We are anonymous, we are legion

Privacy, security and surveillance: tackling international dilemmas and dangers in the digital realm

praskrishna — 2014-12-15T12:56:49Z

Pranesh Prakash was a panelist in the session "Beyond the familiar: how do other countries deal with security and surveillance oversight?" The event was organized by Wilton Park between November 17 and 19, 2014.

Complete details of the programme can be accessed here.

For more details visit https://cis-india.org/internet-governance/news/wilton-park-november-17-19-privacy-security-surveillance

Privacy, Free/Open Source, and the Cloud

elonnai — 2012-03-22T05:50:10Z

A look into the questions that arise in concern to privacy and cloud computing, and how open source plays into the picture.

Introduction

Cloud computing, in basic terms, is internet-based computing where shared resources and services are taken from the primary infrastructure of the internet and provided on demand. Cloud computing creates a shared network between major corporations like Google, Microsoft, Amazon and Yahoo. In this way, cloud systems are related to grid computing systems/service- oriented architectures, and create the potential for the entire I.T. infrastructure to be programmable. Because of this, cloud computing establishes a new consumption and delivery standard for IT services based on the internet. It is a new consumption and delivery model, because it is made up of services delivered through common centers and built on servers which act as a point of access for the computing needs of consumers. The access points facilitate the tailoring and delivering of targeted applications and services to consumers. Details are taken from the users, who no longer need to have an understanding of, or control over the technology infrastructure in the cloud that supports their desired application.

There are both corporate and consumer implications for such a system. For example, according cloud computing lowers the barriers to entry for corporations and new services. It also enables innovative enterprise in locations where there is an insufficient supply of human or other resources through the provision of inexpensive hardware, software, and applications. The consumer, in turn, is provided with information that he or she is projected to be interested in based on information he or she has already “consumed.” Thus, for example: Google has the ability to monitor a person’s consuming habits through searches and to reduce those habits to a pattern which selects applications to display – and consumption of those reinforces the pattern.

Privacy Concerns:

Though cloud computing can be a useful tool for consumers, corporations, and countries, cloud computing poses significant privacy concerns for all actors involved. For the consumer, a major concern is that future business models may rely on the use of personal data from consumers of cloud services for advertising or behavioral targeting. This concern brings to light the fundamental problem of cloud computing which is that consumers consent to the secondary use of their personal data only when they are signing up for services, and that “consent” is almost automatically generated. How can the cloud assure users that their private data will be properly protected? It is true that high levels of encryption can be (and are) used, and that many companies also take other precautionary measures, but protective measures vary, and the secondary sources that gain access to information may not protect it as well as the initial source. Moreover, even strong protection measures are vulnerable to hackers. As well, what happens if a jurisdiction, like the Indian government, gains access to information about a foreign national? India still does not have a comprehensive data protection law, nor does it have many forms of redress for violations of privacy. How is that individuals information protected?

These questions give rise to other privacy concerns with respect to the data that is circulated and stored on the cloud, which are the questions of territory, sovereignty, and regulation. Many of these were brought up at the Internet Governance Forum, which took place on the 16th of September including: Which jurisdiction has authority in cases of dispute or digital crime? If you lose data or your data is damaged, stolen, or manipulated, where do you go? Is the violation enforced under local laws, and, if so, under the law of the violator or the law of the violated? If international law, who can access the tribunals, and which tribunals have this jurisdiction? What if a person's data is replicated in two data centres in two different countries? Are the data subject to scrutiny by the officials of all three? Is there a remedy against abuse by any of them? Does it matter whether the country in which the data centre resides does not require a warrant for government access? And how will a consumer know any of that up front? As a corollary, if content is being sent to one country but resides on a data centre in another country, whose data protection standards apply? For example, certain governments in Europe require data retention for limited amount of time for purposes for law enforcement, but other countries may allow retention of data for shorter or longer periods of time.

How are privacy, free/open source, and the cloud related ?

Eben Moglen, a professor from Columbia law school, and founder and chairman of the Software Freedom Law Center who spoke on cloud computing, privacy, and free/open software at the Indian Institute for science on Thursday September 25, had another solution to the privacy concerns that arise out of the cloud. His lecture explains how the internet has moved from a tool that once promoted equality between people – no servants and no masters – to a tool that reinforces social hierarchies. The reinforcement of these hierarchies is directly related to the language used and communication facilitated between the computer and the individual. Professor Moglen describes how initially, when computers were first introduced to the public, humans spoke directly to computers, and computers responded directly to humans. This open, two-way communication changed when Microsoft, Apple, and IBM removed the language between humans and computers and created proprietary software based on a server-client computing relationship. By removing the language between humans and computers, these corporations dis-empowered individuals. Professor Moglen used this as a springboard to address the privacy concerns that come up in cloud computing. Privacy at its base is the ability of an individual to control access to various aspects of self, such as decisional, informational, and locational. In having the ability to control these factors, privacy consists of a relation between a person and another person or an entity. Professor Moglen postulated that free/open access to code would make the internet an environment where choices over that relationship were still in the hands of an individual, and, among other protections, the individuals could build up their desired levels of privacy.

Is free/open software the solution?

Eben Moglen's solution to the many privacy concerns that arise out of cloud computing is the application and use of free software/open source by individuals. Unlike some applications on the cloud, open source is free, and once an individual has access to the code, that person can control how a program functions, including how a program uses personal information, and thus the person would be able to protect their privacy. Of course, this presumes that the consumer of the internet is sophisticated enough to access and manipulate code. But even putting that presumption aside, is the ability to write code enough to protect data (will help you protect data better – add more security)? Perhaps if a person could create his own server and bypass the cloud, but this does not seem like an ideal (or practical) solution. Though free/open source is an important element that should be incorporated into cloud computing, free/open source depends on open standards. According to Pranesh Prakash, in his presentation at the Internet Governance Forum, the role of standards in ensuring interoperability is critical to allowing consumers to choose between different devices to access the cloud, to choose between different software clients, and to shift between one service and another. This would include moving information, both the data and the metadata, from one cloud to another. Clouds would need to be able to talk to one another to enable data sharing, and open source is key to this, though it is important to note that if one uses free/open source, they must set up their own infrastructure.

Conclusion

Even though Moglen believes that free/open source software brings freedom and provides the solution to protect an individual’s privacy in the context of cloud computing, he was not speaking to the specific context of India. To do that, it is important to expand the definitions that one uses of free/open source and privacy, and then to contextualize them. Looking closely at the words “free/open source,” they are not limited to access to a software's code, even though that is free/open source’s base. For the ideology of free/open source to work, access to code is just a key to the puzzle. A person, community, culture and state must understand the purpose of free/open source, know how to use it, and know how it can be applied in order for it to be transformative, liberating, and protective. There needs to be a shared understanding that free/open source is not just about being able to change code, but about a shared commitment to sharing code and making it transparent and accessible. In the United States and other countries, free/open source did not just enter into American society and immediately fix issues of privacy by bringing freedom, as it seems Professor Moglen is suggesting free/open source will do in India. Though Professor Moglen promises freedom and privacy protection through free/open source, perhaps this is not an honest appraisal of the technology. Free/open source, if not equally accessed or misapplied, protects neither freedom nor privacy. As noted above, even if a person has access to code, he can protect data only to a certain extent. Thus, he might think that he has created a privacy wall around information that actually is readily accessible. In other words, free/open source cannot be the only answer to freedom, but instead a piece to a collective answer.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing

Privacy, By Design

praskrishna — 2011-04-12T06:45:36Z

The Centre for Internet and Society invites people and organizations in the business of 'privacy online' to engage with it in Privacy, By Design — an open space discussion that brings together coders, developers, users and entrepreneurs interested in the design of privacy online.

Is Privacy something we are born with or is it constructed for us? Different actors like governments, markets, cultural negotiators, are often attributed the responsibility of defining what it means to be 'private'. In our rapidly digitizing world, Internet and digital technologies have emerged as new factors that influence the design of privacy. Ranging from social networking systems to e-governance projects and economic transactions to interpersonal relationships, the design of privacy online has become a central concern.

Privacy, By Design is a part of The Identity Project (TIP), a collaboration between the Centre for Internet and Society and the Centre for the Study of Culture and Society. It is a research inquiry that hopes to consolidate multiple perspectives, and ideas in an attempt to initiate a dialogue between people who are in the business of designing platforms and applications that pivot around privacy. For instance: How do the platforms we use define our understanding of privacy? What does privacy in the cloud look like? What are the parameters by which privacy is defined within the digital world? What role do digital technologies play in producing the 'privacy effect?'

For more details visit https://cis-india.org/events/privacy-by-design

Privacy, Autonomy, and Sexual Choice: The Common Law Recognition of Homosexuality

bhairav — 2015-08-23T12:20:52Z

In the last few decades, all major common law jurisdictions have decriminalised non-procreative sex – oral and anal sex (sodomy) – to allow private, consensual, and non-commercial homosexual intercourse.

Download PDF

Anti-sodomy statutes across the world, often drafted in the same anachronistic vein as section 377 of the Indian Penal Code, 1860 (“IPC”), have either been repealed or struck down on the grounds that they invade individual privacy and are detrimentally discriminative against homosexual people.

This is not an examination of India’s laws against homosexuality, it does not review the Supreme Court of India’s judgment in Suresh Koushal v. Naz Foundation (2014) 1 SCC 1 nor the Delhi High Court’s judgment in Naz Foundation v. Government of NCT Delhi 2009 (160) DLT 277, which the former overturned – in my view, wrongly. This note simply provides a legal history of the decriminalisation of non-procreative sexual activity in the United Kingdom and the United States. Same-sex marriage is also not examined.

In the United Kingdom

The Wolfenden Report

In England, following a campaign of arrests of non-heterosexual persons and subsequent protests in the 1950s, the government responded to public dissatisfaction by appointing the Departmental Committee on Homosexual Offences and Prostitution chaired by John Frederick Wolfenden. The report of this committee (“Wolfenden Report”) was published in 1957 and recommended that:

“…homosexual behaviour between consenting adults in private should no longer be a criminal offence.”

The Report further observed that it was not the function of a State to punitively scrutinise the private lives of its citizens:

“(T)he law’s function is to preserve public order and decency, to protect the citizen from what is offensive or injurious, and to provide sufficient safeguards against exploitation and corruption of others… It is not, in our view, the function of the law to intervene in the private life of citizens, or to seek to enforce any particular pattern of behaviour.”

The Sexual Offences Act, 1967

The Wolfenden Report was accepted and, in its pursuance, the Sexual Offences Act, 1967 was enacted to, for the first time in common law jurisdictions, partially decriminalise homosexual activity – described in English law as ‘buggery’ or anal sex between males.
Section 1(1) of the original Sexual Offences Act, as notified on 27 July 1967 stated –
"Notwithstanding any statutory or common law provision, but subject to the provisions of the next following section, a homosexual act in private shall not be an offence provided that the parties consent thereto and have attained the age of twenty one years."
A ‘homosexual act’ was defined in section 1(7) as –
“For the purposes of this section a man shall be treated as doing a homosexual act if, and only if, he commits buggery with another man or commits an act of gross indecency with another man or is a party to the commission by a man of such an act.”
The meaning of ‘private’ was also set forth rather strictly in section 1(2) –
“An act which would otherwise be treated for the purposes of this Act as being done in private shall not be so treated if done –
(a) when more than two persons take part or are present; or
(b) in a lavatory to which the public have or are permitted to have access, whether on
payment or otherwise.”
Hence, by 1967, English law permitted:

as between two men,
both twenty-one years or older,
anal sex (buggery),
and other sexual activity (“gross indecency”)
if, and only if, a strict prescription of privacy was maintained,
that excluded even a non-participating third party from being present,
and restricted the traditional conception of public space to exclude even lavatories.

However, the benefit of Section 1 of the Sexual Offences Act, 1967 did not extend beyond England and Wales; to mentally unsound persons; members of the armed forces; merchant ships; and, members of merchant ships whether on land or otherwise.

Developments in Scotland and Northern Ireland

Over the years, the restrictions in the original Sexual Offences Act, 1967 were lifted. In 1980, the Criminal Justice (Scotland) Act, 1980 partially decriminalised homosexual activity in Scotland on the same lines that the Act of 1967 did for England and Wales. One year later, in 1981, an Irishman Jeffrey Dudgeon successfully challenged the continued criminalisation of homosexuality in Northern Ireland before the European Court of Human Rights (“ECHR”) in the case of Dudgeon v. United Kingdom (1981) 4 EHRR 149. Interestingly, Dudgeon was not decided on the basis of detrimental discrimination or inequality, but on the ground that the continued illegality of homosexuality violated the petitioner’s right to privacy guaranteed by Article 8 of the 1950 European Convention on Human Rights (“European Convention”). In a 15-4 majority judgement, the ECHR found that “…moral attitudes towards male homosexuality…cannot…warrant interfering with the applicant’s private life…” Following Dudgeon, the Homosexual Offences (Northern Ireland) Order, 1982 came into effect; and with it, brought some semblance of uniformity in the sodomy laws of the United Kingdom.

Equalising the age of consent

However, protests continued against the unequal age of consent required for consensual homosexual sex (21 years) as opposed to that for heterosexual sex (16 years). In 1979, a government policy advisory recommended that the age of consent for homosexual sex be reduced to 18 years – two years older than that for heterosexual sex, but was never acted upon. In 1994, an attempt to statutorily equalise the age of consent at 16 years was defeated in the largely conservative House of Commons although a separate legislative proposal to reduce it to 18 years was carried and enacted under the Criminal Justice and Public Order Act, 1994. Following this, the unequal ages of consent forced a challenge against UK law in the ECHR in 1994; four years later, in Sutherland v. United Kingdom [1998] EHRLR 117, the ECHR found that the unequal age of consent violated Articles 8 and 14 of the European Convention – relating to privacy and discrimination. Sutherland was significant in two ways – it forced the British government to once again introduce legislation to equalise the ages of consent; and, significantly, it affirmed a homosexual human right on the ground of anti-discrimination (as opposed to privacy).

To meet its European Convention commitments, the House of Commons passed, in June 1998, a bill for an equal age of sexual consent but it was rejected by the more conservative House of Lords. In December 1998, the government reintroduced the equal age of consent legislation which again passed the House of Commons and was defeated in the House of Lords. Finally, in 1999, the government invoked the statutory superiority of the House of Commons, reintroduced for the third time the legislation, passed it unilaterally to result in the enactment of the Sexual Offences (Amendment) Act, 2000 that equalised the age of sexual consent for both heterosexuals and homosexuals at 16 years of age.

Uniformity of equality

However, by this time, different UK jurisdictions observed separate legislations regarding homosexual activity. The privacy conditions stipulated in the original Sexual Offences Act, 1967 remained, although they had been subject to varied interpretation by English courts. To resolve this, the UK Parliament enacted the Sexual Offences Act, 2003 which repealed all earlier conflicting legislation, removed the strict privacy conditions attached to homosexual activity and re-drafted sexual offences in a gender neutral manner. A year later, the Civil Partnership Act, 2004 gave same-sex couples the same rights and responsibilities as a civil marriage. And, in 2007, the Equality Act (Sexual Orientation) Regulations came into force to prohibit general discrimination against homosexual persons in the same manner as such prohibition exists in respect of grounds of race, religion, disability, sex and so on.

In the United States

Diversity of state laws

Sodomy laws in the United States of America have followed a different trajectory. A different political and legal system leaves individual US States with wide powers to draft and follow their own constitutions and laws. Accordingly, by 1961 all US States had their own individual anti-sodomy laws, with different definitions of sodomy and homosexuality. In 1962, Illinois became the first US State to repeal its anti-sodomy law. Many States followed suit over the next decades including Connecticut (1971); Colorado and Oregon (1972); Delaware, Hawaii and North Dakota (1973); Ohio (1974); New Hampshire and New Mexico (1975); California, Maine, Washington and West Virginia (1976); Indiana, South Dakota, Wyoming and Vermont (1977); Iowa and Nebraska (1978); New Jersey (1979); Alaska (1980); and, Wisconsin (1983).

Bowers v. Hardwick

However, not all States repealed their anti-sodomy laws. Georgia was one such State that retained a statutory bar to any oral or anal sex between any persons of any sex contained in Georgia Code Annotated §16-6-2 (1984) (“Georgia statute”) which provided, in pertinent part, as follows:

“(a) A person commits the offense of sodomy when he performs or submits to any sexual act involving the sex organs of one person and the mouth or anus of another… (b) A person convicted of the offense of sodomy shall be punished by imprisonment for not less than one nor more than 20 years”

In 1982, a police officer arrested Michael Hardwick in his bedroom for sodomy, an offence which carried a prison sentence of up to twenty years. His case went all the way up to the US Supreme Court which, in 1986, pronounced its judgement in Bowers v. Hardwick 478 US 186 (1986). Although the Georgia statute was framed broadly to include even heterosexual sodomy (anal or oral sex between a man and a woman or two women) within its ambit of prohibited activity, the Court chose to frame the issue at hand rather narrowly. Justice Byron White, speaking for the majority, observed at the outset –

“This case does not require a judgment on whether laws against sodomy between consenting adults in general, or between homosexuals in particular, are wise or
desirable. It raises no question about the right or propriety of state legislative decisions to repeal their laws that criminalize homosexual sodomy, or of state-court decisions invalidating those laws on state constitutional grounds. The issue presented is whether the Federal Constitution confers a fundamental right upon homosexuals to engage in sodomy…”

Privacy and autonomy

Interestingly, Hardwick’s case against the Georgia statute was not grounded on an equality-discrimination argument (since the Georgia statute prohibited even heterosexual sodomy but was only enforced against homosexuals) but on a privacy argument that sought to privilege and immunise private consensual non-commercial sexual conduct from intrusive State intervention. To support this privacy claim, a long line of cases was relied upon that restricted the State’s ability to intervene in, and so upheld the sanctity of, the home, marriage, procreation, contraception, child rearing and so on [See, Carey v. Population Services 431 US 678 (1977), Pierce v. Society of Sisters 268 US 510 (1925) and Meyer v. Nebraska 262 US 390 (1923) on child rearing and education; Prince v. Massachusetts 321 US 158 (1944) on family relationships; Skinner v. Oklahoma ex rel. Williamson 316 US 535 (1942) on procreation; Loving v. Virginia 388 US 1 (1967) on marriage; Griswold v. Connecticut 381 US 479 (1965) and Eisenstadt v. Baird 405 US 438 (1972) on contraception; and Roe v. Wade 410 US 113 (1973) on abortion]. Further, the Court was pressed to declare a fundamental right to consensual homosexual sodomy by reading it into the Due Process clause of the Fourteenth Amendment to the US Constitution.

The 9-judges Court split 5-4 down the middle to rule against all of Hardwick’s propositions and uphold the constitutionality of the Georgia statute. The Court’s majority agreed that cases cited by Hardwick had indeed evolved a right to privacy, but disagreed that this privacy extended to homosexual persons since “(n)o connection between family, marriage, or procreation on the one hand and homosexual activity on the other has been demonstrated…”. In essence, the Court’s majority held that homosexuality was distinct from procreative human sexual behaviour; that homosexual sex could, by virtue of this distinction, be separately categorised and discriminated against; and, hence, homosexual sex did not qualify for the benefit of intimate privacy protection that was available to heterosexuals. What reason did the Court give to support this discrimination? Justice White speaking for the majority gives us a clue: “Proscriptions against that (homosexual) conduct have ancient roots.” Justice White was joined in his majority judgement by Chief Justice Burger, Justice Powell, Justice Rehnquist and Justice O’Connor. His rationale was underscored by Chief Justice Burger who also wrote a short concurring opinion wherein he claimed:

“Decisions of individuals relating to homosexual conduct have been subject to state intervention throughout the history of Western civilization. Condemnation of those practices is firmly rooted in Judeo-Christian moral and ethical standards. Blackstone described “the infamous crime against nature” as an offense of “deeper malignity” than rape, a heinous act “the very mention of which is a disgrace to human nature,” and “a crime not fit to be named.” … To hold that the act of homosexual sodomy is somehow protected as a fundamental right would be to cast aside millennia of moral teaching.”

The majority’s “wilful blindness”: Blackmun’s dissent

The Court’s dissenting opinion was delivered by Justice Blackmun, in which Justice Brennan, Justice Marshall and Justice Stevens joined. At the outset, the Justice Blackmun disagreed with the issue that was framed by the majority led by Justice White: “This case is (not) about “a fundamental right to engage in homosexual sodomy,” as the Court purports to declare…” and further pointed out that the Georgia statute proscribed not just homosexual sodomy, but oral or anal sex committed by any two persons: “…the Court’s almost obsessive focus on homosexual activity is particularly hard to justify in light of the broad language Georgia has used.”. When considering the issue of privacy for intimate sexual conduct, Justice Blackmun criticised the findings of the majority: “Only the most wilful blindness could obscure the fact that sexual intimacy is a sensitive, key relationship of human existence, central to family life, community welfare, and the development of human personality…” And when dealing with the ‘historical morality’ argument that was advanced by Chief Justice Burger, the minority observed:

“The assertion that “traditional Judeo-Christian values proscribe” the conduct involved cannot provide an adequate justification for (§)16-6-2 (of the Georgia Statute). That certain, but by no means all, religious groups condemn the behavior at issue gives the State no license to impose their judgments on the entire citizenry. The legitimacy of secular legislation depends instead on whether the State can advance some justification for its law beyond its conformity to religious doctrine.”

The states respond, privacy is upheld

Bowers was argued and decided over five years in the 1980s. At the time, the USA was witnessing a neo-conservative wave in its society and government, which was headed by a republican conservative. The HIV/AIDS issue had achieved neither the domestic nor international proportions it now occupies and the linkages between HIV/AIDS, homosexuality and the right to health were still unclear. In the years after Bowers, several more US States repealed their sodomy laws.

In some US States, sodomy laws that were not legislatively repealed were judicially struck down. In 1998, the Georgia State Supreme Court, in Powell v. State of Georgia S98A0755, 270 Ga. 327, 510 S.E. 2d 18 (1998), heard a challenge to the same sodomy provision of the Georgia statute that was upheld in by the US Supreme Court in Bowers. In a complete departure from the US Supreme Court’s findings, the Georgia Supreme Court first considered whether the Georgia statute violated individual privacy: “It is clear from the right of privacy appellate jurisprudence…that the “right to be let alone” guaranteed by the Georgia Constitution is far more extensive that the right of privacy protected by the U.S. Constitution…”

Having established that an individual right to privacy existed to protect private consensual sodomy, the Georgia Court then considered whether there was a ‘legitimate State interest’ that justified the State’s restriction of this right. The justifications that were offered by the State included the possibility of child sexual abuse, prostitution and moral degradation of society. The Court found that there already were a number of legal provisions to deter and punish rape, child abuse, trafficking, prostitution and public indecency. Hence: “In light of the existence of these statutes, the sodomy statute’s raison d’ etre can only be to regulate the private sexual conduct of consenting adults, something which Georgians’ right of privacy puts beyond the bounds of government regulation.” By a 2-1 decision, Chief Justice Benham leading the majority, the Georgia Supreme Court struck down the Georgia statute for arbitrarily violating the privacy of individuals. Interestingly, the subjects of the dispute were not homosexual, but two heterosexual adults – a man and a woman. Similar cases where a US State’s sodomy laws were judicially struck down include:

Campbell v. Sundquist 926 S.W.2d 250 (1996) – [Tennessee – by the Tennessee Court of Appeals on privacy violation; appeal to the State Supreme Court expressly denied].
Commonwealth v. Bonadio 415 A.2d 47 (1980) – [Pennsylvania – by the Pennsylvania Supreme Court on both equality and privacy violations];
Doe v. Ventura MC 01-489, 2001 WL 543734 (2001) – [Minnesota – by the Hennepin County District Judge on privacy violation; no appellate challenge];
Gryczan v. Montana 942 P.2d 112 (1997) – [Montana – by the Montana Supreme Court on privacy violation];
Jegley v. Picado 80 S.W.3d 332 (2001) – [Arkansas – by the Arkansas Supreme Court, on privacy violation];
Kentucky v. Wasson 842 S.W.2d 487 (1992) [Kentucky – by the Kentucky Supreme Court on both equality and privacy violations];
Massachusetts v. Balthazar 366 Mass. 298, 318 NE2d 478 (1974) and GLAD v. Attorney General 436 Mass. 132, 763 NE2d 38 (2002) – [Massachusetts – by the Superior Judicial Court on privacy violation];
People v. Onofre 51 NY 2d 476 (1980) [New York – by the New York Court of Appeals on privacy violation]; and,
Williams v. Glendenning No. 98036031/CL-1059 (1999) – [Maryland – by the Baltimore City Circuit Court on both privacy and equality violations; no appellate challenge].

Lawrence v. Texas

These developments made for an uneven field in the matter of legality of homosexual sex with the sodomy laws of most States being repealed by their State legislatures or subject to State judicial invalidation, while the sodomy laws of the remaining States were retained under the shade of constitutional protection afforded by Bowers. Texas was one such State which maintained an anti-sodomy law contained in Texas Penal Code Annotated § 21.06(a) (2003) (“Texas statute”) which criminalised sexual intercourse between two people of the same sex. In 1998, the Texas statute was invoked to arrest two men engaged in private, consensual, non-commercial sodomy. They subsequently challenged the constitutionality of the Texas statute, their case reaching the US Supreme Court. In 2003, the US Supreme Court, in Lawrence v. Texas 539 US 558 (2003) pronounced on the validity of the Texas statute. Interestingly, while the issue under consideration was identical to that decided in Bowers, the Court this time around was presented with detailed arguments on the equality-discrimination aspect of same-sex sodomy laws – which the Bowers Court majority did not consider. The Court split 6-3; the majority struck down the Texas statute. Justice Kennedy, speaking for himself and 4 other judges of the majority, found instant fault with the Bowers Court for framing the issue in question before it as simply whether homosexuals had a fundamental right to engage in sodomy.

Privacy, intimacy, home

This mistake, Justice Kennedy claimed, “…discloses the Court’s own failure… To say that the issue in Bowers was simply the right to engage in certain sexual conduct demeans…the individual…just as it would demean a married couple were it to be said marriage is simply about the right to have sexual intercourse. Their penalties and purposes (of the laws involved)…have more far-reaching consequences, touching upon the most private human conduct, sexual behavior, and in the most private of places, the home.” Justice Kennedy, joined by Justice Stevens, Justice Souter, Justice Ginsburg and Justice Breyer, found that the Texas statute violated the right to privacy granted by the Due Process clause of the US Constitution:

“The petitioners are entitled to respect for their private lives. The State cannot demean their existence or control their destiny by making their private sexual conduct a crime. “It is a promise of the Constitution that there is a realm of personal liberty which the government may not enter.”” [The quote is c.f. Planned Parenthood of Southeastern Pa. v. Casey 505 US 833 (1992)]

Imposed morality is defeated

With the privacy argument established as controlling, Justice Kennedy went to some length to refute the ‘historical morality’ argument that was put forward in Bowers by then Chief Justice Burger: “At the outset it should be noted that there is no longstanding history in this country of laws directed at homosexual conduct as a distinct matter… The sweeping references by Chief Justice Burger to the history of Western civilization and to Judeo-Christian moral and ethical standards did not take account of other authorities pointing in an opposite direction.” To illustrate these other authorities, Justice Kennedy references the ECHR’s decision in Dudgeon supra which was reached five years before Bowers: “Authoritative in all countries that are members of the Council of Europe (21 nations then, 45 nations now), the decision (Dudgeon) is at odds with the premise in Bowers that the claim put forward was insubstantial in our Western civilization.”.

The Court then affirmed that morality could not be a compelling ground to infringe upon a fundamental right: “Our obligation is to define the liberty of all, not to mandate our own moral code”. The lone remaining judge of the majority, Justice O’Connor, based her decision not on the right to privacy but on equality-discrimination considerations. Interestingly, Justice O’Connor sat on the Bowers Court and ruled with the majority in that case. Basing her decision on equal protection grounds allowed her to concur with the majority in Lawrence but not overturn her earlier position in Bowers which had rejected a right to privacy claim. It also enabled her to strike down the Texas statute while not conceding homosexuality as a constitutionally guaranteed private liberty. There were three dissenters: The chief dissent was delivered by Justice Scalia, in which he was joined by Chief Justice Rehnquist and Justice Thomas. Bowers was not merely distinguished by the majority, it was overruled:

“Bowers was not correct when it was decided, and it is not correct today. It ought not to remain binding precedent. Bowers v. Hardwick should be and now is overruled.”

For more details visit https://cis-india.org/internet-governance/blog/privacy-autonomy-sexual-choice-common-law-recognition-of-homosexuality

Privacy worries cloud Facebook's WhatsApp Deal

sunil — 2014-03-20T05:59:28Z

Privacy activists in the United States have asked the competition regulator or the Federal Trade Commission to put on hold Facebook's acquisition of WhatsApp. Why have they done this when Facebook has promised to leave WhatsApp untouched as a standalone app?

Read the original published in the Economic Times on March 14, 2014

Activists have five main concerns.

Facebook has a track record of not keeping its promises to users.
The ethos of both companies when it comes to privacy is diametrically opposite.
The probability that WhatsApp messages and content will be intercepted because of Facebook's participation in NSA's PRISM spying programme.
Facebook slurping WhatsApp's large repository of phone numbers.
Two hundred trackers already monitor your internet use when you are not using Facebook and now they tracking mobile use much more granularly. This week the Indian competition regulator (CCI) also told the media that the acquisition would be subject to scrutiny. However, unlike the US regulator the Indian regulator does not have the mandate to examine the acquisition from a privacy perspective.

LIRNEAsia research in Indonesia paints a very similar picture to one we have in India. When Indonesian mobile phone users were asked if they used Facebook they answered in affirmative. Then the very same users were asked if they used the internet and they replied in negative. A large number of Facebook users in these other similar economies are trapped within what are called "walled gardens."

Walled gardens allow mobile phone subscribers without data connections to get access to a single over-the-top service provider like Facebook because their telcom provider has an arrangement. Software such as Facebook on every phone makes it possible for feature phone users to also enter the walled garden.

According to Facebook it "is a fast and easyto-use native app that works on more than 3,000 different types of feature phones from almost every handset manufacturer that exists today."

Unlike North American and European users of Facebook - who freely roam the "world wild web" and then choose to visit Facebook when they want to many Indian users will first experience data services in a domesticated fashion within a walled garden.

Whether or not they will wander in the wild when they are have full access to the internet remains to be seen. But given our poor rates of penetration, dogmatic insistence on network neutrality at this early stage of internet adoption may not be the right way to maximise welfare and consumer interest.

Fortunately for Facebook and unfortunately for us, India still does not have a comprehensive data protection or horizontal privacy law. The Justice AP Shah Committee that was constituted by the Planning Commission in October 2012 recommended that the Privacy Act articulate national privacy principles and establish the office of the Privacy Commissioner. It further recommended that data protection and surveillance be regulated for both the private sector and the state.

Since then the Department of Personnel and Training has updated the draft bill to implement these recommendations and has been working towards consensus within government.

Since we still don't have our own privacy regulator we will have to depend on foreign data protection authorities and privacy commissioners to protect us from the voracious appetite for personal data of over-the-top service providers like Facebook This is woefully insufficient because they will not act on harm caused to Indian consumers or be aware of how Facebook acts differently in the Indian market.

As we approach the first general election in India when social media will play a small but influential role it would have been excellent if we had someone to look out for our right to privacy.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-march-14-2014-sunil-abraham-privacy-worries-cloud-facebook-whatsapp-deal

Privacy Round Table, New Delhi (October 2013)

praskrishna — 2013-09-28T02:52:26Z

The Centre for Internet and Society (CIS), Federation of Indian Chambers of Commerce and Industry (FICCI), and DSCI cordially invite you to a "Privacy Round Table" at the FICCI Federation House in Tansen Marg on October 19, 2013.

Click the below links to:

Download the event brochure
Download the latest version of the Draft Privacy Bill

Jacob Kohnstamm, Data Protection Authority, Netherlands and Chairman of the Article 29 Working Party, Chantel Bernier, Assistant Privacy Commissioner, Canada, and Christopher Graham, Information Commissioner, UK will make presentations:

Agenda

Time	Detail
10:00 10:30	Introduction and summary of previous Roundtables
10:30 11:00	“Data Protection in the European Union” Mr. Jacob Kohnstamm, Data Protection Authority, Netherlands and Chairman of the Article 29 Working Party
11:00 11:15	Tea
11:15 12:15	Regulatory Frameworks and Jurisdiction a. Co-Regulation vs. Self Regulation vs. Statutory Regulation b. Applicability of regulatory framework to domestic processing vs. multiple/international jurisdictions
12:15 12:45	“An Overview of the Canadian Privacy Regime” Ms. Chantal Bernier, Assistant Privacy Commissioner, Canada
12:15 13:30	The Privacy Commissioner a. Composition of the Office of the Privacy Commissioner (officers, funding, organizational structure) b. Powers of the Privacy Commissioner (investigation, audit, privacy impact assessment etc) c. Functions of the Office of the Privacy Commissioner
13:30 14:30	Lunch
14:30 15:30	Rights of the individual and exceptions to the right to privacy a. Rights of the individual including: notice, access, deletion etc. b. Exceptions to the right to privacy: national security, public order, public interest, prevention and detection of crime etc.
15:30 16:00	“An overview of the Privacy Regime in the UK” Mr. Christopher Graham, Information Commissioner, UK
16:00 16:15	Tea
16:15 17:00	Defining and protecting personal data and personal sensitive data a. Definitions and distinctions between personal data vs personal sensitive data b. Levels of protection for personal data vs. personal sensitive data c. Penalty and remedy for breach of personal data vs. personal sensitive data
17:00 18:00	Penalty and Redress a. Forms and extent of penalty: fine, public notice, shut down of services etc. b. Forms of redress for the individual c. Enforcement of penalty and redress

The Speakers

Jacob Kohnstamm	Before his appointment as Chairman of the Dutch Data Protection Authority in 2004, Jacob Kohnstamm was active in Dutch politics as member of the Lower House of the Dutch Parliament, as State Secretary for Internal Affairs and as member of the Senate of the Dutch Parliament (between 1981 and 2004). Before that, he worked as a lawyer in Amsterdam. Since February 2010, Jacob Kohnstamm is Chairman of the Art. 29 Working Party of European Data Protection Authorities. Since November 2011, Jacob Kohnstamm is also Chairman of the Executive Committee of the International Conference of Data Protection and Privacy Commissioners.
Chantal Bernier	Chantal Bernier was appointed Assistant Privacy Commissioner of Canada in December 2008. Ms. Bernier started her career in the federal government as a lawyer in the Department of Justice, Canada. She went on to hold a directorship at the Privy Council Office before being appointed Assistant Deputy Minister at Indian and Northern Affairs Canada, and later on at Public Safety Canada. She holds a Bachelor of Civil Law from the University of Sherbrooke and a Masters in Public International Law from the London School of Economics and Political Science.
Christopher Graham	Christopher Graham became UK Information Commissioner in June 2009, with responsibility for overseeing the Freedom of Information Act and Data Protection Act regimes — upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. He is the Vice Chair of the Article 29 Working Party of the European Data Protection Authorities. Christopher was the director general of the Advertising Standards Authority (ASA) from April 2000 to June 2009. From 2003-5, he was chairman of the European Advertising Standards Alliance (EASA), the federation of advertising self-regulatory bodies across the EU Single Market. Prior to joining the ASA, Christopher was for three years Secretary of the BBC. Christopher first joined the broadcaster as a news trainee in 1973. He was a Current Affairs Producer for BBC Radio and TV before becoming Managing Editor of News Programmes for TV and Radio.

Confirmations and RSVP

Please send your email confirmations for attending the Delhi Privacy Round Table on October 19, 2013, to Elonnai Hickok (elonnai@cis-india.org)

For more details visit https://cis-india.org/internet-governance/events/privacy-round-table-delhi-october-19-2013

Privacy Round Table, New Delhi

praskrishna — 2013-08-12T10:41:08Z

The Centre for Internet and Society (CIS), FICCI and DSCI cordially invites you to attend the "Privacy Round Table" to be held at the FICCI, Federation House, Tansen Marg, New Delhi on Saturday, August 24, 2013, 10.30 a.m. to 5.00 p.m., to discuss the "Report of the Group of Experts on Privacy" by the Justice A.P. Shah Committee, the text of the "Citizen's Privacy (Protection) Bill, 2013, drafted by the Centre for Internet and Society, and "Strengthening Privacy Protection through Co-Regulation" by DSCI.

Featured Remote Presentation from Jamie Hine and Betsy Broder, Federal Trade Commissioner, US

The discussions and recommendations from the meeting will be published into a compilation, and presented at the Internet Governance meeting planned for October 2013.

Draft Agenda for the Roundtable Discussion

Time	Detail
10.30	Overview, explanation, and discussion: The Report of the Group of Experts on Privacy.
11.30	Overview, explanation, and discussion: Strengthening Privacy Protection through Co-regulation.
12.15	Tea
12.30	Overview, explanation, and discussion: The Citizens Privacy (Protection) Bill, 2013.
13.15	Lunch
14.15	In depth discussion and overview of discussions and feedback from previous Roundtables and subsequent amendments to the Citizens Privacy (Protection) Bill, 2013.
16.00	The US Privacy Framework: Remote Presentation from Jamie Hine and Betsy Broder, Federal Trade Commission, US.
17.00	Tea

Confirmations and RSVP:

Please send your email confirmations for attending the New Delhi Privacy Roundtable on August 24, 2013, to elonnai@cis-india.org

For more details visit https://cis-india.org/internet-governance/events/privacy-round-table-delhi

Privacy Round Table, Kolkata

praskrishna — 2013-07-10T06:11:59Z

The Centre for Internet and Society, the Federation for Indian Chambers of Commerce and Industry, and the Data Security Council of India cordially invite you to attend the "Privacy Round Table" in Kolkata on July 13, 2013, 10.30 a.m. to 4.00 p.m., to discuss the "Report of the Group of Experts on Privacy" by the Justice A.P. Shah Committee, the text of the "Citizen's Privacy (Protection) Bill, 2013, drafted by the Centre for Internet and Society, and "Strengthening Privacy Protection through Co-Regulation" by DSCI.

Reijo Aarino, Data Protection Ombudsman of Finland will be the featured guest for this event. The discussions and recommendations from the meeting will be published into a compilation, and presented at the Internet Governance meeting planned for October 2013.

Click below to download the documents:

Draft Agenda

Time	Detail
10.30	Introduction to privacy frameworks for India: The Draft 2011 Right to Privacy Bill, the Report of the Group of Experts on Privacy, and Strengthening Privacy Protection through Co-regulation.
11.30	Overview, explanation, and discussion: The Privacy Protection Bill 2013
13.00	Lunch
14.00	Open Discussion: Reijo Aarnio, Data Protection Ombudsman of Finland
16.15	Tea

Please send your confirmations for attending the Kolkata Roundtable Privacy on July 13, 2013, to Maria Xynou at maria@cis-india.org

For more details visit https://cis-india.org/internet-governance/events/privacy-round-table-kolkata

Privacy Protection Bill, 2013 (With Amendments based on Public Feedback)

elonnai — 2013-07-12T10:50:22Z

In 2013 CIS drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with FICCI and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.

Click to download the Privacy Protection Bill, 2013 with latest amendments (PDF, 196 Kb).

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback

Privacy Policy Research

vanya — 2016-01-03T09:40:37Z

The Centre Internet and Society, India has been researching privacy policy in India since the year 2010 with the following objectives.

Raising public awareness and dialogue around privacy,
Undertaking in depth research of domestic and international policy pertaining to privacy
Driving comprehensive privacy legislation in India through research.

India does not have a comprehensive legislation covering issues of privacy or establishing the right to privacy In 2010 an "Approach Paper on Privacy" was published, in 2011 the Department of Personnel and Training released a draft Right to Privacy Bill, in 2012 the Planning Commission constituted a group of experts which published The Report of the Group of Experts on Privacy, in 2013 CIS drafted the citizens Privacy Protection Bill, and in 2014 the Right to Privacy Bill was leaked. Currently the Government is in the process of drafting and finalizing the Bill.

Privacy Research -

1. Approach Paper on Privacy, 2010 -

The following article contains the reply drafted by CIS in response to the Paper on Privacy in 2010. The Paper on Privacy was a document drafted by a group of officers created to develop a framework for a privacy legislation that would balance the need for privacy protection, security, sectoral interests, and respond to the domain legislation on the subject.

CIS Responds to Privacy Approach Paper http://bit.ly/16dEPB3

2. Report on Privacy, 2012 -

The Report on Privacy, 2012 was drafted and published by a group of experts under the Planning Commission pertaining to the current legislation with respect to privacy. The following articles contain the responses and criticisms to the report and the current legislation.

The National Cyber Security Policy: Not a Real Policy http://bit.ly/16yLYFq

Privacy Law Must Fit the Bill http://bit.ly/19DNYjs

3. Privacy Protection Bill, 2013 -

The Privacy Protection Bill, 2013 was a legislation that aims to formulate the rules and law that governs privacy protection. The following articles refer to this legislation including a citizen's draft of the legislation.

The Privacy (Protection) Bill 2013: A Citizen's Draft http://bit.ly/1bXYbL6

Privacy Protection Bill, 2013 (With Amendments based on Public Feedback) http://bit.ly/1efkgbe

Privacy (Protection) Bill, 2013: Updated Third Draft http://bit.ly/14WAgI7

The Privacy Protection Bill, 2013 http://bit.ly/1g3TwIX

The New Right to Privacy Bill 2011: A Blind Man's View of the Elephant http://bit.ly/17VSgCH

4. Right to Privacy Act, 2014 (Leaked Bill) -

The Right to Privacy Act, 2014 is a bill still under proposal that was leaked, linked below.

Leaked Privacy Bill: 2014 vs. 2011 http://bit.ly/QV0Y0w

For more details visit https://cis-india.org/internet-governance/blog/privacy-policy-research

Privacy Policy Framework for Indian Mental Health Apps

Chakshu Sang and Shweta Mohandas — 2025-01-10T00:11:24Z

This report analyses the privacy policies of mental health apps in India and provides recommendations for making the policies not only legally compliant but also user-centric

The report’s findings indicate a significant gap in the structure and content of privacy policies in Indian mental health apps. This highlights the need to develop a framework that can guide organisations in developing their privacy policies. Therefore, this report proposes a holistic framework to guide the development of privacy policies for mental health apps in India. It focuses on three key segments that are an essential part of the privacy policy of any mental health app. First, it must include factors considered essential by the Digital Personal Data Protection Act 2023 (DPDPA) such as consent mechanisms, rights of the data principal, provision to withdraw consent etc. Second, the privacy policy must state how the data provided by them to these apps will be used. Finally, developers must include key elements, such as provisions for third-party integrations and data retention policies.”

Click to download the full research paper here

For more details visit https://cis-india.org/internet-governance/blog/privacy-policy-framework-for-indian-metal-health-apps

Privacy Policy

praskrishna — 2013-07-01T06:25:37Z

Preliminary

This Privacy Policy ("Policy") states the internal policy of the Centre for Internet & Society ("CIS") with regard to the collection, storage, security, processing and disclosure of personal data.
This Policy constitutes compliance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on 11 April 2011.

Collection of Personal Data

CIS will not collect any personal data that is not necessary for the achievement of a purpose that is connected to a stated CIS function.
CIS will not collect any personal data without obtaining the prior consent of the person to whom it pertains. CIS may obtain such consent in any manner, and through any medium, but will not employ threats, duress or coercion to obtain such consent.
Personal data collected in respect of a grant of consent by the person to whom it pertains will, if that consent is subsequently withdrawn for any reason, be destroyed or anonymised.

Storage of Personal Data

CIS will not store any personal data for a period longer than is necessary to achieve the purpose for which it was collected, or, if that purpose is achieved or ceases to exist for any reason, for any period following such achievement or cessation.
Any personal data collected in relation to the achievement of a purpose will, if that purpose is achieved or ceases to exist for any reason, be destroyed or anonymised.
CIS may store personal data for a period longer than is necessary to achieve the purpose for which it was collected, or, if that purpose has been achieved or ceases to exist for any reason, for any period following such achievement or cessation, if –
- the person to whom it pertains grants consent to such storage;
- it is required to be stored under the provisions of applicable law; or
- it is the subject of a pending legal proceeding.

Processing of Personal Data

CIS will not process any personal data that is not necessary for the achievement of the purpose for which it was collected unless the person to whom it pertains grants consent to such processing.

Security of Personal Data

CIS will not collect, store or process any personal data in the absence of measures, including, but not restricted to, technological, physical and administrative measures, adequate to secure the confidentiality, secrecy, sanctity and safety of the personal data, including from theft, loss, damage or destruction.
Any person who collects, stores or processes any personal data on behalf of CIS will be subject to a duty of confidentiality and secrecy in respect of it.
CIS will, if the confidentiality, secrecy, sanctity or safety of any personal data collected, stored or processed by CIS is violated by theft, loss, damage or destruction, or as a result of any disclosure contrary to the provisions of this Policy, notify, to the extent possible, the person to whom the personal data pertains.

Disclosure of Personal Data

CIS will not disclose to any person to whom any personal data does not pertain, or otherwise cause any such a person to receive, the content or nature of that personal data, including any other details in respect thereof, unless the person to whom it pertains grants consent to such disclosure. CIS may obtain such consent in any manner, and through any medium, but will not employ threats, duress or coercion to obtain such consent.
CIS may disclose personal data with a person to whom it does not pertain, whether located in India or otherwise, for the purpose only of processing it to achieve the purpose for which it was collected, if such a disclosure is pursuant to an agreement that binds the person receiving it to same or stronger measures in respect of its storage, processing and disclosure as are contained in this Policy.
If the disclosure of any personal data is necessary to –
- prevent a reasonable threat to national security, defence or public order; or
- prevent, investigate or prosecute a cognisable offence;
CIS may, upon receiving an order in writing from a judicial authority or law enforcement officer, disclose the personal data that is the subject of the order without seeking the consent of the person to whom it pertains.
CIS may, to the extent possible, notify the person to whom any personal data pertains of its disclosure and the identity of the person it was disclosed to, and any other details in respect thereof.

Accuracy of Personal Data

CIS will reasonably afford any person whose personal data is collected, stored or processed by CIS the opportunity to review it and, where necessary, rectify anything that is inaccurate or not up to date.

For more details visit https://cis-india.org/about/policies/privacy-policy

Privacy Perspectives on the 2012 -2013 Goa Beach Shack Policy

elonnai — 2012-10-25T10:23:50Z

CCTVs in India are increasingly being employed by private organizations and the government in India as a way to increase security and prevent/ deter crime from taking place. When the government mandates the use of CCTV’s for this purpose, it often does so by means of a blunt policy mandate, requiring the installation of CCTV systems, but without any further clarification as to who should oversee the use of the cameras, what bodies should have access to the records, how access should be granted or obtained, and how long the recordings should be retained.

The lack of clarity and specificity in these requirements, the fact that these technologies are used in public spaces to collect undefined categories and amounts of information, and the fact that the technology can cut through space – and does not distinguish between private and public and primarily captures information where it is directed to, give rise to privacy concerns and raises fundamental questions about the ways in which technologies can be used to effectively increase security while still protecting the rights of individuals and the promotion of business.

An example of a blanket CCTV installation requirement from the government is seen in the 2012-2013 Goa Beach Shack Policy.[1] This blog will examine the shack policy from a privacy perspective, and how identification requirements are evolving. The blog will explore different principles by which surveillance technologies like CCTVs can be employed in order to promote effectiveness and protect the rights of individuals.

To help understand the current status of the Shack Policy and the extent of CCTV use in Goa, I spoke with a number of shack owners, cyber café owners, the Ministry of Tourism, and the Police of Goa. In this blog I do not use any direct quotes and write only from the perspective of my personal observations.

Current Status of the Shack Policy

This year, for the 2012-2013 tourist season, the Department of Tourism of Goa is implementing the Beach Shack Policy for regulating the establishment and running of temporary shacks at beaches in Goa. The policy applies only to the licensing, construction, maintenance, and demolition of temporary shacks on beaches owned by the government. The policy lays out requirements that must be submitted by applicants for obtaining a license and requirements relating to the operation of the shacks including size, security, health and safety, and noise control. Shacks, huts, hotels, etc. built on private land do not come under the scope of the policy. The shacks can only be bars and restaurants that can run from November 1^st through May 31^st, after which they must be taken down until the next season. The licensing of these shacks is to enable local employment opportunities in Goa. This can be seen by the requirement in the policy that Shacks are to be granted to only one member of the family who is unemployed.[2] Currently, the Ministry of Tourism has almost completed the allotment of shack spaces on all beaches in Goa. The police will assist in the enforcement of the policy, but their exact role is in the process of being clarified. Before the 2012-2013 policy, shacks were regulated by annual beach shack policies, which are not available online, but can be accessed through an RTI request to the Department of Tourism. Resistance to the policy has been seen by some because of concerns that the shacks will take away business from local private owners, will block fishing boats, will cause trash and sewage problems, and create issues for free movement of people on the beach.

Inside the policy:

Application Requirements

To apply for a license for a temporary shack, every application must be turned in by hand and must be accompanied by a residence certificate in original issued by Village Panchayat Municipality, attested copy of ration card, four copies of a recent colored passport photos with name written on the back, attested copy of birth certificate/passport copy/Pan Card and any other information that the applicant desires to furnish, and affidavit. In addition individuals must provide their name, address, telephone number, name of the shack, name of the beach stretch, nationality, experience, and any other information they wishes to provide.[3] These requirements are not excessive and have been kept to what seems minimally necessary for providing a license, though the option for individuals to provide any additional information they wish – could be used to convey meaningful information or extraneous information to the government.

Operational Requirements

The policy has a number of operational requirements for shack owners as well. For example owners must clearly display a self identifying photograph on the shack[4] and they must agree to assist the Tourism Department and Police department in stopping any crime and violation of any law along the Beach.[5]

The policy also requires that any person handling food must take a course conducted by IHMCT, GTDC, or Porvorim,[6] shacks must also be made out of eco friendly material as much as possible and the use of cement is banned,[7] and the proper disposal of trash and waste water will be the responsibility of the shack owner.[8] Furthermore, foreigners working in the shacks must have a work visa,[9] and loud music is not allowed to be played after 10:30 p.m.[10]

As noted in the introduction, each shack must install a CCTV surveillance system that provides real-time footage with an internal looping system in a non-invasive form. [11] But I got to understand that the CCTV requirement will be slowly introduced and will not be implemented this year due to resistance from shack owners. When the requirement is implemented, hopefully different aspects around the use of CCTVs will be clarified including: the retention period for the recordings, access control to the recordings, the responsibilities of the shack owner, where the camera will be set up and where it needs to be directed to, etc.

Currently in Goa there are official requirements for CCTVs to be installed in Cyber Cafes under section 144 of the CrPc. This requirement only came into effect on October 1st 2012.[12]Some private hotels, huts, and restaurants run CCTV cameras for their own security purposes. When asked if CCTVs will also become mandatory for private areas, some said this will happen, while others said it would be difficult to implement.

Enforcement

The policy uses a number of measures to ensure enforcement. For examples, successful applicants must place a security deposit of 10,000 with Director of Tourism. If any term of the policy is violated, the deposited amount will be given to the Government Treasury and the individual is required to pay another Rs. 10,000 to continue operating.[13]The placement of deck beds on the beach without authorization will also be treated as an offense under the Goa Tourist Places (protection and maintenance) Act 2001 and will be punished with a term of imprisonment minimum three months, which may extend to 3 years, and a fine which may extend to Rs. 5,000 or both. All offenses under the Act are cognizable and non-refundable. [14] If the shack is not dismantled at the end of the season, the individual will have their application rejected for the next three years.[15] Shack owners will also be penalized of they are caught discriminating against who can and cannot enter into the shack.[16]

Interestingly, though CCTV cameras can be used to ‘catch’ a number of offenses, the offenses that are penalized under the Act do not seem to require the presence of a CCTV camera. Additionally, the policy is missing penalties for the tampering and misuse of these cameras and unauthorized access to recordings.

Other practices around security and identification in Goa

In 2011 Goa also issued a new ‘C’ form that must be filled out by foreigners entering hotels.[17]

The form requires twenty six categories of information to be filled out including: permanent address, next destination to be proceeded to, contact number in hotel, purpose of visit, whether employed in India, and where the foreigner arrived from. According to hotel owners, three copies of these records are made. Two are submitted to the police and one is kept with the hotel. The records kept with the hotel are often kept for an undefined time period. In 2011 the police also enforced a new practice where every shack, hut, hotel etc. must have an all night security guard to ensure security on the beach. It was noted that registration of migrant workers is now mandatory, and that non-registered or undocumented vendors are removed from working on the beaches.

Will the 2012 – 2013 Beach Shack Policy have new implications?

In its current form, especially taking into consideration that the CCTV requirement will not be implemented immediately, the 2012 – 2013 shack policy does not seem alarming from a privacy perspective. On the general policy, though the penalties, such as the possibility of three months in prison for having too many beach chairs, seems to be over-reaching, there are a number of positive requirements in the policy such as the use of eco-friendly material, noise control, and strict procedures for disposing of trash and sewage.

The privacy perspective could change when CCTVs are implemented. The amount of data that would be generated and the ambiguity around the employment of the cameras could raise a number of privacy concerns. Yet the fact that this part of the policy will only be implemented later down the road seems indicative of both the shack owners discomfort in using the technology, and perhaps the government’s recognition that a certain level of ground work needs to be done before CCTVs are made mandatory for every shack in the state. Hopefully before the requirement is implemented, the ground work will be set up either at a national level – in the form of a national privacy legislation, or at the state level – in the form of appropriate safeguards and procedures built into the policy.

At the macro level, and when examined in the context of the growing use of CCTVs by private owners, the implementation of the UID and NPR requirements in Goa, and the introduction of the new ‘C’ form for foreigners, the CCTV requirement found in the Shack Policy seems to part of a growing trend across the country where the government seems to seek to identify all individuals and their movements/actions for unclear and undefined purposes, and looks towards identification through the collection of personal information and use of technology as a means to solve security issues.

For example, Goa is not the only city to consider mandatory installation of CCTV’s. In Delhi, the Department of Tourism issued a similar requirement in a 2012 amendment to the “existing Guidelines for Classification/Reclassification of Hotels”. According to the amendment hotels applying for approval are required to provide documentation that security features including CCTV systems are in place.[18] Similarly, in 2011 the Delhi State Industrial and Infrastructure Development Corporation began implementing a plan to install CCTVs outside of government and private liquor shops, amounting to 550 shops in total. The goal was to use the CCTV cameras to catch individuals breaking the Excise Act on camera and use the recordings during trials. According to news coverage, the cameras are required to be capable of recording images 50 meters away and all data must be stored for a period of 30 days.[19]

The ambiguity that exists around the legal use of many of these security systems and technologies, including CCTV’s was recently highlighted in Report of the Group of Experts on Privacy headed by Justice A.P Shah.[20] The report noted that the use of CCTV cameras and more broadly the use of electronic recording devices in India is an area that needs regulation and privacy safeguards. The report describes how the nine proposed national privacy principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, and openness, could be applied and will be affected by the use of these technologies.[21]

Conclusion

In India and elsewhere, the police are faced on a daily basis with the challenge of preventing and responding to all types of crime, and from this perspective – any information, clue, or lead is helpful and necessary, and the potential usefulness of CCTVs in identifying criminals and to some extent deterring crime is clear. On the other hand when CCTVs are employed without safeguards and regulations it could result in infractions of privacy and rights or could simply move the crime away from the surveilled area to an unsurveilled area.

Finding a way to ensure that police have access to the information that they need and that crime is prevented, while at the same time ensuring that the rights of individuals are not compromised, and the private sectors ability to easily do business is not limited by unrealistic security requirements, is an important discussion that governments, policy makers, and the public should be having. The answer hopefully is not found in a binary game of all or nothing, surveillance or no surveillance – but instead is found through mechanisms and principles that apply to both security and privacy such as transparency, oversight, proportionality, and necessity. For example, practices around what access the police legally have via surveillance systems, retention practices, cost of implementing surveillance, and amount of surveillance undertaken each year could be made transparent to the public to ensure that the public is informed and aware of the basic information around these systems. Furthermore, clear oversight over surveillance systems including distinction between the responsibilities and liabilities can ensure that unreasonable requirements are not placed. Lastly any surveillance that is undertaken should be necessary and proportional to the crime or threat that it is being used to prevent or detect. These principles along with the defined National Privacy Principles could help measure what amount and what type of surveillance could be the most effective, and ensure that when surveillance is employed it is done in a way that also protects the rights of individuals and the private sector.

Notes
[1].Ministry of Tourism. Goa Government. 2012-2013 Beach Shack Policy. Available at: http://bit.ly/Xk18NH. Last accessed: October 24th 2012.
[2]. Id. Section 2.
[3]. Id. Application Requirements 1-8. Pg 1&2.
[4]. Section 33.
[5].A part of the affidavit
[6].Id. Section 4.
[7]. Id. Section 17.
[8].Id. Section 28.
[9]. Id. Section 35.
[10].Id. Section 37.
[11]. Id. Section 38.
[12]. Order No. 38/10/2006. Under Section 144 of the Code of Criminal Procedure, 1973. Available at: http:// www.goaprintingpress.gov.in/downloads/1213/1213-28-SIII-OG.pdf
[13]. Beach Shack Policy 2012 - 2013, Section 16.
[14]. Id. Section 18.
[15]. Id. Section 22.
[16]. Id. Section 32.
[17]. Arrival Report of Foreigner in Hotel.”Form C” . Available at: http://bit.ly/TbUO4S
[18]. Government of India. Ministry of Tourism. Amendment in the existing Guidelines for Classification / Reclassification of Hotels. June 28^th 2012. Available at: http://bit.ly/RXtgBg. Last Accessed: October 24th 2012.
[19]. Bajpaj, Ravi. CCTV shots to check drinking outside city liquor vends. The Indian Express reproduced on the website of dsidc. December 20^th 2011. Available at: http://bit.ly/VHwCzd. Last accessed: October 24th 2012.
[20]. GOI. Report of the Group of Experts on Privacy. October 2012. Available at: http://bit.ly/VqzKtr. Last accessed: October 24th 2012.
[21]. Id. pg. 61-62.

For more details visit https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy

Privacy Meeting: Brussels – Bangalore

praskrishna — 2013-09-12T07:56:53Z

The Centre for Internet and Society, Bangalore welcomes you to a talk on privacy by Gertjan Boulet and Dariusz Kloza on August 14, 2013, 5.00 p.m. to 8.00 p.m.

Slides from the talk can be accessed here.

Draft Agenda

Time	Detail
17.00 17.15	Brief presentation of the Research Group on Law, Science, Technology and Society (LSTS) at the Vrije Universiteit Brussel (VUB), Belgium
17.15 18.15	Session on "new tools" to protect privacy and personal data. A case-study on (European) approach to privacy impact assessment This session will provide an overview to the main findings of the projects carried out by VUB-LSTS (predominantly) with regard to privacy impact assessments (PIA), starting with the EU co-funded PIAF (“A Privacy Impact Assessment Framework for data protection and privacy rights”; 2011-2012), which reviewed existing PIA frameworks worldwide, surveyed opinions of national data protection authorities (DPAs) on an optimal PIA policy and, finally, provided a set of recommendations for PIA policy-makers and practitioners. This session will be concluded by proposing adaptation of the so-called environmental democracy to the needs and reality of privacy. The points in this session will be contrasted with the experience of India.
18.15 18.45	Session on co-operation of data protection authorities "Improving Practical and Helpful cooperation between Data Protection Authorities", 2013-15. This session will provide a preliminary analysis of the (legal) factors that pose as obstacles to and/or encourage co-operation between DPAs worldwide in enforcing privacy and data protection laws. Such an analysis aims at creating a 'wish-list', i.e. at identifying what measures could be taken to reduce barriers and to further foster co-operation. This session will be concluded by discussing what DPAs' can learn about co-operation from European and international competition law. The points in this session will be contrasted with the experience of India.
18.45 19.00	Break
19.00 19.15	Small session on big data The focus of this session will be on the challenges posed to sovereignty by cross-border law enforcement access to big data. The Belgian Yahoo-case will be discussed as it is emblematic of a reality with broad national claims to access data in a trans-border context. Indian perspectives on this topic will be taken into account.
19.15 20.00	Open discussion

Materials

Wright, David, Kush Wadhwa, Paul De Hert, and Dariusz Kloza, A Privacy Impact Assessment Framework for Data Protection and Privacy Rights, 2011. http://piafproject.eu/ref/PIAF_D1_21_Sept2011Revlogo.pdf
Hosein, Gus, and Simon Davies, Empirical Research of Contextual Factors Affecting the Introduction of Privacy Impact Assessment Frameworks in the Member States of the European Union, 2012. http://piafproject.eu/ref/PIAF_deliverable_d2_final.pdf
De Hert, Paul, Dariusz Kloza, and David Wright, Recommendations for a Privacy Impact Assessment Framework for the European Union, 2012. http://piafproject.eu/ref/PIAF_D3_final.pdf
Kloza Dariusz, Moscibroda Anna, Boulet Gertjan, “Improving Co-operation Between Data Protection Authorities: First Lessons from Competition Law.” in Jusletter IT. Die Zeitschrift für IT und Recht, published by Weblaw AG. http://jusletter-it.weblaw.ch/issues/2013/20-Februar-2013/2128.html
Kloza Dariusz, “Public voice in privacy governance: lessons from environmental democracy”, in Erich Schweighofer (ed.), KnowRight 2012 conference proceedings [forthcoming].

Other resources

PHAEDRA project: http://www.phaedra-project.eu

PIAF project: http://piafproject.eu
PIAw@tch, the PIA observatory: http://piawatch.eu

The Speakers

Gertjan Boulet

Gertjan Boulet holds a joint LL.M/MPhil (2010) from Leuven University (Belgium) and Tilburg University (the Netherlands) where he successfully completed a Research Master of Laws programme focused on legal methods and interdisciplinary research. He started to work as a doctoral researcher at the Research Group on Law, Science, Technology and Society (LSTS) at the Vrije Universiteit Brussel in January 2013 for the EU-funded research project 'Improving Practical and Helpful cooperAtion bEtween Data PRotection Authorities' (PHAEDRA). Before, he was a freelance researcher at VUB, and became a member of the programming committee of the annual conference 'Computers, Privacy & Data Protection' (CPDP). Prior to joining the Vrije Universiteit Brussel, Gertjan worked for the Brussels Airport Company (2010) and the law firm DLA Piper (2011). He also completed internships at the Belgian Public Prosecutor (2007), the Constitutional Court of Belgium (2012) and the Belgian Privacy Commission (2013).

Gertjan Boulet

Dariusz Kloza

Dariusz (Darek) Kloza is a doctoral researcher at the Research Group on Law, Science, Technology, and Society (LSTS) and the Institute for European Studies (IES) at Vrije Universiteit Brussel (VUB). He holds both an LL.M. in Law and Technology (2010) from the Tilburg Institute for Law, Technology, and Society (TILT) at Tilburg University (with distinction) and a master degree in law from University of Białystok (2008). He was also an exchange student at University of Copenhagen (2007-2008). His research is focused on fundamental rights in the digital era (especially privacy and data protection), liability of intermediary service providers and private international law. His doctoral research focuses on positive procedural obligations for privacy and data protection from the European perspective.

He has been involved in researching privacy and data protection issues in a number of EU co-funded projects, such as PIAF (Privacy Impact Assessment Framework for data protection and privacy rights), PHAEDRA (Improving Practical and Helpful cooperAtion bEtween Data PRotection Authorities) and ADVISE (Advanced Video Surveillance archives search Engine for security applications). He has also contributed to the work of the European Commission’s Task Force for Smart Grids, aimed at ensuring high level of privacy and personal data protection in smart grids/metering.

Dariusz Kloza

For more details visit https://cis-india.org/internet-governance/events/privacy-meeting-brussels-bangalore

Privacy Meet

praskrishna — 2013-11-20T05:13:57Z

Bhairav Acharya was invited by Yahoo's Director of International Privacy, Laura Juanes Micas, to a dinner meeting on privacy at the Oberoi in New Delhi.

The meeting was attended by Justice A.P. Shah, Dr. Gulshan Rai, Dr. Kamlesh Bajaj and others. At this event, Bhairav spoke about the need to develop laws to regulate surveillance and personal data in India. Bhairav further spoke about both the commercial benefits that will accrue from data protection law as well as the national benefit from surveillance regulation and security law. Bhairav also spoke of the need to create a procedure that is just, fair and reasonable and, he highlighted the point that these laws would have to survive constitutional scrutiny by the Supreme Court of India. He also pointed out that meaningful protections lay in creating procedural law that allowed individuals the protection of natural justice and identified magistrates to authorise data collections and interceptions. He further made it clear that India's distinct security situation, both internal and external, warranted a robust surveillance framework that enables law enforcement and strengthens the criminal justice system in manner consistent with the rule of law.

Timings	Agenda
19.00 19.25	Handshakes and Introduction
19.25 19.30	Welcome Remarks by Laura Juanes Micas, Director – International Privacy, Yahoo Inc
19.30 19.35	Address by Manoj Joshi, Joint Secretary, Deptt of Personnel and Training
19.35 19.40	Address by Dr. Gulshan Rai, Director General, CERT-IN
19.40 19.45	Address by Dr. Kamlesh Bajaj, CEO – Data Security Council of India (DSCI)
19.45 19.50	Address by Bhairav Acharya, Legal Adviser, Centre for Internet and Society (CIS)
19.50 19.55	Address by Rajan Mathews, Director General, Cellular Operators Association of India (COAI)
19.55 20.00	Address by Justice A P Shah, Former Chief Justice, Delhi High Court and Chairman, Group of Experts
20.00 20.05	Address by Pavan Duggal, Advocate, Supreme Court
20.05 20.10	Address by Chinmayi Arun, Research Director – Centre for Communication Governance, National Law University - Delhi
20.10 20.15	Address by Prasanth Sugathan, Counsel, Software Freedom Law Centre (SFLC.IN)
20.15 20.20	Address by Dr. Subho Ray, President, Internet and Mobile Association of India (IAMAI)
20.20	Discussions (Along with Sit – Down Dinner)

For more details visit https://cis-india.org/news/privacy-meet-october-7-2013

We are anonymous, we are legion

Privacy, security and surveillance: tackling international dilemmas and dangers in the digital realm

Privacy, Free/Open Source, and the Cloud

Introduction

Privacy Concerns:

How are privacy, free/open source, and the cloud related ?

Is free/open software the solution?

Conclusion

Privacy, By Design

Privacy, Autonomy, and Sexual Choice: The Common Law Recognition of Homosexuality

In the United Kingdom

The Wolfenden Report

The Sexual Offences Act, 1967

Developments in Scotland and Northern Ireland

Equalising the age of consent

Uniformity of equality

In the United States

Diversity of state laws

Bowers v. Hardwick

Privacy and autonomy

The majority’s “wilful blindness”: Blackmun’s dissent

The states respond, privacy is upheld

Lawrence v. Texas

Privacy, intimacy, home

Imposed morality is defeated

Privacy worries cloud Facebook's WhatsApp Deal

Privacy Round Table, New Delhi (October 2013)

Agenda

The Speakers

Jacob Kohnstamm

Chantal Bernier

Christopher Graham

Confirmations and RSVP

Privacy Round Table, New Delhi

Draft Agenda for the Roundtable Discussion

Confirmations and RSVP:

Privacy Round Table, Kolkata

Draft Agenda

Privacy Protection Bill, 2013 (With Amendments based on Public Feedback)

Privacy Policy Research

Privacy Policy Framework for Indian Mental Health Apps

Privacy Policy

Preliminary

Collection of Personal Data

Storage of Personal Data

Processing of Personal Data

Security of Personal Data

Disclosure of Personal Data

Accuracy of Personal Data

Privacy Perspectives on the 2012 -2013 Goa Beach Shack Policy

Current Status of the Shack Policy

Inside the policy:

Application Requirements

Operational Requirements

Enforcement

Other practices around security and identification in Goa

Will the 2012 – 2013 Beach Shack Policy have new implications?

Conclusion

Privacy Meeting: Brussels – Bangalore

Draft Agenda

Materials

Other resources

The Speakers

Gertjan Boulet

Dariusz Kloza

Privacy Meet