistakes. There are concerns that cybersecurity laws, especially relevant provisions of the IT Act and its rules, betray a lack of understanding of India’s constitutional scheme. This is exemplified by the insertion, in 2008, of section 66A into the IT Act that criminalises the sending of annoying, offensive and inconvenient electronic messages without regard for the fact that free speech that is annoying is constitutionally protected.

In India, cybersecurity law and policy attempts to compensate for the state’s inability to regulate the internet by overreaching into and encroaching upon democratic freedoms. The Central Monitoring System (CMS) that is being assembled by the Centre is a case in point. Alarmed at its inability to be privy to private communications, the Centre proposes to build systems to intercept, in real time, all voice and data traffic in India. Whereas liberal democracies around the world require such interceptions to be judicially sanctioned, warranted and supported by probable cause, India does not even have statutory law to regulate such an enterprise. Given that, once completed, the CMS will represent the largest domestic interception effort in the world, the failure of the NCSP to examine the effect of such an exercise on daily cybersecurity is bewildering. This is made worse by the fact that the state does not possess the technological competence to build such a system by itself and is currently tendering private companies for equipment. The state’s incompetence is best portrayed by the activities of the Indian Computer Emergency Response Team (CERT-In) that was constituted under section 70B of the IT Act to respond to “cyber incidents”. CERT-In has repeatedly engaged in extra-judicial censorship and has ham-handedly responded to allegedly objectionable blogs or websites by blocking access to entire domains. Unfortunately, the NCSP, while reiterating the operations of CERT-In, attempts no evaluation of its activities precluding the scope for any meaningful policy measures.

The NCSP’s poor drafting, meaningless provisions, deficiency of analysis and lack of stated measures renders it hollow. Its notification into force adds little to the public or intellectual debate about cybersecurity and does nothing to further the trajectory of either national security or democratic freedoms in India. In fairness, this problem afflicts many other national policies. There is a need to revisit the high intellectual and practical standards set by most national policies that were issued in the years following Independence.

For more details visit https://cis-india.org/internet-governance/blog/orfonline-bhairav-acharya-observer-research-foundation-cyber-security-monitor-august-2013-nsp-not-a-real-policy

The Narendra Modi app: The secret weapon in BJP’s elections arsenal

Admin — 2018-03-29T16:28:28Z

Narendra Modi app, BJP's secret weapon.

The article by Jayadevan PK and Pankaj Mishra was published by Factor Daily on March 29, 2018. Pranesh Prakash was quoted.

Story Highlights

Why is Rahul Gandhi beating the drums about the Narendra Modi app? Because he knows that the app – with over 10 million users already – will be crucial decider of a BJP victory or failure in the general elections.
The Narendra Modi app’s mission is two fold — mobilize and integrate some 100 million BJP members and use the app to deliver targeted messaging to voters. Party president Amit Shah has a target that each district should have 100,000 downloads.
In the coming general elections, there will be more than 180 million first-time voters – people who are relatively easy to target on social media. Of the 241 million Facebook users in India, about 54 million are between the age of 18 and 23 years.

Congress president Rahul Gandhi earlier this week got panned for his criticism of the Narendra Modi app. The app, Gandhi had said on Twitter, was leaking user data and added that Prime Minister Narendra Modi was “the Big Boss who likes to spy on Indians”. Much of what the Congress leaders said was hyperbole common at the hustings.

But as it turns out, Gandhi has good reason to beat the drums wildly: the Narendra Modi app is going to be, by all accounts, the Bharatiya Janata Party’s arrowhead as India pads up for its biggest general elections next year. The app is going to be the fulcrum of the BJP’s tech outreach and social media strategy in the months ahead of the elections, which may be held earlier than the scheduled early 2019 going by the buzz in political circles in capital New Delhi.

The usage of the state apparatus to promote an app owned by Modi personally and the way it plans to use data of its users is drawing criticism from political rivals and privacy activists. Critics have pointed out that the app asks for too many permissions, is less than ideally secure, and is run by the BJP while being positioned as the official application of the prime minister of India. These questions are now taking a serious tone after the Facebook-Cambridge Analytica scandal.

“Overall, Facebook’s fallout means even more focus and reliance on the Narendra Modi app by the BJP,” said a person familiar with BJP’s social and digital plans, adding the Facebook and WhatsApp platforms will be in the background and continue to be valuable. This person asked to remain anonymous.

By “Facebook’s fallout”, he is referring to the aftermath of the scandal that implicated political consulting firm Cambridge Analytica of misusing Facebook data of millions of users without consent. Questions are also being raised in the UK and US about the involvement of Russian actors using Facebook, Google and Twitter to influence key global events such as Britain’s exit from the European Union and the US presidential elections in 2016.

After a sting by British broadcaster Channel4 showed Cambridge Analytica used dubious means to influence elections, both the Congress party and the BJP have accused each other of using the services of the analytics company.

To be sure, it will be difficult for anyone to ignore Facebook and WhatsApp for the sheer reach they offer – Facebook has over 240 million users in India and WhatsApp has a similar number of users in India. But growing the Narendra Modi app’s user base will mean a channel that won’t need to be constantly paid for and in the BJP’s direct control with all the granular data and reach that such a platform can offer.

India has the largest number of Facebook users in the world.

“The game plan is to make Narendra Modi app the killer platform for the next elections and beyond,” said the person aware of the BJP’s plan. With estimated downloads of over 10 million already, the Narendra Modi app’s mission is two-fold — mobilize and integrate some 100 million BJP members across the party’s operations and use the app to deliver targeted messaging to existing and potential voters.

To that end, Prime Minister Modi himself and the BJP have been driving app downloads in ways that will put seasoned growth hackers to shame. For instance, Modi’s new book Exam Warriors. Readers can scan QR codes in the book and post responses to the Narendra Modi app. The target: more young users for the app who will soon vote for the first time. A student taking the 12th board exams this year is likely 18 years old, come the 2019 elections.

As has been pointed out, targeting first-time voters in a country where 41% of the population is younger than 20 years is a no-brainer. Political scientist Oliver Heath posited in 2015 that the BJP’s 2014 victory came about more thanks to first-time voters rather the votes it weaned away from rival parties. There were 136 million new voters in 2014. This time there will be more than 180 million first-timers – people who are relatively easy to target on social media. Of the 241 million Facebook users in India, about 54 million are between the age of 18 and 23 years.

The BJP also has plans to co-opt educational institutions to distribute the book, said another source. The book, released in February 2018 is being translated into various languages starting with Hindi and Marathi. The BJP state government in Maharashtra is procuring nearly 150,000 books on Modi but it hasn’t said yet it would be Exam Warriors that it would buy and distribute to state schools.

The number of times Prime Minister Narendra Modi has plugged the app in his Mann Ki Baat speeches.

The prime minister also channels users to the app in his speeches and on his social media channels. A typical plug in his monthly Mann Ki Baat speech would call out a comment received on the app or ask “fellow countrymen” to share a photo or views on an issue on the app. Since October 2014, Modi has made 41 Mann Ki Baat speeches and he has mentioned the Narendra Modi app over 50 times, an analysis of his speeches shows (See graph).

Besides launching modules that enable the prime minister to talk to his council of ministers or run surveys and bundling the app with new phones to drive users, the BJP has also from time to time driven some hard app download targets to its rank and file. In September 2016, for instance, the Gujarat party chief said it will ensure at least 7 lakh downloads of the app as a birthday gift to Modi. BJP President Amit Shah wants nearly 50 million downloads for the app and has directed state officials to drive nearly 100,000 app installations in each district. “Do not take this as an information (or suggestion). Accountability will be ensured and it is the responsibility of each district unit to ensure downloading of one lakh of Narendra Modi App,” Shah reportedly said at the party’s national executive meeting in March 2016.

The app is already in play at the Karnataka elections scheduled for April. “As of now, the app has national content. Going forward we will be pumping lot of content related to Karnataka in Kannada. It will include voice, non-voice and lot of messages. He (Modi) will also be sharing through the app for Kannadigas,” says Amresh K, BJP Information Technology Cell State Convener.

“We will also be doing a Narendra Modi campaign to drive downloads,” said Amresh, who is helping create manifestos for 224 constituencies in Karnataka. “Earlier it used to be one state-level manifesto. This time we have it for 224 constituencies. We’re also engaging with 500-1000 influencers in these constituencies and about 100 sectors to compile their inputs,” he said. The 2013 manifesto of the BJP, a 40-page document, led with the development agenda focussed on specific sectors but also promised freebies such as 25-kilogram free rice to the poor and free laptop to high school goers.

Modi’s popularity as a leader in central to the app. “More than BJP today, Modi as a brand has become extremely strong. There’s a lot of mud sticking to political leaders but in comparison, he seems to be coming through as spotless,” says brand strategist and author M G Parameswaran, who helped create some of the biggest brands such as Santoor and Wipro. To appeal to the young voter, it’s important for Modi to stick to the “development narrative and not get derailed by the Hindutva narrative,” he adds.

So how does the app really help the BJP? The answer to this question really lies in the BJP’s earlier campaigns and the party’s learnings. FactorDaily interviewed people closely associated with BJP’s 2014 campaign to find out.

The ‘Golden Triple’

India could go to polls as early as the end of this year, as is being speculated by the political chatterati, or early next year. Nearly one billion Indians eligible to vote this time around (814 million in 2014) will decide the fate of 543 seats to which representatives are elected. As Rajesh Jain, a former advisor to the BJP campaign points out on his blog, “using data and analytics to identify supporters and then getting them out to vote on election day will be instrumental in determining the eventual winner”. He estimates that nearly 670 million people in India, comprising 330 million who don’t vote and 340 million who aren’t likely to support a mainstream party (or are undecided), are up for grabs.

Importantly, the dynamics at the hustings have changed. “Unlike 2015, this isn’t an election with a wave (the Narendra Modi wave). This isn’t a Facebook or a WhatsApp election in that sense. This is going to be about micro-targeting and use of Narendra Modi app. If BJP wins 2019, the app will become even more all-pervasive and a way to be free from platforms like WhatsApp and Facebook,” said the source familiar with the BJP’s plans quoted above.

Micro-targeting is the practice of crafting messages and advertising to small user cohorts. For this to work, the advertiser, will need to understand its target audience deeply and accurately. Having data from various sources, including the Modi app, will help target the electorate better.

The golden triple is a combination of booth level information, contact details and political leaning of a voter.

The lynchpin of the data strategy of the BJP is what number crunchers call the “Golden Triple”, which has three pieces to it: the details of the booth at which someone votes, the contact phone number and the political leaning of the voter. Voter details are public information in India. Collating that accurately with contact phone numbers is difficult but doable (and likely has already been done by political parties including the BJP).

The BJP, through its missed call-based membership drive back in November 2014, had amassed nearly 100 million registered members. At the time, the BJP had collected voter ID details of members as well. In other words, the party already has over 100 million ‘golden triples’. “If you have 10 crore golden triples, your target audience is sorted,” said the source who knows of BJP’s plans.

“There are four things on which the battles are won and lost—identifying those who already are your supporters, voter registration, pursue them, and finally ensuring that they turn out on the day when it all matters the most,” says the person. The Narendra Modi app becomes a tool to mobilize party workers and getting them to execute the game plan. It also doubles up as a channel to send targeted messages based on the data it has captured already.

Having data of its supporters in a constituency can help parties craft targeted messages and zone in on the audience better using social media platforms, says Ankit Lal, the author of India Social: How social media is leading the charge and changing the countryand a social media strategist for the Aam Aadmi Party (AAP). For instance, Facebook allows you to build a custom audience by uploading a list of email addresses or phone numbers.

The election commission’s Form 20 gives polling booth level data on which candidate got how many votes. “Now, this combined with more specific data sets, can make it far more impactful,” says the person quoted above. For instance, if the numbers aren’t looking good in a certain region, the Narendra Modi app can be used to mobilise party workers to campaign harder in those areas.

In 2014, the BJP used a market research and analytics agency Penn Schoen Berland (PSB) to firm up the key planks on which it would fight elections. The party built its campaign around issues of corruption, security of women, and inflation based on the firm’s inputs. For sure, there will be voter surveys done by the BJP (as also other parties) this time, too, but with the Narendra Modi app and its growing install base, the party’s understanding of local, district-level issues – even booth-level inputs – get strengthened through internal surveys and other mechanisms.

But, can the sophisticated combination of data analytics, micro-targeting, and bespoke messaging swing an election? The answer depends on how close the electoral fight in different constituencies will turn out to be.

When victory margins are thin, targeted campaigns (especially on social media) can win seats. Case in point: Gujarat assembly elections late last year. As this article points out, the victory margins in 57 out of 182 seats in Gujarat was less than 5% – in other words, just a few thousand votes could swing victory either which way. “The win or loss margin is very small, generally less than 5% of the electorate for a majority of constituencies,” says Lal, the AAP strategist. “For urban areas, it is easy to influence results using social media because the margins are so close.” In Karnataka, more than 30 of the 224 seats in the legislative assembly had wins with a margin of less than 3%.

What about the national elections? Here, too, the narrow wins are make or break in nature. Ninety-two seats were won with a winning margin of less than 5% in the 2014 elections. This despite the Modi wave that saw the BJP end with 282 seats in the Lok Sabha – the first time in 30 years a party won a simple majority in the lower house of Parliament.

In other words, social media has – and will continue to have – a definite sway in Indian electoral outcomes and the Narendra Modi app has its role cut out for itself.

The privacy question

On March 23, a security researcher who goes by the pseudonym Elliot Alderson, revealed that the data collected by Narendra Modi app is being passed on to analytics company Clevertap. The app also takes 22 permissions from the user, including the ability to access the user’s contacts, gallery and microphone. Privacy advocates warn that doing so without explicitly telling the user is a breach of trust. “Be careful when you enter personal data. It is often not needed and this data is often misuse (sic) after that,” Alderson messaged FactorDaily on Twitter in reply to a question. His tweets were what had the Congress Party’s Gandhi kicking up a minor storm accusing the BJP of spying on users. To be sure, it is common practice to integrate analytics and marketing tools like Clevertap into an app (also see: CleverTap’s Commitment to User Consent and Data Privacy).

Thejesh G N, founder of Datameet, a community of data scientists and open data enthusiasts, says that it’s okay for politicians to use websites or apps to string members together or talk to their constituents. But they should follow ground rules such as stating the purpose of data collection clearly, collecting minimum amount of data, sharing information about who is collecting the data, for what purpose and guaranteeing the security of personal data, and also stating how it will share data with third parties and for what purpose. This may have sounded like ideal principles of data use but less so in the aftermath of the Facebook-Cambridge Analytica scandal which has brought into focus the flagrant violation of privacy standards by almost every platform.

“People might be thinking they are giving data to the prime minister… in fact, it’s probably going to a campaign database. It’s important to make that clear.”

In the case of Narendra Modi app, some of these basic rules aren’t followed, points out Thejesh, a privacy activist from Bengaluru. “The app description on Play Store says ‘Official App of Prime Minister of India, Narendra Modi. It brings to you latest information, instant updates & helps you contribute towards various tasks. It provides a unique opportunity to receive messages and emails directly from the Prime Minister.’ But the app is not owned by Government of India and so the statement is misleading,” he says. “People might be thinking they are giving data to the prime minister… in fact, it’s probably going to a campaign database. It’s important to make that clear.”

Lal of AAP minces no words when it comes to the question of ownership of data. “That’s the biggest question. How did a private app end up being used by the prime minister’s office? Either they were conned into it or they know about it. If they did it deliberately, they knowingly stole data which is no smaller than that of Cambridge Analytica. There it was between Cambridge Analytica and Facebook, here it is between citizen and their prime minister,” he says.

“There is a distinction to be drawn between providing one’s own data and providing the data of others that you happen to have.”

In 2015, privacy and tech policy expert Pranesh Prakash helped report a security vulnerability that exposed the data of Narendra Modi app users. “In 2016 again, the same set of security vulnerabilities blew up… this time, more than 5 million people’s personal profiles including their birthdates, phone numbers was available to the public,” Prakash told India Today TV. “There is a distinction to be drawn between providing one’s own data and providing the data of others that you happen to have. For instance, the Narendra Modi app asks for permissions for ‘Contacts’, which allows it to harvest your contacts. Are they using it (as you suggest they would) for the elections? If so, are they upfront about that as one of the purposes for the data collection? And are they collecting your details or details of your contacts as well,” Prakash later told FactorDaily in reply to a question on the use of data from the Narendra Modi app.

The BJP has responded to some of the criticism. Amit Malviya, the BJP IT Cell chief pointed FactorDaily to the party’s statement that said: “Narendra Modi App is a unique App, which unlike most Apps, gives access to users in ‘guest mode’ without even any permission or data. The permissions required are all contextual and cause-specific. Contrary to Rahul (Gandhi)’s lies, fact is that data is being used for only analytics using third-party service, similar to Google Analytics. Analytics on the user data is done for offering users the most contextual content. This ensures that a user gets the best experience by showing content in his language & interests. A person who looks up agri-related info will get agri related content easily. A person from TN will get updates in Tamil and get an update about an important initiative about TN.”

Will the Narendra Modi app prove to be the BJP’s Brahmastra – the mythical destructive weapon from ancient Hindu texts? The contextual content served on the app in the coming months will give the answer. If it is hyperlocal and raises issues at the booth level, you can be sure that the Brahmastra has been deployed.

For more details visit https://cis-india.org/internet-governance/news/factor-daily-jayadevan-pk-and-pankaj-mishra-march-29-2018-narendra-modi-app-bjp-2019-election

The mystery of the website which published the ‘scoop’ on BJP’s Ram Madhav

Admin — 2018-02-22T14:55:33Z

The website has since been taken down, but the identity of its creators may not be very easy to find.

The blog post by Kaveesha Kohli and Talha Ashraf was published in The Print on February 13, 2018.

The BJP filed a criminal complaint Sunday against a website after it published a report about an alleged video said to show the party’s national general secretary Ram Madhav in a ‘compromising position’. However, the site no longer exists and experts say it may be difficult to find out who was behind the ‘expose’.

Congress MP from Assam, Sushmita Dev, was among those who shared the website’s report, which claimed that the senior BJP functionary and in-charge of the party’s north-east affairs, was allegedly caught in a hotel.

But soon after the Nagaland unit of the BJP vehemently denounced it as “fictitious report” and filed an FIR, the website ceased to exist. In its complaint, the BJP said the “news report is totally false and it seeks to character assassinate Ram Madhav and sabotage the election campaign of the BJP”.

However, the screenshot of the article continues to be shared on social media.

Registration details of thenewsjoint.com (now defunct) taken from The Internet Corporation for Assigned Names and Numbers (ICANN) that manages domain names says the site was created and registered on 2 January 2018. The site’s expiry date is 2 January 2019.

Since its creation, the site has published multiple stories, most of which have been published in the last two weeks.

“If we look through Google cache, it has published multiple stories about budget aftershocks, Sensex falls by record, Modi Sarkar shuts bamboo budget, etc,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

Anyone could have published the website with the domain name The News Joint, said Madhulika Srikuamar, Junior Fellow, Cyber Initiative, Observer Research Foundation.

“The buyer, for an additional fee, can opt to keep her details private and not reveal her identity online,” she said.

The domain name thenewsjoint.com is registered through a private organisation named DomainsByProxy.com. The use of the private organisation is to maintain secrecy and makes it easy to hide the owner’s actual name and address. So how can it be traced?

“In order to track the original owners of the domain name, the police will have to take the court order and ask DomainsByProxy to hand over the name and IP address of the persons who registered themselves,” said Prakash.

And there’s no way to regulate against such sites as well.

“While there are no specific domestic regulations that govern the registration, sale and purchase of domain names, most restrictions on domain name registration stem from intellectual property protections,” said Srikumar.

In this particular case, it remains unclear whether the website was taken down because of the article on Madhav.

Prakash says it is important to verify whether The News Joint was created to peddle false news, or was pretending to be a genuine news website.

“It can be compared to the broader news environment in India where very mainstream newspapers, especially their Web desks, very often end up publishing news without any regard for journalistic ethics, without verification of the facts,” he said.

For more details visit https://cis-india.org/internet-governance/news/the-print-kaveesha-kohli-and-talha-ashraf-the-vanishing-act-scoop-on-bjp-ram-madhav