We are anonymous, we are legion

Response to RTI on Decisions of the Cyber Regulation Advisory Committee

pranesh — 2013-01-09T15:26:26Z

The Department of Electronics & Information Technology, Ministry of Communications & Information Technology responded to a right to information (RTI) application filed by Saket Bisani on behalf of the Centre for Internet & Society on July 13, 2012 through notification No. 14(110)/2012-ESD, dated October 3, 2010.

No. 14(110)/2012-ESD
M/o Communiciations & Information Technology
Department of Electronics & Information Technology
Electronics Niketan, 6, CGO Complex
New Delhi-110003

Dated:3.10.2012

Subject: RTI application received from Shri Saket Biswani

With reference to your RTI application dated 13.7.12 requesting for the following information.

Question

a) Please provide me a list of the dates of each meeting of the CRAC held from October 18, 2000 till July 13, 2012?

b) Please provide me copies of the minutes of every meeting held by the Cyber Regulation Advisory Committee from October 18, 2000 till July 13, 2012.

c) Provide me the list of all policy decisions that the CRAC has advised the Central Government on under section 88(3) (a) of the Information Technology.

d) Provide me a list of all policy decisions that the CRAC has advised the Central Government on under section 88(3)(a) of the Information Technology Act, 2000.

The information as received from the custodian of the information is placed below:

Answer

a) The meetings of CRAC were held on 6^th March, 2001 and 17-18 March, 2001.

b) Minutes of these two meetings of CRAC are attached.

c) No such advice was given by CRAC to DeitY under section 88(3)(a).

d) Information is attached.

(A.K. Kaushik)
Additional Director & CPIO
(E-Security & Cyber Laws)

To: Shri Saket Bisani
No. 194, 2^nd 'C' Cross,
Domlur 2^nd Stage
Bangalore-560 071

Minutes of the First Meeting of the Cyber Regulation Advisory Committee (CRAC) held on March 6, 2001, at Electronics Niketan, under the Chairmanship of Hon’ble Minister* (IT) Shri Pramod Mahajan.

(List of Participants enclosed as Annexure-A)

The chairman welcomed the participants to the First Meeting of the Committee. In his opening remarks he hoped that the Committee would play a constructive role in the implementation of the Information Technology Act.
While introducing the Agenda (circulated ahead of the meeting), Controller of Certifying Authorities (CCA) made a short presentation on proposed "Regulation.; under section 89 of the IT Act" consisting of 18 proposed Regulations, Smart Card as token carrying Keys, and various suggested Amendments to the IT ACT 2000.
During the ensuing discussions, participants sought some time to study and collate associated inputs from their respective colleagues/specialists before offering any concrete suggestions/recommendations. Chairman agreed to the suggestions and postponed the meeting to 11:00 AM on the March 17, 2001 at the same venue. Based on the recommendation of Secretary (IT), members were requested to forward their inputs, if any, through e-mail within a weeks time to the following:

For Regulations wider section 89 of IT Act	For amendments to IT Act 2000
Shri K.N. Gupta (CCA) Room No. 4006, Electronics Niketan 6 CGO Complex New Delhi 110003 e-mail:kgupta@mit.gov.in Tele: 436 3073 Fax: 439 5982	Shri A.B. Saha (Member Secretary) Room No. 2055, Electronics Niketan 6 CGO Complex New Delhi 110003 e-mail:saha@mit.gov.in Tele: 436 0958 Fax: 436 2924

Meeting ended with a vote of thanks to the Chair.

Minutes of the Second Meeting of the Cyber Regulation Advisory Committee (CRAC) held on 17-18 March, 2001 at Electronics Niketan, New Delhi under the Chairmanship of Hon'ble Minister (IT), Shri Pramod Mahajan.

(List of Participants enclosed as Annexure-A)

The chairman welcomed the participants to the second meeting of the Committee to consider further the draft regulations proposed by the Controller of Certifying Authority (CCA). ' " ~
During the ensuing discussions, following general recommendations/decisions were arrived at governing the overall formulation of the regulations that are necessary to bring about infrastructure facilitating activities envisaged under the IT Act 2000:

a) Any regulation to be framed by the Controller draws its authority only from Section 89(2) of the Act. Moreover, such regulations should complement the Rules already framed under the Section 87 of the Act.

b) To keep pace with the changing technology and standards, CCA may publicly notify/modify necessary specifications of technology, standards and procedures at regular interval (say, January of every year). Moreover, to adhere to the "principles of minimal governance", if any particular necessity emerges for inclusion of newer manifestations of any existing standard/technology/procedure, Controller should respond within ninety (90) days after receiving any specific request in writing, failing which it will deemed to have obtained his concurrence.

c) The commercial practices/interests may form the essential pedestal for the certification process. Aspects of cross-certification may preferably be left to the purview of the concerned market forces. However, the necessary interoperability will essentially be "market-driven" and not "authority-driven". This will also ensure that formulated rules and regulations stay in tune with market realities.

d) Strict adherence to open standards should be ensured to avoid emergence of monopoly of any kind.

e) Considering cost sensitiveness of the requisite digital signature certificate, families of technologies varying in convenience, reliability, availability, robustness, etc. may be allowed to inter-operate. However, CCA may undertake public awareness campaign to promote desirable best practices from time to time.

f) The minimal regulations facilitating activities envisaged in the Act is desirable. Some of the proposed provisions can also be ensured in the form of "terms & conditions" governing the operations of Certifying Authorities.

g) Emergence of guidelines governing smooth functioning may be better left to publications brought out by industry associations, public-minded professionals etc. Formulating rules and regulations in these regards should be minimal.

3. After framing the draft compilation of the requisite regulations in accordance with the conventional legal form in terms of content as well as structure with the assistance of the Ministry of Law, the regulations may be brought to the Ministry of Information Technology for approval.

4 The Committee considered the 18 regulations proposed in Agenda Item No.1 and the statement reproduced below contains the decision taken against each proposal.

SI	Item	Conclusions
1	Regulation 1 Standardising on two key-pairs for PKI in the country. Key-pair generation for subscribers by CAs.	Regulation not required. Encryption Key pair not part of the IT Act. Already covered under Rule 3, 4 & 5 of notified CA Rules. Subscriber should be at liberty to bring his key pair that CA may verify before acceptance. (Section 40 of the Act)
2	Regulation 2 Encryption key-pair of subscribers to be maintained by CAs in a database and made available to enforcement and law agencies under directions of the Controller.	Regulation not required. IT Act is silent regarding encryption.
3	Regulation 3 Disclosure Record of CA.	Disclosure may be done every six months. Necessary format for disclosure may be notified from time to time. (Para 2(f) above)
4	Regulation 4 Encryption Key Pair of CA to be made available to the Controller.	Regulation not required in accordance to conclusions against 1 & 2 above.
5	Regulation 5 Cross-Certification with foreign CAs.	As per recommendation 2(c) above.
6	Regulation 6 Terms and Conditions subject to which license shall be issued by the Controller to the prospective CAs.	Can be merged with regulation 11. As per the recommendation mentioned in 2(c) above.
7	Regulation 7 Standards that may be considered for different activities associated with the CAs functions including standardization of contents of the Certificates to be issued by CAs and standardization of the Certificate Revocation List.	As per the recommendation 2(b) above.
8	Regulation 8 Information to be made publicly available by a CA on its website. Notice of suspension or revocation of license.	CA must harness all form of networks and other practical media, and not only Internet, for disclosure to its subscriber and other interested parties.
9	Regulation 9 Standardisation of Certificate Practice Statement.	Agreed.
10	Regulation 10 Compromise of subscribers Digital Signature Key-Pair	Agreed.
11	Regulation 11 Description of classes of Certificates.	Shall be merged with regulation 6 above. In addition to 3 classes of certificates as identified by international bodies, the regulation should be open to additional classes of certificates, if required.
12	Regulation 12 Cross-Certification of CAs.	It should be market-driven. (Recommendation 2(c) above).
13	Regulation 13 Incorporation of Controllers Public Key Certificate as the "root” in all web browsers in the country.	Regulation not required. Need for integrating Controller's root key in the browsers may not be feasible.
14	Regulation 14 Minimum key length for CAs and subscribers.	Agreed for the provision of 1024 bits for subscriber/end-user and 2048 bits for CAs key pair.
15	Regulation 15 Audit of applicants to include manpower audit as well. Liability of CAs towards subscribers on account of their negligence.	Regulation not required. Audit provision has already been covered under Rule 31 of CA rules notified by MIT.
16	Regulation 16 Storage of Key-Pairs of CAs. Distribution of Key-Pairs / Certificates of subscribers by CAs.	Not to be regulated. Recommendation 2(e) above shall be followed.
17	Regulation 17 Documents to be submitted to the Controller along with the application for obtaining license to operate as CA.	Already covered under rule 10 of CA rules notified by MIT. Any additional information can be sought through the recourse of public notices from time to time.
18	Regulation 18 Upon acceptance of PKC by a subscriber, the PKC shall be published by the CA as required under the IT Act for access by the subscribers and relying parties. The CA will ensure the transmission of PKC and CRLs to the National Repository to be maintained by the Controller.	Agreed.

Meeting ended with a vote of thanks to the Chair.

Annexure - A

First sitting of the second meeting of the “Cyber Regulation Advisory Committee” held on 17th March 2001 to consider adjourned agenda of the first meeting held on 6ft March 2001

List of Participants

Sh Pramod Mahajan, Minister, Information Technology - Chairman
Sh.S.C Jain , Secretary, Legislative Department
Sh Vinay Kohli, Secretary, Ministry of Information Technology
Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
Dr. Jaimini Bhagwati, Ministry of Finance
Maj.Gen. M. G. Datar, Addl.D.G, IT, Army HQ, Ministry of Defence
Sh Mukesh Mittal, Dy Secy, Ministry of Home Affairs
Sh T A Khan, Sr. Dir, NIC, Ministry of Commerce
Sh. K.R Ganapathy,CGM-IC,RBI

10. Sh.S.R-Mittal,Adviser,DIT, Reserve Bank of India

11. Sh Dewang Mehta, President, NASSCOM

12. Sh Amitabh Singhal, President, Internet Service Providers Association

13. Sh LN Behra, DIG, Director, Central Bureau of Investigation

14. Sh K N Gupta, Controller of Certifying Authority

15. Sh. Qamar Ahmed. Addl.C.P/Crime, DG Police by rotation from the States

16. Prof. R S Sirohi. I1T Delhi, Director, IIT Delhi

17. Sh.Sanjay Dhawan, ExecDirector,KPMG, Representing CII

18. Sh. M.A.J.Jeyaseelan, Secretary, FICCI

19. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM

20. Sh A B Saha, Senior Director, Ministry of IT - Member Convener

First sitting of the second meeting of the “Cyber Regulation Advisory Committee” held on 18th March 2001 to consider adjourned agenda of the first meeting held on 6ft March 2001

List of Participants

Sh Pramod Mahajan, Minister, Information Technology - Chairman
Sh.N.L. Meenu, Jt. Secretary, Legislative Department
Sh Vinay Kohli, Secretary, Ministry of Information Technology
Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
Dr. Jaimoni Bhagwati, Ministry of Finance
Maj.Gen. M G Datar, Ministry of Defence
Sh Mukesh Mittal, Dy Secy, Ministry of Home Affairs
Sh T A Khan, Sr. Dir, NIC, Ministry of Commerce
Sh. K.R Ganapathy,CGM-IC,RBI

10. Sh Dewang Mehta, President, NASSCOM

11. Sh Amitabh Singhal, President, Internet Service Providers Association

12. Sh LN Behra, DIG, Director, Central Bureau of Investigation

13. Sh K N Gupta, Controller of Certifying Authority

14. Sh. Dinesh Bhatt, Dy. Police Commissioner, Delhi

15. Prof. R S Sirohi. I1T Delhi, Director, IIT Delhi

16. Sh.Sanjay Dhawan, ExecDirector,KPMG, Representing CII

17. Sh. M.A.J.Jeyaseelan, Secretary, FICCI

18. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM

19. Sh A B Saha, Senior Director, Ministry of IT - Member Convener

For more details visit https://cis-india.org/internet-governance/resources/deity-response-to-rti-on-decisions-of-crac

Response to GCSC on Request for Consultation: Norm Package Singapore

Arindrajit Basu, Gurshabad Grover and Elonnai Hickok — 2019-01-27T15:43:12Z

The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call-offering comments on all six norms and proposing two further norms.

The Global Commission on the Stability of Cyberspace, a multi-stakeholder initiative comprised of eminent individuals across the globe that seeks to promote awareness and understanding among the various cyberspace communities working on issues related to international cyber security. CIS is honoured to have contributed research to this initiative previously and commends the GCSC for the work done so far.

The GCSC announced the release of its new Norm Package on Thursday November 8, 2018 that featured six norms that sought to promote the stability of cyberspace.This was done with the hope that they may be adopted by public and private actors in a bid to improve the international security architecture of cyberspace

The norms introduced by the GCSC focus on the following areas:

Norm to Avoid Tampering
Norm Against Commandeering of ICT Devices into Botnets
Norm for States to Create a Vulnerability Equities Process
Norm to Reduce and Mitigate Significant Vulnerabilities
Norm on Basic Cyber Hygiene as Foundational Defense
Norm Against Offensive Cyber Operations by Non-State Actors

The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call-offering comments on all six norms and proposing two further norms. We sincerely hope that the Commission may find the feedback useful in their upcoming deliberations.

Read the full submission here

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-gurshabad-grover-elonnai-hickok-january-22-2019-response-to-gcsc-on-request-for-consultation

Response by the Centre for Internet and Society to the Draft Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department’s National Telecommunications and Information Administration

pranesh — 2015-11-29T06:35:12Z

This proposal was made to the Global Multistakeholder Community on August 9, 2015. The proposal was drafted by Pranesh Prakash and Jyoti Panday. The research assistance was provided by Padmini Baruah, Vidushi Marda, and inputs from Sunil Abraham.

For more than a year now, the customers and operational communities performing key internet functions related to domain names, numbers and protocols have been negotiating the transfer of IANA stewardship. India has dual interests in the ICANN IANA Transition negotiations: safeguarding independence, security and stability of the DNS for development, and promoting an effective transition agreement that internationalizes the IANA Functions Operator (IFO). Last month the IANA Stewardship Transition Coordination Group (ICG) set in motion a public review of its combined assessment of the proposals submitted by the names, numbers and protocols communities. In parallel to the transition of the NTIA oversight, the community has also been developing mechanisms to strengthen the accountability of ICANN and has devised two workstreams that consider both long term and short term issues. This 2 is our response to the consolidated ICG proposal which considers the proposals for the transition of the NTIA oversight over the IFO.

Click to download the submission.

For more details visit https://cis-india.org/internet-governance/blog/response-by-the-centre-for-internet-and-society-to-the-draft-proposal-to-transition-the-stewardship-of-the-internet-assigned-numbers-authority-iana-functions-from-the-u-s-commerce-department2019s-national-telecommunications-and-information-administration

Responding to govt requests is a challenge for online firms: Colin Maclay

praskrishna — 2013-03-15T05:07:10Z

Colin M. Maclay, MD of Berkman Center for Internet and Society at Harvard, on challenges in cyberspace.

Colin M. Maclay, MD of Berkman Center for Internet and Society at Harvard mentions about the Centre for Internet and Society, Bangalore in his interview done by LiveMint. The article was published in LiveMint on March 13, 2013.

Mumbai: Colin M. Maclay, managing director of the Berkman Center for Internet and Society at Harvard University, says that companies such as Google Inc. and Facebook Inc. are facing their greatest challenge in responding appropriately to governments that demand user information from them as part of regular practice or to abuse power. In an email interview to Mint on Wednesday, Maclay underscored the policy gaps on the Internet, differences in cyber laws across nations and the forces transforming education, media and technology companies online. He hopes to elaborate on some of these views in Mumbai on Thursday, the concluding day of Ficci Frames,a conclave on the media and entertainment industry that began on Tuesday. Edited excerpts:

How vulnerable are we because of the information shared on email platforms such as Gmail or Yahoomail or on social networks like Facebook?

We are vulnerable in many ways as we share information about ourselves and our friends, sometimes wisely and other times indiscriminately. But this information is later shared with many third-party tracking networks so that the highest bidder can advertise to us the product they think we want. That information is also sold to other interested parties, from businesses to governments. Other business offerings like facial recognition software only make the proposition spookier. Many of them want to responsibly monetize our data typically for advertising or improving their service offerings although we may not all agree on what that means in practice.

Are any laws being considered in the US to protect people’s privacy online?

Privacy around telephony, wiretaps for instance, is much better than Internet-related government requests. There are a host of laws and regulations around privacy in the US, but many of my colleagues would likely say that they are inadequate—not keeping up with the technology, actual use or business practice. They are also in conflict with European laws, which suggests the need to resolve these differences. In this gap, practices like the Google and Twitter Transparency Reports are significant steps forward in telling what governments are actually doing around the world with respect to online privacy and expression. India’s government has a noteworthy presence in these reports, as does the US.

Is it easier for the government to get personal information of suspects’ activity online from Google or Facebook than it would be through an offline search warrant?

There are questionable requests made to companies to provide user information, censor content or other such action by law enforcement agencies in various jurisdictions. Often it is legitimate, and companies should respond accordingly, while at other times, companies may overreach unintentionally, requesting much more information than they need or broader censorship due to their own lack of understanding. In other cases, as part of regular practice or in an informal abuse of power, governments will make requests that do not hold up scrutiny to the rule of law and due process. They may have political or economic motivations, for instance. It’s in discerning between these cases, and figuring out how to respond appropriately, that the companies face their greatest challenge.

Has the freedom of expression been limited by the governments?

The OpenNet initiative, a research collaboration between the Citizen Lab at the University of Toronto and the Berkman Center at Harvard, has documented the rise of state-sponsored Internet censorship from a handful of countries a decade ago to over 40 countries today. Beyond technical control, there is a massive increase in copyright-related takedowns that include legitimate takedowns, plus many attempts at economic and political control. There are informal legal and process controls on content. There is also a wide range of self-censorship that’s difficult to document.

How are these companies addressing the issue?

In recognition of the difficult situation, companies such as Google, Microsoft Corp., Yahoo Inc. (Facebook is an observer at present), non-government organizations like Human Rights Watch, Center for Democracy and Technology (CDSA) and the Centre for Internet and Society in Bangalore and investors like Calvert Investments Inc. and F&C Asset Management Plc, founded the Global Network Initiative (GNI) in October 2008 to protect and advance privacy and freedom of expression online.

Cybercrimes like credit card frauds surface time and again...why is the Internet still not secure enough?

It goes back to beginnings of the Internet, it was built to be open rather than secure. That said, there are a variety of different concerns, including organizations doing an inadequate job of securing the credit card data they hold. That’s their fault and it seems there should be policy solutions that require better security and exact penalties for lapses and bad practice to encourage better behaviour. Credit card fraud online and offline is a problem, and unfortunately it sometimes effectively punishes countries with risk by automatically denying cards—effectively leaving users in those countries without access to e-commerce.

On the good side, top universities around the world now offer online education, How is it transforming the education system?

Like many analog institutions that are adopting digital resources, it’s unclear what will happen. Hopefully it will lower prices, increase learning opportunities, and improve learning all in a sustainable way. We can’t deny, however, the role of in-person interaction whether it’s while seeing friends, dating or doing business and learning is no different.

Looking at trends, laptops began replacing desktops and now tablets are becoming a preferred personal computing device. What’s next?

A decade ago it was laptops or mobiles, and the price of laptops came down, but the mobile network proliferated even faster. Smartphones continued to drop in price and increase in potential, laptops are lighter than ever, tablets have come up, even operating systems are beginning to converge. Now, immersive experiences like Google Glass are coming. It’s hard to know what’s next, but I hope that device convergence will serve as an enabler rather than a limiter.

For more details visit https://cis-india.org/news/livemint-ruchita-saxena-march-13-2013-responding-to-govt-requests-is-a-challenge-for-online-firms

Respite from Internet Censorship?

praskrishna — 2012-08-10T15:51:30Z

Of late, a lot of the blocked websites have started reappearing. So should we sit back and relax? We take a look at how it's not really the start of something beautiful...writes Nimish Sawant. Sunil Abraham is quoted.

Published in thinkdigit on June 2, 2012

In April, Chennai based Copyrights Labs got a John Doe order (An order against no one in particular) from Madras High Court which ordered ISPs to block several video hosting websites such as Vimeo and Dailymotion along with a string of torrent sites such as Isohunt and Pirate Bay. The motive was to prevent illegal sharing of the movies 3 and Dhammu. The ISPs went on this whole website blocking spree welcoming users with messages such as, “This website has been blocked as per instructions from the Department of Telecom (DoT)”.

In June, the Madras High Court issued an order which made it mandatory for complainants to provide exact URLs where they find illegal content, such that ISPs could block only that content and not the entire site.

This order is definitely a relief for Indian internet users, who were facing a variety of blocked websites for a couple of months. In the May-June period there was a lot of media coverage around Internet censorship and then there was the much-hyped Anonymous protest (http://goo.gl/YCQod) that saw a not-so-great participation. Just like most media stories, it is slowly departing from the public conciousness. So does this mean our censorship woes are behind us?

Far from it.

The dark cloud of Intermediaries Guidelines
The Information Technology (Intermediaries Guidelines) Rules 2011 were added to the IT Act 2000. According to it, the intermediaries (website, domain registrar, blog owner and so on) guidelines allows the government to pull up any website that hosts “objectionable” content. It gives anyone the right to send “content removal notice” to an intermediary, asking it to be removed within 36 hours. Terms describing such content - grossly harmful, harassing, blasphemous, defamatory, obscene - are those that are open to interpretation. So, Facebook can be hauled up for derogatory content or pages on its site. Hell, even if you own a blog and someone else posts a derogatory comment, you can be pulled up.

This is a rather smart move by the government to force self-censorship down our throats. Just try imagining - Every 60 seconds: on YouTube there are 48 hours worth of videos uploaded; Wordpress users publish 347 blogs; Twitter users send over 100,000 tweets among others. (Source: http://goo.gl/U7qT8) How on earth is monitoring such a vast amount of data even possible?

Karnika Seth, Cyberlaw Expert	"Any content which is illegal can be blocked by ISP or on directions of a court.A person who uploads illegal content does not have a right to claim that it should not be blocked. But if harmless content is blocked arbitrarily by government or by an ISP, a person can approach the court for a direction that content should not be blocked from public access. No specific section in IT Act entitles a person to sue in such cases . However freedom of speech and expression is our fundamental right guaranteed under Art.19 of the Constitution of India and it is our constitutional right to seek legal redress for its protection by approaching the court."

Karnika Seth, Cyberlaw Expert

"Any content which is illegal can be blocked by ISP or on directions of a court.A person who uploads illegal content does not have a right to claim that it should not be blocked. But if harmless content is blocked arbitrarily by government or by an ISP, a person can approach the court for a direction that content should not be blocked from public access. No specific section in IT Act entitles a person to sue in such cases . However freedom of speech and expression is our fundamental right guaranteed under Art.19 of the Constitution of India and it is our constitutional right to seek legal redress for its protection by approaching the court."

Every site has internal checks and balances in the form of a 'Report Abuse' option, where users raise flags against content which they may find objectionable and the site takes a call. But with the intermediary rules, the content has to be removed within 36 hours. And here's the kicker – the content can be removed without informing the owner or giving him or her a chance to defend. A political cartoon website cartoonsagainstcorruption.com was a victim of such rules. In March this year, Rajya Sabha MP, P. Rajeeve, had moved a motion calling for the annulment of the intermediaries rules sometime in April. This motion, as would be expected, was defeated by a voice vote.

“Any content which is illegal can be blocked by the ISP or on directions of a court. A person who uploads illegal content does not have a right to claim that it should not be blocked. But if harmless content is blocked arbitrarily by government or by an ISP, a person can approach the court for a direction that content should not be blocked from public access,” said cyberlaw expert Karnika Seth. When asked if there is a clause in the IT Act which enables a person to drag the government or the ISP for blocking access to their harmless content on the web, Seth said, “No specific section in the IT Act entitles a person to sue in such cases . However, freedom of speech and expression is our fundamental right guaranteed under Art.19 of the Constitution of India and it is our constitutional right to seek legal redress for its protection by approaching the court.”

So what should one do if his or her content is blocked due to the blanket ban on websites? “If I am blocked access to my content on the web (say by blocking sites such as Vimeo or Blogspot for instance) I should file an appeal against the John Doe order in the higher court or to the division bench of High court if earlier order has been passed by single bench of the same High court. These provisions are there for any citizen in Procedural Law of India. The IT Act, 2000 need not be invoked,” says Advocate Prashant Mali, President, Cyber Law Consulting.

Google Transparency report clearly established a link between internet censorship and the government. According to the report, between January and June 2011 Google received 1739 requests for disclosure of user data from the Indian government whereas from July to December 2011, the number of requests by the government went up to 2207. Thankfully Google's compliance rate has come down, but the requests will keep increasing. And this is just Google products we are talking about. Is it then right for just the government to go ahead and draft the rules regarding internet usage? Are there provisions for you, the user to play a part in drafting of these rules. According to Advocate Mali, laws are generally put up for debate on various Government websites. But in the case of the Intermediaries Guidelines, the government used the two-thirds majority to pass the rules.

According to Sunil Abraham, Director, Centre for Internet and Society – a Bangalore-based internet advocacy group, we are very far in terms of Internet policies. “Dr. Gulshan Rai of CERT-IN has not taken even the public feedback process seriously and does not hold public consultations. This is very unlike TRAI, the telecoms regulator that has a very sophisticated approach towards transparent and participatory policy formulation.” He says that in India there is little transparency in some areas of policy articulation and our representatives do not seem sufficiently interested in protecting the public interest.

Also according to Adv. Mali, the recent Madras High Court directive asking the ISPs to block only the ‘pirated content’ and not the entire website, is just half the battle won for the ISPs. “If ISP's feel they have won, then that's just half the victory, because if they don't implement the order with full might and even if one copyright gets infringed because of there weak enforcement, then it would amount to Contempt of Court which will land ISP's into soup,” he says.

“The Madras High Court judgement which essentially directs ISPs to block “pirated content”, and not the website as a whole, is a good judgment with respect to Internet users, but implementing it selectively would be a mammoth task for ISP's. If ISP's feel they have won, then it's just half the battle won, because if they don't implement the order with full might and even if one copyright gets infringed because of weak enforcement, then it would amount to Contempt of Court which will land ISP's into soup."

Advocate Prashant Mali, President, Cyber Law Consulting

Is the Anonymous way, the right way?
In June, we saw the global hactivist organisation - Anonymous attacking a string of Government websites and that of ISPs such as Reliance communications, which had blocked access to websites. On June 9, there was a street protest across various metros in India. While the participation was not very encouraging, the sympathy for what Anonymous hackers were doing to those opposing Internet censorship was immense.

According to Advocate Mali, though the agenda of Anonymous was good, their means of achieving that end were wrong. “One cannot put a gun on the Government’s head in a democracy. If they keep doing this, they will be outlawed. If Anonymous really wants to work for the netizens, they should find better ways to protest instead of those which are cognizable cyber crimes in India.” said Mali.

According to Abraham, Anonymous are embracing the civil disobedience movement to protest against unjust laws. He feels that it is pertinent for Anonymous to retain the moral high ground. “Breaking into servers, leaks of personal information and defacement of websites is both illegal and also unlikely to win them more supporters from within the policy formulation space,” concurs Abraham.

Sunil Abraham, Executive Director, Centre for Internet & Society

“The government ie. the government in power, does only frame subsidiary rules. For example – the draconian rules related to reasonable security measures, cyber cafes and intermediaries were drafted in April last year. The main Act in this case the Information Technology Act is framed in the Lok Sabha and Rajya Sabha. Even though the elected government may dominate the proceedings, if they have a clear majority, the opposition parties must debate every detail especially in laws that affect our civil liberties. Unfortunately, since the Internet is not used by the majority of the population it is politically still an insignificant issue. The private sector cannot frame laws that regulate itself – that would be a contradiction in terms. Citizens cannot be asked to vote in referendums each time laws have to be passed, that would just be too slow. Transparency representative democracy is the online option – unfortunately in India there is little transparency in some areas of policy articulation and our representatives don't seem to be sufficiently interested in protecting the public interest.”

Where do we go from here?
So it is safe to say that even though the issue of censorship is not making headlines everyday, it will never will be behind us. “This is just a temporary lull in the storm. Governments are always keen to crack down on free speech and privacy online,” feels Abraham. According to him, projects such as Unique Identification (UID) and National Intelligence Grid (NATGRID) means the death of anonymity and pseudonymity for Internet and mobile users in the country.

On the other hand, Adv. Mali says that so long as the Intermediaries guidelines are part of the IT Act, it will only mean bad news for regular netizens. “Till the rules are effective, censorship and blocking would be a weapon in the hands of the Government, even though it may violate certain Fundamental Rights enshrined by Indian Constitution to Indian Citizens,” he said.

“Indian Internet users have to be very vigilant – if not, we will loose all our rights and freedoms one by one,” warns Abraham.

We can just hope that the issue does not get completely out of hand.

For more details visit https://cis-india.org/news/www-thinkdigit-com-nimish-sawant-02-06-2012-respite-from-internet-censorship

Research Initiative: Women in India's IT Industry

jdine — 2013-03-06T10:31:48Z

CIS has begun a brief research project which will examine indicators of female economic empowerment in the IT industry in India. Though the gathering of quantitative and qualitative data from the six largest publicly-traded Indian software companies, we hope to provide insight into state of female employment in one of the most important and rapidly growing economic sectors in the country.

The recent events and subsequent discussions surrounding the brutal gang rape and murder of a young Delhi woman on a bus last December in Munirka, New Delhi, have prompted dialogue in mainstream discourses about the position of women in India, and have lead many to scrutinize the treatment of women within various spheres of Indian society. What has become increasingly apparent following the events of December 16^th is that effective longterm change for Indian women cannot be achieved by harsher consequences or more rigorous transport regulations, but instead through widespread recognition of the routine discrimination faced by Indian women in their public, private and professional lives. The latter sphere is of particular interest to the Indian context, as although the last two decades have seen an unprecedented number of Indian women enter the formal workforce, issues of female economic empowerment tend to get downplayed when juxtaposed against the entirety of the system of discrimination and violence faced by women in India.

As a brief foray into the reality of female economic empowerment in India, CIS has decided to carry out a small though hopefully telling research project on some of the largest corporate players in the Indian IT industry. The aim of this research is to gain a better understanding of the state of female employment, gender equality and the qualitative experience of being a working woman in one of the most important and rapidly growing economic sectors in the country.

Using NASSCOM's annual industry ratings from 2007-2012,[1] we put together a list of the six software companies headquartered in India that appeared in the top five spots at least twice between the years 2007-2012. These companies are Tata Consultancy Services Ltd., Infosys Ltd., Wipro Ltd., HCL Tech Ltd., Tech Mahindra and Mahindra Satyam. Through formal requests for data and a handful of qualitative interviews, we will be gathering information from these companies and their employees that will eventually by compiled into a short report that will be publicly available on our website.

(A brief explanation of why we chose to use NASSCOM's industry list can be found at the end of this article,[2] along with some notes on the change of ownership of Mahindra Satyam and its merger with Tech Mahindra).[3]

Why the IT Industry?

In 2012, an international consulting and management firm called Booz & Company released “The Third Billion”, a global ranking of the level of economic empowerment attained by woman on 128 countries. The indicators used included equal pay for equal work, non-discrimination policies, the male-to-female-male employee ratio, and equality in terms of female managers and senior business leaders.[4] India rated quite poorly at spot 115.[5] Further, the International Labour Force recently reported that the rate of female participation in the total labour force[6] in India has fallen from 37% in 2004-05 to 29% in 2009-10, leaving India at the 11th lowest spot out of 131 countries.[7] Despite these declining rates, it was estimated in 2010 that approximately 5.5 million Indian women were entering the formal workforce each year at that period in time,[8] and though the aforementioned statistics likely indicate that a larger proportion of men are entering the formal workforce each year than women, this is a significant amount of employees, many of whom will be facing a unique set of challenges in the workplace simply because of their gender. In fact, research done by the Centre for Talent Innovation has found that 55% of female Indian employees routinely encounter such severe bias in the workplace that they disengage from their work or consider dropping out altogether.[9]

This is where the IT industry comes in. From an aggregate revenue of USD 3.9 billion in Fiscal Year (FY) 1998[10] to more than USD 100 billion in FY2012,[11] the Indian IT-BPO industry has been growing exponentially over the last 15 years, and it continues to be one of the fastest growing sectors in the Indian economy. Further, it has rapidly become one of the most economically significant industries in India in terms of share of total exports (approximately 25% for FY2012)[12] export revenue (USD 69.1 billion and growing by more than 16%)[13] and proportion of national GDP (from 1.2% in FY1998 to 7.5% in FY2012).[14] IT services alone account for more than half of the software and services exports in the industry, and is the fastest growing segment of the sector at 18%.[15] Further, NASSCOM estimates that the sector will create 230,000 jobs in FY2012,[16] increasing the number of individuals employed directly in India's IT-BPO industry to about 2.8 million individuals.[17] The industry is estimated to indirectly employ another 8.9 million people.[18]

Because the IT industry in India is such an important source of employment for young Indian professionals (the median age of IT-BPO employees in India was about 24[19] in 2011), and because an unprecedented amount of those young professionals are women (women made up 42% of India's college graduates in 2010, and that figure was expected to continue to rise),[20] IT companies have the potential to become leading examples of women-friendly employers. However, according to DataQuest's Best Employer Survey 2012, the percentage of women employed in the IT industry in India has actually decreased from 26% in 2010 to 22% in 2012[21] even though the number of jobs created in this sector continues to increase annually. Again, these statistics most likely point to a larger number of males available for employment than females (and therefore a larger proportion of men being employed), but they also show that the number of women employed in the IT sector is not significantly increasing (or even increasing at all).

Considering, then, how important the IT industry may be for the employment of young female professionals (and if it is not now, it will be soon), the responsibility to create nondiscriminatory and comfortable workplace environments should fall heavily on the largest and most economically significant companies in the software sector, as they have the opportunity to set precedents not only for the rest of the industry but for Indian employers as a whole.

How are these industry giants faring in terms of the treatment of their female employees?

To commence this research, I have collected some basic facts about the Board of Directors and executive management teams of the six Indian IT companies off of their websites and annual reports. This brief preliminary foray into the industry has revealed that although many of these companies promote gender equality in the workplace and women in senior positions of authority, the Indian software sphere continues to be almost entirely male-dominated.

The collected statistics on Board members and executive management teams are listed below. It bears keeping in mind that while the information on the Board of Directors may be quite reliable (depending on how recently each company has updated their website) and therefore appropriate to use as a tool of comparative analysis, the information on the executive management teams can be misleading, as each company appears to have a different criteria of what constitutes a senior management team (for example, Tata Consultancy Services lists two individuals, their CEO and CFO, as their executive management team, but Wipro Ltd. lists 24 individuals from a variety of different departments).

Because we were not certain of how recently each company had updated its website, we have prioritized the data on the Boards from their annual Investor's Reports over the information available on their websites.

Tata Consultancy Services Limited
TCS' annual report for the 2011-2012 fiscal year reports a 14 member Board of Directors with one female non-executive director. This woman is not Indian. The report also lists a 28-member strong management team with two female members, and their website lists

Number of women on the Board: 1/14

Number of women holding executive management positions: 2/30

Infosys Limited
Infosys Ltd. has 15 Board members: six executive members, none of which are women; one male chairperson; and eight non-executive independent members, one of whom is a woman, but not an Indian woman.

Further, Infosys lists 14 individuals in their executive management team,[22] one of whom is a woman. It is interesting to note that this female member is the group head of Human Resources as well as being one of five senior Vice Presidents.[23] Infosys also has an Executive Council made up of 13 members, including one Indian woman.

Number of women on the Board: 1/15
Number of women holding executive management positions: 1/14

Wipro Limited
Wipro's Board of Directors is made up of 12 men: one executive chairman, two executive directors, and nine independent directors.

As for their executive management team, the website lists 24 executive leaders, two of whom are women.[24] Wipro also has a Corporate Executive Council of six men.

Number of women on Board: 0/12

Number of women in executive management team: 2/23

HCL Tech Limited
HCL's Board has nine members, two of whom are executive members. The other seven members are listed as being independent, non-executive members. One of these non-executive members is a woman; she is not Indian.

On their website[25] they list 18 members of their leadership team, none of whom are female.

Number of women on Board: 1/9

Number of women holding executive management positions: 0/18

Tech Mahindra
On Tech Mahindra's Board of Directors sits a non-executive chairman, one executive member, six non-executive independent members, and three non-executive directors. None of these individuals are female. On their website, seven employees appear to make up the leadership team of this company, one of whom is a woman. Interestingly, this individual is also the head of HR.[26]

Number of women on Board: 0/11

Number of women holding executive management positions: 1/7

Mahindra Satyam
According to their 2011-2012 annual report, Mahindra Satyam's Board of Directors boosts 6 members: a male chairman, one male CEO, and four non-executive board members, one of whom is an Indian woman.

Further, there appears to be six members of the leadership team[27] including the CEO, none of whom are female.

Number of women on Board: 1/6

Number of women holding executive management positions: 0/6

Summary of Board of Director Data

Number of female chairpersons in the 6 largest IT companies in India: 0/6

Number of women seated on the Board of Directors of the top 6 IT companies in India: 4/67

Executive (excluding chairmen/vice-chairmen): 0/14

Non-Executive (excluding chairmen/vice-chairmen): 4/47

Female Indian members: 1/4

Number of female employees in senior management positions: 6/98

While these numbers may be sobering, they are not exceptionally low, or even below average. According to The Globe and Mail's 11^th annual Board Games report on corporate governance, the percentage of Board seats held by women on Boards of Directors in the Indian corporate sector in 2012 was 5.3%, meaning that, at an approximately 6% of seats held by female members, our very small sample size is actually sitting just above the Indian average. However, when compared to the other BRIC countries at 5.1%, 5.9% and 8.5% respectively,[28] India is still lagging behind when it comes to having women in positions of senior authority in the corporate world.

Further, considering that these are the largest corporate IT companies in the industry, and the majority carry out activities across the globe, they probably have, on average, larger and more diverse Boards of Directors than our average mid- to large-sized Indian software company. Further, two out of six companies do not even have one female member on their Board. As for those remaining four, it is likely that these companies may be the exception and not the rule when it comes to the number of women on the Boards in the Indian IT.

As for executive management, the world average for the percentage of women in senior management roles was 21% in 2012, a meagre increase from the global average of 19% in 2004.[29] The same study that produced these figures also found that the proportion of women holding senior management positions in India was 14%, placing the data from our sample size way below the curve at approximately 6%. However, due to issues discussed earlier in this post, this figure is not an accurate representation of the executive management teams of all six companies; future research will hopefully provide us with more factual statistics.

This is not to say that the IT sector in India is the only industry that should be concerned with its low rates of female employment and attainment of seniority, nor should its industry giants be the only corporate entities publicly scrutinized in this manner. The economic empowerment of women in India is an on-going struggle that is played out in many spheres in the Indian society, including the non-profit sector. In fact, if we perform a similar breakdown of CIS' Board of Directors and staff, the results are comparable to those of the IT companies:

According to our 2011-2012 annual report, our Board of Directors boosts 8 members, two of whom are executive members of CIS' management team. One of these individuals is an Indian woman.

Further, of our 14 staff members, four are women.

[1]. NASSCOM. 2012. Industry Rankings: Top 20 Players in IT Services. [online] Retrieved from http://www.nasscom.org/industry-ranking on January 21st, 2013.

[2]. The NASSCOM industry ranking is a well-regarded annual ranking of the IT sector in India that is often used as a resource in various research initiatives and similar publications, and it appears to be widely accepted as a legitimate ranking by both those within the industry and by entities from other sectors. The ranking is determined using revenue information provided by each company for their activities in India, which we thought was a strong indicator of their significance to the industry and the Indian economic engine as a whole. Finally, NASSCOM carries out this ranking each year, which will allow us to use a similar methodology in choosing our research subjects should we choose to reproduce this research annually.

[3]. If you look at the NASSCOM list of top 20 for 2007-2008, you will see that a company called Satyam Computer Services. This company was taken over by the Mahindra Group in 2009, and was rebranded as Mahindra Satyam to reflect its new parent company. This is why Mahindra Satyam is included in our list, though it first appeared on the NASSCOM Industry Rankings for the 2011-2012 fiscal year; we counted the appearance of Satyam Computer Services in the fourth spot in the rankings for 2007-2008 as a point towards Mahindra Satyam.

Further, it was announced in March of 2012 that Mahindra Satyam and Tech Mahindra would be merging; however, this had not yet happened by the end of the 2012 fiscal year and therefore we will treat Mahindra Satyam and Tech Mahindra as separate and independent entities in this research project.

[4]. Aquirre, D., Hoteit, L., Rupp, C., & Sabbaugh, K. 2012. Empowering the Third Billion: Women and the World of Work in 2012. [pdf] Booz & Company. Accessible at: http://bit.ly/SXdZ6P

[5]. ibid.

[6]. The rate of female labour participation indicates the proportion of the female population above the age of 15 that supplies labour for the production of goods and services on the formal market in a given time period.

[7]. International Labour Organization. February 13, 2013. India: Why is Women's Labour Force Participation Dropping? [online] Retrieved from http://bit.ly/11EGYCM on February 22^nd, 2013.

[8]. Hewlett, S. A., Fredman, C., Leader-Chivee, L., & Rashid, R. 2010. The Battle for Female Talent in India. New York: Center for Work-Life Policy.

[9]. Hewlett, S. A. November 1, 2012. “More Women in the Workforce Could Raise GDP by 5%.” Harvard Business Review. [online] Retrieved from http://bit.ly/YrxyFA February 23^rd, 2013.

[10]. Embassy of India. 2007. India's Information Technology Industry. [online] Retrieved from http://www.indianembassy.org/indiainfo/india_it.htm on February 23^rd, 2013.

[11]. NASSCOM. 2012. Indian IT-BPO Industry. [online] Retrieved from http://www.nasscom.in/indian-itbpo-industry on February 24^th, 2013.

[12]. ibid.

[13]. ibid.

[14]. ibid.

[15]. NASSCOM. 2012. IT Services. [online] Retrieved from http://www.nasscom.in/it-services on February 25^th, 2013.

[16]. NASSCOM. 2012. Indian IT-BPO Industry. [online] Retrieved from http://www.nasscom.in/indian-itbpo-industry on February 24^th, 2013.

[17]. ibid.

[18]. ibid.

[19]. Business Standard. January 31, 2011. Employee Retention Key Challenge for IT, BPO Cos. [online] Retrieved from http://bit.ly/13sCizA on February 24^th, 2013.

[20]. Hewlett, Sylvia A. & Rashid, Ripa. December 3, 2010. “India's Crown Jewels: Female Talent.” Harvard Business Review. [online] Retrieved from http://bit.ly/gpv7CQ on February 23^rd, 2013.

[21]. Sharma, P. October 29, 2012. “Gender Inclusivity, Still a Key Challenge.” DataQuest. [online] Retrieved from http://bit.ly/TPkz1F on February 19^th, 2013.

[22]. Information retrieved from: http://infy.com/cVfEwp

[23]. According to the Grant Thornton International Business Report for 2012, the majority of women employed in senior management positions are heads/directors of Human Resources (21%). It has been argued that women tend to get employed in Human Resources due to a perceived “natural transfer of skills”--meaning that women are believed to be pre-disposed to excel at Human Resources-related tasks and responsibilities simply because of the experiences and norms of their gender. For a more profound discussion of this phenomenon, please visit: http://www.hreonline.com/HRE/view/story.jhtml?id=533345673

[24]. Information retrieved from: http://bit.ly/13sBtXJ

[25]. Information retrieved from: http://bit.ly/Kdm0vP

[26]. Please see footnote 23

[27]. Information retrieved from: http://bit.ly/148kLsv

[28]. Information retrieved from: http://bit.ly/XVvpp3

[29]. Grant Thornton. 2012. “Women in Senior Management: Still Not Enough.” in Grant Thornton International Business Report 2012. Grant Thornton. [pdf] Accessible at: http://bit.ly/HCjKTG

For more details visit https://cis-india.org/internet-governance/blog/women-in-indias-it-industry

Research Advisory Network Meeting

praskrishna — 2014-07-03T06:39:38Z

All sessions will take place at the OECD Headquarters, located at 2 Rue André Pascal, 75016, Paris, France. Sunil Abraham is participating in the event.

For agenda and other details, click here.

Hosting of the Event

The Organisation for Economic Co-operation and Development (OECD) has agreed to host this meeting of the Global Commission on Internet Governance’s Research Advisory Network (RAN). The OECD will provide meeting space and logistical support, and is committed to engaging the project in the development of evidence-based policy recommendations for the future of Internet governance.

Meeting Participant List

Special Guests

James Kaplan
Bill Woodcock

OECD Staff

Aaron Martin
Anne Carblanc
Sam Paltridge
Alexia Gonzalez Fanfalone
Lorrayne Porciuncula

Commission Secretariat

Caroline Baylon
Eric Jardine
Mark Raymond
Aaron Shull
Brenda Woods

Research Advisory Network Biographies

Sunil Abraham / @sunil_abraham

Sunil Abraham is the executive director of the Centre for Internet and Society (CIS). CIS is a five year old policy and academic research organization focusing on accessibility, access to knowledge, Internet governance, telecom, digital natives and digital humanities. He founded Mahiti in 1998, a social enterprise that provides technology to civil society for which he was elected an Ashoka fellow in 1999. Between June 2004 and June 2007, Sunil also managed the International Open Source Network, a project of UNDP serving 42 countries in the Asia-Pacific region.

Subimal Bhattacharjee / @subimal

Subimal Bhattacharjee is an independent consultant on defence and cyber issues, working primarily with government and private sector advisory panels in India. He is the former India country director for General Dynamics International Corporation. Subimal is a columnist and internationally respected speaker on issues of Internet governance and cyber security.

Bertrand de La Chapelle / @bdelachapelle

Bertrand de La Chapelle is the Director of the Internet & Jurisdiction Project, a global multistakeholder dialogue process developing a due process framework to handle the diversity of national laws in cross-border online spaces. He served as a Director on the ICANN Board from 2010 to 2013. From 2006 to 2010, he was France’s Thematic Ambassador and Special Envoy for the Information Society, participating in all WSIS follow-up activities and Internet governance processes, including in particular the Internet Governance Forum (IGF), and was a Vice-Chair of ICANN’s Governmental Advisory Committee (GAC). Bertrand is a graduate of Ecole Polytechnique, Sciences Po Paris and Ecole Nationale d’Administration.

Laura DeNardis / @LauraDeNardis

A scholar of Internet architecture and governance, Dr. Laura DeNardis is a CIGI senior fellow and professor at American University. She is an affiliated fellow at Yale Law School’s Information Society Project and previously served as its Executive Director. She is the Director of Research for the Global Commission on Internet Governance and is the author of The Global War for Internet Governance (Yale University Press 2014).

Patrik Fältström / @patrikhson

Patrik Fältström is head of research and development at Netnod. Previously, he was a distinguished engineer at Cisco, technical specialist at Tele2, systems manager at the Royal Institute of Technology, researcher at Bunyip Information Systems and a programmer in the Royal Swedish Navy. He has been a member of numerous advisory groups and investigations related to the Internet, both public and private sector. Patrik holds an M.Sc. in mathematics from the University of Stockholm.

Paul Fehlinger / @PaulFehlinger

Paul Fehlinger is the co-founder and manager of the Internet & Jurisdiction Project, a global multi-stakeholder dialogue process developing a due process framework to enable the coexistence of diverse national laws in cross-border online spaces. He started working on Internet governance at Sciences Po Paris and the Max Planck Institute for the Study of Societies. He is since actively engaged in the UN Internet Governance Forum, EuroDIG and other global Internet fora.

Fen Hampson

Fen Osler Hampson is a distinguished fellow and director of the Global Security & Politics Program at the Centre for International Governance Innovation (CIGI). He has served as director of the Norman Paterson School of International Affairs and is concurrently chancellor’s professor at Carleton University. He is the recipient of various awards and honours and is a frequent commentator and contributor to international media.

Clem Herman / @clemherman

Clem Herman is a senior lecturer in the Department of Computing and Communications at the UK Open University, and was previously director of the Manchester Women’s Electronic Village Hall (WEVH) pioneering the use of ICTs to empower women. She has published widely on gender issues in technology and is the founder and editor-in-chief of the International Journal of Gender Science and Technology.

Konstantinos Komaitis / @kkomaitis

Konstantinos Komaitis is a policy advisor at the Internet Society, focusing primarily on the field of digital content and intellectual property. Before joining the Internet Society in July 2012, he was a senior lecturer at the University of Strathclyde in Glasgow. Konstantinos holds a Ph.D. in law and his thesis focused on issues of intellectual property and the Internet, with particular focus on the intersection of trademarks and domain names. He is the author of The Current State of Domain Name Regulation.

Young-eum Lee

Young-eum Lee is a professor in the Department of Media Arts and Sciences at Korea National Open University. She has been involved in various Internet governance policy making processes of the Korean domain name .kr at KISA (KRNIC), and has also been involved in global Internet governance activities at ICANN. Since 2003, she has been a council member of the ccNSO representing .kr in the Asia-Pacific region. Young-eum received her M.A. in Communication Science at Northwestern University and her doctorate in Communication from the University of Michigan.

Tim Maurer

Tim Maurer is a research fellow at the New America Foundation’s Open Technology Institute. He focuses on cyberspace and international affairs, namely Internet governance, cyber-security, and human rights online. In October 2013 and February 2014, he spoke about cyber-warfare at the United Nations. Tim’s research has been published and featured by national and international print, radio and television media, including Harvard University, Foreign Policy, CNN and Slate among others. He conducts academic research as a non-resident research fellow at the University of Toronto’s Citizen Lab.

Emily Taylor / @etaylaw

Emily Taylor is a renowned expert in the field of Internet law and governance, and provides research services in areas including security, IPv6 deployment, internationalised domain names, the domain name industry, and global policy development. Her roles in the Internet sphere include chair of the WhoIs Review Committee for ICANN 2012, member of the Multistakeholder Advisory Group to the IGF (2006-2012), director of Synetergy (providing Sunrise Dispute resolution services to the largest gTLD applicant, Donuts), and several ongoing non-executive directorships.

Rolf H. Weber

Rolf H. Weber is professor for civil, commercial and European law at the University of Zurich Law School. Since 2008, he is the director of the Information and Communication Law Center at the University of Zurich, a member (now Vice-Chairman) of the Steering Committee of the Global Internet Governance Academic Network (GigaNet) as well as a member of the European Dialogue on Internet Governance (EuroDIG). Since 2009, he has been a member of the High-level Panel of Advisers of the Global Alliance for Information and Communication Technologies and Development (GAID) and author of frequent publications on Internet Governance.

Andrew Wyckoff

Andrew W. Wyckoff is the director of the OECD’s Directorate for Science, Technology and Industry. Prior to the OECD, he was a program manager of the Information, Telecommunications and Commerce program of the US Congressional Office of Technology Assessment, an economist at the US National Science Foundation and a programmer at the Brookings Institution. Andrew holds a Master of Public Policy from the JFK School of Government, Harvard University.

Special Guest Biographies

James M. Kaplan

James M. Kaplan is a partner at McKinsey & Company in New York. He convenes McKinsey's global practices in IT infrastructure and cyber-security. He has assisted leading institutions in implementing cyber-security strategies, conducting cyber-war games, optimizing enterprise infrastructure environments and exploiting cloud technologies. James led McKinsey's collaboration with the World Economic Forum on "Risk & Responsibility in a Hyper-Connected World," which was presented at the Forum's recent Annual Meeting in Davos. He published on a variety of technology topics in the McKinsey Quarterly, the Financial Times, the Wall Street Journal and the Harvard Business Review Blog Network.

Bill Woodcock

Bill Woodcock is the executive director of Packet Clearing House, the international non-governmental organization that builds and supports critical Internet infrastructure, including Internet exchange points and the core of the domain name system. Since entering the Internet industry in 1985, Bill has helped establish more than one hundred and fifty Internet exchange points. In the early 1990s, Bill developed the anycast routing technique that now protects the domain name system. In 2002 he co-founded INOC-DBA, the security-coordination hotline system that interconnects the network operations centers of more than three thousand ISPs around the world. And in 2007, Bill was one of the two international liaisons deployed by NSP-Sec to the Estonian CERT during the Russian cyber-attack.

For more details visit https://cis-india.org/news/research-advisory-network-meeting

Request for Specifics: Rebuttal to UIDAI

hans — 2016-10-30T15:06:31Z

Responding to the Unique Identification Authority of India’s article that found “serious mathematical errors” in “Flaws in the UIDAI Process” (EPW 12 March 2016), the main mathematical argument used to arrive at the number of duplicates in the biometric database is explained.

The article was published in the Economic & Political Weekly on September 3, 2016, Vol.51, Issue No.36.

The author of a technical paper will be alarmed when he is convicted of “serious mathematical errors” by someone who has not bothered himself with “going too deep into the mathematics” used. The man must possess miraculous powers of divination one feels: fears rather. The UIDAI seems to have even such formidable diviners in their employ: who have dismissed just so peremptorily, in their rebuttal, the calculations made in my paper titled Flaws in the UIDAI process. The paper appeared in the issue of this journal dated to February 27 of this year. The rebuttal was published in the issue dated to the 12th of March. The interested reader can confirm that I have only repeated what was said there. The rebuttal does not specify, in any way, the mathematical mistakes I am supposed to have made. So I shall rehearse the relevant calculations very broadly: and the experts of the UIDAI will then exhibit, I trust, the specific mistakes they impute to me.[*]

[*]My reply to the UIDAIs attempted rebuttal was sent in to the EPW a few days after that appeared in print: and published as a “web exclusive” article in Volume 51, Issue Number 36 of the EPW, on 03/09/2016.

Read the Full Article

For more details visit https://cis-india.org/internet-governance/blog/economic-and-political-weekly-journal-vol-51-issue-36-september-3-2016-hans-varghese-mathews-request-for-specifics

Report: From Oppression to Liberation: Reclaiming the Right to Privacy

Admin — 2018-12-05T02:48:31Z

Eva Blum-Dumontet, Research Officer at Privacy International, published her report on gender and privacy on November 28, 2018. The report, titled 'From Oppression to Liberation: Reclaiming the Right to Privacy', traces the history of privacy as a tool of oppressing women across different spheres, eventually calling for a feminist reclamation of privacy. Ambika Tandon was quoted.

Whose privacy are we fighting for when we say we defend the right to privacy? In this report we take a hard look at the right to privacy and its reality for women, trans and gender diverse people. We highlight how historically privacy has been appropriated by patriarchal rule and systems of oppression to keep women, trans and gender diverse people in the private sphere.

For us, this report is also an opportunity to show how surveillance and data exploitation are also uniquely affecting women, trans and gender diverse people. We demonstrate how patriarchy and systems of oppression rely on surveillance to perpetuate themselves and how surveillance and data exploitation need the rigid and gender-normative categories of patriarchy to function. We conclude by presenting how protecting the right to privacy can address some of these challenges.

We hope this report will be read as a call for action: privacy needs to be reclaimed by women, trans and gender diverse people.

Download the report

For more details visit https://cis-india.org/internet-governance/news/report-from-oppression-to-liberation-reclaiming-the-right-to-privacy

Report on Understanding Aadhaar and its New Challenges

Japreet Grewal, Vanya Rakesh, Sumandro Chattapadhyay, and Elonnai Hickock — 2019-03-16T04:42:52Z

The Trans-disciplinary Research Cluster on Sustainability Studies at Jawaharlal Nehru University collaborated with the Centre for Internet and Society, and other individuals and organisations to organise a two day workshop on “Understanding Aadhaar and its New Challenges” at the Centre for Studies in Science Policy, JNU on May 26 and 27, 2016. The objective of the workshop was to bring together experts from various fields, who have been rigorously following the developments in the Unique Identification (UID) Project and align their perspectives and develop a shared understanding of the status of the UID Project and its impact. Through this exercise, it was also sought to develop a plan of action to address the welfare exclusion issues that have arisen due to implementation of the UID Project.

Report: Download (PDF)

This Report is a compilation of the observations made by participants at the workshop relating to myriad issues under the UID Project and various strategies that could be pursued to address these issues. In this Report we have classified the observations and discussions into following themes:

1. Brief Background of the UID Project

2. Legal Status of the UIDAI Project

Procedural issues with passage of the Act
Status of related litigation

3. National Identity Projects in Other Jurisdictions

Pakistan
United Kingdom
Estonia
France
Argentina

4. Technologies of Identification and Authentication

Use of Biometric Information for Identification and Authentication
Architectures of Identification
Security Infrastructure of CIDR

5. Aadhaar for Welfare?

Social Welfare: Modes of Access and Exclusion
Financial Inclusion and Direct Benefits Transfer

6. Surveillance and UIDAI

7. Strategies for Future Action

Annexure A Workshop Agenda

Annexure B Workshop Participants

1. Brief Background of the UID Project

In the year 2009, the UIDAI was established and the UID project was conceived by the Planning Commission under the UPA government to provide unique identification for each resident in India and to be used for delivery of welfare government services in an efficient and transparent manner, along with using it as a tool to monitor government schemes. The objective of the scheme has been to issue a unique identification number by the Unique Identification Authority of India, which can be authenticated and verified online. It was conceptualized and implemented as a platform to facilitate identification and avoid fake identity issues and delivery of government benefits based on the demographic and biometric data available with the Authority.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Act”) was passed as a money bill on March 16, 2016 and was notified in the gazette March 25, 2016 upon receiving the assent of the President. However, the enforceability date has not been mentioned due to which the bill has not come into force.

The Act provides that the Aadhaar number can be used to validate a person’s identity, but it cannot be used as a proof of citizenship. Also, the government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service. At the time of enrolment, the enrolling agency is required to provide notice to the individual regarding how the information will be used, the type of entities the information will be shared with and their right to access their information. Consent of an individual would be obtained for using his/her identity information during enrolment as well as authentication, and would be informed of the nature of information that may be shared. The Act clearly lays that the identity information of a resident shall not be sued for any purpose other than specified at the time of authentication and disclosure of information can be made only pursuant to an order of a court not inferior to that of a District Judge and/or disclosure made in the interest of national security.

2. Legal Status of the UIDAI Project

In this section, we have summarised the discussions on the procedural issues with the passage of the Act. The participants had criticised the passage of the Act as a money bill in the Parliament. The participants also assessed the litigation pending in the Supreme Court of India that would be affected by this law. These discussions took place in the session titled, ‘Current Status of Aadhaar’ and have been summarised below.

Procedural Issues with Passage of the Act

The participants contested the introduction of the Act in the form of a money bill. The rationale behind this was explained at the session and is briefly explained here. Article 110 (1) of the Constitution of India defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to the following: a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. The Act makes references to benefits, subsidies and services which are funded by the Consolidated Fund of India (CFI), however the main objectives of the Act is to create a right to obtain a unique identification number and provide for a statutory mechanism to regulate this process. The Act only establishes an identification mechanism which facilitates distribution of benefits and subsidies funded by the CFI and this identification mechanism (Aadhaar number) does not give it the character of a money bill. Further, money bills can be introduced only in the Lok Sabha, and the Rajya Sabha cannot make amendments to such bills passed by the Lok Sabha. The Rajya Sabha can suggest amendments, but it is the Lok Sabha’s choice to accept or reject them. This leaves the Rajya Sabha with no effective role to play in the passage of the bill.

The participants also briefly examined the writ petition that has been filed by former Union minister Jairam Ramesh challenging the constitutionality and legality of the treatment of this Act as a money bill which has raised the question of judiciary’s power to review the decisions of the speaker. Article 122 of the Constitution of India provides that this power of judicial review can be exercised to look into procedural irregularities. The question remains whether the Supreme Court will rule that it can determine the constitutionality of the decision made by the speaker relating to the manner in which the Act was introduced in the Lok Sabha. A few participants mentioned that similar circumstances had arisen in the case of Mohd. Saeed Siddiqui v. State of U.P. [1].

where the Supreme Court refused to interfere with the decision of the Uttar Pradesh legislative assembly speaker certifying an amendment bill to increase the tenure of the Lokayukta as a money bill, despite the fact that the bill amended the Uttar Pradesh Lokayukta and Up-Lokayuktas Act, 1975, which was passed as an ordinary bill by both houses. The Court in this case held that the decision of the speaker was final and that the proceedings of the legislature being important legislative privilege could not be inquired into by courts. The Court added, “the question whether a bill is a money bill or not can be raised only in the state legislative assembly by a member thereof when the bill is pending in the state legislature and before it becomes an Act.”

However, it is necessary to carve a distinction between Rajya Sabha and State Legislature. Unlike the State Legislature, constitution of Rajya Sabha is not optional therefore significance of the two bodies in the parliamentary process cannot be considered the same. Participants also made another significant observation about a similar bill on the UID project (National Identification Authority of India (NIDAI) Bill) that was introduced before by the UPA government in 2010 and was deemed unacceptable by the standing committee on finance, headed by Yashwant Sinha. This bill was subsequently withdrawn.

Status of Related Litigation

A panellist in this session briefly summarised all the litigation that was related to or would be affected by the Act. The panellist also highlighted several Supreme Court orders in the case of KS Puttuswamy v. Union of India [2] which limited the use of Aadhaar. We have reproduced the presentation below.

KS Puttuswamy v. Union of India - This petition was filed in 2012 with primary concern about providing Aadhaar numbers to illegal immigrants in India. It was contended that this could not be done without a law establishing the UIDAI and amendment to the Citizenship laws. The petitioner raised concerns about privacy and fallibility of biometrics.
Sudhir Vombatkere & Bezwada Wilson [3] - This petition was filed in 2013 on grounds of infringement of right to privacy guaranteed under Article 21 of the Constitution of India and the security threat on account of data convergence.
Aruna Roy & Nikhil Dey [4] - This petition was filed in 2013 on the grounds of large scale exclusion of people from access to basic welfare services caused by UID. After their petition, no. of intervention applications were filed. These were the following:
Col. Mathew Thomas [5] - This petition was filed on the grounds of threat to national security posed by the UID project particularly in relation to arrangements for data sharing with foreign companies (with links to foreign intelligence agencies).
Nagrik Chetna Manch [6] - This petition was filed in 2013 and led by Dr. Anupam Saraph on the grounds that the UID project was detrimental to financial service regulation and financial inclusion.
S. Raju [7] - This petition was filed on the grounds that the UID project had implications on the federal structure of the State and was detrimental to financial inclusion.
Beghar Foundation - This petition was filed in 2013 in the Delhi High Court on the grounds invasion of privacy and exclusion specifically in relation to the homeless. It subsequently joined the petition filed by Aruna Roy and Nikhil Dey as an intervener.
Vickram Crishna – This petition was originally filed in the Bombay High Court in 2013 on the grounds of surveillance and invasion of privacy. It was later transferred to the Supreme Court.
Somasekhar – This petition was filed on the grounds of procedural unreasonableness of the UID project and also exclusion & privacy. The petitioner later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013.
Rajeev Chandrashekhar– This petition was filed on the ground of lack of legal sanction for the UID project. He later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013. His position has changed now.
Further, a petition was filed by Mr. Jairam Ramesh initially challenging the passage of the Act as a money bill but subsequently, it has been amended to include issues of violation of right to privacy and exclusion of the poor and has advocated for five amendments that were suggested to the Aadhaar Bill by the Rajya Sabha.

Relevant Orders of the Supreme Court

There are six orders of the Supreme Court which are noteworthy.

Order of Sept. 23, 2013 - The Supreme court directed that: 1) no person shall suffer for not having an aadhaar number despite the fact that a circular by an authority makes it mandatory; 2) it should be checked if a person applying for aadhaar number voluntarily is entitled to it under the law; and 3) precaution should be taken that it is not be issued to illegal immigrants.
Order of 26th November, 2013 – Applications were filed by UIDAI, Ministry of Petroleum & Natural Gas, Govt of India, Indian Oil Corporation, BPCL and HPCL for modifying the September 23rd order and sought permission from the Supreme Court to make aadhaar number mandatory. The Supreme Court held that the order of September 23rd would continue to be effective.
Order of 24th March, 2014 – This order was passed by the Supreme Court in a special leave petition filed in the case of UIDAI v CBI [8] wherein UIDAI was asked to UIDAI to share biometric information of all residents of a particular place in Goa to facilitate a criminal investigation involving charges of rape and sexual assault. The Supreme Court restrained UIDAI from transferring any biometric information of an individual without to any other agency without his consent in writing. The Supreme Court also directed all the authorities to modify their forms/circulars/likes so as to not make aadhaar number mandatory.
Order of 16th March, 2015 - The SC took notice of widespread violations of the order passed on September 23rd, 2013 and directed the Centre and the states to adhere to these orders to not make aadhaar compulsory.
Orders of August 11, 2015 – In the first order, the Central Government was directed to publicise the fact that aadhaar was voluntary. The Supreme Court further held that provision of benefits due to a citizen of India would not be made conditional upon obtaining an aadhaar number and restricted the use of aadhaar to the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene and the LPG Distribution Scheme. The Supreme Court also held that information of an individual that was collected in order to issue an aadhaar number would not be used for any purpose except when directed by the Court for criminal investigations. Separately, the status of fundamental right to privacy was contested and accordingly the Supreme Court directed that the issue be taken up before the Chief Justice of India.
Orders of October 16, 2015 – The Union of India, the states of Gujarat, Maharashtra, Himachal Pradesh and Rajasthan, and authorities including SEBI, TRAI, CBDT, IRDA , RBI applied for a hearing before the Constitution Bench for modification of the order passed by the Supreme Court on August 11 and allow use of aadhaar number schemes like The Mahatma Gandhi National Rural Employment Guarantee Scheme MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions) Prime Minister's Jan Dhan Yojana (PMJDY) and Employees' Providend Fund Organisation (EPFO). The Bench allowed the use of aadhaar number for these schemes but stressed upon the need to keep aadhaar scheme voluntary until the matter was finally decided.

Status of these orders
The participants discussed the possible impact of the law on the operation of these orders. A participant pointed out that matters in the Supreme Court had not become infructuous because fundamental issues that were being heard in the Supreme Court had not been resolved by the passage of the Act. Several participants believed that the aforementioned orders were effective because the law had not come into force. Therefore, aadhaar number could only be used for purposes specified by the Supreme Court and it could not be made mandatory. Participants also highlighted that when the Act was implemented, it would not nullify the orders of the Supreme Court unless Union of India asked the Supreme Court for it specifically and the Supreme Court sanctioned that.

3. National Identity Projects in Other Jurisdictions

A panellist had provided a brief overview of similar programs on identification that have been launched in other jurisdictions including Pakistan, United Kingdom, France, Estonia and Argentina in the recent past in the session titled ‘Aadhaar - International Dimensions’. This presentation mainly sought to assess the incentives that drove the governments in these jurisdictions to formulate these projects, mandatory nature of their adoption and their popularity. The Report has reproduced the presentation here.

Pakistan

The Second Amendment to the Constitution of Pakistan in 2000 established the National Database and Regulation Authority in the country, which regulates government databases and statistically manages the sensitive registration database of the citizens of Pakistan. It is also responsible for issuing national identity cards to the citizens of Pakistan. Although the card is not legally compulsory for a Pakistani citizen, it is mandatory for:

Voting
Obtaining a passport
Purchasing vehicles and land
Obtaining a driver licence
Purchasing a plane or train ticket
Obtaining a mobile phone SIM card
Obtaining electricity, gas, and water
Securing admission to college and other post-graduate institutes
Conducting major financial transactions

Therefore, it is pretty much necessary for basic civic life in the country. In 2012, NADRA introduced the Smart National Identity Card, an electronic identity card, which implements 36 security features. The following information can be found on the card and subsequently the central database: Legal Name, Gender (male, female, or transgender), Father's name (Husband's name for married females), Identification Mark, Date of Birth, National Identity Card Number, Family Tree ID Number, Current Address, Permanent Address, Date of Issue, Date of Expiry, Signature, Photo, and Fingerprint (Thumbprint). NADRA also records the applicant's religion, but this is not noted on the card itself. (This system has not been removed yet and is still operational in Pakistan.)

United Kingdom

The Identity Cards Act was introduced in the wake of the terrorist attacks on 11th September, 2001, amidst rising concerns about identity theft and the misuse of public services. The card was to be used to obtain social security services, but the ability to properly identify a person to their true identity was central to the proposal, with wider implications for prevention of crime and terrorism. The cards were linked to a central database (the National Identity Register), which would store information about all of the holders of the cards. The concerns raised by human rights lawyers, activists, security professionals and IT experts, as well as politicians were not to do with the cards as much as with the NIR. The Act specified 50 categories of information that the NIR could hold, including up to 10 fingerprints, digitised facial scan and iris scan, current and past UK and overseas places of residence of all residents of the UK throughout their lives. The central database was purported to be a prime target for cyber attacks, and was also said to be a violation of the right to privacy of UK citizens. The Act was passed by the Labour Government in 2006, and repealed by the Conservative-Liberal Democrat Coalition Government as part of their measures to “reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.”

Estonia

The Estonian i-card is a smart card issued to Estonian citizens by the Police and Border Guard Board. All Estonian citizens and permanent residents are legally obliged to possess this card from the age of 15. The card stores data such as the user's full name, gender, national identification number, and cryptographic keys and public key certificates. The cryptographic signature in the card is legally equivalent to a manual signature, since 15 December 2000. The following are a few examples of what the card is used for:

As a national ID card for legal travel within the EU for Estonian citizens
As the national health insurance card
As proof of identification when logging into bank accounts from a home computer
For digital signatures
For i-voting
For accessing government databases to check one’s medical records, file taxes, etc.
For picking up e-Prescriptions
(This system is also operational in the country and has not been removed)

France

The biometric ID card was to include a compulsory chip containing personal information, such as fingerprints, a photograph, home address, height, and eye colour. A second, optional chip was to be implemented for online authentication and electronic signatures, to be used for e-government services and e-commerce. The law was passed with the purpose of combating “identity fraud”. It was referred to the Constitutional Council by more than 200 members of the French Parliament, who challenged the compatibility of the bill with the citizens’ fundamental rights, including the right to privacy and the presumption of innocence. The Council struck down the law, citing the issue of proportionality. “Regarding the nature of the recorded data, the range of the treatment, the technical characteristics and conditions of the consultation, the provisions of article 5 touch the right to privacy in a way that cannot be considered as proportional to the meant purpose”.

Argentina

Documento Nacional de Identidad or DNI (which means National Identity Document) is the main identity document for Argentine citizens, as well as temporary or permanent resident aliens. It is issued at a person's birth, and updated at 8 and 14 years of age simultaneously in one format: a card (DNI tarjeta); it's valid if identification is required, and is required for voting. The front side of the card states the name, sex, nationality, specimen issue, date of birth, date of issue, date of expiry, and transaction number along with the DNI number and portrait and signature of the card's bearer. The back side of the card shows the address of the card's bearer along with their right thumb fingerprint. The front side of the DNI also shows a barcode while the back shows machine-readable information. The DNI is a valid travel document for entering Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela. (System still operational in the country)

4. Technologies of Identification and Authentication

The panel in the session titled ‘Aadhaar: Science, Technology, and Security’ explained the technical aspects of use of biometrics and privacy concerns, technology architecture for identification and inadequacy of infrastructure for information security. In this section, we have summarised the presentation and the ensuing discussions on these issues.

Use of Biometric Information for Identification and Authentication

The panelists explained with examples that identification and authentication were different things. Identity provides an answer to the question “who are you?” while authentication is a challenge-response process that provides a proof of the claim of identity. Common examples of identity are User ID (Login ID), cryptographic public keys and ATM or Smart cards while common authenticators are passwords (including OTPs), PINs and cryptographic private keys. Identity is public information but an authenticator must be private and known only to the user. Authentication must necessarily be a conscious process and active participation by the user is a must. It should also always be possible to revoke an authenticator. After providing this understanding of the two processes the panellist then explained if biometric information could be used for identification or authentication under the UID Project. Biometric information is clearly public information and it is questionable if it can be revoked. Therefore it should never be used for authentication, but only for identity verification. There is a possibility of authentication by fingerprints under the UID Project, without conscious participation of the user. One could trace the fingerprints of an individual from any place the individual has been in contact with. Therefore, authentication must certainly be done by other means. The panellist pointed out that there were five kinds of authentication under the UID Project, out of which two-factor authentication and one time password were considered suitable but use of biometric information and demographic information was extremely threatening and must be withdrawn.

Architectures of Identification

The panelists explained the architecture of the UID Project that has been designed for identification purposes, highlighted its limitations and suggested alternatives. His explanations are reproduced below.

Under the UID Project, there is a centralised means of identification i.e. the aadhaar number and biometric information stored in one place, Central Identification Data Repository (CIDR). It is better to have multiple means of identification than one (as contemplated under the UID Project) for preservation of our civil liberties. The question is what the available alternatives are. Web of trust is a way for operationalizing distributed identification but the challenge is how one brings people from all social levels to participate in it. There is a need for registrars who will sign keys and public databases for this purpose.

The aadhaar number functions as a common index and facilitates correlation of data across Government databases. While this is tremendously attractive it raises several privacy concerns as more and more information relating to an individual is available to others and is likely to be abused.

The aadhaar number is available in human readable form. This raises the risk of identification without consent and unauthorised profiling. It cannot be revoked. Potential for damage in case of identity theft increases manifold.

Under the UID Project, for the purpose of information security, Authentication User Agencies (“AUA”) are required to use local identifiers instead of aadhaar numbers but they are also required to map these local identifiers to the aadhaar numbers. Aadhaar numbers are not cryptographically secured; in fact they are publicly available. Hence this exercise for securing information is useless. An alternative would be to issue different identifiers for different domains and cryptographically embed a “master identifier” (in this case, equivalent of aadhaar number) into each local identifier.

All field devices (for example POS machines) should be registered and must communicate directly with UIDAI. In fact, UIDAI must verify the authenticity (tamper proof) of the field device during run time and a UIDAI approved authenticity certificate must be issued for field devices. This certificate must be made available to users on demand. Further, the security and privacy frameworks within which AUAs work must be appropriately defined by legal and technical means.

Security Infrastructure of CIDR

The panelists also enumerated the security features of the UID Project and highlighted the flaws in these features. These have been summarised below.

The security and privacy infrastructure of UIDAI has the following main features:

2048 bit PKI encryption of biometric data in transit
End-to-end encryption from enrolment/POS to CIDR
HMAC based tamper detection of PID blocks
Registration and authentication of AUAs
Within CIDR only a SHA 1 Hash of Aadhaar number is stored
Audit trails are stored SHA 1 encrypted. Tamper detection?
Only hashes of passwords and PINs are stored. (biometric data stored in original form though!)
Authentication requests have unique session keys and HMAC
Resident data stored using 100 way sharding (vertical partitioning). First two digits of Aadhaar number as shard keys
All enrolment and update requests link to partitioned databases using Ref IDs (coded indices)
All accesses through a hardware security module
All analytics carried out on anonymised data

The panellists pointed out the concerns about information security on account of design flaws, lack of procedural safeguards, openness of the system and too much trust imposed on multiple players. All symmetric and private keys and hashes are stored somewhere within UIDAI. This indicates that trust is implicitly assumed which is a glaring design flaw. There is no well-defined approval procedure for data inspection, whether it is for the purpose of investigation or for data analytics. There is a likelihood of system hacks, insider leaks, and tampering of authentication records and audit trails. The ensuing discussions highlighted that the UIDAI had admitted to these security risks. The enrolment agencies and the enrolment devices cannot be trusted. AUAs cannot be trusted with biometric and demographic data; neither can they be trusted with sensitive user data of private nature. There is a need for an independent third party auditor for distributed key management, auditing and approving UIDAI programs, including those for data inspection and analytics, whitebox cryptographic compilation of critical parts of the UIDAI programs, issue of cryptographic keys to UIDAI programs for functional encryption, challenge-response for run-time authentication and certification of UIDAI programs. The panellist recommended that there was a need to to put a suitable legal framework to execute this.

The participants also discussed that information infrastructure must not be made of proprietary software (possibility for backdoors for US) and there must be a third party audit with a non-negotiable clause for public audit.

5. Aadhaar for Welfare?

The Report has summarised the discussions that took place in the sessions on ‘Direct Benefits Transfers’ and ‘Aadhaar: Broad Issues - II’ where the panellists critically analysed the claims of benefits and inclusion of Aadhaar made by the government in light of the ground realities in states where Aadhaar has been adopted for social welfare schemes.

Social Welfare: Modes of Access and Exclusion

Under the Act, a person may be required to authenticate or give proof of the aadhaar number in order to receive subsidy from the government (Section 7). A person is required to punch their fingerprints on POS machines in order to receive their entitlement under the social welfare schemes such as LPG and PDS. It was pointed out in the discussions that various states including Rajasthan and Delhi had witnessed fingerprint errors while doling out benefits at ration shops under the PDS scheme. People have failed to receive their entitled benefits because of these fingerprint errors thus resulting in exclusion of beneficiaries [9]. A panellist pointed out that in Rajasthan, dysfunctional biometrics had led to further corruption in ration shops. Ration shop owners often lied to the beneficiaries about functioning of the biometric machines (POS Machines) and kept the ration for sale in the market therefore making a lot of money at the expense of uninformed beneficiaries and depriving them of their entitlements.

Another participant organisation also pointed out similar circumstances in the ration shops in Patparganj and New Delhi constituencies. Here, the dealers had maintained the records of beneficiaries who had been categorized as follows: beneficiaries whose biometrics did not match, beneficiaries whose biometrics matched and entitlements were provided, beneficiaries who never visited the ration shop. It had been observed that there were no entries in the category of beneficiaries whose biometrics did not match however, the beneficiaries had a different story to tell. They complained that their biometrics did not match despite trying several times and there was no mechanism for a manual override. Consequently, they had not been able to receive any entitlements for months. The discussions also pointed out that the food authorities had placed complete reliance on authenticity of the POS machines and claim that this system would weed out families who were not entitled to the benefits. The MIS was also running technical glitches as a result there was a problem with registering information about these transactions hence, no records had been created with the State authority about these problems. A participant also discussed the plight of 30,000 widows in Delhi, who were entitled to pension and used to collect their entitlement from post offices, faced exclusion due to transition problems under the Jan Dhan Yojana (after the Jandhan was launched the money was transferred to their bank accounts in order to resolve the problem of misappropriation of money at the hands of post office officials). These widows were asked to open bank accounts to receive their entitlements and those who did not open these accounts and did not inform the post office were considered bogus.

In the discussions, the participants also noted that this unreliability of fingerprints as a means of authentication of an individual’s identity was highlighted at the meeting of Empowered Group of Ministers in 2011 by J Dsouza, a biometrics scientist. He used his wife’s fingerprints to demonstrate that fingerprints may change overtime and in such an event, one would not be able to use the POS machine anymore as the machine would continue to identify the impressions collected initially.

The participants who had been working in the field had contributed to the discussions by busting the myth that the UID Project helped to identify who was poor and resolve the problem of exclusion due to leakages in the social welfare programs. These discussions have been summarised below.

It is important to understand that the UID Project is merely an identification and authentication system. It only helps in verifying if an individual is entitled to benefits under a social security scheme. It does not ensure plugging of leakages and reducing corruption in social security schemes as has been claimed by the Government. The reduction in leakage of PDS, for instance, should be attributed to digitization and not UID. The Government claims, that it has saved INR 15000 crore in provision of LPG on identification of 3.34 crore inactive accounts on account of the UID Project. This is untrue because the accounts were weeded by using mechanisms completely unrelated to the UID Project. Consequently, the savings on account of UID are only of INR 120 crore and not 15000 crore.
The UID Project has resulted in exclusion of people either because they do not have an aadhaar number, or they have a wrong identification, or there are errors of classification or wilful misclassification. About 99.7% people who were given aadhaar numbers already had an identification document. In fact, during enrolment a person is required to produce one of 14 identification documents listed under the law in order to get an aadhaar number which makes it very difficult for a person with no identity to become entitled to a social welfare scheme.

A participant condemned the Government’s claim that the UID Project had helped in removing fake, bogus and duplicate cards and said that these terms could not be used synonymously and the authorities had no clarity about the difference between the meanings of these terms. The UID Project had only helped in removal of duplicate cards but had not helped in combating the use of fake and bogus cards.

Financial Inclusion and Direct Benefits Transfer

The participants also engaged in the discussions about the impact of the UID project on financial inclusion in India in the sessions titled ‘Aadhaar: Broad Issues - I & II’. We have summarised these discussions below.

The UID Project seeks to directly transfer money to a bank account in order to combat corruption. The discussions highlighted that this was nothing but introducing a neo liberal thrust in social policy and that it was not feasible for various reasons. First, 95% of rural India did not have functioning banks and banks are quite far away. Second, in order to combat this dearth of banks the idea of business correspondents, who handled banking transactions and helped in opening of bank accounts, had been introduced which had created various problems. The Reserve Bank of India reported that there was dearth of business correspondents as there was very little incentive to become one; their salary is merely INR 4000. Third, there were concerns about how an aadhaar number was considered a valid document for Know Your Customer (KYC) checks. There was a requirement for scrutiny and auditing of documents submitted during the time of enrolment which, in the present scheme of things, could not be verified. Fourth, there were no restrictions on number of bank accounts that could be opened with a single aadhaar number which gave rise to a possibility of opening multiple and shell accounts on a single aadhaar number. Therefore, records only showed transactions when money was transferred from an aadhaar number to another aadhaar number as opposed to an account-to-account transfer. The discussion relied on NPCI data which shows which bank an aadhaar number is associated with but does not show if a transaction by an aadhaar number is overwritten by another bank account belonging to the same aadhaar number.

6. Surveillance and UIDAI

The participants had discussed the possibility of an alternative purpose for enrolling Aadhaar in the session titled ‘Privacy, Surveillance, and Ethical Dimensions of Aadhaar’. The discussion traced the history of this project to gain insight on this issue. We have summarised below the key take aways from this discussion.

There are claims that the main objective of launching the UID Project is not to facilitate implementation of social security schemes but to collect personal (financial and non-financial) information of the citizens and residents of the country to build a data monopoly. For this purpose, PDS was chosen as a suitable social security scheme as it has the largest coverage. Several participants suggested that numerous reports authored by FICCI, KPMG and ASSOCHAM contained proposals for establishing a national identity authority which threw some light on the commercial intentions behind information collection under the UID Project.

It was also pointed out that there was documented proof that information collected under the UID Project might have been shared with foreign companies. There are suggestions about links established between proponents of the UID Project and companies backed by CIA or the French Government which run security projects and deal in data sharing in several jurisdictions.

7. Strategies for Future Action

The participants laid down a list of measures that must be taken to take the discussions forward. We have enumerated these recommendations below.

Prepare and compile an anthology of articles as an output of this workshop.
Prepare position papers on specific issues related to the UID Project
Prepare pamphlets/brochures on issues with the UID Project for public consumption
Prepare counter-advertisements for Aadhaar
Publish existing empirical evidence on the flaws in Aadhaar.
Set up an online portal dedicated to providing updates on the UID Project and allows discussions on specific issues related to Aadhaar.
Use Social Media to reach out to the public. Regularly track and comment on social media pages of relevant departments of the government.
Create groups dedicated to research and advocacy of specific aspects of the UID Project.
Create a Coordination Committee preferably based in Delhi which would be responsible for regularly holding meetings and for preparing a coordinated plan of action. Employ permanent to staff to run the Committee.
Organise an advocacy campaign against use of Aadhaar in collaboration with other organisations and build public domain acceptance.
The campaign must specifically focus on the unfettered scope of UID and expanse, misrepresentation of the success of Aadhaar by highlighting real savings, technological flaws, status of pilot programs and increasing corruption on account of the UID Project
Prepare a statement of public concern regarding the UID Project and collect signatures from eminent persons including academics, technical experts, civil society groups and members of parliament.
Organise events and discussions on issues relating to Aadhaar and invite members og government departments to speak and discuss the issues.
Write to Members of Parliament and Members of Legislative Assemblies raising questions on their or their parties’ support for Aadhaar and silence on the problems created by the UID Project.
Organise public hearings in states like Rajasthan to observe and document ground realities of the UID Project and share these outcomes with the state government and media.
Plan a national social audit and public hearing on the working of UID Project in the country.
File Contempt Petitions in the Supreme Court and High Courts against mandatory use of Aadhaar number for services not allowed by the Supreme Court.
Reach out to and engage with various foreign citizens and organisations that have been fighting on similar issues. The organisations and individuals who could be approached would include EPIC, Electronic Frontier foundation, David Moss, UK, Roger Clarke, Australia, Prof. Ian Angel, Snowden, Assange and Chomsky.
Work towards increasing awareness about the UID Project and gaining support from the student and research community, student organisations, trade unions, and other associations and networks in the unorganised sector.

Annexure A – Workshop Agenda

May 26, 2016

9:00-9:30	Registration
9:30-10:00	Prof. Dinesh Abrol - Welcome Self-introduction and expectations of participants Dr. Usha Ramanathan - Overview of the Workshop
10:00-11:00	Session 1: Current Status of Aadhaar Dr. Usha Ramanathan, Legal Researcher, New Delhi - What the 2016 Law Says, and How it Came into Being S. Prasanna, Advocate, New Delhi - Status and Force of Supreme Court Orders on Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:30	Session 2: Direct Benefits Transfers Prof. Reetika Khera, Indian Institute of Technology, Delhi - Welfare Needs Aadhaar like a Fish Needs a Bicycle Prof. R. Ramakumar, Tata Institute of Social Sciences, Mumbai - Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion Ashok Rao, Delhi Science Forum - Cash Transfers Study Discussion
13:30-14:30	Lunch
14:30-16:00	Session 3: Aadhaar: Science, Technology, and Security Prof. Subashis Banerjee, Dept of Computer Science & Engineering, IIT, Delhi - Privacy and Security Issues Related to the Aadhaar Act Pukhraj Singh, Former National Cyber Security Manager, Aadhaar, New Delhi - Aadhaar: Security and Surveillance Dimensions Discussion
16:00-16:30	Tea Break
16:30-17:30	Session 4: Aadhaar - International Dimensions Joshita Pai, Center for Communication Governance, National Law University, Delhi - Biometrics and Mandatory IDs in Other Parts of the World Dr. Gopal Krishna, Citizens Forum for Civil Liberties - International Dimensions of Aadhaar Discussion
17:30-18:00	High Tea

May 27, 2016

9:30-11:00	Session 5: Privacy, Surveillance and Ethical Dimensions of Aadhaar Prabir Purkayastha, Free Software Movement of India, New Delhi - Surveillance Capitalism and the Commodification of Personal Data Arjun Jayakumar, SFLC - Surveillance Projects Amalgamated Col Mathew Thomas, Bengaluru - The Deceit of Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:00	Session 6: Aadhaar - Broad Issues I Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - How to prevent linked data in the context of Aadhaar Dr. Anupam Saraph, Pune - Aadhaar and Moneylaundering Discussion
13:00-14:00	Lunch
14:00-15:30	Session 7: Aadhaar - Broad Issues II Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - Financial lnclusion Nikhil Dey, MKSS, Rajasthan - Field witness: Technology on the Ground Prof. Himanshu, Centre for Economic Studies & Planning, JNU - UID Process and Financial Inclusion Discussion
15:30-16:00	Session 8: Conclusion
16:00-18:00	Informal Meetings

Annexure B – Workshop Participants

Anjali Bhardwaj, Satark Nagrik Sangathan

Dr. Anupam Saraph

Arjun Jayakumar, Software Freedom Law Centre

Ashok Rao, Delhi Science Forum

Prof. Chinmayi Arun, National Law University, Delhi

Prof. Dinesh Abrol, Jawaharlal Nehru University

Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai

Dr. Gopal Krishna, Citizens Forum for Civil Liberties

Prof. Himanshu, Jawaharlal Nehru University

Japreet Grewal, the Centre for Internet and Society

Joshita Pai, National Law University, Delhi

Malini Chakravarty, Centre for Budget and Governance Accountability

Col. Mathew Thomas

Prof. MS Sriram, Indian Institute of Management, Bangalore

Nikhil Dey, Mazdoor Kisan Shakti Sangathan

Prabir Purkayastha, Knowledge Commons and Free Software Movement of India

Pukhraj Singh, Bhujang

Rajiv Mishra, Jawaharlal Nehru University

Prof. R Ramakumar, Tata Institute of Social Sciences, Mumbai

Dr. Reetika Khera, Indian Institute of Technology, Delhi

Dr. Ritajyoti Bandyopadhyay, Indian Institute of Science Education and Research, Mohali

S. Prasanna, Advocate

Sanjay Kumar, Science Journalist

Sharath, Software Freedom Law Centre

Shivangi Narayan, Jawaharlal Nehru University

Prof. Subhashis Banerjee, Indian Institute of Technology, Delhi

Sumandro Chattapadhyay, the Centre for Internet and Society

Dr. Usha Ramanathan, Legal Researcher

Note: This list is only indicative, and not exhaustive.

[1] Civil Appeal No. 4853 of 2014

[2] WP(C) 494/2012

[3] . WP(C) 829/2013

[4] WP(C) 833/2013

[5] WP (C) 37/2015; (Earlier intervened in the Aruna Roy petition in 2013)

[6] WP (C) 932/2015

[7] Transferred from Madras HC 2013.

[8] SLP (Crl) 2524/2014 filed against the order of the Goa Bench of the Bombay HC in CRLWP 10/2014 wherein the High Court had directed UIDAI to share biometric information held by them of all residents of a particular place in Goa to help with a criminal investigation in a case involving charges of rape and sexual assault.

[9] See :http://scroll.in/article/806243/rajasthan-presses-on-with-aadhaar-after-fingerprint-readers-fail-well-buy-iris-scanners

For more details visit https://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges

Report on the Sixth Privacy Roundtable Meeting, New Delhi

prachi — 2013-08-30T15:04:51Z

In 2013 the Centre for Internet and Society (CIS) drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with Federation of Indian Chambers of Commerce and Industry (FICCI) and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India. The following is a report on the Sixth Privacy Roundtable held in New Delhi on August 24, 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Introduction

A series of seven multi-stakeholder roundtable meetings on "privacy" were conducted by CIS in collaboration with FICCI from April 2013 to August 2013 under the Internet Governance initiative. DSCI joined CIS and FICCI as a co-organizer on April 20, 2013.

CIS was a member of the Justice A.P. Shah Committee which drafted the "Report of Groups of Experts on Privacy". CIS also drafted a Privacy (Protection) Bill 2013 (hereinafter referred to as ‘the Bill’), with the objective of establishing a well protected privacy regime in India. CIS has also volunteered to champion the session/workshops on "privacy" in the final meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: April 13, 2013
Bangalore Roundtable: April 20, 2013
Chennai Roundtable: May 18, 2013
Mumbai Roundtable: June 15, 2013
Kolkata Roundtable: July 13, 2013
New Delhi Roundtable: August 24, 2013
New Delhi Final Roundtable and National Meeting: October 19, 2013

This Report provides an overview of the proceedings of the Sixth Privacy Roundtable (hereinafter referred to as 'the Roundtable'), conducted at FICCI, Federation House in Delhi on August 24, 2013. The Personal Data (Protection) Bill, 2013 was discussed at the Roundtable.

The Sixth Privacy Roundtable began with reflections on the evolution of the Bill. In its penultimate form, the Bill stands substantially changed as compared to its previous versions. For the purpose of this Roundtable, which entailed participation largely from industry organizations and other entities who handle personal data, only the personal data regime was discussed. This debate was distinguished from the general and specific discussion relating to privacy, surveillance and interception of communications as it was felt that greater expertise was required to deal adequately with such a vast and nuanced area. After further discussion with security experts, the provisions on surveillance and privacy of communications will be reincorporated resulting in omnibus privacy legislation. To reflect this alteration in the ambit of the Bill in its current form, its title was changed to Personal Data (Protection) Bill from the more expansive – Privacy (Protection) Bill.

Chapter I – Preliminary

Section 2 of the first chapter enumerates various definitions including ‘personal data’, which is defined as any data that can lead to identification and ‘sensitive personal data’; a subset of personal data defined by way of a list. The main contentions arose in relation to the latter definition.

Religion and Caste

A significant modification is found in the definition of ‘sensitive personal data’, which has expanded to include two new categories, namely, (i) ethnicity, religion, race or caste, and (ii) financial and credit information. Although discussed previously, these two categories have hitherto been left out of the purview of the definition as they are fraught with issues of practicality. In the specific example of caste, the government has historically indulged in large-scale data collection for the purpose of census, for example as conducted by the Ministry of Rural Development and the Ministry of Social Justice and Empowerment, Government of India. Further, in the Indian scenario, various statutory benefits accrue from caste identities under the aegis of affirmative action policies. Hence, categorizing it as sensitive personal data may not be considered desirable. The problem is further exacerbated with respect to religion as even a person’s name can be an indicator. In light of this, some issues under consideration were –

Whether religion and caste should be categorized as sensitive personal data or personal data?
Whether it is impracticable to include it in either category?
If included as sensitive personal data, how should it be implemented?

The majority seemed to lean towards including it under the category of sensitive personal data rather than personal data. It was argued that the categorization of some personal data as sensitive was done on the basis of higher potential for profiling or discrimination. In the same vein, caste and religious identities were sensitive information, requiring greater protection as provided under section 16 of the Bill. Regarding the difficulties posed by revealing names, it was proposed that since it was not an indicator by default, this consideration could not be used as a rationale to eliminate religion from the definition. Instead, it was suggested that programmes sensitizing the populous to the implications of names as indicators of religion/caste should be encouraged. With regard to the issue of census, where caste information is collected, it was opined that the same could be done in an anonymously as well. The maintenance of public databases including such information by various public bodies was considered problematic for privacy as they are often easily accessible and hence have a high potential for abuse. Overall, the conclusion was that the potential for abuse of such data could be better curtailed if greater privacy requirements were mandated for both private and public organizations. The collection of this kind of data should be done on a necessity basis and kept anonymous wherever possible. However, it was acknowledged that there were greater impracticalities associated with treating religion and caste as sensitive personal data. Further, the use and disclosure of indicative names was considered to be a matter of choice. Often caste information was revealed for affirmative action schemes, for example, rank lists for admissions or appointments. In such cases, it was considered to be counter-productive to discourage the beneficiary from revealing such information. Consequently, it was suggested that they could be regulated differently and qualified wherever required. The floor was then thrown open for discussing the other categories included under the definition of ‘sensitive personal data’.

Political Affiliation

Another contentious issue discussed at the Roundtable was the categorization of ‘political affiliation’ as ‘sensitive personal data’. A participant questioned the validity of including it in the definition, arguing that it is not an issue in India. Further, it was argued that one’s political affiliation was also subject to change and hence did not mandate higher protection as provided for sensitive personal data. Instead, if included at all, it should be categorized as ‘personal data’. This was countered by other participants who argued that revealing such information should be a matter of choice and if this choice is not protected adequately, it may lead to persecution. In light of this, changing one’s political affiliation particularly required greater protection as it may leave one more vulnerable. Everyone was in agreement that the aggregation of this class of data, particularly when conducted by public and private organizations, was highly problematic, as evidenced by its historic use for targeting dissident groups. Further, it was accepted unanimously that this protection should not extend to public figures as citizens had a right to know their political affiliation. However, although there was consensus on voting being treated as sensitive personal data, the same could not be reached for extending this protection to political affiliation.

Conviction Data

The roundtable also elicited a debate on conviction data being enumerated as sensitive personal data. The contention stemmed from the usefulness of maintaining this information as a matter of public record. Inter alia, the judicial practice of considering conviction history for repeat offenders, the need to consider this data before issuing passport and the possibility of establishing a sex offenders registry in India were cited as examples for the same.

Financial and Credit Information

From the outset, the inclusion of Financial and Credit information as sensitive personal data was considered problematic as it would clash directly with existing legislations. Specifically, the Reserve Bank of India mandates on all issues revolving around this class of data. However, it was considered expedient to categorize it in this manner due to grave mismanagement associated with it, despite existing protections. In this regard, the handling of Credit Information was raised as an issue. Even though it is regulated under the Credit Information Companies (Regulation) Act, 2005, its implementation was found to be wanting by some participants. In this context, the harm sought to be prevented by its inclusion in the Bill was unregulated sharing of credit-worthiness data with foreign banks and organs of the state. Informed consent was offered as the primary qualifier. However, some participants proposed that extending a strong regime of protection to such information would not be economically viable for financial institutions. Thus, it was suggested that this category should be categorized as personal data with the aim of regulating unauthorized disclosures.

Conclusion

The debate on the definition of sensitive personal data concluded with the following suggestions and remarks:

The categories included under sensitive personal data should be subject to contextual provisions instead of blanket protection.
Sensitive personal data mandates greater protection with regard to storage and disclosure than personal data.
While obtaining prior consent is important for both kinds of data, obtaining informed consent is paramount for sensitive personal data.
Both classes of data can be collected for legitimate purposes and in compliance with the protection provided by law.

Chapter II – Regulation of Personal Data

This chapter of the Bill establishes a negative statement of a positive right under Section 3 along with exemptions under Section 4, as opposed to the previous version of the Bill, discussed at the fifth Privacy Roundtable, which established a positive right. Thus, in its current form, the Bill provides a stronger regime for the regulation of personal data. The single exemption provided under this part is for personal or domestic use.

The main issues under consideration with regard to this part were –

The scope of the protection provided
Whether the exemptions should be expanded or diminished.

A participant raised a doubt regarding the subject of the right. In response, it was clarified that the Bill was subject to existing Constitutional provisions and relevant case law. According to the apex court, in Kharak Singh v. The State of U.P. (1964), the Right to Privacy arose from the Right to Life and Personal Liberty as enshrined under Article 21 of the Constitution of India. Since the Article 21 right is applicable to all persons, the Right to Privacy has to be interpreted in conjunction. Consequently, the Right to Privacy will apply to both citizens and non-citizens in India. It would also extend to information of foreigners stored by any entity registered in India and any other entity having an Indian legal personality irrespective of whether they are registered in India or not.

The next issue that arose at the Roundtable stemmed from the exemption provided under Section 4 of the Bill. A participant opined that excluding domestic use of such data was unadvisable as often such data was used maliciously during domestic rows such as divorce. With regard to the how ‘personal and domestic use’ was to be defined it was proposed that the same had to cater existing cultural norms. In India, this entailed that existing community laws had to be followed which does not recognize nuclear families as a legal entity. It was also acknowledged that Joint Hindu Families had to be dealt with specially and their connection with large businesses in India would have to be carefully considered.

Another question regarding exemptions brought up at the Roundtable was whether they should be broadened to include the information of public servants and the handling of all information by intelligence agencies. Similarly, some participants proposed that exemptions or exceptions should be provided for journalists, private figures involved in cases of corruption, politicians, private detective agencies etc. It was also proposed that public disclosure of information should be handled differently than information handled in the course of business.

Conclusion

The overall conclusion of the discussion on this Chapter was –

All exemptions and exceptions included in this Chapter should be narrowly tailored and specifically defined.
Blanket exemptions should be avoided. The specificities can be left to the Judiciary to adjudicate on as and when contentions arise.

Chapter III – Protection of Personal Data

This chapter seeks to regulate the collection, storage, processing, transfer, security and disclosure of personal data.

Collection of Personal Data

Sections 5, 6 and 7 of the Bill regulate the collection of personal data. While section 5 establishes a broad bar for the collection of personal data, Section 6 and 7 provide for deviations from the same, for collecting data with and without prior informed consent respectively.

Collection of Data with Prior Informed Consent

Section 6 establishes the obligation to obtain prior informed consent, sets out the regime for the same and by way of 2 provisos allows for withdrawal of consent which may result in denial of certain services.

The main issues discerned from this provision involved (i) notice for obtaining consent, (ii) mediated data collection, and (iv) destruction of data.

Regarding notice, some participants observed that although it was a good practice it was not always feasible. A participant raised the issue of the frequency of obtaining consent. It was observed that services that allowed its users to stay logged in and the storage of cookies etc. were considered benefits which would be disrupted if consent had to be obtained at every stage or each time the service was used. To solve this problem, it was unanimously accepted that consent only had to be obtained once for the entirety of the service offered except when the contract or terms and conditions were altered by the service provider. It was also decided that the entity directly conducting the collection of data was obligated to obtain consent, even if the same was conducted on behalf of a 3^rd party.

Mediated date collection proved to be a highly contentious issue at the Roundtable. The issue was determining the scope and extent of liability in cases where a mediating party collects data for a data controller for another subject who may or may not be a user. In this regard, two scenarios were discussed – (i) uploading pictures of a 3^rd party by a data subject on social media sites like Facebook and (ii) using mobile phone applications to send emails, which involves, inter alia, the sender, the phone manufacturer and the receiver. The ancillary issues recognized by participants in this regard were – (i) how would data acquired in this manner be treated if it could lead to the identification of the 3^rd party?, and (ii) whether destruction of user data due to withdrawal of consent amount to destruction of general data, i.e. of the 3^rd party. The consensus was that there was no clarity on how such forms of data collection could be regulated, even though it seemed expedient to do so. The government’s inability to find a suitable solution was also brought to the table. In this regard it was suggested by some participants that the Principle of Collection Limitation, as defined in the A.P. Shah Committee Report, would provide a basic protection. Further the extent to which this would be exempted for being personal use was suggested as a threshold. A participant observed that it would be technically unfeasible for the service provider to regulate such collection, even if it involved illicit data such as pornographic or indecent photographs. Further, it was opined that such an oversight by the service provider could be undesirable since it would result in the violation of the user’s privacy. Thus, any proposal for regulation had to balance the data subject’s rights with that of the 3^rd party. In light of this, it was suggested that the mediating party should be made responsible for obtaining consent from the 3^rd party.

Another aspect of this provision which garnered much debate was the proviso mandating destruction of data in case of withdrawal of consent. A participant stated the need for including broad exceptions as it may not always be desirable. Regarding the definition of ‘destroy’, as provided for under Section 2, it was observed that it mandated the erasure/deletion of the data in its entirety. Instead, it was suggested, that the same could be achieved by merely anonymising the information.

Collection of Data without Consent

Section 7 of the Bill outlines four scenarios which entail collection of personal data without prior consent, which are reproduced below -

“(a) necessary for the provision of an emergency medical service to the data subject;
(b) required for the establishment of the identity of the data subject and the collection is authorised by a law in this regard;
(c) necessary to prevent a reasonable threat to national security, defence or public order; or
(d) necessary to prevent, investigate or prosecute a cognisable offence”

Most participants at the Roundtable found that the list was too large in scope. The unqualified inclusion of prevention in that last two sub clauses was found to be particularly problematic. It was suggested that Section 7 (c) was entirely redundant as its provisions could be read into Section 7 (d). Furthermore, the inclusion of ‘national security’ as a basis for collecting information without consent was rejected almost unanimously. It was suggested that if it was to be included then a qualification was desirable, allowing collection of information only when authorized by law. Some participants extended this line of reasoning to Section 7 (c) as state agencies were already authorized to collect information in this manner. It was opined that including it under the Bill would reassert their right to do so in broader terms. For similar reasons, Section 7 (b) was found objectionable as well. It was further suggested that if sub clauses (b), (c) and (d) remained in the Bill, it should be subject to existing protections, for example those established by seminal cases such as Maneka Gandhi v. Union of India (1978) and PUCL v. Union of India (1997).

Storage and Processing of Personal Data

Section 8 of the Bill lays down a principle mandating the destruction of the information collected, following the cessation of the necessity or purpose for storage and provides exceptions to the same. It sets down a regime of informed consent, purpose specific storage and data anonymization.

The first amendment suggested for this provision was regarding the requirement of deleting the stored information ‘forthwith’. It was proposed by a participant that deleting personal data instantaneously had practical constraints and a reasonability criteria should be added. It was also noticed that in the current form of the Bill, the exception of historical, archival and research purposes had been replaced by the more general phrase ‘for an Act of Parliament’. The previous definition was altered as the terms being used were hard to define. In response, a participant suggested a broader phrase which would include any legal requirement. Another participant argued that a broader phrase would need to me more specifically defined to avoid dilution.

Section 9 of the Bill sets out two limitations for processing data in terms of (i) the kind of personal data being processed and (ii) the purpose for the same. The third sub clause enumerates exceptions to the abovementioned principles in language similar to that found in Section 7.

With regard to the purpose limitation clause it was suggested by many participants that the same should be broadened to include multiple purposes as purpose swapping is widespread in existing practice and would be unfeasible and undesirable to curtail. Sub clause 3 of this Section was critiqued for the same reasons as Section 7.

Section 10 restricts cross-border transfer of data. It was clarified that different departments of the same company or the same holding company would be treated as different entities for the purpose of identifying the data processor. However, a concern was raised regarding the possibility of increased bureaucratic hurdles on global transfer of data in case this section is read too strictly. At the same time, to provide adequate protection of the data subject’s rights certain restrictions on the data controller and location of transfer.

The regime for disclosure of personal data without prior consent is provided for by Section 14. The provision did not specify the rank of the police officer in charge of passing orders for such disclosure. It was observed that a suitable rank had to be identified to ensure adequate protection. Further, it was suggested that the provision be broadened to include other competent agencies as well. This could be included by way of a schedule or subsequent notifications.

Conclusion

Mediated collection of data should be qualified on the basis of purpose and intent of collection.
The issue of cost to company (C2C) was not given adequate consideration in the Bill.
The need to lay down Procedures at all stages of handling personal data.
Special exemptions need to be provided for journalistic sources.

Meeting Conclusion

The Sixth Privacy Roundtable was the second to last of the stakeholder consultations conducted for the Citizens’ Personal Data (Protection) Bill, 2013. Various changes made to the Bill from its last form were scrutinized closely and suitable suggestions were provided. Further changes were recommended for various aspects of it, including definitions, qualifications and procedures, liability and the chapter on offences and penalties. The Bill will be amended to reflect multi-stakeholder suggestions and cater to various interests.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi

Report on the Fourth Internet Governance Forum for Commonwealth IGF

pranesh — 2012-02-29T05:42:27Z

This report by Pranesh Prakash reflects on the question of how useful the IGF is in the light of meetings on the themes of intellectual property, freedom of speech and privacy.

The first Internet Governance Forum was held in Athens in 2006, as a follow on to the 2005 Tunis World Summit on the Information Society, and to fulfil the principles drawn up at there. Its explicit objective is to “promote and assess, on an ongoing basis the embodiment of WSIS principles in Internet governance processes”. Those principles still form the basis of the talks that happen at the IGF, and are frequently referred to by the various groups that attend the IGF as the basis for their positions and claims. Sometimes, some of the values promoted by the principles are claimed by opposing groups (child safety vs. freedom of expression). Thus, in a way the negotiation of those principles were what really set the tone for the IGF, which in and of itself is a process by which those principles could be furthered. The one question that formed part of people’s conversations through the fourth Internet Governance Forum (IGF) at Sharm el Sheik, as it had in third IGF at Hyderabad, and no doubt ever since the first edition, was “How
useful is the IGF?” This report shall reflect on that question, particularly based on the workshops and meetings that happened around the themes of intellectual property, freedom of speech, and privacy.

There are not many meetings of the nature of the IGF. It is not a governmental meeting, though it is sponsored by the United Nations. It is not a meeting of civil society groups, nor of academics nor industry. It is a bit like the Internet: large and unwieldy, allowing for participation of all while privileging those with certain advantages (rich, English-speaking), and a place where a variety of interests (government, civil society, academia and industry) clash, and where no one really has the final word. While the transformational potential of the Internet and the World Wide Web have been felt by a great many, the potential of the Internet Governance Forum is still to be felt. This report, in part, seeks to present an apology of the IGF process, though it is the belief of this reporter that it could do with a few modifications.

DAY 0 (Saturday, November 14, 2009)

This reporter arrived with his colleagues at Sharm el Sheik late in the afternoon on Saturday, November 14, 2009, with the IGF set to begin the next day. Though we had been advised to register that evening itself, the fatigue of travel (in the case of my colleagues) and the requirement of purchasing new clothes to replace those in the suitcase that had been lost (in my case) kept us from doing so.

DAY 0 (Sunday, November 15, 2009)

The IGF began on Sunday, November 15, 2009, with a large delay. The registration desks seemed to have a bit of difficulty handling the number of people who were pouring in for registration that morning. By the time this reporter was done with registration, the first set of workshops were already under way, and nearing completion, leaving not much time before the commencement of Workshop 361 (Open Standards: A Rights-Based Framework), which was being organized by this reporter.

That workshop had as speakers Sir Tim Berners-Lee (World Wide Web Consortium), Renu Budhiraja (Department of IT, Government of India), Steve Mutkoski (Microsoft), Rishab Ghosh (UNU-MERIT), and Sunil Abraham (Centre for Internet and Society), with Aslam Raffee (Sun Microsystems, formerly with the Government of South Africa) chairing the session thus representing government, industry, civil society, and academia. The theme of the workshop (rights-based framework for open standards) was explored in greatest depth by Tim Berners-Lee, Sunil Abraham, and Rishab Ghosh, while Renu Budhiraja and Steve Mutkoski decided to explore the fault-lines, and the practicalities of ensuring open standards (as well as the interoperability, e-governance, and other promises of open standards). Rishab Ghosh pointed out that while a government could not make it a requirement that your car be a Ford to be granted access to the parking lot of the municipality, it often made such arbitrary requirements when it came to software and electronic access to the government.

Open standards, most of the panellists agreed, had to be royalty-free, and built openly with free participation by anyone who wished to. This model, Sir Tim pointed out, was what made the World Wide Web the success that it is today. This would ensure that different software manufacturers could ensure interoperability which would encourage competition amongst them; that all governments -- even the less developed ones -- would have equal access to digital infrastructure; that citizen-government and intragovernment interaction would be made much more equitable and efficient; and that present-day electronic information would be future-proofed and safeguard against software obsolescence.

Renu Budhiraja in a very useful and practically-grounded presentation pointed out some of the difficulties that governments faced when deciding upon definitions of “open standards”, as well as the limited conditions under which governments may justify using proprietary standards. She spoke of the importance of governments not following the path laid out by market forces, but rather working to lead the market in the direction of openness. Governments, she reminded the audience, are amongst the foremost consumers of software and standards, and have to safeguard the interests of their citizens while making such decisions. Steve Mutkoski challenged the audience to not only think about the importance of open standards, but also think of the role it plays in ensuring efficient e-governance. Standards, he contended, are but one part of e-governance, and that often the reason that e-governance models fail are not because of standards but because of other organizational practices and policies. Pointing to academic studies, he showed that open standards by themselves were not sufficient to ensure

Sunil Abraham pointed out examples of citizens’ rights being affected by lack of open standards, and pointed out the concerns made public by ‘right to information’ activists in India on the need they perceived for open standards. He also pointed out an example from South Africa where citizens wishing to make full use of the Election Commission’s website were required to use a particular browser, since it was made with non-standard proprietary elements that only company’s browser could understand. Since that browser was not a cross-platform browser like Firefox, users also had to use a particular operating system to interact with the government. The session ended with a healthy interaction with the audience.

The importance of having this discussion at the IGF was underscored by Rishab Ghosh who noted that issues of defining and choosing technical standards are often left to technical experts, while they have ramifications much further than that field. That, he opined, is the reason that discussing open standards at a forum like the IGF is important. A more complete report of this workshop may be found at <http://cis-india.org/advocacy/openness/blog/dcos-workshop-09>.

Post the workshop was the opening ceremony which had Mr. Sha Zukang, U.N. Under-Secretary General for Economic and Social Affairs, Tarek Kamel, the Egyptian Minister for Communications and Information Technology, Dr. Ahmed Nazif, the Prime Minister of Egypt, Tim Berners-Lee, and Jerry Yang. The theme of this year’s IGF was the rather unwieldy “access, diversity, openness, security, and critical Internet resources”. The spread of the Internet, as noted by Sha Zukang, is also quite revealing: In 2005, more than 50% of the people in developed regions were using the Internet, compared to 9% in developing regions, and only 1% in least developed countries. By the year 2009, the number of people connecting in developing countries had expanded by an impressive 475 million to 17.5%, and by 4 million in LDCs to 1.5%, while Internet penetration in developed regions increased to 64%. All in all (Jerry Yang pointed out), around 1.6 billion people, or about 25 per cent of the world, is online. Mr. Kamel noted that “the IGF has
proved only over four years that it is not just another isolated parallel process but it has rather managed to bring on board all the relevant stakeholders and key players”.

Of importance in many of the speeches were the accountability structures of the Internet due to the Affirmation of Commitment that the U.S. Department of Commerce signed with ICANN, and the growing internationalisation of the World Wide Web due to ICANN’s decision to allow for domain names in multiple languages. Tim Berners-Lee again pointed out the need to keep the Web universal, and in particular highlighted the role that royalty-free open standards play in building the foundations of the World Wide Web. Other than small remarks, privacy and freedom of expression did not really figure greatly in the opening ceremony. Jerry Yang, through his talk of the Global Net Initiative, was the one who most forcefully pointed out the need for both online. The Prime Minister of Egypt, in passing, pointed out the need to safeguard intellectual property rights online, but that note was (in a sense) countered by Sir Tim’s warning about the limiting effect of strong intellectual property would have on the very foundations of the World Wide Web and the Internet.

DAY 2 (Monday, November 16, 2009)

On the second day was begun by attending the Commonwealth IGF Open Forum. This open forum was most enlightening as in it one truly got to see Southern perspectives on display. Speakers (both on the dais as well as from the audience) were truly representative of the diversity of the Commonwealth, which presently includes 54 states and around 2.1 billion people (including 1.1 billion from India). Issues of concern included things such as the lack of voice of whole regions like East and West Africa in the international IG policy-making arena. Some of the participants noted that issues such as music piracy, which is a favourite topic of conversation in the West, is of no relevance to most in Africa where the pressing copyright- related issues those of education, translation rights, etc. One participant noted that “Intellectual property issues need developing countries to speak in one voice at international fora; the Commonwealth IGF might allow that.”

A number of people also brought up the issue of youth, and pointing towards children as both the present and the future of the Internet. This attitude also showed up in the session that was held later that day at Workshop 277 (IGF: Activating and Listening to the Voice of Tweens) in which not only were youth and IG issues discussed, but the discussion was also by youth. The formation of the new Dynamic Coalition on Youth and Internet Governance with Rafik Dammak as the coordinator also underlines the importance of this issue which came up at the CIGF open forum.

Other concerns were that of sharing ICT best practices and examples, and the need to urgently bridge the rural-urban divide that information and communication technologies often highlight, and sometimes end up precipitating. This divide is, in many ways, similar to the divide between developing and developed nations, and this point was also highlighted by many of the participants. One strength that the CIGF has as a platform, which the IGF possibly lacks, is the commonality of the legal systems of most of the Commonwealth countries, and hence the possibility that arises of joint policy-making. It was heartening to see that British Parliamentarians, apart from bureaucrats from many countries, were in attendance. This strong focus on developing countries and Southern perspective is, this reporter believes, one of the strengths of the CIGF, which needs to be pushed into the global IGF.

The next workshop attended was Workshop 92: A Legal Survey of Internet Censorship and Filtering, which was organized by UNESCO. A large number of very interesting people presented here, and panellists included IFLA/Bibliotheca Alexandrina (whose Sohair Washtawi was surprisingly critical of the Egyptian government), UNESCO (Mogens Schmidt), Freedom House (Robert Guerra), and Frank La Rue, U.N. Special Rapporteur for Freedom of Opinion and Expression. What came of this workshop was the need to engage with to study the online state of freedom of expression as fully as “offline” state of press freedoms are studied, as an interesting fact that came out of this workshop was that there are currently more online journalists behind bars around the world than traditional journalists. A critique of the Freedom House’s online freedom report, which was not sufficiently voiced at the workshop itself, is that it represents a very Western, state-centric idea of freedom of speech and expression, and often looks at the more direct forms of censorship (state censorship) rather than private censorship (via advertising revenue, copyright law, and “manufactured consent”) and self-censorship. This reporter also intervened from the audience to point out that copyright is often a way of curbing freedom of speech (as was the case with the newspaper scholarly reprints of Nazi-era newspapers in Germany recently, or with the Church of Scientology wishing
to silence its critics). The panellists, including Mogens Schmidt and Frank La Rue agreed, and responded by noting that this dimension of copyright requires greater reflection by those groups involved in promoting and safeguarding freedom of speech and expression both online and offline.

The time before the meeting of the Dynamic Coalition on Open Standards was spent listening to Bruce Schneier, Marc Rotenberg, Frank La Rue, Namita Malhotra, and others at the Openness, Security and Privacy Session. Bruce Schneier, one of the most astute and insightful thinkers on issues of security and privacy, focussed on a topic that anyone who reads his blog/newsletters would be familiar with: that openness, security and privacy are not really, contrary to popular perception, values that are inimical to each other. Mr. Schneier instead sees them as values that complement each other, and argued that one cannot ensure security by invading privacy of citizens and users. He noted that “privacy, security, liberty, these aren’t salient. And usually whenever you have these sort of non-salient features, the way you get them in society is through legislation.” On the same note, he held the view that privacy should not be a saleable commodity, but an inalienable fundamental right of all human beings (a position that Frank La Rue agreed with).

Apart from the traditional focus area of states, there was also a lot of focus on corporations and their accountability to their users. On the issue of corporations versus states, Frank La Rue made it clear that he believed the model that some corporations were advocating of first introducing technologies into particular markets, expanding, and then using that to push for human rights, was not a viable model. Human rights, he reiterated, were not alienable, and stated: “You [internet companies] strengthen democracy and democratic principles and then you bring up the technology. Otherwise, it will never work, and it is a self defeating point.”

The meeting of the Dynamic Coalition on Open Standards was next. This meeting served as a ground to build a formal declaration from Sharm el Sheik for DCOS. The meeting was held in the room Luxor, the seating in which was rectangular, promoting a vibrant discussion rather than making some people “presenters” and the rest “audience”. Many of the members of the Dynamic Coalition on Accessibility and Disability were in attendance, seeing common purpose with the work carried out by DCOS. There was spirited discussion on how best to move from a formulation of open standards as “principles” to more citizen- centric “rights”. This shift, pointed out as an important one because they allow for claims to be made in a way that principles and concessions do not. One of the participants helped re-draft the entire statement, based on suggestions that came from him and the rest of the participants. This was, in a sense, the IGF’s multi-stakeholderism (to coin a phrase) at its best.

Because of the late ending to the DCOS meeting, this reporter arrived late for the Commonwealth IGF follow-up meeting. It seemed that the meeting took its time in finding its raison d’être. It was, for a long while, unclear what direction the meeting was headed in because the suggestions from the audience members were of different types: programmatic actionable items, general thematic focus area suggestions, as well as general wishlists. However, in the end, this came together and became productive thanks to the focus that the chairperson and the rapporteur brought to the discussion. Furthermore, it was a great opportunity to connect with the various young people who had been brought together from various backgrounds to attend the IGF by the CIGF travel bursary. It will be interesting to see the shape that CIGF’s future work takes.

Day 3 (Tuesday, November 17, 2009)

The first session attended on the third day was the meeting on “Balancing the Need of Security with the Concerns for Civil Liberties”. The speakers included Alejandro Pisanty (Workshop Chair), Wolfgang Benedek, Steve Purser, Simon Davies, and Bruce Schneier. Once again, the one point that everyone agreed on is that those pitting security against privacy are creating a false dichotomy, and that for security to exist, privacy must be safeguarded. Steve Purser pointed out that common sense takes a long while to develop and that we, as a human collective, have not yet developed “electronic common sense”. Simon Davies’ main point was that accountability must necessarily be appended to all breaches of privacy in the name of security. Indeed, he lamented that oftentimes the situation is such that people have to justify their invocation of privacy, though the state’s invocation of security to trample privacy does not require any such justification. Security, he pointed out, is not something that is justified by the government, judged by the people, and to which the government is held accountable for its breaches of civil liberties.

Bruce Schneier, as usual, was quite brunt about things. He noted that only identity-based security have anything to do with privacy, and that there are a great many ways of ensuring security (metal detectors in a building, locks in a hotel room) that do not affect privacy. At the meeting, this reporter made a comment noting that a lot of debate is happening at a theoretical level, and that while a lot of good ideas are coming out of that discussion, those ideas have to be translated into good systems of governance in countries like India. Some organizations internationally are trying to make human readable privacy signs such as the human readable copyright licences used by Creative Commons. Concerning citizens’ privacy, a lot of systems (such as key escrow) that have been discredited by knowledgeable people (such as Bruce Schneier) are still being considered or adopted by many countries such as India (where this blew up because of a perceived security threat due to RIM BlackBerry’s encryption). National ID schemes are also being considered in many countries, without their privacy implications being explored. In the name of combatting terrorism, unregistered open wireless networks are being made illegal in India. While there have been informed debates on these issues at places like the IGF, these debates need to find actual recognition in the governance systems. That translation is very important.

The next session this reporter attended was the meeting of the Dynamic Coalition on Freedom of Expression of the Media on the Internet. Amongst the other items of discussion during the session, the site Global Voices Online was showcased, and many of the speakers gave their opinions on whether freedom of speech online required a new formulation of the rights, or just new applications of existing rights. The consensus seemed to be that tying up with the Internet Rights and Principles DC would be useful, but that the project need not be one of reformulation of existing rights, since the existing formulations (as found in a variety of international treaties, including the UDHR) were sufficient. One of the participants stressed though that it was important to extend freedom of press guarantees to online journalists (in matters such as defamation, or copyright violation, where news organizations might be granted protection over and above that which an ordinary citizen would receive). Citizen-led initiatives for circumventing censorship were also discussed.

Two very important points were raised during the Openness main session on Day 2 when someone noted that the freedom of expression was not only an individual right but it also a collective right: the right of peoples to express not only ideas but to express their cultures, their traditions, their language and to reproduce those cultures and languages and traditions without any limitation or censorship. This aspect of the freedom of expression finds much resonance in many Southern countries where collective and cultural rights are regarded as being as important as individual and civil-political rights. Secondly, Frank La Rue pointed out that freedom of speech and expression went beyond just giving out information and opinion: it extended to the right to receive information and opinion. Excessively harsh copyright regimes harm this delicate balance, and impinge on the free speech.

One of the issues that was not explored sufficiently was that of the changes wrought by the Internet on the issues raised by the participants. For instance, while there was much talk about defamation laws in many countries and their grave faults (criminal penalties, defamation of ideas and not just persons), there was no talk of issues such as forum-shopping that arises due to online defamation being viewable around the world with equal ease. Thankfully, the coordinators of the Dynamic Coalition urged people to register on the DC’s Ning site (http://dcexpression.ning.com) and keep the conversation alive there and on the DC’s mailing list.

The session held on Research on Access to Knowledge and Development, organized by the A2K Global Academy was most informative. It brought together many recent surveys of copyright law systems from around the world and their provisions for access to knowledge, including the Africa Copyright and Access to Knowledge project with which this reporter is very familiar. The three main focus areas of discussion were Access to Education (A2E), Open Source Software (OSS) and Access to Medicines (A2M). The best presentation of the day was that made by Carlos Affonso of FGV (Brazil) who made an impassioned case for access to knowledge in the developing world, showcasing many practical examples from Brazil. He noted that many of the examples he was showing were plainly illegal under Brazilian laws, which had very limiting limitations and exceptions. He showcased the usage of Creative Commons licensing, Technobrega music, usage of common ICT infrastructure (such as cybercafes), which are often only semi-legal, and the general acceptance of commons-based peer production. The conclusion of the Egyptian study was that more work is needed to expand access to educational materials, including expansion of the limitations and
exceptions to copyright law for educational purposes. The overall consensus of all the various studies was that open source software was playing a very useful and crucial role in promotion of access to knowledge, but pointed out that the main barrier that open source software was facing was that of anti-competitive practices and not something related to copyright law.

Day 4 (Wednesday, November 18, 2009)

On the last day, this reporter was a presenter in a workshop on the “Global State of Copyright and Access to Knowledge”. This session had the following panellists: Tobias Schonwetter, Faculty of Law, University of Cape Town; Bassem Awad, Chief Judge at the Egyptian Ministry of Justice and IP Expert; Perihan Abou Zeid, Faculty of Legal Studies and International Relations, Pharos University; Pranesh Prakash, Programme Manager, Centre for Internet and Society; Jeremy Malcolm, Project Coordinator, Consumers International; and Lea Shaver, Associate Research Scholar and Lecturer in Law at Yale Law School.

This workshop was the result of the merger of workshops proposed by the African Copyright and Access to Knowledge project, and by Consumers International (to showcase their IP Watch List). Lea Shaver noted that the purpose of copyright law is to encourage creativity and the diffusion of creative works, and not as an industrial subsidy. If copyright law gets in the way of creativity and access to knowledge, then it is in fact going against its purpose. She asserted that copyright law should be assessed by touchstones of access, affordability and participation. “Copyright shapes affordability and access because as the scope of rights expands, the more control is centralised and the less competition. It also shapes participation, because under current law the amateur who wants to build upon existing works is at a disadvantage, and risks running afoul of others’ rights.” Rent-seeking behaviour is what is driving the expansion that we see globally in the coverage of copyright law, and not the costs of production and distribution (which are ever becoming cheaper).

Dr. Abou Zeid noted that technology grants copyright holders (and even non-holders) great control over knowledge, and that strong safeguards are required against this control in the form of limitations to technological protection methods (TPMs). Further, copyright law must take advantage of the benefits offered by technology, such as distance education, granting access to the disabled, and must extend present day E&L to cover these as well. Tobias Schonwetter presented the findings of the ACA2K project, and noted that most countries granted greater protection to rights holders than international law required. Amongst the survey countries, none dealt with distance and e-learning, and only one (Uganda) dealt with the needs of the disabled. He hoped that the extended dissemination phase would assist other projects to build on ACA2K’s work. Thus, “legal systems worldwide are not meeting consumers’ needs for access to knowledge. A better legal system, the research suggests, would support non-commercial sharing and reuse of material, which in turn would drive down costs and increase sales of licensed material, and could also increase consumers’ respect for the law overall.”

The present reporter started by asking why this abstract phrase “access to knowledge” is so important. A2K actually effects almost all areas of concern to citizens and consumers: education, industry, food security, health, amongst many more areas. Mark Getty notes that “IP is the oil of the 21st century”. By creating barriers through IP, there is less scope for expansion and utilization of knowledge, and this most affect “IP poor” nations of the South. In India, there is a new copyright amendment that will introduce DRMs, even though India is not bound by international law to do so. There is also a very worrisome movement to pass state-level criminal statutes that class video pirates in the same category as “slum lords, drug peddlers and goonda”, which includes measures for preventative detention without warrant.

One tool to help change the mindsets of the public is the Consumers International IP Watch List, which can help policy makers and academics and advocates compare the best and worst practices of various countries. At an earlier session, Carlos Affonso of FGV had used the Watch List to demonstrate the weakness of Brazil’s copyright law on the educational front. Copyright is often characterised as a striking of balance between the interests of creators and consumers, but this rhetoric might be misplaced. In fact creators often benefit from freer sharing by users. Knowledge is an input into creation of works, not just an output from it. Given this, it is important to counter IP expansionism by using laws promoting freedom of speech, competition law, consumer law, privacy law, while framing them within the context of development (as appropriate in various countries), to eventually produce a change in mindsets of people.

Stock-Taking

As Jeremy Malcolm of Consumers International notes in his response to the formal stock-taking process, “the IGF is yet to develop from a simple discussion forum into a body that helps to develop public policy in tangible ways.” This reporter, writing for the Dynamic Coalition on Open Standards, also voted for the continuation of the IGF, “in order to ensure that the WSIS Declaration of Principles, specifically in the important area of open standards, be realised through a multi-stakeholder process.” The IGF is, in a sense, the least bureaucratic of the UN’s endeavours. But certain rules, evolved in inter-governmental settings, might require careful reconsiderations to suit the multi-stakeholder approach that the IGF embodies. The IGF also needs to reach out from being a conference for a few to becoming a place/process for the many.

General Reflections

While this year there were more remote participation hubs (13) than last (11), and the Remote Participation Working Group seems to have done much work and some serious reflection on that work, individual experiences sometimes did not match up with what was perceived as the collective experience (via RPWG’s feedback survey). As a workshop organizer, this reporter was not provided any information about the remote participation tools, nor was there any screening of remote participants’ comments. With the shift from a single (open-source) product DimDim, to two products, WebEx (sponsored by Cisco) and Elluminate, much confusion was created even amongst those in the know since there were two separate tools being used. It is this reporter’s perception that live captioning from the main sessions has been a great success, and will have to be used much more extensively, especially if places where the bandwidth to download streaming video does not exist. Further, they help create very useful quasi-official records of the various workshops and open fora that are held at the IGF. That apart, the suggestions offered by the
RPWG (live video feedback from the remote hubs, dedicated remote participation chair in each workshop,
etc.) should be worked upon this year to enable those who cannot travel to Vilnius to participate more effectively.

All the sessions that happened around intellectual property rights were highly critical of the present state of IP laws around the world, and were calling for a reversal of the IP expansionism we see from various perspectives (access to knowledge, competition law, etc.) However, it was often felt by this reporter that these workshops were cases of the choir being preached to. Of course, many new people were being introduced to these ideas, but generally there was appreciation but not as much opposition as one is used to hearing outside the IGF. An exception (in the IP arena) was the workshop on open standards, in which there was much heat as well as illumination. Perhaps, a greater effort could be made to engage with people who are critical of the Access to Knowledge movement, those who are critical of privacy being regarded as a fundamental right, and those who believe that cultural relativism (for instance) must find a central place while talking about the right to free speech. After all, when one leaves the IGF, these voices
are heard. Those voices must be engaged with at the IGF itself, and a way forward (in terms of concrete policy recommendations, whether at the local level or the international level) must be found. Of course, the problem with the above suggestion is that many of these values are embedded in the WSIS principles, and are taken as a granted. But, still, if such debate is not had at the IGF, it might become something much worse than a ‘talking shop’: a forum where not much meaningful talk happens.

Appendix I: Tweets and Dents During the IGF

This is list of some posts made by the reporter on the microblogging sites Twitter
(http://twitter.com/pranesh_prakash) and Identi.ca (http://identi.ca/pranesh) during the IGF.
# @leashaver: Recording of yesterday’s session by the Access to Knowledge ♺ Global Academy:
http://trunc.it/3dldl #a2kga #IGF09 #yaleisp 8:55 PM Nov 18th, 2009
# “Great possibilities of #foss, but a disabling, anti-competitive environment has stunted growth of
open source software in #Egypt.” #igf09 6:47 PM Nov 17th, 2009
# Excellent set of resources on Access to Knowledge, from @YaleISP: http://tr.im/F8At #igf09 6:37 PM
Nov 17th, 2009
# “Tecno brega in Brazil can only be bought from street vendors: good relationship between artists
and street vendors.” #igf09 6:30 PM Nov 17th, 2009
# “There is not even a private copying exception in Brazil”, but is still part of “axis of IP evil” for
rightsholders #igf09 6:26 PM Nov 17th, 2009
# Tobias: “Even though s/w patents are not allowed by SA law, some large MNC s/w comps found
ways of bypassing that & getting patents” #igf09 6:19 PM Nov 17th, 2009
# Case studies from SA: CommonSense project, Freedom to Innovate SA, OOXML v. ODF struggle #igf09
6:18 PM Nov 17th, 2009
# 2 new studies on #a2k from Brazil (http://tr.im/F8tI)and SA (http://tr.im/F8uJ). Also see ACA2K’s
outputs: http://tr.im/F8uQ #igf09 6:13 PM Nov 17th, 2009
# ♺ @sunil_abraham: RT @mathieuweill: #igf09 Dardailler : Internet standards are open standards
and that makes a difference! 3:57 PM Nov 17th, 2009
# Oops. Wrong URL. It should be: http://threatened.globalvoicesonline.org/ #igf09 3:46 PM Nov 17th,
2009
# Mogens Schmidt of UNESCO praises Global Voices Online. Says defamation & libel laws should not
be *criminal* offences. #igf09 3:40 PM Nov 17th, 2009
# http://threatened.globalvoices.org/ helps report on FoE issues with bloggers through crowdsourcing.
#igf09 3:24 PM Nov 17th, 2009
# “Along with the right to give out information and opinion is the right to receive information and
opinion”: Frank La Reu #a2k #igf09 3:13 PM Nov 17th, 2009
# Schneier: “Before we die, we will have a US President who’ll send a lolcat to the Russian PM” #igf09
2:06 PM Nov 17th, 2009
# Privacy vs. security is a false dichotomy. But any privacy that is taken away in name of security
must be turned into accountability. #igf09 1:50 PM Nov 17th, 2009
# All wireless networks now have to be registered in India, and we talk of privacy? @schneier #igf09
1:47 PM Nov 17th, 2009
# RT @rmack Free Expression Online dynamic coalition meeting at 11:30am Egypt time in Siwa Room.
http://dcexpression.ning.com #igf09 1:36 PM Nov 17th, 2009
# @OWD: E Daniel, (http://bit.ly/3oFYqu), takes on the myth of the Digital Native, ♺ reveals the shallowness
of their native knowledge. #igf09 12:05 AM Nov 17th, 2009
# Commonwealth IGF’s follow-up meeting took time to find out its raison d’etre, but ended on a productive
note. #igf09 11:34 PM Nov 16th, 2009
# #schneierfact : Bruce Schneier actually exists! I can see him! 6:53 PM Nov 16th, 2009
# @timdavies: You might then be interested at a report by @cis_india on a different take at DNs:
http://tr.im/F3tk 3:29 PM Nov 16th, 2009 from Gwibber in reply to timdavies
# Estonia & Georgia DDoS are famous, but individual NGOs are also being targetted by DoSes. #igf09
3:08 PM Nov 16th, 2009
# Now more online journalists are behind bars than offline ones. #freespeech #igf09 3:07 PM Nov 16th,
2009
# ♺ @aslam: if you get an email from nigeria people will block it because they think that it is spam -
reputation #fail #igf09 2:14 PM Nov 16th, 2009
# Many are saying: listen to children; document and share best ICT practices and examples; bridge
rural-urban divide as also devel’d-devel’g. 1:57 PM Nov 16th, 2009
# Several British Parliamentarians in the room at the Commonwealth IGF event #igf09 1:56 PM Nov
16th, 2009
# CIGF should look at gaps at IGF and speak to them. Our common legal systems allow for focus on legislations
(ie, on data protection) #igf09 1:36 PM Nov 16th, 2009
# “We need to get to a point where access to the Internet is seen as a human right” #igf09 1:27 PM
Nov 16th, 2009
# “Intellectual property issues need developing countries to speak in one voice at intl fora. Commonwealth
IGF might allow that.” #igf09 1:24 PM Nov 16th, 2009
# “Music aspects of the Internet debates, which gets so much focus, doesn’t have as much relevance
in W. Africa as education & health.” #igf09 1:21 PM Nov 16th, 2009
# Commonwealth covers more than 2 billion people. Some whole regions, like E. & W. Africa “have no
voice in Geneva & global IGF” #igf09 1:18 PM Nov 16th, 2009

For more details visit https://cis-india.org/internet-governance/blog/report-on-fourth-IGF

Report on the 5th Privacy Round Table meeting

maria — 2013-07-26T08:24:27Z

This report entails an overview of the discussions and recommendations of the fifth Privacy Round Table in Calcutta, on 13th July 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

In 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of seven multi-stakeholder round table meetings on “privacy” from April 2013 to October 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the seven Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Roundtable: 24 August 2013
New Delhi Final Roundtable and National Meeting: 19 October 2013

Following the first four Privacy Round Tables in Delhi, Bangalore, Chennai and Mumbai, this report entails an overview of the discussions and recommendations of the fifth Privacy Round Table meeting in Kolkata, on 13th July 2013.

Presentation by Mr. Reijo Aarnio – Finnish Data Protection Ombudsman

The fifth Privacy Round Table meeting began with a presentation by Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman. In particular, Mr. Aarnio initiated his presentation by distinguishing privacy and data protection and by emphasizing the need to protect both equally within a legal framework. Mr. Aarnio proceeded by highlighting that 96 percent of the Finnish community believes that data protection is necessary, especially since it is considered to play an essential role in the enhancement of the self-determination of the individual. Fuerthermore, Mr. Aarnio pointed out that the right to privacy in Finland in guaranteed under section 10 of the Finnish constitution.

The Finnish Data Protection Ombudsman argued that in order for India to gain European data protection adequacy, the implementation of a regulation for data protection in the country is a necessary prerequisite. Mr. Aarnio argued that although the draft Privacy (Protection) Bill 2013 provides a decisive step in regulating the use of data, the interception of communications and surveillance in India, it lacks in defining the data controller and the data subject, both of which should be legally specified.

In order to support his argument that India needs privacy legislation, the Ombudsman clarified the term “data protection” by stating that it relates to the following:

individual autonomy
the right to know
the right to live without undue interference
the right to be evaluated on the basis of correct and relevant information
the right to know the criteria automatic decision-making systems are based on
the right to trust data security
the right to receive assistance from independent authorities
the right to be treated in accordance with all other basic rights in a democracy
the right to have access to public documents
the freedom of speech

In addition to the above, Mr. Aarnio argued that the reason why data protection is important is because it ensures the respect for human dignity, individual autonomy and honor.

The Finnish Data Protection Ombudsman gave a brief overview of the development and history of data protection, by citing the oathe of Hippokrates, the Great Revolutions and World War II, all throughout which data protection has gained increased significance. Mr. Aarnio pointed out that as a result of the development and proliferation of technology, societies have evolved and that data protection is a major component of the contemporary Information Society. The Ombudsman stated that in the Information Society, information is money and open data and big data are products which are being commercialised and commodified. Hence, in order to ensure that human rights are not commericalised and commodified in the process, it is necessary to establish legal safeguards which can prevent potential abuse.

Article 8 of the European Charter of Fundamental Rights guarantees the protection of personal data. Mr. Aarnio argued that the Parliament is the most important data protection authority in Europe and that privacy is legally guaranteed on three levels:

Protection of personal life: The Criminal Code (chapter 24) addresses and protects freedom of speech and secrecy regulations
Communication: Protection of content and traffic data
Data Protection: The Personal Data Act creates Right to Know and to affect/impact, the right to organise one's personal life, automatic processing of personal data and maintenance of register

The Ombudsman also referred to the Directive 95/46/EC of the European Parliament of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.

Mr. Aarnio argued that in the contemporary ecosystem of the Information Society, countries need “Privacy by Design”, which entails the description of the processing of personal data and the evaluation of its lawfulness. In particular, the purpose for the collection and processing of data should be legally defined, as well as whether such data will be shared with third parties, disclosed and/or retained. The Ombudsman argued that India needs to define its data controllers and to legally specify their roles, in order to ensure that the management of data does not result in the infringement upon the right to privacy and other human rights.

The Finnish Data Protection Ombudsman concluded his presentation by stating that data security is not only a technological matter, but also – and in some cases, mostly – a legal issue, which is why India should enact the draft Privacy (Protection) Bill 2013.

Discussion of the draft Privacy (Protection) Bill 2013

Chapter I: Definitions

The discussion of the draft Privacy (Protection) Bill 2013 commenced with a debate on whether such a Bill is necessary at all, given that section 43 of the IT Act is considered (by participants at the round table) to regulate the protection of data. It was pointed out that although section 43 of the Information Technology Act provides some rules for data protection, the Committee has stated that these rules are inadequate. In particular, India currently lacks statutory provisions dealing with data protection and rules are inadequate because they are subject to parliamentary debate, and the Parliament does not have the right to vote on rules. The Parliament does not have the right to amend rules, which means that it does not have the right to amend the rules on data protection under the IT Act. Since the rules under section 43 of the IT Act are not subject to parliamentary review, India needs a seperate privacy statutue. Hence, the round table reached a consensus on the discussion of the draft Privacy (Protection) Bill 2013.

Personal data is defined in the draft Privacy (Protection) Bill 2013 as any data which relates to a natural person, while sensitive personal data is defined as a subset of personal data, such as biometric data, medical history, sexual preference, political affiliation and criminal history. It was pointed out that race, religion and caste are not included in the Bill's definition for sensitive personal data because the Government of India refuses to acknowledge these types of information as personal data. According to the Government, the collection of such data is routine and there have been no cases when such data has been breached, which is why race, religion and caste should not be included in the definition for sensitive personal information. However, the last caste sensus took place in 1931 and since then there has been no caste sensus, because it is considered to be a sensitive issue. This contradictory fact to the government's position was pointed out during the round table meeting.

A participant argued that financial information should be included within the definition for sensitive personal data. This was countered by a participant who argued that India has the Credit Information Companies Act which covers credit information and sets out specific information for the protection of credit data by banks and relevant companies. Yet the question of whether general financial information should be included in the definition for sensitive personal data was further discussed, and many participants supported its inclusion in the definition.

The question of whether IP addresses should be included in the definition for personal data was raised. The response to this question was that IP addresses should be included in the definition since they relate to the identification of a natural person. However, the question of whether a specific IP address is considered personal data, as many individuals use the Web through the same IP address, remained unclear. Other participants raised the question of whether unborn humans and deceased persons should have privacy rights. The response to this was that in India, only the court can decide if a deceased person can have the right to privacy.

The controversy between the UID project and the protection of biometric data under the definition for sensitive personal information was discussed in the round table. In particular, it was pointed out that because the UID scheme requires the mass biometric collection in India is contradictory to the protection of such data under the Bill. As the UID scheme remains unregulated, it is unclear who will have access to the biometric data, who it will be shared with, whether it will be disclosed and retained and if so, for how long. All the questions which revolve around the implementation of the UID scheme and the use of the biometric data collected raise concerns in regards to what extent such data can realistically be protected under privacy legislation.

On this note, a participant mentioned that under EU regulation, an ID number is included in the definition for sensitive personal information and it was recommended that the same is added in India's draft Privacy (Protection) Bill 2013. Furthermore, a participant recommended that fingerprints are also included in the definition for sensitive personal data, especially in light of the NPR and UID scheme.

A participant argued that passwords should also be included in the definition for sensitive personal data, as well as private keys which are used for encryption and decryption. It was pointed out that section 69 of the IT Act requires the disclosure of encryption keys upon the request from authorities, which potentially can lead to the violation of privacy and other human rights. Hence the significance of protecting passwords and encryption keys which can safeguard data was highly emphasized and it was argued that they should definitely be included in the definition for sensitive personal data. This position was countered by a participant who argued that the Government of India should have access to private encyrption keys for national security purposes.

On the definition of sensitive personal data, it was emphasized that this term should relate to all data which can be used for discrimination, which is why it needs to be protected. It was further emphasized that it took Europe twelve years to reach a definition for personal data, which is why India still needs to look at the issue in depth and encounter all the possible violations which may potentially occur from the non-regulation of various types of data. Most participants agreed that financial information, passwords and private encryption keys should be added in the definition for sensitive personal data.

The fifth round table entailed a debate on whether political affiliation should be included in the definition for sensitive personal data. In particular, one participant argued that political parties disclose the names of their members and that in many cases they are required to do in order to show their source of income. Hence, it was argued that political affiliation should not be included in the definition for sensitive personal data, since it is not realistic to expect political parties to protect their members' privacy. This was countered by other participants who argued that anonymity in political communications is important, especially when an individual is in a minority position, which is why the term political affiliation should be included in the definition for sensitive personal data.

The discussion on the definitions in the draft Privacy (Protection) Bill 2013 concluded with comments that the definiton for surveillance is very exclusive of many types of surveillance. In particular, it was argued that the definition for surveillance does not appear to cover artificial intelligence, screen shots and various other forms of surveillance, all of which should be regulated.

Chapter II: Right to Privacy

Section 4 of the draft Privacy (Protection) Bill 2013 states that all natural persons have a right to privacy. Section 5 of the Bill includes exemptions to the right to privacy. On this note, it was pointed out that during the round table that there is no universal definition of privacy and thus it is challenging to define the term and to regulate it. Furthermore, the rapid pace at which technology is proliferating was emphasized, along with its impact on the right to privacy. For example, it was mentioned that emails were not covered by privacy legislation in the past, but this needs to be amended accordingly. The European Data Protection Directive was established in 1995 and does not regulate many privacy issues which arise through the Internet, which is why it is currently being reviewed. Similarily, it was argued that privacy legislation in India should encompass provisions for potential data breaches which may occur through the Internet and various forms of technology.

A participant argued that the draft Privacy (Protection) Bill 2013 should include provisions for data subjects, which enable them to address their rights. In particular, it was argued that data subjects should have the right to access information collected and retained about them and that they should have the right to make corrections. The reponse to this comment was that the Bill may be split into two seperate Bills, where the one would regulate data protection and the other would regulate the interception of communications and surveillance, while the data subject would be addressed extensively. Furthermore, participants raised questions of how to define the data controller and the data subjects within the Indian context.

Other questions which were raised during the round table included whether spam should be addressed by the Bill. Several participants argued that spam should not be regulated, as it is not necessarily harmful to data subjects. Other participants argued that the isse of access to data should be addressed prior to the definition of privacy. Another argument was that commerical surveillance should not be conducted within restrictions, which is why it should not be inlcuded in the exemptions to the right to privacy. It was also pointed out that residential surveillance should be allowed, as long as the cameras are pointed inwards and do not capture footage of third parties outside of a residence. On this note, it was argued that surveillance in the work place should also be exempted from the right to privacy, as that too can be considered the private property of the owner. Moreover, it was emphasized that the surveillance of specific categories of people should also be excluded from the exemptions to the right to privacy.

A participant argued that in some cases, NGOs may be collecting information for some “beneficial purpose” and that such cases should be excluded from the exemptions to the right to privacy. Other participants argued that in many cases, data needs to be collected for market research and that the Bill should regulate what applies in such cases. All such arguments were countered by a participant, who argued that Section 5 of the Bill on the exemptions to the right to privacy should be deleted, as it creates to many complications. This recommendation was backed up by the example of a husband capturing a photograph of his wife and then publishing the image without her consent.

During this discussion, a participant raised the question of to what extent the right to privacy applies to minors. This question was supported by the example of Facebook, where many minors have profiles but the extent to which this data is protected remains ambiguous. Furthermore, it was pointed out that it remains unclear whether privacy legislation can practically safeguard minors who choose to share their data online. A participant responded to these concerns by stating that Facebook is a data controller and has to comply with privacy law to protect its customers' data. It was pointed out that it does not matter if the data controller is a company or an NGO; in every case, the data controller is obliged to comply with data protection law and regulations.

Furthermore, it was pointed out that Facebook allows for minors aged 13 to create a profile, while it remains unclear how minors can enforce their privacy rights. In particular, it remains unclear how the mediated collection of minors' data can be regulated and it was recommended that this is addressed by the Bill. A participant replied to this by stating that Indian laws rule in favour of minors, but that this simultaneously remains a grey area. In particular, it was pointed out that rules under section 43 of the Information Technology (IT) Act cover Internet access by minors, but this still remains an unclear area which needs further debate and analysis.

The question which prevailed at the end of the discussion of Chapter 2 of the Bill was on the social media and minors, and on how minors' data can be protected when it is being published immediately through the social media, such as Facebook. Furthermore, it was recommended that the Bill addresses the practical operationalisation of the right to privacy within the Indian context.

Chapter III: Protection of Personal Data

The discussion of Chapter 3 of the draft Privacy (Protection) Bill 2013 on the protection of personal data commenced with a reference to the nine privacy principles of the Justice AP Shah Justice Committee. The significance of the principles of notice and consent were outlined, as it was argued that individuals should have the right to be informed about the data collected about them, as well as to have the rigt to access such data and make possible corrections.

Collection of Personal Data

The discussion on the collection of personal data (as outlined in Section 6 of Chapter 3 of the Bill) commenced with a participant arguing that a company seeking to collect personal data should always have a stated function. In particular, a company selling technological products or services should not collect biometric data, for example, unless it serves a specified function. It was pointed out that data collection should be restricted to the specified purposes. For example, a hospital should be able to collect medical data because it relates to its stated function, but an online company which provides services should not be eligible to collect such data, as it deviates from its stated function.

During the discussion, it was emphasized that individuals should have the right to be informed when their data is being collected, which data is being collected, the conditions for the disclosure of such data and everything else that revolves around the use of their data once it has been collected. However, a participant questioned whether it is practically feasible for individuals to provide consent to the collection of their data every time it is being collected, especially since the privacy policies of companies keep changing. Moreover, it was questioned whether companies can or should resume the consent of their customers once their privacy policy has changed. On this note, a participant argued that companies should be obliged to notify their customers every time their privacy policy changes and every time the purpose behind their data collection changes.

On the issue of consent for data collection, a participant argued that individuals should have the right to withdraw their consent, even after their data has been collected and in such cases, such data should be destroyed. This was countered by another participant who argued that it is not realistic to expect companies to acquire individual consent every time the purpose behind data collection changes, nor is it feasible to allow for the withdrawal of consent without probable cause.

The issue of indirect consent to the collection of personal data was raised and, in particular, several participants argued that the Bill should have provisions which would regulate circumstances where indirect consent can be obtained for the collection of personal data. Furthermore, it was emphasized that the Bill should also include a notice for all potential purposes of data collection which may arise in the future; if the purpose for data collection changes based on conditions specified, then companies should not be mandated to notify individuals. Moreover, a participant argued that the Bill should include provisions which would enable individuals to opt-in and/or opt-out from data collection.

On the issue of consent, it was further outlined that consent provides a legitimate purpose to process data and that the data subject should have the right to be informed prior to the collection of his or her data. However, it was emphasized that the draft Privacy (Protection) Bill 2013 is a very strict regulation, as consent cannot always be acquired prior to data collection, because there are many cases where this is not practically feasible. It was pointed out that in the European Data Protection Directive, it is clear that consent cannot always be acquired prior to data collection. The example of medical cases was mentioned, as patients may not always be capable to provide consent to data collection which may be necessary.

In particular, it was highlighted that the European Data Protection Directive includes provisions for the processing of personal data, as well as exceptions for when consent is not required prior to data collection. The Directive guarantees the legitimate interest of the data controller and data processing is based upon the provisions of privacy legislation. The outsourcing of data is regulated in the European Union, and it was recommended that India regulates it too. Following this comment, it was stated that the recent leaks on the NSA's surveillance raise the issue of non-consentual state collection of data and non-consentual private disclosure of data and a brief debate revolved around these issues in the round table.

On the issue of mediated data collection, the situations in which collected data is mediated by third parties was analysed. It was recommended that the law is flexible to address the various types of cases when collected data is mediated, such as when a guardian needs to handle and take decisions for data of a mentally disabled person being collected. However, it was pointed out that mediated data collection should be addressed sectorally, as a doctor, for example, would address mediated data in a different manner than a company. It was emphasized that specific cases – such a parent taking a mediated decision on the data collection of his or her child – should be enabled, whereas all other cases should be prohibited. Thus it was recommended that language to address the mediated collection of data should be included in the Bill.

A participant raised the question of whether there should be seperate laws for the private collection of data and state collection of data. It was mentioned that this is the case in Canada. Another question which was raised was what happens when state collectors hire private contractors. The UID was brought as an example of state collection of data, while private contractors have been hired and are involved in the process of data collection. This could potentially enable the collection and access of data by unauthorised third parties, to which individuals may have not given their consent to. Thus it was strongly recommended that the Bill addresses such cases and prevents unauthorised collection and access of data.

The discussion on the collection of personal data ended with an interesting test case study for privacy: should the media have the right to disclose individuals' personal data? A debate revolved around this question and participants recommended that the Bill regulates the collection, processing, sharing, disclosure and retention of personal data by the media.

Retention of Personal Data

The discussion on the retention of personal data commenced with the statement that there are various exceptions to the retention of data in India, which are outlined in various court cases. It was pointed out that data should be retained in compliance with the law, but this is problematic as, in various occasions, a verbal order by a policeman can be considered adequate, but this can potentially increase the probability for abuse. A question which was raised was whether an Act of Parliament should allow for the long term storage of data, especially when there is inadequate data to support its long-term retention. It was pointed out that in some cases there are laws which allow for the storage of data for up to ten years, without the knowledge – let alone the consent – of the individual. Thus, the issue of data retention in India remains vague and should be addressed by the draft Privacy (Protection) Bill 2013.

Questions were raised on the duration of data retention periods and on whether there should be one general data retention law or several sectoral data retention laws. The participants disagreed on whether an Act of Parliament should regulate data retention or whether data retention should be regulated by sectoral authorities. A participant recommended “privacy by design” and stated that the question of data retention should be addressed by data controllers. Other participants raised the question of purpose limitation, especially for cases when data is being re-retained after the end of its retention period. A participant recommended that requirements for the anonymisation of data once it has exceeed its retention period should be established. However, this proposal was countered by participants who argued that the pracitcal enforcement of the anonymisation of retained data is not feasible within India.

Destruction of Personal Data

The retention of personal data can be prevented once data has been destroyed. However, participants argued that various types of data are being collected through surveillance products which are controlled by private parties. In such cases, it was argued that it remains unclear how it will be verified that data has indeed being destroyed.

A participant argued that the main problem with data destruction is that even if data has been deleted, it can be retrieved up to seven times; thus the question which arises is how can individuals know if their data has been permanently destroyed, or if it is being secretly retrieved. Questions were raised on how the permanent retention of data can be prevented, especially when even deleted data can be retrieved. Hence it was recommended that information security experts cooperate with data controllers and the Privacy Commissioner, to ensure that data is permanently destroyed and/or that data is not being accessed after the end of its retention period. Such experts would ensure that data is actually being destroyed.

Another participant pointed out the difference between the wiping of data and the deletion of data. In particular, the participant argued that data is being deleted when it is being overwritten by other data, and can potentially be recovered. Wiping of data, on the other hand, involves the wiping out of data which can never be recovered. The participant recommended that the Bill explicitly states that data is wiped out in order to ensure that data is not being indirectly retained.

Processing of Personal Data

The dicsussion on the processing of personal data began with the question of national archives. In particular, participants argued that if the processing of data is strictly regulated, that would restrict access to national archives and the draft Privacy (Protection) Bill 2013 should address this issue.

Questions were raised on the non-consentual processing of personal data and on how individual consent should be acquired prior to the processing of personal data. It was pointed out that the Article 29 Working Party has published an Opinion on purpose limitation with regards to data processing and it was recommended that a similar approach is adopted in India.

Furthermore, it was stated that IT companies are processing data from the EU and the U.S., but it remains unclear how individual consent can be obtained in such cases. A debate evolved on how to bind foreign data processors to meet the data requirements of India, as a minimum prerequisite to ensure that outsourced data is not breached. In light of the Edward Snowden leaks of NSA surveillance, many questions were raised on how Indian data outsourced and stored abroad can be protected.

It was highlighted during the round table that all data processing in India requires certification, but since the enforceability of the contracts relies on individuals, this raises issues of data security. Moreover, questions were raised on how Indian companies can protect the data of their foreign data subjects. Thus, it was recommended that the processing of data is strictly regulated through the draft Privacy (Protection) Bill 2013 to ensure that outsourced data and data processed in the country is not breached.

Security of Personal Data

On the issue of data security, the participants argued that the data subject should always be informed in cases when the confidentiality of their personal data is violated. Confidentiality is usually contractually limited, whereas secrecy is not, which is why both terms are included in the draft Privacy (Protection) Bill 2013. In particular, secrecy is usually used for public information, whereas confidentiality is not.

Participants argued that the Bill should include restrictions on the media, in order to ensure that the confidentiality and integrity of their sources' data is preserved. Several participants stated that the Bill should also include provisions for whistleblowers which would provide security and confidentiality for their data. The participants of the round table engaged in a debate on whether the media should be strictly regulated in order to ensure the confidentiality of their sources' data. On the one hand, it was argued that numerous data breaches have occured as a result of the media mishandling their sources' data. On the other hand, it was stated that all duties of secrecy are subject to the public interest, which is why the media reports on them and which is why the media should not be restricted.

Disclosure of Personal Data

The discussion on the disclosure of personal data commenced with participants pointing out that the draft Privacy (Protection) Bill 2013 does not include requirements for consent prior to the disclosure of personal data, which may potentially lead to abuse. Questions were raised on the outsourcing of Indian data abroad and on the consequences of its foreign disclosure. Once data is outsourced, it remains unclear how the lawful disclosure or non-disclosure of data can be preserved, which is why it was recommended that the Bill addresses such issues.

A participant argued that there is a binding relationship between the data controller and the data subject and that disclosure should be regulated on a contractual level. Another participant raised the question of enforcement: How can regulations on the disclosure of personal data be enforced? The response to this question was that the law should focus on the data controller and that when Indian data is being outsourced abroad, the Indian data controller should ensure that the data subjects' data is not breached. However, other participants raised the question of how data can be protected when it is outsourced to countries where the rule of law is not strong and when the country is considered inadequate in terms of data protection.

With an increased transnational flow of information, questions arise on how individuals can protect their information. A participant recommended that it should be mandatory for companies to state in their contracts who they are outsourcing data to and whether such data will be disclosed to third parties. However, this proposal as countered by a participant who argued that even if this was inforced, it is still not possible to enforce the rights of an Indian data subject in a country which does not have a strong rule of law or which generally has weak legislation. A specific example was mentioned, where E.G. Infosys and Wipro Singapore have a contractual agreement and Indian data is outsourced. It was pointed out that if such data is breached, it remains unclear if the individual should address this issue to Wipro India, as well as which law should apply in this case and whether companies should be liable.

A participant suggested that the data controller discloses data without having acquired prior consent, if the Government of India requests it. However, this was countered by a participant who argued that even in such a case, the question of regulating access to data still remains. Other participants argued that the Right to Information Act has been misused and that too much information is currently being disclosed. It was recommended that the Right to Information Act is amended and that the Bill includes strict regulations for the disclosure of personal data.

Meeting Conclusion

The fifth Privacy Round Table meeting commenced with a presentation on privacy and data protection by Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman, and proceeded with a discussion of the draft Privacy (Protection) Bill 2013. The participants engaged in a heated debate and provided recommendations for the definitions used in the Bill, as well as for the regulation of data protection. The recommendations for the improvement of the draft Privacy (Protection) Bill 2013 will be considered and incorporated in the final draft.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-5th-privacy-round-table

Report on the 4th Privacy Round Table meeting

maria — 2013-07-12T11:04:25Z

This report entails an overview of the discussions and recommendations of the fourth Privacy Round Table in Mumbai, on 15th June 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Final Roundtable and National Meeting: 17 August 2013

Following the first three Privacy Round Tables in Delhi, Bangalore and Chennai, this report entails an overview of the discussions and recommendations of the fourth Privacy Round Table meeting in Mumbai, on 15th June 2013.

Discussion of the Draft Privacy (Protection) Bill 2013

Discussion of definitions: Chapter 1

The fourth Privacy Round Table meeting began with a discussion of the definitions in Chapter 1 of the draft Privacy (Protection) Bill 2013. In particular, it was stated that in India, the courts argue that the right to privacy indirectly derives from the right to liberty, which is guaranteed in article 21 of the constitution. However, this provision is inadequate to safeguard citizens from potential abuse, as it does not protect their data adequately. Thus, all the participants in the meeting agreed with the initial notion that India needs privacy legislation which will explicitly regulate data protection, the interception of communications and surveillance within India. To this extent, the participants started a thorough discussion of the definitions used in the draft Privacy (Protection) Bill 2013.

It was specified in the beginning of the meeting that the definition of personal data in the Bill applies to natural persons and not to juristic persons. A participant argued that the Information Technology Act refers to personal data and that the draft Privacy (Protection) Bill 2013 should be harmonised with existing rules. This was countered by a participant who argued that the European Union considers the Information Technology Act inadequate in protecting personal data in India and that since India does not have data secure adequacy, the Bill and the IT Act should not be harmonised.

Other participants argued that all other relevant acts should be quoted in the discussion so that it does not overlap with existing provisions in other rules, such as the IT Act. Furthermore, this was supported by the notion that the Bill should not clash with existing legislation, but this was dismissed by the argument that this Bill – if enacted into law – would over right all other competing legislation. Special laws over right general laws in India, but this would be a special law for the specific purpose of data protection.

The definition of sensitive personal data includes biometric data, political affiliation and past criminal history, but does not include ethnicity, caste, religion, financial information and other such information. It was argued that one of the reasons why such categories are excluded from the definition of sensitive personal data is because the government requests such data on a daily basis and that it is not willing to take any additional expense to protect such data. It was stated that the Indian government has argued that such data collection is necessary for caste census and that financial information, such as credit data, should not be included in the definition for sensitive personal data, because a credit Act in India specifically deals with how credit data should be used, shared and stored.

Such arguments were backlashed by participants arguing that definitions are crucial because they are the “building blocks” of the entire Bill and that ethnicity, caste, religion and financial information should not be excluded from the Bill, as they include information which is sensitive within the Indian context. In particular, some participants argued that the Bill would be highly questioned by countries with strong privacy legislation, as certain categories of information, such as ethnicity and caste, are definitely considered to be sensitive personal information within India. The argument that it is too much of a bureaucratic and financial burden for the Indian government to protect such personal data was countered by participants who argued that in that case, the government should not be collecting that information to begin with – if it cannot provide adequate safeguards.

The debate on whether ethnicity, religion, caste and financial information should be included in the definition for sensitive personal data continued with a participant arguing that no cases of discrimination based on such data have been reported and that thus, it is not essential for such information to be included in the definition. This argument was strongly countered by participants who argued that the mere fact that the government is interested in this type of information implies that it is sensitive and that the reasons behind the governments´ interest in this information should be investigated. Furthermore, some participants argued that a new provision for data on ethnicity, religion, caste and financial information should be included, as well as that there is a difference between voluntarily handing over such information and being forced to hand it over.

The inclusion of passwords and encryption keys in the definition of sensitive personal data was highly emphasized by several participants, especially since their disclosure can potentially lead to unauthorised access to volumes of personal data. It was argued that private keys in encryption are extremely sensitive personal data and should definitely be included within the Bill.

In light of the NSA leaks on PRISM, several participants raised the issue of Indian authorities protecting data stored in foreign servers. In particular, some participants argued that the Bill should include provisions for data stored in foreign servers in order to avoid breaches for international third parties. However, a participant argued that although Indian companies are subject to the law, foreign data processors cannot be subject to Indian law, which is why they should instead provide guarantees through contracts.

Several participants strongly argued that the IT industry should not be subject to some of the privacy principles included in the Report of the Group of Experts on Privacy, such as the principle of notice. In particular, they argued that customers choose to use specific services and that by doing so, they trust companies with their data; thus the IT industry should not have to comply with the principle of notice and should not have to inform individuals of how they handle their data.

On the issue of voluntary disclosure of personal data, a participant argued that, apart from the NPR and UID, Android and Google are conducting the largest data collection within India and that citizens should have the jurisdiction to go to court and to seek that data. The issue of data collection was further discussed over the next sessions.

Right to Privacy: Chapter 2

The discussion of the right to privacy, as entailed in chapter 2 of the draft Privacy (Protection) Bill 2013, started with a participant stating that governments own the data citizens hand over to them and that this issue, along with freedom from surveillance and illegal interception, should be included in the Bill.

Following the distinction between exemptions and exceptions to the right to privacy, a participant argued that although it is clear that the right to privacy applies to all natural persons in India, it is unclear if it also applies to organizations. This argument was clarified by a participant who argued that chapter 2 clearly protects natural persons, while preventing organisations from intervening to this right. Other participants argued that the language used in the Bill should be more gender neutral and that the term “residential property” should be broadened within the exemptions to the right to privacy, to also include other physical spaces, such as shops. On this note, a participant argued that the word “family” within the exemptions should be more specifically defined, especially since in many cases husbands have controlled their wives when they have had access to their personal accounts.

The definition of “natural person” was discussed, while a participant raised the question of whether data protection applies to persons who have undergone surgery and who have changed their sexual orientation; it was recommended that such provisions are included within the Bill. The above questions were answered by a participant who argued that the generic European definitions for “natural persons” and “family” could be adopted, as well as that CCTV cameras used in public places, such as shops, should be subject to the law, because they are used to monitor third parties.

Other participants suggested that commercial violations are not excluded from the Bill, as the broadcasting of people, for example, can potentially lead to a violation of the right to privacy. In particular, it was argued that commercial establishments should not be included in the exemptions section of the right to privacy, in contrast to other arguments that were in favour of it. Furthermore, participants argued that the interaction between transparency and freedom of information should be carefully examined and that the exemptions to the right to privacy should be drafted accordingly.

Protection of Personal Data: Chapter 3

Some of the most important discussions in the fourth Privacy Round Table meeting revolved around the protection of personal data.

Collection of personal data

The discussion on the collection of personal data started with a statement that the issue of individual consent prior to data collection is essential and that in every case, the data subject should be informed of its data collection, data processing, data sharing and data retention.

It was pointed out that, unlike most privacy laws around the world, this Bill is affirmative because it states that data can only be collected once the data subject has provided prior consent. It was argued that if this Bill was enacted into law, it would probably be one of the strictest laws in the world in terms of data collection, because data can only be collected with individual consent and a legitimate purpose. Data collection in the EU is not as strict, as there are some exemptions to individual consent; for example, if someone in the EU has a heart attack, other individuals can disclose his or her information. It was emphasized that as this Bill limits data collection to individual consent, it does not serve other cases when data collection may be necessary but individual consent is not possible. A participant pointed out that, although the Justice AP Shah Report of the Group of Experts on Privacy states that “consent may not be acquired in some cases”, such cases are not specified within the Bill.

Other issues that were raised are that the Bill does not specify how individual consent would be obtained as a prerequisite to data collection. In particular, it remains unclear whether such consent would be acquired through documentation, a witness or any other way. Thus it was emphasized that the method for acquiring individual consent should be clearly specified within the Bill, especially since it is practically hard to obtain consent for large portions of the Indian population that live below the line of poverty.

A participant argued that data collection on private detectives, from reality TV shows and on physical movement and location should also be addressed in the Bill. Furthermore, other participants argued that specific explanations to exempt medical cases and state collection of data which is directly related to the provision of welfare should be included in the Bill. Participants recommended that individuals should have the right to opt out from data collection for the purpose of providing welfare programmes and other state-run programmes.

The need to define the term “legitimate purpose” was pointed out to ensure that data is not breached when it is being collected. A participant recommended the introduction of a provision in the Bill for anonymising data in medical case studies and it was pointed out that it is very important to define what type of data can be collected. In particular, it was argued that a large range of personal data is being collected in the name of “public health” and “public security” and that, in many cases, patients may provide misinformed consent, because they may think that the revelation of their personal data is necessary, when actually it might not be. It was recommended that this issue is addressed and that necessary provisions are included in the Bill.

In the cases where data is collected for statistics, individuals may not be informed of their data being collected and may not provide consent. It was also recommended that this issue is addressed and included in the Bill. However, it was also pointed out that in many cases, individuals may choose to use a service, but they may not be able to consent to their data collection and Android is an example of this. Thus it was argued that companies should be transparent about how they handle users´ data and that they should require individuals´ consent prior to data collection.

It was emphasized that governments have a duty of transparency towards their citizens and that the fact that, in many cases, citizens are obliged to hand over their data without giving prior consent to how their data is being used should be taken into consideration. In particular, it was argued that many citizens need to use specific services or welfare programmes and that they are obliged to hand over their personal information. It was recommended that the Bill incorporates provisions which would oblige all services to acquire individual consent prior to data collection. However, the issue that was raised is that often companies provide long and complicated contracts and policy guides which discourage individuals from reading them and thus from providing informed consent; it was recommended that this issue is addressed as well.

Storage and destruction of personal data

The discussion on the storage and destruction of personal data started with a statement that different sectors should have different data retention frameworks. The proposal that a ubiquitous data retention framework should not apply to all sectors was challenged by a participant who stated that the same data retention period should apply to all ISPs and telecoms. Furthermore, it was added that regulators should specify the data retention period based on specific conditions and circumstances. This argument was countered by participants who argued that each sector should define its data retention framework depending on many variables and factors which affect the collection and use of data.

In European laws, no specific data retention periods are established. In particular, European laws generally state that data should only be retained for a period related to the purpose of its collection. Hence it was pointed out that data retention frameworks should vary from sector to sector, as data, for example, may need to be retained longer for medical cases than for other cases. This argument, however, was countered by participants who argued that leaving the prescription of a data retention period to various sectors may not be effective in India.

Questions of how data retention periods are defined were raised, as well as which parties should be authorised to define the various purposes for data retention. One participant recommended that a common central authority is established, which can help define the purpose for data retention and the data retention period for each sector, as well as to ensure that data is destroyed once the data retention period is over. Another participant recommended that a three year data retention period should be applied to all sectors by default and that such periods could be subject to change depending on specific cases.

Security of personal data and duty of confidentiality

Participants recommended that the definition of “data integrity” should be included in Chapter 1 of the draft Privacy (Protection) Bill 2013. Other participants raised the need to define the term “adequacy” in the Bill, as well as to state some parameters for it. It was also suggested that the term “adequacy” could be replaced by the term “reasonable”.

One of the participants raised the issue of storing data in a particular format, then having to transfer that data to another format which could result in the modification of that data. It was pointed out that the form and manner of securing personal data should be specifically defined within the Bill. However, it was argued that the main problem in India is the implementation of the law, and that it would be very difficult to practically implement the draft Privacy (Protection) Bill in India.

Disclosure of personal data

The discussion on the disclosure of personal data started with a participant arguing that the level of detail disclosed within data should be specified within the Bill. Another participant argued that the privacy policies of most Internet services are very generic and that the Bill should prevent such services from publicly disclosing individuals´ data. On this note, a participant recommended that a contract and a subcontract on the disclosure of personal data should be leased in order to ensure that individuals are aware of what they are providing their consent to.

It was recommended that the Bill should explicitly state that data should not be disclosed for any other purpose other than the one for which an individual has provided consent. Data should only be used for its original purpose and if the purpose for accessing data changes within the process, consent from the individual should be acquired prior to the sharing and disclosure of that data. A participant argued that banks are involved with consulting and other advisory services which may also lead to the disclosure of data; all such cases when information is shared and disclosed to (unauthorised) third parties should be addressed in the Bill.

Several participants argued that companies should be responsible for the data they collect and that should not share it or disclose it to unauthorised third parties without individuals´ knowledge or consent. On this note, other participants argued that companies should be legally allowed to share data within a group of companies, as long as that data is not publicly disclosed. An issue that was raised by one of the participants is that online companies, such as Gmail, usually acquire consent from customers through one “click” to a huge document which not only is usually not read by customers, but which vaguely entails all the cases for which individuals would be providing consent for. This creates the potential for abuse, as many specific cases which would require separate, explicit consent, are not included within this consent mechanism.

This argument was countered by a participant who stated that the focus should be on code operations for which individuals sign and provide consent, rather than on the law, because that would have negative implications on business. It was highlighted that individuals choose to use specific services and that by doing so they trust companies with their data. Furthermore, it was argued that the various security assurances and privacy policies provided by companies should suffice and that the legal regulation of data disclosure should be avoided.

Consent-based sharing of data should be taken into consideration, according to certain participants. The factor of “opt in” should also be included when a customer is asked to give informed consent. Participants also recommended that individuals should have the power to “opt out”, which is currently not regulated but deemed to be extremely important. Generally it was argued that the power to “opt in” is a prerequisite to “opt out”, but both are necessary and should be regulated in the Bill.

A participant emphasized the need to regulate phishing in the Bill and to ensure that provisions are in place which could protect individuals´ data from phishing attacks. On the issue of consent when disclosing personal data, participants argued that consent should be required even for a second flow of data and for all other flows of data to follow. In other words, it was recommended that individual consent is acquired every time data is shared and disclosed. Moreover, it was argued that if companies decide to share data, to store it somewhere else or to disclose it to third parties years after its initial collection, the individual should have the right to be informed.

However, such arguments were countered by participants who argued that systems, such as banks, are very complex and that they don´t always have a clear idea of where data flows. Thus, it was argued that in many cases, companies are not in a position to control the flow of data due to a lack of its lack of traceability and hence to inform individuals every time their data is being shared or disclosed.

Participants argued that the phrase “threat to national security” in section 10 of the Bill should be explicitly defined, because national security is a very broad term and its loose interpretation could potentially lead to data breaches. Furthermore, participants argued that it is highly essential to specify which authorities would determine if something is a threat to national security.

The discussion on the disclosure of personal data concluded with a participant arguing that section 10 of the Bill on the non-disclosure of information clashes with the Right to Information Act (RTI Act), which mandates the opposite. It was recommended that the Bill addresses the inevitable clash between the non-disclosure of information and the right to information and that necessary provisions are incorporated in the Bill.

Presentation by Mr. Billy Hawkes – Irish Data Protection Commissioner

The Irish Data Protection Commissioner, Mr. Billy Hawkes, attended the fourth Privacy Round Table meeting in Mumbai and discussed the draft Privacy (Protection) Bill 2013.

In particular, Mr. Hawkes stated that data protection law in Ireland was originally introduced for commercial purposes and that since 2009 privacy has been a fundamental right in the European Union which spells out the basic principles for data protection. Mr. Hawkes argued that India has successful outsourcing businesses, but that there is a concern that data is not properly protected. India has not been given data protection adequacy by the European Union, mainly because the country lacks privacy legislation.

There is a civic society desire for better respect for human rights and there is the industrial desire to be considered adequate by the European Union and to attract more international customers. However, privacy and data protection are not covered adequately in the Information Technology Act, which is why Mr. Hawkes argued that the draft Privacy (Protection) Bill 2013 should be enacted in compliance with the principles from the Justice AP Shah Report on the Group of Experts on Privacy. Enacting privacy legislation in India would, according to Mr. Hawkes, be a prerequisite so that India can potentially be adequate in data protection in the future.

The Irish Data Protection Commissioner referred to the current negotiations taking place in the European Union for the strengthening of the 1995 Directive on Data Protection, which is currently being revisited and which will be implemented across the European Union. Mr. Hawkes emphasized that it is important to have strong enforcement powers and to ask companies to protect data. In particular, he argued that data protection is good customer service and that companies should acknowledge this, especially since data protection reflects respect towards customers.

Mr. Hawkes highlighted that other common law countries, such as Canada and New Zealand, have achieved data secure adequacy and that India can potentially be adequate too. More and more countries in the world are seeking European adequacy. Privacy law in India would not only safeguard human rights, but it´s also good business and would attract more international customers, which is why European adequacy is important. In every outsourcing there needs to be a contract which states that the requirements of the data controller have been met. Mr. Hawkes emphasized that it is a competitive disadvantage in the market to not be data adequate, because most countries will not want their data outsourced to countries which are inadequate in data security.

As a comment to previous arguments stated in the meeting, it was pointed out that in Ireland, if companies and banks are not able to track the flow of data, then they are considered to be behaving irresponsibly. Furthermore, Mr. Hawkes states that data adequacy is a major reputational issue and that inadequacy in data security is bad business. It is necessary to know where the responsibility for data lies, which party initially outsourced the data and how it is currently being used. Data protection is a fundamental right in the European Union and when data flows outside the European Union, the same level of protection should apply. Thus other non-EU countries should comply with regulations for data protection, not only because it is a fundamental human right, but also because it is bad business not to do so.

The Irish Data Protection Commissioner also referred to the “Right to be Forgotten”, which is the right to be told how long data will be retained for and when it will be destroyed. This provides individuals some control over their data and the right to demand this control.

On the funding of data protection authorities, Mr. Hawkes stated that funding varies and that in most cases, the state funds the data protection authority – including Ireland. Data protection authorities are substantially funded by their states across the European Union and they are allocated a budget every year which is supposed to cover all their costs. The Spanish data protection authorities, however, are an exception because a large amount of their activities are funded by fines.The data protection authorities in the UK (ICO) are funded through registration fees paid by companies and other organizations.

When asked about how many employees are working in the Irish data protection commissioner´s office, Mr. Hawkes replied that only thirty individuals are employed. Employees working in the commissioner´s office are responsible for overseeing the protection of the data of Facebook users, for example. Facebook-Ireland is responsible for handling users´ data outside of North America and the commissioner´s office conducted a detailed analysis to ensure that data is protected and that the company meets certain standards. Facebook´s responsibility is limited as a data controller as individuals using the service are normally covered by the so-called "household exemption" which puts them outside the scope of data protection law. The data protection commissioner conducts checks and balances, writes reports and informs companies that if they comply with privacy and data protection, then they will be supported.

Data protection in Ireland covers all the organizations, without exception. Mr. Hawkes stated that EU data protection commissioners meeting in the "Article 29" Working Party spend a significant amount of their time dealing with companies like Google and Facebook and with whether they protect their customers´ data.

The Irish Data Protection Commissioner recommended that India establishes a data protection commission based on the principles included in the Justice AP Shah Report of the Group of Experts on Privacy. In particular, an Indian data protection commission would have to deal with a mix of audit inspections, complaints, greater involvement with sectors, transparency, accountability and liability to the law. Mr. Hawkes emphasized that codes of practice should be implemented and that the focus should not be on bureaucracy, but on accountability. It was recommended that India should adopt an accountability approach, where punishment will be in place when data is breached.

On the recent leaks on the NSA´s surveillance programme, PRISM, Mr. Hawkes commented that he was not surprised. U.S. companies are required to give access to U.S. law enforcement agencies and such access is potentially much looser in the European Union than in the U.S., because in the U.S. a court order is normally required to access data, whereas in the European Union that is not always the case. Mr. Hawkes stated that there needs to be a constant questioning of the proportionality, necessity and utility of surveillance schemes and projects in order to ensure that the right to privacy and other human rights are not violated.

Mr. Hawkes stated that the same privacy law should apply to all organizations and that India should ensure its data adequacy over the next years. The Irish Data Protection Commissioner is responsible for Facebook Ireland and European law is about protecting the rights of any organisation that comes under European jurisdiction, whether it is a bank or a company. Mr. Billy Hawkes emphasized that the focus in India should be on adequacy in data security and in protecting citizens´ rights.

Meeting conclusion

The fourth Privacy Round Table meeting entailed a discussion of the draft Privacy (Protection) Bill 2013 and Mr. Billy Hawkes, the Irish Data Protection Commissioner, gave a presentation on adequacy in data security and on his thoughts on data protection in India. The discussion on the draft Privacy (Protection) Bill 2013 led to a debate and analysis of the definitions used in the Bill, of chapter 2 on the right to privacy, and on data collection, data retention, data sharing and data disclosure. The participants provided a wide range of recommendations for the improvement of the draft Privacy (Protection) Bill and all will be incorporated in the final draft. The Irish Data Protection Commissioner, Mr. Billy Hawkes, stated that the European Union has not given data adequacy to India because it lacks privacy legislation and that data inadequacy is not only a competitive disadvantage in the market, but it also shows a lack of respect towards customers. Mr. Hawkes strongly recommended that privacy legislation in compliance with the Justice AP Shah report is enacted, to ensure that India is potentially adequate in data security in the future and that citizens´ right to privacy and other human rights are guaranteed.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting

Report on the 3rd Privacy Round Table meeting

maria — 2013-07-12T11:35:22Z

This report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18th May 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Final Roundtable and National Meeting: 17 August 2013

Following the first two Privacy Round Tables in Delhi and Bangalore, this report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18^th May 2013.

Overview of DSCI´s paper on ´Strengthening Privacy Protection through Co-Regulation´

The third Privacy Round Table meeting began with an overview of the paper on “Strengthening Privacy Protection through Co-Regulation” by the Data Security Council of India (DSCI). In particular, the DSCI pointed out that although the IT (Amendment) Act 2008 lays down the data protection provisions in the country, it has its limitations in terms of applicability, which is why a comprehensive privacy law is required in India. The DSCI provided a brief overview of the Report of the Group of Experts on Privacy (drafted in the Justice AP Shah Committee) and argued that in light of the UID scheme, NATRGID, DNA profiling and the Central Monitoring System (CMS), privacy concerns have arisen and legislation which would provide safeguards in India is necessary. However, the DSCI emphasized that although they support the enactment of privacy legislation which would safeguard Indians from potential abuse, the economic value of data needs to be taken into account and bureaucratic structures which would hinder the work of businesses should be avoided.

The DSCI supported the enactment of privacy legislation and highlighted its significance, but also emphasized that such a legal framework should support the economic value of data. The DSCI appeared to favour the enactment of privacy legislation as it would not only oblige the Indian government to protect individuals´ sensitive personal data, but it would also attract more international customers to Indian online companies. That being said, the DSCI argued that it is important to secure a context for privacy based on Indian standards, rather than on global privacy standards, since the applicability of global standards in India has proven to be weak. The privacy bill should cover all dimensions (including, but not limited to, interception and surveillance) and the misuse of data should be legally prevented and prohibited. Yet, strict regulations on the use of data could potentially have a negative effect on companies’ competitive advantage in the market, which is why the DSCI proposed a co-regulatory framework – if not self-regulation.

In particular, the DSCI argued that companies should be obliged to provide security assurances to their customers and that regulation should not restrict the way they handle customers´ data, especially since customers choose to use a specific service in every case. This argument was countered by a participant who argued that in many cases, customers may not have alternative choices for services and that the issue of “choice” and consent is complicated. Thus it was argued that companies should comply with regulations which restrict the manner with which they handle customers´ data. Another participant argued that a significant amount of data is collected without users´ consent (such as through cookies) and that in most cases, companies are not accountable in regards to how they use the data, who they share it with or how long they retain it. Another participant who also countered the co-regulatory framework suggested by the DSCI argued that regulations are required for smartphones, especially since there is currently very low accountability as to how SMS data is being used or shared. Other participants also argued that, in every case, individual consent should be acquired prior to the collection, processing, retention, and disclosure of data and that that individual should have the right to access his/her data and make possible corrections.

The DSCI firmly supported its position on co-regulation by arguing that not only would companies provide security assurances to customers, but that they would also be accountable to the Privacy Commissioner through the provision of a detailed report on how they handle their customers´ data. Furthermore, the DSCI pointed out that in the U.S. and in Europe, companies provide privacy policies and security assurances and that this is considered to be adequate. Given the immense economic value of data in the Digital Age and the severe effects regulation would have on the market, the DSCI argued that co-regulation is the best solution to ensure that both individuals´ right to privacy and the market are protected.

The discussion on co-regulation proceeded with a debate on what type of sanctions should be applied to those who do not comply with privacy regulations. However, a participant argued that if a self-regulatory model was enforced and companies did not comply with privacy principles, the question of what would happen to individuals´ data would still remain. It was argued that neither self-regulation nor co-regulation provides any assurances to the individual in regards to how his/her data is protected and that once data is breached, there is very little that can be done to eliminate the damage. In particular, the participant argued that self-regulation and co-regulation provide very few assurances that data will not be illegally disclosed and breached. The DSCI responded to this argument by stating that in the case of a data breach, the both the Privacy Commissioner and the individual in question would have to be informed and that this issue would be further investigated. Other participants agreed that co-regulation should not be an option and argued that the way co-regulation would benefit the public has not been adequately proven.

The DSCI countered the above arguments by stating that the industry is in a better position to understand privacy issues than the government due to the various products that it produces. Industries also have better outreach than the Indian government and could enhance awareness to both other companies and individuals in terms of data protection, which is why the code of practice should be created by the industry and validated by the government. This argument was countered by a participant who stated that if the industry decides to participate in the enforcement process, this would potentially create a situation of conflict of interest and could be challenged by the courts in the future. The participant argued that an industry with a self-regulatory code of practice may be problematic, especially since there would be inadequate checks and balances on how data is being handled.

Another participant argued that the Indian government does not appear to take responsibility for the right to privacy, as it is not considered to be a fundamental human right; this being said, a co-regulatory framework could be more appropriate, especially since the industry has better insights on how data is being protected on an international level. Thus it was argued that the government could create high level principles and that the industry would comply. However, a participant argued that every company is susceptible to some type of violation and that in such a case, both self-regulation and co-regulation would be highly problematic. It was argued that, as any company could probably violate users´ data in some way down the line either way, self-regulation or co-regulation would probably not be the most beneficial option for the industry. This argument was supplemented by another participant who stated that co-regulation would mandate the industry and the Privacy Commissioner as the ultimate authorities to handle users´ data and that this could potentially lead to major violations, especially due to inadequate accountability towards users.

Co-regulation was once again supported by the DSCI through the argument that customers choose to use specific services and that by doing so, they should comply with the security measures and privacy policies provided. However, a participant asked whether other stakeholders should be involved, as well as what type of incentives companies have in order to comply with regulations and to protect users´ data. Another participant argued that the very definition of privacy remains vague and that co-regulation should not be an option, since the industry could be violating individuals´ privacy without even realising it. Another issue which was raised is how data would be protected when many companies have servers based in other countries. The DSCI responded by arguing that checks and balances would be in place to deal with all the above concerns, yet a general consensus on co-regulation did not appear to have been reached.

Discussion on the draft Privacy (Protection) Bill 2013

Discussion of definitions: Chapter II

The sections of the draft Privacy (Protection) Bill 2013 were discussed during the second session of the third Privacy Round Table meeting. In particular, the session started with a discussion on whether the draft Privacy (Protection) Bill 2013 should be split into two separate Bills, where the one would focus on data protection and the other on surveillance and interception. The split of a Bill on data protection to two consecutive Bills was also proposed, where the one would focus on data protection binding the public sector and the other on data protection binding the private sector. As the draft Privacy (Protection) Bill 2013 is in line with global privacy standards, the possibility of splitting the Bill to focus separately on the sections mentioned above was seriously considered.

The discussion on the definitions laid out in Chapter 2 of the draft Privacy (Protection) Bill 2013 started with a debate around the definitions of personal data and sensitive personal data and what exactly they should include. It was pointed out that the Data Protection Act of the UK has a much broader definition for the term ´sensitive personal data´ and it was recommended that the Indian draft Privacy (Protection) Bill complies with it. Other participants argued that a controversy lies in India on whether the government would conduct a caste census and if that were to be the case, such data (also including, but not limited to, religion and ethnic origin) should be included in the legal definition for ´sensitive personal data´ to safeguard individuals from potential abuse. Furthermore, the fact that the term ´sensitive personal data´ does not have a harmonious nature in the U.S. and in Europe was raised, especially since that would make it more difficult for India to comply to global privacy standards.

The broadness of the definition for ´sensitive personal data´ was raised as a potential problematic issue, especially since it may not be realistic to expect companies in the long term to protect everything it may include. The participants debated on whether financial information should be included in the definition of ´sensitive personal data´, but a consensus was not reached. Other participants argued that the terms ´data subject´ and ´data controller´ should be carefully defined, as well as that a generic definition for the term ´genetic data´ should be included in the Bill. Furthermore, it was argued that the word ´monitor´ should be included in the definitions of the Bill and that the universal norms in regards to the definitions should apply to each and every state in India. It was also noted that organizational affiliation, such as a trade union membership, should also be included in the definitions of the Bill, since the lack of legal protection may potentially have social and political implications.

Discussion of “Protection of Personal Data”: Chapter III

The discussion on the data protection chapter of the draft Privacy (Protection) Bill began with the recommendation that data collected by companies should comply with a confidentiality agreement. Another participant argued that the UK looks at every financial mechanism to trace how information flows and that India should do the same to protect individuals´ personal data. It was also argued that when an individual is constantly under surveillance, that individual´s behaviour is more controlled and that extra accountability should be required for the use of CCTV cameras. In particular, it was argued that when entities outside the jurisdiction gain access to CCTV data, they should be accountable as to how they use it. Furthermore, it was argued that the Bill should provide provisions on how data is used abroad, especially when it is stored in foreign servers.

Issue of Consent

The meeting proceeded with a discussion of Section 6 and it was pointed out that consent needs to be a prerequisite to data collection. Furthermore, conditions laid out in section 3 would have to be met, through which the individual would have to be informed prior to any data collection, processing, disclosure and retention of data. Section 11 of the Bill entails an accuracy provision, through which individuals have the right to access the data withheld about them and make any necessary corrections. A participant argued that the transmission of data should also be included in the Bill and that the transmitter would have to be responsible for the accuracy of the data. Another participant argued that transmitters should be responsible for the integrity of the data, but that individuals should be responsible for its accuracy. However, such arguments were countered by a participant who argued that it is not practically possible to inform individuals every time there is a change in their data.

Outsourcing of Data

It was further recommended that outsourcing guidelines should be created and implemented, which would specify the agents responsible for outsourcing data. On this note, the fact that a large volume of Indian data is being outsourced to the U.S. under the Patriot Act was discussed. In particular, it was pointed out that most data retention servers are based in the U.S., which makes it difficult for Indians to be able to be informed about which data is being collected, whether it is being processed, shared, disclosed and/or retained. A participant argued that most companies have special provisions which guarantee that data will not cross borders and that it actually depends on the type of ISP handling the data.

Another issue which was raised was that, although a consumer may have control over his/her data at the first stage, that individual ultimately loses control over his/her data in the next stages when data is being shared and/or disclosed without his/her knowledge or consent. Not only is this problematic because individuals lose control over their data, but also because the issue of accountability arises, as it is hard to determine who is responsible for the data once it has been shared and disclosed. Some participants suggested that such a problem could possibly be solved if the data subject is informed by the data processor that its data is being outsourced, as well as of the specific parties the data is being outsourced to. Another participant argued that it does not matter who the data is being outsourced to, but the manner of its use is what really matters.

Data Retention

Acting on the powers given by POTA, it was argued that 50,000 arrests have been made. Out of these arrests, only seven convictions have been made, yet the data of thousands of individuals can be stored for many years under POTA. Thus, it was pointed out that it is crucial that the individual is informed when his/her data is destroyed and that such data is not retained indefinitely. This was supplemented by a participant who argued that most countries in the West have data retention laws and that India should too. Other participants argued that data retention does not end with data destruction, but with the return of the data to the individual and the assurance that it is not stored elsewhere. However, several participants argued that the return of data is not always possible, especially since parties may lack the infrastructure to take back their data.

It was pointed out that civil society groups have claimed that collected data should be destroyed within a specific time period, but the debate remains polarized. In particular, some participants argued that data should be retained indefinitely, as the purpose of data collection may change within time and that data may be valuable in dealing with crime and terrorism in the future. This was countered by participants who argued that the indefinite retention of data may potentially lead to human rights violations, especially if the government handling the data is non-democratic. Another participant argued that the fact that data may be collected for purpose A, processed for purpose B and retained or disclosed for purpose C can be very problematic in terms of human rights violations in the future. Furthermore, another participant stated that destruction should mean that data is no longer accessible and that is should not only apply to present data, but also to past data, such as archives.

Data Processing

The processing of personal data is regulated in section 8 of the draft Privacy (Protection) Bill 2013. A participant argued that the responsibility should lie with the person doing the outsourcing of the data (the data collector). Another participant raised the issue that although banks acquire consent prior to collection and use of data, they subsequently use that data for any form of data processing and disclosure. Credit information requires specific permission and it was argued that the same should apply to other types of personal data. Consent should be acquired for every new purpose other than the original purpose for data collection. It was strongly argued that general consent should not cover every possible disclosure, sharing and processing of data. Another issue which was raised in terms of data processing is that Indian data could be compromised through global cooperation or pre-existing cooperation with third parties.

Data Disclosure

The disclosure of personal data was highlighted as one of the most important provisions within the draft Privacy (Protection) Bill 2013. In particular, three types of disclosure were pointed out: (1) disclosure with consent, (2) disclosure in outsourcing, (3) disclosure for law enforcement purposes. Within this discussion, principle liability issues were raised, as well as whether the data of a deceased person should be disclosed. Other participants raised the issue of data being disclosed by international third parties, who gain access to it through cooperation with Indian law enforcement agencies and cases of dual criminality in terms of the misuse of data abroad were raised. A participant highlighted three points: (1) the subject who has responsibility for the processing of data, (2) any obligation under law should be made applicable to the party receiving the information, (3) applicable laws for outsourcing Indian data to international third parties. It was emphasized that the failure to address these three points could potentially lead to a conflict of laws.

According to a participant, a non-disclosure agreement should be a prerequisite to outsourcing. This was preceded by a discussion on the conditions for data disclosure under the draft Privacy (Protection) Bill 2013 and it was recommended that if data is disclosed without the consent of the individual, the individual should be informed within one year. It was also pointed out that disclosure of data in furtherance of a court order should not be included in the Bill because courts in India tend to be inconsistent. This was followed by a discussion on whether power should be invested in the High Court in terms of data disclosure.

Discussion of “Interception of Communications”: Chapter IV

The third Privacy Round Table ended with a brief discussion on the fourth chapter of the draft Privacy (Protection) Bill 2013, which regulates the interception of communications. Following an overview of the sections and their content, a participant argued that interception does not necessarily need to be covered in the draft Privacy (Protection) Bill, as it is already covered in the Telegraph Act. This was countered by participants who argued that the interception of communications can potentially lead to a major violation of the right to privacy and other human rights, which is why it should be included in the draft Privacy (Protection) Bill. Other participants argued that a requirement that intercepted communication remains confidential is necessary, but that there is no need to include privacy officers in this. Some participants proposed that an exception for sting operations should be included in this chapter.

Meeting conclusion

The third Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting

We are anonymous, we are legion

Response to RTI on Decisions of the Cyber Regulation Advisory Committee

Response to GCSC on Request for Consultation: Norm Package Singapore

Response by the Centre for Internet and Society to the Draft Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department’s National Telecommunications and Information Administration

Responding to govt requests is a challenge for online firms: Colin Maclay

Respite from Internet Censorship?

Research Initiative: Women in India's IT Industry

Why the IT Industry?

How are these industry giants faring in terms of the treatment of their female employees?

Research Advisory Network Meeting

Hosting of the Event

Meeting Participant List

Research Advisory Network Committees

Special Guests

OECD Staff

Commission Secretariat

Research Advisory Network Biographies

Request for Specifics: Rebuttal to UIDAI

Report: From Oppression to Liberation: Reclaiming the Right to Privacy

Report on Understanding Aadhaar and its New Challenges

Report: Download (PDF)

1. Brief Background of the UID Project

2. Legal Status of the UIDAI Project

Procedural Issues with Passage of the Act

Status of Related Litigation

Relevant Orders of the Supreme Court

3. National Identity Projects in Other Jurisdictions

Pakistan

United Kingdom

Estonia

France

Argentina

4. Technologies of Identification and Authentication

Use of Biometric Information for Identification and Authentication

Architectures of Identification

Security Infrastructure of CIDR

5. Aadhaar for Welfare?

Social Welfare: Modes of Access and Exclusion

Financial Inclusion and Direct Benefits Transfer

6. Surveillance and UIDAI

7. Strategies for Future Action

Annexure A – Workshop Agenda

May 26, 2016

May 27, 2016

Annexure B – Workshop Participants

Report on the Sixth Privacy Roundtable Meeting, New Delhi

Introduction

Chapter I – Preliminary

Religion and Caste

Political Affiliation

Conviction Data

Financial and Credit Information

Conclusion

Chapter II – Regulation of Personal Data

Conclusion

Chapter III – Protection of Personal Data

Collection of Personal Data

Collection of Data with Prior Informed Consent

Collection of Data without Consent

Storage and Processing of Personal Data

Conclusion

Meeting Conclusion

Report on the Fourth Internet Governance Forum for Commonwealth IGF

DAY 0 (Saturday, November 14, 2009)

DAY 0 (Sunday, November 15, 2009)

DAY 2 (Monday, November 16, 2009)

Day 3 (Tuesday, November 17, 2009)

Day 4 (Wednesday, November 18, 2009)

Stock-Taking

General Reflections

Appendix I: Tweets and Dents During the IGF

Report on the 5th Privacy Round Table meeting

Presentation by Mr. Reijo Aarnio – Finnish Data Protection Ombudsman

Discussion of the draft Privacy (Protection) Bill 2013

Chapter I: Definitions

Chapter II: Right to Privacy

Chapter III: Protection of Personal Data

Meeting Conclusion

Report on the 4th Privacy Round Table meeting

Discussion of the Draft Privacy (Protection) Bill 2013