We are anonymous, we are legion

SC directs govt to further regulate social media: Is it necessary? Experts weigh in

Geetika Mantri — 2019-09-30T14:28:10Z

With the SC's directive to the Indian government for further regulation of social media, TNM asked experts what were the challenges associated with the same.

The article by Geetika Mantri was published in the News Minute on September 28, 2019. Pranesh Prakash was quoted.

The Supreme Court recently expressed the need to regulate social media to curb fake news, defamation and trolling. It also asked the Union government to come up with guidelines to prevent misuse of social media while protecting users’ privacy in three weeks’ time.

The apex court made these statements while hearing a transfer petition by Facebook which has asked for petitions on regulation of social media filed in Madras, Bombay and Madhya Pradesh High Courts on similar issues to be transferred to the SC so that the scope can be expanded.

In India, social media platforms already come under the purview of the Information Technology (IT) Act, the ‘intermediaries guidelines’ that were notified under the IT Act in 2011 and the Indian Penal Code.

With the SC's directive to the Indian government for further regulation of social media, TNM asked experts what were the challenges associated with the same.

Existing regulations and misuse

Executive Director of the Internet Freedom Foundation (which is also an intervenor in the above case in SC) and lawyer Apar Gupta points out that under existing laws, social media channels are already required to take down content if they are directed to do so by a court or law enforcement.

There are also reporting mechanisms on these platforms, where they exercise discretion to ascertain whether a reported post is violating community guidelines and needs to be taken down. These, however, have been reported to be arbitrary – many posts on body positivity and menstruation, for instance, have been taken down in the past while other explicit imagery continues to be allowed.

“But it’s necessary to have minimum legal standards that need to be fulfilled to compel such take-downs on social media. If platforms had to take down posts based on individual complaints, it could result in many frivolous take-downs. Free speech should be the norm, and removal of content, the exception,” Apar argues.

IT consultant Kiran Chandra says that many of the existing regulations themselves are “dangerously close to censorship and may have a chilling effect on freedom of speech, which is why cases are being fought on those in courts.”

Even under existing regulations, there is scope for misuse - which has also been documented in the past - to curb dissent.

“One of the key problems of a lot of regulatory measures is the vagueness of language which is exploited by state agencies to behave in a repressive way,” Kiran says. “Any regulation has to be clear and concrete so that there is no scope for overreach."

Much of fake news is driven by politics

Fake news isn't exactly new, but its proliferation and extent have expanded manifold with social media.

Srinivas Kodali, an independent security researcher, says that it is not as though governments do not know where a good portion of fake news is coming from. “Most political parties have IT cells that dedicatedly work on creating and spreading fake news. But what is the Election Commission or anyone else doing to stop that?” he questions.

Kiran points out that this machinery exists with a view to gain electoral dividends. “There can be no countering fake news without taking on these structures and the political forces behind them,” he says.

He adds that social media giants also need to take responsibility. “Currently, considering the role social media companies play in the society, they are doing almost nothing [about fake news]. In fact, virality - and a lot of fake news tends to be viral - is the basis of the business model of many social media companies, including Facebook, and WhatsApp, which it owns. At the very least, these companies need to dedicate far more resources, and must provide more transparency into their functioning if any dent has to be made in countering fake news.”

Kiran also says that there is a need to support websites that bust fake news, and make people more aware of the need to verify news.

Defamation and online harassment

Experts say that when it comes to the SC’s observation that there should be redressal mechanisms for someone who has been ‘defamed’ on social media, the recourse is pretty clear-cut.

Pranesh Prakash, a fellow at the Centre for Internet and Society, says, “If it concerns defamation, it is very likely that the victim knows where the defamatory post has come from. Even if it is not an original message, the defamation law does not require you to find out the origin of such a message. Anyone who has put it, forwarded it, is liable.”

That being said, it is the social media giants that need to pick up the slack when it comes to dealing with targeted harassment and online bullying.

It has been reported earlier that Facebook, due to its lack of understanding of the Indian context as well as diversity, often fails in effectively removing hate speech from the platform in India. Facebook's community guidelines are unavailable in several Indian languages too.

Kiran says that while there already exist legal provisions for dealing with offensive speech, the problem is that they are either misused or underused. “Critics of the government get hit with these cases unreasonably while many who engage in hate speech and abuse are followed by the most powerful people in the country. Here again, social media firms need to massively increase the resources they spend on weeding out such content.”

Privacy and surveillance concerns

Any conversation on additional regulation of social media brings up concerns about privacy and surveillance.

Apar says if regulators want easy access to user information for curbing misuse, spread of fake news and the like, it would require online platforms to modify their products to increase surveillance - to have exact details about who said what, when and about whom. “This is why it’s important for legal standards and conditions for accessing user information to be followed. Government also needs to become more accountable on what information on users they are demanding from social media companies.”

Kiran cautions that “any bid at regulating expression online has to be proportional and concrete with adequate redressal mechanisms and without any blanket provisions.”

“We need strong data protection and privacy laws which restrict the scope of these companies and reduce their footprint online,” he adds, referring, for instance to Facebook's monopoly - the company also owns Instagram. “Similarly, the role they play in elections and political processes as a whole, needs to be checked.”

Srinivas points out that ultimately, social media is a reflection of what is happening in the society: “If there is no rule of law offline, it won’t be there online.”

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-geetika-mantri-september-28-2019-sc-directs-govt-to-further-regulate-social-media

Say 'Password' in Hindi

nishant — 2012-03-21T09:18:19Z

English might be the language of the online world, but it’s time other languages had their say, writes Nishant Shah. The article was published in the Indian Express on June 5, 2011.

On skype the other day, a friend narrated an incident that made the otherwise familiar terrains of the internet, uncanny. His grandmother, who had recently acquired a taste for Facebook, had signed off on a message saying “Love, Granny”. For people of the xoxo generation, this sounds commonplace, in fact it might even be archaic. However, for my friend, who had never thought of his emotions for his grandmother as “love”, it produced a moment of sheer strangeness.

In Gujarati, it would have been silly to think of your emotions for family as “love”. There are better nuances. The emotional connect between lovers is different from the affective relationship with parents. The fondness for siblings is different from the bond with friends. And it was unnerving, for him, to have this range of emotions suddenly condensed into “love”. Like many of us polyglots who work in the rapidly digitising world of the World Wide Web, he was experiencing the gap between the mother tongue and the other tongue. It is an experience that is quite common to non-native speakers of English, who have to succumb to de facto English language usage on the global web and often find themselves at sea about how to translate emotions, histories and experiences into a language which does not always accommodate them.

This experience only becomes more intense for people who are fluent neither in the English language nor in international online English. This question of localisation of language remains one of the biggest gating factors of the internet. It also remains, after literacy and skills, the biggest impediment to including people from non-mainstream geopolitics in discussions online. Several global linguistic majorities have dealt with this by producing different language webs. Spanish, Chinese, Japanese and German are among the largest non-English language internets which are in operation now. However, in post-colonial countries like India, where linguistic diversity is the order of the day, the efforts at localisation have been sporadic and not very popular.

There are many facets to the implementation of localisation practices. It requires developing local language fonts so that people don’t have to merely transliterate local words using an English language script. These fonts further need to be made translatable into other languages, identified by machine translations. Keyboards and hardware infrastructure, which grants ease of access to the users need to be built. Tool kits to de-Anglify the computer language, code, browser signs etc. are being developed. There are many attempts being made by public and private bodies in the country to produce this ecology of localisation, both at the level of hardware and software.

And yet, adoption of localisation tools, despite a growing non-urban user base, remains low. Most people engage with the digital and online services through English, even though their fluency with the language might be low. One of the reasons why localisation of Indic language content is facing so much resistance is because of a narrow understanding of localisation as linguistic translation. Most attempts at localisation in the country merely think of translating English terms like “browser”, “code”, or “password” into the regional languages. In many instances, the term is merely rewritten in the local script.

Such an approach to localisation ignores the fact that the language of technology does not only produce new expressions and words, but also new ways of thinking. While localising the English language content, care also has to be given to translating the contexts, which the words and phrases carry. Do a simple exercise. Take the word “Password”. Try and translate this into your local language so that it makes complete sense to a native speaker. You will realise that just saying “Password” doesn’t mean much and that it requires background information to make that word intelligible to a community.

The second is that localisation is not merely about giving rights to generate content online. While the Web 2.0 wave of user-generated content is ruling the internet now, we must realise that most people come online to consume as much, if not more than, what they generate. Policies that promote local language information production, translation projects etc. need to be in place so that the minimum threshold of information is available online in languages other than English. Government documents, state records, public artifacts, etc. need to be digitised and made available in local languages so that people can access data online.

Localisation is not only about language and translations. It is about changing the top-down approach; instead of forcing existing concepts on to material realities which don’t always fit them, it is time to see that the true power of digital technologies is in building bottom-up models where everyday practice can be captured through localised vocabularies that allow for users to say, “I love you,” to anybody, in a language, and meaning that makes sense to them.

Read the original here

For more details visit https://cis-india.org/internet-governance/blog/password-in-hindi

Saving privacy as we knew it

praskrishna — 2013-10-29T05:01:25Z

Long overdue protection law still on the back-burner; meanwhile, depts put more of one's personal details online.

The article by Surabhi Agarwal and Somesh Jha was published in the Business Standard on October 29, 2013. Sunil Abraham is quoted.

It was in 2010 when the central government decided to institute a legal framework on privacy. This was in the wake of increasing data collection by both government and corporate agencies. Concerns had mounted in the wake of projects such as the National Population Register, Aadhaar and the National Intelligence Grid.

Over three years and hundreds of consultations later, several drafts of the proposed Bill were written and rejected, and at least two committees have given recommendations. However, the law has not seen the light of day. Meanwhile, citizen data digitisation is moving at a pace like never before in the country.

Business Standard had reported on October 28 about how an investigation revealed that several states and central departments might be, unwittingly, following a bare-it-all approach in posting citizen data online in order to push the government's agenda of greater transparency and accountability. While the Centre's National Rural Employment Guarantee Scheme puts out full bank account numbers of its beneficiaries, government website of Uttar Pradesh has put out full details of ration card holders, including annual income along with address and information about members of the family. By putting such sensitive information online, the government could be jeopardising the privacy of its 1.2 billion citizens, who stand exposed to a variety of risks, including those of 360-degree profiling and financial frauds. (INFORMATION DELUGE)

According to government officials, the department of personnel and training has finished compiling the final draft of the privacy legislation, now awaiting approval from the prime minister; the department is under him.

"In the absence of a privacy Bill, the only data protection, pseudo, is through Section 43A of the Information Technology (IT) Act. Unfortunately, that is not a data protection law; it is only a data security provision," said Sunil Abraham, executive director of the Centre for Internet and Society.

Pavan Duggal, a Supreme Court lawyer and cyber security expert, said India needs more security while collecting data and "currently a lot of these websites don't have these security layers". Take for instance, the website of the chief electoral officer of New Delhi. Type a person's first or last name and select the constituency - the website throws up the details of all people with this name, along with all the details such as address and voter identity number. According to officials of the Election Commission, the searchability feature helps in easy access of voter details by people themselves or by interested political parties. "There has been no evidence to prove its use otherwise," an official of the EC told Business Standard.

However, experts said otherwise. Abraham said the electronic version of the electoral roll has a unique identifier, the voter ID number. "And, if there are other databases with the same identifier, a comprehensive profile of a citizen can be created." He added, at the moment, we are saved from 360-degree profiling to some extent, since there is no common identifier.

Once a privacy law comes into being, the government or a private agency will have to adequately inform citizens before collecting data, stating the reasons and only collecting as much information as is necessary for the purpose. It will also have to clearly define the time period for which the data will be stored and the security measures taken to protect it from misuse. The law also lays down the penalties in case of a breach.

Though in a less detailed manner, the current IT Act also addresses some of these issues. It defines anything which reveals financial information, biometric, health and medical records, etc, as sensitive financial information which cannot be put in the public domain.

However, experts said the government is lax in even enforcing the existing laws. To be fair, some states and departments have started being prudent about the data they put online. For instance, the state government of Chhattisgarh, a trend setter in effectively implementing the Public Distribution System, doesn't reveal much in terms of citizen information that can identify a person or can be termed as a breach of privacy. Similarly, Odisha and some northeastern states have put in a layer of security which creates some deterrents while using common keywords to search the electoral roll and create a profile of residents in a particular locality.

However, for now, most departments stuck in the tradeoff between privacy and transparency find solace in pointing fingers at contemporaries who might have also put "more sensitive and dangerous" citizen details online. The blame game doesn't end.

For more details visit https://cis-india.org/news/business-standard-october-29-2013-surabhi-agarwal-somesh-jha-saving-privacy-as-we-knew-it

Save Your Voice — A movement against Web censorship

praskrishna — 2012-03-13T11:44:27Z

‘Save Your Voice (SYV)’ is a movement against Web censorship and its main demand is the repealing of the Information Technology Act, said SYV founders, Aseem Trividi, a cartoonist, and Alok Dixit, a journalist, on Monday.

DNA Correspondent covered a press conference held on March 12, 2012 in Bangalore. Sunil Abraham was quoted in the story.

Trivedi’s website — www.cartoonistagainstcorruption.com — was banned during Anna Hazare’s movement. Trivedi said: “Mumbai police banned the website without any prior notice and cases of ‘treason’ were also filed. The website was banned without a judicial order and I haven’t received an explanation about the crime committed.”

Sunil Abraham, executive director, Centre for Internet and Society, said the private sector does not protect the freedom of expression.

Read the original published by Daily News & Analysis on March 13, 2012

For more details visit https://cis-india.org/news/save-your-voice-2014-a-movement-against-web-censorship

Salient Points in the Aadhaar Bill and Concerns

Amber Sinha and Elonnai Hickok — 2016-03-21T04:37:48Z

Since the release of the Aadhaar Bill, the Centre for Internet and Society has been writing a number of posts analyzing the Bill and calling out problematic areas and the implications of the same. This post is meant to contribute to this growing body of writing and call out our major concerns with the Bill.

Use of Aadhaar Number

What the Bill says:

Used to establish identity: The Aadhaar number can be used by any government or private agency to validate a person’s identity for any lawful purpose, but it cannot be used as a proof of citizenship. (Sections 4, 6, and 57)
Mandatory for access to government services: The government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service whose expenditure is incurred from the Consolidated Fund of India.
Those without a number, must apply for one: If someone attempting to access an applicable service does not have an Aadhaar number, he/she should make an application for enrolment, and will be allowed to use an alternative method of identification in the meantime. (Section 7)
Open to use by public and private bodies: The Bill does not prevent the use of Aadhaar number to establish identity for other lawful purposes by the State or other private bodies. (Section 57)

Concerns:

Aadhaar is not voluntary: Section 7 makes its mandatory to have an Aadhaar number to access services, subsidies and benefits, and stipulates that in case one does not have the Aadhaar number they must apply for it. This is counter to the repeated claims about Aadhaar being purely voluntary, and the Supreme Court order dated August 11, 2015 which prevents making Aadhaar mandatory, barring a few specified services. The Bill does not limit mandatory use of Aadhaar to those services, and leaves the door open for the government to route more benefits, subsidies and services through the Consolidated Fund of India and expand the scope of Aadhaar.
There are limited and unclear alternatives: While there is a proviso in the Act which speaks for “viable and alternative” means of identification where Aadhaar number is not issued, the language is not clear and speaks of cases where Aadhaar “is not assigned” rather than simply stating that it is applicable to anyone who does not have an Aadhaar number.
There is a conflict in the objects and actual scope of the Bill: There is a conflict between the objects of the Bill which is stated as identification of individuals for targeted delivery of entitlements and Section 57 which allows all entities, public or private, to use the Aadhaar number for authentication.

Enrollment Process

What the Bill says:

Enrolling agencies must provide notice: At the time of enrollment, the enrolling agency will inform the individual of the following details— i) how their information will be used; ii) what type of entities the information will be shared with; and iii) that they have a right to access their information, and also tell them how they can access their information. (Section 3)
Biometrics and demographics will be collected: Biometric information and demographic information will be collected at enrollment. Biometric information means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations. Demographic information includes information relating to the name, date of birth, address and other relevant information as specified by regulations. (Section 2)
Special measures to ensure enrollment for all: The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals as specified by the regulations. (Section 5)

Concerns:

The Bill fails to address implementation issues: The Bill does not address issues that have arising during enrolment processes that have already been implemented. These include: the collection of additional and unnecessary information, unclear retention, storage, and destruction standards for data collected by enrollment agencies, abuse of methods used to ensure all have access to the enrollment process, inaccuracy in the collection of data. Detailed procedure and chain of custody for the enrollment process needs to be addressed through provisions in the Bill particularly as this process is undertaken by contracted third party registrars and enrolling agencies.
Definition of “Biometric Information” is broad and ambiguous: The Bill defines “biometric information” as “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition is broad and gives sweeping discretionary power to the UIDAI / Central Government to determine “other such biological attributes of an individual”. The definition should be precise and exhaustive in its scope. Any modification to this, and other terms in the Bill, should take place only through a legislative act.

Authentication Process

What the Bill says:

Consent and use limitation during authentication: The Bill states that any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR.
Notice during authentication: Further, the entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity. (Section 8)
Retention of authentication records: The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations. (Section 32) The UIDAI will not collect, keep or maintain any information about the purpose of authentication. (Section 32)
Ability to obtain authentication records: Every Aadhaar number holder may obtain his authentication record as specified by regulations. (Section 32)
Requirement to update information: The UIDAI has the power to require residents to update their demographic and biometric information from time to time. (Section 6)

Concerns:

Lack of strong consent mechanism: While the Bill does provide for seeking consent for collecting and using an Aadhaar for authentication, the Bill does not specify that this must be informed consent with an ‘opt out’ mechanism and does not specify the manner in which such consent should be sought. This leaves it it in the hands of the UIDAI and possibly the third requesting entity to determine the form of consent that is to be taken. This could result in ambiguous, misleading, or inconsistent consent mechanisms being used.
Lack of strong notice mechanism: While the Bill does provide that individuals should be given notice of the type of information be shared and what the information will be used for, and any alternative identity that will be accepted during the authentication process this is a minimal notice and does not meet the standards in the (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 which require individuals to be notified of a) the fact that the information is being collected b) the purposes for which the information is being collected c) the intended recipients of the information d) the name and address of the agency collecting the information and the agency that will retain the information. Furthermore, the Bill does not require the UIDAI, contracted bodies, or requesting entities to notify individuals of any changes in organizational privacy policies.
“Obtaining” rather than the right to access: Instead of providing the individual with a clear right to access the information that the UIDAI holds about him or her, the Bill waters down this safeguard by giving the individual the ability to obtain only his authentication record. What ‘obtaining’ will entail and how one will go about it is delegated to regulations.
Lack of ability to opt out, withdraw consent and/or ‘exit’ Aadhaar: There are no opt-out mechanisms in the Aadhaar Act.This means that individuals cannot:

Opt out and leave the Aadhaar ‘ecosystem’ once enrolled and their information is not deleted.
Opt out of sharing of information at the enrollment stage or authentication stage.
Opt out of any use, disclosure, or retention of their information prescribed by the Act.

Security

What the Bill says:

Security measures for information with UIDAI: The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage. (Section 28)
Security measures through contract: The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. (Section 28)
Security protocol via regulations: The UIDAI has the power to prescribe via regulation various processes relating to data management, security protocol and other technology safeguards (Section 54)

Concerns:

Undefined security measures: The Bill specifies that appropriate technical and organisational security measures shall be put in place without elaborating upon what those measure should be or defining any standards that they will adhere to. The Bill gives the Authority the power to define broad regulations pertaining to security protocol.

Confidentiality

What the Bill says:

Restriction on Sharing, Disclosure, and Use: Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone. (Section 28) The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication. (Section 29) Identity information, other than core biometric information, may be shared as per this Act and regulations specified under it. (Section 29) Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent. (Section 29) Aadhaar numbers or core biometric information will not be made public except as specified by regulations. (Section 30)
Application of Information Technology Act: All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act. (Section 30)

Concerns:

Aadhaar numbers and biometric information to be made public: It is unclear for what purposes it would be necessary for Aadhaar numbers and core biometric information to be made public and it is concerning that such circumstances are left to be defined by regulation. This is different from the Telegraph Act and the IT Act which define the circumstances for interception in the Act and define the procedure for carrying out interception orders in associated Rules. Defining circumstances for such information to be made public is against the disclosure standards in the 43A Rules - which would be applicable to the UIDAI and the disclosure of core biometric information.
Unclear application of Section 43 A Rules: The Bill characterises biometric information collected as ‘sensitive personal data or information’ under the Information Technology Act, 2000 and Section 43A Rules and states that the Act and Rules would be applicable to biometric information. If this is the case, than any body corporate (including the UIDAI) collecting, processing, or storing biometric information would need to follow the standards established in the Rules - including standards for collection, consent, disclosure, sharing, retention, and security. Yet, the Bill allows the UIDAI to make regulations for collection, disclosure, security etc.

Disclosure

What the Bill says:

Disclosure during authentication: During authentication, the UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder, but not share any biometric information. (Section 8)
Exceptions to confidentiality provisions: The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing. (Section 33) The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. (Section 33)
Oversight Committee: An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above. Any directions in the interest of national security above are valid for 3 months, after which they may be extended following a review by the Oversight Committee. (Section 33)

Concerns:

Unnecessary disclosure during authentication: Usually authentication would be a binary process leading to a yes or no result, however, Section 8 also allows sharing of identity information in certain cases. It is unclear why any additional information would need to be shared in the authentication process.
Lack of opportunity to data subject: In case of a court order identity information and authentication records of an individual can be revealed without any notice or opportunity of hearing to the individual affected. Aside from allowing the UIDAI a right to be heard, the Bill does not provide any means by which an individual can contest such an order or challenge it after it has been passed.
Lack of defined functions and responsibilities of oversight mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down as the guiding principles establishing the responsibilities and powers of the oversight mechanism.
Low standards for disclosure order: Though a court order from a District Judge is required to authorize disclosure of information, the Bill fails to define important standards that such an order must meeting including that the order is necessary and proportionate.
Sweeping exception of National Security: Disclosures that are made ‘in the interest of national security’ do not require authorization by a judge and instead can be authorized by the Joint Secretary of the Government of India - a standard lower than that established in the Telegraph Act and IT Act for the interception of communications.

Power of UIDAI to make rules and regulations

What the Bill says:

The matters on which the UIDAI may frame rules include:

The process of collecting information,
Verification of information,
Individual access to information,
Sharing and disclosure of information,
Alteration of information,
Request and response for authentication,
Defining use of Aadhaar numbers,
Defining privacy and security processes,
Specifying processes relating to data management, security protocols and other technology safeguards under this Act
Establishing redressal mechanisms.

Concerns:

Over delegation of powers to the UIDAI: This Bill follows in the tradition of laws like the Information Technology Act, which allows the executive a very high degree of discretionary power. As mentioned above, a number of important powers which should ideally be within the purview of the legislature are delegated to the UIDAI. The UIDAI has been administrating the project since its inception, and a number of problems have already been documented in process such as collection, verification, sharing of information, privacy and security processes. Rather than addressing these problems, the Bill allows the UIDAI to continue to have similar powers.
Lack of independence of grievance redressal mechanism: Within the text of the Bill there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body.

For more details visit https://cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns

Sales of surveillance cameras are soaring, raising questions about privacy

Admin — 2018-10-16T14:22:55Z

The Telangana government wants more eyes on the streets to upgrade Hyderabad’s safety. It has asked enterprises, public sectors, residential associations and individuals to install closed-circuit television cameras (CCTVs) in and around their premises.

The article by Rahul Sachitanand was published in Economic Times on October 14, 2018. Elonnai Hickok was quoted.

More than a lakh CCTVs are expected to be installed across the city in the next few years. The initiative is part of the Nenu Saitham (Telugu for Me Too) project — being promoted by Hyderabad Police, which will monitor the feed. To ensure that lowquality CCTVs are not installed and the project is sustainable, the police has asked citizens to only buy from selected vendors.

With this move, launched in November 2017, the Telangana govt joins a growing list of governments, corporations, educational institutes, residential buildings and small businesses across the country that are buying such technology.

According to industry estimates, over a million surveillance units were sold every month a couple of years ago. Now it is two million. The Indian market is growing 20-25% annually, say experts. Frost & Sullivan says the security & surveillance market was worth Rs 8,200 crore in FY2017, reached Rs 11,000 crore in FY2018 and is expected to touch Rs 20,000 crore in FY2020.

The rise in CCTV coverage can also be observed anecdotally. There’s a steady uptick in CCTV clips circulating on Whatsapp, capturing crimes or funny events that would otherwise have gone undocumented. Many of the sensational crimes recently, including multiple incidents of murder in Tamil Nadu, were captured on CCTV cameras, distilling the pure horror of those moments on our mobile screens, and also offering valuable proof to nail the culprits.

The surveillance and security boom is fed by several companies, ranging from homegrown firms such as CP Plus to joint ventures such as Prama Hikvision to multinationals such as Bosch, Panasonic, Honeywell and Axis. The Telangana project, for example, helped Sweden-based Axis Communications widen its India market. It has already installed 1,500 cameras, and more will be installed soon. Other state governments have or are in the process of placing orders.

The Swedish company says it recently installed cameras and associated technology across a range of large corporate and government establishments across India. “We are at the beginning of a five-year boom cycle for these devices,” says Sudhindra Holla, sales director (India & Saarc), Axis Communications. “We are catering to a rush of orders ranging from large companies with complex security infrastructure to deals from government agencies in small towns such as Nanded and Kolhapur.”

Multiple factors are driving the growth in the CCTV segment, says Manu Tiwari, programme manager (automation and electronics practice), Frost and Sullivan. A strong government push to enhance security; purchases for initiatives such as the Smart City project, which covers 100 cities, and the Rs 2,219 crore allocated under the Nirbhaya Fund for women’s safety, which covers eight cities, are some of the growth drivers.

According to Sanjay Kaushik, managing director of security consultancy Netrika Consulting, there is a push to better use CCTV feeds to improve security across India. “While the focus hitherto has been on post facto scouting of footage to find perpetrators, organisations are now trying to be more proactive with their monitoring to spot suspicious people and packages before crimes occur.”

This could involve closely looking at footage to spot suspicious movements at places such as malls or airports or using technology to spot suspicious objects left unattended for long periods. Then, there’s also a focus on making sure the cameras are installed correctly. “Recognisability is key. Organisations are being pushed to ensure simple things like camera feeds are free of obstructions, licence plates are visible in feeds and there is adequate lighting,” adds Kaushik. Advances in technology have ensured that CCTV systems are cheaper and more accessible.

While large enterprises had taken to such technology earlier, even smaller commercial establishments and private residents now can afford to install security systems. The prices have practically halved over the last couple of years. An entry-level camera is now available for a little over Rs 2,000. “Even the cost of an integrated solution, which was as much as Rs 40,000 to Rs 50,000 three or four years ago, is today available for as little as Rs 15,000,” says Yogesh Dutta, COO of New Delhi-based CP Plus. “A rapid increase in the number of CCTVs sellers and technicians has also helped widen access.” The devices have become popular as it helps law enforcers to tackle crime, he adds.

CP Plus’s customers include Vedanta Power and Odisha Police, which has also decided to use e-surveillance to enhance security. Frost and Sullivan says small & medium enterprises and large corporations were together the biggest end-user segments in FY18. This segment had a market share of 33%. Residential had a 28% market share; the industrial segment had 18% and the government 13%, it said. Other major end-user segments are hospitality, education and healthcare.

An increase in such surveillance, however, may be double-edged, say privacy advocates. While a blanket coverage using CCTVs may give citizens a feeling of security, India’s rudimentary legislation around who can access these feeds is a problem. Some countries such as the UK and UAE have stricter guidelines on this. Law-enforcement agencies can access such feeds while following up on their investigations, says Supreme Court lawyer Karnika Seth, without procuring a warrant. “As long as it is for this purpose, it is within the purview of the law. However, with the new judgment on privacy, anything more would be a no-go area.”

The use of CCTV can potentially impinge on the rights of an individual, says Elonnai Hickok, who heads privacy research at the Centre for Internet and Society, an advocacy outfit in Bengaluru. “Technically speaking, the feed can reveal personal information about an individual, including identity, location and daily patterns. Because the feed captures individuals in public spaces, it is not possible for people to have an opt-out option. The access and use of the data are often unclear.” Regulations are starting to address the use of CCTV imagery in some places. The European Union’s General Data Protection Regulation, for example, has recognised that imagery that identifies an individual is personal data and thus requires lawful, fair and transparent processing.

The draft data protection bill by the Srikrishna committee also says CCTV imagery would be considered personal data. If CCTV cameras are put in place by a private actor, Hickok contends, they would need to adhere to the principles laid out in chapters II and III of the draft — which covers fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice, data quality, data storage limitation, accountability and consent.

For feeds used by the state for reasons such as public safety, the consent clause will not apply. But state actors will still need to adhere to the principles laid out in chapter II. If CCTVs are used for the purpose of prevention, detection, investigation and prosecution of a crime, it will be exempt from adhering to the requirements of the bill. However, this use must be backed by a law passed in Parliament and the data cannot be retained once its purpose has been met.

There are more legal restrictions if the CCTV application is integrated with capabilities that capture biometrics. "Clear responsibilities and reasons should be enunciated, the policies should be clearly documented and publicised and, importantly, the cost and benefits should be ascertained," Hickock argues. ¡§It is important to have technical safeguards like encryption and procurement guidelines.

Legal and privacy issues aside, the commercial aspect is clearly looking bright. Prama Hikvision, a Chinese-Indian joint venture, has invested Rs 100 crore in a factory in Bhiwandi to make 500,000 cameras a month. A second factory, possibly in Telangana, is expected to go on stream soon, with a monthly capacity of 1,50,000 units. "CCTVs have gone from being used by a sliver of companies, primarily banks and jewellers, to being adopted by a much broader audience," says Ashish Dhakan, MD and CEO, Prama Hikvision. "Our client list includes companies in the sectors of transportation, power, petroleum, oil and gas and retail."

Another trend market players have spotted is a shift from analog, which used tapes to record footage, to digital systems, where recording time and storage space are not major constraints. "We see continuous enhancement to megapixel (displays) from lowresolution, improved compression technology. This allows more data, more storage capacity, and overall lowering of cost for storage recording devices," says Sharad Yadav, general manager, Honeywell Building Technologies, India. Frost and Sullivan analyst Tiwari lists emerging offerings - including intelligent video surveillance, wireless systems and higher resolution of visuals - as features that will define the next-generation devices.

But digital also comes with some dangers. As CCTV cameras go from standalone devices to being digital and connected ones, experts say there is a risk of hacking. Hackers may also be able to use the network as a gateway. This could give hackers access to much more than just the camera feed. "Cybersecurity is a constant focus for us," says Holla of Axis Communications. "While no camera is hackproof, we believe we have built enough capabilities to react to these hacks and quickly release patches to secure them."

Others such as Hickok of CIS say more safeguards are required. "Technical safeguards like encryption and procurement guidelines are also important, as has been highlighted by the UK Information Commissioner's Office," she says. Keeping the cameras safe may be as important as safeguarding the lives these devices monitor.

For more details visit https://cis-india.org/internet-governance/news/economic-times-rahul-sachitanand-october-14-2018-sales-of-surveillance-cameras-are-soaring-raising-questions-about-privacy

Russian social network VKontakte temporarily blocked in India for Blue Whale threat

Admin — 2017-09-14T01:17:51Z

Russian social network Vkontakte, where the suicidal online "game" Blue Whale+ is believed to have originated, was blocked on certain internet service provider networks on Tuesday.

The article by Kim Arora was published in the Times of India on September 12, 2017.

Internet users accessing the website through ACTFibernet in Bengaluru and Chennai, as well as YouBroadband in Bengaluru reported that visiting the its URL vk.com resulted in a page bearing the message: "The URL has been blocked as per the instructions of the Competent Government Authority/in compliance to the orders of the Court of Law." A senior official in the union ministry of electronics and information technology (MeitY) confirmed the block.

"Vkontakte has been blocked temporarily. We understand that it has been used for Blue Whale+ in the past, and are trying to ascertain its current usage. Law enforcement agencies are investigating the suspected cases of Blue Whale suicides and the modus operandi. We have held meeting with internet companies. We are taking several multi-dimensional ways of containing the Blue Whale threat in India," says Dr Ajay Kumar, additional secretary at the MeitY.

While blocked on some networks, vk.com was accessible on several other mobile internet networks such as Idea, Airtel, Vodafone, Jio etc on Tuesday afternoon.

The Blue Whale challenge involves a "curator" or "administrator" guiding a participant through a set of tasks involving self-harm culminating in suicide. These interactions happen through various online channels, like messaging apps or social networks, and allegedly involve participants uploading pictures after completing tasks like inflicting cuts on their bodies. In the last two to three months, India has seen several cases of young persons and teenagers attempting or committing suicide allegedly as part of the Blue Whale challenge.

Rohini Lakshane, program officer at Bengaluru's Centre for Internet and Society points to the lack of hard evidence definitively connecting the suicides to the Blue Whale game in India, and also to hoax-debunking websites that have questioned the veracity of the game. "If the game is so clandestine, then URL-level blocking will not work. Suicide is a mental health issue. Since the affected group here is teenagers, it would make sense for parents and school counselors to educate the children about the evils that exist online," she says.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-kim-arora-russian-social-network-vkontakte-temporarily-blocked-in-india-for-blue-whale-threat

Rural Indians don’t trust messages on WhatsApp blindly: Survey

Admin — 2018-10-28T06:21:34Z

Only 8% of the respondents marked 10 as their trust score on a scale of 1-10, where 1 stands for complete distrust and 10 for complete trust, in information received on WhatsApp, found a survey.

The article by Vidhi Choudhary was published in the Hindustan Times on October 19, 2018. Sunil Abraham was quoted.

WhatsApp users in rural India do not blindly trust messages they receive on the messaging service, according to a limited survey across 14 states, a finding that must provide some cheer to law enforcement officials and policymakers trying to combat fake news and rumours, and to the messaging service itself.

Only 8% of the respondents marked 10 as their trust score on a scale of 1-10, where 1 stands for complete distrust and 10 for complete trust, in information received on WhatsApp, found a survey conducted by Digital Empowerment Foundation (DEF), a New Delhi-based non-profit organisation that seeks to find solutions to bridge the digital divide.

To be sure, the Digital Empowerment Foundation survey titled “What’s up Rural India?” recorded responses from only 1018 rural users in 14 states including districts like Bettiah in Bihar, Barabanki in Uttar Pradesh, Chamba, Narendra Nagar and Pratapnagar in Uttarakhand, Betul and Guna in Madhya Pradesh, Musiri in Tamil Nadu, Memboobnagar, Vikarabad and Warangal in Telangana and Alwar and Barmer in Rajasthan among others, and only a larger survey can authoritatively weigh in on the trust people have in the messaging service.

Since May, at least 30 people have been lynched by mobs with rumours on the messaging platform being responsible for some of the incidents. Fake videos and rumours of child-lifting circulated via WhatsApp have triggered lynchings in at least eight states. The Indian government wrote to WhatsApp about the incidents and the platform, owned by Facebook Inc made some changes, including a clear labelling of forwarded messages as well as limiting the number of forwards to tackle the spread of rumours and Fake News.

WhatsApp has over 200 million users in India, its largest market, and India’s chief election commissioner OP Rawat said in a recent interview with Hindustan Times that attempts to influence poll outcomes using technology was the biggest challenge before his organization, which is responsible for the conduct of polls in India.

According to the DEF survey, almost 70% of the respondents rated their trust score between 1-5. “This composition of trust is unlike what I’d imagined. Users in rural India have exercised restraint in believing the information they get from WhatsApp. They still prefer to check with peers and local communities about what is right and wrong,” said Osama Manzar, founder and director at DEF.

What’s up, rural India?

Survey on WhatsApp by Digital Empowerment Foundation:

It is heartening to know people in rural India are sceptical about messages shared on WhatsApp, said Sunil Abraham co-founder at think-tank Centre for Internet and Society. “It’s a societal learning curve. Most of these users have been exposed to WhatsApp over the last one year. Previous incidents where trust has been misused is perhaps a reason for their apprehension. Their scepticism will grow in the light of all the disappointments that have happened. Ask them this question in 2019 and the numbers are likely to rise further,” added Abraham. Statistics in terms of overall usage of WhatsApp shows that about 66% rural users interviewed in the survey spend 1-4 hours on the messaging app daily, 46% receive between 11-60 messages in a day, 38% are active on upto five WhatsApp groups with a majority being in groups with friends, followed by work colleagues, and family. Experts said the usage of WhatsApp in rural India is surprisingly high. The high usage can be attributed to the rise of smartphone penetration in these areas.

A majority of 88% users also knew what a WhatsApp forward is and 45% said they receive between 6-20 forwarded messages in a day. In July, WhatsApp launched a label to identify forwarded messages in a bid to combat fake news and the spread of misinformation globally, including India. It later set a limit to the use of forwarded messages to 5 chats in India.

In response to an email query, WhatsApp said it has made product changes that make it clear when users have received forwarded messages and also provided greater controls for group administrators to help reduce the spread of unwanted messages in private chats.

“WhatsApp is a private messaging service for communicating with friends and family... We are working together with a number organisations to step up our education efforts so that people know how to spot fake news and hoaxes circulating online. It is heartening to note that these efforts are making a difference and keeping our users safe,” said a WhatsApp spokesperson.

Among other findings, about 40% of respondents said they were part of WhatsApp groups created by members or representatives of political parties.

“This reflects the level of campaigning and penetration of political parties. Villages are always politically sensitive and also interested in politics,” said Manzar.

Interestingly, the survey noted that 63% of the respondents were not on the service in 2014. WhatsApp will play a key role in the campaigns for 2019 as this will be the first election with a host of rural India users actively part of the service.

Data shows that the share of active WhatsApp users in rural India has doubled since 2017, according to a survey done by the Centre for the Study of Developing Societies. Abraham added this means political parties have a “direct channel” of communication with a “huge percentage of the voter base”.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-october-19-2018-vidhi-choudhary-rural-indians-don-t-trust-messages-on-whatsapp-blindly-survey

Ruling in India shields Web posts

praskrishna — 2015-03-27T00:38:34Z

The Supreme Court in India struck down a section of its country’s information technology act Tuesday that had made it illegal for anyone to spread ‘‘offensive messages’’ on electronic devices and resulted in arrests over posts on Facebook and other social media.

This is the modified version of the article originally published by Washington Post and mirrored in Boston Globe. Sunil Abraham is quoted. Picture by Manjunath Kiran, AFP.

Supreme Court Judge Rohinton Fali Nariman wrote in the ruling that the section of the law, known as 66A, was unconstitutional, saying the vaguely worded legislation had wrongly swept up innocent people and had a ‘‘chilling’’ effect on free speech in the world’s most populous democracy.

‘‘Section 66A is cast so widely that virtually any opinion on any subject would be covered by it,’’ the judge wrote. ‘‘If it is to withstand the test of constitutionality, the chilling effect on free speech would be total.’’

India had first passed its Information Technology Act in 2000, but stricter provisions were added in 2008 and ratified in 2009 that gave police sweeping authority to arrest citizens for their personal posts on social media, a crime punishable for up to three years in jail and a fine.

Sunil Abraham, the executive director of the Center for Internet and Society in Bangalore, said that the section was originally intended to protect citizens from electronic spam, but it did not turn out that way.

‘‘Politicians who didn’t like what people were saying about them used it to crack down on online criticism,’’ he said.

In the end, there were more than 20 high-profile arrests, including a professor who posted an unflattering cartoon of a state political leader and an artist who drew a set of cartoons lampooning the government and Parliament.

The most well-known was the case of two young women arrested in the western town of Palghar after one of them posted a comment on Facebook that argued that the city of Mumbai should not have been shut down for the funeral of a famous conservative leader. A friend, who merely ‘‘liked’’ the post, was also arrested. After much outcry, the two were released on bail and the charges eventually dropped.

The case of the ‘‘Palghar Girls’’ inspired a young law student, Shreya Singhal, to take on the government’s law. Singhal became the chief petitioner for the case, along with other free speech advocates and an Indian information technology firm.

‘‘It’s a big victory,’’ Singhal said after the ruling. ‘‘The Internet is so far-reaching and so many people use it now, it’s very important for us to protect this right.’’

Singhal and other petitioners had also argued that another section of India’s technology act that allowed the government to block websites containing questionable material were also unconstitutional, but the court disagreed, saying there was a sufficient review process in place to avoid misuse.

Free speech in India is enshrined in the country’s constitution but has its limits. Books and movies are often banned or censored out of consideration for religious and minority groups.

In 2014, a conservative Hindu group persuaded Penguin India to withdraw a book on Hinduism by Wendy Doniger, a professor of religion at the University of Chicago, from the Indian market. And more recently, the government of India blocked a planned television debut of a documentary film on a 2012 gang rape case, ‘‘India’s Daughter.’’

Along with India, other nations have sharply increased monitoring and crackdowns on perceived insulting Web posts in recent years.

Across the Gulf Arab states, dozens of activists have been arrested for social media posts considered insulting to the country’s rulers or tarnishing the national image.

For more details visit https://cis-india.org/internet-governance/news/boston-globe-march-25-2015-annie-gowen-ruling-in-india-shields-web-posts

Rule 419A of the Indian Telegraph Rules, 1951

jdine — 2013-11-19T07:16:04Z

The Central Government made the following rules to amend the Indian Telegraph Rules, 1951.

G.S.R. 193 (E).— In exercise of the powers conferred by Section 7 of the Indian Telegraph Act, 1885 (13 of 1885), the Central Government hereby makes the following rules further to amend the Indian Telegraph Rules, 1951, namely:—

10 (1) These rules may be called the Indian Telegraph (Amendment) Rules, 2007.

(2) They shall come into force on the date of their publication in the Official Gazette.

20 In the Indian Telegraph Rules, 1951, after rule 419, the following rule shall be substituted, namely:—

[1] 419-A. (1) Directions for interception of any message or class of messages under sub-section (2) of Section 5 of the Indian Telegraph Act, 1885 (hereinafter referred to as the said (Act) shall not be issued except by an order made by the Secretary to the Government of India in the Ministry of Home Affairs in the case of Government of India and by the Secretary to the State Government in-charge of the Home Department in the case of a State Government. In unavoidable circumstances, such order may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorized by the Union Home Secretary or the State Home Secretary, as the case may be:

Provided that in emergent cases—

(i) in remote areas, where obtaining of prior directions for interception of messages or class of messages is not feasible; or
(ii) for operational reasons, where obtaining of prior directions for interception of message or class of messages is not feasible;

the required interception of any message or class of messages shall be carried out with the prior approval of the Head or the second senior most officer of the authorized security i.e. Law Enforcement Agency at the Central Level and the officers authorised in this behalf, not below the rank of Inspector General of Police at the state level but the concerned competent authority shall be informed of such interceptions by the approving authority within three working days and that such interceptions shall be got confirmed by the concerned competent authority within a period of seven working days. If the confirmation from the competent authority is not received within the stipulated seven days, such interception shall cease and the same message or class of messages shall not be intercepted thereafter without the prior approval of the Union Home Secretary or the State Home Secretary, as the case may be.

(2) Any order issued by the competent authority under sub-rule (1) shall contain reasons for such direction and a copy of such order shall be forwarded to the concerned Review Committee within a period of seven working days.

(3) While issuing directions under sub-rule (1) the officer shall consider possibility of acquiring the necessary information by other means and the directions under sub-rule (1) shall be issued only when it is not possible to acquire the information by any other reasonable means.

(4) The interception directed shall be the interception of any message or class of messages as are sent to or from any person or class of persons or relating to any particular subject whether such message or class of messages are received with one or more addresses, specified in the order, being an address or addresses likely to be used for the transmission of communications from or to one particular person specified or described in the order or one particular set of premises specified or described in the order.

(5) The directions shall specify the name and designation of the officer or the authority to whom the intercepted message or class of messages is to be disclosed and also specify that the use of intercepted message or class of messages shall be subject to the provisions of sub-section (2) of Section 5 of the said Act.

(6) The directions for interception shall remain in force, unless revoked earlier, for a period not exceeding sixty days from the date of issue and may be renewed but the same shall not remain in force beyond a total period of one hundred and eighty days.

(7) The directions for interception issued under sub-rule (1) shall be conveyed to the designated officers of the licensee(s) who have been granted licenses under Section 4 of the said Act, in writing by an officer not below the rank of Superintendent of Police or Additional Superintendent of Police or the officer of the equivalent rank.

(8) The officer authorized to intercept any message or class of message shall maintain proper records mentioning therein, the intercepted message or class of messages, the particulars of persons whose message has been intercepted, the name and other particulars of the officer or the authority to whom the intercepted message or class of messages has been disclosed, the number of copies of the intercepted message or class of messages made and the mode or the method by which such copies are made, the date of destruction of the copies and the duration within which the directions remain in force.

(9) All the requisitioning security agencies shall designate one or more nodal officers not below the rank of Superintendent of Police or Additional Superintendent of Police or the officer of the equivalent rank to authenticate and send the requisitions for interception to the designated officers of the concerned service providers to be delivered by an officer not below the rank of Sub-lnspector of Police.

(10) The service providers shall designate two senior executives of the company in every licensed service area/State/Union Territory as the nodal officers to receive and handle such requisitions for interception.

(11) The designated nodal officers of the service providers shall issue acknowledgment letters to the concerned security and Law Enforcement Agency within two hours on receipt of intimations for interception.

(12) The system of designated nodal officers for communicating and receiving the requisitions for interceptions shall also be followed in emergent cases/unavoidable cases where prior approval of the competent authority has not been obtained.

(13) The designated nodal officers of the service providers shall forward every fifteen days a list of interception authorizations received by them during the preceding fortnight to the nodal officers of the security and Law Enforcement Agencies for confirmation of the authenticity of such authorizations. The list should include details such as the reference and date of orders of the Union Home Secretary or State Home Secretary, date and time of receipt of such orders and the date and time of Implementation of such orders.

(14) The service providers shall put in place adequate and effective internal checks to ensure that unauthorized interception of messages does not take place and extreme secrecy is maintained and utmost care and precaution is taken in the matter of interception of messages as it affects privacy of citizens and also that this matter is handled only by the designated nodal officers of the company.

(15) The service providers are responsible for actions for their employees also. In case of established violation of license conditions pertaining to maintenance of secrecy and confidentiality of information and unauthorized interception of communication, action shall be taken against the service providers as per Sections 20, 20-A, 23 & 24 of the said Act, and this shall include not only fine but also suspension or revocation of their licenses.

(16) The Central Government and the State Government, as the case may be, shall constitute a Review Committee. The Review Committee to be constituted by the Central Government shall consist of the following, namely:

(a) Cabinet Secretary — Chairman

(b) Secretary to the Government of India Incharge, Legal Affairs — Member

The Review Committee to be constituted by a State Government shall consist of the following, namely:

(a) Chief Secretary — Chairman

(b) Secretary Law/Legal Remembrancer Incharge, Legal Affairs — Member

(17) The Review Committee shall meet at least once in two months and record its findings whether the directions issued under sub-rule (1) are in accordance with the provisions of sub-section (2) of Section 5 of the said Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above it may set aside the directions and orders for destruction of the copies of the intercepted message or class of messages.

(18) Records pertaining to such directions for interception and of intercepted messages shall be destroyed by the relevant competent authority and the authorized security and Law Enforcement Agencies every six months unless these are, or likely to be, required for functional requirements.

(19) The service providers shall destroy records pertaining to directions for interception of message within two months of discontinuance of the interception of such messages and in doing so they shall maintain extreme secrecy.

[1].Subs, by G.S.R. 193 (E), dated 1.3.2007 (w.e.f. 12.3.2007).

For more details visit https://cis-india.org/internet-governance/resources/rule-419-a-indian-telegraph-rules-1951

RTI response regarding the UIDAI

vanya — 2015-12-22T02:57:21Z

This is a response to the RTI filed regarding UIDAI

The Supreme Curt of India, by virtue of an order dated 11th August 2015, directed the Government to widely publicize in electronic and print media, including radio and television networks that obtaining Aadhar card is not mandatory for the citizens to avail welfare schemes of the Government. (until the matter is resolved). CIS filed an RTI to get information about the steps taken by Government in this regard, the initiatives taken, and details about the expenditure incurred to publicize and inform the public about Aadhar not being mandatory to avail welfare schemes of the Government.

Response: It has been informed that an advisory was issued by UIDAI headquarters to all regional offices to comply with the order, along with several advertisement campaigns. The total cost incurred so far by UIDAI for this is Rs. 317.30 lakh.

Download the Response

For more details visit https://cis-india.org/internet-governance/blog/rti-response-regarding-the-uidai

RTI regarding Smart Cities Mission in India

Paul Thottan — 2016-04-21T02:25:28Z

Centre for Internet & Society (CIS) had filed an RTI on 3 February 2016 before the Ministry of Urban Development (MoUD) regarding the Smart Cities Mission in India. The RTI sought information regarding the role of various foreign governments, private industry, multilateral bodies that will provide technical and financial assistance for this project and information on Government agreements regarding PPP’s for financing the project.

A response to the RTI is here.

The various government, private industry and civil society actors involved in the Smart Cities Mission.
The various agreements the Government has undertaken through PPP’s for financing the mission.
Role of private companies in this project.
The process for selecting the cities for this mission and ministry responsible for this task.
The various international organisations, foreign governments and multilateral bodies that will provide technical and financial assistance for this project.

The MoUD sent its reply to the RTI application and the response is as follows:

With reference to the first query, the answer provided was that the mission statement and guidelines are available on the Missions website - smartcities.gov.in. This mission statement essentially envisages the role of citizens/citizen groups such as Resident Welfare Associations, Taxpayers Associations, Senior Citizens and Slum Dwellers Associations etc, apart from the government of India, States, Union Territories and Urban local bodies.
Regarding information about agreements for the purpose of financing the project, it has been provided in the response that the Ministry would facilitate the execution of MoU’s between Foreign Agencies and States/UT’s for assistance under this mission. The two agreements that have been executed include the MoU between the United States Trade and Development Agency (USTDA) and the French Agency for Development (AFD) for the States/UT’s of Andhra Pradesh, Uttar Pradesh, Rajasthan, Maharashtra, Chandigarh and Puducherry. They have also provided us with copies of the same and they have been summarised below. They also go on to state that various countries like Spain, Canada, Germany, China, Singapore, UK and South Korea have also shown interest in collaborating with the Ministry for the development of Smart Cities.
CIS sought the documents relating to role of private actors in this field. This information could not be provided by the Department since it was not available with them. Further, an application has been sent to the SC-III Division for providing the information directly to us.
As regards the fourth query, the information provided states that the role of the government, States/UT’s and Urban Local Bodies has been envisaged in para 13 of the Smart Cities Mission Statement - smartcities.gov.in
With respect to the query regarding the foreign actors involved, the information provided states that the documents relating to the involvement of the same are scattered in different files. Compilation of such information would divert the limited resources of the Public Authority disproportionately. Another application must be filed if any specific information is required.

Copies of several MoUs signed between Foreign Development Agencies and States (for the respective cities) that were shared with us are:

Memorandum of Understanding between the United States Trade and Development Agency(USTDA) and the Government of Andhra Pradesh of the Republic of India on Cooperation to support the development of Smart Cities in Andhra Pradesh-namely Visakhapatnam.
Memorandum of Understanding between the United States Trade and Development Agency (USTDA) and the Government of Rajasthan of the Republic of India on Cooperation to support the development of Smart Cities in Rajasthan- namely Ajmer.
Memorandum of Understanding between the United States Trade and Development Agency (USTDA) and the Government of Uttar Pradesh of the Republic of India on Cooperation to support the development of Smart Cities in Uttar Pradesh- namely Allahabad.
Memorandum of Understanding between the Agence Francaise De Developpement and the Government of the Union Territory of Chandigarh of the Republic of India on Technical Cooperation in the field of Sustainable Urban Development.
Memorandum of Understanding between the Agence Francaise De Developpement and the Government of Maharashtra on Technical Cooperation in the field of Sustainable Urban Development.
Memorandum of Understanding between the Agence Francaise De Developpement and the Government of the Union Territory of Puducherry of the Republic of India on Technical Cooperation in the field of Sustainable Urban Development.

Key clauses under the MoU between the United States Trade and Development Agency (USTDA) and the governments of Andhra Pradesh, Rajasthan and Uttar Pradesh are:

The MoU undertaken by the USTDA for the development of Visakhapatnam, Allahabad and Ajmer clearly establishes that the document only cements the intention of the body to assist in the development of these cities and funding must be addressed separately.
The USTDA intends to contribute specific funding for feasibility studies, study tours, workshops/training, and any other projects mutually determined, in furtherance of this interest. The USTDA will also fund advisory services for the same.
The USTDA will seek to bring in other US government agencies such as the Department of Commerce, the US Export Import Bank and other trade and economic agencies to encourage US-India infrastructure development cooperation and support the development of smart cities in Vishakhapatnam, Allahabad and Ajmer.
One of the key points the USTDA stresses on is the creation of a Smart Solutions for Smart Cities Reverse Trade Mission, where Indian delegates will get a chance to showcase their methodologies and inventions in the United States.
The MoU also talks about involving industry organisations in the development of Smart Cities, to address important aviation and energy related infrastructure connected to developing smart cities.
The respective State Governments of the cities will provide resources for the development of these smart cities, including technical information and data related to smart cities planning; staff, logistical and travel support, and state budgetary resources will be allocated accordingly.

Key clauses under the MoU between the Agency Francaise De Developpement (AFD) and the governments of Maharashtra, Chandigarh and Puducherry are:

The MoU with AFD is along the same lines but with more detail provided in the field of research in sustainable urban development. It comprises of four articles dealing with implementation, research, resource allocation and cooperation.
The AFD clearly states that it will adopt an active role in managing and implementing the project.
The AFD will equip the respective state governments with a technical cooperation programme which will include a pool of French experts from the public sector, complemented by experts from the private sector.
The MoU goes on to state the various vectors of sustainable urban development that will be the focal point of this project – urban transport, water and waste management, integrated development and urban planning, architecture and heritage, renewable energy, energy efficiency etc.
Apart from strategizing, the AFD looks to provide technical support as well. This technical expertise would be used to strengthen strategy and management of urban services in the city.
They would also play a key role in management through the creation of a Special Purpose Vehicle(SPV) to build strategic management (Human Resources, finance, potential market assessment) and capacity building for financial management.
As per Article II of the MoU, this support framework will be accompanied by annual reviews, a policy similar to the USTDA Smart Solutions for Smart Cities Reverse Mission with Indian and French counterparts, collaboration between academic and research institutions for the exchange of information, documentation and results of research in the field of smart cities (a key policy to establish firm research groundwork and increase cooperation and innovation), capacity building research and development.
Article III of the MoU deals with resource allocation wherein the respective State Governments will assist AFD by providing technical information and data related to smart cities planning, and also meet their logistical requirements.

For more details visit https://cis-india.org/internet-governance/blog/rti-on-smart-cities-mission-in-india

RTI on Officials and Agencies Authorized to Intercept Telephone Messages in India

praskrishna — 2013-07-15T05:23:54Z

In an RTI mailed on April 17, 2013, the Centre for Internet and Society sought comprehensive information on the officials and agencies authorized to intercept telephone messages in India.

A portion of the RTI still awaits response, as it was redirected to the Department of Electronics and Information Technology. But on May 23, 2013 Rakesh Mittal of the Ministry of Home Affairs responded in brief and directed us to the 2007 Amendment to the 1885 Indian Telegraph Act.

Referring to rule 419-A of the amendment and the Ministry of Home Affairs website, we find that within central government the power to order communications surveillance is normally reserved for Union Home Secretary, a position held by Shir Anil Goswami as of June 30, 2013 (previously R.K. Singh). The amendment goes on to say, “In unavoidable circumstances,” however, such an order can be commanded by a Joint Secretary who has been authorized by Union Home Secretary Goswami. On the federal level, the Ministry of Home Affairs includes nearly 20 such Joint Secretaries able to be authorized for making interception commands.

A listing of the original question requests are given below:

Please provide a list containing name, rank and office address of the officers/agencies authorized by the Central Government to issue an order for interception under section 5(2) of the Telegraph Act, 1885
Please provide a list containing name, rank and office address of the officers authorized to issue interception orders under Rule 419A(1) of the Telegraph Rules, 1951 in unavoidable circumstances when such orders cannot be issued by the secretary to the Government of India, Ministry of Home Affairs.
Please provide a list containing the name, rank and office address of the officers/agencies designated as “competent authority” in terms of the Rule 419A(1) proviso of the Telegraph Rules, 1951.
Please provide a list of the agencies authorized by the Central Government to intercept, monitor, decrypt any information generated, transmitted, received or stored in any computer resource under section 69(1) of the Information Technology Act, 2000.
Please provide a list of the agencies authorized by the Central Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource under section 69-B of the Information Technology Act, 2000.
Please provide a list containing name, rank and office address of the officers/agencies authorized to issue interception orders under Rule 3, first proviso, of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
Please provide a list of the agencies authorised to intercept, monitor, decrypt any information generated, transmitted, received or stored in any computer resource under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009.

For more details visit https://cis-india.org/internet-governance/resources/rti-on-officials-and-agencies-authorized-to-intercept-telephone-messages-in-india

RTI on Complaints under Section 79 of IT Act

praskrishna — 2013-06-12T09:50:40Z

The Department of Electronics and Information Technology, Ministry of Communications and Information Technology, gave its reply to an RTI application filed by Saket Bisani. We are reproducing the text below:

No. 14(146)/2012-ESD
M/o Communications & Information Technololgy
Department of Electronics & Information Technology
Electronics Niketan,6, CGO Complex
New Delhi-110003

																					Dated: 15.1.13

Subject: RTI application received from Shri Saket Biswani

With reference to your RTI application requesting for the following information.

In an article titled "We believe in the freedom of speech and expression" published in Mint of February 1, 2012, Dr. Gulshan Rai has been quoted saying:

"if the police say something has to be disabled, we tell then (Google and others) that a complaint has come under section 79 of the IT Act. We feel them: "we're bringing it to your notice. Please look at it and do whatever best you can do under the law."

With respect the above quote I request you to provide me the following information under Right to Information Act, 2005:

Please provide me a copy of every complaint that has been received by the Department of Information Technology (now the Department of Electronics and Information Technology) under Section 79 of the Information Technology Act, 2000.
Please provide me a copy of every notice and complaint that your office has sent pursuant to complaints received under section79 of the Information Technology Act, 2000.

The information as received from the custodian of the information is placed below:

Department of Electronics and Information Technology has not received any complaint quoting specifically under Section 79 of the Information Technology Act,2000.
Not applicable.

																		(A.K. Kaushik) Additional Director & CPIO (E-Security & Cyber Laws)

Shri Saket Bisani
No. 194, 2nd ׳C Cross
Domlur 2nd Stage *
Bangalore-560 071

Read a scanned version of the reply that we got from the Department of Electronics and Information Technology.

For more details visit https://cis-india.org/internet-governance/resources/rti-on-complaints-under-it-act-section-79

RTI and Third Party Information: What Constitutes the Private and Public?

Noopur Raval — 2011-11-24T09:21:20Z

The passing of the Right to Information Act, 2005 was seen as giving an empowering tool in the hands of the citizens of India, six years post its implementation, loopholes have surfaced with misuse of the many fundamental concepts, which have yet not been defined to allow for a consistent pattern of decisions. Among many problems that emerge with the Act, a major problem is defining the extent to which an individual has access to other people’s information. While most of us tend to think that asking for other people’s phone numbers, personal details like passport number or IT returns are private and would be kept so, under the RTI Act and as seen in the Central Information Commission (CIC) decisions, all of these details can be availed of by someone who doesn’t know you at all!

According to section 2 (n) of the RTI Act, 2005, 'third party' means a person other than the citizen making a request for information and includes a 'public authority'. This implies that the term 'third party' includes anyone other than the appellant or the respondent. In matters where an appellant is seeking information not regarding his or her own activities, or is asking for details of shared records that list details of several persons other than him or her, information cannot be provided until the ‘third party’ consents to disclosure and subsequently until the Central Public Information Office (CPIO), after considering the implications of such disclosure allows it. Section 11 (1) the Act provides the procedure to access third party information wherein the appellant needs to request for the third party’s consent after which the CPIO will produce a written request to the 'third party' and within a stipulated time period obtain their response. However, it is not the information bearer (third party) who holds the key to disclosure. The power, by the RTI Act, 2005, is vested in the public information officer who will then, either see a 'larger public interest', or otherwise allow disclosure based on the merits of the case.

In such a situation, it is interesting to see who the Central Information Commission (CIC) regards as 'third party'. While going through the judgments delivered by the CIC, one comes across several judgments that tell you who can and who cannot access your information. While a son or daughter naturally inherits his/her father’s wealth, land or other possessions, they do not inherit his position for obtaining information. This is just one instance. Similar holds true for access to information of a deceased kin. Unless the public information officer sees a ‘larger public interest’ in disclosure of such information, it cannot be revealed even to the deceased’s wife, husband or children unless they hold a power of attorney specifically to a right to access information.

This brings us to the question of ‘larger public interest’ and what information can be delved to anyone for this cause. While the RTI Act, 2005, clearly states that the appellant needs not a reason to ask for any information, it is largely based on the public information officer’s inference as to what the appellant may do with the data and hence, maybe deemed as acting in public interest or for personal gains. This also produces positions of potential criminality and the need for State subjects to prove themselves as ideal information seekers, void of malice in order for the public information officer to rule in their favour.

Third party position is a problematic one as it only goes so far as to define the state-mediated interaction between two subjects in relation to each other through legal machinery that holds massive discretionary powers to disclose or withhold information. Hence, while, in relation to ‘third party’, a subject may need to justify his larger benevolent interests, the State finds no problems revealing or disclosing information for its own good. In Shri Rajender Kumar Arya vs Dy. Commissioner of Police (DCP), (4 March 2009), the commission ruled that they now have the decision of the Madras High Court in the context of right to privacy in light of the RTI Act. The Madras High Court observed that with the advent of the Right to Information Act, section 3 of the Act entitles a citizen to the right of information. Section 4(2) of the said Act obliges a public authority to disclose information to common people. Even personal information or information, which may otherwise amount to an invasion of privacy, may also be disclosed if the larger public interest so warrants. The court in fact came to the conclusion that the right to privacy virtually fades out in front of the 'Right to Information' and 'larger public interest’. This tells us that ‘third party’ is a mere negotiating position from which the State itself regulates information flow to citizens and can revoke these privileges as and when needed.

Moreover, there is no clear definition to the ‘larger public interest’ or ‘invasion of privacy’. In several judgments, the committee upholds principles of natural justice to justify instance of public good but these cannot be upheld for all decisions. It is also interesting to see what comes under the purview of ‘public information’. It’s a misconception if you think that you hold the right to revealing your age, birth date, place you belong to, your marks, the rank that you hold, the salary you get, the returns you file or subsequently any of this information regarding your children. As upheld in Madhulika Rastogi vs Regional Passport Office, New Delhi, on 4 February 2009, M. Rajamannar vs PIO, AC Division, Indira Gandhi National Open University on 18 February 2009 and A.V.Subrahmanyam vs BSNL, Hyderabad on 16 February 2009 — the judgments illustrate that information submitted to public authorities at any point in time whether to get admitted to school, to get a license, to pass a public services examination or even file a divorce; all qualify for access to other people because they have been knowingly submitted to the public domain. A lot of sensitive information like passport details, telephone call records and medical records that can map intimate interactions of a person’s daily life can also be obtained if larger public interest is proven.

Hence, it becomes important to revise and rethink the commonly accepted notions of privacy, especially when information gains such strategic importance as well as fluidity through fast expanding platforms as well as tools such as RTI. While one may confidently think that information generated by the self, pertaining to one’s own business and life rightfully belongs to the private domain, it is very important to realize the constantly looming hold of the State to any information. In such a situation, what you can claim as private data totally depends on how much common interest it garners.

For more details visit https://cis-india.org/internet-governance/blog/rti-and-third-party-info