<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/internet-governance/blog/online-anonymity/search_rss">
  <title>We are anonymous, we are legion</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 886 to 900.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy_privacybydesign"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-copyright-act"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/events/privacy-and-surveillance-roundtable-new-delhi"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/events/privacy-surveillance-roundtable"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/jamia-millia-islamia-new-delhi-september-18-2013-privacy-and-surveillance-in-india"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy-and-security-implications-of-public-wi-fi-a-case-study"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy-and-security"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy-after-big-data-workshop-report"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/indianexpress-amitabh-sinha-october-19-2012-privacy-act-should-not-circumscribe-rti-expert-group"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme">
    <title>Privacy Concerns Overshadow Monetary Benefits of Aadhaar Scheme</title>
    <link>https://cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme</link>
    <description>
        &lt;b&gt;Since its inception in 2009, the Aadhaar system has been shrouded in controversy over issues of privacy, security and viability. It has been implemented without a legislative mandate and has resulted in a PIL in the Supreme Court, which referred it to a Constitution bench. On Friday, it kicked up more dust when the Lok Sabha passed a Bill to give statutory backing to the unique identity number scheme.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was published in the &lt;a class="external-link" href="http://www.hindustantimes.com/india/privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme/story-E3o0HRwc6XOdlgjqgmmyAM.html"&gt;Hindustan Times &lt;/a&gt;on March 12, 2016.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;There was an earlier attempt to give legislative backing to this project by the UPA government, but a parliamentary standing committee, led by BJP leader Yashwant Sinha, had rejected the bill in 2011 on multiple grounds. In an about-turn, the BJP-led NDA government decided to continue with Aadhaar despite most of those grounds still remaining.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Separately, there have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government’s argument that Aadhaar is voluntary.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In some respects, the new Aadhaar Bill is a significant improvement over the previous version. It places stringent restrictions on when and how the UID Authority (UIDAI) can share the data, noting that biometric information — fingerprint and iris scans — will not be shared with anyone. It seeks prior consent for sharing data with a third party. These are very welcome provisions.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;But a second reading reveals the loopholes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government will get sweeping power to access the data collected, ostensibly for “efficient, transparent, and targeted delivery of subsidies, benefits and services” as it pleases “in the interests of national security”, thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The safeguards related to accessing the identification information can be overridden by a district judge. Even the core biometric information may be disclosed in the interest of national security on directions of a joint secretary-level officer. Such loopholes nullify the privacy-protecting provisions.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Amongst the privacy concerns raised by the Aadhaar system are the powers it provides private third parties to use one’s UID number. This concern, which wouldn’t exist without a national ID, squarely relates to Aadhaar and needs a more comprehensive data protection law to fix it. The supposed data protection under the Information Technology Act is laughable and inadequate.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Bill was introduced as a Money Bill, normally reserved for matters related to taxation, borrowing and the Consolidated Fund of India (CFI), and it would be fair to question whether this was done to circumvent the Rajya Sabha.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;None of the above arguments even get to the question of implementation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Aadhaar hasn’t been working. When looking into reasons why 22% of PDS cardholders in Andhra Pradesh didn’t collect their rations it was found that there was fingerprint authentication failure in 290 of the 790 cardholders, and in 93 instances there was an ID mismatch. A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the CIS, shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The debate shouldn’t be only about the Aadhaar Bill being passed off as a Money Bill and about the robustness of its privacy provisions, but about whether the Aadhaar project can actually meet its stated goals.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme'&gt;https://cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Pranesh Prakash and Amber Sinha</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2016-03-17T16:12:26Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry">
    <title>Privacy concerns multiply for Aadhaar, India’s national biometric identity registry</title>
    <link>https://cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry</link>
    <description>
        &lt;b&gt;The largest and most sophisticated biometric identity system of any country in the world, India’s Aadhaar, is sparking new fears that the personal data it stores on more than 1.1 billion people could be vulnerable to exploitation.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Kaelyn Lowmaster was published by &lt;a class="external-link" href="https://oneworldidentity.com/2017/03/17/privacy-concerns-multiply-aadhaar-indias-national-biometric-identity-registry/"&gt;One World Identity&lt;/a&gt; on March 17, 2017. Sunil Abraham was quoted.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;Aadhaar, which translates to “foundation” in Hindi, is a unique 12-digit code tied to citizens’ &lt;a href="https://oneworldidentity.com/2017/02/02/indias-aadhaar-id-program-improve-biometric-security-new-bionetra-iris-partnership/"&gt;biometric data&lt;/a&gt; and personal information. The system was launched in 2009 in an effort  to extend social services to India’s millions of unregistered citizens,  and to cut down on welfare benefit “leakage” resulting from an opaque  and often corrupt bureaucracy.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government has also looked to Aadhaar data to underpin mobile payment transfer platforms, which have become crucial for cashless transactions during the country’s &lt;a href="https://www.forbes.com/sites/wadeshepard/2016/12/14/inside-indias-cashless-revolution/#d38bb294d124"&gt;demonetization push&lt;/a&gt; over the past year.&lt;/p&gt;
&lt;blockquote class="pullquote" style="text-align: justify; "&gt;But constructing a centralized repository of biometric data on nearly  a fifth of the world’s population has raised serious concerns among  privacy advocates, who cite several vulnerabilities both with the  Aadhaar system and the Modi administration’s planned expansion.&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;Despite this, recent metrics indicate that Aadhaar has been  enormously successful in achieving those goals. Though the program is  theoretically voluntary, &lt;a href="http://timesofindia.indiatimes.com/india/99-of-indians-over-18-now-have-aadhaar/articleshow/56820818.cms"&gt;more than 99%&lt;/a&gt; of Indian adults are now enrolled. Over &lt;a href="http://www.economist.com/news/business/21712160-nearly-all-indias-13bn-citizens-are-now-enrolled-indian-business-prepares-tap"&gt;three billion&lt;/a&gt; individual identity verifications have been conducted, and some reports indicate that the Indian government is saving &lt;a href="http://economictimes.indiatimes.com/news/economy/finance/aadhaar-id-saving-indian-govt-about-1-billion-per-annum-world-bank/articleshow/50575112.cms"&gt;a billion dollars per year&lt;/a&gt; now that welfare subsidies can be paid to citizens directly through Aadhaar-verified fund transfers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Prime Minister Narendra Modi has ambitions to broaden the system even  further, seeking to use Aadhaar as the gateway for accessing government  programs ranging from public education to subsidized cooking gas, as  well as partnering with private companies to offer services facilitated  by the Aadhaar database.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Concerns, however, remain. One primary worry is that India’s legal  framework for information security is still weak and fragmented, despite  government &lt;a href="http://pib.nic.in/newsite/mberel.aspx?relid=158849"&gt;assurances&lt;/a&gt; that Aadhaar biometrics have never been misused or stolen.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;img class="td-animation-stack-type0-1 aligncenter wp-image-30798" height="447" src="https://oneworldidentity.com/wp-content/uploads/2017/03/Adhar_DSCN4543-1024x768-2-300x225.jpg" width="596" /&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“There are no regulations in India on safeguards over and procedures  for the collection, processing, storage, retention, access, disclosure,  destruction, and anonymization of sensitive personal information by any  service provider,” according to a 2016 &lt;a href="http://pubdocs.worldbank.org/en/655801461250682317/WDR16-BP-Aadhaar-Paper-Banerjee.pdf"&gt;World Bank report&lt;/a&gt;.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A &lt;a href="http://www.livemint.com/Opinion/C4NOYNosPTZuRGjgH7UMLP/Indias-privacy-nonlaw.html"&gt;patchwork of rules&lt;/a&gt; outlining “reasonable security practices and procedures” for personal  data has accumulated since Aadhaar was launched, but there is no  codified law outlining how data in the system must be secured, or what  penalties exist for potential leaks, fraud or misuse.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This regulatory gap poses a particularly acute risk now that the government has begun offering companies and app developers support for starting new businesses that use Aadhaar data. Through a new initiative called &lt;a href="https://indiastack.org/about/"&gt;IndiaStack&lt;/a&gt;, the administration is providing open program interfaces for companies in fintech, healthcare, and other areas to integrate Aadhaar-based transactions into their business platforms. While IndiaStack’s terms of use explicitly state that user consent is required for any information sharing between service providers and the Aadhaar database, doubts remain about the integrity of the network infrastructure and the lack of clarity surrounding acceptable information sharing and storing protocols.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Another source of concern is the risk that Aadhaar information could be  leveraged by the government itself for political purposes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“Maintaining a central database is akin to getting the keys of every  house in Delhi and storing them at a central police station,” Sunil  Abraham, executive director of the Centre for Internet and Society in  Bangalore, &lt;a href="http://in.reuters.com/article/india-aadhaar-privacy-fears-idINKCN0WI2JW"&gt;told&lt;/a&gt; Reuters. “It is very easy to capture iris data of any individual with  the use of next generation cameras. Imagine a situation where the police  (are) secretly capturing the iris data of protesters and then  identifying them through their biometric records.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Further stoking fears of federal overreach, the Modi administration has &lt;a href="http://www.thehindu.com/news/national/Supreme-Court-finds-govt.-defying-its-order-on-Aadhaar/article14999391.ece"&gt;attempted&lt;/a&gt; to make Aadhaar registration mandatory in certain sectors, violating a  Supreme Court ruling from October 2015 that enrollment must remain  voluntary.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Still, the benefits of building on the Aadhaar identity system appear to  be outweighing the risks for now, and the system is gathering momentum  worldwide. The World Bank is &lt;a href="http://www.livemint.com/Politics/UEQ9o8Eo8RiaAaNNMyLbEK/Aadhaar-goes-global-finds-takers-in-Russia-and-Africa.html"&gt;helping market&lt;/a&gt; the Aadhaar model abroad, and Russia, Morocco, Tunisia, and Algeria  have all expressed interest in instituting national biometric identity  programs of their own. Microsoft is already &lt;a href="http://economictimes.indiatimes.com/industry/tech/software/microsoft-to-launch-skype-with-aadhaar-seeding-for-banking/articleshow/57299071.cms"&gt;on board&lt;/a&gt;, and Google is &lt;a href="http://economictimes.indiatimes.com/opinion/interviews/google-in-talks-with-government-to-partner-for-aadhaar-upi-caesar-sengupta-vice-president-next-billion-users-at-google/articleshow/54556320.cms"&gt;negotiating&lt;/a&gt; ways to get involved.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Aadhaar may indeed live up to its potential and become the global standard for universal legal identity, but until India can manage to create more robust mechanisms to protect citizens’ personal data, their security could remain uncertain.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry'&gt;https://cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-03-22T14:38:52Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy_privacybydesign">
    <title>Privacy By Design — Conference Report</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy_privacybydesign</link>
    <description>
        &lt;b&gt;How do we imagine privacy? How is privacy being built into technological systems? On April 16th, The Center for Internet and Society hosted Privacy by Design, an Open Space meant to answer these questions and more around the topic of privacy. Below is a summary of the conversations and dialogs from the event. &lt;/b&gt;
        
&lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;On April 16th, The Center for Internet and Society hosted Privacy by Design, an Open Space meant to foster discussions around questions related to how privacy is being designed into technological systems. The day opened with two basic questions: How do we imagine privacy? And how are individuals building technology systems incorporating privacy into the system? Throughout the day the conversations took many twists and turns, but at the end of the day three basic points about privacy had come out of the many discussions: 1. Privacy cannot be limited to one definition; it is constantly changing based on person and on context. 2. To a person, privacy is a function of abuse and violation. 3. The increased generation of data that was made possible by web 2.0 has led to a rise in privacy issues and is significantly changing many traditional concepts, spaces, and relationships – such as what constitutes a public space, and the relationship between a state and its citizens.&lt;/p&gt;
&lt;h3&gt;Database architecture and privacy&lt;/h3&gt;
&lt;p&gt;The morning discussion focused on databases and privacy, and began with questions like: How can a database be built to protect privacy? When a database is built, what role does privacy play in the migration of data? Is privacy protected in databases simply by limiting access to certain parts of data sets? Though many of these were left unanswered, the conversation highlighted the fact that databases are coded to segregate/regulate users and information in order to protect the system. Thus, databases are architected to incorporate privacy in such a way that protects the viability of only the system and not the individual. In our research we have seen many cases of this. Individuals’ privacy has been violated because of malfunctioning or poorly constructed databases. For example, currently Indian governmental databases often have incorrect information, individuals do not have the ability to access and change their information, and if an individual’s information is compromised the government is not held accountable, and there is no course of action that an individual can take towards redress.&lt;/p&gt;
&lt;h3&gt;Security vs. Privacy&lt;/h3&gt;
&lt;p&gt;Embedded in this understanding of how privacy is built into technological systems is the question of what security is, and when systems are built, whether privacy and security are considered to be essentially the same. Thus far in our research we have distinguished between privacy and security, saying that security and privacy have an interesting relationship: they go hand in hand, and yet at the same time have a different focus, and because of this differing focus data security and privacy are not the same. Data breaches that contain personal information of any sort that can be matched, tracked or otherwise correlated to a person or persons will result in a privacy breach too. Though data security is critical for protecting privacy, because data security and privacy have different focuses, the principles that each follows are also different and sometimes conflicting. For example, data security focuses on data retention, logging, etc., while privacy focuses on consent, restricted access to data, limited data retention, and anonymity. If security measures are carried out without privacy interests in mind, privacy violations can easily result. Therefore we have thought that data security should influence and support a privacy regime, but not drive it.&lt;/p&gt;
&lt;h3&gt;The right to be forgotten and regulation of data&lt;/h3&gt;
&lt;p&gt;The possibility of creating systems with "off switches" also came out of this thread of conversation. For instance, can a database be structured to show only necessary information to third parties based on the context? In this scenario a card would be created that has all of an individual’s information on it, but only the pertinent information will be shown based on the different situations - if, for example, a teenager goes to a bar, the card will only show a third party that he is over 18. This idea is already taking shape in many Western countries, and is similar to the idea of a federated identity system. A question to ask, though, is whether such a system could work for India, or be even more appropriate for India than a system like the UID. The purpose of federated systems of identity is to take context into consideration and enable users to keep contexts separate, so that the linking of information about an individual takes place only when consent is given by the user. In response to the idea of an identity system that allows only certain information to be seen by third parties based on the situation, it was brought out that privacy is not protected simply by the separation of data into public or private categories, because all data have the potential to be misused. The immediate response to this concern was that if all data have the potential to be misused, then the use of data should be carefully regulated. The regulation of data, though, is also a double-edged sword. On one hand regulating the use of data can stop a company from misusing information, but on the other hand it can keep a country from having full and equal access to the internet. A question that came out of this discussion on regulation was about the right to be forgotten. Does an individual have the right to regulate all information about themselves that is in the public sphere? Can they ask for their photos or videos to be taken down from the internet?
In India this question has yet to be answered by the law, and it is a question that our research is looking into.&lt;/p&gt;
&lt;h3&gt;Data types and privacy&lt;/h3&gt;
&lt;p&gt;Emerging from the conversation on database structure, a conversation on types of data in databases was started. The question was raised as to whether or not databases can actually handle certain types of data. The example given was caste-related data. Information about a person’s caste is constantly changing as people lie about their caste, change their caste, and become married and take on another caste. Furthermore, some people do not want to live with their caste and want to shed their caste. Therefore, can a database accurately represent such a dynamic data set? Is it dangerous to put such a politically volatile concept as caste into a database where it will confine a person to one definition once entered? Another side to this question, though, is that perhaps it is in fact necessary to try and place a person in one caste, as there are benefits enshrined by law based on a person’s caste, and an individual who has the ability to change his/her caste at their whim therefore defeats and takes advantage of governmental benefits. The point was also raised that by placing information like caste and identity into a database, governments have the ability to divide the country into subsets of identities that they decide to generate. Caste is not the only data that faces these complications and issues. For instance, religion and race raise similar questions. How can you define and represent a person’s relationship with God in a database? How do you represent a child of multiracial parents on a database?&lt;/p&gt;
&lt;h3&gt;Changes in the relationship between the state and the citizen&lt;/h3&gt;
&lt;p&gt;It was also brought out that the representation of citizens’ identities on a database changes the relationship between a state and its citizenry. States no longer see citizens as individuals, but instead as data samples. The UID is an example of an e-governance program that, if enacted, could further such a change in the relationship between the state and the citizen, as the whole of India will suddenly and ubiquitously be recognized by the Government (and other entities/organizations) according to their Aadhaar number. The relationship between the state and the citizen is not the only social change that databases bring about. Databases also change the concept of public space. As web 2.0 has facilitated the generation of large amounts of data, public space has become a space where one enters and interacts as a dataset. For example, Facebook and Twitter allow individuals to create datasets of themselves and interact with other people through their datasets. Beyond social networking, online banking and online shopping also push people to form datasets about themselves and to interact as datasets with services that were traditionally accessed in person, as individuals.&lt;/p&gt;
&lt;h3&gt;Questions of ownership&lt;/h3&gt;
&lt;p&gt;The above thread of conversation led to the next question of whether individuals control technology or technology controls individuals. The example of Facebook was used to illustrate this question. Even though Facebook has a privacy policy, once a person engages with Facebook he or she accepts Facebook’s definition of privacy – which is two-tiered. On one level Facebook defines user privacy in terms of restriction, allowing users to limit who can see their profiles. On another level Facebook’s privacy policy allows the company to share and sell personal information. In these ways companies are constructing databases so that instead of the company being the custodian of information – an entity that provides a structure to protect and hold information – the companies are now the owners of information, selling and using individuals’ information for profit. In India, this is a problem. Companies, once they collect data, treat it as their own, selling and sharing data with third parties, or using it in ways that were not agreed to by the customer. The question of ownership was a critical question for the group. In the discussions it was important to individuals that they had control and ownership over their information. Individuals felt that information that could be traced back to them or their identity belonged to them, and that in order to protect privacy, consent should be secured before any information is used. For instance, data mining by websites without notice was seen as a violation of privacy. The collection of data in public places for marketing purposes without a person’s consent or awareness was similarly seen as a privacy violation. It was also brought out from this conversation that the digitization of information has caused a commercialization of information, and that this has led to a sense of ownership and a need for privacy over information.
For example, before, if someone were to take one’s name and misuse it, that person was charged with defamation – not with a violation of privacy – but if someone misuses information that is in a database or online, that person is now charged with a violation of privacy. This shift in thinking is another example of how web 2.0 has increased privacy violations.&lt;/p&gt;
&lt;h3&gt;Perceptions and expectations of privacy&lt;/h3&gt;
&lt;p&gt;The day ended with a conversation about the perceptions and expectations of privacy. Privacy as it relates to an individual is almost wholly dependent on expectation, which changes from person to person, from community to community, and from culture to culture. Just as the expectation of privacy varies between individuals, so does the degree of violation. Thus, it is important to recognize the changing nature of privacy, because it explains why it is difficult for the legal system to address all the nuances of privacy with one broad legislation. This point has been crucial in our research thus far as we are consulting with the public, analyzing legislation, and following news items to see if privacy legislation is wanted and needed in India, and if it is - how it should be shaped.&lt;/p&gt;
&lt;p&gt;From the conversation on perceptions of privacy and privacy violations it was also brought out that the concept of privacy is on one hand related to the notion of ownership, and on the other hand it is related to the violation. From the experiences shared by individuals, their privacy never became a concern until it was violated, or they learned about someone else’s privacy being violated. This led to the observation that not only is it difficult for the law to address privacy violations because the violation is based on perception, but also because the effect when one’s privacy is violated is often an emotional one.&lt;/p&gt;
&lt;h3&gt;Conclusion&lt;/h3&gt;
&lt;p&gt;The conversations held throughout the day showed the dynamic and personal nature of privacy, and how, when databases are constructed and our lives are made digital, this personal aspect is easily lost. When we think about the conversations held throughout the day in relation to our initial questions (what are the different ways of imagining privacy, and how is privacy being built into technological systems), two more themes emerged besides the three basic themes of privacy highlighted at the beginning of this blog. One theme portrayed an imagination of privacy that is more personal, and that addresses the emotional component and the perception component of privacy. Another theme portrayed an imagination of privacy that is technologically more controlled, that allows for more personal regulation, more precise segregation of information in a database, and restricted access by third parties. This imagination of privacy can be and is being met by new and developing technologies. Increasingly in many countries technology is being structured with privacy built into the system. The larger question that this open space has raised, and not completely answered, is whether privacy legislation can adequately protect an individual’s privacy, and if it cannot, whether technology can fill the gaps that privacy legislation leaves open.&lt;/p&gt;


        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy_privacybydesign'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy_privacybydesign&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-08-22T12:03:30Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy">
    <title>Privacy and the Information Technology Act — Do we have the Safeguards for Electronic Privacy?</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy</link>
    <description>
        &lt;b&gt;How do the provisions of the Information Technology Act measure up to the challenges of privacy infringement? Does it provide an adequate and useful safeguard for our electronic privacy? Prashant Iyengar gives a comprehensive analysis on whether and how the Act fulfils the challenges and needs through a series of FAQs while drawing upon real life examples. &lt;/b&gt;
        &lt;h2&gt;What kinds of computer related activities impinge on privacy?&lt;/h2&gt;
&lt;p&gt;Although Information and Communications Technologies (ICTs) have greatly enhanced our capacities to collect, store, process and communicate information, it is ironically these very capacities of technology which make us vulnerable to intrusions of our privacy on a previously impossible scale. Firstly, data on our own personal computers can compromise us in unpleasant ways — with consequences ranging from personal embarrassment to financial loss. Secondly, transmission of data over the Internet and mobile networks is equally fraught with the risk of interception — both lawful and unlawful — which could compromise our privacy. Thirdly, in this age of cloud computing, when much of "our" data — our emails, chat logs, personal profiles, bank statements, etc. — resides on distant servers of the companies whose services we use, our privacy becomes only as strong as these companies’ internal electronic security systems. Fourthly, the privacy of children, women and minorities tends to be especially fragile in this digital age and they have become frequent targets of exploitation. Fifthly, the Internet has spawned new kinds of annoyances, from electronic voyeurism to spam or offensive email to ‘phishing’ — impersonating someone else’s identity for financial gain — each of which has the effect of impinging on one’s privacy.&lt;/p&gt;
&lt;p&gt;Although there are a number of technological measures through which these risks can be reduced, it is equally important to have a robust legal regime in place which lays emphasis on the maintenance of privacy. This note looks at whether and how the Information Technology Act that we currently have in India measures up to these challenges of electronic privacy [&lt;a href="#1"&gt;1&lt;/a&gt;].&lt;/p&gt;
&lt;h2&gt;&lt;span class="Apple-style-span"&gt;What provisions in the IT Act protect against violations of privacy?&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;At the outset, it would be pertinent to note that the IT Act defines a ‘computer resource’ expansively as including a “computer, computer system, computer network, data, computer database or software” [&lt;a href="#2"&gt;2&lt;/a&gt;]. As is evident, this definition is wide enough to cover most intrusions which involve any electronic communication devices or networks — including mobile networks. Briefly, the IT Act provides for both civil liability and criminal penalty for a number of specifically proscribed activities involving use of a computer — many of which impinge on privacy directly or indirectly. These will be examined in detail in the following sub-sections.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;Intrusions into computers and mobile devices&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;accessing&lt;/li&gt;
&lt;li&gt;downloading/copying/extraction of data or extracts any data&lt;/li&gt;
&lt;li&gt;introduction of computer contaminant [&lt;a href="#3"&gt;3&lt;/a&gt;] or computer virus [&lt;a href="#4"&gt;4&lt;/a&gt;]&lt;/li&gt;
&lt;li&gt;causing damage either to the computer resource or data residing on it&lt;/li&gt;
&lt;li&gt;disruption&lt;/li&gt;
&lt;li&gt;denial of access&lt;/li&gt;
&lt;li&gt;facilitating access by an unauthorized person&lt;/li&gt;
&lt;li&gt;charging the services availed of by a person to the account of another person&lt;/li&gt;
&lt;li&gt;destruction or diminishing of value of information&lt;/li&gt;
&lt;li&gt;stealing, concealing, destroying or altering source code with an intention&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The Act provides for the civil remedy of “damages by way of compensation” for damages caused by any of these actions. In addition anyone who “dishonestly” and “fraudulently” does any of these specified acts is liable to be punished with imprisonment for a term of upto three years or with a fine which may extend to five lakh rupees, or with both [&lt;a href="#5"&gt;5&lt;/a&gt;].&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Bangalore techie convicted for hacking govt site (2009, Deccan Herald)&lt;/b&gt;[&lt;a href="#6"&gt;6&lt;/a&gt;]&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;In November 2009, The Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G Arun Kumar, a techie from Bangalore to undergo a rigorous imprisonment for one year with a fine of Rs 5,000 under section 420 IPC (cheating) and Section 66 of IT Act (hacking).&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;&lt;span class="Apple-style-span"&gt;Investigations had revealed that Kumar was logging on to the BSNL broadband Internet connection as if he was the authorised genuine user and ‘made alteration in the computer database pertaining to broadband Internet user accounts’ of the subscribers.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;&lt;span class="Apple-style-span"&gt;The CBI had registered a cyber crime case against Kumar and carried out investigations on the basis of a complaint by the Press Information Bureau, Chennai, which detected the unauthorised use of broadband Internet.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;&lt;span class="Apple-style-span"&gt;The complaint also stated that the subscribers had incurred a loss of Rs 38,248 due to Kumar’s wrongful act. He used to ‘hack’ sites from Bangalore as also from Chennai and other cities, they said.&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Children's privacy online&lt;/h3&gt;
&lt;p&gt;As computers and the Internet become ubiquitous, children have increasingly become exposed to crimes such as pornography and stalking that make use of their private information. The newly inserted section 67B of the IT Act (2008) attempts to safeguard the privacy of children below 18 years by creating a new enhanced penalty for criminals who target children.&lt;/p&gt;
&lt;p&gt;The section firstly penalizes anyone engaged in child pornography. Thus, any person who “publishes or transmits” any material which depicts children engaged in sexually explicit conduct, or anyone who creates, seeks, collects, stores, downloads, advertises or exchanges this material may be punished with imprisonment up to five years (seven years for repeat offenders) and with a fine of up to Rs. 10 lakh.&lt;/p&gt;
&lt;p&gt;Secondly, this section punishes the online enticement of children into sexually explicit acts, and the facilitation of child abuse, which are also punishable as above.&lt;/p&gt;
&lt;p&gt;Viewed together, these provisions seek to carve out a limited domain of privacy for children from would-be sexual predators.&lt;/p&gt;
&lt;p&gt;The section exempts from its ambit, material which is justified on the grounds of public good, including the interests of "science, literature, art, learning or other objects of general concern". Material which is kept or used for bona fide "heritage or religious purpose" is also exempt.&lt;/p&gt;
&lt;p&gt;In addition, the newly released Draft Intermediary Due-Diligence Guidelines, 2011 [&lt;a href="#7"&gt;7&lt;/a&gt;] require ‘intermediaries’ [&lt;a href="#8"&gt;8&lt;/a&gt;] to notify users not to store, update or transmit any information that is, inter alia, “pedophilic” or “harms minors in any way”. An intermediary who obtains knowledge of such information is required to “act expeditiously to work with user or owner of such information to remove access to such information that is claimed to be infringing or to be the subject of infringing activity”. Further, the intermediary is required to inform the police about such information and preserve the records for 90 days.&lt;/p&gt;
&lt;h3&gt;Electronic Voyeurism&lt;/h3&gt;
&lt;p&gt;Although hidden cameras were once regarded as only the stuff of spy cinema, the explosion in consumer electronics has lowered the cost and size of cameras to such an extent that the threat of hidden cameras recording people’s intimate moments has become quite real. Responding to the growing trend of such electronic voyeurism, a new section 66E has been inserted into the IT Act which penalizes the capturing, publishing and transmission of images of the "private area" [&lt;a href="#9"&gt;9&lt;/a&gt;] of any person without their consent, "under circumstances violating the privacy" [&lt;a href="#10"&gt;10&lt;/a&gt;] of that person.&lt;/p&gt;
&lt;p&gt;This offence is punishable with imprisonment of up to three years or with a fine of up to Rs. two lakh or both.&lt;/p&gt;
&lt;h3&gt;Phishing – or Identity Theft&lt;/h3&gt;
&lt;p&gt;The word 'phishing' is commonly used to describe the offence of electronically impersonating someone else for financial gain. This is frequently done either by using someone else’s login credentials to gain access to protected systems, or by the unauthorized application of someone else’s digital signature in the course of electronic contracts. Increasingly, a new type of crime has emerged wherein SIM cards of mobile phones have been ‘cloned’, enabling miscreants to make calls on others' accounts. This is also a form of identity theft.&lt;/p&gt;
&lt;p&gt;Two sections of the amended IT Act penalize these crimes:&lt;/p&gt;
&lt;p&gt;Section 66C makes it an offence to “fraudulently or dishonestly” make use of the electronic signature, password or other unique identification feature of any person. Similarly, section 66D makes it an offence to “cheat by personation” [&lt;a href="#11"&gt;11&lt;/a&gt;] by means of any ‘communication device’[&lt;a href="#12"&gt;12&lt;/a&gt;] or 'computer resource'.&lt;/p&gt;
&lt;p&gt;Both offences are punishable with imprisonment of up to three years or with a fine of up to Rs. one lakh.&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Mumbai Police Solves Phishing scam&lt;/b&gt; &lt;span class="Apple-style-span"&gt;[&lt;a href="#13"&gt;13&lt;/a&gt;]&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;In 2005, a financial institute complained that they were receiving misleading emails ostensibly emanating from ICICI Bank’s email ID.&lt;/p&gt;
&lt;p&gt;An investigation was carried out with the emails received by the customers of that financial institute and the accused were arrested. The place of offence, Vijaywada was searched for the evidence. One laptop and mobile phone used for committing the crime was seized.&lt;/p&gt;
&lt;p&gt;The arrested accused had used open source code email application software for sending spam e-mails. He had downloaded the same software from the Internet and then used it as it is.&lt;/p&gt;
&lt;p&gt;He used only VSNL to spam the e-mail to customers of the financial institute because VSNL email service provider does not have spam box to block the unsolicited emails.&lt;/p&gt;
&lt;p&gt;After spamming e-mails to the institute customers he got the response from around 120 customers of which 80 are genuine and others are not correct because they do not have debit card details as required for e-banking.&lt;/p&gt;
&lt;p&gt;The customers who received his e-mail felt that it originated from the bank. When they filled the confidential information and submitted it the said information was directed to the accused. This was possible because the dynamic link was given in the first page (home page) of the fake website. The dynamic link means when people click on the link provided in spam that time only the link will be activated. The dynamic link was coded by handling the Internet Explorer onclick () event and the information of the form will be submitted to the web server (where the fake website is hosted). Then server will send the data to the configured e-mail address and in this case the e-mail configured was to the e-mail of the accused. All the information after phishing (user name, password, transaction password, debit card number and PIN, mother’s maiden name) which he had received through the Wi-Fi Internet connectivity of Reliance.com was now available on his Acer laptop.&lt;/p&gt;
&lt;p&gt;This crime was registered under section 66 of the IT Act, sections 419, 420, 465, 468 and 471 of  the Indian Penal Code and sections 51, 63 and 65 of the Indian Copyright Act, 1957 which attract the punishment of three years imprisonment and fine upto Rs 2 lac which the accused never thought of.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Spam and Offensive Messages&lt;/h3&gt;
&lt;p&gt;Although the advent of e-mail has greatly enhanced our communications capacities, most e-mail networks today remain susceptible to attacks from spammers who bulk-email unsolicited promotional or even offensive messages to the nuisance of users. Among the more notorious of these scams is/was the so-called "section 409 scam" in which victims receive e-mails from alleged millionaires who induce them to disclose their credit information in return for a share in millions.&lt;/p&gt;
&lt;p&gt;Section 66A of the IT Act attempts to address this situation by penalizing the sending of:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;any message which is grossly offensive or has a menacing character&lt;/li&gt;
&lt;li&gt;false information for the purpose of causing annoyance, inconvenience, danger, insult, criminal intimidation, enmity, hatred or ill-will&lt;/li&gt;
&lt;li&gt;any electronic e-mail for the purpose of causing annoyance or inconvenience, or to deceive the addressee about the origin of such messages;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This offence is punishable with imprisonment up to three years and with a fine [&lt;a href="#14"&gt;14&lt;/a&gt;].&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;span class="Apple-style-span"&gt;&lt;b&gt;Hoax E-mails&lt;/b&gt; [&lt;a href="#15"&gt;15&lt;/a&gt;]&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;In 2009, a 15-year-old Bangalore teenager was arrested by the cyber crime investigation cell (CCIC) of the city crime branch for allegedly sending a hoax e-mail to a private news channel. In the e-mail, he claimed to have planted five bombs in Mumbai, challenging the police to find them before it was too late.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;According to police officials, at around 1 p.m. on May 25, the news channel received an e-mail that read: “I have planted five bombs in Mumbai; you have two hours to find it.” The police, who were alerted immediately, traced the Internet Protocol (IP) address to Vijay Nagar in Bangalore. The Internet service provider for the account was BSNL, said officials.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;&lt;b&gt;Minor Hoax Spells Major Trouble&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span class="Apple-style-span"&gt;Sixteen-year-old Rakesh Patel (name changed), a student from Ahmedabad, sent an e-mail to a private news channel on March 18, 2008, warning officials of a bomb on an Andheri-bound train. In the e-mail, he claimed to be a member of the Dawood Ibrahim gang. Three days later, the crime investigation cell (CCIC) of the city police arrested the boy under section 506 (ii) for criminal intimidation. He was charge-sheeted on November 28, 2008.&lt;br /&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;Status: Patel was given a warning by a juvenile court&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;&lt;span class="Apple-style-span"&gt;A 14-year-old Colaba boy sent a hoax e-mail to a TV channel in Madhya Pradesh, three days after the July 26, 2008, Ahmedabad bomb blasts. He claimed that 29 bombs would go off in Jabalpur. He was picked up by officers of the anti-terrorism squad (ATS) who, with the help of the MP police, were able to trace the e-mail to a cyber café in Colaba.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;Status: No FIR was registered. The Cuffe Parade police registered a non-cognizable (NC) complaint &lt;/span&gt;&lt;span class="Apple-style-span"&gt;against him, and the boy was allowed to go home after the police gave him a “strict warning”.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;Shariq Khan, 18, was arrested in Bhopal on July 26, 2006, for sending out three e-mails claiming to be a member of the terrorist organisation, which the police believed was behind the 7/11 train bombings. He was arrested by the Bhopal police. Later, the ATS brought the boy to Mumbai and also booked him for a five-year-old unsolved case where an unknown accused had sent e-mail warnings to the department of Atomic Energy (DAE) in 2001.&lt;br /&gt;Status: The police filed a charge-sheet against Shariq who claimed that he had sent the e-mails for fun. Trial is pending in a juvenile court. Shariq is presently out on bail in Bhopal.&lt;/li&gt;
&lt;li&gt;On February 26, 2006, a 17-year-old student from Jamnabai Narsee School called an Alitalia flight bound to Milan at 2 a.m. telling them there was a bomb on board. He wanted to stop his girlfriend from going abroad. She was one of the 12 students on their way to attend a mock United Nations session in Geneva.&lt;br /&gt;Status: After being grilled by the police, he was arrested, but let out on bail.&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h2&gt;Lawful Interception and monitoring of electronic communications under the IT Act&lt;/h2&gt;
&lt;p&gt;In addition to violations of privacy by criminals and the mischievous-minded, electronic communications and storage are also a goldmine for governmental supervision and surveillance. This section provides a brief overview of the provisions in the IT Act which circumscribe the powers of the state to intercept electronic communications.&lt;/p&gt;
&lt;p&gt;The newly amended IT Act completely rewrote its provisions in relation to lawful interception. The new section 69 dealing with “power to issue directions for interception or monitoring or decryption of any information through any computer resource” is much more elaborate than the one it replaced. In October 2009, the Central Government notified rules under section 69 which lay down procedures and safeguards for interception, monitoring and decryption of information (the “Interception Rules 2009”). This further thickens the legal regime in this context.&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Unlawful Intercept&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;In August 2007, Lakshmana Kailash K., a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and detained for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.&lt;/p&gt;
&lt;p&gt;Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages [&lt;a href="#16"&gt;16&lt;/a&gt;].&lt;/p&gt;
&lt;p&gt;The incident highlights how minor privacy violations by ISPs and intermediaries could have impacts that gravely undermine other basic human rights [&lt;a href="#17"&gt;17&lt;/a&gt;].&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;In addition to section 69, the Government has been empowered under the newly inserted section 69B to "monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource".&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;&lt;span class="Apple-style-span"&gt;"Traffic data" has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.” Rules have been issued by the Central Government under this section (the “Monitoring and Collecting Traffic Data Rules, 2009”) which are similar, although with important distinctions, to the rules issued under section 69. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Thus, there are two parallel interception and monitoring regimes in place under the Information Technology Act. In the paragraphs that follow, we provide an overview of the regime of surveillance under section 69 — since it is more targeted towards the individual, and consequently the threats to privacy are more severe — while highlighting important differences in the rules drafted under section 69.&lt;/p&gt;
&lt;h3&gt;Who may lawfully intercept?&lt;/h3&gt;
&lt;p&gt;Section 69 empowers the “Central Government or a state government or any of its officers specially authorised by the Central Government or the state government, as the case may be” to exercise powers of interception under this section.&lt;/p&gt;
&lt;p&gt;Under the Interception Rules 2009, the secretary in the Ministry of Home Affairs has been designated as the "competent authority", with respect to the Central Government, to issue directions pertaining to interception, monitoring and decryption. Similarly, the respective state secretaries in charge of Home Departments of the various states and union territories are designated as "competent authorities" to issue directions with respect to the state government [&lt;a href="#18"&gt;18&lt;/a&gt;].&lt;/p&gt;
&lt;div&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;Central Government&lt;/td&gt;
&lt;td&gt;State/Union Territory&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ordinary Circumstances&lt;/td&gt;
&lt;td&gt;Secretary in the Ministry of Home Affairs&lt;/td&gt;
&lt;td&gt;Secretary in charge of Home Departments of State&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Emergency&lt;/td&gt;
&lt;td&gt;Head or second senior most officer of security and law enforcement&lt;/td&gt;
&lt;td&gt;Authorized officer not below the rank of Inspectors General of Police&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p&gt;However, an exception is made in cases of emergency, either&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;in remote areas where obtaining prior directions from the competent authority is not feasible or&lt;/li&gt;
&lt;li&gt;for ‘operational reasons’ where obtaining prior directions is not feasible.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In such cases it would be permissible to carry out interception after obtaining the orders of the Head or second senior most officer of security and law enforcement at the central level, and an authorized officer not below the rank of Inspector General of Police at the state or union territory level. The order must be communicated to the competent authority within three days of its issue, and approval must be obtained from the authority within seven working days, failing which the order would lapse.&lt;/p&gt;
&lt;p&gt;Where a state/union territory wishes to intercept/monitor or decrypt information beyond its territory, the competent authority for that state must make a request to the competent authority of the Central Government to issue appropriate directions.&lt;/p&gt;
&lt;h2&gt;Under what circumstances may a direction to intercept be issued?&lt;/h2&gt;
&lt;h3&gt;Purposes for which interception may be directed&lt;/h3&gt;
&lt;p&gt;Under section 69, the powers of interception may be exercised by the authorized officers “when they are satisfied that it is necessary or expedient” to do so in the interest of:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;sovereignty or integrity of India,&lt;/li&gt;
&lt;li&gt;defense of India,&lt;/li&gt;
&lt;li&gt;security of the state,&lt;/li&gt;
&lt;li&gt;friendly relations with foreign states or&lt;/li&gt;
&lt;li&gt;public order or&lt;/li&gt;
&lt;li&gt;preventing incitement to the commission of any cognizable offence relating to above or&lt;/li&gt;
&lt;li&gt;for investigation of any offence.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Under section 69B, the competent authority may issue directions for monitoring for a range of “cyber security”[&lt;a href="#20"&gt;20&lt;/a&gt;] purposes including, inter alia, “identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security”.&lt;/p&gt;
&lt;h3&gt;Contents of direction&lt;/h3&gt;
&lt;p&gt;The reasons for ordering interception must be recorded in writing [&lt;a href="#21"&gt;21&lt;/a&gt;].&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;In the case of a direction under section 69, in arriving at its decision, the competent authority must consider alternate means of acquiring the information other than issuing a direction for interception [&lt;/span&gt;&lt;a href="#22"&gt;22&lt;/a&gt;&lt;span class="Apple-style-span"&gt;]. The direction must relate to information sent or likely to be sent from one or more particular computer resources to another (or many) computer resources [&lt;/span&gt;&lt;a href="#23"&gt;23&lt;/a&gt;&lt;span class="Apple-style-span"&gt;]. The direction must specify the name and designation of the officer to whom information obtained is to be disclosed, and also specify the uses for which the information is to be employed [&lt;/span&gt;&lt;a href="#24"&gt;24&lt;/a&gt;&lt;span class="Apple-style-span"&gt;].&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;Duration of interception and periodic review&lt;/h3&gt;
&lt;p&gt;Once issued, an interception direction issued under section 69 remains in force for a period of 60 days (unless withdrawn earlier), and may be renewed for a total period not exceeding 180 days [&lt;a href="#25"&gt;25&lt;/a&gt;]. A direction issued under section 69B does not expire automatically through the lapse of time and theoretically would continue until withdrawn.&lt;/p&gt;
&lt;p&gt;Within seven days of its issue, a copy of a direction issued under either section 69 or section 69B must be forwarded to the review committee constituted to oversee wiretapping under the Indian Telegraph Act [&lt;a href="#26"&gt;26&lt;/a&gt;]. Every two months, the review committee is required to meet and record its findings as to whether the direction was validly issued in light of section 69(3) [&lt;a href="#27"&gt;27&lt;/a&gt;]. If the review committee is of the opinion that it was not, it can set aside the direction and order destruction of all information collected [&lt;a href="#28"&gt;28&lt;/a&gt;].&lt;/p&gt;
&lt;h3&gt;What powers of interception do they have?&lt;/h3&gt;
&lt;p&gt;The competent authority may, in his written direction, “direct any agency of the appropriate government to intercept monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource”[&lt;a href="#29"&gt;29&lt;/a&gt;].&lt;/p&gt;
&lt;p&gt;Accordingly, the subscriber or intermediary or any person in charge of the computer resource must, if required by the designated government agency, extend all facilities, equipment and technical assistance to:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;intercept, monitor, or decrypt[&lt;a href="#30"&gt;30&lt;/a&gt;] the information, as the case may be; or&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;provide information stored in computer resource.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The intermediary must maintain records mentioning the intercepted information, the particulars of the person, e-mail account, computer resource, etc., that was intercepted, the particulars of the authority to whom the information was disclosed, number of copies of the information that were made, the date of their destruction, etc. [&lt;a href="#31"&gt;31&lt;/a&gt;].  This list of requisitions received must be forwarded to the government agency once every 15 days to ensure their authenticity [&lt;a href="#32"&gt;32&lt;/a&gt;].&lt;/p&gt;
&lt;p&gt;In addition, a responsibility is cast on the intermediary to put in place adequate internal checks to ensure that unauthorized interception does not take place, and extreme secrecy of intercepted information is maintained [&lt;a href="#33"&gt;33&lt;/a&gt;].&lt;/p&gt;
&lt;h2&gt;How long can information collected during interception be retained?&lt;/h2&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;Interception rules require all records, including electronic records pertaining to interception, to be destroyed by the government agency “in every six months except in cases where such information is required or likely to be required for functional purposes”. In the case of the Monitoring and Collecting of Traffic Data Rules 2009, this period is nine months from the date of creation of record.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;In addition, all records pertaining to directions for interception and monitoring are to be destroyed by the intermediary within a period of two months following discontinuance of interception or monitoring, unless they are required for any ongoing investigation or legal proceedings. In the case of Monitoring Rules, this period is six months from the date of discontinuance.&lt;/p&gt;
&lt;h2&gt;What penalties accrue to intermediaries and subscribers for resisting interception?&lt;/h2&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;Section 69 stipulates a penalty of imprisonment up to a term of seven years and fine for any “subscriber or intermediary or any person who fails to assist the agency” empowered to intercept.&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;Data Protection under the IT Act&lt;/h2&gt;
&lt;h3&gt;Data Retention Requirements of 'Intermediaries'&lt;/h3&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;Section 67C of the amended IT Act mandates ‘intermediaries’[&lt;a href="#34"&gt;34&lt;/a&gt;] to maintain and preserve certain information under their control for durations which are to be specified by law. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;Any intermediary who fails to retain such electronic records may be punished with imprisonment up to three years and a fine.&lt;/p&gt;
&lt;h3&gt;Liability for body-corporates under section 43A&lt;/h3&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;The newly inserted section 43A makes a start at introducing a mandatory data protection regime in Indian law. The section obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which they would be liable to compensate those affected by any negligence attributable to this failure. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;&lt;span class="Apple-style-span"&gt;It is only the narrowly-defined ‘body corporates’ [&lt;a href="#35"&gt;35&lt;/a&gt;] engaged in ‘commercial or professional activities’ who are the targets of this section. Thus government agencies and non-profit organisations are entirely excluded from the ambit of this section [&lt;a href="#36"&gt;36&lt;/a&gt;]. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;“Sensitive personal data or information” is any information that the Central Government may designate as such, when it sees fit to.&lt;/p&gt;
&lt;p&gt;The “reasonable security practices” which the section obliges body corporates to observe are restricted to such measures as may be specified either “in an agreement between the parties” or in any law in force or as prescribed by the Central Government.&lt;/p&gt;
&lt;p&gt;By defining both “sensitive personal data” and “reasonable security practice” in terms that require executive elaboration, the section in effect pre-empts the courts from evolving an iterative, contextual definition of these terms.&lt;/p&gt;
&lt;div&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Mphasis BPO Fraud: 2005&lt;/b&gt; [&lt;a href="#37"&gt;37&lt;/a&gt;]&lt;br /&gt;&lt;br /&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;In December 2004, four call centre employees, working at an outsourcing facility operated by MphasiS in India, obtained PIN codes from four customers of MphasiS’ client, Citi Group. These employees were not authorized to obtain the PINs. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;&lt;span class="Apple-style-span"&gt;In association with others, the call centre employees opened new accounts at Indian banks using false identities. Within two months, they used the PINs and account information gleaned during their employment at MphasiS to transfer money from the bank accounts of CitiGroup customers to the new accounts at Indian banks. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;By April 2005, the Indian police had been tipped off to the scam by a U.S. bank, and quickly identified the individuals involved in the scam. Arrests were made when those individuals attempted to withdraw cash from the falsified accounts. $426,000 was stolen; the amount recovered was $230,000.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;h3&gt;Draft Reasonable Security Practices Rules 2011 &lt;span class="Apple-style-span"&gt;[&lt;a href="#38"&gt;38&lt;/a&gt;]&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;In February 2011, the Ministry of Information and Technology published draft rules under section 43A in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Sensitive Personal Information&lt;/b&gt;&lt;br /&gt;Rule 3 of these Draft Rules designates the following types of information as ‘sensitive personal information’:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;password;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;user details as provided at the time of registration or thereafter;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;information related to financial information such as Bank account / credit card / debit card / other payment instrument details of the users;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;physiological and mental health condition;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;medical records and history;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;biometric information;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;information received by body corporate for processing, stored or processed under lawful contract or otherwise;&lt;/li&gt;
&lt;/ul&gt;
&lt;div&gt;
&lt;div&gt;
&lt;ul&gt;
&lt;li&gt;call data records;&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;This, however, does not apply to “any information that is freely available or accessible in public domain or accessible under the Right to Information Act, 2005”.&lt;/p&gt;
&lt;p&gt;They and “any person” holding sensitive personal information are forbidden from “keeping that information for longer than is required for the purposes for which the information may lawfully be used”[&lt;a href="#40"&gt;40&lt;/a&gt;]&lt;/p&gt;
&lt;h3&gt;Mandatory Privacy Policies for body corporates&lt;/h3&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;Rule 4 of the draft rules enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” [&lt;a href="#41"&gt;41&lt;/a&gt;]. The policy must provide details of:&lt;/span&gt;&lt;/p&gt;
&lt;div&gt;
&lt;div&gt;
&lt;ul&gt;
&lt;li&gt;Type of personal or sensitive information collected under sub-rule (ii) of rule 3;&lt;/li&gt;
&lt;li&gt;Purpose, means and modes of usage of such information;&lt;/li&gt;
&lt;li&gt;Disclosure of information as provided in rule 6 [&lt;a href="#42"&gt;42&lt;/a&gt;]. &lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Prior Consent and Use Limitation during Data Collection&lt;/b&gt;&lt;/div&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;In addition to the restrictions on collecting sensitive personal information, a body corporate must obtain prior consent from the “provider of information” regarding “purpose, means and modes of use of the information”. The body corporate is required to “take such steps as are, in the circumstances, reasonable”[&lt;a href="#43"&gt;43&lt;/a&gt;] to ensure that the individual from whom data is collected is aware of:&lt;/span&gt;&lt;/p&gt;
&lt;div&gt;
&lt;ul&gt;
&lt;li&gt;the fact that the information is being collected; and&lt;/li&gt;
&lt;li&gt;the purpose for which the information is being collected; and&lt;/li&gt;
&lt;li&gt;the intended recipients of the information; and&lt;/li&gt;
&lt;li&gt;the name and address of:&lt;/li&gt;
&lt;li&gt;the agency that is collecting the information; and&lt;/li&gt;
&lt;li&gt;the agency that will hold the information. &lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;p&gt;During data collection, body corporates are required to give individuals the option to opt-in or opt-out from data collection [&lt;a href="#44"&gt;44&lt;/a&gt;]. They must also permit individuals to review and modify the information they provide "wherever necessary" [&lt;a href="#45"&gt;45&lt;/a&gt;]. Information collected is to be kept securely [&lt;a href="#46"&gt;46&lt;/a&gt;], used only for the stated purpose [&lt;a href="#47"&gt;47&lt;/a&gt;] and any grievances must be addressed by the body corporate “in a time bound manner” [&lt;a href="#48"&gt;48&lt;/a&gt;].&lt;/p&gt;
&lt;p&gt;Unlike "sensitive personal information", there is no obligation to retain information only for as long as it is required for the purpose collected.&lt;/p&gt;
&lt;h3&gt;Limitations on Disclosure of Information&lt;/h3&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;The draft rules require a body corporate to obtain prior permission from the provider of such information obtained either “under lawful contract or otherwise” before information is disclosed [&lt;a href="#49"&gt;49&lt;/a&gt;]. The body corporate or any person on its behalf shall not publish the sensitive personal information [&lt;a href="#50"&gt;50&lt;/a&gt;]. Any third party receiving this information is prohibited from disclosing it further [&lt;a href="#51"&gt;51&lt;/a&gt;]. However, a proviso to this sub-rule mandates information to be provided to ‘government agencies’ for the purposes of “verification of identity, or for prevention, detection, investigation, prosecution, and punishment of offences”. In such cases, the government agency is required to send a written request to the body corporate possessing the sensitive information, stating clearly the purpose of seeking such information. The government agency is also required to “state that the information thus obtained will not be published or shared with any other person” [&lt;a href="#52"&gt;52&lt;/a&gt;].&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Sub-rule (2) of rule 6 requires “any information” to be “disclosed to any third party by an order under the law for the time being in force.” This is to be done “without prejudice” to the obligations of the body corporate to obtain prior permission from the providers of information [&lt;a href="#53"&gt;53&lt;/a&gt;].&lt;/p&gt;
&lt;h3&gt;Reasonable Security Practices&lt;/h3&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;Rule 7 of the draft rules stipulates that a body corporate shall be deemed to have complied with reasonable security practices if it has implemented security practices and standards which require:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;a comprehensive documented information security program; and&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In case of an information security breach, such body corporate will be “required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security program and information security policies”.&lt;/p&gt;
&lt;p&gt;The rule stipulates that by adopting the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”, a body corporate will be deemed to have complied with reasonable security practices and procedures.&lt;/p&gt;
&lt;p&gt;The rule also permits “industry associations or industry clusters” who are following standards other than IS/ISO/IEC 27001 but which nevertheless correspond to the requirements of sub-rule 7(1), to obtain approval for these codes from the government. Once this approval has been sought and obtained, the observance of these standards by a body corporate would deem them to have complied with the reasonable security practice requirements of section 43A.&lt;/p&gt;
&lt;h2&gt;Penalties and Remedies for breach of Data Protection&lt;/h2&gt;
&lt;h3&gt;Civil Liability for Corporates&lt;/h3&gt;
&lt;div&gt;&lt;span class="Apple-style-span"&gt;As mentioned above, any body corporate that fails to observe data protection norms may be liable to pay compensation if:&lt;/span&gt;&lt;/div&gt;
&lt;ul&gt;
&lt;li&gt;it is negligent in implementing and maintaining reasonable security practices, and thereby &lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;causes wrongful loss or wrongful gain to any person;[&lt;a href="#54"&gt;54&lt;/a&gt;]&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Claims for compensation are to be made to the adjudicating officer appointed under section 46 of the IT Act. Further details of the powers and functions of this officer are given in succeeding sections of this note.&lt;/p&gt;
&lt;h3&gt;Criminal liability for disclosure of information obtained in the course of exercising powers under the IT Act&lt;/h3&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;Section 72 of the Information Technology Act imposes a penalty on “any person” who, having secured access to any electronic record, correspondence, information, document or other material using powers conferred by the Act or rules, discloses such information without the consent of the person concerned. Such unauthorized disclosure is punishable “with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;Criminal Liability for unauthorized disclosure by any person of information obtained under contract&lt;/h3&gt;
&lt;p&gt;Section 72A of the IT Act imposes a penalty on any person [&lt;a href="#55"&gt;55&lt;/a&gt;] (including an intermediary) who&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;has obtained personal information while providing services under a lawful contract and&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;discloses the personal information without consent of the person, &lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;with the intent to cause, or knowing it is likely to cause wrongful gain or wrongful loss [&lt;a href="#56"&gt;56&lt;/a&gt;]&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Such unauthorised disclosure to a third person is punishable with imprisonment up to three years or with fine up to Rs five lakh, or both.&lt;/p&gt;
&lt;h2&gt;Whom to call? Adjudicatory Mechanism and Remedies under the IT Act&lt;/h2&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;This section provides a brief outline of the mechanism installed by the IT Act to activate the various remedies and penalties prescribed in various sections of the Act. As a victim of online intrusion, how does one use the IT Act to seek redressal?&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;As mentioned above, the IT Act provides for both the civil remedy of damages in compensation (Chapter IX) as well as criminal penalties for offences such as imprisonment and fine (Chapter XI). In general, claiming a civil remedy does not bar one from seeking criminal prosecution and ideally both should be pursued together. For clarity, in the sections that follow, we will be discussing the two procedures separately.&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;Civil Damages and Compensation&lt;/h2&gt;
&lt;h3&gt;Whom to approach?&lt;/h3&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;Section 46 of the IT Act empowers the Central Government to appoint “adjudication officers” to adjudicate whether any person has committed any of the contraventions described in Chapter IX of the Act (See section 2.1 and 4.2 above) and to determine the quantum of compensation payable. Accordingly, the Central Government has designated the secretaries of the Department of Information Technology of each of the states or union territories as the “adjudicating officer” with respect to each of their territories [&lt;a href="#57"&gt;57&lt;/a&gt;].&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;However, a pecuniary limit has been placed on the powers of adjudicating officers, and they may only adjudicate cases where the quantum of compensation claimed does not exceed Rs. five crores. In cases where the compensation claimed exceeds this amount, jurisdiction would vest in the “competent court”, under the Code of Civil Procedure [&lt;a href="#58"&gt;58&lt;/a&gt;].&lt;/p&gt;
&lt;p&gt;Section 61 of the Act bars ordinary civil courts from jurisdiction over matters which the adjudicating officers have been empowered to decide under this Act.&lt;/p&gt;
&lt;h2&gt;When must a complaint be filed?&lt;/h2&gt;
&lt;div&gt;&lt;span class="Apple-style-span"&gt;The Limitation Act provides that a suit must be filed within three years from when the right to sue accrues [&lt;a href="#59"&gt;59&lt;/a&gt;].&lt;/span&gt;&lt;/div&gt;
&lt;h2&gt;What is the procedure?&lt;/h2&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;Section 46 and the rules framed under that section provide elaborate guidelines on the procedure that is to be followed by the adjudicating officer. Thus, the adjudicating officer is required to give the accused person “a reasonable opportunity for making representation in the matter”. Thereafter, if, on an inquiry, “he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.”&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;In order to carry out their duties, adjudicating officers have been invested with the powers of a civil court which are conferred on the cyber appellate tribunal [&lt;a href="#60"&gt;60&lt;/a&gt;]. Additionally, they have the power to punish for their contempt under the Code of Criminal Procedure.&lt;/p&gt;
&lt;p&gt;Rules framed under the section provide further details on the procedure that must be followed and provide for the issuance of a “show cause notice”, manner of holding enquiry, compounding of offences, etc. [&lt;a href="#61"&gt;61&lt;/a&gt;].&lt;/p&gt;
&lt;p&gt;Section 47 provides that in adjudging the quantum of compensation, the adjudicating officer shall have due regard to the following factors, namely:—&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; &lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;the amount of loss caused to any person as a result of the default;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;the repetitive nature of the default.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Where must a complaint be filed and in what format?&lt;/h2&gt;
&lt;p&gt;The complaint must be made to the adjudicating officer of the state or union territory on the basis of the location of the computer system or computer network. The complaint must be made on plain paper in the format provided in the proforma attached to the rules [&lt;a href="#62"&gt;62&lt;/a&gt;].&lt;/p&gt;
&lt;p&gt;In case the offender or computer resource is located abroad, it would be deemed, for the purpose of prosecution to be located in India [&lt;a href="#63"&gt;63&lt;/a&gt;].&lt;/p&gt;
&lt;h2&gt;How long does the process take?&lt;/h2&gt;
&lt;div&gt;
&lt;div&gt;The Rules direct that the whole matter should be heard and decided “as far as possible” within a period of six months [&lt;a href="#64"&gt;64&lt;/a&gt;].&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;How much does it cost?&lt;/h2&gt;
&lt;p&gt;The Rules stipulate a variable fee, payable by bank draft, calculated on the basis of damages claimed by way of compensation:&lt;/p&gt;
&lt;div&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;a) Up to Rs. 10,000&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;10% ad valorem rounded off to nearest next hundred&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;b) From Rs. 10,001 to Rs. 50,000&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Rs. 1000 plus 5% of the amount exceeding Rs.10,000 rounded off to nearest next hundred&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;c) From Rs. 50,001 to Rs. 100,000&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Rs. 3000/- plus 4% of the amount exceeding Rs. 50,000 rounded off to nearest next hundred&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;d) More than Rs. 100,000&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Rs.5000/- plus 2% of the amount exceeding Rs. 100,000 rounded off to nearest next hundred&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;h3&gt;Appeals to the Cyber Appellate Tribunal and the High Court&lt;/h3&gt;
&lt;p&gt;The Act provides for the constitution of a cyber appellate tribunal to hear appeals from cases decided by the adjudicating officer.&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;Within 25 days of the copy of the decision being made available by the adjudicating officer, the aggrieved party may file an appeal before the cyber appellate tribunal.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;&lt;/span&gt;Section 57 provides that the appeal filed before the cyber appellate tribunal shall be dealt with by it as expeditiously as possible and endeavor shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal. Section 62 gives the right of appeal to a high court to any person aggrieved by any decision or order of the cyber appellate tribunal on any question of fact or law arising out of such order. Such an appeal must be filed within 60 days from the date of communication of the decision or order of the cyber appellate tribunal.&lt;/p&gt;
&lt;h3&gt;Can contraventions be compounded (compromised) with the offender?&lt;/h3&gt;
&lt;p&gt;Except in the case of repeat offenders, contraventions may be compromised by the adjudicating officer or between the parties either before or after institution of the suit. Where any contravention has been compounded the IT Act provides that “no proceeding or further proceeding, as the case may be, shall be taken against the person guilty of such contravention in respect of the contravention so compounded”[&lt;a href="#65"&gt;65&lt;/a&gt;].&lt;/p&gt;
&lt;h3&gt;Criminal Penalties&lt;/h3&gt;
&lt;p&gt;The process described above applies to “contraventions” under Chapter IX of the Act. In addition to being liable to pay compensation, in the cases falling under section 43, such offenders may also be liable for criminal penalties such as imprisonment and fines [&lt;a href="#66"&gt;66&lt;/a&gt;]. This sub-section of this paper deals with the procedure to be followed with respect to the criminal offences set out under Chapter XI of the Act (for example, see sections 2.2 to 2.5 above).&lt;/p&gt;
&lt;h2&gt;Whom to approach? Who can take cognizance of offences and investigate them?&lt;/h2&gt;
&lt;p&gt;Section 78 of the IT Act empowers police officers of the rank of Inspectors and above to investigate offences under the IT Act.&lt;/p&gt;
&lt;p&gt;Many states have set up dedicated cyber crime police stations to investigate offences under this Act [&lt;a href="#67"&gt;67&lt;/a&gt;]. Thus, for example, the State of Karnataka has set up a special cyber crime police station responsible for investigating all offences under the IT Act with respect to the entire territory of Karnataka [&lt;a href="#68"&gt;68&lt;/a&gt;].&lt;/p&gt;
&lt;h2&gt;When must a complaint be lodged?&lt;/h2&gt;
&lt;p&gt;Although there is no time limit prescribed by the IT Act or the Code of Criminal Procedure with respect to when an FIR must be filed, in general, courts tend to take an adverse view when a significant delay has occurred between the time of occurrence of an offence and its reporting to the nearest police station.&lt;/p&gt;
&lt;p&gt;The Code of Criminal Procedure forbids courts from taking cognizance of cases after three years “if the offence is punishable with imprisonment for a term exceeding one year but not exceeding three years”. Where either the commission of the offence was not known to the person aggrieved, or where it is not known by whom the offence was committed, this period is computed from the date on which respectively the offence or the identity of the offender comes to the knowledge of the person aggrieved [&lt;a href="#69"&gt;69&lt;/a&gt;].&lt;/p&gt;
&lt;h2&gt;What is the procedure?&lt;/h2&gt;
&lt;p&gt;No special procedure is prescribed for the trial of cyber offences and hence the general provisions of criminal procedure would apply with respect to investigation, charge sheet, trial, decision, sentencing and appeal.&lt;/p&gt;
&lt;h2&gt;Can offences be compounded?&lt;/h2&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;Offences punishable with imprisonment of up to three years are compoundable by a competent court. However, repeat offenders cannot have their subsequent offences compounded. Additionally, offences which “affect the socio-economic conditions of the country” or those committed against a child under 18 years of age or against women cannot be compounded [&lt;a href="#70"&gt;70&lt;/a&gt;]. &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span class="Apple-style-span"&gt;Bibliography&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;a name="1"&gt;[1].&lt;span class="Apple-tab-span"&gt;&lt;/span&gt;The IT Act is only one of the various laws which safeguard citizens from violations of online privacy. In addition, in the domain of finance, for instance, various RBI regulations mandate strong security protocols with respect to data held by financial institutions. Since this is the subject of a different dispatch on banking and privacy which we have brought out, these regulations are omitted from this discussion.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="2"&gt;[2].Section 2(k) of the IT Act defines ‘computer’ as any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="3"&gt;[3].Section 43 defines "computer contaminant" as any set of computer instructions that are designed— (a) to modify, destroy, record, transmit data or program residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="4"&gt;[4].Similarly, "computer virus" has been defined in section 43 as “any computer instruction, information, data or program that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a program, data or instruction is executed or some other event takes place in that computer resource;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="6"&gt;[6].Section 66 of the IT Act. &lt;/a&gt;&lt;a name="5"&gt;Anon, 2009. Bangalore techie convicted for hacking govt site. Deccan Herald. Available at: http://goo.gl/jCvAh. [Accessed March 29, 2011];&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="7"&gt;[7].The Information Technology (Due Diligence observed by Intermediaries Guidelines) Rules, 2011;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="8"&gt;[8].‘Intermediary’ has been defined very expansively under section 2(w) of the Act to mean, with respect to any electronic record, “any person who on behalf of another person receives, stores or transmits that record, or provides any service with respect to that record and includes telecom service providers, network service providers, Internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes”.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="9"&gt;[9].‘Private area’ has been defined in section 66E as “the naked or undergarment clad genitals, pubic area, buttocks or female breast”.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="10"&gt;[10].Defined as “circumstances in which a person can have a reasonable expectation that (i) he or she could disrobe in privacy, without being concerned that an image of his or her private area was being captured or (ii) any part of his or her private area would not be visible to the public regardless of whether that person is in a public or private place”. See explanation to Section 66E&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="11"&gt;[11]."Cheating by personation" is a crime defined under section 416 of the Indian Penal Code. According to that section, “a person is said to "cheat by personation" if he cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such other person really is." The explanation to the section adds that "the offence is committed whether the individual personated is a real or imaginary person".  Two illustrations to the section further elaborate its meaning: (a) A cheats by pretending to be a certain rich banker of the same name. A cheats by personation (b) A cheats by pretending to be B, a person who is deceased. A cheats by personation.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="12"&gt;[12]."Communication device" has been defined to mean "cell phones, personal digital assistance (sic) or combination of both or any other device used to communicate send or transmit any text, video, audio or image".&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="13"&gt;[13].2005. Cyber Crime Cell, Mumbai: Case of Phishing. Mumbai Police. Available at: http://www.cybercellmumbai.com/case-studies/case-of-fishing [Accessed March 23, 2011].&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="14"&gt;[14]. Although no maximum limit is prescribed for the fine under this section, Section 63 of the Indian Penal Code declares that “Where no sum is expressed to which a fine may extend, the amount of fine to which the offender is liable is unlimited, but shall not be excessive”.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="12"&gt;&lt;/a&gt;&lt;a name="15"&gt;[15].Hafeez, M., 2009. Crime Line: Curiosity was his main motive, say city police. Crime Line. Available at: http://mateenhafeez.blogspot.com/2009/05/curiosity-was-his-main-motive-say-city.html [Accessed March 23, 2011].&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="16"&gt;[16]. Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article&amp;amp;sectid=2&amp;amp;contentid=200906252009062503144578681037483 [Accessed March 23, 2011].&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="17"&gt;[17].See also Nanjappa, V., 2008. 'I have lost everything'. Rediff.com News. Available at: http://www.rediff.com/news/2008/jan/21inter.htm [Accessed March 23, 2011].&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="18"&gt;[18]. By contrast, rules framed under Section 69B designate only the Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and IT as the “competent authority” to issue orders of interception.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="19"&gt;[19].It is unclear what these “operational reasons” could mean. The text of the rules provides no useful guidance.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="20"&gt;[20].“Cyber security breach” is defined as meaning “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly acceptable security policy resulting in unauthorized access, denial of service, disruption, unauthorized use of a computer resource for processing or storage of information or changes to date, information without authorization”. Rule 2(f) of the Monitoring and Collecting of Traffic Data Rules 2009. &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="20"&gt;&lt;/a&gt;&lt;a name="21"&gt;[21].Rule 7 of the Interception Rules 2009; Rule 3(3) of the Monitoring and Collecting of Traffic Data Rules 2009&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="22"&gt;[22].Rule 8 of the Interception Rules 2009&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="23"&gt;[23]. Rule 9 of the Interception Rules 2009&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="24"&gt;[24].Rule 10 of the Interception Rules 2009; &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="25"&gt;[25].Rule 11 of the Interception Rules 2009&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="26"&gt;[26].Rule 7 of the Interception Rules 2009&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="27"&gt;[27].Rule 22 of the Interception Rules 2009&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="28"&gt;[28]. Ibid&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="29"&gt;[29].Section 69 of the IT Act.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="30"&gt;[30].The intermediary is required to assist in the decryption only to the extent that the intermediary has control over the decryption key. See Sub-Rule 13(3) of the Interception Rules 2009. Rule 17 enjoins the holder of a decryption key to provide decryption assistance when directed to by the competent authority. &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="31"&gt;[31].Rule 16 of the Interception Rules 2009&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="32"&gt;[32].Rule 18 of the Interception Rules 2009&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="33"&gt;[33]. Rule 20 of the Interception Rules 2009; Rules 10 &amp;amp; 11 of the Monitoring and Collecting of Traffic Data Rules 2009. Failure to maintain secrecy of data may attract punishment under Section 72 of the Information Technology Act.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="34"&gt;[34].Supra n. 6 for definition&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="35"&gt;[35].Section 43A defines "'body corporate" as any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="36"&gt;[36].This does not necessarily mean that these entities are exempt from taking reasonable care to safeguard information that they collect, maintain or control – only that remedies against the government must be sought under general common law, rather than under the IT Act. &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="37"&gt;[37].Anon, 2005. The MphasiS Scandal – And How it Concerns U.S. Companies Considering Offshore BPO. Carretek. Available at: http://www.carretek.com/main/news/articles/MphasiS_scandal.htm [Accessed March 29, 2011]. See also Anon, 2005. MphasiS case: BPOs feel need to tighten security. Indian Express. Available at: http://www.expressindia.com/news/fullstory.php?newsid=44856 [Accessed March 29, 2011].&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="38"&gt;[38]. The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011. Available at http://www.mit.gov.in/sites/upload_files/dit/files/senstivepersonainfo07_02_11.pdf, last accessed February 15th, 2011.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="39"&gt;[39].Rule 5 of the Draft Rules.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="39"&gt;&lt;/a&gt;&lt;a name="40"&gt;[40]. This is perhaps a bit vague, since the potential ‘lawful uses’ are numerous and could be inexhaustible. It is unclear whether “lawful usage” is coterminous with “the uses which are disclosed to the individual at the time of collection”. In addition, this rule is framed rather weakly since it does not impose a positive obligation (although this is implied) to destroy information that is no longer required or in use.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="41"&gt;[41].“Provider of data” is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally – and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="42"&gt;[42]. This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6. &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="43"&gt;[43].One wonders about the convoluted language used here when a simpler phrase like “take reasonable steps” alone might have sufficed - reasonableness has generally been interpreted by courts contextually. As the Supreme Court has remarked, “`Reasonable’ means prima facie in law reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know.” See Gujarat Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC 973.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="44"&gt;[44].Sub-Rule 5(7).&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="45"&gt;[45].Sub-Rule 5(6). It is unclear what would count as a ‘necessary’ circumstance and who would be the authority to determine such necessity. &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="46"&gt;[46].Sub-Rule 5(8).&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="47"&gt;[47].Sub-Rule 5(5).&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="48"&gt;[48].Sub-Rule 5(9).&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="49"&gt;[49]. Sub-Rule 6(1) There are two problems with this rule. First, it requires prior permission only from the provider of information, and not the individual to whom the data pertains. In effect this whittles down the agency of the individual in being able to control the manner in which information pertaining to her is used. Second, it is not clear whether this information includes “sensitive personal information”. The proviso to this rule includes the phrase “sensitive information”, which would suggest that such information would be included. This makes it even more important that the rule require that prior permission be obtained from the individual to whom the data pertains and not merely from the provider of information. &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="50"&gt;[50].Sub-Rule 6(3).&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="51"&gt;[51].Sub-Rule 6(4).&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="52"&gt;[52].This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agency that betrays this statement? Why not instead insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="53"&gt;[53].This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="54"&gt;[54]. “Wrongful loss” and “wrongful gain” have been defined by Section 23 of the Indian Penal Code. Accordingly, "Wrongful gain" is gain by unlawful means of property which the person gaining is not legally entitled. "Wrongful loss"- "Wrongful loss" is the loss by unlawful means of property to which the person losing it is legally entitled.” The section also includes this interesting explanation “Gaining wrongfully, losing wrongfully- A person is said to gain wrongfully when such person retains wrongfully, as well as when such person acquires wrongfully. A person is said to lose wrongfully when such person is wrongfully kept out of any property as well as when such person is wrongfully deprived of property”. Following this, it could be possible to argue that the retention of data beyond the period of its use would amount to a “wrongful gain”.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="55"&gt;[55]. Section 3(39) of the General Clauses Act defines a person to include “any company or association or body of individuals whether incorporated or not”. An interesting question here would be whether the State can be considered “a person” so that it can be held liable for unauthorized disclosure of personal information. In an early case of Shiv Prasad v. Punjab State AIR 1957 Punj 150, the Punjab High Court had excluded this possibility. However, the case law on this point has not been consistent. In Ramanlal Maheshwari v.Municipal Committee, the MP High Court held that the Municipal Council could be treated as a ‘person’ for the purpose of levying a fine attached to a criminal offence. Statutory corporate bodies (such as the proposed UID Authority of India) have been held to be ‘persons’ for purposes of law . See Commissioners, Port of Calcutta v. General Trading Corporation, AIR 1964 Cal 290. Here under the Calcutta Port Act, Port Commissioners were declared to be a “body corporate”, and hence were held to be a ‘person’.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="56"&gt;[56].See supra n. 44.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="57"&gt;[57]. See G.S.R.240(E) New Delhi, the 25th March, 2003 available at &amp;lt; http://www.mit.gov.in/content/it-act-notification-no-240&amp;gt; .&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="58"&gt;[58].See Section 46(1A).&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="59"&gt;[59].Schedule I, Part X of the Limitation Act “Suits for which there is no prescribed period.”&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="60"&gt;[60].The powers of the Cyber Appellate Tribunal under Section 58 include the powers of (a) summoning and enforcing the attendance of any person and examining him on oath; (b) requiring the discovery and production of documents or other electronic records; (c) receiving evidence on affidavits; (d) issuing commissions for the examination of witnesses or documents; (e) reviewing its decisions; (f) dismissing an application for default or deciding it ex parte.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="61"&gt;[61].Information Technology (Qualification and Experience of Adjudicating Officers and Manner of holding Enquiry) Rules, 2003 [GSR 220(E)] Available at &amp;lt;http://cca.gov.in/rw/resource/notification-gsr220e.pdf?download=true&amp;gt;.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="62"&gt;[62]. Ibid Rule 4(b).&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="63"&gt;[63]. Section 75.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="64"&gt;[64]. Ibid, Rule 4(k).&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="65"&gt;[65]. Section 63 of the Act.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="66"&gt;[66].Prior to amendment in 2008, contraventions listed in Section 43 were only liable to be compensated by damages through civil proceedings. Thus in 2007, the Madras High Court annulled an FIR lodged in a police station which listed an activity mentioned in 43(g). See S. Sekar vs The Principal General Manager &amp;lt; http://indiankanoon.org/doc/182565/&amp;gt; This position has however been changed with the new Section 66 which makes all actions listed in Section 43 an offence when committed with dishonest or fraudulent intent. Thus an FIR can be lodged with respect to these activities as well.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="67"&gt;[67].An incomplete list of cyber crime cells of police in different states can be viewed at &amp;lt;http://infosecawareness.in/cyber-crime-cells-in-india&amp;gt;.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="68"&gt;[68]. Home and Transport3 Secretariat, Notification no. HD 173 POP 99 Bangalore, Dated 13th September 2001 Available at &amp;lt; http://cyberpolicebangalore.nic.in/pdf/notification_1.pdf&amp;gt;.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="69"&gt;[69]. Sections 468 and 469 of the Code of Criminal Procedure, 1973.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a name="70"&gt;[70]. Section 77A of the Information Technology Act.&lt;/a&gt;&lt;/p&gt;
&lt;p class="callout"&gt;&lt;span class="Apple-style-span"&gt;Click below to download files of your choice:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span class="Apple-style-span"&gt;&lt;a href="https://cis-india.org/internet-governance/blog/privacy-it-act.pdf" class="internal-link" title="Privacy IT Act"&gt;PDF &lt;/a&gt; [347 kb]&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/internet-governance/blog/privacy-it-act.odt" class="internal-link" title="Privacy and IT Act (ODT)"&gt;Open Office&lt;/a&gt; [51 kb]&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/internet-governance/blog/privacy-it-act.docx" class="internal-link" title="Privacy Act and IT"&gt;Word File&lt;/a&gt; [55 kb]&lt;/li&gt;
&lt;/ul&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy'&gt;https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Prashant Iyengar</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-12-14T10:29:12Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-copyright-act">
    <title>Privacy and the Indian Copyright Act</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-copyright-act</link>
    <description>
        &lt;b&gt;India's Copyright Act was established in 1957, and is in the process of being placed before the Parliament in 2010. The provisions in the proposed Bill will work to make the Act WIPO Copyright Treaty (WCT) compliant. When looking at privacy in the context of copyright four key questions arise, says Elonnai Hickock as she analyses privacy in the context of the Indian Copyright Act. &lt;/b&gt;
        &lt;h2 style="text-align: justify; "&gt;How do DRM technologies undermine privacy and what safeguards are present in the Indian law to protect citizens’ right to privacy?&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;Technologies such as digital rights management technologies were developed to be used by hardware manufacturers, publishers, copyright holders and individuals to control the mode of use of certain digital devices and contents. DRM technologies pose a privacy threat because, in their ability to monitor what is happening to a copyrighted work, they are also able to collect personal information and send it back to a host without the user's knowledge. The host is then able to use that data for marketing or commercial purposes. In the Copyright Act, 1957 there are no current provisions against DRM circumvention. In the proposed Copyright Bill 2010 there are two proposed provisions to prevent circumvention of DRM technologies and one provision that clarifies what a DRM technology is.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Proposed Legislation&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Section 2 (xa)&lt;/b&gt;: Defines Rights Management Information. It is important to note that the definition of RMI specifically excludes any device or procedure intended to identify the user.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Section 65A (1)&lt;/b&gt;: Protection of Technological Measures - Any person who circumvents an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act, with the intention of infringing such rights, shall be punishable with imprisonment which may extend to two years and shall also be liable to fine. The section also provides that any person facilitating circumvention by another person of a technological measure shall maintain a complete record of such other person, including his name, address and all relevant particulars necessary to identify him.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Section 65B&lt;/b&gt;: Protection of Rights Management Information – Any person who removes, or distributes, copies, or broadcasts any rights management information without authority shall be punishable with imprisonment.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;i&gt;Recommendation&lt;/i&gt;:  We find that, not only in the Copyright Act but in all Indian legislation, the privacy of an individual is brought into question, because there are no safeguards against the commercialization of information, and no formal process of redress if an individual discovers that his information is being used without his consent/prior knowledge. We would recommend that (perhaps appropriately in legislation on data protection) a provision be included to clearly articulate that the collection and commercialization of information and personal data by DRM technologies and host companies is prohibited, and that a method of redress be put in place.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Under the copyright, does a person have the ability to expose privacy infringement?&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;Because DRM technologies have the ability to collect user information, which could potentially be done through the use of spyware, it is important that an individual has the ability to know if and when their information is being collected. To do this an individual can discover the technological principles of a device, object, or system through a process known as reverse engineering.  Currently reverse engineering is permitted under provision 52 (ac). It is further supported by provision 65A (2) (f).&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Current Legislation&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Provision 52 (ac): Certain acts not to be in infringement of copyright include: the observation, study or test of functioning of the computer programs in order to determine the ideas and principles which underlie any elements of the program while performing such acts necessary for the functions for which the computer program was supplied. The following acts shall not constitute an infringement of copyright, namely:&lt;br /&gt;65A (2) (f): Nothing in sub-section (1) shall prevent any person from, doing anything necessary to circumvent technological measures intended for identification or surveillance of a user.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Recommendation&lt;/i&gt;: We have no recommendation, but see this as a positive provision.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;How does the proposed exception for the disabled undermine privacy?&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;In India under the current Copyright Act, 1957 there are no provisions for the benefit of disabled persons, thus currently permission from copyright holders needs to be exclusively sought every time the visually challenged person requires access. Under the Constitution of India and the Berne Convention, India has committed to enshrining the rights of the disabled.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Proposed Legislation&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Section 31B:  will grant compulsory license in respect of publication of any copyrighted works not covered by the exception under section 52 (1) (zb). For this a registered intermediary organization that is recognized under The Persons with Disability Act shall apply to the Copyright Board for approval. The board will evaluate the applicant and application, and grant permission if it sees fit. The intermediary will then be responsible for monitoring the usage of the copyrighted work to ensure that copyright law is not violated.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Recommendation&lt;/i&gt;: Though currently the Indian legislation does not threaten the privacy of the disabled, we find it concerning that under the WIPO copyright treaty – the anonymity of the disabled would be compromised.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;What is On the Horizon?&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;As copyright and IP are constantly evolving issues, countries are consistently amending and changing their laws. With the flow of people across borders increasing, Indians will be affected by different international policies that could infringe upon their privacy, for example cross-border checks or three-strike regimes, which will punish a person if caught infringing copyright three times. For example, France has proposed cutting off Internet access to those caught infringing copyright three times.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Examples of Proposed Legislation: The Anti-Counterfeiting Trade Agreement:&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;ACTA is a proposed legislation. Its objective is to combat counterfeiting and piracy. Partners in the negotiations include: The United States, Australia, Canada, the European Union, Japan, Mexico, Morocco, New Zealand, Singapore, South Korea, and Switzerland. The treaty will oblige each contracting party to adopt, in accordance with its legal system, the measures necessary to ensure the application of the treaty. Though ACTA has not been enacted, many worry that ACTA would facilitate privacy violations by trademark and copyright holders against private citizens suspected of infringement activities without any sort of legal due process. The Act could allow for random searches of laptops, MP3 players, and cellular phones for illegally downloaded or ripped music and movies.&lt;br /&gt;&lt;i&gt;&lt;br /&gt;Recommendation&lt;/i&gt;: We find that copyright infringement does not appear to justify cross border searches or other forms of regulating.  ACTA and other international treaties raise the question of whether, if India became compliant with certain international standards, the standards would be too stringent without safeguards and pose a risk to a person’s privacy.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy-copyright-act'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy-copyright-act&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Copyright</dc:subject>
    

   <dc:date>2013-08-06T13:37:27Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/events/privacy-and-surveillance-roundtable-new-delhi">
    <title>Privacy and Surveillance Roundtable</title>
    <link>https://cis-india.org/internet-governance/events/privacy-and-surveillance-roundtable-new-delhi</link>
    <description>
        &lt;b&gt;The Centre for Internet and Society and the Cellular Operators Association of India invite you to a roundtable at the India International Centre, New Delhi on July 4, 2014.&lt;/b&gt;
        &lt;h3&gt;Background and Context to the Roundtables&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In India, lawful interception of communications may be conducted by the state in three ways: firstly, intercepting telephone calls and other telecommunications may take place under powers listed in the Telegraph Act, 1885 and procedure set out in the Telegraph Rules, 1951; secondly, intercepting written communications transmitted through the postal service or by private couriers may occur under the Post Office Act, 1898; and, thirdly, intercepting, de-crypting, and monitoring email messages and other electronic communications may take place under the Information Technology Act, 1950 and two sets of Rules issued in 2008.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government’s intention to create a Central Monitoring System to automate the existing process of telephone tapping is significant for a number of reasons. It will bypass private telephone service providers; currently the active cooperation of TSPs is required and compelled in order to intercept and monitor a telephone conversation. This creates an extra layer of compliance activity for TSPs which is cumbersome and expensive. Interception orders from the state often do not comply with the procedure required by law. This uncertainty is compounded by the lack of an indemnity for TSPs.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, while the CMS will release TSPs from legal liability, it will leave the government free to conduct telephone interceptions in absolute secrecy and without a credible system of oversight and checks and balances. Amongst the world’s major democratic countries, India is alone in refusing to overhaul its telephone tapping regime. The legal requirements of probable cause, judicial sanction, and warrant-based interception – which are followed with exceptions in democracies around the world – are not adequately protected in India.  The same principles also apply to the interception of postal and electronic communications.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There are several intelligence and police agencies in India that conduct interceptions of communications without central coordination. Previous cases in the Supreme Court of India and a few Indian High Courts reveal many cases of improper and even illegal surveillance. The sheer number of interested state agencies, the concerns of inadequate oversight, the lack of a credible legal regime, the constant leaks of private communications, and the poor legal protection given to TSPs and ISPs must be legally addressed.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Information about the Roundtables&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The Privacy and Surveillance Roundtables are a CIS initiative, in partnership with the Cellular Operators Association of India (COAI).  From June 2014 – November 2014, CIS and COAI will host seven Privacy and Surveillance Roundtable discussions across multiple cities in India. The Roundtables will be closed-door deliberations involving multiple stakeholders. Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India. The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and training.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;The Report of the Group of Experts on Privacy&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In January 2012 Justice A.P. Shah formed a committee to create a report of recommendations for privacy legislation in India. The committee met seven times from January 2012 to September 2012.  The Report is made up of six chapters and begins by reviewing the international best practices around privacy and the relevant Indian jurisprudence. The Report then recommends nine National Privacy Principles to be adopted by each sector in India. The Nine National Privacy Principles reflect international standards, as well as taking into consideration the Indian context. Along with the National Privacy Principles, the Report lays out a regulatory framework for privacy including privacy commissioners at the regional and national level, self regulating organizations at the industry level, and a system of complaints. Finally the report demonstrates how the National Privacy Principles could be used to harmonize existing legislation and practices.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;The Draft CIS Citizens Privacy (Protection) Bill 2013&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness, completing in-depth research, and driving privacy legislation in India. As part of this work, the Centre for Internet and Society has drafted the Privacy (Protection) Bill 2013. The Citizens Privacy Protection Bill contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the privacy commissioner, and lays out offenses and penalties for contravention of the Act. The Bill represents a citizens’ version of privacy legislation, and will be shared with civil society, industry, and government. It is hoped that the review and revision of the Bill will be a participatory process, and thus comments and feedback on its provisions will be included as annexes to the Bill.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;The International Principles on the Application of Human Rights to Communication Surveillance&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;These principles were defined in 2013 in response to rapidly changing technologies and surveillance practices. The principles are the outcome of a global consultation with civil society groups, industry and international experts in communications surveillance law, policy and technology, spearheaded by the Electronic Frontier Foundation US and Privacy International UK. As technologies that facilitate State surveillance of communications advance, States are failing to ensure that laws and regulations related to communications surveillance adhere to international human rights and adequately protect the rights to privacy and freedom of expression. These principles attempt to explain how international human rights law applies in the current digital environment, particularly in light of the increase in and changes to communications surveillance technologies and techniques. These principles can provide civil society groups, industry, States and others with a framework to evaluate whether current or proposed surveillance laws and practices are consistent with human rights.&lt;/p&gt;
&lt;h3&gt;Tentative Agenda&lt;/h3&gt;
&lt;table class="listing"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;th&gt;Time&lt;/th&gt;&lt;th&gt;Detail&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;10.00&lt;br /&gt;11.00&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;Introduction&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;11.00&lt;br /&gt;11.30&lt;/td&gt;
&lt;td&gt;Tea&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;11.30&lt;br /&gt;13.00&lt;/td&gt;
&lt;td&gt;Discussion&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;13.00&lt;br /&gt;14.00&lt;/td&gt;
&lt;td&gt;Lunch&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;14.00&lt;br /&gt;16.00&lt;/td&gt;
&lt;td&gt;Discussion&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;16.00&lt;br /&gt;16.15&lt;/td&gt;
&lt;td&gt;Tea&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;hr /&gt;
&lt;h3&gt;Resources&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-february-2014.pdf" class="external-link"&gt;CIS &lt;span class="highlightedSearchTerm"&gt;Privacy&lt;/span&gt; Protection Bill, 2013&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://en.necessaryandproportionate.org/text"&gt;International Principles on the Application of Human Rights to Communication &lt;span class="highlightedSearchTerm"&gt;Surveillance&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf"&gt;The Report of the Group of Experts on &lt;span class="highlightedSearchTerm"&gt;Privacy&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/events/privacy-and-surveillance-roundtable-new-delhi'&gt;https://cis-india.org/internet-governance/events/privacy-and-surveillance-roundtable-new-delhi&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Event</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2014-06-29T14:50:20Z</dc:date>
   <dc:type>Event</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/events/privacy-surveillance-roundtable">
    <title>Privacy and Surveillance Roundtable</title>
    <link>https://cis-india.org/events/privacy-surveillance-roundtable</link>
    <description>
        &lt;b&gt;The Centre for Internet and Society and the Cellular Operators Association of India
in collaboration with the Council for Fair Business Practices invite you to a "Privacy Roundtable" at IMC Building, IMC Marg, Churchgate, Mumbai on June 28, 2014, 10.00 a.m. to 4.00 p.m.
&lt;/b&gt;
        &lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;th&gt;Time&lt;/th&gt;&lt;th&gt;Details&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;10:00 – 11:00&lt;/td&gt;
&lt;td&gt;Introduction&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;11:00 - 11:30&lt;/td&gt;
&lt;td&gt;Tea&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;11:30 - 13:00&lt;/td&gt;
&lt;td&gt;Discussion&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;13:00 - 14:00&lt;/td&gt;
&lt;td&gt;Lunch&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;14.00 - 16.00&lt;/td&gt;
&lt;td&gt;Discussion &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;16.00 - 16.15&lt;/td&gt;
&lt;td&gt;Tea&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Background and Context to the Roundtables&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In India, lawful interception of communications may be conducted by the state in three ways: firstly, intercepting telephone calls and other telecommunications may take place under powers listed in the Telegraph Act, 1885 and procedure set out in the Telegraph Rules, 1951; secondly, intercepting written communications transmitted through the postal service or by private couriers may occur under the Post Office Act, 1898; and, thirdly, intercepting, de-crypting, and monitoring email messages and other electronic communications may take place under the Information Technology Act, 1950 and two sets of Rules issued in 2008.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government’s intention to create a Central Monitoring System to automate the existing process of telephone tapping is significant for a number of reasons. It will bypass private telephone service providers; currently the active cooperation of TSPs is required and compelled in order to intercept and monitor a telephone conversation. This creates an extra layer of compliance activity for TSPs which is cumbersome and expensive. Interception orders from the state often do not comply with the procedure required by law. This uncertainty is compounded by the lack of an indemnity for TSPs.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, while the CMS will release TSPs from legal liability, it will leave the government free to conduct telephone interceptions in absolute secrecy and without a credible system of oversight and checks and balances. Amongst the world’s major democratic countries, India is alone in refusing to overhaul its telephone tapping regime. The legal requirements of probable cause, judicial sanction, and warrant-based interception – which are followed with exceptions in democracies around the world – are not adequately protected in India.  The same principles also apply to the interception of postal and electronic communications.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There are several intelligence and police agencies in India that conduct interceptions of communications without central coordination. Previous cases in the Supreme Court of India and a few Indian High Courts reveal many cases of improper and even illegal surveillance. The sheer number of interested state agencies, the concerns of inadequate oversight, the lack of a credible legal regime, the constant leaks of private communications, and the poor legal protection given to TSPs and ISPs must be legally addressed.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Information about the Roundtables&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The Privacy and Surveillance Roundtables are a CIS initiative, in partnership with the Cellular Operators Association of India (COAI). From June 2014 to November 2014, CIS and COAI will host seven Privacy and Surveillance Roundtable discussions across multiple cities in India. The Roundtables will be closed-door deliberations involving multiple stakeholders. Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India. The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and Training.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;The Report of the Group of Experts on Privacy&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In January 2012 Justice A.P. Shah formed a committee to create a report of recommendations for privacy legislation in India. The committee met seven times from January 2012 to September 2012.  The Report is made up of six chapters and begins by reviewing the international best practices around privacy and the relevant Indian jurisprudence. The Report then recommends nine National Privacy Principles to be adopted by each sector in India. The Nine National Privacy Principles reflect international standards, as well as taking into consideration the Indian context. Along with the National Privacy Principles, the Report lays out a regulatory framework for privacy including privacy commissioners at the regional and national level, self regulating organizations at the industry level, and a system of complaints. Finally the report demonstrates how the National Privacy Principles could be used to harmonize existing legislation and practices.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;The Draft CIS Citizens Privacy (Protection) Bill 2013&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness, completing in-depth research, and driving privacy legislation in India. As part of this work, the Centre for Internet and Society has drafted the Privacy (Protection) Bill 2013. The Citizens Privacy Protection Bill contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the privacy commissioner, and lays out offenses and penalties for contravention of the Act. The Bill represents a citizens’ version of privacy legislation, and will be shared with civil society, industry, and government. It is hoped that the review and revision of the Bill will be a participatory process, and thus comments and feedback on its provisions will be included as annexes to the Bill.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;The International Principles on the Application of Human Rights to Communication Surveillance&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;These principles were defined in 2013 in response to rapidly changing technologies and surveillance practices. The principles are the outcome of a global consultation with civil society groups, industry and international experts in communications surveillance law, policy and technology, spearheaded by the Electronic Frontier Foundation US and Privacy International UK. As technologies that facilitate State surveillance of communications advance, States are failing to ensure that laws and regulations related to communications surveillance adhere to international human rights and adequately protect the rights to privacy and freedom of expression. These principles attempt to explain how international human rights law applies in the current digital environment, particularly in light of the increase in and changes to communications surveillance technologies and techniques. These principles can provide civil society groups, industry, States and others with a framework to evaluate whether current or proposed surveillance laws and practices are consistent with human rights.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Tentative schedule for the Roundtables:&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;Mumbai – June 28th&lt;/li&gt;
&lt;li&gt;New Delhi – July 4th&lt;/li&gt;
&lt;li&gt;Ahmedabad/Hyderabad – August 1st&lt;/li&gt;
&lt;li&gt;Bangalore – September 5th&lt;/li&gt;
&lt;li&gt;New Delhi – October 3rd&lt;/li&gt;
&lt;li&gt;Chennai – October 24th&lt;/li&gt;
&lt;li&gt;New Delhi – November 7th&lt;/li&gt;
&lt;/ol&gt; 
&lt;hr /&gt;
&lt;h3&gt;Resources&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-february-2014.pdf" class="external-link"&gt;Draft CIS Privacy Bill 2013&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://en.necessaryandproportionate.org/text"&gt;International Principles on the Application of Human Rights and Communication Surveillance&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf"&gt;Report of the Group of Experts on Privacy&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/events/privacy-surveillance-roundtable'&gt;https://cis-india.org/events/privacy-surveillance-roundtable&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Event</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2014-06-20T05:26:10Z</dc:date>
   <dc:type>Event</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/jamia-millia-islamia-new-delhi-september-18-2013-privacy-and-surveillance-in-india">
    <title>Privacy and Surveillance in India</title>
    <link>https://cis-india.org/news/jamia-millia-islamia-new-delhi-september-18-2013-privacy-and-surveillance-in-india</link>
    <description>
        &lt;b&gt;Sunil Abraham, Executive Director from the Centre for Internet and Society will give a talk on privacy and surveillance in India at this event organised by the Centre for Culture, Media and Governance, Jamia Millia Islamia on September 18, 2013. The talk will be held at Network Governance Lab, CCMG, Jamia Millia Islamia in New Delhi at 11.30 a.m.&lt;/b&gt;
        &lt;hr /&gt;
&lt;p&gt;&lt;a href="https://cis-india.org/internet-governance/blog/privacy-surveillance.pdf" class="internal-link"&gt;Click to read the brochure&lt;/a&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;h3 style="text-align: justify; "&gt;Abstract&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The talk will cover the development of privacy policy in India over the last 3 years, particularly in relation to projects such as NATGRID, CMS and UID. Special attention will be paid to the Justice A.P. Shah committee report, the last leak of the privacy bill from the DoPT and also the citizen draft of the privacy bill developed by the Centre for Internet and Society. International experiences such as Snowden's disclosures and the development of communication surveillance principles developed by EFF and others will be compared and contrasted with the Indian context.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;About the Speaker&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Sunil is the executive director of the Centre for Internet and Society (CIS), Bangalore. CIS is a 4 year old policy and academic research organisation that focuses on accessibility by the disabled, intellectual property rights policy reform, openness [Free/Open Source Software, Open Standards, Open Content, Open Access and Open Educational Resources], internet governance, telecom, digital natives and digital humanities.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;He is also the founder of Mahiti, a social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. Sunil continues to serve on the board of Mahiti. He is an Ashoka fellow and was elected for a Sarai FLOSS Fellowship. For three years, Sunil also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Sunil currently serves on the advisory boards of Open Society Foundations - Information Programme, Mahiti, Samvada and International Centre for Free/Open Source Software.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/jamia-millia-islamia-new-delhi-september-18-2013-privacy-and-surveillance-in-india'&gt;https://cis-india.org/news/jamia-millia-islamia-new-delhi-september-18-2013-privacy-and-surveillance-in-india&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Surveillance</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-09-13T09:49:25Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy-and-security-implications-of-public-wi-fi-a-case-study">
    <title>Privacy and Security Implications of Public Wi-Fi - A Case Study</title>
    <link>https://cis-india.org/internet-governance/blog/privacy-and-security-implications-of-public-wi-fi-a-case-study</link>
    <description>
        &lt;b&gt;Today the internet is essential to everyday work and, recognizing its vital role, governments across the world, including the Indian government, are providing access to public Wi-Fi. However, the use of public Wi-Fi brings with it certain privacy and security risks. This research paper analyses some of these concerns, along with the privacy policies of key ISPs in India providing public Wi-Fi service in Bangalore, namely D-VoIS and Tata Docomo, as a case study to provide suitable recommendations.
&lt;/b&gt;
        
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;h4&gt;&lt;a class="external-link" href="http://cis-india.org/internet-governance/files/privacy-and-security-implications-of-public-wi-fi-a-case-study/at_download/file"&gt;Download&lt;/a&gt; (PDF)&lt;/h4&gt;
&lt;hr /&gt;
&lt;h4&gt;Contents&lt;/h4&gt;
&lt;p&gt;1. &lt;a href="#1"&gt;Introduction&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;2. &lt;a href="#2"&gt;Global Scenario&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;3. &lt;a href="#3"&gt;Overview of Public Wi-Fi in India&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;4. &lt;a href="#4"&gt;Indian Policy and Legal Conundrum&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;5. &lt;a href="#5"&gt;Public Wi-Fi and Privacy Concerns&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;5.1. &lt;a href="#51"&gt;Data Theft&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;5.2. &lt;a href="#52"&gt;Tracking an Individual&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;5.3. &lt;a href="#53"&gt;Makes the Electronic Devices Prone to Hacking and Setting up Fake Networks&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;5.4. &lt;a href="#54"&gt;Illegal Use of Data&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;6. &lt;a href="#6"&gt;Ranking Digital Rights Project&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;6.1. &lt;a href="#61"&gt;D-VoIS, Bangalore&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;6.2. &lt;a href="#62"&gt;Tata Docomo, Bangalore&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;7. &lt;a href="#7"&gt;Compliance of Privacy Policies with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;8. &lt;a href="#8"&gt;Conclusion and Recommendations&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;8.1. &lt;a href="#81"&gt;Commitment&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;8.2. &lt;a href="#82"&gt;Freedom of Expression&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;8.3. &lt;a href="#83"&gt;Privacy&lt;/a&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;h2 id="1"&gt;1. Introduction&lt;/h2&gt;
&lt;p style="text-align: justify;"&gt;Recognizing the internet as a critical tool for day-to-day work and facilitating increased access to it in the past few years,&lt;a name="_ftnref1" href="#_ftn1"&gt;&lt;sup&gt;[1]&lt;/sup&gt;&lt;/a&gt; the Indian Government as well as Governments across the world have rolled out plans for offering public Wi-Fi. However, privacy risks of using public Wi-Fi have also been flagged across jurisdictions, which will be discussed in this paper. Apart from highlighting key privacy concerns associated with the use of free public Wi-Fi, this case study aims to analyse the privacy policies of two of the Internet Service Providers in India, namely Tata Docomo&lt;a name="_ftnref2" href="#_ftn2"&gt;&lt;sup&gt;[2]&lt;/sup&gt;&lt;/a&gt; and D-VoiS&lt;a name="_ftnref3" href="#_ftn3"&gt;&lt;sup&gt;[3]&lt;/sup&gt;&lt;/a&gt;, which offer public Wi-Fi services in Bangalore city, against the indicators listed under the Ranking Digital Rights project&lt;a name="_ftnref4" href="#_ftn4"&gt;&lt;sup&gt;[4]&lt;/sup&gt;&lt;/a&gt;, as well as the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011&lt;a name="_ftnref5" href="#_ftn5"&gt;&lt;sup&gt;[5]&lt;/sup&gt;&lt;/a&gt;. Based on this analysis, this paper shall list key recommendations to these ISPs to ensure sound privacy policies and practices, with a view to having a balanced framework and ecosystem in light of key privacy considerations, especially in the context of public Wi-Fi.&lt;/p&gt;
&lt;h2 id="2"&gt;2. Global Scenario&lt;/h2&gt;
&lt;p style="text-align: justify;"&gt;Security and privacy concerns around the use of free and public Wi-Fi have been raised in India&lt;a name="_ftnref6" href="#_ftn6"&gt;&lt;sup&gt;[6]&lt;/sup&gt;&lt;/a&gt; as well as across the globe. In various cities like Bangalore, Delhi, Hyderabad, New York, London, Paris, etc., privacy experts have raised concerns over the public Wi-Fi systems at metro stations, malls, payphones and other such public places.&lt;a name="_ftnref7" href="#_ftn7"&gt;&lt;sup&gt;[7]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;For many years, New York City has been in the process of developing a “free” public Wi-Fi project called LinkNYC&lt;a name="_ftnref8" href="#_ftn8"&gt;&lt;sup&gt;[8]&lt;/sup&gt;&lt;/a&gt; to bring wireless Internet access to the residents of the city. However, privacy concerns have been raised by the users and privacy advocates like the New York Civil Liberties Union, where the latter also issued a letter to the Mayor's office regarding this&lt;a name="_ftnref9" href="#_ftn9"&gt;&lt;sup&gt;[9]&lt;/sup&gt;&lt;/a&gt; as the collection of potentially sensitive personal, locational and behavioral data, without adequate safeguards could result in sharing of such data without the data subject’s consent or knowledge. For example, one of the concerns raised has been regarding retention of users' data by CityBridge, the company behind the LinkNYC kiosks, often indefinitely, for building a massive database which carries a risk of security breaches and unwarranted surveillance by the police.&lt;a name="_ftnref10" href="#_ftn10"&gt;&lt;sup&gt;[10]&lt;/sup&gt;&lt;/a&gt; Also, users are concerned that their internet browsing history may reveal sensitive information about their political views, religious affiliations or medical issues&lt;a name="_ftnref11" href="#_ftn11"&gt;&lt;sup&gt;[11]&lt;/sup&gt;&lt;/a&gt;, since registration is required to use LinkNYC by submitting their email addresses and by agreeing to allow CityBridge to collect information about the websites they visit, the duration for which they linger on certain information on a webpage and the links they click on. On the contrary, the privacy policy of CityBridge states that this massive amount of personally identifiable user information would be cleared only if there have been 12 months of user inactivity, raising an alarm in light of privacy concerns.&lt;a name="_ftnref12" href="#_ftn12"&gt;&lt;sup&gt;[12]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;In the year 2015, the Information Commissioner’s Office (ICO) conducted a review of public Wi-Fi services on a UK high street, where it was found that the Wi-Fi networks requested varying levels of personal data, which was also processed for marketing purposes. The results highlighted that while some networks did not request any personal data, others asked for varying amounts, including information regarding name, postal and email address, mobile number, gender, as well as asking for a date of birth as a mandatory requirement (except for gender). During the sign-up process, though some Wi-Fi networks provided users with the choice to opt-in or opt-out for receiving electronic newsletters and updates, others offered no choice at all.&lt;a name="_ftnref13" href="#_ftn13"&gt;&lt;sup&gt;[13]&lt;/sup&gt;&lt;/a&gt; As a result of the review process, the ICO notified Wi-Fi network providers that it had reviewed and advised them of improvements that they could make to their service and issued guidance&lt;a name="_ftnref14" href="#_ftn14"&gt;&lt;sup&gt;[14]&lt;/sup&gt;&lt;/a&gt; regarding the dangers of using public Wi-Fi&lt;a name="_ftnref15" href="#_ftn15"&gt;&lt;sup&gt;[15]&lt;/sup&gt;&lt;/a&gt;. The ICO also recommended that users take time to read all the information given by providers of Wi-Fi services before connecting.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;In 2006, the European Data Retention Directive 2006/24/EC&lt;a name="_ftnref16" href="#_ftn16"&gt;&lt;sup&gt;[16]&lt;/sup&gt;&lt;/a&gt; was introduced for the retention of communications data by providers of public electronic communications services for national security. The Directive provides an obligation for providers of publicly available electronic communications services and public communications networks to retain traffic and location data for the purpose of the investigation, detection, and prosecution of serious crime.&lt;a name="_ftnref17" href="#_ftn17"&gt;&lt;sup&gt;[17]&lt;/sup&gt;&lt;/a&gt; Also, the Data Retention (EC Directive) Regulations 2009&lt;a name="_ftnref18" href="#_ftn18"&gt;&lt;sup&gt;[18]&lt;/sup&gt;&lt;/a&gt; were introduced to implement the Directive in the UK. However, this was challenged on grounds of insufficient safeguards for the privacy rights of individuals, given the substantial interference which it facilitated with those rights.&lt;a name="_ftnref19" href="#_ftn19"&gt;&lt;sup&gt;[19]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;To ensure protection of users’ data and information, the Data Protection Act 1998&lt;a name="_ftnref20" href="#_ftn20"&gt;&lt;sup&gt;[20]&lt;/sup&gt;&lt;/a&gt; in the UK obliges businesses retaining people’s data to comply with the law, which involves informing people about what data is being collected and ensuring that the data is stored securely.&lt;a name="_ftnref21" href="#_ftn21"&gt;&lt;sup&gt;[21]&lt;/sup&gt;&lt;/a&gt; Therefore, in the case of ISPs providing public Wi-Fi service, this would relate to the information people provide when they log on, such as their email address. Under the Act, the data protection principles must be complied with by the data controllers and it needs to be ensured that the information is used fairly and lawfully, for limited and stated purposes, used in a way that is adequate, relevant and not excessive, kept for no longer than is absolutely necessary, handled according to people’s data protection rights, kept safe and secure and not transferred outside the European Economic Area without adequate protection.&lt;a name="_ftnref22" href="#_ftn22"&gt;&lt;sup&gt;[22]&lt;/sup&gt;&lt;/a&gt; This would soon be updated and synced with the European Union’s General Data Protection Directive (GDPR).&lt;/p&gt;
&lt;h2 id="3"&gt;3. Overview of Public Wi-Fi in India&lt;/h2&gt;
&lt;p style="text-align: justify;"&gt;In India, public Wi-Fi has in some cases been offered free for a limited duration, in several cities across the country. For example, in 2014, Bangalore became the first city in the country to establish free public Wi-Fi, Namma Wi-Fi (802.11N), to make Bangalore a smart and connected city. The service is offered at MG Road, Brigade Road and four other locations in Bangalore including Traffic and Transit Management Centres (TTMCs) at Shanthinagar, Yeshwanthpur, Koramangala and CMH Road in Indiranagar.&lt;a name="_ftnref23" href="#_ftn23"&gt;&lt;sup&gt;[23]&lt;/sup&gt;&lt;/a&gt; The internet and Wi-Fi service provider for Namma Wi-Fi is D-VoiS Broadband Ltd, a city-based firm.&lt;a name="_ftnref24" href="#_ftn24"&gt;&lt;sup&gt;[24]&lt;/sup&gt;&lt;/a&gt; However, it seems the State Government plans to pull the plug on the project, citing funds, lack of awareness and difficulty in access as key constraints.&lt;a name="_ftnref25" href="#_ftn25"&gt;&lt;sup&gt;[25]&lt;/sup&gt;&lt;/a&gt; Tata Docomo has inked an agreement with GMR Airports to offer Wi-Fi services at several International Airports in the country, including the Bangalore International Airport. It offers access to free Wi-Fi service for 45 minutes, following which users are required to pay for the service online to continue using the Wi-Fi service.&lt;a name="_ftnref26" href="#_ftn26"&gt;&lt;sup&gt;[26]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Delhi has also introduced free Wi-Fi at its premier shopping hubs of Connaught Place and Khan Market in the year 2014, and BSNL launched a free WiFi service at Karnataka’s Malpe beach in the year 2016, making it the first WiFi beach in the three coastal districts of the state.&lt;a name="_ftnref27" href="#_ftn27"&gt;&lt;sup&gt;[27]&lt;/sup&gt;&lt;/a&gt; The State Governments of Mumbai, Kolkata, Patna and Ahmedabad also offer free Wi-Fi services in limited areas.&lt;a name="_ftnref28" href="#_ftn28"&gt;&lt;sup&gt;[28]&lt;/sup&gt;&lt;/a&gt; As part of Digital India, the flagship programme of the Indian Government, the Government announced the rollout of Wi-Fi services by June 2015 at select public places in 25 Indian cities with population of over 10 lakh and tourist destinations by December 2015.&lt;a name="_ftnref29" href="#_ftn29"&gt;&lt;sup&gt;[29]&lt;/sup&gt;&lt;/a&gt; Also, the Government has plans to digitise India by rolling out free Wi-Fi in 2500 towns and cities over a span of 3 years.&lt;a name="_ftnref30" href="#_ftn30"&gt;&lt;sup&gt;[30]&lt;/sup&gt;&lt;/a&gt; Google plans to deploy WiFi at 100 railway stations in partnership with Railtel. Under this scheme, Mumbai Central was the first station to get free Wi-Fi in the year 2016.&lt;a name="_ftnref31" href="#_ftn31"&gt;&lt;sup&gt;[31]&lt;/sup&gt;&lt;/a&gt; Also, Google's Project Loon aims to provide internet connectivity in remote and rural areas in India, which is currently being tested in other countries.&lt;a name="_ftnref32" href="#_ftn32"&gt;&lt;sup&gt;[32]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2 id="4"&gt;4. Indian Policy and Legal Conundrum&lt;/h2&gt;
&lt;p style="text-align: justify;"&gt;In light of national security concerns around the misuse of public Wi-Fi, the Department of Telecommunication, GoI, published a regulation&lt;a name="_ftnref33" href="#_ftn33"&gt;&lt;sup&gt;[33]&lt;/sup&gt;&lt;/a&gt; dated February 2009, defining procedures for the establishment and use of public Wi-Fi to prevent misuse of public Wi-Fi and to be able to track the perpetrator in case of abuse. Indeed, the DOT has stated that “Insecure Wi-Fi networks are capable of being misused without any trail of user at later date”.&lt;a name="_ftnref34" href="#_ftn34"&gt;&lt;sup&gt;[34]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;As per the 2009 Regulations, DoT has instructed ISPs to enforce centralized authentication using Login ID and Password for each user to ensure that the identity of the user can be traced.&lt;a name="_ftnref35" href="#_ftn35"&gt;&lt;sup&gt;[35]&lt;/sup&gt;&lt;/a&gt; Regarding Wi-Fi services provided at public places, the Regulations state that bulk login IDs shall be created for controlled distribution, with authentication done at a centralized server. The subscribers are required to use public Wi-Fi by registering with temporary user ID and password, in the following methods:&lt;/p&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;Obtaining copy of photo identity of the subscriber, to be maintained by Licensee for one year; or&lt;/li&gt;
&lt;li&gt;Providing details of user ID and password via SMS on the subscriber's mobile phone, with the mobile number kept for one year to serve as his/her identity.&lt;/li&gt;&lt;/ul&gt;
&lt;p style="text-align: justify;"&gt;Additionally, the data protection regime in India is governed by section 43A of the Information Technology Act, 2000 and the Rules&lt;a name="_ftnref36" href="#_ftn36"&gt;&lt;sup&gt;[36]&lt;/sup&gt;&lt;/a&gt; notified under it. It obliges corporate bodies which possess, deal with or handle any sensitive personal data to implement and maintain reasonable security practices, failing which they would be held liable to compensate those affected by any negligence attributable to this failure. The said Rules also define requirements and safeguards that every Body Corporate is legally required to incorporate into the company's privacy policy. The Rules put restrictions on body corporates on collecting sensitive personal information, and also state that they must obtain prior consent from the “provider of information” regarding “purpose, means and modes of use of the information”, along with limiting disclosure of such information.&lt;a name="_ftnref37" href="#_ftn37"&gt;&lt;sup&gt;[37]&lt;/sup&gt;&lt;/a&gt; Most of the ISPs in India, being private companies like D-VoiS and Tata Docomo, are obliged to comply with these provisions. Also, the model License Agreement for Unified License&lt;a name="_ftnref38" href="#_ftn38"&gt;&lt;sup&gt;[38]&lt;/sup&gt;&lt;/a&gt; by the Ministry of Communication &amp;amp; IT, Department of Telecommunications, Government of India, under which the Unified Access License Framework allows for a single license for multiple services such as telecom, the internet and television, provides certain security guidelines: privacy of communications is to be maintained by the Licensee (the ISPs in this case), and network security practices and audits are mandated along with penalties for contravention in addition to what is prescribed under the Information Technology Act, 2000. It also provides for ensuring that unauthorized interception of messages does not take place.
Therefore, the ISPs providing public Wi-Fi services in various cities across India would be governed by the data protection regime and could be held liable under these provisions in case of non-compliance with the security measures so stated.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;In July 2016, the Telecom Regulatory Authority of India (hereinafter referred as “TRAI”) floated a Consultation paper on Proliferation of Broadband through Public Wi-Fi Networks&lt;a name="_ftnref39" href="#_ftn39"&gt;&lt;sup&gt;[39]&lt;/sup&gt;&lt;/a&gt; with an objective to examine the need of encouraging public Wi-Fi networks in the country from a public policy point of view and discuss the issues as well as solutions in its proliferation.&amp;nbsp; The paper recognises the fact that India is still in a green field deployment phase in terms of adoption of public Wi-Fi services and requires solutions for resolving the challenges and risks&amp;nbsp; being faced in the process and lay a strong foundation to evolve towards a meaningful position in the advancement of initiatives related to Internet of Things, Smart Cities, etc.&lt;a name="_ftnref40" href="#_ftn40"&gt;&lt;sup&gt;[40]&lt;/sup&gt;&lt;/a&gt; This is an important step towards fulfilment of the Digital India scheme of the Indian Government to ensure better connectivity. In the paper, TRAI has advocated development of a payment platform which allows easy access to Wi-Fi services across internet service providers (ISPs) and through any payment instrument.&lt;a name="_ftnref41" href="#_ftn41"&gt;&lt;sup&gt;[41]&lt;/sup&gt;&lt;/a&gt; Besides that, the paper raises issues of various regulatory, licensing or policy measures required to encourage ubiquitous city-wide Wi-Fi networks as well as expansion of Wi-Fi networks in remote or rural areas, along with the issue of encouraging interoperability between the Wi-Fi networks of different service providers, both within the country and internationally, as well as between cellular and Wi-Fi networks.&lt;a name="_ftnref42" href="#_ftn42"&gt;&lt;sup&gt;[42]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2 id="5"&gt;5. Public Wi-Fi and Privacy Concerns&lt;/h2&gt;
&lt;p style="text-align: justify;"&gt;Since proliferation of public Wi-Fi in India is happening at a moderate pace, the paper discusses key issues towards this, one of them being the logistics of deploying this service. This section briefly states and acknowledges privacy and security concerns as an important factor that may be posing issues in the adoption of public Wi-Fi services in the country. Since there have been numerous cases of security vulnerabilities in public Wi-Fi networks worldwide, security of networks and cyber crimes is a key issue for consideration.&lt;a name="_ftnref43" href="#_ftn43"&gt;&lt;sup&gt;[43]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Deployment of public wireless access points has made it more convenient for people to access the Internet outside of their offices or homes. Despite advantages like ease of accessibility, connectivity and convenience, public Wi-Fi connections pose serious concerns as well. “The proliferation of public Wi-Fi is one of the biggest threats to consumer data”, says David Kennedy, founder of TrustedSec, a specialised information security consulting company based in the United States of America.&lt;a name="_ftnref44" href="#_ftn44"&gt;&lt;sup&gt;[44]&lt;/sup&gt;&lt;/a&gt; The networks also become an easier target when there is little public awareness of such threats and users expose valuable personal data over Wi-Fi hotspots. The recently released Norton Cyber Security Report 2016&lt;a name="_ftnref45" href="#_ftn45"&gt;&lt;sup&gt;[45]&lt;/sup&gt;&lt;/a&gt; shows how the benefit of constant connectivity is often outweighed by consumer complacency, leaving consumers and their Wi-Fi networks at risk. For the purpose of this report, Norton surveyed 20,000 people (over 1,000 from India); the results reflect that though users in India may be increasingly aware of the cyber threats they face due to use of public Wi-Fi, they don’t fully understand the accompanying risks and their online behaviour is often contradictory.&lt;a name="_ftnref46" href="#_ftn46"&gt;&lt;sup&gt;[46]&lt;/sup&gt;&lt;/a&gt; Also, it is important to consider that services which claim to be free actually generate revenue from advertisements: the model works by providing free access to the internet in exchange for users’ personal and behavioral data, which is subsequently used to target ads to them.&lt;a name="_ftnref47" href="#_ftn47"&gt;&lt;sup&gt;[47]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Some of the privacy harms stemming from use of public Wi-Fi are listed below.&lt;/p&gt;
&lt;h3 id="51"&gt;&lt;strong&gt;5.1. Data Theft&lt;/strong&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;With hackers finding it easy to access personal information of the data subjects, data can be hijacked through unauthorized internet access by spoofing the MAC and IP addresses of the authenticated user’s device or by use of default settings (saved passwords or IPs).&lt;a name="_ftnref48" href="#_ftn48"&gt;&lt;sup&gt;[48]&lt;/sup&gt;&lt;/a&gt; The following kinds of data are at risk of being stolen and further misused:&lt;/p&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;demographic and locational data&lt;a name="_ftnref49" href="#_ftn49"&gt;&lt;sup&gt;[49]&lt;/sup&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;forms of personal information acting as identifiers like financial information, social and personal information&lt;a name="_ftnref50" href="#_ftn50"&gt;&lt;sup&gt;[50]&lt;/sup&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;private information like passwords to social networking sites, email accounts and banking websites&lt;a name="_ftnref51" href="#_ftn51"&gt;&lt;sup&gt;[51]&lt;/sup&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;historical data from the devices&lt;a name="_ftnref52" href="#_ftn52"&gt;&lt;sup&gt;[52]&lt;/sup&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;h3 id="52"&gt;&lt;strong&gt;5.2. Tracking an Individual&lt;/strong&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;Like cell phones, Wi-Fi devices have unique identifiers that can be used for tracking purposes which can cause potential security issues. Tracking by using a Wi-Fi hotspot can also lead to third party harms like stalking.&lt;a name="_ftnref53" href="#_ftn53"&gt;&lt;sup&gt;[53]&lt;/sup&gt;&lt;/a&gt; To receive or use a service, often websites require the user to share their personal information such as name, age, ZIP code, or personal preferences, which is many times shared with advertisers and other third parties, without the knowledge or consent of the users.&lt;a name="_ftnref54" href="#_ftn54"&gt;&lt;sup&gt;[54]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h3 id="53"&gt;&lt;strong&gt;5.3. Makes the Electronic Devices Prone to Hacking and Setting up Fake Networks&lt;/strong&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;A recent experiment conducted by the chief scientist at mobile security firm Appknox at the Bengaluru International Airport, India, found that wireless devices could be easily hacked over the airport’s free Wi-Fi network due to the easily exploitable security holes in the software made by Apple, Google, and Microsoft.&lt;a name="_ftnref55" href="#_ftn55"&gt;&lt;sup&gt;[55]&lt;/sup&gt;&lt;/a&gt; A similar experiment was backed by the European law enforcement agency, Europol, where a mobile hotspot was created in central London&lt;a name="_ftnref56" href="#_ftn56"&gt;&lt;sup&gt;[56]&lt;/sup&gt;&lt;/a&gt; and the hacker was able to gain access to passwords, apps, and even credit card and banking information with ease.&lt;a name="_ftnref57" href="#_ftn57"&gt;&lt;sup&gt;[57]&lt;/sup&gt;&lt;/a&gt; Lack of secure software and the prevalence of open, unprotected Wi-Fi have made it fairly easy for hackers to set up fake twin access points that give them access to data histories and personal information.&lt;a name="_ftnref58" href="#_ftn58"&gt;&lt;sup&gt;[58]&lt;/sup&gt;&lt;/a&gt; This makes it easy to track data histories of users. Even if certain software uses encryption, simple decryption software can be used to obtain the information.&lt;a name="_ftnref59" href="#_ftn59"&gt;&lt;sup&gt;[59]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h3 id="54"&gt;&lt;strong&gt;5.4. Illegal Use of Data&lt;/strong&gt;&lt;/h3&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;&lt;strong&gt;By authorities:&lt;/strong&gt; the authorities have easier access to people’s browsing details and habits, and with justification in the name of national security, could be used to monitor the people without their consent.&lt;a name="_ftnref60" href="#_ftn60"&gt;&lt;sup&gt;[60]&lt;/sup&gt;&lt;/a&gt;&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Wi-Fi provider:&lt;/strong&gt; can sell the user’s demographic and location information. &lt;a name="_ftnref61" href="#_ftn61"&gt;&lt;sup&gt;[61]&lt;/sup&gt;&lt;/a&gt; Also, it was revealed in a study that the personal information of users is often transmitted by service providers without encryption. Anyone along the path between the user and the service’s data center can then intercept this information, opening users to grave privacy and security risks.&lt;a name="_ftnref62" href="#_ftn62"&gt;&lt;sup&gt;[62]&lt;/sup&gt;&lt;/a&gt;&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;By hackers:&lt;/strong&gt; steal information and hack into unsuspecting victim’s bank accounts and misuse corporate financial information and secrets&lt;a name="_ftnref63" href="#_ftn63"&gt;&lt;sup&gt;[63]&lt;/sup&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;h2 id="6"&gt;6. Ranking Digital Rights Project&lt;/h2&gt;
&lt;p style="text-align: justify;"&gt;The "Ranking Digital Rights" project, an ongoing international non-profit research initiative,&amp;nbsp; aims to promote greater respect for freedom of expression and privacy by focusing on the policies and practices of companies in the information communications technology (ICT) sector&lt;a name="_ftnref64" href="#_ftn64"&gt;&lt;sup&gt;[64]&lt;/sup&gt;&lt;/a&gt;, rank such companies in this light, and undertake research to develop the ranking methodology.&lt;a name="_ftnref65" href="#_ftn65"&gt;&lt;sup&gt;[65]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;In November 2015, the Ranking Digital Rights project launched the Corporate Accountability Index. Since several actors like the Internet and telecommunications companies, software producers, and device and networking equipment manufacturers exert growing influence over the political and civil lives of people all over the world, it is important to state that these organisations&amp;nbsp; share a responsibility to respect human rights. For this purpose, 16 Internet and telecommunications companies were evaluated according to 31 indicators, which focused on corporate disclosure of policies and practices that affect users’ freedom of expression and privacy.&lt;a name="_ftnref66" href="#_ftn66"&gt;&lt;sup&gt;[66]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;The data produced by the index can help companies improve their policies and practices and identify the challenges they face in meeting their corporate obligations to respect human rights like Freedom of Expression and Privacy in the digital space.&lt;a name="_ftnref67" href="#_ftn67"&gt;&lt;sup&gt;[67]&lt;/sup&gt;&lt;/a&gt; Some of the key corporate practices which affect these rights are:&lt;/p&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;How companies handle government requests to hand over user data or restrict content;&lt;/li&gt;
&lt;li&gt;How companies enforce their own terms of service;&lt;/li&gt;
&lt;li&gt;What information companies collect about users and how long they retain it; and&lt;/li&gt;
&lt;li&gt;To whom they share or sell user information.&lt;a name="_ftnref68" href="#_ftn68"&gt;&lt;sup&gt;[68]&lt;/sup&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p style="text-align: justify;"&gt;The 2015 Corporate Accountability Index assesses transparency levels of the World’s most powerful Internet and telecommunications companies regarding their commitments, policies and practices that affect users’ freedom of expression and privacy and evaluates what companies share about these practices and offers recommendations for improvement. The methodology adopted relies on publicly available information so that advocates, researchers, journalists, policy makers, investors, and users can understand the extent to which different companies respect freedom of expression and privacy, and make appropriate policy, investment, and advocacy decisions. Also, public disclosures would enable researchers and journalists to investigate and verify the accuracy of company statements.&lt;a name="_ftnref69" href="#_ftn69"&gt;&lt;sup&gt;[69]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;For the purpose of this research, we apply this index and the indicators to the internet service providers of public Wi-Fi in Bangalore, D-VoiS Ltd. and Tata Docomo, to understand how comprehensive their privacy policies are when compared to global standards and to make informed recommendations. Analysing policies against the index can help these companies identify best practices, as well as the obstacles they face in meeting their corporate obligations to respect human rights in the very digital spheres they helped to create.&lt;a name="_ftnref70" href="#_ftn70"&gt;&lt;sup&gt;[70]&lt;/sup&gt;&lt;/a&gt; The information has been gathered and analysed on the basis of publicly available information, and this can help companies empower users to make informed decisions about how they use technology, which would help build trust between users and companies in the long run.&lt;a name="_ftnref71" href="#_ftn71"&gt;&lt;sup&gt;[71]&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h3 id="61"&gt;&lt;strong&gt;6.1. D-VoIS&lt;a name="_ftnref72" href="#_ftn72"&gt;&lt;sup&gt;[72]&lt;/sup&gt;&lt;/a&gt;, Bangalore&lt;/strong&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;For the purpose of this case study, the Privacy Policies of D-VoIS have been analysed on the basis of the Corporate Accountability index, and the answers can be accessed in &lt;a class="external-link" href="http://cis-india.org/internet-governance/files/ranking-digital-rights-2015-annexure-1.pdf"&gt;Annex 1&lt;/a&gt;.&lt;/p&gt;
&lt;h4&gt;Summary&lt;/h4&gt;
&lt;p style="text-align: justify;"&gt;On the basis of the indicators and the information available, it can be ascertained that:&lt;/p&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;The Company has a freely available and understandable Privacy Policy and Terms of Use, though only in the English language.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;The company does not commit to notify users in case of changes in the privacy policy of the company.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;The company states circumstances in which it would restrict use of its services, along with reasons for content restriction.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;The Company commits to the principle of data minimization, discloses circumstances when it shares information with third parties, and provides users with options to control the company’s collection and sharing of their information&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;Deploys industry standards for security of products and services.&lt;/li&gt;&lt;/ul&gt;
&lt;h4&gt;Analysis&lt;/h4&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;&lt;strong&gt;Commitment:&lt;/strong&gt; D-VoIS fares low on Commitment since it has made no overarching public commitments to protect users’ freedom of expression or privacy in a manner that meets the Index’s criteria. The Company lacks adequate top-level policy commitments to users’ freedom of expression and privacy, establishing executive and management oversight over these issues, creating a process for human rights impact assessment, and lacks stakeholder engagement and a grievance mechanism.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Freedom of Expression:&lt;/strong&gt; The Company also fares low on Freedom of Expression as the terms of service, though easily available, are only in the English language. Also, it does not commit to notify users about changes to the terms of service. While the company discloses what content and activities it prohibits, it provides no information about how the company notifies these restrictions to the users.&lt;br /&gt;&lt;br /&gt;
Regarding transparency about content restriction requests, although Indian law prevents the company from disclosing government requests for content removal&lt;a name="_ftnref73" href="#_ftn73"&gt;&lt;sup&gt;[73]&lt;/sup&gt;&lt;/a&gt;, it does not prevent the company from publishing more information about private requests for content restriction. D-VoIS does not provide any information with respect to this.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Privacy:&lt;/strong&gt; D-VoIS is required by law to have a privacy policy available on its website; this policy is available in English, but not in other languages spoken in India. Also, D-VoIS does not disclose what user information is collected, how and why, nor does it offer users meaningful access to their information. D-VoIS does not disclose any information regarding retention of user information, and the company could improve its disclosures about what user information it collects and how long it is retained.&lt;br /&gt;&lt;br /&gt;
Though the company discloses information about its security practices, it does not disclose any information regarding its efforts to educate users about security threats. It also does not disclose information regarding requests by non-governmental entities for user data.&lt;/li&gt;&lt;/ul&gt;
&lt;h3 id="62"&gt;&lt;strong&gt;6.2. Tata Docomo&lt;a name="_ftnref74" href="#_ftn74"&gt;&lt;sup&gt;[74]&lt;/sup&gt;&lt;/a&gt;, Bangalore&lt;/strong&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;The Privacy Policy and Terms &amp;amp; Conditions of Tata Docomo have been analysed on the basis of the Corporate Accountability index, and the answers can be accessed in &lt;a class="external-link" href="http://cis-india.org/internet-governance/files/ranking-digital-rights-2015-annexure-2.pdf"&gt;Annex 2&lt;/a&gt;.&lt;/p&gt;
&lt;h4&gt;Summary&lt;/h4&gt;
&lt;p style="text-align: justify;"&gt;On the basis of the indicators and the information available, it can be ascertained that:&lt;/p&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;The Company has a freely available and understandable Data Privacy Policy and Terms of Use, though only in English language.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;The Company has established electronic and administrative safeguards designed to secure the information collected to prevent unauthorized access to or disclosure of that information and to ensure it is used appropriately.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;The company states circumstances in which it would restrict use of its services, along with reasons for content restriction. The company’s disclosed policies and practices demonstrate how it works to avoid contributing to actions that may interfere with the&amp;nbsp; right to freedom of expression, except where such actions are lawful, proportionate and for a justifiable purpose.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;The Company clearly states the kind of information collected, ways of collection and the reasons for collection as well as sharing.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;Deploys industry standards for security of products and services&lt;/li&gt;&lt;/ul&gt;
&lt;h4&gt;Analysis&lt;/h4&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;&lt;strong&gt;Commitment:&lt;/strong&gt; Tata Docomo fares low on Commitment since it has made no overarching public commitments to protect users’ freedom of expression or privacy in a manner that meets the Index’s criteria. Though the Company has established electronic and administrative safeguards designed to secure the information collected, it lacks adequate top-level policy commitments to users’ freedom of expression and privacy, establishing executive and management oversight over these issues, creating a process for human rights impact assessment, and lacks stakeholder engagement.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Freedom of Expression:&lt;/strong&gt; The Company fares low on Freedom of Expression as the terms of service, though easily available, are only in the English language. Also, it does not commit to notify users about changes to the terms of service. While the company discloses what content and activities it prohibits, it provides no information about how the company notifies these restrictions to the users.&lt;br /&gt;&lt;br /&gt;
Regarding transparency about content restriction requests, although Indian law prevents the company from disclosing government requests for content removal, it does not prevent the company from publishing more information about private requests for content restriction. Tata Docomo does not provide any information with respect to that.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Privacy:&lt;/strong&gt; Tata Docomo is required by law to have a privacy policy available on its website; this policy is available in English, but not in other languages spoken in India. No information is publicly available regarding users' options to control the company's collection of information. Tata Docomo discloses that user information shall be retained as long as required and does not mention a specific duration for the same. Though the company discloses information about its security practices, it does not disclose any information regarding its efforts to educate users about security threats. It also does not disclose information regarding requests by non-governmental entities for user data.&lt;/li&gt;&lt;/ul&gt;
&lt;h2 id="7"&gt;7. Compliance of Privacy Policies with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011&lt;/h2&gt;
&lt;p style="text-align: justify;"&gt;The Privacy Policy and Terms &amp;amp; Conditions of D-VoIS and Tata Docomo have been analysed on the basis of the security measures and procedures stated under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 to ascertain how sound and compliant the framework is with the existing data protection regime in India. The comparison can be accessed in &lt;a class="external-link" href="http://cis-india.org/internet-governance/files/it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011.pdf"&gt;Annex 3&lt;/a&gt;.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Comparing the requirements listed under the Rules with the policies of both the companies, it can be said that though the websites of both companies provide privacy policies and are easily accessible, they lack crucial information regarding consent of the user before collection as well as sharing of information. Also, though the policies state the purpose of sharing such data with third parties, they do not state the purpose of collection of the information. The policies are also silent regarding the requirements to be complied with before transferring personal data into another jurisdiction. There is also no information about the companies having a grievance officer. Additionally, though the terms of service of D-VoIS state that the customer may choose to restrict the collection or use of their personal information, neither company specifically provides an opt-out mechanism to its users.&lt;/p&gt;
&lt;h2 id="8"&gt;8. Conclusion and Recommendations&lt;/h2&gt;
&lt;p style="text-align: justify;"&gt;To allay the numerous concerns regarding privacy and security with respect to public Wi-Fi, the ISPs must have a sound Privacy Policy in place. For this purpose, adherence to the indicators listed under the Corporate Accountability Index, along with the requirements for security of personal information stated under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, and improving the policies accordingly shall greatly contribute to protection of Freedom of Expression and ensure Privacy of user information. Ensuring compliance with the existing data protection regime in the country becomes more important in light of the growing privacy and security concerns due to proliferation of free and public Wi-Fi service in India. Adequate measures like acquiring consent for collection and sharing of user data, commitment by company executives to ensure protection of rights of individuals, adoption of security standards, creating awareness about security concerns, etc. by such corporates must be considered to ensure protection of personal information and reduce the likelihood of a data breach. Both D-VoIS and Tata Docomo must consider the following recommendations in order to meet the criteria set by the Ranking Digital Rights project, ensuring commitment towards protection of the right to freedom of expression and privacy of the users.&lt;/p&gt;
&lt;h3 id="81"&gt;&lt;strong&gt;8.1. Commitment&lt;/strong&gt;&lt;/h3&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;Set in place an oversight mechanism to monitor how the company’s policies and practices affect freedom of expression and privacy. In case the Company already has that in place, information regarding the same must be made publicly available for greater transparency.&lt;/li&gt;
&lt;li&gt;Also, they must conduct regular, comprehensive, and credible due diligence, such as human rights impact assessments, to identify how all aspects of their business impact freedom of expression and privacy.&lt;/li&gt;
&lt;li&gt;In addition to that, they must provide for a remedy or grievance mechanism. The Telecom Regulatory Authority of India also requires that all service providers have redress mechanisms. In case the Company already has that in place, information regarding the same must be made publicly available for greater transparency.&lt;/li&gt;&lt;/ul&gt;
&lt;h3 id="82"&gt;&lt;strong&gt;8.2. Freedom of Expression&lt;/strong&gt;&lt;/h3&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;The Companies must make an effort to make the Terms of Service available in the most commonly spoken languages by its users, besides English.&lt;/li&gt;
&lt;li&gt;Also, it is recommended that the Companies must ensure to provide meaningful notice to users regarding change in terms of service.&lt;/li&gt;
&lt;li&gt;Besides disclosing what content and activities the companies prohibit, they must disclose information regarding how it enforces these prohibitions and should provide examples regarding the circumstances under which it may suspend service to individuals or areas to help users understand such policies.&lt;/li&gt;
&lt;li&gt;The Companies must also disclose information regarding the process for evaluating and responding to requests from third parties to restrict content or service. Additionally, it must disclose how long it retains user information, publish process for evaluating and responding to requests from government and other third parties for stored user data and/or real-time communications.&lt;/li&gt;&lt;/ul&gt;
&lt;h3 id="83"&gt;&lt;strong&gt;8.3. Privacy&lt;/strong&gt;&lt;/h3&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;Though both the Companies disclose that the user information shall be shared with third parties, and Tata Docomo discloses what information is collected and how, yet there should be no legal impediment for the companies to improve its disclosures about what user information it collects, with whom it is shared, and how long it is retained to protect the privacy of the users.&lt;/li&gt;
&lt;li&gt;Though Tata Docomo allows the users to review and correct their Personal Information collected by the Company, D-VoIS must release information regarding whether the users are able to view, download or otherwise obtain all of the information about them that the company holds. In case it does not allow, the Company must duly change its policy regarding the same.&lt;/li&gt;
&lt;li&gt;The Companies must also publish information to help users defend against cyber threats.&lt;/li&gt;&lt;/ul&gt;
&lt;hr style="text-align: justify;" /&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn1" href="#_ftnref1"&gt;&lt;sup&gt;[1]&lt;/sup&gt;&lt;/a&gt; The Financial Express, ‘Free wi-fi: Digital Dilemma’, February 22, 2015,&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a href="http://www.financialexpress.com/article/economy/free-Wi-Fi-digital-dilemma/45804/"&gt;http://www.financialexpress.com/article/economy/free-Wi-Fi-digital-dilemma/45804/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn2" href="#_ftnref2"&gt;&lt;sup&gt;[2]&lt;/sup&gt;&lt;/a&gt; Tata Docomo, http://www.tatadocomo.com/&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn3" href="#_ftnref3"&gt;&lt;sup&gt;[3]&lt;/sup&gt;&lt;/a&gt; D-VoIS Communication Pvt. Ltd. &lt;a href="http://www.dvois.com/"&gt;http://www.dvois.com/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn4" href="#_ftnref4"&gt;&lt;sup&gt;[4]&lt;/sup&gt;&lt;/a&gt; Ranking Digital Rights, https://rankingdigitalrights.org/&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn5" href="#_ftnref5"&gt;&lt;sup&gt;[5]&lt;/sup&gt;&lt;/a&gt; the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Available at : &lt;a href="http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf"&gt;http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn6" href="#_ftnref6"&gt;&lt;sup&gt;[6]&lt;/sup&gt;&lt;/a&gt; See : &lt;a href="http://indianexpress.com/article/technology/technology-others/public-wifi-can-be-used-to-steal-private-information-it-security-expert/"&gt;http://indianexpress.com/article/technology/technology-others/public-wifi-can-be-used-to-steal-private-information-it-security-expert/&lt;/a&gt;, &lt;a href="http://www.aljazeera.com/indepth/features/2016/03/india-unlocking-public-wi-fi-hotspots-160308072320835.html"&gt;http://www.aljazeera.com/indepth/features/2016/03/india-unlocking-public-wi-fi-hotspots-160308072320835.html&lt;/a&gt; , &lt;a href="http://www.business-standard.com/article/technology/indians-most-willing-to-share-personal-data-over-public-wifi-116083000673_1.html"&gt;http://www.business-standard.com/article/technology/indians-most-willing-to-share-personal-data-over-public-wifi-116083000673_1.html&lt;/a&gt; and &lt;a href="http://articles.economictimes.indiatimes.com/2015-05-20/news/62413108_1_corporate-espionage-hotspots-bengaluru-airport"&gt;http://articles.economictimes.indiatimes.com/2015-05-20/news/62413108_1_corporate-espionage-hotspots-bengaluru-airport&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn7" href="#_ftnref7"&gt;&lt;sup&gt;[7]&lt;/sup&gt;&lt;/a&gt; Scroll, ‘Free wifi in Delhi is good news but here is the catch’, November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn8" href="#_ftnref8"&gt;&lt;sup&gt;[8]&lt;/sup&gt;&lt;/a&gt; LinkNYC,&amp;nbsp; https://www.link.nyc/&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn9" href="#_ftnref9"&gt;&lt;sup&gt;[9]&lt;/sup&gt;&lt;/a&gt; See : &lt;a href="http://www.nyclu.org/files/releases/city%20wifi%20letter.pdf"&gt;http://www.nyclu.org/files/releases/city%20wifi%20letter.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn10" href="#_ftnref10"&gt;&lt;sup&gt;[10]&lt;/sup&gt;&lt;/a&gt; The Huffingtonpost, ‘Maybe You Shouldn't Use Public Wi-Fi In New York City’, March 16, 2016, &lt;a href="http://www.huffingtonpost.in/entry/public-wifi-nyc_us_56e96b1ce4b0b25c9183f74a"&gt;http://www.huffingtonpost.in/entry/public-wifi-nyc_us_56e96b1ce4b0b25c9183f74a&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn11" href="#_ftnref11"&gt;&lt;sup&gt;[11]&lt;/sup&gt;&lt;/a&gt; NYCLU, ‘City’s Public Wi-Fi Raises Privacy Concerns’, March 16, 2016,&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a href="http://www.nyclu.org/news/citys-public-wi-fi-raises-privacy-concerns"&gt;http://www.nyclu.org/news/citys-public-wi-fi-raises-privacy-concerns&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn12" href="#_ftnref12"&gt;&lt;sup&gt;[12]&lt;/sup&gt;&lt;/a&gt; NYCLU, ‘City’s Public Wi-Fi Raises Privacy Concerns’, March 16, 2016,&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a href="http://www.nyclu.org/news/citys-public-wi-fi-raises-privacy-concerns"&gt;http://www.nyclu.org/news/citys-public-wi-fi-raises-privacy-concerns&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn13" href="#_ftnref13"&gt;&lt;sup&gt;[13]&lt;/sup&gt;&lt;/a&gt;Information Commissioner’s Office Blog, ‘Be wary of public Wi-Fi’September 25, 2015, &lt;a href="https://iconewsblog.wordpress.com/2015/09/25/be-wary-of-public-Wi-Fi/"&gt;https://iconewsblog.wordpress.com/2015/09/25/be-wary-of-public-Wi-Fi/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn14" href="#_ftnref14"&gt;&lt;sup&gt;[14]&lt;/sup&gt;&lt;/a&gt;Information Commissioner’s Office Blog, ‘Be wary of public Wi-Fi’September 25, 2015, &lt;a href="https://iconewsblog.wordpress.com/2015/09/25/be-wary-of-public-Wi-Fi/"&gt;https://iconewsblog.wordpress.com/2015/09/25/be-wary-of-public-Wi-Fi/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn15" href="#_ftnref15"&gt;&lt;sup&gt;[15]&lt;/sup&gt;&lt;/a&gt;Marketing Law, ‘The ICO sounds a warning on public wi-fi and privacy’, November 24, 2015,&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;http://marketinglaw.osborneclarke.com/data-and-privacy/the-ico-sounds-a-warning-on-public-Wi-Fi-and-privacy/&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn16" href="#_ftnref16"&gt;&lt;sup&gt;[16]&lt;/sup&gt;&lt;/a&gt;Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 &amp;nbsp;&lt;a href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32006L0024"&gt;http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32006L0024&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn17" href="#_ftnref17"&gt;&lt;sup&gt;[17]&lt;/sup&gt;&lt;/a&gt; Feiler, L., "The Legality of the Data Retention Directive in Light of the Fundamental Rights to Privacy and Data Protection", European Journal of Law and Technology, Vol. 1, Issue 3, 2010, &lt;a href="http://ejlt.org/article/view/29/75"&gt;http://ejlt.org/article/view/29/75&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn18" href="#_ftnref18"&gt;&lt;sup&gt;[18]&lt;/sup&gt;&lt;/a&gt; The Data Retention (EC Directive) Regulations 2009 &lt;a href="http://www.legislation.gov.uk/ukdsi/2009/9780111473894/pdfs/ukdsi_9780111473894_en.pdf"&gt;http://www.legislation.gov.uk/ukdsi/2009/9780111473894/pdfs/ukdsi_9780111473894_en.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn19" href="#_ftnref19"&gt;&lt;sup&gt;[19]&lt;/sup&gt;&lt;/a&gt; Purple, ‘Update on the legal implications of offering public WiFi in the UK’, September 10, 2014, &lt;a href="http://purple.ai/update-legal-implications-offering-public-wifi-uk/"&gt;http://purple.ai/update-legal-implications-offering-public-wifi-uk/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn20" href="#_ftnref20"&gt;&lt;sup&gt;[20]&lt;/sup&gt;&lt;/a&gt; Data Protection Act 1998, &lt;a href="http://www.legislation.gov.uk/ukpga/1998/29/contents"&gt;http://www.legislation.gov.uk/ukpga/1998/29/contents&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn21" href="#_ftnref21"&gt;&lt;sup&gt;[21]&lt;/sup&gt;&lt;/a&gt; Wireless Social, &lt;a href="http://www.wireless-social.com/how-it-works/legal-compliance/"&gt;http://www.wireless-social.com/how-it-works/legal-compliance/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn22" href="#_ftnref22"&gt;&lt;sup&gt;[22]&lt;/sup&gt;&lt;/a&gt; Data Protection Act 1998, &lt;a href="https://www.gov.uk/data-protection/the-data-protection-act"&gt;https://www.gov.uk/data-protection/the-data-protection-act&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn23" href="#_ftnref23"&gt;&lt;sup&gt;[23]&lt;/sup&gt;&lt;/a&gt;The Hindu, ‘Free wifi on M.G. Road and Brigade Road from Friday’, January 23, 2014, &lt;a href="http://www.thehindu.com/news/cities/bangalore/free-wifi-on-mg-road-and-brigade-road-from-friday/article5606757.ece"&gt;http://www.thehindu.com/news/cities/bangalore/free-wifi-on-mg-road-and-brigade-road-from-friday/article5606757.ece&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn24" href="#_ftnref24"&gt;&lt;sup&gt;[24]&lt;/sup&gt;&lt;/a&gt;The Telegraph, ‘Free Wi-fi on tech city streets- Bangalore offers five public hotspots’, January 25, 2014, &lt;a href="http://www.telegraphindia.com/1140125/jsp/nation/story_17863705.jsp#.VwIv_Zx97IU"&gt;http://www.telegraphindia.com/1140125/jsp/nation/story_17863705.jsp#.VwIv_Zx97IU&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn25" href="#_ftnref25"&gt;&lt;sup&gt;[25]&lt;/sup&gt;&lt;/a&gt;Economic Times, ‘Karnataka Govt pulls the plug on public Wi-Fi spots in Bengaluru’, March 15, 2016, &lt;a href="http://tech.economictimes.indiatimes.com/news/internet/karnataka-govt-pulls-the-plug-on-public-Wi-Fi-spots-in-bengaluru/51404414"&gt;http://tech.economictimes.indiatimes.com/news/internet/karnataka-govt-pulls-the-plug-on-public-Wi-Fi-spots-in-bengaluru/51404414&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn26" href="#_ftnref26"&gt;&lt;sup&gt;[26]&lt;/sup&gt;&lt;/a&gt; Medianama, ‘Why Don’t Indian Airports Offer Free WiFi To Passengers?’, May 22, 2013, &lt;a href="http://www.medianama.com/2013/05/223-indian-airports-free-wifi/"&gt;http://www.medianama.com/2013/05/223-indian-airports-free-wifi/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn27" href="#_ftnref27"&gt;&lt;sup&gt;[27]&lt;/sup&gt;&lt;/a&gt;Hindustan Times, ‘BSNL launches free public WiFi at Karnataka’s Malpe beach’, January 25, 2016, &lt;a href="http://www.hindustantimes.com/tech/bsnl-launches-free-public-wifi-on-karnataka-s-malpe-beach/story-XVM06KQKIcoyqV8CLJoYzJ.html"&gt;http://www.hindustantimes.com/tech/bsnl-launches-free-public-wifi-on-karnataka-s-malpe-beach/story-XVM06KQKIcoyqV8CLJoYzJ.html&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn28" href="#_ftnref28"&gt;&lt;sup&gt;[28]&lt;/sup&gt;&lt;/a&gt;TechTree, ‘Problems With Free City-Wide Wi-Fi Hotspots In India’, September 28, 2015,&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a href="http://www.techtree.com/content/features/9914/problems-free-city-wide-Wi-Fi-hotspots-india.html#sthash.2ZSf9kq7.dpuf"&gt;http://www.techtree.com/content/features/9914/problems-free-city-wide-Wi-Fi-hotspots-india.html#sthash.2ZSf9kq7.dpuf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn29" href="#_ftnref29"&gt;&lt;sup&gt;[29]&lt;/sup&gt;&lt;/a&gt;India Today, ‘25 Indian cities to get free public Wi-Fi by June 2015’, December 17, 2014, &lt;a href="http://indiatoday.intoday.in/technology/story/25-indian-cities-to-get-free-public-Wi-Fi-by-june-2015/1/407214.html"&gt;http://indiatoday.intoday.in/technology/story/25-indian-cities-to-get-free-public-Wi-Fi-by-june-2015/1/407214.html&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn30" href="#_ftnref30"&gt;&lt;sup&gt;[30]&lt;/sup&gt;&lt;/a&gt;Business Insider, ‘Modi Government To Roll Out Free Wi-Fi In 2,500 Towns And Cities To Make India Digital’, January 23, 2015, &lt;a href="http://www.businessinsider.in/Modi-Government-To-Roll-Out-Free-Wi-Fi-In-2500-Towns-And-Cities-To-Make-India-Digital/articleshow/45989339.cms"&gt;http://www.businessinsider.in/Modi-Government-To-Roll-Out-Free-Wi-Fi-In-2500-Towns-And-Cities-To-Make-India-Digital/articleshow/45989339.cms&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn31" href="#_ftnref31"&gt;&lt;sup&gt;[31]&lt;/sup&gt;&lt;/a&gt;RailTel launches free high-speed public Wi-Fi service with Google at Mumbai Central, &lt;a href="http://www.railtelindia.com/images/Mumbai.pdf"&gt;http://www.railtelindia.com/images/Mumbai.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn32" href="#_ftnref32"&gt;&lt;sup&gt;[32]&lt;/sup&gt;&lt;/a&gt;Economic Times, ‘Google may get government nod to conduct pilot for Project Loon in India’, May 24, 2016,&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a href="http://economictimes.indiatimes.com/tech/internet/google-may-get-government-nod-to-conduct-pilot-for-project-loon-in-india/articleshow/52408455.cms"&gt;http://economictimes.indiatimes.com/tech/internet/google-may-get-government-nod-to-conduct-pilot-for-project-loon-in-india/articleshow/52408455.cms&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn33" href="#_ftnref33"&gt;&lt;sup&gt;[33]&lt;/sup&gt;&lt;/a&gt;Department of Telecommunications, Ministry of Communications &amp;amp; IT, Government of India, February 23, 2009, &lt;a href="http://www.dot.gov.in/sites/default/files/Wi-%20fi%20Direction%20to%20UASL-CMTS-BASIC%2023%20Feb%2009.pdf"&gt;http://www.dot.gov.in/sites/default/files/Wi-%20fi%20Direction%20to%20UASL-CMTS-BASIC%2023%20Feb%2009.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn34" href="#_ftnref34"&gt;&lt;sup&gt;[34]&lt;/sup&gt;&lt;/a&gt; Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, &lt;a href="http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch"&gt;http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn35" href="#_ftnref35"&gt;&lt;sup&gt;[35]&lt;/sup&gt;&lt;/a&gt;MojoNetworks, ‘Complying with DoT Regulation on Secure Use of WiFi: Less in Letter, More in Spirit’,&amp;nbsp; &lt;a href="http://www.mojonetworks.com/fileadmin/pdf/Implementing_DoT_Regulation_on_WiFi_Security.pdf"&gt;http://www.mojonetworks.com/fileadmin/pdf/Implementing_DoT_Regulation_on_WiFi_Security.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn36" href="#_ftnref36"&gt;&lt;sup&gt;[36]&lt;/sup&gt;&lt;/a&gt; Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn37" href="#_ftnref37"&gt;&lt;sup&gt;[37]&lt;/sup&gt;&lt;/a&gt;The Centre for Internet &amp;amp; Society, ‘Privacy and the Information Technology Act — Do we have the Safeguards for Electronic Privacy?’, April 7, 2011, &lt;a href="http://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy"&gt;http://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn38" href="#_ftnref38"&gt;&lt;sup&gt;[38]&lt;/sup&gt;&lt;/a&gt;License Agreement for Unified License,&amp;nbsp; &lt;a href="http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf"&gt;http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn39" href="#_ftnref39"&gt;&lt;sup&gt;[39]&lt;/sup&gt;&lt;/a&gt; Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, &lt;a href="https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf"&gt;https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn40" href="#_ftnref40"&gt;&lt;sup&gt;[40]&lt;/sup&gt;&lt;/a&gt; Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, &lt;a href="https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf"&gt;https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn41" href="#_ftnref41"&gt;&lt;sup&gt;[41]&lt;/sup&gt;&lt;/a&gt; The Economic Times, ‘Trai floats consultation paper to boost broadband through Wi-Fi in public places’, July 14, 2016, &lt;a href="http://economictimes.indiatimes.com/articleshow/53195586.cms?utm_source=contentofinterest&amp;amp;utm_medium=text&amp;amp;utm_campaign=cppst"&gt;http://economictimes.indiatimes.com/articleshow/53195586.cms?utm_source=contentofinterest&amp;amp;utm_medium=text&amp;amp;utm_campaign=cppst&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn42" href="#_ftnref42"&gt;&lt;sup&gt;[42]&lt;/sup&gt;&lt;/a&gt; Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, &lt;a href="https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf"&gt;https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn43" href="#_ftnref43"&gt;&lt;sup&gt;[43]&lt;/sup&gt;&lt;/a&gt;Mint, ‘Trai issues paper on public Wi-Fi networks’ July 14, 2016, &lt;a href="http://www.livemint.com/Industry/1jVgso2R2Lz4NR5IYFaCtN/Trai-issues-paper-on-public-WiFi-networks.html"&gt;http://www.livemint.com/Industry/1jVgso2R2Lz4NR5IYFaCtN/Trai-issues-paper-on-public-WiFi-networks.html&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn44" href="#_ftnref44"&gt;&lt;sup&gt;[44]&lt;/sup&gt;&lt;/a&gt;Forbes,’How To Avoid Data Theft When Using Public Wi-Fi’, March 4, 2014, &lt;a href="http://www.forbes.com/sites/amadoudiallo/2014/03/04/hackers-love-public-wi-fi-but-you-can-make-it-safe/#373c75e32476"&gt;http://www.forbes.com/sites/amadoudiallo/2014/03/04/hackers-love-public-wi-fi-but-you-can-make-it-safe/#373c75e32476&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn45" href="#_ftnref45"&gt;&lt;sup&gt;[45]&lt;/sup&gt;&lt;/a&gt;Symantec, ‘Norton Cyber Security Insights Report’, 2016, &lt;a href="https://www.symantec.com/content/dam/symantec/docs/reports/2016-norton-cyber-security-insights-report.pdf"&gt;https://www.symantec.com/content/dam/symantec/docs/reports/2016-norton-cyber-security-insights-report.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn46" href="#_ftnref46"&gt;&lt;sup&gt;[46]&lt;/sup&gt;&lt;/a&gt;The Indian Express, ‘Indian cybercrime victims don’t learn from past experience: Norton Report’, November 18, 2016, &lt;a href="http://indianexpress.com/article/technology/tech-news-technology/indian-users-complacent-when-it-comes-to-cyber-security-norton-report/"&gt;http://indianexpress.com/article/technology/tech-news-technology/indian-users-complacent-when-it-comes-to-cyber-security-norton-report/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn47" href="#_ftnref47"&gt;&lt;sup&gt;[47]&lt;/sup&gt;&lt;/a&gt;Mashable, ‘This is the real price you pay for 'free' public Wi-Fi’, January 26, 2016, &lt;a href="http://mashable.com/2016/01/25/actual-cost-free-Wi-Fi/?utm_cid=mash-com-Tw-main-link#WmAJGJ_COiq5"&gt;http://mashable.com/2016/01/25/actual-cost-free-Wi-Fi/?utm_cid=mash-com-Tw-main-link#WmAJGJ_COiq5&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn48" href="#_ftnref48"&gt;&lt;sup&gt;[48]&lt;/sup&gt;&lt;/a&gt;MojoNetworks, ‘Complying with DoT Regulation on Secure Use of WiFi: Less in Letter, More in Spirit’,&amp;nbsp; &lt;a href="http://www.mojonetworks.com/fileadmin/pdf/Implementing_DoT_Regulation_on_WiFi_Security.pdf"&gt;http://www.mojonetworks.com/fileadmin/pdf/Implementing_DoT_Regulation_on_WiFi_Security.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn49" href="#_ftnref49"&gt;&lt;sup&gt;[49]&lt;/sup&gt;&lt;/a&gt;Network Computing, ‘Public WiFi, Location Data &amp;amp; Privacy Anxiety’, July 4, 2015, &lt;a href="http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374"&gt;http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn50" href="#_ftnref50"&gt;&lt;sup&gt;[50]&lt;/sup&gt;&lt;/a&gt;Network Computing, ‘Public WiFi, Location Data &amp;amp; Privacy Anxiety’, July 4, 2015, &lt;a href="http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374"&gt;http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn51" href="#_ftnref51"&gt;&lt;sup&gt;[51]&lt;/sup&gt;&lt;/a&gt;The Indian Express, ‘Public Wifi can be used to steal private information: IT Security Expert’, May 19, 2015, &lt;a href="http://indianexpress.com/article/technology/technology-others/public-wifi-can-be-used-to-steal-private-information-it-security-expert/#sthash.xiuWtL6v.dpuf"&gt;http://indianexpress.com/article/technology/technology-others/public-wifi-can-be-used-to-steal-private-information-it-security-expert/#sthash.xiuWtL6v.dpuf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn52" href="#_ftnref52"&gt;&lt;sup&gt;[52]&lt;/sup&gt;&lt;/a&gt;Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, &lt;a href="https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv"&gt;https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn53" href="#_ftnref53"&gt;&lt;sup&gt;[53]&lt;/sup&gt;&lt;/a&gt;Network Computing, ‘Public WiFi, Location Data &amp;amp; Privacy Anxiety’, July 4, 2015, &lt;a href="http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374"&gt;http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn54" href="#_ftnref54"&gt;&lt;sup&gt;[54]&lt;/sup&gt;&lt;/a&gt;University of Washington, Computer Science and Engineering, ‘When I am on Wi-Fi, I am Fearless:” Privacy Concerns &amp;amp; Practices in Everyday Wi-Fi Use’, &lt;a href="https://djw.cs.washington.edu/papers/wifi-CHI09.pdf"&gt;https://djw.cs.washington.edu/papers/wifi-CHI09.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn55" href="#_ftnref55"&gt;&lt;sup&gt;[55]&lt;/sup&gt;&lt;/a&gt;Breitbart, ‘Fre Public Wi-Fi poses security risks’, May 19, 2015, &lt;a href="http://www.breitbart.com/big-government/2015/05/19/free-public-wifi-poses-security-risk/"&gt;http://www.breitbart.com/big-government/2015/05/19/free-public-wifi-poses-security-risk/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn56" href="#_ftnref56"&gt;&lt;sup&gt;[56]&lt;/sup&gt;&lt;/a&gt;The Guardian, ‘Londoners give up eldest children in public Wi-Fi security horror show’, September 29, 2014, &amp;nbsp;&lt;a href="https://www.theguardian.com/technology/2014/sep/29/londoners-Wi-Fi-security-herod-clause"&gt;https://www.theguardian.com/technology/2014/sep/29/londoners-Wi-Fi-security-herod-clause&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn57" href="#_ftnref57"&gt;&lt;sup&gt;[57]&lt;/sup&gt;&lt;/a&gt; Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, &lt;a href="https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv"&gt;https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn58" href="#_ftnref58"&gt;&lt;sup&gt;[58]&lt;/sup&gt;&lt;/a&gt;ABC13, ‘Hackers set up fake Wi-Fi hotspots to steal your information, July 10, 2015, &lt;a href="http://abc13.com/technology/hackers-set-up-fake-Wi-Fi-hotspots-to-steal-your-information/835223/"&gt;http://abc13.com/technology/hackers-set-up-fake-Wi-Fi-hotspots-to-steal-your-information/835223/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn59" href="#_ftnref59"&gt;&lt;sup&gt;[59]&lt;/sup&gt;&lt;/a&gt;Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, &lt;a href="https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv"&gt;https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn60" href="#_ftnref60"&gt;&lt;sup&gt;[60]&lt;/sup&gt;&lt;/a&gt; Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, &lt;a href="http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch"&gt;http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn61" href="#_ftnref61"&gt;&lt;sup&gt;[61]&lt;/sup&gt;&lt;/a&gt; Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, &lt;a href="http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch"&gt;http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn62" href="#_ftnref62"&gt;&lt;sup&gt;[62]&lt;/sup&gt;&lt;/a&gt;University of Washington, Computer Science and Engineering, ‘When I am on Wi-Fi, I am Fearless:” Privacy Concerns &amp;amp; Practices in Everyday Wi-Fi Use’, &lt;a href="https://djw.cs.washington.edu/papers/wifi-CHI09.pdf"&gt;https://djw.cs.washington.edu/papers/wifi-CHI09.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn63" href="#_ftnref63"&gt;&lt;sup&gt;[63]&lt;/sup&gt;&lt;/a&gt; Breitbart, ‘Fre Public Wi-Fi poses security risks’, May 19, 2015, &lt;a href="http://www.breitbart.com/big-government/2015/05/19/free-public-wifi-poses-security-risk/"&gt;http://www.breitbart.com/big-government/2015/05/19/free-public-wifi-poses-security-risk/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn64" href="#_ftnref64"&gt;&lt;sup&gt;[64]&lt;/sup&gt;&lt;/a&gt; Ranking Digital Rights, &lt;a href="https://rankingdigitalrights.org/who/frequently-asked-questions/"&gt;https://rankingdigitalrights.org/who/frequently-asked-questions/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn65" href="#_ftnref65"&gt;&lt;sup&gt;[65]&lt;/sup&gt;&lt;/a&gt; Business &amp;amp; Human Rights Resource Centre, ‘Ranking Digital Rights Project’, &lt;a href="http://business-humanrights.org/en/documents/ranking-digital-rights-project"&gt;http&lt;/a&gt;&lt;a href="http://business-humanrights.org/en/documents/ranking-digital-rights-project"&gt;://business-humanrights.org/en/documents/ranking-digital-rights-project&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn66" href="#_ftnref66"&gt;&lt;sup&gt;[66]&lt;/sup&gt;&lt;/a&gt; Ranking Digital Rights, &lt;a href="https://rankingdigitalrights.org/about/"&gt;https://rankingdigitalrights.org/about/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn67" href="#_ftnref67"&gt;&lt;sup&gt;[67]&lt;/sup&gt;&lt;/a&gt; Ranking Digital Rights, &lt;a href="https://rankingdigitalrights.org/about/"&gt;https://rankingdigitalrights.org/about/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn68" href="#_ftnref68"&gt;&lt;sup&gt;[68]&lt;/sup&gt;&lt;/a&gt; Ranking Digital Rights, &lt;a href="https://rankingdigitalrights.org/who/frequently-asked-questions/"&gt;https://rankingdigitalrights.org/who/frequently-asked-questions/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn69" href="#_ftnref69"&gt;&lt;sup&gt;[69]&lt;/sup&gt;&lt;/a&gt; Ranking Digital Rights, &lt;a href="https://rankingdigitalrights.org/who/frequently-asked-questions/"&gt;https://rankingdigitalrights.org/who/frequently-asked-questions/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn70" href="#_ftnref70"&gt;&lt;sup&gt;[70]&lt;/sup&gt;&lt;/a&gt; Ranking Digital Rights, &lt;a href="https://rankingdigitalrights.org/about/"&gt;https://rankingdigitalrights.org/about/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn71" href="#_ftnref71"&gt;&lt;sup&gt;[71]&lt;/sup&gt;&lt;/a&gt; Ranking Digital Rights, &lt;a href="https://rankingdigitalrights.org/who/frequently-asked-questions/"&gt;https://rankingdigitalrights.org/who/frequently-asked-questions/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn72" href="#_ftnref72"&gt;&lt;sup&gt;[72]&lt;/sup&gt;&lt;/a&gt; D-VoIS Communication Pvt. Ltd. &lt;a href="http://www.dvois.com/"&gt;http://www.dvois.com/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn73" href="#_ftnref73"&gt;&lt;sup&gt;[73]&lt;/sup&gt;&lt;/a&gt;Section 16 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 states that all request and complaints must be kept confidential.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn74" href="#_ftnref74"&gt;&lt;sup&gt;[74]&lt;/sup&gt;&lt;/a&gt; Tata Docomo, http://www.tatadocomo.com/&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy-and-security-implications-of-public-wi-fi-a-case-study'&gt;https://cis-india.org/internet-governance/blog/privacy-and-security-implications-of-public-wi-fi-a-case-study&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>vanya</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Public Wireless Network</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Digital Rights</dc:subject>
    

   <dc:date>2016-12-12T12:29:49Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy-and-security">
    <title>Privacy and Security Can Co-exist</title>
    <link>https://cis-india.org/internet-governance/blog/privacy-and-security</link>
    <description>
        &lt;b&gt;The blanket surveillance the Centre seeks is not going to make India more secure, writes Sunil Abraham in this article published in Mail Today on June 21, 2011.&lt;/b&gt;
        
&lt;p&gt;Today, the national discourse around the “right to privacy” posits privacy as antithetical to security.&lt;/p&gt;
&lt;p&gt;Nothing can be farther from the truth. Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 amendment of the IT Act and its associated rules, notified in April 2011, propose to eliminate whatever little privacy Indian netizens have had so far. Already, as per the Internet Service Provider (ISP) licence, citizens using encryption above 40-bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station.&lt;/p&gt;
&lt;h3&gt;Surveillance&lt;/h3&gt;
&lt;p&gt;Surveillance in any society is like salt in cooking — essential in small quantities but completely counter-productive even slightly in excess. Blanket surveillance makes privacy extinct, it compromises anonymity, essential ingredients for democratic governance, free media, arts and culture, and, most importantly, commerce and enterprise. The Telegraph Act only allowed for blanket surveillance as the rarest of the rare exception. The IT Act, on the other hand, mandates multi-tiered blanket surveillance of all law-abiding citizens and enterprises.&lt;/p&gt;
&lt;p&gt;When your mother visits the local cyber-cafe to conduct an e-commerce transaction, at the very minimum there are two levels of blanket surveillance. According to the cyber-cafe rules, all her transaction logs will be captured and stored by the operator for a period of one year. This gentleman would also have access to her ID document and photograph. The ISPs would also store her logs for two years to be in compliance with the ISP licence (even though none of them publish a data-retention policy). Some e-commerce website, to avoid liability, will under the Intermediary Due Diligence rules also retain logs.&lt;/p&gt;
&lt;p&gt;Data retention at the cyber-cafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of sensitive personal information only opens up multiple points of failure and leaks — in the age of Nira Radia and Amar Singh no sensible bank would accept such intrusion into their core business processes.&lt;/p&gt;
&lt;p&gt;Surveillance capabilities are not a necessary feature of information systems.&lt;/p&gt;
&lt;p&gt;They have to be engineered into these systems. Once these features exist they could potentially serve both the legally authorised official and undesirable elements.&lt;/p&gt;
&lt;p&gt;Terrorists, cyber-warriors and criminals will all find systems with surveillance capabilities easier to compromise.&lt;/p&gt;
&lt;p&gt;In other words, surveillance compromises security at the level of system design. There were no Internet or phone lines in the Bin Laden compound — he was depending on a store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via a master key would have led the investigators to him earlier?&lt;/p&gt;
&lt;h3&gt;Myth&lt;/h3&gt;
&lt;p&gt;Increase in security levels is not directly proportional to an increase in levels of surveillance gear. This is only a myth perpetuated by vendors of surveillance software and hardware via the business press. You wouldn't ask the vendors of X-ray machines how many you should purchase for an airport, would you? An airport with 2,000 X-ray machines is not more secure than one with 20. But in the age of UID and NATGRID, this myth has been the best route for reaching sales targets using tax-payers’ money.&lt;/p&gt;
&lt;p&gt;Surveillance must be intelligent, informed by evidence and guided by a scientific method. Has the ban on public WiFi and the current ID requirements at cyber-cafes led to the arrest of terrorists or criminals in India? Where is the evidence that more resource-hungry blanket surveillance is going to provide a return on the investment? Unnecessary surveillance is counter-productive and distracts the security agenda with irrelevance.&lt;/p&gt;
&lt;p&gt;Finally, there is the question of perception management. Perceptions of security do not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems — one, where the fundamental organising principle is trust and second, where the principle is suspicion.&lt;/p&gt;
&lt;p&gt;Systems based on suspicion usually give rise to criminal and corrupt behaviour.&lt;/p&gt;
&lt;h3&gt;Perception&lt;/h3&gt;
&lt;p&gt;If the state were to repeatedly accuse its law-abiding citizens of being terrorists and criminals it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies, they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the Internet just to download encryption tools and other privacy-enabling software. Like prohibition this will only result in further insecurity and break-down of the rule of law.&lt;/p&gt;
&lt;p&gt;The writer is executive director of the Bangalore-based Centre for Internet and Society.&lt;/p&gt;
&lt;p&gt;Read the original published in Mail Today &lt;a class="external-link" href="http://epaper.mailtoday.in/Details.aspx?boxid=231936750&amp;amp;id=55069&amp;amp;issuedate=2162011"&gt;here&lt;/a&gt;&lt;/p&gt;

    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-21T09:05:57Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases">
    <title>Privacy and Governmental Databases</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases</link>
    <description>
        &lt;b&gt;In our research we have found that most government databases are incrementally designed in response to developments and improvements that need to be incorporated from time to time. This method of architecting a system leads to a poorly designed database with many privacy risks such as: inaccurate data, incomplete data, inappropriate disclosure of data, inappropriate access to data, and inappropriate security over data. To address these privacy concerns it is important to analyze the problem that is being addressed from the perspective of potential and planned interoperability with other government databases. Below is a list of problems and recommendations concerning privacy in government databases. &lt;/b&gt;
        
&lt;h2&gt;Government Databases and recommendations for privacy practices&lt;/h2&gt;
&lt;ol&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Citizen-State relationships and privacy standards&lt;/strong&gt;&lt;br /&gt;Government databases foster different types of relationships between the state and its citizenry, for instance user databases, service-providing databases, and information-providing databases. Each one of these relationships requires a different level of privacy. Thus, it is important to identify the type of relationship that the database will foster in order to determine what type of privacy model to implement.&lt;/p&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Specific privacy policy &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Each government database should have a specific privacy policy that is tailored to the information that it holds. Each policy should cover the following areas:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;data collection&lt;/li&gt;&lt;li&gt;digitization&lt;/li&gt;&lt;li&gt;usage&lt;/li&gt;&lt;li&gt;storage&lt;/li&gt;&lt;li&gt;security&lt;/li&gt;&lt;li&gt;disclosure&lt;/li&gt;&lt;li&gt;retrieval&lt;/li&gt;&lt;li&gt;access (inter departmental and public)&lt;/li&gt;&lt;li&gt;anonymization, obfuscation and deletion.&lt;/li&gt;&lt;/ul&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Personal vs. personal sensitive and public vs. non-public data categories &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Data in government databases requires varying degrees of privacy safeguards. The division of personal information vs. non-personal information etc. creates distinct categories for security levels over data and permissibility of public disclosure. Examples of personal information: name, address, telephone number, religion. Examples of non-personal data: gender, age. This could work to avoid situations such as the census, where a person’s name, address, age, etc., were all printed for the public eye.&lt;/p&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Standardization of Privacy Policies and Access Control &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Government databases should all be designed upon interoperable standards so that the databases can "talk" to each other. The ability to coalesce databases strengthens the potential for use and reuse by different stakeholders. Furthermore, the interoperability of systems helps to avoid the creation of silos that hold multiple copies of the same data. To protect privacy in interoperable systems, restricted and authorized access within departments and between departments is key. The Department of Information Technology has recently published a "Government Interoperability Framework" titled "Interoperability Framework for eGovernance". This policy document is the appropriate place to articulate interoperable privacy policies that could be adopted across eGovernance projects.&lt;/p&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Record of breach notification &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;If a data breach occurs in a government database, the breach should be recorded and the appropriate individuals notified.&lt;/p&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Anonymization/obfuscation and deletion policies &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Once the purpose for which the data has been collected has been served it must be anonymized/obfuscated or deleted as appropriate. All data-sets cannot be deleted as bulk aggregate data is very useful to those interested in trend analysis. Anonymizing/obfuscating the personal details of a data set ensures that privacy is protected during such trend analysis.&lt;/p&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Accountability for accuracy of data &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Frequently data that is collected and entered into government databases is not accurate, because the departments are not collecting the data themselves. Thus, they feel no responsibility for its accuracy. If a mechanism is built into each database for identification of each data source this brings accountability for data accuracy.&lt;/p&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Appropriate uses of government databases &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Businesses should not feel automatically entitled to aggregate and consolidate public information from government databases because it is technically possible to do so. Their uses of government databases must be guided by policies that define "appropriate usage."&lt;/p&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Access, updation and control of personal information &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent access control to their information - which would automatically make them eligible or ineligible for various government services.&lt;/p&gt;
&lt;/li&gt;&lt;/ol&gt;

    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-22T05:41:38Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research">
    <title>Privacy after Big Data: Compilation of Early Research</title>
    <link>https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research</link>
    <description>
        &lt;b&gt;Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.&lt;/b&gt;
        
&lt;h4&gt;&lt;a href="https://github.com/cis-india/website/raw/master/docs/CIS_PrivacyAfterBigData_CompilationOfEarlyResearch_2016.11.pdf"&gt;Download the Compilation&lt;/a&gt; (PDF)&lt;/h4&gt;
&lt;hr /&gt;
&lt;h3&gt;&lt;strong&gt;Privacy after Big Data&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform aims to enable participation of connected citizens and to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.&lt;/p&gt;
&lt;p&gt;These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques runs contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.&lt;/p&gt;
&lt;p&gt;These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.&lt;/p&gt;
&lt;p&gt;Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy?&lt;/p&gt;
&lt;p&gt;Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.&lt;/p&gt;
&lt;p&gt;In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits and harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Elonnai Hickok&lt;/em&gt;&lt;br /&gt;Director - Internet Governance&lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Saumyaa Naidu</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Human Rights</dc:subject>
    
    
        <dc:subject>IT Act</dc:subject>
    
    
        <dc:subject>Big Data</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Smart Cities</dc:subject>
    
    
        <dc:subject>Data Protection</dc:subject>
    
    
        <dc:subject>Information Technology</dc:subject>
    
    
        <dc:subject>Publications</dc:subject>
    

   <dc:date>2016-11-12T01:37:03Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy-after-big-data-workshop-report">
    <title>Privacy after Big Data - Workshop Report</title>
    <link>https://cis-india.org/internet-governance/blog/privacy-after-big-data-workshop-report</link>
    <description>
        &lt;b&gt;The Centre for Internet and Society (CIS) and the Sarai programme, CSDS, organised a workshop on 'Privacy after Big Data: What Changes? What should Change?' on Saturday, November 12, 2016 at Centre for the Study of Developing Societies in New Delhi. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;This workshop aimed to build a dialogue around some of the key government-led big data initiatives in India and elsewhere that are contributing significant new challenges and concerns to the ongoing debates on the right to privacy. It was an open event.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In this age of big data, discussions about privacy are intertwined with the use of technology and the data deluge. Though big data possesses enormous value for driving innovation and contributing to productivity and efficiency, privacy concerns have gained significance in the dialogue around regulated use of data and the means by which individual privacy might be compromised through means such as surveillance, or protected. The tremendous opportunities big data creates in varied sectors ranges from financial technology, governance, education, health, welfare schemes, smart cities to name a few. With the UID project re-animating the Right to Privacy debate in India, and the financial technology ecosystem growing rapidly, striking a balance between benefits of big data and privacy concerns is a critical policy question that demands public dialogue and research to inform an evidence based decision. Also, with the advent of potential big data initiatives like the ambitious Smart Cities Mission under the Digital India Scheme, which would rely on harvesting large data sets and the use of analytics in city subsystems to make public utilities and services efficient, the tasks of ensuring data security on one hand and protecting individual privacy on the other become harder.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This workshop sought to discuss some of the emerging problems due to the advent of big data and possible ways to address these problems. The workshop began with Amber Sinha of CIS and Sandeep Mertia of Sarai introducing the topic of big data and implications for privacy. Both speakers tried to define big data and brief history of the evolution of the term and raised questions about how we understand it. Dr. Usha Ramanathan spoke on the right to privacy in the context of the ongoing Aadhaar case and Vipul Kharbanda introduced the concept of Habeas Data as a possible solution to the privacy problems posed by big data.  Amelia Andersotter discussed national centralised digital ID systems and their evolution in Europe, often operating at a cross-functional scale, and highlighted its implications for discussions on data protection, welfare governance, and exclusion from public and private services. Srikanth Lakshmanan spoke of the issues with technology and privacy, and possible technological solutions.  Dr. Anupam Saraph discussed the rise of digital banking and Aadhaar based payments and its potential use for corrupt practices. Astha Kapoor of Microsave spoke about her experience of implementation of digital money solution in rural India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Post lunch, Dr. Anja Kovacs and Mathew Rice spoke on the rise of mass communication surveillance across the world, and the evolving challenges of regulating surveillance by government agencies. Mathew also spoke of privacy movements by citizens and civil society in regions. In the final speaking session, Apar Gupta and Kritika Bhardwaj traced the history of jurisprudence on the right to privacy and the existing regulations and procedures. In the final session, the participants discussed various possible solutions to privacy threats from big data and identity projects including better regulation, new approached such as harms based regulation and privacy risk assessments, and conceiving privacy as a horizontal right. The workshop ended with vote of thanks from the organizers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The agenda for the event can be accessed &lt;a href="https://github.com/cis-india/website/raw/master/docs/CIS-Sarai_PrivacyAfterBigData_ConceptAgenda.pdf"&gt;here&lt;/a&gt;, and the transcript is available &lt;a class="external-link" href="http://cis-india.org/internet-governance/files/privacy-after-big-data/"&gt;here&lt;/a&gt;.&lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>amber</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-01-27T01:09:17Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/indianexpress-amitabh-sinha-october-19-2012-privacy-act-should-not-circumscribe-rti-expert-group">
    <title>Privacy Act should not circumscribe RTI: expert group</title>
    <link>https://cis-india.org/news/indianexpress-amitabh-sinha-october-19-2012-privacy-act-should-not-circumscribe-rti-expert-group</link>
    <description>
        &lt;b&gt;An expert group to draw the framework of a law to protect privacy of individuals has suggested that issues of personal privacy must not be used to dilute the provisions of or block information under the Right to Information Act, and used a language that almost directly contradicts the sentiments expressed by the Prime Minister in this regard just a few days ago. &lt;/b&gt;
        &lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;This article by Amitabh Sinha was published in the &lt;a class="external-link" href="http://www.indianexpress.com/news/privacy-act-should-not-circumscribe-rti-expert-group/1018942/0"&gt;Indian Express&lt;/a&gt; on October 19, 2012.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The group headed by Justice (retd) A P Shah has argued that the RTI Act already has provisions that protect the privacy, and such types of information are exempt from public disclosure. “When applied, the (proposed) Privacy Act should not circumscribe the Right to Information Act,” the report of the expert group, which was made public on Thursday, said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“Section 8 of the (RTI) Act lists specific types of information that are exempted from public disclosure in order to protect privacy. In this way, privacy is the narrow exception to the Right to Information,” the report said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Interestingly, just earlier this week, while inaugurating an annual convention of information commissioners, Prime Minister Manmohan Singh had made the opposite argument. “There is a fine balance required to be maintained between the Right to Information and the right to privacy, which stems out of the Fundamental Right to Life and Liberty,” he had said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“The citizens’ right to know should definitely be circumscribed if disclosure of information encroaches upon someone’s personal privacy. But where to draw the line is a complicated question,” he had said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Sibngh’s remarks had come at a time when questions were being asked about whether government money had been spent on foreign trips and medical treatment of UPA chairperson Sonia Gandhi. The government had clarified that no public money had been spent on either of the two.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The expert group under Justice Shah was constituted at the initiative of Minister of State for Planning Ashwani Kumar after an attempt by the Department of Personnel and Training (DoPT) last year to draft a privacy bill ended in a disaster. The expert group was only asked to draw up the broad contours of what a privacy law must comprise of. It has drawn from international experiences and presented nine ‘principles’ that must be accommodated in any future privacy law.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The group also recognises that the constitutional basis of privacy as “a fundamental right deriving from Article 21 of the Constitution of India”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The report deals mainly with how the extensive collection of personal data — through government institutions like Census, NATGRID, UID, or through private agencies like banks, credit card companies or phone operators — must be stored, managed and eventually destroyed, if possible, without infringing on the privacy rights of an individual.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The report would now be referred to the DoPT which will then begin further consultation processes to make a fresh start at drafting a privacy law.&lt;/p&gt;
&lt;h3&gt;Suggestions on Tapping&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The expert group has said that the system of telephone and other communication interception for security reasons has an “unclear regulatory regime that is inconsistent, non-transparent, prone to misuse, and that does not provide remedy or compensation to aggrieved individuals”. It has suggested the following:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;All orders of interceptions must be reported to a court within 15 days, disclosing the reason for interception.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;All interceptions must only be in force for 60 days, renewable up to a period of 180 days.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Reasons for interception order must be specified and recorded in writing by competent authority.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Records of interception must be destroyed by security agencies after six months, or nine months, and service providers must destroy records after two months, or six months.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;All interception orders must be sent for review by a designated committee.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Officers to whom information relating to interception can be disclosed must be specified.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Intermediaries (like telephone operators) must ensure security, confidentiality and privacy of intercepted material, and must be held legally responsible for any unauthorized access or disclosure of intercepted material.&lt;/li&gt;
&lt;/ul&gt;
&lt;hr /&gt;
&lt;p&gt;Note: &lt;i&gt;The Centre for Internet &amp;amp; Society was part of the expert committee even though it is not explicitly mentioned here&lt;/i&gt;.&lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-10-22T09:36:49Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft">
    <title>Privacy (Protection) Bill, 2013: Updated Third Draft</title>
    <link>https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft</link>
    <description>
        &lt;b&gt;The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness around privacy, completing in depth research, and driving a privacy legislation in India. As part of this work, we drafted the Privacy (Protection) Bill, 2013. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;&lt;i&gt;This research is being undertaken as part of the 'SAFEGUARDS' project that CIS is doing with Privacy International and IDRC. &lt;/i&gt;The following is the latest version with changes based on the Round Table held on August 24:&lt;/p&gt;
&lt;hr /&gt;
&lt;p align="center"&gt;&lt;b&gt;[Preamble]&lt;/b&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;CHAPTER I&lt;/b&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;Preliminary&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;1. Short title, extent and commencement. –&lt;/b&gt; (1)&lt;b&gt; &lt;/b&gt;This Act may be called the Privacy (Protection) Act, 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) It extends to the whole of India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;2. Definitions. –&lt;/b&gt; In this Act and in any rules made thereunder, unless the context otherwise requires, –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) “anonymise” means, in relation to personal data, the removal of all data that may, whether directly or indirectly in conjunction with any other data, be used to identify the data subject;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) “appropriate government” means, in relation to the Central Government or a Union Territory Administration, the Central Government; in relation to a State Government, that State Government; and, in relation to a public authority which is established, constituted, owned, controlled or substantially financed by funds provided directly or indirectly –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(i) by the Central Government or a Union Territory Administration, the Central Government;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(ii) by a State Government, that State Government;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(c) “authorised officer” means an officer, not below the rank of a Gazetted Officer, of an All India Service or a Central Civil Service, as the case may be, who is empowered by the Central Government, by notification in the Official Gazette, to intercept a communication of another person or carry out surveillance of another person under this Act;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(d) “biometric data” means any data relating to the physical, physiological or behavioural characteristics of a person which allow their unique identification including, but not restricted to, facial images, finger prints, hand prints, foot prints, iris recognition, hand writing, typing dynamics, gait analysis and speech recognition;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(e) “Chairperson” and “Member” mean the Chairperson and Member appointed under sub-section (1) of section 17;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(f) “collect”, with its grammatical variations and cognate expressions, means, in relation to personal data, any action or activity that results in a data controller obtaining, or coming into the possession or control of, any personal data of a data subject;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(g) “communication” means a word or words, spoken, written or indicated, in any form, manner or language, encrypted or unencrypted, meaningful or otherwise, and includes visual representations of words, ideas, symbols and images, whether transmitted or not transmitted and, if transmitted, irrespective of the medium of transmission;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(h) “competent organisation” means an organisation or public authority listed in the Schedule;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(i) “data controller” means a person who, either alone or jointly or in concert with other persons, determines the purposes for which and the manner in which any personal data is processed;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(j) “data processor” means any person who processes any personal data on behalf of a data controller;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(k) “Data Protection Authority” means the Data Protection Authority constituted under sub-section (1) of section 17;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(l) “data subject” means a person who is the subject of personal data;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(m) “deoxyribonucleic acid data” means all data, of whatever type, concerning the characteristics of a person that are inherited or acquired during early prenatal development;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(n) “destroy”, with its grammatical variations and cognate expressions, means, in relation to personal data, to cease the existence of, by deletion, erasure or otherwise, any personal data;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(o) “disclose”, with its grammatical variations and cognate expressions, means, in relation to personal data, any action or activity that results in a person who is not the data subject coming into the possession or control of that personal data;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(p) “intelligence organisation” means an intelligence organisation under the Intelligence Organisations (Restriction of Rights) Act, 1985 (58 of 1985);&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(q) “interception” or “intercept” means any activity intended to capture, read, listen to or understand the communication of a person;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(r) “personal data” means any data which relates to a natural person if that person can, whether directly or indirectly in conjunction with any other data, be identified from it and includes sensitive personal data;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(s) “prescribed” means prescribed by rules made under this Act;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(t) “process”, with its grammatical variations and cognate expressions, means, in relation to personal data, any action or operation which is performed upon personal data, whether or not by automated means including, but not restricted to, organisation, structuring, adaptation, modification, retrieval, consultation, use, alignment or destruction;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(u) “receive”, with its grammatical variations and cognate expressions, means, in relation to personal data, to come into the possession or control of any personal data;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(v) “sensitive personal data” means personal data as to the data subject’s –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(i) biometric data;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(ii) deoxyribonucleic acid data;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(iii) sexual preferences and practices;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(iv) medical history and health;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(v) political affiliation;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(vi) commission, or alleged commission, of any offence;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(vii) ethnicity, religion, race or caste; and&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(viii) financial and credit information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(w) “store”, with its grammatical variations and cognate expressions, means, in relation to personal data, to retain, in any form or manner and for any purpose or reason, any personal data;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(x) “surveillance” means any activity intended to watch, monitor, record or collect, or to enhance the ability to watch, record or collect, any images, signals, data, movement, behaviour or actions, of a person, a group of persons, a place or an object, for the purpose of obtaining information of a person;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;and all other expressions used herein shall have the meanings ascribed to them under the General Clauses Act, 1897 (10 of 1897) or the Code of Criminal Procedure, 1973 (2 of 1974), as the case may be.&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;CHAPTER II&lt;/b&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;Regulation of Personal Data&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;3. Regulation of personal data. – &lt;/b&gt;Notwithstanding anything contained in any other law for the time being in force, no person shall collect, store, process, disclose or otherwise handle any personal data of another person except in accordance with the provisions of this Act and any rules made thereunder.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;4. Exemption. –&lt;/b&gt; Nothing in this Act shall apply to the collection, storage, processing or disclosure of personal data for personal or domestic use.&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;CHAPTER III&lt;/b&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;Protection of Personal Data&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;5. Regulation of collection of personal data. –&lt;/b&gt; (1) No personal data of a data subject shall be collected except in conformity with section 6 and section 7.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) No personal data of a data subject may be collected under this Act unless it is necessary for the achievement of a purpose of the person seeking its collection.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) Subject to section 6 and section 7, no personal data may be collected under this Act prior to the data subject being given notice, in such form and manner as may be prescribed, of the collection.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;6. Collection of personal data with prior informed consent. –&lt;/b&gt; (1) Subject to sub-section (2), a person seeking to collect personal data under this section shall, prior to its collection, obtain the consent of the data subject.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Prior to a collection of personal data under this section, the person seeking its collection shall inform the data subject of the following details in respect of his personal data, namely: –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) when it will be collected;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) its content and nature;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(c) the purpose of its collection;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(d) the manner in which it may be accessed, checked and modified;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(e) the security practices, privacy policies and other policies, if any, to which it will be subject;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(f) the conditions and manner of its disclosure; and&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(g) the procedure for recourse in case of any grievance in relation to it.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) Consent to the collection of personal data under this section may be obtained from the data subject in any manner or medium but shall not be obtained as a result of a threat, duress or coercion:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that the data subject may, at any time after his consent to the collection of personal data has been obtained, withdraw the consent for any reason whatsoever and all personal data collected following the original grant of consent shall be destroyed forthwith:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that the person who collected the personal data in respect of which consent is subsequently withdrawn may, if the personal data is necessary for the delivery of any good or the provision of any service, not deliver that good or deny that service to the data subject who withdrew his grant of consent.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;7. Collection of personal data without prior consent. – &lt;/b&gt;Personal data may be collected without the prior consent of the data subject if it is –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) necessary for the provision of an emergency medical service to the data subject;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) required for the establishment of the identity of the data subject and the collection is authorised by a law in this regard;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(c) necessary to prevent a reasonable threat to national security, defence or public order; or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(d) necessary to prevent, investigate or prosecute a cognisable offence.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;8. Regulation of storage of personal data. –&lt;/b&gt; (1) No person shall store any personal data for a period longer than is necessary to achieve the purpose for which it was collected or received, or, if that purpose is achieved or ceases to exist for any reason, for any period following such achievement or cessation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Save as provided in sub-section (3), any personal data collected or received in relation to the achievement of a purpose shall, if that purpose is achieved or ceases to exist for any reason, be destroyed forthwith.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) Notwithstanding anything contained in this section, any personal data may be stored for a period longer than is necessary to achieve the purpose for which it was collected or received, or, if that purpose has been achieved or ceases to exist for any reason, for any period following such achievement or cessation, if –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) the data subject grants his consent to such storage prior to the purpose for which it was collected or received being achieved or ceasing to exist;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) it is adduced for an evidentiary purpose in a legal proceeding; or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(c) it is required to be stored under the provisions of an Act of Parliament:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that only that amount of personal data that is necessary to achieve the purpose of storage under this sub-section shall be stored and any personal data that is not required to be stored for such purpose shall be destroyed forthwith:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided further that any personal data stored under this sub-section shall, to the extent possible, be anonymised.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;9. Regulation of processing of personal data. –&lt;/b&gt; (1) No person shall process any personal data that is not necessary for the achievement of the purpose for which it was collected or received.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Save as provided in sub-section (3), no personal data shall be processed for any purpose other than the purpose for which it was collected or received.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) Notwithstanding anything contained in this section, any personal data may be processed for a purpose other than the purpose for which it was collected or received if –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) the data subject grants his consent to the processing and only that amount of personal data that is necessary to achieve the other purpose is processed;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) it is necessary to perform a contractual duty to the data subject;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(c) it is necessary to prevent a reasonable threat to national security, defence or public order; or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(d) it is necessary to prevent, investigate or prosecute a cognisable offence.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;10. Transfer of personal data for processing. –&lt;/b&gt; (1) Subject to the provisions of this section, personal data that has been collected in conformity with this Act may be transferred by a data controller to a data processor, whether located in India or otherwise, if the transfer is pursuant to an agreement that explicitly binds the data processor to the same or stronger measures in respect of the storage, processing, destruction, disclosure and other handling of the personal data as are contained in this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) No data processor shall process any personal data transferred under this section except to achieve the purpose for which it was collected.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) A data controller that transfers personal data under this section shall remain liable to the data subject for the actions of the data processor.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;11. Security of personal data and duty of confidentiality. –&lt;/b&gt; (1) No person shall collect, receive, store, process or otherwise handle any personal data without implementing measures, including, but not restricted to, technological, physical and administrative measures, adequate to secure its confidentiality, secrecy, integrity and safety, including from theft, loss, damage or destruction.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Data controllers and data processors shall be subject to a duty of confidentiality and secrecy in respect of personal data in their possession or control.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) Without prejudice to the provisions of this section, a data controller or data processor shall, if the confidentiality, secrecy, integrity or safety of personal data in its possession or control is violated by theft, loss, damage or destruction, or as a result of any disclosure contrary to the provisions of this Act, or for any other reason whatsoever, notify the data subject, in such form and manner as may be prescribed, forthwith.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;12. Regulation of disclosure of personal data. –&lt;/b&gt; Subject to section 10, section 13 and section 14, no person shall disclose, or otherwise cause any other person to receive, the content or nature of any personal data that has been collected in conformity with this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;13. Disclosure of personal data with prior informed consent. – &lt;/b&gt;(1) Subject to sub-section (2), a data controller or data processor seeking to disclose personal data under this section shall, prior to its disclosure, obtain the consent of the data subject.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Prior to a disclosure of personal data under this section, the data controller or data processor, as the case may be, seeking to disclose the personal data, shall inform the data subject of the following details in respect of his personal data, namely: –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) when it will be disclosed;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) the purpose of its disclosure;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(c) the security practices, privacy policies and other policies, if any, that will protect it; and&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(d) the procedure for recourse in case of any grievance in relation to it.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;14. Disclosure of personal data without prior consent. –&lt;/b&gt; (1) Subject to sub-section (2), personal data may be disclosed without the prior consent of the data subject if it is necessary –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) to prevent a reasonable threat to national security, defence or public order; or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) to prevent, investigate or prosecute a cognisable offence.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) No data controller or data processor shall disclose any personal data unless it has received an order in writing from a police officer not below the rank of [___] in such form and manner as may be prescribed:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that an order for the disclosure of personal data made under this sub-section shall not require the disclosure of any personal data that is not necessary to achieve the purpose for which the disclosure is sought:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided further that the data subject shall be notified, in such form and manner as may be prescribed, of the disclosure of his personal data, including details of its content and nature, and the identity of the police officer who ordered its disclosure, forthwith.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;15. Quality and accuracy of personal data. –&lt;/b&gt; (1) Each data controller and data processor shall, to the extent possible, ensure that the personal data in its possession or control, is accurate and, where necessary, is kept up to date.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) No data controller or data processor shall deny a data subject whose personal data is in its possession or control the opportunity to review his personal data and, where necessary, rectify anything that is inaccurate or not up to date.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) A data subject may, if he finds personal data in the possession or control of a data controller or data processor that is not necessary to achieve the purpose for which it was collected, received or stored, demand its destruction, and the data controller shall destroy, or cause the destruction of, the personal data forthwith.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;16. Special provisions for sensitive personal data. –&lt;/b&gt; Notwithstanding anything contained in this Act and the provisions of any other law for the time being in force –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) no person shall store sensitive personal data for a period longer than is necessary to achieve the purpose for which it was collected or received, or, if that purpose has been achieved or ceases to exist for any reason, for any period following such achievement or cessation;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) no person shall process sensitive personal data for a purpose other than the purpose for which it was collected or received;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(c) no person shall disclose sensitive personal data to another person, or otherwise cause any other person to come into the possession or control of, the content or nature of any sensitive personal data, including any other details in respect thereof.&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;CHAPTER IV&lt;/b&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;The Data Protection Authority&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;17.&lt;/b&gt; &lt;b&gt;Constitution of the Data Protection Authority. –&lt;/b&gt; (1) The Central Government shall, by notification, constitute, with effect from such date as may be specified therein, a body to be called the Data Protection Authority consisting of a Chairperson and not more than four other Members, to exercise the jurisdiction and powers and discharge the functions and duties conferred or imposed upon it by or under this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) The Chairperson shall be a person who has been a Judge of the Supreme Court:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that the appointment of the Chairperson shall be made only after consultation with the Chief Justice of India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) Each Member shall be a person of ability, integrity and standing who has a special knowledge of, and professional experience of not less than ten years in privacy law and policy.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;18. Term of office, conditions of service, etc. of Chairperson and Members. – &lt;/b&gt;(1) Before appointing any person as the Chairperson or Member, the Central Government shall satisfy itself that the person does not, and will not, have any such financial or other interest as is likely to affect prejudicially his functions as such Chairperson or Member.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) The Chairperson and every Member shall hold office for such period, not exceeding five years, as may be specified in the order of his appointment, but shall be eligible for reappointment:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that no person shall hold office as the Chairperson or Member after he has attained the age of sixty-seven years.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) Notwithstanding anything contained in sub-section (2), the Chairperson or any Member may –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) by writing under his hand resign his office at any time;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) be removed from office in accordance with the provisions of section 19 of this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(4) A vacancy caused by the resignation or removal of the Chairperson or Member under sub-section (3) shall be filled by fresh appointment.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(5) In the event of the occurrence of a vacancy in the office of the Chairperson, such one of the Members as the Central Government may, by notification, authorise in this behalf, shall act as the Chairperson till the date on which a new Chairperson, appointed in accordance with the provisions of this Act, to fill such vacancy, enters upon his office.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(6) When the Chairperson is unable to discharge his functions owing to absence, illness or any other cause, such one of the Members as the Chairperson may authorise in writing in this behalf shall discharge the functions of the Chairperson, till the date on which the Chairperson resumes his duties.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(7) The salaries and allowances payable to and the other terms and conditions of service of the Chairperson and Members shall be such as may be prescribed:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that neither the salary and allowances nor the other terms and conditions of service of the Chairperson and any member shall be varied to his disadvantage after his appointment.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;19. Removal of Chairperson and Members from office in certain circumstances. – &lt;/b&gt;The Central Government may remove from office the Chairperson or any Member, who –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) is adjudged an insolvent; or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) engages during his term of office in any paid employment outside the duties of his office; or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(c) is unfit to continue in office by reason of infirmity of mind or body; or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(d) is of unsound mind and stands so declared by a competent court; or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(e) is convicted for an offence which in the opinion of the President involves moral turpitude; or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(f) has acquired such financial or other interest as is likely to affect prejudicially his functions as a Chairperson or Member, or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(g) has so abused his position as to render his continuance in office prejudicial to the public interest.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;20. Functions of the Data Protection Authority. –&lt;/b&gt; (1) The Chairperson may inquire, &lt;i&gt;suo moto&lt;/i&gt; or on a petition presented to it by any person or by someone acting on his behalf, in respect of any matter connected with the collection, storage, processing, disclosure or other handling of any personal data and give such directions or pass such orders as are necessary for reasons to be recorded in writing.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Without prejudice to the generality of the foregoing provision, the Data Protection Authority shall perform all or any of the following functions, namely –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) review the safeguards provided by or under this Act and other law for the time being in force for the protection of personal data and recommend measures for their effective implementation;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) review any measures taken by any entity for the protection of personal data and take such further action as it deems fit;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(c) review any action, policy or procedure of any entity to ensure compliance with this Act and any rules made hereunder;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(d) formulate, in consultation with experts, norms for the effective protection of personal data;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(e) promote awareness and knowledge of personal data protection through any means necessary;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(f) undertake and promote research in the field of protection of personal data;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(g) encourage the efforts of non-governmental organisations and institutions working in the field of personal data protection;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(h) publish periodic reports concerning the incidence of collection, processing, storage, disclosure and other handling of personal data;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(i) such other functions as it may consider necessary for the protection of personal data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) Subject to the provisions of any rules prescribed in this behalf by the Central Government, the Data Protection Authority shall have the power to review any decision, judgement, decree or order made by it.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(4) In the exercise of its functions under this Act, the Data Protection Authority shall give such directions or pass such orders as are necessary for reasons to be recorded in writing.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(5) The Data Protection Authority may, in its own name, sue or be sued.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; 21. Secretary, officers and other employees of the Data Protection Authority. – &lt;/b&gt;(1) The Central Government shall appoint a Secretary to the Data Protection Authority to exercise and perform, under the control of the Chairperson such powers and duties as may be prescribed or as may be specified by the Chairperson.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) The Central Government may provide the Data Protection Authority with such other officers and employees as may be necessary for the efficient performance of the functions of the Data Protection Authority.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) The salaries and allowances payable to and the conditions of service of the Secretary and other officers and employees of the Data Protection Authority shall be such as may be prescribed.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; 22. Salaries, etc. be defrayed out of the Consolidated Fund of India. –&lt;/b&gt; The salaries and allowances payable to the Chairperson and Members and the administrative expenses, including salaries, allowances and pension, payable to or in respect of the officers and other employees of the Data Protection Authority shall be defrayed out of the Consolidated Fund of India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; 23. Vacancies, etc. not to invalidate proceedings of the Data Protection Authority. –&lt;/b&gt; No act or proceeding of the Data Protection Authority shall be questioned on the ground merely of the existence of any vacancy or defect in the constitution of the Data Protection Authority or any defect in the appointment of a person acting as the Chairperson or Member.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; 24. Chairperson, Members and employees of the Data Protection Authority to be public servants. –&lt;/b&gt; The Chairperson and Members and other employees of the Data Protection Authority shall be deemed to be public servants within the meaning of section 21 of the Indian Penal Code, 1860 (45 of 1860).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; 25. Location of the office of the Data Protection Authority.&lt;/b&gt; &lt;b&gt;–&lt;/b&gt; The offices of the Data Protection Authority shall be in [___] or any other location as directed by the Chairperson in consultation with the Central Government.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; 26. Procedure to be followed by the Data Protection Authority. – &lt;/b&gt;(1) Subject to the provisions of this Act, the Data Protection Authority shall have powers to regulate –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) the procedure and conduct of its business;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) the delegation to one or more Members of such powers or functions as the Chairperson may specify.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) In particular and without prejudice to the generality of the foregoing provisions, the powers of the Data Protection Authority shall include the power to determine the extent to which persons interested or claiming to be interested in the subject-matter of any proceeding before it may be allowed to be present or to be heard, either by themselves or by their representatives or to cross-examine witnesses or otherwise take part in the proceedings:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that any such procedure as may be prescribed or followed shall be guided by the principles of natural justice.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;27. Power relating to inquiries. –&lt;/b&gt; (1) The Data Protection Authority shall, for the purposes of any inquiry or for any other purpose under this Act, have the same powers as vested in a civil court under the Code of Civil Procedure, 1908 (5 of 1908), while trying suits in respect of the following matters, namely –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) the summoning and enforcing the attendance of any person from any part of India and examining him on oath;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) the discovery and production of any document or other material object producible as evidence;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(c) the reception of evidence on affidavit;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(d) the requisitioning of any public record from any court or office;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(e) the issuing of any commission for the examination of witnesses; and,&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(f) any other matter which may be prescribed.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) The Data Protection Authority shall have power to require any person, subject to any privilege which may be claimed by that person under any law for the time being in force, to furnish information on such points or matters as, in the opinion of the Data Protection Authority, may be useful for, or relevant to, the subject matter of an inquiry and any person so required shall be deemed to be legally bound to furnish such information within the meaning of section 176 and section 177 of the Indian Penal Code, 1860 (45 of 1860).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) The Data Protection Authority or any other officer, not below the rank of a Gazetted Officer, specially authorised in this behalf by the Data Protection Authority may enter any building or place where the Data Protection Authority has reason to believe that any document relating to the subject matter of the inquiry may be found, and may seize any such document or take extracts or copies therefrom subject to the provisions of section 100 of the Code of Criminal Procedure, 1973 (2 of 1974), in so far as it may be applicable.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(4) The Data Protection Authority shall be deemed to be a civil court and when any offence as is described in section 175, section 178, section 179, section 180 or section 228 of the Indian Penal Code, 1860 (45 of 1860) is committed in the view or presence of the Data Protection Authority, the Data Protection Authority may, after recording the facts constituting the offence and the statement of the accused as provided for in the Code of Criminal Procedure, 1973 (2 of 1974), forward the case to a Magistrate having jurisdiction to try the same and the Magistrate to whom any such case is forwarded shall proceed to hear the complaint against the accused as if the case had been forwarded to him under section 346 of the Code of Criminal Procedure, 1973 (2 of 1974).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;28. Decisions of the &lt;/b&gt;&lt;b&gt;Data Protection Authority. –&lt;/b&gt; (1) The decisions of the Data Protection Authority shall be binding.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) In its decisions, the Data Protection Authority has the power to –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) require an entity to take such steps as may be necessary to secure compliance with the provisions of this Act;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) require an entity to compensate any person for any loss or detriment suffered;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(c) impose any of the penalties provided under this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; 29. Proceedings before the Data Protection Authority to be judicial proceedings. –&lt;/b&gt; The Data Protection Authority shall be deemed to be a civil court for the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973 (2 of 1974), and every proceeding before the Data Protection Authority shall be deemed to be a judicial proceeding within the meaning of section 193 and section 228 and for the purposes of section 196 of the Indian Penal Code, 1860 (45 of 1860).&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;CHAPTER V&lt;/b&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;Regulation by Data Controllers and Data Processors&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;30. Co-regulation by Data Controllers and the Data Protection Authority. –&lt;/b&gt; (1) The Data Protection Authority may, in consultation with data controllers, formulate codes of conduct for the collection, storage, processing, disclosure or other handling of any personal data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) No code of conduct formulated under sub-section (1) shall be binding on a data controller unless –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) it has received the written approval of the Data Protection Authority; and&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) it has received the approval, by signature of a director or authorised signatory, of the data controller.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;31. Co-regulation without prejudice to other remedies. – &lt;/b&gt;Any code of conduct formulated under this chapter shall be without prejudice to the jurisdiction, powers and functions of the Data Protection Authority.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;32. Self-regulation&lt;/b&gt; &lt;b&gt;by data controllers. – &lt;/b&gt;(1) The Data Protection Authority may encourage data controllers and data processors to formulate professional codes of conduct to establish rules for the collection, storage, processing, disclosure or other handling of any personal data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) No code of conduct formulated under sub-section (1) shall be effective unless it is registered, in such form and manner as may be prescribed, by the Data Protection Authority.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) The Data Protection Authority shall, for reasons to be recorded in writing, not register any code of conduct formulated under sub-section (1) that is not adequate to protect personal data.&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;CHAPTER IV&lt;/b&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;Surveillance and Interception of Communications&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;33. Surveillance and interception of communication to be warranted. – &lt;/b&gt;Notwithstanding anything contained in any other law for the time being in force, no –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(i) surveillance shall be carried out, and no person shall order any surveillance of another person;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(ii) communication shall be intercepted, and no person shall order the interception of any communication of another person; save in execution of a warrant issued under section 36, or an order made under section 38, of this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;34.&lt;/b&gt; &lt;b&gt;Application for issuance of warrant. – &lt;/b&gt;(1) Any authorised officer seeking to carry out any surveillance or intercept any communication of another person shall prefer an application for issuance of a warrant to the Magistrate.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) The application for issuance of the warrant shall be in the form and manner prescribed in the Schedule and shall state the purpose for which the warrant is sought.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) The application for issuance of the warrant shall be accompanied by –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(i) a report by the authorised officer of the suspicious conduct of the person in respect of whom the warrant is sought, and all supporting material thereof;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(ii) an affidavit of the authorised officer, or a declaration under his hand and seal, that the contents of the report and application are true to the best of his knowledge, information and belief, and that the warrant shall be executed only for the purpose stated in the application and shall not be misused or abused in any manner including to interfere in the privacy of any person;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(iii) details of all warrants previously issued in respect of the person in respect of whom the warrant is sought, if any.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;35. Considerations prior to the issuance of warrant. –&lt;/b&gt; (1) No warrant shall issue unless the requirements of section 34 and this section have been met.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) The Magistrate shall consider the application made under section 34 and shall satisfy himself that the information contained therein sets out –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(i) a reasonable threat to national security, defence or public order; or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(ii) a cognisable offence, the prevention, investigation or prosecution of which is necessary in the public interest.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) The Magistrate shall satisfy himself that all other lawful means to acquire the information that is sought by the execution of the warrant have been exhausted.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(4) The Magistrate shall verify the identity of the authorised officer and shall satisfy himself that the application for issuance of the warrant is authentic.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;36. Issue of warrant. –&lt;/b&gt; (1) Subject to section 34 and section 35, the Magistrate may issue a warrant for surveillance or interception of communication, or both of them.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) The Magistrate may issue the warrant in Chambers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;37. Magistrate may reject application for issuance of warrant. – &lt;/b&gt;If the Magistrate is not satisfied that the requirements of section 34 and section 35 have been met, he may, for reasons to be recorded in writing, –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(i) refuse to issue the warrant and dispose of the application;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(ii) return the application to the authorised officer without disposing of it;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(iii) pass any order that he thinks fit.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;38. Order by Home Secretary in emergent circumstances. –&lt;/b&gt; (1) Notwithstanding anything contained in section 35, if the Home Secretary of the appropriate government is satisfied that a grave threat to national security, defence or public order exists, he may, for reasons to be recorded in writing, order any surveillance or interception of communication.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) An authorised officer seeking an order for surveillance or interception of communication under this section shall prefer an application to the Home Secretary in the form and manner prescribed in the Schedule and accompanied by the documents required under sub-section (3) of section 34.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) No order for surveillance or interception of communication made by the Home Secretary under this section shall be valid upon the expiry of a period of seven days from the date of the order.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(4) Before the expiry of a period of seven days from the date of an order for surveillance or interception of communication made under this section, the authorised officer who applied for the order shall place the application before the Magistrate for confirmation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;39.&lt;/b&gt; &lt;b&gt;Duration of warrant or order. – &lt;/b&gt;(1) The warrant or order for surveillance or interception of communication shall specify the period of its validity and, upon its expiry, all surveillance and interception of communication, as the case may be, carried out in relation to that warrant or order shall cease forthwith:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that no warrant or order shall be valid upon the expiry of a period of sixty days from the date of its issue.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) A warrant issued under section 36, or an order issued under section 38, for surveillance or interception of communication, or both of them, may be renewed by a Magistrate if he is satisfied that the requirements of sub-section (2) of section 35 continue to exist.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;40. Duty to inform the person concerned. – &lt;/b&gt;Subject to sub-section (2), before the expiry of a period of sixty days from the conclusion of any surveillance or interception of communication carried out under this Act, the authorised officer who carried out the surveillance or interception of communication shall, in writing in such form and manner as may be prescribed, notify, with reference to the warrant of the Magistrate, and, if applicable, the order of the Home Secretary, each person in respect of whom the warrant or order was issued, of the fact of such surveillance or interception and duration thereof.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) The Magistrate may, on an application made by an authorised officer in such form and manner as may be prescribed, if he is satisfied that the notification under sub-section (1) would –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) present a reasonable threat to national security, defence or public order, or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) adversely affect the prevention, investigation or prosecution of a cognisable offence,&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;for reasons to be recorded in writing addressed to the authorised officer, order that the person in respect of whom the warrant or order of surveillance or interception of communication was issued, not be notified of the fact of such interception or the duration thereof:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;41. Security and duty of confidentiality and secrecy. – &lt;/b&gt;(1) No person shall carry out any surveillance or intercept any communication of another person without implementing measures, including, but not restricted to, technological, physical and administrative measures, to secure the confidentiality and secrecy of all information obtained as a result of the surveillance or interception of communication, as the case may be, including from theft, loss or unauthorised disclosure.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Any person who carries out any surveillance or interception of any communication, or who obtains any information, including personal data, as a result of surveillance or interception of communication, shall be subject to a duty of confidentiality and secrecy in respect of it.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) Every competent organisation shall, before the expiry of a period of one hundred days from the enactment of this Act, designate as many officers as it deems fit as Privacy Officers who shall be administratively responsible for all interceptions of communications carried out by that competent organisation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;42. Disclosure of information. – &lt;/b&gt;(1) Save as provided in this section, no person shall disclose to any other person, or otherwise cause any other person to come into the knowledge or possession of, the content or nature of any information, including personal data, obtained as a result of any surveillance or interception carried out under this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Notwithstanding anything contained in this section, if the disclosure of any information, including personal data, obtained as a result of any surveillance or interception of any communication is necessary to –&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) prevent a reasonable threat to national security, defence or public order, or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) prevent, investigate or prosecute a cognisable offence,&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;an authorised officer may disclose the information, including personal data, to any authorised officer of any other competent organisation.&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;CHAPTER VI&lt;/b&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;Offences and penalties&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;43. Punishment for offences related to personal data. –&lt;/b&gt; (1) Whoever, except in conformity with the provisions of this Act, collects, receives, stores, processes or otherwise handles any personal data shall be punishable with imprisonment for a term which may extend to [___] years and may also be liable to fine which may extend to [___] rupees.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Whoever attempts to commit any offence under sub-section (1) shall be punishable with the punishment provided for such offence under that sub-section.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) Whoever, except in conformity with the provisions of this Act, collects, receives, stores, processes or otherwise handles any sensitive personal data shall be punishable with imprisonment for a term which may extend to [&lt;i&gt;increased for sensitive personal data&lt;/i&gt;] years and may also be liable to fine which may extend to [___] rupees.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(4) Whoever attempts to commit any offence under sub-section (3) shall be punishable with the punishment provided for such offence under that sub-section.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;44. Abetment and repeat offenders. –&lt;/b&gt; (1) Whoever abets any offence punishable under this Act shall, if the act abetted is committed in consequence of the abetment, be punishable with the punishment provided for that offence.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Whoever, having been convicted of an offence under any provision of this Act is again convicted of an offence under the same provision, shall be punishable, for the second and for each subsequent offence, with double the penalty provided for that offence.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;45. Offences by companies. –&lt;/b&gt; (1) Where an offence under this Act has been committed by a company, every person who, at the time the offence was committed, was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that nothing contained in this sub-section shall render any such person liable to any punishment, if he proves that the offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Notwithstanding anything contained in sub-section (1), where any offence under this Act has been committed by a company and it is proved that the offence has been committed with the consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall be deemed to be guilty of that offence, and shall be liable to be proceeded against and punished accordingly.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;46. Cognisance. –&lt;/b&gt; Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), the offences under section 43, section 44 and section 45 shall be cognisable and non-bailable.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;47&lt;/b&gt;&lt;b&gt;. General penalty. –&lt;/b&gt; Whoever, in any case in which a penalty is not expressly provided by this Act, fails to comply with any notice or order issued under any provisions thereof, or otherwise contravenes any of the provisions of this Act, shall be punishable with fine which may extend to [___] rupees, and, in the case of a continuing failure or contravention, with an additional fine which may extend to [___] rupees for every day after the first during which he has persisted in such failure or contravention.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;48&lt;/b&gt;&lt;b&gt;. Punishment to be without prejudice to any other action. –&lt;/b&gt; The award of punishment for an offence under this Act shall be without prejudice to any other action which has been or which may be taken under this Act with respect to such contravention.&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;CHAPTER VII&lt;/b&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;Miscellaneous&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; 49. Power to make rules. –&lt;/b&gt; (1) The Central Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for –&lt;/p&gt;
&lt;p&gt;[__]&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(3) Every rule made under this section shall be laid, as soon as may be after it is made, before each House of Parliament while it is in session for a period of thirty days which may be comprised in one session or in two successive sessions and if before the expiry of the session in which it is so laid or the session immediately following, both Houses agree in making any modification in the rule, or both Houses agree that the rule should not be made, the rule shall thereafter have effect only in such modified form or be of no effect, as the case may be, so however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that rule.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; 50. Bar of jurisdiction. –&lt;/b&gt; (1) On and from the appointed day, no court or authority shall have, or be entitled to exercise, any jurisdiction, powers or authority (except the Supreme Court and a High Court exercising powers under Article 32, Article 226 and Article 227 of the Constitution) in relation to matters specified in this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) No order passed under this Act shall be appealable except as provided therein and no civil court shall have jurisdiction in respect of any matter which the Data Protection Authority is empowered by, or under, this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; 51. Protection of action taken in good faith. – &lt;/b&gt;No suit or other legal proceeding shall lie against the Central Government, State Government, Data Protection Authority, Chairperson, Member or any person acting under the direction either of the Central Government, State Government, Data Protection Authority, Chairperson or Member in respect of anything which is in good faith done or intended to be done in pursuance of this Act or of any rules or any order made thereunder.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;52. Power to remove difficulties. –&lt;/b&gt; (1) If any difficulty arises in giving effect to the provisions of this Act, the Central Government may, by order, published in the Official Gazette, make such provisions, not inconsistent with the provisions of this Act, as appears to it to be necessary or expedient for removing the difficulty:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that no such order shall be made under this section after the expiry of a period of three years from the commencement of this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Every order made under this section shall be laid, as soon as may be after it is made, before each House of Parliament.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; 53. Act to have overriding effect. – &lt;/b&gt;The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft'&gt;https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>bhairav</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-10-01T12:25:43Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>




</rdf:RDF>
