We are anonymous, we are legion

Q&A to the Report of the Group of Experts on Privacy

elonnai — 2012-11-09T10:20:48Z

In January 2012 Justice A.P. Shah formed a committee consisting of a group of experts to contribute to and create a report of recommendations for a privacy legislation in India. The committee met a total of seven times from January to September 2012. The Centre for Internet and Society (CIS) was a member of the committee creating the report. This blog post is CIS’s attempt to answer questions that have arisen from media coverage on the report, based on our understanding.

Executive Summary

The executive summary explains how the need for a horizontal privacy legislation that recognizes the right to privacy has come about in India in light of projects and practices such as the UID, NATGRID, and the changing nature of business and technology. The executive summary highlights the committee’s recommendations of what should be considered by legislatures while enacting a privacy legislation in India.

Q: What are the salient features of the committee’s recommendations?

A: In its report the committee recommended that any privacy legislation passed should:

Be technologically neutral and interoperable with international standards to ensure that the regulation can adapt to changing technology, and that business will be promoted.
Recognize the multiple dimensions of privacy including physical and informational privacy.
Apply to all data controllers both in the private sector and the public sector to ensure that businesses and governments are held accountable to protecting privacy.
Establish a set of privacy principles that can be applicable to different practices, policies, projects, departments, and businesses to create a uniform level of privacy protection across all sectors.
Create an enforcement regime of co-regulation, where industry has the choice of developing privacy principles and ensuring compliance at the sectoral level with regular oversight by the Privacy Commissioners.

Chapter 1: Constitutional Basis for Privacy

This chapter summarizes a number of decisions from the Indian Judiciary that demonstrate how the right to privacy in India has been defined on a case to case basis and has been defined as either a fundamental right or a common law right.

Q: What are the contexts of the cases covered?

A: This chapter covers cases that speak to the:

Right to privacy in the context of surveillance by the State
Balancing the ‘right to privacy’ against the ‘right to free speech’
The ‘right to privacy’ of HIV patients
Prior judicial sanctions for tapping telephones
The ‘search and seizure’ powers of revenue authorities

Chapter 2: International Privacy Principles

This chapter summarizes recent developments in privacy laws, international privacy principles, and privacy principles developed by specific countries. This review aided the Committee in forming its recommendations for the report.

Q: Privacy principles from which countries were reviewed by the Committee?

A: The Committee reviewed privacy principles from the following countries and international organizations.

EU Regulations of January 2012
US Consumer Privacy Bill of Rights
OECD Privacy Principles
APEC Privacy Framework
Australia
Canada

Chapter 3: National Privacy Principles, Rationales, and Emerging Issues

This chapter lays out the nine national privacy principles and describes the rationale for each principle along with emerging issues around each principle.

Q: What could the principles apply to?

A: The principles apply to the collection, processing, storage, retention, access, disclosure, destruction, sharing, transfer, and anonymization of sensitive personal information, personal identifiable information, and identifiable information by data controllers. The national privacy principles can also be applied to legislation, projects, practices, and policies to ensure that provisions and requirements are in compliance with the national privacy principles.

Q: Who could be brought under the scope of the principles?

A: The principles are applicable to every data controller in the private sector and the public sector. For example organizations and government departments that determine the purposes and means of processing personal information will be brought under the scope of the principles and will be responsible for carrying out the processing of data in accordance with sectoral privacy standards or the national privacy principles.

Q: How could the National Privacy Principles impact individuals?

A: The principles provide individuals with the right to 1. Receive notice before giving consent stating what personal information is being collected, the purposes for which personal information is being collected, the uses of collected personal information, whether or not personal information will be disclosed to third persons, security safeguards established by the data controller, processes available to data subjects to access and correct personal information, and contact details of privacy officers. 2. Opt in and out of providing personal information 3. Withdraw given consent at any point of time. 4. Access and correct any personal information held by data controllers 5. Allow individuals to issue a complaint with the respective ombudsman, privacy commissioner, or court.

Q: Would the National Privacy Principles be binding for every data controller?

A: Yes, but Self Regulating Organizations at the industry level have the option of developing principles for that specific sector. These principles must be approved by the privacy commissioner and be in compliance with the National Privacy Principles.

Chapter 4: Analysis of Relevant Legislation, Bills, and Interests from a Privacy Perspective

This chapter examines relevant legislation, bills, and interests from a privacy perspective. In doing so the chapter clarifies how the right to privacy should intersect with the right to information and the freedom of expression, and anaylzes current and upcoming legislation to demonstrate what existing provisions in the legislation uphold the privacy principles, what existing provisions are in conflict with the principles, and what provisions are missing to ensure that the legislation is compliant to the extent possible with the principles.

Q: How does the report understand the relationship between the Right to Information and the Right to Privacy?

A: When applied the Privacy Act should not circumscribe the Right to Information Act. Furthermore, RTI recipients should not be considered data controllers and thus should not be brought under the ambit of the privacy principles.

Q: How does the report understand the relationship between the freedom of expression and privacy?

A: Questions about how to balance the right to privacy with the freedom of expression can arise in many circumstances including: the right to be forgotten and data portability, journalistic expression, state secrecy and whistle blowers, and national security. Most often, public interest is the test used to determine if the right to privacy should supersede the freedom of expression or vice versa.

Chapter 5: The Regulatory Framework

This chapter outlines the committee’s recommendations for a regulatory framework for the Privacy Act.

Q: Who are the main actors in the regulatory framework?

A: The report recommends that a regulatory framework be comprised of one privacy commissioner at the central level and four commissioners at the regional level, self regulating organizations (SRO’s) at the industry level, data controllers and privacy officers at the organization level, and courts.

Q: What are the salient features of the regulatory framework?

A: The salient features of the regulatory framework include 1. A framework of co-regulation 2. Complaints 3. Exceptions to the Privacy Act 4. Offenses under the Act

Q: What are exceptions to the right to privacy? Are these blanket exceptions?

A: National security; public order; disclosure of information in public interest; prevention, detection, investigation and prosecution of criminal offences; and protection of the individual or of the rights and freedoms of others are suggested exceptions to the right to privacy. The committee has qualified these exceptions with the statement that before an exception can be made for the following circumstances, the proportionality, legality, and necessity in a democratic state should be used to measure if the exception applies and the extent of the exception. Thus, they are not blanket exceptions to the right to privacy

Historical and scientific research and journalistic purposes were also recommended as additional exceptions to the right to privacy that may be considered. These exceptions will not be subjected to the principles of proportionality, legality, and necessary in a democratic state.

Q: What are the powers and responsibilities of the privacy commissioners?

A: The powers and responsibilities of the Privacy Commissioners are the following:

Responsibilities:

Enforcement of the Act
Broadly oversee interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material.
Evaluate and approve privacy principles developed by SRO’s
Collaborate with stakeholders to endure effective regulation, promote awareness of the Act, and sensitize citizens to privacy considerations

Powers:

Order privacy impact assessments on organisations
Investigate complaints suomotu or based off of complaints from data subjects (summon documents, call and examine witnesses, and take a case to court if necessary )
Fine non-compliant data controllers

Q: How does Co-regulation work?

A: The purpose of establishing a regulatory framework of co-regulation is to ensure that appropriate policies and principles are articulated and enforced for all sectors. If a sector wishes to develop its own privacy standards, the industry level self regulating organization will submit to the privacy commissioner a sub set of self regulatory norms. If these norms are approved by the privacy commissioner the SRO will be responsible for enforcing those norms, but the privacy commissioner will have the power to sanction member data controllers for violating the norms. If a sector does not have an SRO or does not wish to develop its own set of standards, the National Privacy Principles will be binding.

Q: What are data controllers? What are privacy officers? What are ombudsmen?

A: A data controller is any entity that handles or process data. Privacy officers receive and handle complaints at the organizational level and may be appointed as part of a SRO’s privacy requirements for a sector. Ombudsmen are appointed at the SRO level and are also responsible for receiving and handling complaints. The objective of having ombudsman and privacy officers is to reduce the burden of handling complaints on the commissioner and the courts.

Q: When can an individual issue a complaint? Which body should individuals issue complaints to?

A: An individual can issue a complaint at any point of time when they feel that their personal information has not been handled by a data controller according to the principles, or that a data controller is not in compliance with the Act. When applicable complaints are encouraged to be issued first to the organization. If the complaint is not resolved, the individual can take the complaint to the SRO or privacy commissioner. The individual also has the option of taking a complaint straight to the courts. When a complaint is received by the commissioner, the commissioner may fine the data controller if it is found to be non-compliant. Data controllers cannot appeal fines issued by the commissioner, but they can appeal the initial decision of non-compliance.

Q: Can an individual receive compensation for a violation of privacy:

A: Yes. Individuals who suffer damages caused by non-compliance with the principles or any obligation under the Act can receive compensation, but the compensation must be issued by the courts and cannot be issued by a privacy commissioner. Actors that can be held liable by individuals include data controllers, organization directors, agency directors, and heads of Governmental departments.

Q: What offences does the report reccomend?

A: The following constitutes as an offence under the Act:

Non-compliance with the privacy principles
Unlawful collection, processing, sharing/disclosure, access, and use of personal data
Obstruction of commissioner
Failure to comply with notification issued by commissioner
- Processing data after receiving a notification
- Failure to appear before commissioner
- Failure to produce documents requested by commissioner
- Sending report to commissioner with false or misleading information

Chapter 6: The Multiple Dimensions of Privacy

This chapter gives examples of practices that impact privacy in India which the national privacy principles could be applied to. These include interception/access, the use of electronic recording devices, the use of personal identifiers, and the use of bodily and genetic material. The current state of each practice in India is described, and the inconsistencies and gaps in the regimes are highlighted. Each section also provides recommendations of which privacy principles need to be addressed and strengthened in each practice, and how the privacy principles would be affected by each practice.

Q: Does the report give specific recommendations as to how each practice should be amended to incorporate the National Privacy Principles?

A: No. Each section explains the current state of the practice in India, gaps and inconsistencies with the current practice, and recommends broadly what principles need to be addressed and strengthened in the regime, and how the National Privacy Principles may be affected by the practice.

Summary of Recommendations

This chapter consolidates and clarifies all of the Committee’s recommendations for a Privacy Act in India.

Q: Are the recommendations in this chapter different from chapters above?

A: No. The recommendations in this chapter reflect the recommendations made earlier. This chapter does clarify the recommended scope and objectives of the Privacy Act including:

The Act should define and harmonize with existing laws in force.
The Act should extend the right of privacy to all individuals in India and all data processed by any company or equipment locating in India, and all data that originated in India.
The Act should clarify that the publication of personal data for artistic and journalistic purposes in public interest, the use of personal information for household purposes, and the disclosure of information as required by the Right to Information Act should not constitute an infringement of privacy.
The Act should not require a ‘reasonable expectation’ of privacy to be present for the right to be evoked.
If any other legislation provides more extensive protections than those set out by the Privacy Act, than the more extensive protections should apply.

Report of the Group of Experts on Privacy [PDF, 1270 Kb]

For more details visit https://cis-india.org/internet-governance/blog/question-and-answer-to-report-of-group-of-experts-on-privacy

Pycon India 2019

Admin — 2019-08-27T00:04:03Z

K. Bhuvana Meenakshi gave a talk at BangPypers organized by Python Software Society in Bangalore on August 25, 2019. She spoke on Let the world experience WebXR!

For more info, click here

For more details visit https://cis-india.org/internet-governance/news/pycon-india-2019

Public Talk by Dr. Ian Brown on Privacy, Trust and Biometrics

nishant — 2011-04-04T07:15:29Z

Trust is hard to build, but easy to lose. What factors affect individuals' trust in new technologies? How can governments create citizen trust in biometric security tools? Can biometrics be designed to be privacy-friendly? And how did these questions lead to the cancellation of the UK's national identity scheme, after a decade of development costing tens of millions of pounds? About the speaker: Dr Ian Brown's research is focused on public policy issues around information and the Internet, particularly privacy and copyright. He also works in the more technical fields of communications security and healthcare informatics.

For more details visit https://cis-india.org/events/ian

Public Statement to Final Draft of UID Bill

elonnai — 2012-03-22T05:48:00Z

The final draft of the UID Bill that will be submitted to the Lok Sabha was made public on 8 November 2010. If the Bill is approved by Parliament, it will become a legal legislation in India. The following note contains Civil Society's response to the final draft of the Bill.

On 8 November 2010, the UID Authority issued the final draft of the UID Bill that will be submitted to the Lok Sabha for review and approval. Earlier this year in June 2010 the Authority issued a draft UID Bill to the public for comment and review. Civil Society responded with a detailed summary and high summary of points that amended the draft or were missing in the draft Bill. We are disappointed that none of the concerns raised by Civil Society, including those listed below, were addressed.

Architecture

The centralized architecture of the UID project is unnecessary. A federated and decentralized structure to the UID project would achieve the same goal of providing identity, authentication, and delivery of benefits.

Scope

The scope of the Bill is overboard. Though the main purpose of the Bill is to facilitate the delivery of benefits to residents, the loose language and intermixing of terms creates a threat that data will be collected and used beyond delivery of benefits

Voluntary and not Mandatory

The Bill should prohibit the denial of goods, services, entitlements, and benefits for lack of a UID number- provided that an individual furnishes equivalent ID, thus ensuring that the Aadhaar number is truly voluntary.

Inadequate Privacy Safeguards

The Bill inadequately elaborates on the principles of privacy relating to identity and transaction data. The protections needed should be self-contained within the Bill. Thus, the UID Bill itself should be clear and concise about data collection, transfer, retention, security, and dissemination.

Unwarranted Data Retention

The Bill does not provide adequate privacy protection for transaction data. In particular section 32(2) empowers the Authority to determine the duration that data is to be retained for.

Lack of accountability for all Actors

The Bill holds only the Authority accountable for violations. Rather the Bill needs to hold enrolling agencies, registrars, and other service providers accountable. Furthermore, the Bill does not provide adequate regulations or accountability for the data that are outsourced.

Lack of Exceptions

The Bill does not detail the circumstances and categories of people who will be excused or accommodated with respect to the issuing of Aadhaar numbers or authentication of transactions.

Lack of Anonymity

The Bill does not provide adequate specificity as to the situations in which anonymity will be preserved and/or an Aadhaar number should not be requested.

Inadequacy of Penalties

The penalties provided in the Bill are inadequate, because they do not cover several types of misuse.

Unaffordability of Fees

It is incompatible with the Bill’s stated purpose of inclusion to require an individual to pay to be authenticated.

Lack of Rollback and Ombudsman Office

The Bill does not provide adequate redress for system/transaction errors and fraud.

Inappropriate Structure and Governance

The Bill does not provide appropriate judicial and parliamentary oversight.

Upon comparison of the draft Bill and the final Bill, CIS finds the following changes the most significant:

Definition of Resident

Section 2 (q): “resident” means an individual usually residing in a village or rural area or town or ward or demarcated area (demarcated by the Registrar General of Citizen Registration) within ward in a town or urban area”

Comment: This section clarifies the definition of ‘resident’ from the draft Bill, which defined resident as an “individual usually residing within the territory of India”. By specifying that individuals in demarcated areas will not receive UID numbers, the definition of resident is brought into line with the scope of the Bill as laid out in the preamble. We see this change as a positive revision.

Prohibition of Dissemination of Information

Section 30 (3): “Notwithstanding anything contained in any other law and save as otherwise provided in this Act, the Authority or any of its officer or other employee or any agency who maintains the Central Identities Data Repository shall not, whether during his service as such or thereafter, reveal any information stored in the Central Identities Data Repository to any person”

Comment: This section prohibits the dissemination of any information that is stored in the Central Identities Data Repository. This prohibition extends to anyone or any entity that handles information, and supersedes other laws that might permit dissemination of information. We see this change as a positive revision.

Disclosure of Information in the Case of a National Security

Section 33 (b):“Any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer or officers not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government”

Comment: This section is a minor improvement on the previous draft since it requires specific authorization from the Central Government (rather than from a Minister in charge). Unfortunately, however, it retains the undesirable language of "national security" from the previous draft which, as we had previously pointed out, is not currently clearly defined under Indian law. An alternative phrase that we recommend instead is the Constitutional vocabulary of "public emergency" which already has a considerable volume of judicial reasoning that has elaborated what it means. Eg. in Hukam Chand v. Union of India (AIR 1976 SC 789) it was held that a public emergency "is one which raises problems concerning the interest of public safety", the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or the prevention of incitement to the commission of an offence."

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID

Public Panel Discussion: Digitalisation for Social Change

praskrishna — 2016-08-19T13:47:28Z

Sunil Abraham is participating as a panelist in a discussion co-organized by Mount Carmel College, Bangalore and Friedrich-Ebert-Stiftung, India Office in Bangalore on August 22, 2016.

Welcome Remarks by Sunanda BV , Mount Carmel College, Bangalore and Patrick Ruether, Friedrich-Ebert-Stiftung, India Office

On the Panel:

Digital Solutions to social problems and development challenges or Social Entrepreneurship and digital transformation: Sunil Abraham, Centre for Internet and Society
Gendered perspective on digital transformation: Anita Gurumurthy , IT for Change
India 2030 – the change I want Maureen Almeida, Student, Mount Carmel College
Technology as best practice: Anurag Shanker, NASVI, New Delhi

Note: Each panelist will give an input for about 5-7 minutes and this will be followed by Q&A session moderated by Rakhee Bakshee, Women's Feature Service

For more info contact: Jyoti Rawal, jyoti@fesindia.org

For more details visit https://cis-india.org/internet-governance/news/public-panel-discussion-digitalisation-for-social-change

Public Law and Jurisprudential Issues of Privacy: A Talk at CIS

praskrishna — 2013-12-30T12:39:23Z

On Friday, September 27, 2013, Abhayraj Naik will give a talk on public law and jurisprudential issues related to privacy. CIS will host the talk at its office in Bangalore from 4.30 p.m. to 6.00 p.m.

Abhayraj Naik

Abhayraj Naik is a graduate of the National Law School of India University, Bangalore, and the Yale Law School. He previously taught public law at the Jindal Global Law School of the OP Jindal Global University where he also co-directed the Centre for Public Law & Jurisprudence from September 2009 to July 2012.

Abhay is actively associated with the Environment Support Group, Bangalore (http://www.esgindia.org), and has also been associated with the Meiklejohn Civil Liberties Institute, Berkeley, USA; Universities Allied for Essential Medicines, USA; Culture Move, Bangalore and other national and international advocacy, activism and research groups for several years now.

Abhay's research interests include legal theory, philosophy, criminal justice reform, urban governance, ecology, and technology policy. His current research projects include interdisciplinary studies of urban street vending, information privacy, fiduciary duties, forgiveness, biopiracy, and criminal justice reform.

He enjoys cycling, travel, poetry, music, and radical educational and ecological activism.

Abhay currently teaches at the Azim Premji University in Bangalore.

VIDEO

For more details visit https://cis-india.org/internet-governance/events/public-law-and-jurisprudential-issues-of-privacy-talk-at-cis

Public Debate on 'Differential Pricing': Series 3

vidushi — 2016-01-28T13:53:12Z

The Centre for Internet and Society, in association with ICRIER and the Department of Civics and Politics, University of Mumbai, is pleased to announce “A Series of Public Debates on Differential Pricing” in the cities of Bangalore, Mumbai and New Delhi. The third public debate will be held at India Habitat Centre, Lodhi Road near Air Force Bal Bharti School, New Delhi on February 5, 2016.

In light of the recent consultation paper released by the Telecom Regulatory Authority of India (TRAI), the objective of these debates will be to deconstruct the issue of differential pricing through a discussion on the variety of views this subject has attracted. Speakers will also discuss possible implications of differential pricing policy on questions of access, diversity, competition and entrepreneurship.

Each debate will comprise three rounds. In the first round, speakers will present the body of their arguments over 10 minutes each. The second round will be a rebuttal round, with each speaker being given 5 minutes. The third and final round will see the floor being opened to the audience who will engage the speakers with comments and questions.

Download the Invite

For more details visit https://cis-india.org/internet-governance/events/public-debate-on-differential-pricing-series-3

Public Debate on 'Differential Pricing': Series 2

vidushi — 2016-01-28T13:51:06Z

The Centre for Internet and Society, in association with ICRIER and the Department of Civics and Politics, University of Mumbai, is pleased to announce “A Series of Public Debates on Differential Pricing” in the cities of Bangalore, Mumbai and New Delhi. The second public debate will be held at Pherozeshah Mehta Bhavan, Vidyanagari, Kalina, Mumbai on February 3, 2016.

Download the Invite

For more details visit https://cis-india.org/internet-governance/events/public-debate-on-differential-pricing-series-2

Public Debate on 'Differential Pricing': Series 1

vidushi — 2016-01-27T13:51:06Z

The Centre for Internet and Society, in association with ICRIER and the Department of Civics and Politics, University of Mumbai, is pleased to announce “A Series of Public Debates on Differential Pricing” in the cities of Bangalore, Mumbai and New Delhi. The first public debate will be held at the Centre for Internet & Society office in Bangalore on February 1, 2016.

Download the Invite

For more details visit https://cis-india.org/internet-governance/events/a-series-of-public-debates-on-differential-pricing-series-1

Public data on the Web leaves much to be desired

praskrishna — 2011-05-30T07:38:04Z

Making government data accessible to all is a vital challenge, says Deepa Kurup in her article published in the Hindu on May 28, 2011.

Tim Berners-Lee, chief architect and inventor of the World Wide Web and an ardent advocate of open data, said, earlier this year, that countries should be judged on their willingness to open up public data to their citizens. This, along with 'network neutrality', he considered as important as free speech, he had emphasised, adding that this was particularly critical for developing nations.

In January 2011, the British Government, led by Mr. Berners-Lee, launched www.data.gov.uk, a site aimed at creating a platform for disclosing data to citizens, civil society organisations and even private institutions from a wide range of government departments and processes.

In India, while ‘civic hackers' and non-governmental organisations are coming up with interesting initiatives that attempt to put government data in the form of mash-ups and easily readable content online, government data on the Web leaves much to be desired. Half a decade after the powerful and progressive Right to Information Act was implemented, accessing government data online is still a challenge. Given the huge amount of public information that has been generated this year through Census 2011, and some sections of these even being GIS mapped, it is imperative that government data be ‘set free', researchers say. They believe that this could not only aid governance and public planning but also increase citizen engagement in public processes.

Technology aid

A recent study by a research team at the Centre for Internet and Society, a Bangalore-based research organisation, finds that despite challenges, the Government and bureaucrats in India are receptive to using technology to open up more data to the public. Speaking to policymakers across the country, the report records various impediments and accessibility barriers, and surveys existing open data initiatives in the Government.

Drawing from these, the report presents a set of recommendations to help the Government move towards an open data ecosystem. These include re-examining the end goals and the end users of this data, involving volunteers and citizens in putting out the data in accessible forms, and seeking support from pre-existing ‘open content' communities such as Wikipedia editors or open street mappers, to name a few.

For a start

Nishant Shah, researcher at CIS, says it is heartening to see that governments, and policymakers, are already thinking along the lines of open government data. There are several initiatives, such as the Bhoomi project or Nemmadi of the Karnataka Government, that may not look at themselves as open data initiatives, but are certainly going that way, Mr. Shah points out. There are several critical infrastructure changes that are happening such as the use of computers at different levels of governance, setting up of community Internet centres in villages and various e-governance programmes; so there is a lot of hope that data will be accessible to more people, he adds.

Challenges

However, Mr. Shah points out that while there is talk about taking government data into the public domain, the larger ecosystem for this has not been worked out. The report points out that there is insufficient standardisation, while e-governance, to a large degree, has been far from perfect. System interoperability issues and the larger issues of privacy (in the absence of any existing law) are both challenges.

Speaking to The Hindu, a senior official from the department of e-governance said it was indeed on the Government's agenda to open up more data, and offer it in more accessible formats. He pointed out that interoperability of formats is a huge problem, one that he hopes the recently enforced National Policy on Open Standards will accurately address.

"However, it is a gargantuan process to get departments across the country, at different levels of governance, to comply. This may take time and effort. Another problem is that the input formats are not standardised, which means a lot of vital data is being offered in cumbersome formats that are barely useable," he says. However, a bigger concern is to provide the information ecosystem to take this to the millions that are left out of the Internet loop. That is a greater challenge, he points out.

Read the original story published by the Hindu here

For more details visit https://cis-india.org/news/public-data-on-web

Proxies and VPNs: Why govt can't ban porn websites?

pranesh — 2015-09-13T08:26:17Z

The government's move to block more than 800 pornographic websites has led experts to question whether this latest attempt to police the internet is even feasible.

The article by Siladitya Ray was published in the Hindustan Times on August 3, 2015. Pranesh Prakash was quoted.

Internet service providers (ISPs) have confirmed they received letters from the Department of Telecommunications (DoT) on Saturday that directed them to block certain websites. But can the government stop users from visiting porn sites?

The answer seems to be no.

"It is extremely easy to circumvent these blocks, using virtual private networks (VPNs) and proxies that anonymise your traffic," said Pranesh Prakash, policy director at the Centre for Internet and Society in Bengaluru.

A cursory Google search on how to unblock porn websites throws up millions of how-tos and guides on using proxies and VPNs to get around restrictions set by authorities. All these services anonymise users’ web traffic by routing them through foreign servers.

According to data from Pornhub, one of the world's biggest porn sites, India ranks fifth for the most daily visitors to the website. Pornhub saw a total of 78.9 billion video views globally in 2014.

The government can try to keep up with proxies and block them too. But as proxies change on a daily basis and there are always dozens of functioning proxies to choose from across, blocking all of them will be a near impossible task.

Tor, an anonymity network, is also a popular way to surf blocked sites.

But is it legal to circumvent blocks put in place by authorities by using VPNs and proxies?

There is no law in India that prohibits viewing pornography, experts say. Section 67 of the Information Technology Act only deals with "publishing obscene information in electronic form".

This provision has been interpreted as a measure to criminalise the posting of pornographic content online. However, accessing "obscene" content privately – such as within the four walls of a person’s home – is not illegal, say experts.

In July, while hearing a petition seeking the blocking of pornographic websites, Supreme Court Chief Justice HL Dattu wondered whether the court could restrain an adult from watching pornography within his home and described such a ban as a violation of Article 21 of the Constitution, which grants the right to personal liberty to its citizens.

But what about the legality of using VPNs and proxies? “There are no laws preventing the use of VPNs and proxies in India," said Prakash.

Are proxies and VPNs safe?

While the use of proxies and VPNs is very simple, they do come with their own set of problems. These services have access to all your browsing data and may push adware and other forms of malware.

Prakash advised that users should only choose services that are well known and have a good reputation.

"Sites like TorrentFreak put out annual lists of the top VPNs available," he said. These can be used as a guide to determine what services are safe.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-august-3-2015-siladitya-ray-proxies-and-vpns

Provide hacker details, outfit that claimed data leak told

praskrishna — 2017-06-07T12:14:13Z

The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet & Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.

The article by Mahendra Singh was published in the Times of India on May 18, 2017.

In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certainprojects.

In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft.

According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.

Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years." It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.

The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.

The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."

"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-mahendra-singh-may-18-2017-provide-hacker-details-outfit-that-claimed-data-leak-told

Protest@ censorship.com

praskrishna — 2012-06-05T04:23:19Z

Activism goes online as more angry young citizens decide to make their voices heard, writes Sandhya Soman in an article published in the Times of India. Pranesh Prakash is quoted in the article.

If there was a software code to ‘Invite All’, then Ashish D and friends would’ve called the world to land up at Gateway of India on June 9. The next best option for this netizen from Mumbai was to go online.

Hacktivism –– a form of activism for social change that uses computers and electronic networks –– is back. And the most recent protest is from hacker group Anonymous, which is trying to gather public support to stem internet censorship and blocking of websites in India by service providers and the government recently.

Since showing up in front of the town hall is not enough, Ashish has set up a Facebook page. Fellow netizens, irritated by the arbitrary blocking of sites and impressed by Anonymous OpIndia’s jabs at websites of political parties and corporates, are signing up to discuss the best possible venues to protest from.

Is there a better place than Marina beach in Chennai to make the maximum impact, wonders one user while another says it would be better to split up to cover more area in Mumbai. According to Pranesh Prakash, lawyer and programme manager at The Centre for Internet and Society, a Bangalore-based research organisation, a strong online presence helps protests to get publicity. A lot of the Jan Lokpal agitation happened online, he says.

“It is not enough to fast at Jantar Mantar. If you get 1,000 people to click ‘like’ or 40 people to retweet your tweet, then the site becomes the default area of protest,” he says. If those petitioners are 10 influential people, then it carries more weight with the media than a few hundred shouting slogans on the street.

“Also called electronic civil disobedience, hacktivism is geared to political ends,” writes Pramod K Nayar in his book ‘An Introduction to New Media and Cybercultures.’ Virtual sit-ins involving intellectuals and ordinary citizens and bombarding authorities with emails have been used by Mexican revolutionaries, Tamil separatists and protesters in Iran and the Middle East. “Hacktivism is clearly here to stay,” writes Nayar.

But it is not enough to collect a few digital signatures, says Nithin Manayath, one of the people behind the 2009 ‘Pink Chaddi’ campaign, which sought to protest in an irreverent manner the attacks against women by the radical Sri Ram Sena. Manayath and his friends sustained the campaign through a Facebook group, which saw thousands of pairs of pink underwear being sent to the office of the group that attacked women for what it considered ‘violations of Indian culture’.

“Marches, candlelight vigils and dharnas are something we do regularly. By the tenth dharna you will be so jaded that you go to the protest venue to meet friends,” says Manayath. After a while, this happens to online petitions also if you are not thinking about what you are doing. “What I liked about the ‘Pink Chaddi’ campaign was that we were responding to violence with a shameless act. It made me aware about many things and the novelty of the protest resonated with many people,” he says.

Though the current campaign is going the offline way on June 9, the hacking and denial of service attacks on websites by Anonymous have ensured that issue of blocking got publicity. “There is corporate and private censorship of internet and it is being done without enough proof of who is violating the copyrights of moviemakers. If these protests create awareness about the larger issues and developments in the areas of e-governance, IT Act and copyright law, then they could be helpful,” says Pranesh Prakash.

Meanwhile, Anonymous OpIndia, which is hoping for lifting of ban on websites, is already getting feelers from eager citizens on future issues. “Many people have requested us to protest other issues such gasoline price hike,” says a member. “And we always tell them that there are no strict rules, they can protest as per their needs.”

NET ANGST

Through Facebook, the ‘Pink Chaddi’ campaign of 2009 encouraged women to send undergarments to Sri Ram Sena. The right-wing group had attacked women for ‘violations of Indian culture’

Jan Lokpal campaign in 2011 had support from various online forums. They sent petitions to political parties and inundated a government website with e-mails.

Following the blocking of websites due to a court order to prevent copyright violations.

Anonymous OpIndia targeted government and corporate websites. It is mobilising people for protests in nearly 11 cities on June 9.

Read the original here

For more details visit https://cis-india.org/news/protest-at-censorship

Protection of Privacy in Mobile Phone Apps

Hitabhilash Mohanty and Edited by Leilah Elmokadem — 2016-12-15T14:18:43Z

The term “Fintech” refers to technology-based businesses that compete against, enable and/or collaborate with financial institutions. The year 2015 was a critical year for the Indian fintech industry, which saw the rise of numerous fintech start-ups, incubators and investments from the public and private sector.

According to NASSCOM, the Indian fintech market is worth an estimated USD 1.2 billion, and is predicted to reach USD 2.4 billion by 2020.[1] The services brought forth by Fintech, such as digital wallets, lending, and insurance, have transformed the ways in which businesses and institutions execute dayto-day transactions. The rise of fintech in India has rendered the nation’s market a point of attraction for global investment.[2] Fintech in India is perceived both as a catalyst for economic growth and innovation, as well as a means of financial inclusion for the millions of unbanked individuals and businesses. The government of India, along with regulators such as SEBI (Securities and Exchange Board of India) and RBI (Reserve Bank India), has consistently supported the digitalization of the nation’s economy and the formation of a strong fintech ecosystem through funding and promotional initiatives.[3]

The RBI has been pivotal in enabling the development of India’s fintech sector and adopting a cautious approach in addressing concerns around consumer protection and law enforcement. Its key objective as a regulator has been to create an environment for unimpeded innovations by fintech, expanding the reach of banking services for unbanked populations, regulating an efficient electronic payment system and providing alternative options for consumers. The RBI’s prime focus areas for enabling fintech have been around payment, lending, security/biometrics and wealth management. For example, the RBI has introduced “Unified Payment Interface” with the NPCI (National Payments Corporation of India), which has been critical in revolutionizing digital payments and pushing India closer to the objective of a cash-less society. It has also released a consultation paper on regulating Peer 2 Peer (P2P) lending market in India, highlighting the advantages and disadvantages of regulating the sector.[4]

The consultation paper offers a definition of P2P lending as well as a general explanation of the activity and the digital platforms that facilitate transactions between lenders and borrowers. It also provides a set of arguments for and against regulating P2P lending. The arguments against regulating the sector mainly pertain to the risk of stifling the growth of an innovative, efficient and accessible avenue for borrowers who either lack access to formal financial channels or are denied loans by them.[5]

This is the general consensus around the positive impact of the Fintech sector in India: its facilitation of financial inclusion and economic opportunity. However, the paper lists many more arguments for regulation than against. One of the main points made is with regards to P2P lending’s potential to disrupt the financial sector by challenging traditional banking channels. There is also the argument that, if properly regulated, the P2P lending platforms can more efficiently and effectively exercise their potential of promoting alternative forms of finance.[6]

The paper concludes that the balance of advantage would lie in developing an appropriate regulatory and supervisory toolkit that facilitates the orderly growth of the P2P lending sector in order to harness its ability to provide an alternative avenue for credit for the right borrowers[7]

The RBI’s regulatory framework for P2P lending platforms encompasses the permitted activity, prudential regulations on capital, governance, business continuity plan (BCP) and customer interface, apart from regulatory reporting.[8]

The Securities and Exchange Board of India (SEBI) is also a prominent regulator of the Indian fintech sector. They issued a consultation paper on “crowdfunding”, which is defined as the solicitation of funds (small amounts) from multiple investors through a web-based platform or social networking site for a specific project, business venture or social cause. P2P lending is then a form of crowdfunding, which can be understood as an umbrella term that covers fintech lending practices. SEBI’s paper aimed to provide a brief overview of the global scenario of crowdfunding including the various prevalent models under it, the associated benefits and risks, the regulatory approaches in different jurisdictions, etc. It also discusses the legal and regulatory challenges in implementing the framework for crowdfunding. The paper proposes a framework for ushering in crowdfunding by giving access to capital markets to provide an additional channel of early stage funding to Start-ups and SME’s and seeks to balance the same with investor protection.[9] Unlike RBI’s consultation paper on P2P lending, SEBI’s paper on crowdfunding was intended mainly to invite discussion and not necessarily to implement a framework for regulation.

Some of the benefits cited in SEBI’s crowdfunding paper pertain to the commonly mentioned advantages of fintech: economic opportunity for the SME sector and start-ups, alternative lending systems to keep SMEs alive when traditional banks crash, new investment avenues for the local economy and increased competition in the financial sector.[10]

The paper also lists a set of risks that suggest the need for a regulatory framework for crowdfunding. For example, it mentions the “substitution of institutional risk by retail risk”, meaning that individual lenders, who’s risk tolerance may be low, bear the risk of low/no return investors when they lend to SMEs without adequate assessment of credit worthiness. Also, there is the risk that the digital platform that facilitates lending and issues all the transactions, may not conduct proper due diligence. If the platform is temporarily shut down or closed permanently, no recourse is available to the investors.[11]

The SEBI paper mentions a long list of other risks associated with crowdfunding, mostly associated with systemic failures, loan defaults, fraud practices, and information asymmetry. Information asymmetry refers partially to the chance that lending decisions are made based on incomplete data sets that are based on social networking platforms. There is a lack of transparency and reporting obligations in issuers including with respect to the use of funds raised.[12]

Similar to the RBI consultation paper, SEBI makes a decent effort to weigh the costs and benefits of crowdfunding practices but only does this from an economic/financial perspective. Most of the cited risks, benefits and concerns tend to overlook information security and risks of privacy breaches of the implicated borrowers.

India Stack is a paperless and cashless service delivery system that has been supported by the Indian government as part of the fintech sector. It is a new technology paradigm that is designed to handle massive data inflows, and is poised to enable entrepreneurs, citizens and governments to interact with one another transparently. It is intended to be an open system to electronically verify businesses, people and services. It allows the smartphone to become the delivery platform for services such as digital payments, identification and digital lockers. The vision of India Stack is to shift India towards a paperless economy.[13]

The central government, based on its experience with the Aadhaar project, decided to launch the opendata initiative in 2012 supported by an open API policy, which would pave the way for private technology solutions to build services on top of Aadhaar and to make India a digital cash economy. Unified Payments Interface (UPI), which will make mobile payments card-less and completely digital, allows consumers to transact directly through their bank account with a unique UPI identity that syncs to Aadhaar’s verification and connects to the merchant, the settlement and the issuing bank to close transactions.[14]

It is suspected that India Stack will shift in business models in banking from low-volume, high-value, high-cost and high fees to high-volume, low-value, low cost and no fees. This well lead to a drastic increase in accessibility and affordability, and the market force of consumer acquisition and the social purpose of mass inclusion will converge.[15]

India Stack serves as an example of how the Government of India has supported initiatives that would promote the fintech sector while facilitating economic growth and financial opportunity for unbanked individuals. However, there is continuous discussion around India Stack’s attachment to the Aadhaar system, which can lead to the exclusion of unregistered individuals from the benefits that would otherwise be reaped from the open-data initiative. It can also result in many privacy and security breaches when records of individuals’ daily transactions are attached to their Aadhaar numbers, which carry their biometric information and is linked to other personal data that is held by the government such as health records.

Download the Full Report

[1]. KPMG: https://assets.kpmg.com/content/dam/kpmg/pdf/2016/06/FinTech-new.pdf

[2]. Id.

[3]. Id.

[4]. Id.

[5]. RBI 2P2 Consultation Paper, https://rbidocs.rbi.org.in/rdocs/content/pdfs/CPERR280416.pdf

[6]. Id.

[7]. Id.

[8]. Id.

[9]. SEBI Crowdfunding consultation paper, http://www.sebi.gov.in/cms/sebi_data/attachdocs/1403005615257.pdf

[10]. Id.

[11]. Id.

[12]. Id.

[13]. Krishna, https://yourstory.com/2016/07/india-stack/

[14]. Id.

[15]. Nilekani, http://indianexpress.com/article/opinion/columns/the-coming-revolution-in-indian-banking-2924534/

For more details visit https://cis-india.org/internet-governance/blog/protection-of-privacy-in-mobile-phone-apps

Proposed Intermediary Liability Rules threat to privacy and free speech, global coalition tells MeitY

Zaheer Merchant — 2019-03-20T15:56:51Z

“We respectfully call on you to withdraw the draft amendments proposed to the Information Technology (Intermediary Guidelines) Rules in December. As published, the draft amendments would erode digital security and undermine the exercise of human rights globally.”

The blog post by Zaheer Merchant was published by Medianama on March 18, 2019.

A global coalition of 31 civil society organizations and technology experts has called on MeitY to reconsider the proposed amendments to the Intermediary Liability Rules, terming them a threat to privacy and free speech. In a letter to the ministry dated March 15, the coalition said that the proposed amendments “would harm fundamental rights and the space for a free internet, without necessarily addressing the problems that the ministry aims to resolve.” Some of the signatories are Centre for Internet and Society, SFLC.in, Internet Freedom Foundation, Government Accountability Project and Human Rights Watch, among others (A copy of the letter is attached at the bottom). The letter breaks down its reasons for opposing the proposed amendments:

1. Traceability would undermine security, lead to surveillance

Under the proposed guidelines, intermediaries would have to ensure ‘traceability’ of messages by providing information related to its originator and receivers. This, the letter argues, would force intermediaries to undermine the security of of their platforms and create a surveillance regime. “Undermining security features to ensure traceability would affect all users of that platform, not just those that are the subjects of the information request,” the letter reads. “… such wide and ambiguous powers… on interception of communications would directly harm the fundamental right to privacy of Indians and facilitate unchecked surveillance.”

2. Data retention antithetical to privacy, must go

The letter also states that the data retention mandate included in the draft guidelines is antithetical to privacy. The guidelines state that intermediaries must preserve content requested by law enforcement for 180 days or longer. This open-ended data retention, the letter argues, contradicts the principle of ‘Storage Limitation’ recommended by the Srikrishna Committee. “Provisions regarding storage limitation and data retention must not be included within the fold of the Intermediary Guidelines, and should be subject to parliamentary law-making,” the letter reads.

3. Proactive monitoring contradicts SC’s Shreya Singhal judgment, would result in censorship

The letter also criticizes the requirement that intermediaries proactively monitor and automatically delete ‘unlawful content’. “[This] would directly conflict with the legal standard laid down by the Supreme Court of India in the Shreya Singhal judgment, which holds that intermediaries should only be legally compelled to take down content on the basis of court orders or legally empowered government agencies,” the letter reads. It could also cause intermediaries to err in favor of takedowns, resulting in unnecessary censorship.

“With the upcoming General Elections in India and the imposition of the Model Code of Conduct on new policy decisions in place, we urge the government to not push through these amended regulations given their impact on fundamental rights and secure communications,” the letter concludes.

The proposed amendments to Intermediary Liability Rules

Released at the end of December 2018, the proposed amendments to the Intermediary Guidelines would modify guidelines under the Information Technology Act concerning intermediaries, ostensibly to prevent misuse of social media platforms and check the spread of fake news. Under India’s Information Technology Act, any entity, person or platform that receives, stores, processes, or transmits electronic information on behalf of another is considered an intermediary. These include social media platforms, cloud services, internet service providers, email service providers and more. For an intermediary to avoid liability for its users’ actions, it must comply with the proposed guidelines which are being amended to the following:

Traceability, and information within 72 hours: The new rules require platforms to introduce traceability to find where a piece of information originated. For this, platforms may have to break end-to-end encryption. The rules require the intermediary to hand over information or assistance to government bodies in 72 hours, including in matters of security or cybersecurity, and for investigative purposes. [Rule 3(5)]
Platforms with more than 50 lakh users are required to be registered under the Companies Act, have a physical address in the country, have a nodal officer who will cooperate with law enforcement agencies, etc. [Rule 3(7)]
Platforms have to pull down unlawful content within a shorter duration of 24 hours from the earlier 36 hours. They also have to keep records of the “unlawful activity” for 180 days – double the period of 90 days in the 2011 rules – as required by the court or government agencies [Rule 3(8)]
Platforms have to deploy tools to proactively identify, remove and disable public access to unlawful information or content. [Rule 3(9)]
The new rules insert a monthly requirement on platforms to inform users of the platforms’ right to terminate usage rights and to remove non-compliant information at their own discretion. [Rule 3(4)]

For more details visit https://cis-india.org/internet-governance/news/medianama-march-18-2019-zaheer-merchant-proposed-intermediary-liability-rules-threat-privacy-and-free-speech