We are anonymous, we are legion

Second Expert Meeting on Human Rights and the Internet

praskrishna — 2011-06-08T10:01:55Z

The second expert meeting on human rights and the Internet is being organised by the Swedish Ministry for Foreign Affairs and the UN Special Rapporteur on Freedom of Opinion and Expression on 30 and 31 March 2011 in Stockholm (Sweden). Anja Kovacs will participate in this meeting.

List of Participants (draft)

Alison LeClaire Christie alison.leclairechristie@international.gc.ca	Minister-Counsellor and Deputy Permanent Representative, Canadian mission to UN in Geneva
Anabella Rivera libert.expresion@gmail.com	Executive Director, DEMOS, Guatemala
Anja Kovacs anja@cis-india.org	Fellow, The Centre for Internet and Society, Bangalore
Anna Nawrot anna.nawrot@rwi.lu.se	Researcher, Raoul Wallenberg Institute of Human Rights, Lund, Sweden
Annie Game agame@cjfe.org	Executive Director, CJFE-IFEX
Anriette Esterhuysen anriette@apc.org	Executive Director, Association for Progressive Communications, South Africa
Arthit Suriyawongkul arthit@gmail.com	Thai Neitzen Network, Centre for Popular Media Reform
Brett Solomon brett@accessnow.org	Executive Director, Access Now
Charlotta Bredberg charlotta.bredberg@sida.se	Thematic Coordinator for Democracy, Human Rights, Peace and Security, Global Programme Unit, Department for Global Cooperation, Sida
Cynthia Wong cynthia@cdt.org	Director, Project on Global Internet Freedom, Center for Democracy and Technology, Washington DC
Daniel Westman Daniel.Westman@juridicum.su.se	Researcher and Teacher, Faculty of Law, Stockholm University
Danny Aerts danny.aerts@iis.se	CEO, The Internet Infrastructure Foundation (.SE)
David Mothander davidmothander@google.com	Nordic Policy Counsel, Google, Stockholm
Dunja Mijatovic pm-fom@osce.org	OSCE Representative on Freedom of the Media
Eduardo Bertoni eberto2@palermo.edu	Director, Center for Studies on Freedom of Expression and Access to Information, Palermo University School of Law, Argentina
Eric King eric@privacy.org	Human Rights and Technology Advisor, Privacy International
Grace Githaiga ggithaiga@hotmail.com	Kenya ICT Action Network (KICTANET)
Guy Berger G.Berger@ru.ac.za	Professor, School of Journalism & Media Studies, Rhodes University, South Africa
Helena Bjuremalm helena.bjuremalm@sida.se	Senior Policy Specialist, Democracy Assistance, Sida
Hossam Bahgat Hossam@eipr.org	Executive Director, Egyptian Initiative for Personal Rights, Cairo
Jan Kleijssen jan.kleijssen@coe.int	Director, Directorate General of Human Rights and Legal Affairs, Council of Europe
Jean-Luc Delvert Jean-luc.DELVERT@diplomatie.gouv.fr	Counsellor, Human Rights Division, Ministry for Foreign Affairs, France
Jean-Pierre Kempeneers, jem.kempeneers@minbuza.nl	Head of the Human Rights Division, Ministry of Foreign Affairs, The Netherlands
Jermyn P Brooks jermynbrooks@aol.com	Chair, Global Network Initiative
Joana Varon joana@varonferraz.com	Researcher, Centre for Technology and Society, Rio De Janeiro
Joe McNamee joe@mcnamee.eu	EU Advocacy Coordinator, European Digital Rights Initiative
Joy Liddicoat joy@liddicoatlaw.co.nz	Project Coordinator, Internet Rights are Human Rights, APC, South Africa
Kurt Erik Lindqvist kurtis@netnod.se	CEO, NETNOD, Stockholm
Lee Hibbard Lee.HIBBARD@coe.int	Coordinator for Internet Governance and Information Society, Council of Europe
Lisa Horner LisaH@global-partners.co.uk	Head of Research & Policy, Global Dialogue, London
Lise Bergh lise.bergh@amnesty.se	Director, Amnesty International, Swedish Section
Louise Bermsjö louise.bermsjo@sida.se	Programme Manager for Democracy and Human Rights, Global Programme Unit, Department for Global Cooperation, Sida
Lucille Morillon internet@rsf.org	Head, Bureau of New Media, Reporters sans frontières
Maciej TOMASZEWSKI maciej.tomaszewski@ec.europa.eu	European Commission DG INFSO, Unit A3 Internet; Network & Information Security
Maria Häll maria.hall@enterprise.ministry.se	Deputy Director, Division for Information Technology Policy, Ministry of Enterprise, Energy and Communications, Sweden
Mats Ringborg mats.ringborg@foreign.ministry.se	Ambassador of Sweden to OECD and UNESCO
Matthew Barzun BarzunMW@state.gov	US Ambassador to Sweden
Michael Camilleri MCamilleri@oas.org	Attorney, office of the Special Rapporteur for Freedom of Expression, OAS
Nicklas Lundblad nlundblad@google.com	Senior Policy Counsel, Public Policy and Government Affairs, Google
Nicole Gregory nicole.gregory@fco.gov.uk	Head of Human Rights Section, Human Rights and Democracy Department, Foreign and Commonwealth Office, UK
Orest Nowosad onowosad@ohchr.org	Director, Special Procedures of the Office of the UN High Commissioner for Human Rights
Patrik Fältström patrik@frobbit.se	Distinguished Consulting Engineer, Cisco
Patrik Hiselius Patrik.Hiselius@teliasonera.com	Senior Advisor, Public Affairs, Group Communications, Telia Sonera
Paula Uimonen paula@spidercenter.org	Director, The Swedish Program for ICT in Developing Regions, Stockholm
Richard Allan, ric@fb.com	Director of Policy in Europe, Facebook
Richard Esguerra gwen@eff.org	Senior Activist, Global Internet Freedom Policy, Electronic Frontier Foundation
Robert Guerra guerra@freedomhouse.org	Project Director, Internet Freedom, Freedom House
Robert Hårdh Robert.Hardh@civilrightsdefenders.org	Executive Director, Civil Rights Defenders, Stockholm
Sally Elkhodary sally.khodary@anhri.net	Programs Director, The Arabic Network for Human Rights Information, Cairo
Sarah Labowitz LabowitzSB@state.gov	Office of the Coordinator for Cyber Issues, US State Dept
Staffan Jonson staffan.jonson@iis.se	Policy Adviser, The Internet Infrastructure Foundation (.SE)
Sylvie Coudray s.coudray@unesco.org	Division for Freedom of Expression, Democracy and Peace, UNESCO
Thomas Hajnoczi, Thomas.HAJNOCZI@bmeia.gv.at	Ambassador, Permanent Representative of Austria to Council of Europe
Toby Mendel toby@law-democracy.org	Executive Director, Centre for Law and Democracy
Vilhelm Konnander vilhelm.konnander@gmail.com	Global Voices
Wolfgang Benedek wolfgang.benedek@uni-graz.at	Professor, Faculty of Law, Graz University, Austria
Yaman Akdeniz yaman.akdeniz@bilgi.edu.tr Ženet Mujić zenet.mujic@osce.org	Associate Professor of Law, Faculty of Law, Istanbul Bilgi University Senior Adviser, office of the OSCE Representative on Freedom of the Media

Organisers

Frank la Rue Co-Chair of the meeting libert.expresion@gmail.com	UN Special Rapporteur on Freedom of Opinion and Expression
Olof Ehrenkrona Co-Chair of the meeting olof.ehrenkrona@foreign.ministry.se	Ambassador, Political Adviser to Foreign Minister Carl Bildt, MFA, Sweden
Per Sjögren per.sjogren@foreign.ministry.se	Head, Dept of International Law, Human Rights and Treaty Law, MFA, Sweden
Hans Dahlgren hans.dahlgren@foreign.ministry.se	Ambassador for Human Rights, MFA, Sweden
Måns Molander mans.molander@foreign.ministry.se	Head of Human Rights Section, MFA, Sweden
Johan Hallenborg johan.hallenborg@foreign.ministry.se	Special Adviser, HR Section, MFA, Sweden
Maria Koliopanou maria.koliopanou@foreign.ministry.se	Assistant, HR Section, MFA, Sweden
Karin Keil Pettersson karin.keil-pettersson@foreign.ministry.se	Assistant, HR Section, MFA, Sweden
Pauline Etemad pauline.etemad@foreign.ministry.se	Intern, HR Section, MFA Sweden
Rolf Ring rolf.ring@rwi.lu.se	Deputy Director, Raoul Wallenberg Institute of Human Rights and Humanitarian Law, Lund, Sweden
Gordana Jankovic Gordana.Jankovic@osf-eu.org	Director, Open Society Foundation Media Program
Vera Franz vfranz@osf-eu.org	Senior Program Manager, Information Program, Open Society Foundations
Stewart Chisholm Stewart.Chisholm@osf-eu.org	Senior Manager for Freedom of Expression, Open Society Media Program

For more details visit https://cis-india.org/notices/second-expert-meeting

SEBI and Communication Surveillance: New Rules, New Responsibilities?

kovey — 2013-07-12T10:51:46Z

In this blog post, Kovey Coles writes about the activities of the Securities Exchange Board of India (SEBI), discusses the importance of call data records (CDRs), and throws light on the significant transition in governmental leniency towards access to private records.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Introduction

The Securities Exchange Board of India (SEBI) is the country’s securities and market regulator, an investigation agency which seeks to combat market offenses such as insider trading. SEBI has received much media attention this month regarding its recent expansion of authority; the agency is reportedly on track to be granted powers to access telecom companies’ CDRs. These CDRs are kept by telecommunication companies for billing purposes, and contain information on who sent a call, who received a call, and how long the call lasted, but does not disclose information about call content. Although SEBI has emphatically sought several new investigative powers since 2009 (including access to CDRs, surveillance of email, and monitoring of social media), India’s Ministry of Finance only recently endorsed SEBI’s plea for direct access to service providers’ CDRs. In SEBI’s founding legislation, this capability is not mentioned. Very recently, however, the Ministry of Finance has decided to support expansion of current legislation in regards to CDR access for SEBI, the Reserve Bank of India (RBI), and potentially other agencies, when it comes to prevention of money laundering and other economic offenses.

SEBI’s Authority (Until Now)

Established in 1992 under the Securities and Exchange Board of India Act, SEBI was created with the power of "registering and regulating the working of… [individuals] and intermediaries who may be associated with securities markets in any manner."[1] Its powers have included "calling for information from, undertaking inspection, conducting inquires and audits of the intermediaries and self-regulatory organisations in the securities market."[2] Although the agency has held the responsibility to investigate records on market activity, they have never explicitly enjoyed a right to CDRs or other communications data. Now, with the intention of “meeting new challenges thrown forward by the technological and market advances,”[3] SEBI and the Ministry of Finance want to extend their record keeping scope and investigative powers to include CDR access, a form of communications surveillance.

But the ultimate question is whether agencies like SEBI need this type of easy access to records of communication.

What is the Importance of CDR Access?

Reports on SEBI’s recent expansion are quick to ensure that the agency is not looking for phone-tapping rights, which intercepts messages within telephonic calls, but instead only seeks call records. CDRs, in effect, are “metadata,” a sort of information about information. In this case, it is data about communications, but it is not the communications themselves. Currently, there a total of nine agencies which are able to make actual phone-tapping requests in India. But when it comes to access of CDRs, the government seems much more generous in expanding powers of existing agencies. SEBI, as well as RBI and others, are all looking to be upgraded in their authority over CDRs. Experts argue, however, that "metadata and other forms of non-content data may reveal even more about an individual than the content itself, and thus deserves equivalent protection."[4] Therefore, a second crucial question is whether this sensitive CDR data will feature the same detail of protection and safeguards which exist for communication interception.

One reason for the recent move in CDR access is that SEBI and RBI have found the process of obtaining CDRs too arduous and ill-defined.[5] Currently, under section 92 of the CrPc, Magistrates and Commissioners of Police can request a CDR only with an official corresponding first information report (FIR), while there exists no explicit guideline for SEBI’s role in the process of CDR acquisition.[6] Although the government may seek to relax this procedure, SEBI’s founding legislation prohibits investigation without the pretense of “reasonable grounds," as stipulated in section 11C of the SEBI Act.[7] It has always stood that only under these reasonable grounds could SEBI begin inspection of an intermediary’s "books, registers, and other documents."[7] With the government creating a way for SEBI and similar agencies to circumvent the traditional procedures for access to CDRs, these new standards should incorporate safeguards to ensure the protection of individual privacy. Banking companies, financial institutions, and intermediaries have already been obliged to maintain extensive record keeping of transactions, clients, and other financial data under section 12 of the Prevention of Money-Laundering Act of 2002.[8] But books and records containing financial data differ greatly from communication data, which can include much more personal information and therefore may compromise individuals’ freedom of speech and expression, as well as the right to privacy.

Significance and Responsibility in this Decision

Judging from SEBI’s prior capabilities of inspection and inquiry, this change may initially seem only a minor expansion of power for the agency, but it actually represents a significant transition in governmental leniency toward access to private records. As mentioned, the recent goal of the Ministry of Finance to extend rights to CDRs is resulting in amended powers for more agencies than only SEBI. Moreover, this power expansion comes on the heels of controversy surrounding America’s National Security Agency (NSA) amassing millions of CDRs and other datasets both domestically and internationally. There is obvious room for concern over Indian citizen’s call records being made more easily accessible, with fewer checks and balances in place. The benefits of the new policy include easier access to evidence which could incriminate those involved in financial crimes. But is that benefit actually worth giving SEBI the right to request citizen’s call records? In the cases against economic offenses, CDR access often amounts only to circumstantial evidence. With its ongoing battle against insider trading and other financial malpractice, crimes which are inherently difficult to prove, SEBI could have aspirations to grow progressively more omnipresent. But as the agency’s breadth expands, citizen’s rights to privacy are simultaneously being curtailed. Ultimately, the value of preventing economic offense must be balanced with the value of the people’s rights to privacy.

[1]. 1992 Securities and Exchange Board of India Act, section 11, part 2(b).

[2]. 1992 Securities and Exchange Board of India Act, section 11, part 2(i).

[3]. “Sebi Finalising new Anti-money laundering guidelines,” The Times of India, June 16, 2013

http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms

[4]. International Principles on the Application of Human Rights to Communications Surveillance -http://www.necessaryandproportionate.net/#_edn1

[5]. “Sebi to soon to get Powers to Access Call Records,” Business Today, June 13, 2013

http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html

[6]. 1973 Criminal Procedure Code, Section 92 http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf

“Govt gives Sebi, RBI Access to Call Data Records,” The Times of India, June 14, 2013

http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary

[7]. 1992 Securities and Exchange Board of India Act, section 11C, part 8

[8]. 2002 Prevention of Money-Laundering Act, section 12

For more details visit https://cis-india.org/internet-governance/blog/sebi-and-communication-surveillance

Search and Seizure and the Right to Privacy in the Digital Age: A Comparison of US and India

divij — 2014-06-02T06:45:14Z

The development of information technology has transformed the way in which individuals make everyday transactions and communicate with the world around us. These interactions and transactions are recorded and stored – constantly available for access by the individual and the company through which the service was used.

For example, the ubiquitous smartphone, above and beyond a communication device, is a device which can maintain a complete record of the communications data, photos, videos and documents, and a multitude of other deeply personal information, like application data which includes location tracking, or financial data of the user. As computers and phones increasingly allow us to keep massive amounts of personal information accessible at the touch of a button or screen (a standard smartphone can hold anything between 500 MB to 64 GB of data), the increasing reliance on computers as information-silos also exponentially increases the harms associated with the loss of control over such devices and the information they contain. This vulnerability is especially visceral in the backdrop of law enforcement and the use of coercive state power to maintain security, juxtaposed with the individual’s right to secure their privacy.

American Law - The Fourth Amendment Protection against Unreasonable Search and Seizure

The right to conduct a search and seizure of persons or places is an essential part of investigation and the criminal justice system. The societal interest in maintaining security is an overwhelming consideration which gives the state a restricted mandate to do all things necessary to keep law and order, which includes acquiring all possible information for investigation of criminal activities, a restriction which is based on recognizing the perils of state-endorsed coercion and its implication on individual liberty. Digitally stored information, which is increasingly becoming a major site of investigative information, is thus essential in modern day investigation techniques. Further, specific crimes which have emerged out of the changing scenario, namely, crimes related to the internet, require investigation almost exclusively at the level of digital evidence. The role of courts and policy makers, then, is to balance the state’s mandate to procure information with the citizens’ right to protect it.

The scope of this mandate is what is currently being considered before the Supreme Court of the United States, which begun hearing arguments in the cases Riley v. California,[1] and United States v Wurie,[2]on the 29^th of April, 2014. At issue is the question of whether the police should be allowed to search the cell phones of individuals upon arrest, without obtaining a specific warrant for such search. The cases concern instances where the accused was arrested on account of a minor infraction and a warrantless search was conducted, which included the search of cell phones in their possession. The information revealed in the phones ultimately led to the evidence of further crimes and the conviction of the accused of graver crimes. The appeal is for a suppression of the evidence so obtained, on grounds that the search violates the Fourth Amendment of the American Constitution. Although there have been a plethora of conflicting decisions by various lower courts (including the judgements in Wurie and Riley),[3] the Federal Supreme Court will be for the first time deciding upon the issue of whether cell phone searches should require a higher burden under the Fourth Amendment.

At the core of the issue are considerations of individual privacy and the right to limit the state’s interference in private matters. The fourth amendment in the Constitution of the United States expressly grants protection against unreasonable searches and seizure,[4]however, without a clear definition of what is unreasonable, it has been left to the courts to interpret situations in which the right to non-interference would trump the interests of obtaining information in every case, leading to vast and varied jurisprudence on the issue. The jurisprudence stems from the wide fourth amendment protection against unreasonable government interference, where the rule is generally that any warrantless search is unreasonable, unless covered by certain exceptions. The standard for the protection under the Fourth Amendment is a subjective standard, which is determined as per the state of the bind of the individual, rather than any objective qualifiers such as physical location; and extends to all situations where individuals have a reasonable expectation of privacy, i.e., situations where individuals can legitimately expect privacy, which is a subjective test, not purely dependent upon the physical space being searched.[5]

Therefore, the requirement of reasonableness is generally only fulfilled when a search is conducted subsequent to obtaining a warrant from a neutral magistrate, by demonstrating probable cause to believe that evidence of any unlawful activity would be found upon such search. A warrant is, therefore, an important limitation on the search powers of the police. Further, the protection excludes roving or general searches and requires particularity of the items to be searched. The restriction derives its power from the exclusionary rule, which bars evidence obtained through unreasonable search or seizure, obtained directly or through additional warrants based upon such evidence, from being used in subsequent prosecutions. However, there have evolved several exceptions to the general rule, which includes cases where the search takes place upon the lawful arrest of an accused, a practice which is justified by the possibility of hidden weapons upon the accused or of destruction of important evidence.[6]

The appeal, if successful, would provide an exception to the rule that any search upon lawful arrest is always reasonable, by creating a caveat for the search of computer devices like smartphones. If the court does so, it would be an important recognition of the fact that evolving technologies have transmuted the concept of privacy to beyond physical space, and legal rules and standards that applied to privacy even twenty years ago, are now anachronistic in an age where individuals can record their entire lives on an iPhone. Searching a person nowadays would not only lead to the recovery of calling cards or cigarettes, but phones and computers which can be the digital record of a person’s life, something which could not have been contemplated when the laws were drafted. Cell phone and computer searches are the equivalent of searches of thousands of documents, photos and personal records, and the expectation of privacy in such cases is much higher than in regular searches. Courts have already recognized that cell phones and laptop computers are objects in which the user may have a reasonable expectation of privacy by making them analogous to a “closed container” which the police cannot search and hence coming under the protection of the Fourth Amendment.[7]

On the other hand, cell phones and computers also hold data which could be instrumental in investigating criminal activity, and with technologies like remote wipes of computer data available, such data is always at the risk of destruction if delay is occurred upon the investigation. As per the oral arguments, being heard now, the Court seems to be carving out a specific principle applicable to new technologies. The Court is likely to introduce subtleties specific to the technology involved – for example, it may seek to develop different principles for smartphones (at issue in Riley) and the more basic kind of cell-phones (at issue in Wurie), or it may recognize that only certain kinds of information may be accessed,[8]or may even evolve a rule that would allow seizure, but not a search, of the cell phone before a search warrant can be obtained.[9] Recognizing that transformational technology needs to be reflected in technology-specific legal principles is an important step in maintaining a synchronisation between law and technology and the additional recognition of a higher threshold adopted for digital evidence and privacy would go a long way in securing digital privacy in the future.

Search and Seizure in India

Indian jurisprudence on privacy is a wide departure from that in the USA. Though it is difficult to strictly compartmentalize the many facets of the right to privacy, there is no express or implicit mention of such a right in the Indian Constitution. Although courts have also recognized the importance of procedural safeguards in protecting against unreasonable governmental interference, the recognition of the intrinsic right to privacy as non-interference, which may be different from the instrumental rights that criminal procedure seeks to protect (such as misuse of police power), is sorely lacking. The general law providing for the state’s power of search and seizure of evidence is found in the Code of Criminal Procedure, 1973.

Section 93 provides for the general procedure of search. Section 93 allows for a magistrate to issue a warrant for the search of any “document or thing”, including a warrant for general search of an area, where it believes it is required for the purpose of investigation. The particularity of the search warrant is not a requirement under S. 93(2), and hence a warrant may be for general or roving search of a place. Section 100, which further provides for the search of a closed place, includes certain safeguards such as the presence of witnesses and the requirement of a warrant before a police officer may be allowed ingress into the closed place. However, under S. 165 and S. 51 of the code, the requirements of a search warrant are exempted. S. 165 dispenses with the warrant requirement and provides for an officer in charge of a police station, or any other officer duly authorized by him, to conduct the search of any place as long as he has reasonable grounds to believe that such search would be for the purpose of an investigation and a belief that a search warrant cannot be obtained without undue delay. Further, the officer conducting such search must as far as possible note down the reasons for such belief in writing prior to conducting the search. Section 51 provides another express exception to the requirement of search warrants, by allowing the search of a person arrested lawfully provided that the arrested person may not or cannot be admitted to bail, and requires any such seized items to be written in a search memo. As long as these conditions are fulfilled, the police has an unqualified authority to search a person upon arrest. Therefore, where the arrestee can be admitted to bail as per the warrant, or, in cases of warrantless arrest, as per the law, the search and seizure of such person may not be regular, and the evidence so collected would be subject to greater scrutiny by the court. However, besides these minimal protections, there is no additional procedural protection of individual privacy, and the search powers of the police are extremely wide and discretionary. In fact, there is a specific absence of the exclusionary rule as a protection as well, which means that, unlike under the Fourth Amendment, the non-compliance with the procedural requirements of search would not by itself vitiate the proceedings or suppress the evidence so found, but would only amount to an irregularity which must be simply another factor considered in evaluating the evidence.[10]

The extent of the imputation of the Fourth Amendment protection against unreasonable governmental interference in the Indian constitution is also uncertain. A direct imputation of the Fourth Amendment into the Indian Constitution has been disregarded by the Supreme Court.[11]Though the allusions to the Fourth Amendment have mostly been invoked on facts where unreasonable intrusions into the homes of persons were challenged, the indirect imputation of the right to privacy into the right under Article 21 of the Constitution, invoking the right to privacy as a right to non-interference and a right to live with dignity, would suggest that the considerations for privacy under the Constitution are not merely objective, or physical, but depend on the subjective facts of the situation, i.e. its effect on the right to live with dignity (analogous to the reasonable expectation of privacy test laid down in Katz).[12] Further, the court has specifically struck down provisions for search and seizure which confer particularly wide and discretionary powers on the executive without judicial scrutiny, holding that searches must be subject to the doctrine of proportionality, and that a provision probable cause to effect any search.[13] The Fourth Amendment protection against unreasonable interference in private matters by the state is a useful standard to assess privacy, since it imputes a concept of privacy as an intrinsic right as well as an instrumental one, i.e. privacy as non-interference is a good in itself, notwithstanding the rights it helps achieve, like the freedom of movement or speech.

Regarding digital privacy in particular, Indian law and policy has failed to stand up to the challenges that new technologies pose to privacy and has in fact been regressive, by engaging in surveillance of communications and by allowing governmental access to digital records of online communications (including emails, website logs, etc.) without judicial scrutiny and accountability.[14] In an age of transformative technology and of privacy being placed at a much greater risk, laws which were once deemed reasonable are now completely inadequate in guaranteeing freedom and liberty as encapsulated by the right to privacy. The disparity is even more pronounced in cases of investigation of cyber-crimes which rely almost exclusively on digital evidence, such as those substantively enumerated under the Information Technology Act, but investigated under the general procedure laid down in the Code of Criminal Procedure, which is already mentioned. The procedures for investigation of cyber-crimes and the search and seizure of digital evidence require special consideration and must be brought in line with changing norms. Although S.69 and 69B lay down provisions for investigation of certain crimes,[15] which requires search upon an order by competent authority, i.e. the Secretary to the Department of IT in the Government of India, the powers of search and seizure are also present in several other rules, such as rule 3(9) of the Information Technology (Due diligence observed by intermediaries guidelines) Rules, 2011 which allows access to information from intermediaries by a simple written order by any agency or person who are lawfully authorised for investigative, protective, cyber security or intelligence activity; or under rule 6 of the draft Reasonable Security Practices Rules, 2011 framed under Section 43A of the Information Technology Act, where any government agency may, for the prevention, detection, investigation, prosecution, and punishment of offences, obtain any personal data from an intermediate “body corporate” which stores such data. The rules framed for investigation of digital evidence, therefore, do not inspire much confidence where safeguarding privacy is concerned. In the absence of specific guidelines or amendments to the procedures of search and seizure of digital evidence, the inadequacies of applying archaic standards leads to unreasonable intrusions of individual privacy and liberties – an incongruity which requires remedy by the courts and legislature of the country.

[1]. http://www.supremecourt.gov/oral_arguments/argument_transcripts/13-132_h315.pdf

[2]. http://www.supremecourt.gov/oral_arguments/argument_transcripts/13-212_86qd.pdf

[3]. In Wurie, the motion to supress was allowed, while in Riley it was denied. Also see US v Jacob Finley, US v Abel Flores-Lopez where the motion to suppress was denied.

[4]. The Fourth Amendment to the Constitution of the United States of America: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

[5]. Katz v United States, 389 U.S. 347, 352 (1967).

[6]. Stephen Saltzer, American Criminal Procedure

[7]. United States v Chan, 830 F. Supp. 531,534 (N.D. Cal. 1993).

[8]. A factor considered in US v Abel Flores-Lopez, where the court held that the search of call history in a cell phone did not constitute a sufficient infringement of privacy to require the burden of a warrant.

[9]. The decision in Smallwood v. Florida, No. SC11-1130, before the Florida Supreme Court, made such a distinction.

[10]. State Of Maharashtra v. Natwarlal Damodardas Soni, AIR 1980 SC 593; Radhakrishnan v State of UP, 1963 Supp. 1 S.C.R. 408

[11]. M.P. Sharma v Satish Chandra, AIR 1954 SC 300

[12]. Kharak Singh v State of UP, (1964) 1 SCR 332; Gobind v State of Madhya Pradesh, 1975 AIR 1378

[13]. District Registrar and Collector v. Canara Bank, AIR 2005 SC 186, which related to S.73 of the Andhra Pradesh Stamps Act which allowed ‘any person’ to enter into ‘any premises’ for the purpose of conducting a search.

[14]. S. 69 and 69B of the Information Technology (Amendment) Act, 2008.

[15]. Procedures and Safeguards for Monitoring and collecting traffic data or information rules 2009, available at http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009

For more details visit https://cis-india.org/internet-governance/blog/search-and-seizure-and-right-to-privacy-in-digital-age

Sean McDonald - Ebola: A Big Data Disaster

sumandro — 2016-04-21T09:57:26Z

We are proud to initiate the CIS Papers series with a fascinating exploration of humanitarian use of big data and its discontents by Sean McDonald, FrontlineSMS, in the context of utilisation of Call Detail Records for public health response during the Ebola crisis in Liberia. The paper highlights the absence of a dialogue around the significant legal risks posed by the collection, use, and international transfer of personally identifiable data and humanitarian information, and the grey areas around assumptions of public good. The paper calls for a critical discussion around the experimental nature of data modeling in emergency response due to mismanagement of information has been largely emphasized to protect the contours of human rights.

Read

Download the paper: PDF.

Preface

This study titled “Ebola: A Big Data Disaster” by Sean Martin McDonald, undertaken with support from the Open Society Foundation, Ford Foundation, and Media Democracy Fund, explores the use of Big Data in the form of Call Detail Record (CDR) data in humanitarian crisis.

It discusses the challenges of digital humanitarian coordination in health emergencies like the Ebola outbreak in West Africa, and the marked tension in the debate around experimentation with humanitarian technologies and the impact on privacy. McDonald’s research focuses on the two primary legal and human rights frameworks, privacy and property, to question the impact of unregulated use of CDR’s on human rights. It also highlights how the diffusion of data science to the realm of international development constitutes a genuine opportunity to bring powerful new tools to fight crisis and emergencies.

Analysing the risks of using CDRs to perform migration analysis and contact tracing without user consent, as well as the application of big data to disease surveillance is an important entry point into the debate around use of Big Data for development and humanitarian aid. The paper also raises crucial questions of legal significance about the access to information, the limitation of data sharing, and the concept of proportionality in privacy invasion in the public good. These issues hold great relevance in today's time where big data and its emerging role for development, involving its actual and potential uses as well as harms is under consideration across the world.

The paper highlights the absence of a dialogue around the significant legal risks posed by the collection, use, and international transfer of personally identifiable data and humanitarian information, and the grey areas around assumptions of public good. The paper calls for a critical discussion around the experimental nature of data modelling in emergency response due to mismanagement of information has been largely emphasized to protect the contours of human rights.

This study offers an important perspective for us at the Centre for Internet and Society, and our works on Privacy, Big Data, and Big Data for Development, and very productively articulates the risks of adopting solutions to issues important for development without taking into consideration legal implications and the larger impact on human rights. We look forward to continue to critically engage with issues raised by Big Data in the context of human rights and sustainable development, and bring together diverse perspectives on these issues.

- Elonnai Hickok, Policy Director, the Centre for Internet and Society

CIS Papers

The CIS Papers series publishes open access monographs and discussion pieces that critically contribute to the debates on digital technologies and society. It includes publication of new findings and observations, of work-in-progress, and of critical review of existing materials. These may be authored by researchers at or affiliated to CIS, by external researchers and practitioners, or by a group of discussants. CIS offers editorial support to the selected monographs and discussion pieces. The views expressed, however, are of the authors' alone.

For more details visit https://cis-india.org/papers/ebola-a-big-data-disaster

Scrap UID project, say people's organisations

praskrishna — 2011-04-02T12:26:57Z

The unique identification number project is executed without any legislative or parliamentary sanction.

Representatives of people's movements, mass organisations and institutions on Wednesday said the unique identification number (UID) project is being executed without any legislative or parliamentary sanction and demanded an end to it.

Sunil Abraham, executive director of the Centre for Internet and Society told press persons here that neither the launch of the UID project nor the constitution of the Unique Identification Authority of India (UIDAI) had any legislative sanction. Nothing is known of how the chairperson of the authority is selected, while the project proposes finger-printing of the entire population and storing of biometric and personal data of every person throughout his life and thereafter.

“Although the scheme is to only provide verification of identity, it is unclear what safeguards would prevent third parties from handling, sharing and utilising the data for any purpose,” he said. The UIDAI has agreed to use the services of foreign companies, their software and hardware. It appears that no thought has been give to the perils of placing in the hands of foreign companies data pertaining to the entire population of the country, Mr. Abraham felt. About the claims that the UID project will save crores of rupees by preventing misuse of various welfare schemes, Mr. Abraham questioned whether any feasibility study had been made in this regard.

The UID, the National Population Registry and the NATGRID, once combined and connected, pose grave concerns pertaining to civil liberties and fundamental rights.

Read the original article in the Hindu

For more details visit https://cis-india.org/news/Scrap-UID-project

SCOSTA and UID Comparison not Valid, says Finance Committee

elonnai — 2011-11-22T16:37:43Z

The Standing Committee on Finance Branch, Lok Sabha Secretariat has responded to the suggestions offered by CIS on the National Identification Authority of India, Bill 2010 and has requested it to mail its views by 14 October 2011.

On January 6, 2011, CIS had sent an open letter to the Parliamentary Finance Committee demonstrating how the Aadhaar biometric standard is weaker than the SCOSTA standard. The text of the reply is reproduced below.

Sir,

This is in response to one of the views/suggestions offered by CIS on the National Identification Authority of India Bill, 2010.

CIS View /Suggestion:

"Though the Aadhaar biometrics are useful for the de-duplication and identification of individuals, the Smart Card Operating System for Transport Application [(SCOSTA), developed by the National Informatics Centre in India)] standard is a more secure, structurally sound, and cost-effective approach to authentication of identity for India. Therefore, the Aadhaar biometric based authentication process should be replaced with a SCOSTA standard based authentication process."

In this regard, do you agree with the following view? If not, please justify.

"Comparison between SCOSTA and the UID project are not valid since SCOSTA is fundamentally a standard for smart card based authentication and does not work for the objectives of the unique id project.

The UID project follows a different approach and has multiple objectives — providing identity to residents of India, ensuring inclusion of poor and marginalized residents in order to enable access to benefits and services, eliminating the fakes, duplicates and ghost identities prevalent in other databases and provide a platform for authentication in a cost effective and accessible manner.

UIDAI is not issuing cards or smart cards. Cards can be issued by agencies that are providing services. UID authentication does not exclude smart cards — service providers can still choose to issue smart cards to their beneficiaries or customers if they want to."

You are requested to email your view by 14 October, 2011 positively.

Standing Committee on Finance Branch
Lok Sabha Secretariat

For more details visit https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid

Scared by a spoof? You’ve got to be kidding me!

praskrishna — 2012-06-05T05:24:09Z

Whether it is Mamata Banerjee's recent crackdown on a comic strip or the new legal guidelines that allow touchy readers to have objectionable content taken down, what you say online is under scrutiny. What, then, will happen to news satire websites?

The article by Dhamini Ratnam was published in the Times of India on June 3, 2012

"Meri site www.cartoonsagainstcorruption.com kabse band ho chuki hai (...) Humara sabse bada hathiyar humse chheena ja raha hai (...) Aaj chup rahe toh phir bolne ke liye zubaan bhi nahin bachegi." (My site www.cartoonsagainstcorruption.com has been shut down (...) Our biggest weapon is being taken away from us (...) If we remain silent, we won't be left with anything to articulate with").

That's the first thing you read on Kanpur-based blogger Aseem Trivedi's new site, www.cartoonsagainstcorruption.blogspot.in, on which he transferred all his satirical cartoons earlier this year, after he found that his website had been arbitrarily blocked based on a complaint lodged with the Mumbai Crime Branch last December.

In May, Trivedi went on a hunger strike. His point was simple. The police had no right to have his website taken down, under the Information Technology (Amendment) Act 2008, or even under the new Information Technology (intermediary guidelines) Rules, 2011. These rules came into effect last April, and give 36 hours to the intermediary (read Internet Service Provider) to take down content deemed 'objectionable'.

At the face of it, this may seem like a handing over of power to Internet users. But what does this hold out for news satire websites that routinely critique public figures, spoof politics and play an important role in raising public awareness through humour?

For one, in a surprising move, the editors are giving up being anonymous. Says Rahul Roushan, editor, Faking News, "I began this site under the pseudonym Pagal Patrakar in 2008. By the end of 2009, I didn't want to remain anonymous anymore."

Roushan, who is based in Gurgaon, felt readers weren't taking him seriously. "Unless there's a face to such sites, people will think you're spreading lies," says the 33-year-old former television news anchor. Yet, coming out wasn't a cakewalk. "A post I wrote about on the anti-people policy of Mr Thackeray received a comment that I am a Bihari, and therefore against Marathi manoos. Had he not known my name, the reader would never have written such a comment," says Roushan.

Yet, Roushan would rather have his readers - his blog gets 10 lakh page views a month - trust his judgement.

However, recent events, including Pashimbanga Chief Minister Mamata Banerjee's crackdown on a comic strip, and Union human resource development, communications and IT minister Kapil Sibal's suggestion to Internet giants to "regulate themselves" has left Roushan and other news satire website editors wary.The new IT guidelines, fears Roushan, will create an army of self-righteous people with "a lot of hurt sentiments".

"I'm scared of sentiments," he says, wryly.

T S Sudhir, editor of Tenali Rama Reports, a news spoof site that was started in September 2011, feels the trick to safeguard against such "sentiments" is to maintain a rigorous editorial policy. "No obscene, lewd or toilet humour," says the Hyderabadbased former journalist.

The recent fracas over Mamata's 'Maoist' concerns, for instance, elicited a light-hearted piece that said all dosa-eaters are Maoists, because 'mao' in Tamil means 'batter'. "India has a long-standing political tradition of satire, and readers are used to political cartoons with biting humour."

Mangalore-based political cartoonist Satish Acharya, however, has faced the brunt for his biting humour. In September 2011, a Mumbai Crime Branch officer asked him to take down a cartoon depicting Sharad Pawar in a red gown that Acharya had posted on his blog, after it was published in a Mumbaibased tabloid. "In political cartoons, what is the yardstick to measure what is objectionable," asks Acharya. "Can a policeman decide whether a political cartoon is objectionable and have it taken down?"

Programme manager at The Centre for Internet and Society, Bengaluru, Pranesh Prakash has a one word reply: No. Together with his teammates, Prakash is working on a set of guidelines that counters the Intermediary Rules and offers checks and balances without trampling on fundamental rights. For instance, says Prakash, after a complaint is made, the content owner - say the website editor, or cartoonist - should be allowed to reply. If the problem persists, the complainant can go to court.

If cartoons are an effective vehicle of critique online, so are videos. The UnReal Times, run by New Delhi-based IIM graduates C S Krishna and Karthik Laxman, shot to online fame last year after they released a video depicting the Prime Minister as Singham, the heroic character played by Ajay Devgn in a film.

"The best sort of satire," says Krishna, "is when you can't prove in the court of law that the piece is insulting." Krishna and Laxman, who do policy research work for BJP MP Uday Singh, insist that they are not card-holders for the party, and have taken pot-shots at the BJP, too. "Since political satire focuses on mocking the establishment, the UPA government is the subject of most our (satirical) pieces on politics," says Krishna. Tanay Sukumar, editor of News That Matters Not, feels that the content should be directed at a problematic policy, not person. Engineering students Sukumar and Sugandha, who founded the site in 2009, feel that a satirist needs to distinguish between what is necessary and what isn't. "Portraying a political figure using sexual innuendo might be funny for several readers, but would be "unnecessary" in most cases. Our job is to to critique governance." In the case of a crackdown, however, they are clear about what they'd do: they'll take down the 'offending' piece, and then write about having done so. "We will not offend them; we will wear them out," they say.

Want to start a news satire website? here's how:

Have a disclaimer page. Apologise in advance for "hurt sentiments", offer readers a chance to get in touch with you directly for redressal, explain why you're using satire as a tool to critique. If your ISP is asked to remove content, the current IT guidelines are such that they would need to obey. However, since the law doesn't require ISPs to keep track of content that has been removed, make noise about it. There'll be enough people online who will fight for your freedom of expression. Study satire - it's an effective tool - but learn to distinguish it from slander and falsehood. Keep the post grounded in a real event or phenomenon. Critique the agenda, not the person. Consult an IT lawyer if you are in doubt about a piece. It's always good to know your legal argument beforehand.

Pranesh Prakash is quoted in this article.

For more details visit https://cis-india.org/news/scared-by-a-spoof

SC seeks govt reply on PIL challenging powers of IT Act

praskrishna — 2014-09-08T04:45:51Z

Section 66A of the IT Act punishes sending offensive messages through communication services, including posts on social media websites like Facebook.

The article by Shreeja Sen was published in Livemint on August 30, 2014. Leslie D’Monte contributed to this story. Sunil Abraham gave his inputs.

The Supreme Court on Friday asked for the central government’s response in a writ petition filed by Internet and Mobile Association of India (IAMAI) challenging the arbitrary powers that the Information Technology (IT) Act confers on the government to remove user-generated content.

This is not the first time that the amended provisions of the IT Act 2000 and the IT (Intermediaries Guidelines) Rules, 2011 have been challenged. The rules were released by the government in April 2011, and laid down detailed procedures for regulation of intermediaries and online content.

A bench of justices J. Chelameswar and A.K. Sikri, while issuing notice to the central government, tagged the cases with others of a similar nature, including ones by MouthShut.com, a consumer review website, and Shreya Singhal, a public interest litigant who challenged the constitutionality of Section 66A in support of Shaheen Dhada, who was arrested for criticizing the shutdown of Mumbai after the death of Shiv Sena supremo Bal Thackeray in 2012. Section 66A of the IT Act punishes sending offensive messages through communication services, including posts on social media websites like Facebook.

“We’re very happy at MouthShut that IAMAI decided to take a stand regarding this,” said Faisal Farooqui, chief executive officer of MouthShut.com.

The petition, which runs into 1,100 pages according to those familiar with the case, seeks to challenge Section 79(3)(b) of the Information Technology Act. The section holds an Internet service provider (ISP) responsible for content which may be unlawful, published by third parties (not the ISPs) when they’ve been intimated by the government. It takes away the safe harbour rule, which protects ISPs from being sued because of third party actions.

According to a statement by IAMAI, the industry lobby approached the apex court for “objective interpretation of the laws”. Referring to the court agreeing to hear the petition, the statement said, “This admission today allows the industry an opportunity to argue for a clear Safe Harbour Provision for the intermediaries, which is an essential pre-condition of a thriving digital content business.”

“In my view, the court may be sympathetic to this particular situation because there is a body of research and evidence that demonstrates that the private censorship regime instituted by Section 79A that places unconstitutional limits of freedom of speech and expression,” said Sunil Abraham, executive director of the Centre for Internet and Society (CIS), India, a non-profit organization involved with research in freedom of expression, privacy and open access to literature.

On 27 April 2012, CIS-India had released a paper which, among other things, listed why the IT Rules 2011 could have a “chilling” effect on intermediaries. No much has changed since. The paper argued that not all intermediaries have sufficient legal competence or resources (or the willingness to devote such legal resources) to deliberate on the legality of an expression, as a result of which, intermediaries have a tendency to err on the side of caution. It also pointed out that the qualifications and due diligence requirements of different classes of intermediaries have not been clearly defined in the Rules resulting in uncertainty in the steps to be followed by the intermediary. It noted that depending on the nature of a service, it may be technically unfeasible for an intermediary to comply with the takedown within 36 hours.

“The chilling effect can primarily be attributed to the requirement for private intermediaries to perform subjective judicial determination in the course of administering the takedown. From the responses to the takedown notices, it is apparent that not all intermediaries have sufficient legal competence or resources to deliberate on the legality of an expression, as a result of which, such intermediaries have a tendency to err on the side of caution and chill legitimate expressions in order to limit their liability,” the paper said.

Another privacy lobby body, SFLC.in, had submitted feedback to the government when the draft IT Rules were put up for consultation but said that “when the final Rules were notified we found that most of our concerns were not addressed and that the Rules exceeded the scope of the parent act”.

In a July paper, SFLC.in reiterated that “Words and phrases like grossly harmful, harassing, blasphemous, disparaging and “harm minors in any way” are not defined in these Rules or in the Act or in any other legislation. These ambiguous words make the Rules susceptible to misuse…(and have a) chilling effect on free speech rights of users by making them too cautious about the content they post and byforcing them to self-censor…As technology evolves at a fast pace, the law should not be found wanting. The law should be an enabling factor that ensures that citizens enjoy their right to freedom of speech and expression without any hindrance. India, being the largest democracy in the world should lead the world in ensuring that the citizens enjoy the right to express themselves freely online.”

SFLC.in is a donor-supported legal services organization that brings together lawyers, policy analysts, technologists, and students.

According to a March study commissioned by the Global Network Initiative, a multistakeholder group of companies, civil society organizations, investors, and academics and conducted by Copenhagen Economics, an economic consultancy, the GDP contribution of online intermediaries may increase to more than 1.3 % ($ 241 billion) by 2015, provided the current liability regime is improved.

In another development, hearing a petition asking to take down pornographic website, the court deemed it fit to send it to an advisory committee that has been set up under Section 88 of the Information Technology Act. The petition, filed by lawyer Kamlesh Vaswani in 2013, asked for a direction to the central government to block pornography websites, platforms, links or downloading. Speaking to reporters, Vaswani’s lawyer Vijay Panjwani said, “as on date, there are 4 crore pornographic websites. For 18 months, the government has not blocked them.”

The central government informed the committee was considering several options to address the issue of including methods used in the US and UK. This case was being heard by a three-judge bench headed by the chief justice of India R.M. Lodha, who said that to address these technological issues, a “synthesis of law, technology and governance is required.”

For more details visit https://cis-india.org/internet-governance/news/livemint-august-30-2014-shreeja-sen-sc-seeks-govt-reply-on-pil-challenging-powers-of-it-act

SC reserves judgement in cases against Section 66A

praskrishna — 2015-03-08T15:08:00Z

The verdict will have far reaching consequences on civil liberties and right to freedom of speech on the Internet.

The article by Shreeja Sen was published in Livemint on February 26, 2015. Pranesh Prakash is quoted.

The Supreme Court on Thursday reserved its judgment in cases involving multiple challenges to certain provisions of the Information Technology Act, 2000, and so-called guidelines for intermediaries.

The verdict will have far reaching consequences on civil liberties and right to freedom of speech on the Internet. One of the cases is a public interest litigation filed by Shreya Singhal, after two Mumbai-based girls were arrested for criticising on a social media platform the city’s shutdown following the death of Shiv Sena leader Bal Thackeray.

A bench of justices J. Chelameswar and Rohinton F. Nariman has heard 10 cases in all that challenge Section 66A (which punishes sending offensive messages through a communication service), intermediary guidelines under Section 79 of the IT Act, and Section 69A, which allows the central government to block “information” for “public access” over a “computer resource” if the same is “in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign states or public order or for preventing incitement”.

In the court, the government, which made it clear it was not taking an adversarial position, said through additional solicitor general Tushar Mehta that the laws had to interpreted in a way so that they would serve the purpose it was meant for without jeopardising free speech. Some of the petitioners claimed that Section 66A definitely infringes on the right to free speech. “I can’t presume to know the minds of the judges and I will not do so.

But I find it very disappointing that the Narendra Modi government with ministers like Arun Jaitley, who had argued against Section 66A and the intermediary guidelines under Section 79, are now defending them,” said Pranesh Prakash, policy director at think-tank Centre for Internet Society.

“Second, that given the line of questioning the court has taken, the arguments adduced in court and based on our research on 66A, 69A and intermediary guideline rules under 79, which ought to be called Internet censorship rules according to me, it is amply clear that these provisions are unconstitutional.” Ideally, Prakash said, the government should redraft the law, with inputs from legal experts, academics, civil society organizations and technologists.

For more details visit https://cis-india.org/internet-governance/news/livemint-shreeja-sen-february-26-2015-sc-reserves-judgment-in-cases-against-section-66a

SC has set a high threshold for tolerance: Lawrence Liang

praskrishna — 2015-03-28T16:18:18Z

Lawyer-activist Lawrence Liang on why SC upheld section 69A and the implications of striking down section 66A.

The article by Dhamini Ratnam was published in Livemint on March 28, 2015. Lawrence Liang gave his inputs.

Tuesday marked a landmark in the fight for free speech in our country, as the Supreme Court struck down the contentious section 66A of the Information Technology Act of 2000. The section, which was introduced through an amendment in 2009, penalized those who wrote messages online that could be deemed as being false or grossly offensive. However, the apex court turned down a plea to strike down sections 69A (procedure for blocking websites) and 79 (exemption from liability of intermediaries) of the same law. Lawrence Liang, a lawyer who co-founded the Alternative Law Forum in Bengaluru, a fellow at the Centre for Internet and Society, and author of The Public is Watching: Sex, Laws and Videotape and A Guide to Open Content Licenses, spoke in an interview on the wide-ranging implications of the judgement. Edited excerpts:

What was the impetus to fight section 66A?

Over the past few years, there have been numerous cases in which section 66A has been used in bad faith against individuals online. One of the cases that became well-known by virtue of just how ridiculous it was involved the arrest of Shaheen Dhada and her friend Renu Srinivasan (which led petitioner Shreya Singhal to file a public interest litigation in the Supreme Court that eventually led to this judgement), but there have been more, so it was inevitable that a law as draconian as section 66A would be challenged for its constitutional validity.

The judgement begins by noting a distinction between three forms of speech—discussion, advocacy and incitement—and says discussion and advocacy of a particular cause, howsoever unpopular, is at the heart of Article 19(1)(a) of the Constitution (all citizens shall have the right to freedom of speech and expression). Only when they reach the level of incitement can they be legitimately prohibited. While the judgement does not provide a new definition of incitement, it affirms what was laid down in the Rangarajan test (1989), in which the courts had established that for censorship to be justified, the “expression of thought should be intrinsically dangerous to the public interest”. There should be an immediate and direct relation between speech and effect.

The court said that section 66A is “cast so widely that virtually any opinion on any subject would be covered by it, as any serious opinion dissenting with the mores of the day would be caught within its net”. The courts have also historically held that Article 19(1)(a) is as much about the right to receive information as it is to disseminate, and when there is a chilling effect on speech, it also violates the right to receive information. However, I would say that the court missed an opportunity to consider the blocking of websites under section 69A.

Why did the court uphold section 69A, and which other parts of the IT Act did it examine?

If section 66A was found to be arbitrary, then the procedure for blocking websites, as laid out in section 69A, is also beset with similar problems. The court, however, upheld this section and the rules under the IT Act on the grounds that there are internal safeguards and reasonable procedures. This section allows the government to block any site or information that violates Article 19(2) of the Constitution (which enables the legislature to impose certain restrictions on free speech).

The problem is that often there is no hearing or notice given to the owner of information, there is no transparency since blocks can happen on a confidential basis and these can have serious implications for the right to receive information.

The court read down section 79, which used to provide an intermediary exemption from liability with the exception that if it received “actual knowledge” of any illegal content, it was obliged to act within 36 hours. A study by the Centre for Internet and Society showed that even on sending frivolous takedown notices, intermediaries tended to comply to be on the safe side. The court’s decision has read down section 79 now to mean that “actual knowledge” means either an order of a court or the government. It moves it away from a subjective determination by intermediaries.

The court could have, like it did with section 79, retained section 66A while clarifying a procedure that would maintain a balance between the need sometimes to block and public interest, and transparency.

What does the judgement open up for the free speech debate?

The judgement speaks of chilling effects, because if one is not careful, one runs the risk of endangering political discourse through self-censorship. This is terrible for a democratic culture, which is premised on the ability to debate and dissent. Much of the use of section 66A has been politically motivated to silence criticism, and the judgement goes a long way towards promoting a culture of critique.

As the first major Supreme Court case on free speech in the 21st century, it sets the tone on how we think of free speech in a context where every individual with a smartphone is potentially a writer, a publisher and a distributor. By setting a high threshold for what is tolerated in online speech, it ensures that the online space is not doomed to be infantilized.

What position must the law take to protect rights and minority identities?

I think it is important to distinguish between different effects of speech. The court has merely reaffirmed a position that has been held in India for a long time (such as through the Ram Manohar Lohia judgement of 1960, which interpreted what “restriction made in the interests of public order” in Article 19(2) means). In other words, if someone is inciting violence, especially if they have the power to effect such violence (such as a politician), then their speech can be regulated, but the court also held that the idea of threat to public order is often imaginary.

For instance, in what way would Shaheen Dhada’s post on Facebook have incited violence? (In November 2012, Dhada, then a student and based in Palghar, Maharashtra, had written a post on Facebook commenting on the state of shutdown that followed politician Bal Thackeray’s death. Her comment was liked by her friend Srinivasan, and both of them were charged under section 66A.) So, the court is distinguishing between speech that is critical and speech that is dangerous. There are laws that deal with the latter, such as 153A and 295A of the IPC (Indian Penal Code).

It must be noted, however, that provisions also suffer from the same vice of vagueness. What we need is a more nuanced understanding of hate speech that addresses speech that incites violence or hatred against a community, but one in which the test is not of subjective hurt sentiment. The problem with hate speech laws is that they collapse questions of law and order with questions of subjective hurt, and we run the risk of becoming a republic of hurt sentiments where anyone can claim that their sentiments are hurt, especially their religious sentiments.

What happens to existing cases that are being tried under section 66A, such as the one against the organizers and participants of the All India Bakchod Roast?

Court judgements do not necessarily have retrospective effect, so cases that have been filed will continue. We must also remember that the cases filed under section 66A were also accompanied by other provisions. Of course, a judgement as significant as this, which completely delegitimizes section 66A, will have a profound impact on the ongoing cases insofar as they relate to the offence under the section, but the other charges remain.

For more details visit https://cis-india.org/internet-governance/news/livemint-dhamini-ratnam-march-28-2015-sc-has-set-a-high-threshold-for-tolerance

SC directs govt to further regulate social media: Is it necessary? Experts weigh in

Geetika Mantri — 2019-09-30T14:28:10Z

With the SC's directive to the Indian government for further regulation of social media, TNM asked experts what were the challenges associated with the same.

The article by Geetika Mantri was published in the News Minute on September 28, 2019. Pranesh Prakash was quoted.

The Supreme Court recently expressed the need to regulate social media to curb fake news, defamation and trolling. It also asked the Union government to come up with guidelines to prevent misuse of social media while protecting users’ privacy in three weeks’ time.

The apex court made these statements while hearing a transfer petition by Facebook which has asked for petitions on regulation of social media filed in Madras, Bombay and Madhya Pradesh High Courts on similar issues to be transferred to the SC so that the scope can be expanded.

In India, social media platforms already come under the purview of the Information Technology (IT) Act, the ‘intermediaries guidelines’ that were notified under the IT Act in 2011 and the Indian Penal Code.

With the SC's directive to the Indian government for further regulation of social media, TNM asked experts what were the challenges associated with the same.

Existing regulations and misuse

Executive Director of the Internet Freedom Foundation (which is also an intervenor in the above case in SC) and lawyer Apar Gupta points out that under existing laws, social media channels are already required to take down content if they are directed to do so by a court or law enforcement.

There are also reporting mechanisms on these platforms, where they exercise discretion to ascertain whether a reported post is violating community guidelines and needs to be taken down. These, however, have been reported to be arbitrary – many posts on body positivity and menstruation, for instance, have been taken down in the past while other explicit imagery continues to be allowed.

“But it’s necessary to have minimum legal standards that need to be fulfilled to compel such take-downs on social media. If platforms had to take down posts based on individual complaints, it could result in many frivolous take-downs. Free speech should be the norm, and removal of content, the exception,” Apar argues.

IT consultant Kiran Chandra says that many of the existing regulations themselves are “dangerously close to censorship and may have a chilling effect on freedom of speech, which is why cases are being fought on those in courts.”

Even under existing regulations, there is scope for misuse - which has also been documented in the past - to curb dissent.

“One of the key problems of a lot of regulatory measures is the vagueness of language which is exploited by state agencies to behave in a repressive way,” Kiran says. “Any regulation has to be clear and concrete so that there is no scope for overreach."

Much of fake news is driven by politics

Fake news isn't exactly new, but its proliferation and extent have expanded manifold with social media.

Srinivas Kodali, an independent security researcher, says that it is not as though governments do not know where a good portion of fake news is coming from. “Most political parties have IT cells that dedicatedly work on creating and spreading fake news. But what is the Election Commission or anyone else doing to stop that?” he questions.

Kiran points out that this machinery exists with a view to gain electoral dividends. “There can be no countering fake news without taking on these structures and the political forces behind them,” he says.

He adds that social media giants also need to take responsibility. “Currently, considering the role social media companies play in the society, they are doing almost nothing [about fake news]. In fact, virality - and a lot of fake news tends to be viral - is the basis of the business model of many social media companies, including Facebook, and WhatsApp, which it owns. At the very least, these companies need to dedicate far more resources, and must provide more transparency into their functioning if any dent has to be made in countering fake news.”

Kiran also says that there is a need to support websites that bust fake news, and make people more aware of the need to verify news.

Defamation and online harassment

Experts say that when it comes to the SC’s observation that there should be redressal mechanisms for someone who has been ‘defamed’ on social media, the recourse is pretty clear-cut.

Pranesh Prakash, a fellow at the Centre for Internet and Society, says, “If it concerns defamation, it is very likely that the victim knows where the defamatory post has come from. Even if it is not an original message, the defamation law does not require you to find out the origin of such a message. Anyone who has put it, forwarded it, is liable.”

That being said, it is the social media giants that need to pick up the slack when it comes to dealing with targeted harassment and online bullying.

It has been reported earlier that Facebook, due to its lack of understanding of the Indian context as well as diversity, often fails in effectively removing hate speech from the platform in India. Facebook's community guidelines are unavailable in several Indian languages too.

Kiran says that while there already exist legal provisions for dealing with offensive speech, the problem is that they are either misused or underused. “Critics of the government get hit with these cases unreasonably while many who engage in hate speech and abuse are followed by the most powerful people in the country. Here again, social media firms need to massively increase the resources they spend on weeding out such content.”

Privacy and surveillance concerns

Any conversation on additional regulation of social media brings up concerns about privacy and surveillance.

Apar says if regulators want easy access to user information for curbing misuse, spread of fake news and the like, it would require online platforms to modify their products to increase surveillance - to have exact details about who said what, when and about whom. “This is why it’s important for legal standards and conditions for accessing user information to be followed. Government also needs to become more accountable on what information on users they are demanding from social media companies.”

Kiran cautions that “any bid at regulating expression online has to be proportional and concrete with adequate redressal mechanisms and without any blanket provisions.”

“We need strong data protection and privacy laws which restrict the scope of these companies and reduce their footprint online,” he adds, referring, for instance to Facebook's monopoly - the company also owns Instagram. “Similarly, the role they play in elections and political processes as a whole, needs to be checked.”

Srinivas points out that ultimately, social media is a reflection of what is happening in the society: “If there is no rule of law offline, it won’t be there online.”

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-geetika-mantri-september-28-2019-sc-directs-govt-to-further-regulate-social-media

Say 'Password' in Hindi

nishant — 2012-03-21T09:18:19Z

English might be the language of the online world, but it’s time other languages had their say, writes Nishant Shah. The article was published in the Indian Express on June 5, 2011.

On skype the other day, a friend narrated an incident that made the otherwise familiar terrains of the internet, uncanny. His grandmother, who had recently acquired a taste for Facebook, had signed off on a message saying “Love, Granny”. For people of the xoxo generation, this sounds commonplace, in fact it might even be archaic. However, for my friend, who had never thought of his emotions for his grandmother as “love”, it produced a moment of sheer strangeness.

In Gujarati, it would have been silly to think of your emotions for family as “love”. There are better nuances. The emotional connect between lovers is different from the affective relationship with parents. The fondness for siblings is different from the bond with friends. And it was unnerving, for him, to have this range of emotions suddenly condensed into “love”. Like many of us polyglots who work in the rapidly digitising world of the World Wide Web, he was experiencing the gap between the mother tongue and the other tongue. It is an experience that is quite common to non-native speakers of English, who have to succumb to de facto English language usage on the global web and often find themselves at sea about how to translate emotions, histories and experiences into a language which does not always accommodate them.

This experience only becomes more intense for people who are fluent neither in the English language nor in international online English. This question of localisation of language remains one of the biggest gating factors of the internet. It also remains, after literacy and skills, the biggest impediment to including people from non-mainstream geopolitics in discussions online. Several global linguistic majorities have dealt with this by producing different language webs. Spanish, Chinese, Japanese and German are among the largest non-English language internets which are in operation now. However, in post-colonial countries like India, where linguistic diversity is the order of the day, the efforts at localisation have been sporadic and not very popular.

There are many facets to the implementation of localisation practices. It requires developing local language fonts so that people don’t have to merely transliterate local words using an English language script. These fonts further need to be made translatable into other languages, identified by machine translations. Keyboards and hardware infrastructure, which grants ease of access to the users need to be built. Tool kits to de-Anglify the computer language, code, browser signs etc. are being developed. There are many attempts being made by public and private bodies in the country to produce this ecology of localisation, both at the level of hardware and software.

And yet, adoption of localisation tools, despite a growing non-urban user base, remains low. Most people engage with the digital and online services through English, even though their fluency with the language might be low. One of the reasons why localisation of Indic language content is facing so much resistance is because of a narrow understanding of localisation as linguistic translation. Most attempts at localisation in the country merely think of translating English terms like “browser”, “code”, or “password” into the regional languages. In many instances, the term is merely rewritten in the local script.

Such an approach to localisation ignores the fact that the language of technology does not only produce new expressions and words, but also new ways of thinking. While localising the English language content, care also has to be given to translating the contexts, which the words and phrases carry. Do a simple exercise. Take the word “Password”. Try and translate this into your local language so that it makes complete sense to a native speaker. You will realise that just saying “Password” doesn’t mean much and that it requires background information to make that word intelligible to a community.

The second is that localisation is not merely about giving rights to generate content online. While the Web 2.0 wave of user-generated content is ruling the internet now, we must realise that most people come online to consume as much, if not more than, what they generate. Policies that promote local language information production, translation projects etc. need to be in place so that the minimum threshold of information is available online in languages other than English. Government documents, state records, public artifacts, etc. need to be digitised and made available in local languages so that people can access data online.

Localisation is not only about language and translations. It is about changing the top-down approach; instead of forcing existing concepts on to material realities which don’t always fit them, it is time to see that the true power of digital technologies is in building bottom-up models where everyday practice can be captured through localised vocabularies that allow for users to say, “I love you,” to anybody, in a language, and meaning that makes sense to them.

Read the original here

For more details visit https://cis-india.org/internet-governance/blog/password-in-hindi

Saving privacy as we knew it

praskrishna — 2013-10-29T05:01:25Z

Long overdue protection law still on the back-burner; meanwhile, depts put more of one's personal details online.

The article by Surabhi Agarwal and Somesh Jha was published in the Business Standard on October 29, 2013. Sunil Abraham is quoted.

It was in 2010 when the central government decided to institute a legal framework on privacy. This was in the wake of increasing data collection by both government and corporate agencies. Concerns had mounted in the wake of projects such as the National Population Register, Aadhaar and the National Intelligence Grid.

Over three years and hundreds of consultations later, several drafts of the proposed Bill were written and rejected, and at least two committees have given recommendations. However, the law has not seen the light of day. Meanwhile, citizen data digitisation is moving at a pace like never before in the country.

Business Standard had reported on October 28 about how an investigation revealed that several states and central departments might be, unwittingly, following a bare-it-all approach in posting citizen data online in order to push the government's agenda of greater transparency and accountability. While the Centre's National Rural Employment Guarantee Scheme puts out full bank account numbers of its beneficiaries, government website of Uttar Pradesh has put out full details of ration card holders, including annual income along with address and information about members of the family. By putting such sensitive information online, the government could be jeopardising the privacy of its 1.2 billion citizens, who stand exposed to a variety of risks, including those of 360-degree profiling and financial frauds. (INFORMATION DELUGE)

According to government officials, the department of personnel and training has finished compiling the final draft of the privacy legislation, now awaiting approval from the prime minister; the department is under him.

"In the absence of a privacy Bill, the only data protection, pseudo, is through Section 43A of the Information Technology (IT) Act. Unfortunately, that is not a data protection law; it is only a data security provision," said Sunil Abraham, executive director of the Centre for Internet and Society.

Pavan Duggal, a Supreme Court lawyer and cyber security expert, said India needs more security while collecting data and "currently a lot of these websites don't have these security layers". Take for instance, the website of the chief electoral officer of New Delhi. Type a person's first or last name and select the constituency - the website throws up the details of all people with this name, along with all the details such as address and voter identity number. According to officials of the Election Commission, the searchability feature helps in easy access of voter details by people themselves or by interested political parties. "There has been no evidence to prove its use otherwise," an official of the EC told Business Standard.

However, experts said otherwise. Abraham said the electronic version of the electoral roll has a unique identifier, the voter ID number. "And, if there are other databases with the same identifier, a comprehensive profile of a citizen can be created." He added, at the moment, we are saved from 360-degree profiling to some extent, since there is no common identifier.

Once a privacy law comes into being, the government or a private agency will have to adequately inform citizens before collecting data, stating the reasons and only collecting as much information as is necessary for the purpose. It will also have to clearly define the time period for which the data will be stored and the security measures taken to protect it from misuse. The law also lays down the penalties in case of a breach.

Though in a less detailed manner, the current IT Act also addresses some of these issues. It defines anything which reveals financial information, biometric, health and medical records, etc, as sensitive financial information which cannot be put in the public domain.

However, experts said the government is lax in even enforcing the existing laws. To be fair, some states and departments have started being prudent about the data they put online. For instance, the state government of Chhattisgarh, a trend setter in effectively implementing the Public Distribution System, doesn't reveal much in terms of citizen information that can identify a person or can be termed as a breach of privacy. Similarly, Odisha and some northeastern states have put in a layer of security which creates some deterrents while using common keywords to search the electoral roll and create a profile of residents in a particular locality.

However, for now, most departments stuck in the tradeoff between privacy and transparency find solace in pointing fingers at contemporaries who might have also put "more sensitive and dangerous" citizen details online. The blame game doesn't end.

For more details visit https://cis-india.org/news/business-standard-october-29-2013-surabhi-agarwal-somesh-jha-saving-privacy-as-we-knew-it

Save Your Voice — A movement against Web censorship

praskrishna — 2012-03-13T11:44:27Z

‘Save Your Voice (SYV)’ is a movement against Web censorship and its main demand is the repealing of the Information Technology Act, said SYV founders, Aseem Trividi, a cartoonist, and Alok Dixit, a journalist, on Monday.

DNA Correspondent covered a press conference held on March 12, 2012 in Bangalore. Sunil Abraham was quoted in the story.

Trivedi’s website — www.cartoonistagainstcorruption.com — was banned during Anna Hazare’s movement. Trivedi said: “Mumbai police banned the website without any prior notice and cases of ‘treason’ were also filed. The website was banned without a judicial order and I haven’t received an explanation about the crime committed.”

Sunil Abraham, executive director, Centre for Internet and Society, said the private sector does not protect the freedom of expression.

Read the original published by Daily News & Analysis on March 13, 2012

For more details visit https://cis-india.org/news/save-your-voice-2014-a-movement-against-web-censorship

Salient Points in the Aadhaar Bill and Concerns

Amber Sinha and Elonnai Hickok — 2016-03-21T04:37:48Z

Since the release of the Aadhaar Bill, the Centre for Internet and Society has been writing a number of posts analyzing the Bill and calling out problematic areas and the implications of the same. This post is meant to contribute to this growing body of writing and call out our major concerns with the Bill.

Use of Aadhaar Number

What the Bill says:

Used to establish identity: The Aadhaar number can be used by any government or private agency to validate a person’s identity for any lawful purpose, but it cannot be used as a proof of citizenship. (Sections 4, 6, and 57)
Mandatory for access to government services: The government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service whose expenditure is incurred from the Consolidated Fund of India.
Those without a number, must apply for one: If someone attempting to access an applicable service does not have an Aadhaar number, he/she should make an application for enrolment, and will be allowed to use an alternative method of identification in the meantime. (Section 7)
Open to use by public and private bodies: The Bill does not prevent the use of Aadhaar number to establish identity for other lawful purposes by the State or other private bodies. (Section 57)

Concerns:

Aadhaar is not voluntary: Section 7 makes its mandatory to have an Aadhaar number to access services, subsidies and benefits, and stipulates that in case one does not have the Aadhaar number they must apply for it. This is counter to the repeated claims about Aadhaar being purely voluntary, and the Supreme Court order dated August 11, 2015 which prevents making Aadhaar mandatory, barring a few specified services. The Bill does not limit mandatory use of Aadhaar to those services, and leaves the door open for the government to route more benefits, subsidies and services through the Consolidated Fund of India and expand the scope of Aadhaar.
There are limited and unclear alternatives: While there is a proviso in the Act which speaks for “viable and alternative” means of identification where Aadhaar number is not issued, the language is not clear and speaks of cases where Aadhaar “is not assigned” rather than simply stating that it is applicable to anyone who does not have an Aadhaar number.
There is a conflict in the objects and actual scope of the Bill: There is a conflict between the objects of the Bill which is stated as identification of individuals for targeted delivery of entitlements and Section 57 which allows all entities, public or private, to use the Aadhaar number for authentication.

Enrollment Process

What the Bill says:

Enrolling agencies must provide notice: At the time of enrollment, the enrolling agency will inform the individual of the following details— i) how their information will be used; ii) what type of entities the information will be shared with; and iii) that they have a right to access their information, and also tell them how they can access their information. (Section 3)
Biometrics and demographics will be collected: Biometric information and demographic information will be collected at enrollment. Biometric information means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations. Demographic information includes information relating to the name, date of birth, address and other relevant information as specified by regulations. (Section 2)
Special measures to ensure enrollment for all: The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals as specified by the regulations. (Section 5)

Concerns:

The Bill fails to address implementation issues: The Bill does not address issues that have arising during enrolment processes that have already been implemented. These include: the collection of additional and unnecessary information, unclear retention, storage, and destruction standards for data collected by enrollment agencies, abuse of methods used to ensure all have access to the enrollment process, inaccuracy in the collection of data. Detailed procedure and chain of custody for the enrollment process needs to be addressed through provisions in the Bill particularly as this process is undertaken by contracted third party registrars and enrolling agencies.
Definition of “Biometric Information” is broad and ambiguous: The Bill defines “biometric information” as “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition is broad and gives sweeping discretionary power to the UIDAI / Central Government to determine “other such biological attributes of an individual”. The definition should be precise and exhaustive in its scope. Any modification to this, and other terms in the Bill, should take place only through a legislative act.

Authentication Process

What the Bill says:

Consent and use limitation during authentication: The Bill states that any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR.
Notice during authentication: Further, the entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity. (Section 8)
Retention of authentication records: The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations. (Section 32) The UIDAI will not collect, keep or maintain any information about the purpose of authentication. (Section 32)
Ability to obtain authentication records: Every Aadhaar number holder may obtain his authentication record as specified by regulations. (Section 32)
Requirement to update information: The UIDAI has the power to require residents to update their demographic and biometric information from time to time. (Section 6)

Concerns:

Lack of strong consent mechanism: While the Bill does provide for seeking consent for collecting and using an Aadhaar for authentication, the Bill does not specify that this must be informed consent with an ‘opt out’ mechanism and does not specify the manner in which such consent should be sought. This leaves it it in the hands of the UIDAI and possibly the third requesting entity to determine the form of consent that is to be taken. This could result in ambiguous, misleading, or inconsistent consent mechanisms being used.
Lack of strong notice mechanism: While the Bill does provide that individuals should be given notice of the type of information be shared and what the information will be used for, and any alternative identity that will be accepted during the authentication process this is a minimal notice and does not meet the standards in the (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 which require individuals to be notified of a) the fact that the information is being collected b) the purposes for which the information is being collected c) the intended recipients of the information d) the name and address of the agency collecting the information and the agency that will retain the information. Furthermore, the Bill does not require the UIDAI, contracted bodies, or requesting entities to notify individuals of any changes in organizational privacy policies.
“Obtaining” rather than the right to access: Instead of providing the individual with a clear right to access the information that the UIDAI holds about him or her, the Bill waters down this safeguard by giving the individual the ability to obtain only his authentication record. What ‘obtaining’ will entail and how one will go about it is delegated to regulations.
Lack of ability to opt out, withdraw consent and/or ‘exit’ Aadhaar: There are no opt-out mechanisms in the Aadhaar Act.This means that individuals cannot:

Opt out and leave the Aadhaar ‘ecosystem’ once enrolled and their information is not deleted.
Opt out of sharing of information at the enrollment stage or authentication stage.
Opt out of any use, disclosure, or retention of their information prescribed by the Act.

Security

What the Bill says:

Security measures for information with UIDAI: The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage. (Section 28)
Security measures through contract: The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. (Section 28)
Security protocol via regulations: The UIDAI has the power to prescribe via regulation various processes relating to data management, security protocol and other technology safeguards (Section 54)

Concerns:

Undefined security measures: The Bill specifies that appropriate technical and organisational security measures shall be put in place without elaborating upon what those measure should be or defining any standards that they will adhere to. The Bill gives the Authority the power to define broad regulations pertaining to security protocol.

Confidentiality

What the Bill says:

Restriction on Sharing, Disclosure, and Use: Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone. (Section 28) The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication. (Section 29) Identity information, other than core biometric information, may be shared as per this Act and regulations specified under it. (Section 29) Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent. (Section 29) Aadhaar numbers or core biometric information will not be made public except as specified by regulations. (Section 30)
Application of Information Technology Act: All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act. (Section 30)

Concerns:

Aadhaar numbers and biometric information to be made public: It is unclear for what purposes it would be necessary for Aadhaar numbers and core biometric information to be made public and it is concerning that such circumstances are left to be defined by regulation. This is different from the Telegraph Act and the IT Act which define the circumstances for interception in the Act and define the procedure for carrying out interception orders in associated Rules. Defining circumstances for such information to be made public is against the disclosure standards in the 43A Rules - which would be applicable to the UIDAI and the disclosure of core biometric information.
Unclear application of Section 43 A Rules: The Bill characterises biometric information collected as ‘sensitive personal data or information’ under the Information Technology Act, 2000 and Section 43A Rules and states that the Act and Rules would be applicable to biometric information. If this is the case, than any body corporate (including the UIDAI) collecting, processing, or storing biometric information would need to follow the standards established in the Rules - including standards for collection, consent, disclosure, sharing, retention, and security. Yet, the Bill allows the UIDAI to make regulations for collection, disclosure, security etc.

Disclosure

What the Bill says:

Disclosure during authentication: During authentication, the UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder, but not share any biometric information. (Section 8)
Exceptions to confidentiality provisions: The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing. (Section 33) The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. (Section 33)
Oversight Committee: An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above. Any directions in the interest of national security above are valid for 3 months, after which they may be extended following a review by the Oversight Committee. (Section 33)

Concerns:

Unnecessary disclosure during authentication: Usually authentication would be a binary process leading to a yes or no result, however, Section 8 also allows sharing of identity information in certain cases. It is unclear why any additional information would need to be shared in the authentication process.
Lack of opportunity to data subject: In case of a court order identity information and authentication records of an individual can be revealed without any notice or opportunity of hearing to the individual affected. Aside from allowing the UIDAI a right to be heard, the Bill does not provide any means by which an individual can contest such an order or challenge it after it has been passed.
Lack of defined functions and responsibilities of oversight mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down as the guiding principles establishing the responsibilities and powers of the oversight mechanism.
Low standards for disclosure order: Though a court order from a District Judge is required to authorize disclosure of information, the Bill fails to define important standards that such an order must meeting including that the order is necessary and proportionate.
Sweeping exception of National Security: Disclosures that are made ‘in the interest of national security’ do not require authorization by a judge and instead can be authorized by the Joint Secretary of the Government of India - a standard lower than that established in the Telegraph Act and IT Act for the interception of communications.

Power of UIDAI to make rules and regulations

What the Bill says:

The matters on which the UIDAI may frame rules include:

The process of collecting information,
Verification of information,
Individual access to information,
Sharing and disclosure of information,
Alteration of information,
Request and response for authentication,
Defining use of Aadhaar numbers,
Defining privacy and security processes,
Specifying processes relating to data management, security protocols and other technology safeguards under this Act
Establishing redressal mechanisms.

Concerns:

Over delegation of powers to the UIDAI: This Bill follows in the tradition of laws like the Information Technology Act, which allows the executive a very high degree of discretionary power. As mentioned above, a number of important powers which should ideally be within the purview of the legislature are delegated to the UIDAI. The UIDAI has been administrating the project since its inception, and a number of problems have already been documented in process such as collection, verification, sharing of information, privacy and security processes. Rather than addressing these problems, the Bill allows the UIDAI to continue to have similar powers.
Lack of independence of grievance redressal mechanism: Within the text of the Bill there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body.

For more details visit https://cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns