Last month, WikiLeaks released “Spy Files 3”, a mass exposure of the global surveillance trade and industry. WikiLeaks first released the Spy Files in December 2011, which entail brochures, presentations, marketing videos and technical specifications on the global trade of surveillance technologies. Spy Files 3 supplements this with 294 additional documents from 92 global intelligence contractors.

So what do the latest Spy Files reveal about India?

When we think about India, the first issues that probably come to mind are poverty and corruption, while surveillance appears to be a more “Western” and elitist issue. However, while many other developing countries are excluded from WikiLeaks’ list of surveillance technology companies, India is once again on the list with some of the most controversial spyware.

ISS World Surveillance Trade Shows

The latest Spy Files include a brochure of the ISS World 2013 -the so-called “wiretapper’s ball”- which is the world’s largest surveillance trade show. This years’ ISS World Asia will take place in Malaysia during the first week of December and law enforcement agencies from around the world will have another opportunity to view and purchase the latest surveillance tech. The leaked ISS World 2013 brochure entails a list of last years’ global attendees. According to the brochure, 53% of the attendees included law enforcement agencies and individuals from the defense, public safety and interior security sectors, 41% of the attendees were ISS vendors and technology integrators, while only 6% of the attendees were telecom operators and from the private enterprise. The brochure boasts that 4,635 individuals from 110 countries attended the ISS World trade shows last year and that the percentage of attendance is increasing.

The following table lists the Indian attendees at last years’ ISS World:

Law Enforcement, Defense and Interior Security Attendees	Telecom Operators and Private Enterprises Attendees	ISS Vendors and Technology Integrators Attendees
Andhra Pradesh India Police	BT	AGC Networks
CBI Academy	Cogence Investment Bank	Aqsacom India
Government of India, Telecom Department	India Reliance Communications	ClearTrail Technologies
India Cabinet Secretariat	Span Telecom Pvt. Ldt.	Foundation Technologies
India Centre for Development of Telematics (C-DOT)		Kommlabs
India Chandigarh Police		Paladion Networks
India Defence Agency		Polaris Wireless
India General Police		Polixel Security Systems
India Intelligence Department		Pyramid Cyber Security
India National Institute of Criminology		Schleicher Group
India office LOKAYUKTA NCT DELHI		Span Technologies
India Police Department, A.P.		TATA India
India Tamil Nadu Police Department		Tata Consultancy Services
Indian Police Service, Vigilance		Telecommunications India
Indian Telecommunications Authority		Vehere Interactive
NTRO India
SAIC Indian Tamil Nadu Police

17                                                        4                                                      15

According to the above table - which is based on data from the WikiLeaks’ ISS World 2013 brochure- the majority of Indian attendees at last years’ ISS World were from the law enforcement, defense and interior security sectors. 15 Indian companies exhibited and sold their surveillance technologies to law enforcement agencies from around the world and it is notable that India’s popular ISP provider, Reliance Communications, attended the trade show too.

In addition to the ISS World 2013 brochure, the Spy Files 3 entail a detailed brochure of a major Indian surveillance technology company: ClearTrail Technologies.

ClearTrail Technologies

ClearTrail Technologies is an Indian company based in Indore. The document titled “Internet Monitoring Suite” from ClearTrail Technologies boasts about the company’s mass monitoring, deep packet inspection, COMINT, SIGINT, tactical Internet monitoring, network recording and lawful interception technologies. ClearTrail’s Internet Monitoring Suite includes the following products:

1. ComTrail: Mass Monitoring of IP and Voice Networks

ComTrail is an integrated product suite for centralized interception and monitoring of voice and data networks. It is equipped with an advanced analysis engine for pro-active analysis of thousands of connections and is integrated with various tools, such as Link Analysis, Voice Recognition and Target Location.

ComTrail is deployed within a service provider network and its monitoring function correlates voice and data intercepts across diverse networks to provide a comprehensive intelligence picture. ComTrail supports the capture, record and replay of a variety of Voice and IP communications in pretty much any type of communication, including - but not limited to- Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls.

Additionally, ComTrail intercepts data from any type of network -whether Wireless, packet data, Wire line or VoIP networks- and can decode hundreds of protocols and P2P applications, including HTTP, Instant Messengers, Web-mails, VoIP Calls and MMS.

In short, ComTrail’s key features include the following:

- Equipped to handle millions of communications per day intercepted over high speed STM & Ethernet Links

- Doubles up as Targeted Monitoring System

- On demand data retention, capacity exceeding several years

- Instant Analysis across thousands of Terabytes

- Correlates Identities across multiple networks

- Speaker Recognition and Target Location

2. xTrail: Targeted IP Monitoring

xTrail is a solution for interception, decoding and analysis of high speed data traffic over IP networks and independently monitors ISPs/GPRS and 3G networks. xTrail has been designed in such a way that it can be deployed within minutes and enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. This product is capable of intercepting all types of networks -including wireline, wireless, cable, VoIP and VSAT networks- and acts as a black box for “record and replay” targeted Internet communications.

Interestingly enough, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, an IP address, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID. Furthermore, xTrail can be integrated with link analysis tools and can export data in a digital format which can allegedly be presented in court as evidence.

In short, xTrail’s key features include the following:

- Pure passive probe

- Designed for rapid field operations at ISP/GPRS/Wi-Max/VSAT Network Gateways

- Stand-alone solution for interception, decoding and analysis of multi Gigabit IP traffic

- Portable trolley based for simplified logistics, can easily be deployed and removed from any network location

- Huge data retention, rich analysis interface and tamper proof court evidence

- Easily integrates with any existing centralized monitoring system for extended coverage

3. QuickTrail: Tactical Wi-Fi Monitoring

Some of the biggest IP monitoring challenges that law enforcement agencies face include cases when targets operate from public Internet networks and/or use encryption.

QuickTrail is a device which is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. In particular, QuickTrail is equipped with multiple monitoring tools and techniques that can help intercept almost any wired, Wi-Fi or hybrid Internet network so that a target communication can be monitored. QuickTrail can be deployed within fractions of seconds to intercept, reconstruct, replay and analyze email, chat, VoIP and other Internet activities of a target. This device supports real time monitoring and wiretapping of Ethernet LANs.

According to ClearTrail’s brochure, QuickTrail is a “all-in-one” device which can intercept secured communications, know passwords with c-Jack attack, alert on activities of a target, support active and passive interception of Wi-Fi and wired LAN and capture, reconstruct and replay. It is noteworthy that QuickTrail can identify a target machine on the basis of an IP address, MAC ID, machine name, activity status and several other parameters. In addition, QuickTrail supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS. This device also enables the remote and central management of field operations at geographically different locations.

In short, QuickTrail’s key features include the following:

- Conveniently housed in a laptop computer

- Intercepts Wi-Fi and wired LANs in five different ways

- Breaks WEP, WPA/WPA2 to rip-off secured Wi-Fi networks

- Deploys spyware into a target’s machine

- Monitor’s Gmail, Yahoo and all other HTTPS-based communications

- Reconstructs webmails, chats, VoIP calls, news groups and social networks

4. mTrail: Off-The-Air Interception

mTrail offers active and passive ‘off-the-air’ interception of GSM 900/1800/1900 Mhz phone calls and data to meet law enforcement surveillance and investigation requirements. The mTrail passive interception system works in the stealth mode so that there is no dependence on the network operator and so that the target is unaware of the interception of its communications.

The mTrail system has the capability to scale from interception of 2 channels (carrier frequencies) to 32 channels. mTrail can be deployed either in a mobile or fixed mode: in the mobile mode the system is able to fit into a briefcase, while in the fixed mode the system fits in a rack-mount industrial grade chassis.

Target location identification is supported by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation on so-called “lawfully intercepted” calls in near real-time, as well as to store all calls. Additionally, mTrail supports the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information.

In short, mTrail’s key features include the following:

- Designed for passive interception of GSM communications

- Intercepts Voice and SMS “off-the-air”

- Detects the location of the target

- Can be deployed as a fixed unit or mounted in a surveillance van

- No support required from GSM operator

5. Astra: Remote Monitoring and Infection framework

“Astra” is a remote monitoring and infection framework which incorporates both conventional and proprietary infection methods to ensure bot delivery to the targeted devices. It also offers a varied choice in handling the behavior of bots and ensuring non-traceable payload delivery to the controller.

The conventional methods of infection include physical access to a targeted device by using exposed interfaces, such as a CD-ROM, DVD and USB ports, as well as the use of social media engineering techniques. However, Astra also supports bot deployment without requiring any physical access to the target device.

In particular, Astra can push bot to any targeted machine sharing the same LAN (wired, wi-fi or hybrid). The SEED is a generic bot which can identify a target’s location, log keystrokes, capture screen-shots, capture Mic, listen to Skype calls, capture webcams and search the target’s browsing history. Additionally, the SEED bot can also be remotely activated, deactivated or terminated, as and when required. Astra allegedly provides an un-traceable reporting mechanism that operates without using any proxies, which overrules the possibility of getting traced by the target.

Astra’s key features include the following:

- Proactive intelligence gathering

- End-to-end remote infection and monitoring framework

- Follow the target, beat encryption, listen to in-room conversations, capture keystrokes and screen shots

- Designed for centralized management of thousands of targets

- A wide range of deployment mechanisms to optimize success ration

- Non-traceable, non-detectable delivery mechanism

- Intrusive yet stealthy

- Easy interface for handling most complex tasks

- Successfully tested over the current top 10 anti-virus available in the market

- No third party dependencies

- Free from any back-door intervention

ClearTrail Technologies argue that they meet lawful interception regulatory requirements across the globe. In particular, they claim that their products are compliant with ETSI and CALEA regulations and that they are efficient to cater to region specific requirements as well.

The latest Spy Files also include data on foreign surveillance technology companies operating in India, such as Telesoft Technologies, AGT International and Verint Systems. In particular, Verint Systems has its headquarters in New York and offices all around the world, including Bangalore in India. Founded in 1994 and run by Dan Bodner, Verint Systems produces a wide range of surveillance technologies, including the following:

- Impact 360 Speech Analytics

- Impact 360 Text Analytics

- Nextiva Video Management Software (VMS)

- Nextiva Physical Security Information Management (PSIM)

- Nextiva Network Video Recorders (NVRs)

- Nextiva Video Business Intelligence (VBI)

- Nextiva Surveillance Analytics

- Nextiva IP cameras

- CYBERVISION Network Security

- ENGAGE suite

- FOCAL-INFO (FOCAL-COLLECT & FOCAL-ANALYTICS)

- RELIANT

- STAR-GATE

- VANTAGE

While Verint Systems claims to be in compliance with ETSI, CALEA and other worldwide lawful interception and standards and regulations, it remains unclear whether such products successfully help law enforcement agencies in tackling crime and terrorism, without violating individuals’ right to privacy and other human rights. After all, Verint Systems has participated in ISS World Trade shows which exhibit some of the most controversial spyware in the world, used to target individuals and for mass surveillance.

And what do the latest Spy Files mean for India?

Why is it even important to look at the latest Spy Files? Well, for starters, they reveal data about which Indian law enforcement agencies are interested in surveillance and which companies are interested in selling and/or buying the latest spy gear. And why is any of this important? I can think of three main reasons:

1. The Central Monitoring System (CMS)

2. Is any of this surveillance even legal in India?

3. Can such surveillance result in the violation of human rights?

Spy Files 3...and the Central Monitoring System (CMS)

Following the Mumbai 2008 terrorist attacks, the Telecom Enforcement, Resource and Monitoring (TREM) cells and the Centre for Development of Telematics (C-DOT) started preparing the Central Monitoring System (CMS). As of April 2013, this project is being manned by the Intelligence Bureau, while agencies which are planned to have access to it include the Research & Analysis Wing (RAW) and the Central Bureau of Investigation (CBI). ISP and Telecom operators are required to install the gear which enables law enforcement agencies to carry out the Central Monitoring System under the Unified Access Services (UAS) License Agreement.

The Central Monitoring System aims at centrally monitoring all telecommunications and Internet communications in India and its estimated cost is Rs. 4 billion. In addition to equipping government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers, the CMS will also enable Call Data Records (CDR) analysis and data mining to identify personal information of the target numbers. The CMS supplements regional Internet Monitoring Systems, such as that of Assam, by providing a nationwide monitoring of telecommunications and Internet communications, supposedly to assist law enforcement agencies in tackling crime and terrorism.

However, data monitored and collected through the CMS will be stored in a centralised database, which could potentially increase the probability of centralized cyber attacks and thus increase, rather than reduce, threats to national security. Furthermore, some basic rules of statistics indicate that the bigger the amount of data, the bigger the probability of an error in matching profiles, which could potentially result in innocent people being charged with crimes they did not commit. And most importantly: the CMS currently lacks adequate legal oversight, which means that it remains unclear how monitored data will be used. The UAS License Agreement regarding the CMS mandates mass surveillance by requiring ISPs and Telecom operators to enable the monitoring and interception of communications. However, targeted and mass surveillance through the CMS not only raises serious questions around its legality, but also creates the potential for abuse of the right to privacy and other human rights.

Interestingly enough, Indian law enforcement agencies which attended last years’ ISS World trade shows are linked to the Central Monitoring System. In particular, last years’ law enforcement, defense and interior security attendees include the Centre for Development of Telematics (C-DOT) and the Department of Telecommunications, both of which prepared the Central Monitoring System. The list of attendees also includes India’s Intelligence Bureau, which is manning the CMS, as well as the agencies which will have access to the CMS: the Central Bureau of Investigation (CBI), the Research and Analysis Wing (RAW), the National Technical Research Organization (NTRO) and various other state police departments and intelligence agencies.

Furthermore, Spy Files 3 entail a list of last years’ ISS World security company attendees, which includes several Indian companies. Again, interestingly enough, many of these companies may potentially be aiding law enforcement with the technology to carry out the Central Monitoring System. ClearTrail Technologies, in particular, provides solutions for targeted and mass monitoring of IP and voice networks, as well as remote monitoring and infection frameworks - all of which would potentially be perfect to aid the Central Monitoring System.

In fact, ClearTrail states in its brochure that its ComTrail product is equipped to handle millions of communications per day, while its xTrail product can easily be integrated with any existing centralised monitoring system for extended coverage. And if that’s not enough, ClearTrail’s “Astra” is designed for the centralized management of thousands of targets. While there may not be any concrete proof that ClearTrail is indeed aiding the Centralized Monitoring System, the facts speak for themselves: ClearTrail is an Indian company which sells target and mass monitoring products to law enforcement agencies. The Centralized Monitoring System is currently being implemented. What are the odds that ClearTrail is not equipping the CMS? And what are the odds that such technology is not being used for other mass electronic surveillance programmes, such as the Lawful Intercept and Monitoring (LIM)?

Spy Files 3...and the legality of India’s surveillance technologies

ClearTrail Technologies’ brochure -the only leaked document on Indian surveillance technology by the latest Spy Files- states that the company complies with ETSI and CALEA regulations. While it’s clear that the company complies with U.S. and European regulations on the interception of communications to attract more customers in the international market, such regulations don’t really apply within India, which is part of ClearTrail’s market. Notably enough, ClearTrail does not mention any compliance with Indian regulations in its brochure. So let’s have a look at them.

India has five laws which regulate surveillance:

1. The Indian Telegraph Act, 1885

2. The Indian Post Office Act, 1898

3. The Indian Wireless Telegraphy Act, 1933

4. The Code of Criminal Procedure (CrPc), 1973: Section 91

5. The Information Technology (Amendment) Act, 2008

The Indian Post Offices Act does not cover electronic communications and the Indian Wireless Telegraphy Act lacks procedures which would determine if surveillance should be targeted or not. Neither the Indian Telegraph Act nor the Information Technology (Amendment) Act cover mass surveillance, but are both limited to targeted surveillance. Moreover, targeted interception in India according to these laws requires case-by-case authorization by either the home secretary or the secretary department of information technology. In other words, unauthorized, limitless, mass surveillance is not technically permitted by law in India.

The Indian Telegraph Act mandates that the interception of communications can only be carried out on account of a public emergency or for public safety. However, in 2008, the Information Technology Act copied most of the interception provisions of the Indian Telegraph Act, but removed the preconditions of public emergency or public safety, and instead expanded the power of the government to order interception for the “investigation of any offense”.

The interception of Internet communications is mainly covered by the 2009 Rules under the Information Technology Act 2008 and Sections 69 and 69B are particularly noteworthy. According to these Sections, an Intelligence Bureau officer who leaked national secrets may be imprisoned for up to three years, while Section 69 not only allows for the interception of any information transmitted through a computer resource, but also requires that users disclose their encryption keys upon request or face a jail sentence of up to seven years.

While these laws allow for the interception of communications and can be viewed as widely controversial, they do not technically permit the mass surveillance of communications. In other words, ClearTrail’s products, such as ComTrail, which enable the mass interception of IP networks, lack legal backing. However, the Unified Access Services (UAS) License Agreement regarding the Central Monitoring System mandates mass surveillance and requires ISP and Telecom operators to comply.

Through the licenses of the Department of Telecommunications, Internet service providers, cellular providers and telecoms are required to provide the Government of India direct access to all communications data and content even without a warrant, which is not permitted under the laws on interception. These licenses also require cellular providers to have ‘bulk encryption’ of less than 40 bits, which means that potentially any person can use off-the-air interception to monitor phone calls. However, such licenses do not regulate the capture of signal strength, target numbers like IMSI, TIMSI, IMEI or MSI SDN, which can be captured through ClearTrail’s mTrail product.

More importantly, following allegations that the National Technical Research Organization (NTRO) had been using off-the-air interception equipment to snoop on politicians in 2011, the Home Ministry issued a directive to ban the possession or use of all off-the-air phone interception gear. As a result, the Indian Government asked the Customs Department to provide an inventory of all all such equipment imported over a ten year period, and it was uncovered that as many as 73,000 pieces of equipment had been imported. Since, the Home Ministry has informed the heads of law enforcement agencies that there has been a compete ban on use of such equipment and that all those who possess such equipment and fail to inform the Government will face prosecution and imprisonment. In short, ClearTrail's product, mTrail, which undertakes off-the-air phone monitoring is illegal and Indian law enforcement agencies are prohibited from using it.

ClearTrail’s “Astra” product is capable of remote infection and monitoring, which can push bot to any targeted machine sharing the same LAN. While India’s ISP and telecommunications licenses generally provide some regulations, they appear to be inadequate in regulating specific surveillance technologies which have the capability to target machines and remotely monitor them. Such licenses mandate mass surveillance, but legally, wireless communications are completely unregulated, which raises the question of whether the interception of public Internet networks is allowed. In other words, it is not clear if ClearTrail’s QuickTrail is technically legal or not. The UAS License agreement mandates mass surveillance, and while the law does not prohibit it, it does not mandate mass surveillance either. This remains a grey area.

The issue of data retention arises from ClearTrail’s leaked brochure. In particular, ClearTrail states in its brochure that ComTrail - which undertakes mass monitoring of IP and Voice networks - retains data upon request, with a capacity that exceeds several years. xTrail - for targeted IP monitoring - has the ability to retain huge volumes of data which can potentially be used as proof in court. However, India currently lacks privacy legislation which would regulate data retention, which means that data collected by ClearTrail could potentially be stored indefinitely.

Section 7 of the Information Technology (Amendment) Act, 2008, deals with the retention of electronic records. However, this section does not state a particular data retention period, nor who will have authorized access to data during its retention, who can authorize such access, whether retained data can be shared with third parties and, if so, under what conditions. Section 7 of the Information Technology (Amendment) Act, 2008, appears to be incredibly vague and to fail to regulate data retention adequately.

Data retention requirements for service providers are included in the ISP and UASL licenses and, while they clarify the type of data they retain, they do not specify adequate conditions for data retention. Due to the lack of data protection legislation in India, it remains unclear how long data collected by companies, such as ClearTrail, would be stored for, as well as who would have authorized access to such data during its retention period, whether such data would be shared with third parties and disclosed and if so, under what conditions.

India currently lacks specific regulations for the use of various types of technologies, which makes it unclear whether ClearTrail’s spy products are technically legal or not. It is clear that ClearTrail’s mass interception products, such as ComTrail, are not legalized - since Indian laws allow for targeted interception- but they are mandated through the UAS License agreement regarding the Central Monitoring System.

In short, the legality of ClearTrail’s surveillance technologies remains ambiguous. While India’s ISP and telecom licenses and the UAS License Agreement mandate mass surveillance, the laws - particularly the 2009 Information Technology Rules- mandate targeted surveillance and remain silent on the issue of mass surveillance. Technically, this does not constitute mass surveillance legal or illegal, but rather a grey area. Furthermore, while India’s Telegraph Act, Information Technology Act and 2009 Rules allow for the interception, monitoring and decryption of communications and surveillance in general, they do not explicitly regulate the various types of surveillance technologies, but rather attempt to “legalize” them through the blanket term of surveillance.

One thing is clear: India’s license agreements ensure that all ISPs and telecom operators are a part of the surveillance regime. The lack of regulations for India’s surveillance technologies appear to create a grey zone for the expansion of mass surveillance in the country. According to Saikat Datta, an investigative journalist, a senior privacy telecom official stated:

“Do you really think a private telecom company can stand up to the government or any intelligence agency and cite law if they want to tap someone’s phone?”



Spy Files 3...and human rights in India

The facts speak for themselves. The latest Spy Files confirm that the same agencies involved in the development of the Central Monitoring System (CMS) are also interested in the latest surveillance technology sold in the global market. Spy Files 3 also provide data on one of India’s largest surveillance technology companies, ClearTrail, which sells a wide range of surveillance technologies to law enforcement agencies around the world. And Spy Files 3 show us exactly what these technologies can do.

In particular, ClearTrail’s ComTrail provides mass monitoring of IP and voice networks, which means that law enforcement agencies using it are capable of intercepting millions of communications every day through Gmail, Yahoo, Hotmail and others, of correlating our identities across networks and of targeting our location. xTrail enables law enforcement agencies to monitor us based on our “harmless” metadata, such as our IP address, our mobile number and our email ID. Think our data is secure when using the Internet through a cyber cafe? Well QuickTrail proves us wrong, as it’s able to assist law enforcement agencies in monitoring and intercepting our communications even when we are using public Internet networks.

And indeed, carrying a mobile phone is like carrying a GPS device, especially since mTrail provides law enforcement with off-the-air interception of mobile communications. Not only can mTrail target our location, listen to our calls and store our data, but it can also undertake passive off-the-air interception and monitor our voice, SMS and protocol information. Interestingly enough, mTrail also intercepts targeted calls from a predefined suspect list. The questions though which arise are: who is a suspect? How do we even know if we are suspects? In the age of the War on Terror, potentially anyone could be a suspect and thus potentially anyone’s mobile communications could be intercepted. After all, mass surveillance dictates that we are all suspicious until proven innocent.

And if anyone can potentially be a suspect, then potentially anyone can be remotely infected and monitored by Astra. Having physical access to a targeted device is a conventional surveillance mean of the past. Today, Astra can remotely push bot to our laptops and listen to our Skype calls, capture our Webcams, search our browsing history, identify our location and much more. And why is any of this concerning? Because contrary to mainstream belief, we should all have something to hide!

Privacy protects us from abuse from those in power and safeguards our individuality and autonomy as human beings. If we are opposed to the idea of the police searching our home without a search warrant, we should be opposed to the idea of our indiscriminate mass surveillance. After all, mass surveillance - especially the type undertaken by ClearTrail’s products - can potentially result in the access, sharing, disclosure and retention of data much more valuable than that acquired by the police searching our home. Our credit card details, our photos, our acquaintances, our personal thoughts and opinions, and other sensitive personal information can usually be found in our laptops, which potentially can constitute much more incriminating information than that found in our homes.

And most importantly: even if we think that we have nothing to hide, it’s really not up to us to decide: it’s up to data analysts. While we may think that our data is “harmless”, a data analyst linking our data to various other people and search activities we have undertaken might indicate otherwise. Five years ago, a UK student studying Islamic terrorism for his Masters dissertation was detained for six days. The student may not have been a terrorist, but his data said this: “Young, male, Muslim... who is downloading Al-Qaeda’s training material” - and that was enough for him to get detained. Clearly, the data analysts mining his online activity did not care about the fact that the only reason why he was downloading Al-Qaeda material was for his Masters dissertation. The fact that he was a male Muslim downloading terrorist material was incriminating enough.

This incident reveals several concerning points: The first is that he was clearly already under surveillance, prior to downloading Al-Qaeda’s material. However, given that he did not have a criminal record and was “just a Masters student in the UK”, there does not appear to be any probable cause for his surveillance in the first place. Clearly he was on some suspect list on the premise that he is male and Muslim - which is a discriminative approach. The second point is that after this incident, it is likely that some male Muslims may be more cautious about their online activity - with the fear of being on some suspect list and eventually being prosecuted because their data shows that “they’re a terrorist”. Thus, mass surveillance today appears to also have implications on freedom of expression. The third point is that this incident reveals the extent of mass surveillance, since even a document downloaded by a Masters student is being monitored.

This case proves that innocent people can potentially be under surveillance and prosecuted, as a result of mass, indiscriminate surveillance. Anyone can potentially be a suspect today, and maybe for the wrong reasons. It does not matter if we think our data is “harmless”, but what matters is who is looking at our data, when and why. Every bit of data potentially hides several other bits of information which we are not aware of, but which will be revealed within a data analysis. We should always “have something to hide”, as that is the only way to protect us from abuse by those in power.

In the contemporary surveillance state, we are all suspects and mass surveillance technologies, such as the ones sold by ClearTrail, can potentially pose major threats to our right to privacy, freedom of expression and other human rights. And probably the main reason for this is because surveillance technologies in India legally fall in a grey area. Thus, it is recommended that law enforcement agencies in India regulate the various types of surveillance technologies in compliance with the International Principles on Communications Surveillance and Human Rights.

Spy Files 3 show us why our human rights are at peril and why we should fight for our right to be free from suspicion.

 

This article was cross-posted in Medianama on 6th November 2013.

---

Note: Clause-by-clause comments on the Working Draft version of April 29, 2012 from the Centre for Internet and Society

---

1. This short note speaks to legal issues arising from the proposed Human DNA Profiling Bill, 2012 ("DBT Bill") that was circulated within the Experts Committee constituted under the aegis of the Department of Biotechnology of the Ministry of Science and Technology, Government of India.
2. This note must be read against the relevant provisions of the DBT Bill and, where indicated, together with the proposed Forensic DNA Profiling (Regulation) Bill, 2013 that was drafted by the Centre for Internet & Society, Bangalore ("CIS Bill"). These comments must also be read alongside the two-page submission titled “A Brief Note on the Forensic DNA Profiling (Regulation) Bill, 2013” ("CIS Note"). Whereas the aforesaid CIS Note raised issues that informed the drafting of the CIS Bill, this present note seeks to provide legal comments on the DBT Bill.
   Preamble
3. The DBT Bill, in its current working form, lacks a preamble. No doubt, a preamble will be added later once the text of the DBT Bill is finalised. Instead, the DBT Bill contains an introduction. It must be borne in mind that the purpose of the legislation should be spelt out in the preamble since preambular clauses have interpretative value. [See, A. Thangal Kunju Musaliar AIR 1956 SC 246; Burrakur Coal Co. Ltd. AIR 1961 SC 954; and Arnit Das (2000) 5 SCC 488]. Hence, a preamble that states the intent of Parliament to create permissible conditions for DNA source material collection, profiling, retention and forensic use in criminal trials is necessary.
   Objects Clause
4. An ‘objects clause,’ detailing the intention of the legislature and containing principles to inform the application of a statute, in the main body of the statute is an enforceable mechanism to give directions to a statute and can be a formidable primary aid in statutory interpretation. [See, for example, section 83 of the Patents Act, 1970 that directly informed the Order of the Controller of Patents, Mumbai, in the matter of NATCO Pharma and Bayer Corporation in Compulsory Licence Application No. 1 of 2011.] Therefore, the DBT Bill should incorporate an objects clause that makes clear that (i) the principles of notice, confidentiality, collection limitation, personal autonomy, purpose limitation and data minimisation must be adhered to at all times; (ii) DNA profiles merely estimate the identity of persons, they do not conclusively establish unique identity; (iii) all individuals have a right to privacy that must be continuously weighed against efforts to collect and retain DNA; (iv) centralised databases are inherently dangerous because of the volume of information that is at risk; (v) forensic DNA profiling is intended to have probative value; therefore, if there is any doubt regarding a DNA profile, it should not be received in evidence by a court; (vi) once adduced, the evidence created by a DNA profile is only corroborative and must be treated on par with other biometric evidence such as fingerprint measurements.
   Definitions
5. The definition of “analytical procedure” in clause 2(1)(a) of the DBT Bill is practically redundant and should be removed. It is used only twice – in clauses 24 and 66(2)(p) which give the DNA Profiling Board the power to frame procedural regulations. In the absence of specifying the content of any analytical procedure, the definition serves no purpose.
6. The definition of “audit” in clause 2(1)(b) is relevant for measuring the training programmes and laboratory conditions specified in clauses 12(f) and 27. However, the term “audit” is subsequently used in an entirely different manner in Chapter IX which relates to financial information and transparency. This is a conflicting definition. The term “audit” has a well-established use for financial information that does not require a definition. Hence, this definition should be removed.
7. The definition of “calibration” in clause 2(1)(d) is redundant and should be removed since the term is not meaningfully used in the DBT Bill.
8. The definition of “DNA Data Bank” in clause 2(1)(h) is unnecessary. The DBT Bill seeks to establish a National DNA Data Bank, State DNA Data Banks and Regional DNA Data Banks vide clause 32. These national, state and regional databases must be defined individually with reference to their establishment clauses. Defining a “DNA Data Bank”, exclusive of the national, state and regional databases, creates the assumption that any private individual can start and maintain a database. This is a drafting error.
9. The definition of “DNA Data Bank Manager” in clause 2(1)(i) is misleading since, in the text of the DBT Bill, it is only used in relation to the proposed National DNA Data Bank and never in relation to the State and Regional Data Banks. If it is the intention of DBT Bill that only the national database should have a manager, the definition should be renamed to ‘National DNA Data Bank Manager’ and the clause should specifically identify the National DNA Data Bank. This is a drafting error.
10. The definition of “DNA laboratory” in clause 2(1)(j) should refer to the specific clauses that empower the Central Government and State Governments to license and recognise DNA laboratories. This is a drafting error.
11. The definition of “DNA profile” in clause 2(1)(l) is too vague. Merely the results of an analysis of a DNA sample may not be sufficient to create an actual DNA profile. Further, the results of the analysis may yield DNA information that, because of incompleteness or lack of information, is inconclusive. These incomplete bits of information should not be recognised as DNA profiles. This definition should be amended to clearly specify the contents of a complete and valid DNA profile that contains, at least, numerical representations of 17 or more loci of short tandem repeats that are sufficient to estimate biometric individuality of a person.
12. The definition of “forensic material” in clause 2(1)(o) needs to be amended to remove the references to intimate and non-intimate body samples. If the references are retained, then evidence collected from a crime scene, where an intimate or non-intimate collection procedure was obviously not followed, will not fall within the scope of “forensic material”.
13. The terms “intimate body sample” and “non-intimate body sample” that are defined in clauses 2(1)(q) and 2(1)(v) respectively are not used anywhere outside the definitions clause except for an inconsequential reference to non-intimate body samples only in the rule-making provision of clause 66(2)(zg). “Intimate body sample” is not used anywhere outside the definitions clause. Both these definitions are redundant and should be removed.
14. The terms “intimate forensic procedure” and “non-intimate forensic procedure”, that are defined in clauses 2(1)(r) and 2(1)(w) respectively, are not used anywhere except for an inconsequential reference of non-intimate forensic procedure in the rule-making provision of clause 66(2)(zg). “Intimate forensic procedure” is not used anywhere outside the definitions clause. Both these definitions are redundant and should be removed.
15. The term “known samples” that is defined in clause 2(1)(s) is not used anywhere outside the definitions clause and should be removed for redundancy.
16. The definition of “offender” in clause 2(1)(y) if vague because it does not specify the offences for which an “offender” need be convicted. It is also linked to an unclear definition of the term “undertrial”, which does not specify the nature of pending criminal proceedings and, therefore, could be used to describe simple offences such as, for example, failure to pay an electricity bill, which also attracts criminal penalties.
17. The term “proficiency testing” that is defined in clause 2(1)(zb) is not used anywhere in the text of the DBT Bill and should be removed.
18. The definitions of “quality assurance”, “quality manual” and “quality system” serve no enforceable purpose since they are used only in relation to the DNA Profiling Board’s rule-making powers under clauses 18 and 66. Their inclusion in the definitions clause is redundant. Accordingly, these definitions should be removed.
19. The term “suspect” defined in clause 2(1)(zi) is vague and imprecise. The standard by which suspicion is to be measured, and by whom suspicion may be entertained – whether police or others, has not been specified. The term “suspect” is not defined in either the Code of Criminal Procedure, 1973 ("CrPC") or the Indian Penal Code, 1860 ("IPC").
    The DNA Profiling Board
20. Clause 3 of the DBT Bill, which provides for the establishment of the DNA Profiling Board, contains a sub-clause (2) which vests the Board with corporate identity. This vesting of legal personality in the DNA Profiling Board – when other boards and authorities, even ministries and independent departments, and even the armed forces do not enjoy this function – is ill-advised and made without sufficient thought. Bodies corporate may be corporations sole – such the President of India, or corporations aggregate – such as companies. The intent of corporate identity is to create a fictional legal personality where none previously existed in order for the fictional legal personality to exist apart from its members, enjoy perpetual succession and to sue in its own legal name. Article 300 of the Constitution of India vests the Central Government with legal personality in the legal name of the Union of India and the State Governments with legal personality in the legal names of their respective states. Apart from this constitutional dispensation, some regulatory authorities, such as the Telecom Regulatory Authority of India ("TRAI") and the Securities and Exchange Board of India ("SEBI") have been individually vested with legal personalities as bodies corporate to enable their autonomous governance and independent functioning to secure their ability to free, fairly and impartially regulate the market free from governmental or private collusion. Similarly, some overarching national commissions, such as the Election Commission of India and the National Human Rights Commission ("NHRC") have been vested with the power to sue and be sued in their own names. In comparison, the DNA Profiling Board is neither an independent market regulator nor an overarching national commission with judicial powers. There is no legal reason for it to be vested with a legal personality on par with the Central Government or a company. Therefore, clause 3(2) should be removed.
21. The size and composition of the Board that is staffed under clause 4 is extremely large. Creating unwieldy and top-heavy bureaucratic authorities and investing them with regulatory powers, including the powers of licensing, is avoidable. The DBT Bill proposes to create a Board of 16 members, most of them from a scientific background and including a few policemen and one legal administrator. In its present form, the Board is larger than many High Courts but does not have a single legal member able to conduct licensing. Drawing from the experiences of other administrative and regulatory bodies in India, the size of the Board should be drastically reduced to no more than five members, at least half of whom should be lawyers or ex-judges. The change in the legal composition of the Board is necessary because the DBT Bill contemplates that it will perform the legal function of licensing that must obey basic tenets of administrative law. The current membership may be viable only if the Board is divested of its administrative and regulatory powers and left with only scientific advice functions. Moreover, stacking the Board with scientists and policemen appears to ignore the perils that DNA collection and retention pose to the privacy of ordinary citizens and their criminal law rights. The Board should have adequate representation from the human rights community – both institutional (e.g NHRC and the State Human Rights Commissions) and non-institutional (well-regarded and experienced human rights activists). The Board should also have privacy advocates.
22. Clauses 5(2) and 5(3) establish an unequal hierarchy within the Board by privileging some members with longer terms than others. There is no good reason for why the Vice-Chancellor of a National Law University, the Director General of Police of a State, the Director of a Central Forensic Science Laboratory and the Director of a State Forensic Science Laboratory should serve membership terms on the Board that are longer than those of molecular biologists, population geneticists and other scientists. Such artificial hierarchies should be removed at the outset. The Board should have one pre-eminent chairperson and other equal members with equal terms.
23. The Chairperson of the Board, who is first mentioned in clause 5(1), has not been duly and properly appointed. Clause 4 should be modified to mention the appointment of the Chairperson and other Members.
24. Clause 7 deals with the issue of conflict of interest in narrow cases. The clause requires members to react on a case-by-case basis to the business of the Board by recusing themselves from deliberations and voting where necessary. Instead, it may be more appropriate to require members to make a full and public disclosures of their real and potential conflicts of interest, and then granting the Chairperson the power to prevent such members from voting on interested matters. Failure to follow these anti-collusion and anti-corruption safeguards should attract criminal penalties.
25. Clause 10 anticipates the appointment of a Chief Executive Officer of the Board who shall be a serving Joint Secretary to the Central Government. Clause 10(3) further requires this officer to be scientist. This may not be possible because the administrative hierarchy of the Central Government may not contain a genetic scientist.
26. The functions of the Board specified in clause 12 are overbroad. Advising ministries, facilitating governments, recommending the size of funds and so on – these are administrative and governance functions best left to the executive. Once the Board is modified to have sufficient legal and human rights representation, then the functions of the Board can non-controversially include licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.
    DNA Laboratories
27. The provisions of Chapters V and VI may be simplified and merged.
    DNA Data Banks
28. The creation of multiple indices in clause 32(4) cannot be justified and must be removed. The collection of biological source material is an invasion of privacy that must be conducted only in strict conditions when the potential harm to individuals is outweighed by the public good. This balance may only be struck when dealing with the collection and profiling of samples from certain categories of offenders. The implications of collecting and profiling DNA samples from corpses, suspects, missing persons and others are vast and have either not been properly understood or deliberately ignored. At this moment, the forcible collection of biological source material should be restricted to the categories of offenders mentioned in the Identification of Prisoners Act, 1920 ("Prisoners Act") with a suitable addition for persons arrested in connection with certain specified terrorism-related offences. Therefore, databases should contain only an offenders’ index and a crime scene index.
29. Clause 32(6), which requires the names of individuals to be connected to their profiles, and hence accessible to persons connected with the database, should be removed. DNA profiles, once developed, should be anonymised and retained separate from the names of their owners.
30. Clause 36, which allows international disclosures of DNA profiles of Indians, should be removed immediately. Whereas an Indian may have legal remedies against the National DNA Data Bank, he/she certainly will not be able to enforce any rights against a foreign government or entity. This provision will be misused to rendition DNA profiles abroad for activities not permitted in India. Similarly, as in data protection regimes around the world, DNA profiles should remain within jurisdictions with high privacy and other legal standards.
    Use
31. The only legitimate purpose for which DNA profiles may be used is for establishing the identity of individuals in criminal trials and confirming their presence or absence from a certain location. Accordingly, clauses 39 and 40 should be re-drafted to specify this sole forensic purpose and also specify the manner in which DNA profiles may be received in evidence. For more information on this point, see the relevant provisions of the CIS Note and the CIS Bill.
32. The disclosure of DNA profiles should only take place to a law enforcement agency conducting a valid investigation into certain offences and to courts currently trying the individuals to whom the DNA profiles pertains. All other disclosures of DNA profiles should be made illegal. Non-consensual disclosure of DNA profiles for the study of population genetics is specifically illegal. The DBT Bill does not prescribe stringent criminal penalties and other mechanisms to affix individual liability on individual scientists and research institutions for improper use of DNA profiles; it is therefore open to the criticism that it seeks to sacrifice individual rights of persons, including the fundamental right to privacy, without parallel remedies and penalties. Clause 40 should be removed in entirety.
33. Clause 43 should be removed in entirety. This note does not contemplate the retention of DNA profiles of suspects and victims, except as derived from a crime scene.
34. Clause 45 sets out a post-conviction right related to criminal procedure and evidence. This would fundamentally alter the nature of India’s criminal justice system, which currently does not contain specific provisions for post-conviction testing rights. However, courts may re-try cases in certain narrow cases when fresh evidence is brought forth that has a nexus to the evidence upon which the person was convicted and if it can be proved that the fresh evidence was not earlier adduced due to bias. Any other fresh evidence that may be uncovered cannot prompt a new trial. Clause 45 is implicated by Article 20(2) of the Constitution of India and by section 300 of the CrPC. The principle of autrefois acquit that informs section 300 of the CrPC specifically deals with exceptions to the rule against double jeopardy that permit re-trials. [See, for instance, Sangeeta Mahendrabhai Patel (2012) 7 SCC 721].

Background

The Department of Biotechnology released, in 29 April 2012, a working draft of a proposed Human DNA Profiling Bill, 2012 ("DBT Bill") for public comments. The draft reveals an effort to (i) permit the collection of human blood, tissue and other samples for the purpose of creating DNA profiles, (ii) license private laboratories that create and store the profiles, (iii) store the DNA samples and profiles in various large databanks in a number of indices, and (iv) permit the use of the completed DNA profiles in scientific research and law enforcement. The regulation of human DNA profiling is of significant importance to the efficacy of law enforcement and the criminal justice system and correspondingly has a deep impact on the freedoms of ordinary citizens from profiling and monitoring. Below, we highlight five important concerns to bear in mind before drafting and implementing DNA legislation.

Primary Issues

Purpose of DNA Profiling

DNA  profiling  serves  two broad  purposes – (i) forensic – to establish  unique  identity  of a person in the criminal justice system; and, (ii) research – to understand human genetics and its contribution  to  anthropology, biology  and  other  sciences.  These  two  purposes have  very different approaches  to DNA  profiling and  the  issues and  concerns attendant on them vary accordingly. Forensic DNA profiling is undertaken to afford either party in a criminal trial a better  possibility  of  adducing corroborative evidence to  prosecute,  or to  defend, an alleged offence. DNA, like fingerprints, is a biometric estimation of the individuality of a person. By itself, in the same manner that fingerprint evidence is only proof of the presence of a person at a particular place and not proof of the commission of a crime, DNA is merely corroborative evidence  and cannot,  on its  own  strength,  result  in a conviction  or  acquittal  of  an  offence. Therefore, DNA  and fingerprints,  and the  process  by which they  are  collected and  used as evidence, should be broadly similar.

Procedural Integrity

Forensic DNA profiling results from biological source material that is usually collected from crime scenes or forcibly from offenders and convicts. Biological source material found at a crime scene is very rarely non-contaminated and the procedure by which it is collected and its integrity ensured is of primary legislative importance. To avoid the danger of contaminated crime scene evidence being introduced in the criminal justice system to pervert the course of justice, it is crucial to ensure that DNA is collected only from intact human cells and not from compromised genetic material. Therefore, if the biological source material found at a crime scene  does  not  contain  at  least  one  intact  human  cell,  the  whole  of  the biological  source material should be destroyed to prevent the possibility of compromised genetic material being collected to  yield  inconclusive results.  Adherence  to  this  basic  principle  will  obviate  the possibility  of  partial  matches  of  DNA  profiles  and  the  resulting  controversy  and  confusion that ensues.

Conditions of Collection

In India, the taking of fingerprints is chiefly governed by the Identification of Prisoners Act, 1920 ("Prisoners Act") and section 73 of the Indian Evidence Act, 1872 ("Evidence Act"). The Prisoners Act permits  the forcible taking of  fingerprints from convicts and  suspects in certain  conditions.  The Evidence  Act,  in  addition,  permits  courts  to  require  the  taking  of fingerprints  for  the  forensic  purpose  of  establishing  unique  identity  in  a  criminal  trial. No
provisions exist for consensual taking of fingerprints, presumably because of the danger of self-incrimination and general privacy concerns. Since, as discussed earlier, fingerprints and DNA are  biometric  measurements  that  should  be treated  equally to the  extent possible, the conditions for the collection of DNA should be similar to those for the taking of fingerprints.Accordingly,  there  should  be  no  legal  provisions  that  enable  other  kinds  of  collection, including from volunteers and innocent people.

Retention of DNA

As  a  general  rule applicable  in  India,  the  retention  of  biometric  measurements  must  be supported  by  a  clear  purpose  that  is  legitimate, judicially  sanctioned  and  transparent. The Prisoners Act, which permits the forcible taking of fingerprints from convicts, also mandates the destruction of these fingerprints when the person is acquitted or discharged. The indefinite collection  of  biometric  measurements  of people  is  dangerous,  susceptible  to  abuse  and invasive of civil rights. Therefore, once lawfully collected from crime scenes and offenders, their DNA profiles must  be  retained  in  strictly  controlled  databases with  highly  restricted access for the forensic purpose of law enforcement only. DNA should not be held in databases that allow non-forensic use. Further, the indices within these databases should be watertight and exclusive of each other.

DNA Laboratories

The process by which DNA profiles are created from biological source material is of critical importance. Because of the evidentiary value of DNA profiles, the laboratories in which these profiles  are  created  must  be  properly  licensed, professionally  managed  and manned  by competent  and  impartial  personnel.  Therefore,  the  process  by  which  DNA laboratories  are licensed and permitted to operate is significant.

 

1. Do you think India needs privacy legislation? Why / Why not?

 

Well I think it's essential for any modern democracy based on a constitution to now recognise a universal human right to privacy. This isn't something that would necessarily have occurred to the draft of constitutions before the era of mass electronic communications, but this is now how everyone manages their lives and maintains social relationships at a distance, and therefore there needs to be an entrenched right to privacy – including communications privacy – as part of the core of any modern state.

2. The majority of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why / Why not?

 

Although the majority of people in India are still living in conditions of poverty and don't have access to the Internet or, in some cases, to any electronic communications, that's changing very rapidly. India has some of the highest growth rates in take up with both mobile phones and mobile Internet and so this is spreading very rapidly through all strata of society. It's becoming an essential tool for transacting with business and government, so it's going to be increasingly important to have a privacy law which guarantees rights equally, no matter what anyone's social station or situation. There's also, I think, a sense in which having a right to privacy based on individual rights is much preferable to some sort of communitarian approach to privacy, which has a certain philosophical following; but that model of privacy - that somehow, because of a community benefit, there should also be a sort of community sacrifice in individual rights to privacy - has a number of serious philosophical flaws which we can talk about.

3. "I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally." Please comment.

 

Well, it's hard to know where to begin. Almost everybody in fact has “something to hide”, if you consider all of the social relationships and the way in which you are living your life. It's just not true that there's anybody who literally has nothing to hide and in fact I think that it's rather a dangerous idea, in political culture, to think about imposing that on leaders and politicians. There's an increasing growth of the idea – now, probably coming from America- that political leaders (and even their staff - to get hired in the current White House) should open up their lives, even to the extent of requiring officials to give up their passwords to their social network accounts (presumably so that they can be vetted for sources of potential political embarrassment in their private life). This is a very bad idea because if we only elect leaders, and if we only employ bureaucrats, who do not accord any subjective value to privacy, then it means we will almost literally be electing (philosophical) zombies. And we can't expect our political leaders to respect our privacy rights, if we don't recognise that they have a right to privacy in their own lives also. The main problem with the “nothing to hide, so nothing to fear” mantra is that this is used as a rhetorical tool by authoritarian forces in government and society, who simply wish to take a more paternalistic and protective attitude. This reflects a disillusionment within the “deep state” about how democratic states should function.

Essentially, those who govern us are given a license through elections to exercise power with consent, but this entails no abrogation of a citizen's duty to question authority. Instead, that should be seen as a civic duty - providing the objections are reasonable. People actually know that there are certain things in their lives that they don't wish other people to know, but by indoctrinating the “nothing to hide” ideology, it inculcates a general tendency towards more conformism in society, by inhibiting critical voices.

4. Should people have the right to give up their right to privacy? Why / Why not?

 

In European data protection law there is an obscure provision which is particularly relevant to medical privacy, but almost never used in the area of so-called sensitive personal data, like political views or philosophical views. It is possible currently for European governments to legislate to override the ability of the individual to consent. So this might arise, for example, if a foreign company sets up a service to get people to consent to have their DNA analysed and taken into foreign databases, or generally where people might consent to a big foreign company analysing and capturing their medical records. I think there is a legitimate view that, as a matter of national policy, a government could decide that these activities were threatening to data sovereignty, or that was just bad public policy. For example, if a country has a deeply-rooted social contract that guarantees the ability to access medical care through a national health service, private sector actors could try to undermine that social-solidarity basis for universal provision of health care. So for those sorts of reasons I do think it's defensible for governments to have the ability in those sectors to say: “Yes, there are areas where people should not be able to consent to give up their privacy!”

But then going back to the previous answer, more generally, commercial privacy policies are now so complicated – well, they've always been complicated, but now are mind-blowingly devious as well - people have no real possibility of knowing what they're consenting to. For example, the secondary uses of data flows in social networks are almost incomprehensible, even for technologists at the forefront of research. The French Data Protection authorities are trying to penalize Google for replacing several very complicated privacy policies by one so-called unified policy, which says almost nothing at all. There's no possible way for people to give informed consent to this over-simplified policy, because it doesn't even tell anything useful to an expert. So again in these circumstances, it's right for a regulator to intercede to prevent unfair exploitation of the deceptive kind of “tick-box” consent. Lastly, it is not possible for EU citizens to waive or trade away their basic right to access (or delete) their own data in future, because this seems a reckless act and it cannot be foreseen when this right might become essential in some future circumstances. So in these three senses, I believe it is proper for legislation to be able to prevent the abuse of the concept of consent.

5. Do you agree with India's UID scheme? Why / Why not?

 

There is a valid debate about whether it's useful for a country to have a national identity system of some kind - and there's about three different ways that can be engineered technically. The first way is to centralise all data storage in a massive repository, accessed through remote terminal devices. The second way is a more decentralised approach with a number of different identity databases or systems which can interoperate (or “federate” with eachother), with technical and procedural rules to enforce privacy and security safeguards. In general it's probably a better idea to decentralise identity information, because then if there is a big disaster (or cyber-attack) or data loss, you haven't lost everything. The third way is what's called “user-centric identity management”, where the devices (smartphones or computers) citizens use to interact with the system keep the identity information in a totally decentralised way.

Now the obvious objection to that is: “Well, if the data is decentralised and it's an official system, how can we trust that the information in people's possession is authentic?”. Well, you can solve that with cryptography. You can put digital signatures on the data, to show that the data hasn't been altered since it was originally verified. And that's a totally solved problem. However, unfortunately, not very many policy makers understand that and so are easily persuaded that centralization is the most efficient and secure design – but that hasn't been true technically for twenty years. Over that time, cryptographers have refined the techniques (the alogithms can now run comfortably on smartphones) so that user-centric identity management is totally achievable, but policy makers have not generally understood that. But there is no technical reason a totally user-centric vision of identity architecture should not be realized. But still the UID appears to be one of the most centralised large systems ever conceived.

There are still questions I don't understand about its technical architecture. For example, just creating an identity number by itself doesn't guarantee security and it's a classic mistake to treat an identifier as an authenticator. In other words, to use an identifier or knowledge of an identifier - which could become public information, like the American social security number – to treat knowledge of that number as if it were a key to open up a system to give people access to their own private information is very dangerous. So it's not clear to me how the UID system is designed in that way. It seems that by just quoting back a number, in some circumstances this will be the key to open up the system, to reveal private information, and that is an innately insecure approach. There may be details of the system I don't understand, but I think it's open to criticism on those systemic grounds.

And then more fundamentally, you have to ask what's the purpose of that system in society. You can define a system with a limited number of purposes – which is the better thing to do – and then quite closely specify the legal conditions under which that identity information can be used. It's much more problematic, I think, to try and just say that “we'll be the universal identity system”, and then you just try and find applications for it later. A number of countries tried this approach, for example Belgium around 2000, and they expected that having created a platform for identity, that many applications would follow and tie into the system. This really didn't happen, for a number of social and technical reasons which critics of the design had predicted. I suppose I would have to say that the UID system is almost the anithesis of the way I think identity systems should be designed, which should be based on quite strong technical privacy protection mechanisms - using cryptography - and where, as far as possible, you actually leave the custody of the data with the individual.

Another objection to this user-centric approach is “back-up”: what happens when you lose the primary information and/or your device? Well, you can anticipate that. You can arrange for this information to be backed-up and recovered, but in such a way that the back-up is encrypted, and the recovered copy can easily be checked for authenticity using cryptography.

6. Should Indian citizens be concerned about the Central Monitoring System (CMS)? Why / Why not?

Well, the Central Monitoring System does seem to be an example of very large scale “strategic surveillance”, as it is normally called. Many western countries have had these for a long time, but normally only for international communications. Normally surveillance of domestic communications is done under a particular warrant, which can only be applied one investigation at a time. And it's not clear to me that that is the case with the Central Monitoring System. It seems that this may also be applicable to mass surveillance of communications inside India. Now we're seeing a big controversy in the U.S - particularly at the moment - about the extent to which their international strategic surveillance systems are also able to be used internally. What has happened in the U.S. seems rather deceptive; although the “shell” of the framework of individual protection of rights was left in place, there are actually now so many exemptions when you look in the detail, that an awful lot of Americans' domestic communications are being subjected to this strategic mass surveillance. That is unacceptable in a democracy.

There are reasons why, arguably, it's necessary to have some sort of strategic surveillance in international communications, but what Edward Snowden revealed to us is that in the past few years many countries – the UK, the U.S, and probably also Germany, France and Sweden – have constructed mass surveillance systems which knowingly intrude on domestic communications also. We are living through a transformation in surveillance power, in which the State is becoming more able to monitor and control the population secretively than ever before in history. And it's very worrying that all of these systems appear to have been constructed without the knowledge of Parliaments and without precise legislation. Very few people in government even seem to have understood the true mind-boggling breadth of this new generation of strategic surveillance. And no elections were fought on a manifesto asking “Do people want this or not?”. It's being justified under a counter-terrorism mantra, without very much democratic scrutiny at all. The long term effects of these systems on democracies are really uncharted territory.

We know that we're not in an Orwellian state, but the model is becoming more Kafkaesque. If one knows that this level of intensive and automated surveillance exists, then it has a chilling effect on society. Even if not very much is publicly known about these systems, there is still a background effect that makes people more conformist and less politically active, less prepared to challenge authority. And that's going to be bad for democracy in the medium term – not just the long term.

7. Should surveillance technologies be treated as traditional arms / weapons? If so, should export controls be applied to surveillance technologies? Why / Why not?

Surveillance technologies probably do need to be treated as weapons, but not necessarily as traditional weapons. One probably is going to have to devise new forms of export control, because tangible bombs and guns are physical goods – well, they're not “goods”, they're “bads” - that you can trace by tagging and labelling them, but many of the “new generation” of surveillance weapons are software. It's very difficult to control the proliferation of bits – just as it is with copyrighted material. And I remember when I was working on some of these issues thirteen years ago in the UK – during the so-called crypto wars – that the export of cryptographic software from many countries was prohibited. And there were big test cases about whether the source code of these programs was protected under the US First Amendment, which would prohibit such controls on software code. It was intensely ironic that in order to control the proliferation of cryptography in software, governments seemed to be contemplating the introduction of strategic surveillance systems to detect (among other things) when cryptographic software was being exported. In other words, the kind of surveillance systems which motivated the “cypherpunks” to proselytise cryptography, were being introduced (partly) with the perverse justification of preventing such proliferation of such cryptography!

In the case of the new, very sophisticated software monitoring devices (“Trojans”) which are being implanted into people's computers – yes, this has to be subject to the same sort of human rights controls that we would have applied to the exports of weapon systems to oppressive regimes. But it's quite difficult to know how to do that. You have to tie responsibility to the companies that are producing them, but a simple system of end-user licensing might not work. So we might actually need governments to be much more proactive than they have been in the past with traditional arms export regimes and actually do much more actively to try and follow control after export – whether these systems are only being used by the intended countries. As for the law enforcement agencies of democratic countries which are buying these technologies: the big question is whether law enforcement agencies are actually applying effective legal and operational supervision over the use of those systems. So, it's a bit of a mess! And the attempts that have been made so far to legislate this area I don't think are sufficient.

8. How can individuals protect their data (and themselves) from spyware, such as FinFisher?

 

In democratic countries, with good system of the rule of law and supervision of law enforcement authorities, there have been cases – notably in Germany – where it's turned out that the police using techniques, like FinFisher, have actually disregarded legal requirements from court cases laying down the proper procedures. So I don't think it's good enough to assume that if one was doing ordinary lawful political campaigning, that one would not be targeted by these weapons. So it's wise for activists and advocates to think about protecting themselves – of course, other professions as well who look after confidential information – because these techniques may also get into the hands of industrial spies, private detectives and generally by people who are not subject to even the theoretical constraints of law enforcement agencies.

After Edward Snowden's revelations, we understand that all our computer infrastructure is much more vulnerable – particularly to foreign and domestic intelligence agencies – than we ever imagined. So for example, I don't use Microsoft software anymore – I think that there are techniques which are now being sold to governments and available to governments for penetrating Microsoft platforms and probably other major commercial platforms as well. So, I've made the choice, personally, to use free software – GNU/Linux, in particular – and it still requires more skill for most people to use, but it is much much easier than even a few years ago. So I think it's probably wise for most people to try and invest a little time getting rid of proprietary software if they care at all about societal freedom and privacy. I understand that using the latest, greatest smartphone is cool, and the entertainment and convenience of Cloud and tablets – but people should not imagine that they can keep those platforms secure.

It might sound a bit primitive, but I think people should have to go back to the idea that if they really want confidential communications with their friends, or if they are involved with political work, they have to think about setting aside one machine - which they keep offline and just use essentially for editing and encrypting/decrypting material. Once they've encrypted their work on their “air gap” machine, as it's called, then they can put their encrypted emails on a USB stick and transfer them to their second machine which they use to connect online (I notice Bruce Schneier is just now recommending the same approach). Once the “air gap” machine has been set up and configured, you should not connect that to the network – and preferably, don't connect it to the network, ever! So if you follow those sorts of protocols, that's probably the best that is achievable today.

9. How would you advise young people working in the surveillance industry?

 

Young people should try and read a little bit into the ethics of surveillance and to understand their own ethical limits in what they want to do, working in that industry. And in some sense, I think it's a bit like contemplating a career in the arms industry. There are defensible uses of military weapons, but the companies that build these weapons are, at the end of the day, just corporations maximizing value for shareholders. And so, you need to take a really hard look at the company that you're working for or the area you want to work in and satisfy your own standard of ethics, and that what you're doing is not violating other people's human rights. I think that in the fantastically explosive growth of surveillance industries that we've seen over the past few years – and it's accelerating – the sort of technologies particularly being developed for electronic mass surveillance are fundamentally and ethically problematic. And I think that for a talented engineer, there are probably better things that he/she can do with his/her career.

---

On behalf of event organizers, we invite you to view the report, available online for free access here: "Mapping Digital Media: India.

---

Event organizers, Alternative Law Forum, The Centre for Internet & Society, and Maraa, held a public consultation at the Bangalore International Centre with the ultimate goals to inform and engage the public within key themes of the Mapping Digital Media: India report, as a new knowledge basis for better understanding India’s transitioning digital landscape. Many resulting ideas about moving forward with the report’s findings also came about, as prospective proceeding steps within the life cycle following the report’s release.

Respondents consisted of reputed media lawyers, researchers, journalists, activist and other media professionals. Each spoke before the meeting room within three panel discussions pertaining to different sections of the report: Policies, Laws and Regulators; Digital Activism; and Digital Journalism. Each speaker shed a new light on key challenges confronting our emergent digital media landscape with special focus given to broadcasting (radio and television), cable operations and newspapers (print & online) as each of these sectors undergo digitisation.

Opening

Vibodh Parthasarathi, who had anchored the country report, started off the consultation by underscoring the report's objective of mapping the different sectors and seemingly disparate aspects of India's complex media landscape. Following a brief introduction to the report was the setting of the stage by Alternative Law Forum Co-founder and Partner, Lawrence Liang, as he shared the ultimate aims of the event in speaking collectively to the report so that we may gain a better understanding of an area that is otherwise opaque by most. Lawrence also brings to the forefront the report’s debunking of the idea of the digital divide for India, and its account of a rich media landscape.

Policies, Laws and Regulators

The consultation’s first panel discussion was started by Lawrence, as he responded to the report from a perspective of legality. Lawrence examines the role of the state in India’s rich media landscape, specifically in terms of the four values at the centre of such: freedom of speech and expression, access to infrastructure, the question of development, and the question of market regulations—all of which are tied together within the country report.  Lawrence argues that we must arrive at quantitative measures of accessing diversity and quantity of freedom of speech, but only after understanding the ecology in which freedom of speech operates, and attempts to do so in examining drafted policies, policing measures, and market regulatory measures taken within the context of India.

Thirty attendees including journalists, activists, academics, and lawyers, all brought forth different perspectives on digital media in India.

Following was Matthew John, Associate Professor and Executive Director of the Centre on Public law and Jurisprudence. Matthew shared his impressions on the report, while making reference to three issues the report asks us to rethink; these being: public reason, the regulatory state, and the question of distribution. Matthew gives rise to a democratic problem in the public sphere of communication and claims that how it is addressed and resolved must be paid attention to. He makes reference to the history of telecom cases in responding to the question of how we are going to think about freed up telecom, and contrasts different types of regulatory agencies in asking the question of whether or not we should separate regulation from politics.

An engaging discussion following this panel’s speakers took place. Amongst points made by event attendees includes questions of how to scale up the citizen’s stake in media within a legal paradigm, as well as points made with reference to challenges to equity in media in terms of content and challenges to such.

Digital Media and Society (Digital Activism)

The discussion had begun with panelist, Arjun Venkatraman, Co-founder of the Mojolab Foundation as well as the digital activism platform, Swara. Arjun engages within the digital media debate in speaking on behalf of members of civil society that act from within the digital divide and exposes the gaps within new modes of activism that arise out of a lack of understanding on how to engage with these new medias. He also informed attendees of how to make cheap IVR based voice portals, linking voice users to the web for under USD200 as means of leveraging users’ voices via unlicensed spectrum.

Also contributing to the discussion on digital activism was Meera K, Cofounder of Bangalore News publication, Citizen Matters. In examining examples of new spaces that digital media has provided for the exchange of pluralistic views and alternative voices, Meera critiques different types of activism that have emerged, including  social activism, political activism, and middle class activism. She questions whether new media can be seen as sufficient space for free speech with reference to various challenges, such as the polarization of debates, and also compares and contrasts the positive outcomes of new media campaigns—such as tangible capitalized solutions—with corresponding pitfalls.

A debate amongst attendees followed in response to the question of assessing the value of media in terms of impact or size of public outreach, along with how content is generated and controlled.

Digital Media and Journalism

Independent journalist and media analyst, Geeta Seshu, got the conversation started regarding digital media and journalism by comparing the pitfalls of journalism in traditional media with the possibilities offered by digital journalism. Geeta argues that journalists have become devalued and are losing their footing within traditional media. She discussed the new forms of journalism and how news can be generated in an interactive and non-hierarchical manner and examined the intersections of mainstream media and journalism.  She questions the possibility of digital journalism existing on its own, without the influence of or incorporation of principles of traditional media, and grapples with possibilities for providing a new model for doing so.

The day’s last speaker was Subhash Rai, Associate Editor of New Indian Express. Subhash offers a mainstream perspective and argues that we must look at traditional and mainstream forms of media as a starting point for emerging forms of journalism before we can begin to understand these journalism models better. Just as well, traditional and mainstreams means of news dissemination can learn from digital media, however we should not be quick to look away from the core of the entire picture, as traditional forms of media are still very strong in comparison.

A discussion followed surrounded questions posed by speakers and attendees, such as what digital journalism should look like, and how such a transition to new forms of media should be imagined. How information has changed with respect to its creation and consumption was debated as well.

Moving Forward

Before the conclusion of the public consultation, attendees and speakers discussed future advancements for the country report.  Many recommendations and ideas were generated, including suggestions for future public consultations, advocacy windows offered by the report, and ways to produce another iteration of the report. Prospective initiatives included online working groups to dive deeper into specific themes of the report, a Hackathon where attendees will pool ideas together, and follow-up public consultations.

Participants brainstormed together on how to move forward the report’s findings. Many ideas were drafted, including a Hack-a-thon and online focus groups.

The event's agenda went as follows:

Time	Detail
10.00 a.m.	Introductory Remarks by Vibodh Parthasarathi, CCMG, Jamia
10.15 a.m. - 11.30 a.m.	Policies, Laws and Regulators Session Moderator – Ram Bhat Speakers – Lawrence Liang (ALF) and Mathew John (JGLS)
11.30 a.m. - 11.45 a.m.	Tea Break
11.45 a.m. - 1.15 p.m.	Digital Media and Society (Digital Activism) Session Moderator – Lawrence Liang Speakers – Arjun Venkatraman (Mojolab) and Meera K (Citizen Matters)
1.15 p.m. - 2.00 p.m.	Lunch Break
2.00 p.m. - 3.15 p.m.	Digital Media and Journalism Session Moderator – Vibodh Parthasarathi Speakers – Geeta Seshu (Free Speech Hub) and Subhash Rai (newindianexpress.com)
3.15 p.m. - 4.00 p.m.	The Way Ahead (Moving Forward) Moderated by Lawrence Liang

Event Participants

1. Rashmi Vallabhrajasyuva
2. Meera K, Oorvani Foundation
3. Samantha Cassar, CIS
4. Sharath Chandra Ram, CIS
5. Suresh Kumar, Artist
6. Aruna Sekhar, Amnesty India
7. Sriram Sharma, Part time Blogger
8. Ammu Joseph, Independent Researcher
9. Mathew John, Jindal Global Law School
10. Swati Mehta, The Rules
11. James North, The Rules
12. Bhairav Acharya, Lawyer
13. Deepa Kurup, The Hindu
14. Abhilash N, Independent
15. Deepu, Pedestrian Pictures
16. Rashmi M, PhD Student at NIAS
17. Jayanth S, LOCON Solutions Pvt Ltd.
18. Nehaa Chaudhari, CIS
19. Dinesh TB, Servelots
20. Snehashish Ghosh, CIS
21. Lawrence Liang, ALF
22. Vibodh Parthasarathi, CCMG, Jamia
23. Ram Bhat, Maraa
24. Ashish Sen, AMARC
25. Subhash Rai, New Indian Express
26. Geeta Seshu, Free Speech Hub, The Hoot
27. Arjun Venkatraman, Mojo Lab Foundation
28. Raajen, Centre for Education and Documentation
29. Ekta, Maraa
30. Smarika Kumar, ALF

Press Coverage

1. Need to increase diversity in online journalism (The New Indian Express, October 28, 2013).
2. Experts moot holistic approach to media laws (The Hindu, October 28, 2013).

"In a strange mix of how both capitalism and state control work, what is happening is that more and more of these places that one could access, for various reasons, whether it is for ones own pleasure or for political conversations, are getting further and further away from us. And I think that that mix of both corporate interests and state control is particularly playing a role in this regard." - Namita Malhotra, researcher and lawyer, Alternative Law Forum

Centre for Internet and Society presents its twelfth installment of the CIS Cybersecurity Series. 

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Namita Malhotra is a researcher and lawyer at Alternative Law Forum (ALF). She has a keen interest in working on law, technology and media through legal research, cultural studies, new media practices and film making.

ALF homepage: www.altlawforum.org

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

 

The Centre for Internet and Society is pleased to release the trailer of its first documentary film, on cybersecurity and civil society in India. 

The documentary is part of the CIS Cybersecurity Series, a work in progress which may be found here.

DesiSec: Cybersecurity and Civil Society in India

The trailer of DesiSec: Cybersecurity and Civil Society in India was shown at the Internet Governance Forum in Bali on October 24. It was a featured presentation at the Citizen Lab workshop, Internet Governance For The Next Billion Users.

The transcript of the workshop is available here: http://www.intgovforum.org/cms/component/content/article/121-preparatory-process/1476-ws-344-internet-governance-for-the-next-billion-users 

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

The Round-table was the last in a series of seven, beginning in April 2013, which were held across India.

Previous Privacy Round-tables were held in:

• New Delhi: (April 13, 2013) with 45 participants;
• Bangalore: (April 20, 2013) with 45 participants;
• Chennai: (May 18, 2013) with 25 participants;
• Mumbai, (June 15, 2013) with 20 participants;
• Kolkata: (July 13, 2013) with 25 participants; and
• New Delhi: (August 24, 2013) with 40 participants.

Chantal Bernier, Assistant Privacy Commissioner Canada, Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party, and Christopher Graham, Information Commissioner UK were the featured speakers for this event.

The Privacy Round-tables were organised to ignite spark in public dialogues and gain feedback for a privacy framework for India. To achieve this, the Privacy Protection Bill, 2013, drafted by the Centre for Internet and Society, Strengthening Privacy through Co-regulation by the Data Security Council of India, and the Report of the Group of Experts on Privacy by the Justice A.P. Shah committee were used as background documents for the Round-tables. As a note, after each Round-table, CIS revised the text of the Privacy Protection Bill, 2013 based on feedback gathered from the general public.

The Seventh Privacy Round-table meeting began with an overview of the past round-tables and a description of the evolution of a privacy legislation in India till date, and an overview of the Indian interception regime. In 2011, the Department of Personnel and Training drafted a Privacy Bill that incorporated provisions regulating data protection, surveillance, interception of communications, and unsolicited messages. Since 2010, India has been seeking data secure status from the European Union, and in 2012 a report was issued noting that the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules found under section 43A of the Information Technology Act, were not sufficient to meet EU data secure adequacy.  In 2012, the Report of the Group of Experts on Privacy was published recommending a privacy framework for India and was accepted by the government, and the Department of Personnel and Training is presently responsible for drafting of a privacy legislation for India.

---

Presentation: Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Group

---

Jacob Kohnstamm, made a presentation on the privacy framework in the European Union. In his presentation, Khonstamm shared how history, such as the Second World War, shaped the present understanding and legal framework for privacy in the European Union, where privacy is seen as a fundamental human right. Kohnstamm also explained how over the years technological developments have made data gold, and subsequently, companies who process this data and create services that allow for the generation of more data are becoming monopolies. This has created an unbalanced situation for the individual consumer, where his or her data is being routinely collected by companies, and once collected — the individual loses control over the data. Because of this asymmetric relationship, data protection regulations are critical to ensure that individual rights are safeguarded.

Kohnstamm recognized the tension between stringent data protection regulations and security for the government, and the provision of services for businesses was recognized. However, he argued that the use of technology without regulation — for commercial reason or security reasons, can lead to harm. Thus, it is key that any regulation incorporate proportionality as a cornerstone to the use of these technologies to ensure trust between the individual and the State, and the individual and the corporation. This will also ensure that individuals are given the right of equality, and the right to live free of discrimination. Kohnstamm went on to explain that any regulation needs to ensure that individuals are provided the necessary tools to control their data and that a robust supervisory authority is established with enough powers to enforce the provisions, and that checks and balances are put in place to safeguard against abuse.

In response to a question asked about how the EU addresses the tension of data protection and national security, Kohnstamm clarified that in the EU, national security is left as a matter for member states to address but the main principles found in the EU Data Protection Directive also apply to the handling of information for national security purposes. He emphasized the importance of the creation of checks and balances. As security agencies are given additional and broader powers, they must also be subjected to stronger safeguards.

Kohnstamm also discussed the history of the fair trade agreement with India, and India’s request for data secure status. It was noted that currently the fair trade agreement between India and the EU is stalled, as India has asked for data secure status. For the EU to grant this status, it must be satisfied that when European data is transferred and processed in India and that it is subject to the same level of protections as it would be if it were processed in the EU. Without a privacy legislation in place, India’s present  regime does not reflect the same level of protections as the EU regime. To find a way out of this ‘dead lock’, the EU and India have agreed to set up an expert group — with experts from both the EU and India to find a way in which India’s regime can be modified to meet EU date secure adequacy. As of date, no experts from the Indian side have been nominated and communicated to the EU.

Key Points:

1. Europe’s history has influenced the understanding and formulation of the right to privacy as a fundamental right.
2. Any privacy regulation must have strong checks and balances in place and ensure that individuals are given the tools to control their data.
3. India’s current regime does not meet EU data secure adequacy. Currently, the EU is waiting for India to nominate experts to work with the EU to find a way of the ‘dead lock’.

---

Discussion: National Security, Surveillance and Privacy

---

Opening the discussion up to the floor, it was discussed how in India, there is a tension between data protection and national security, as national security is always a blanket exception to the right to privacy. This tension has been discussed and debated by both democratic institutions in India and commercial entities. It was pointed out that though data protection is a new debate, national security is a debate that has existed in India for many years. It was also pointed out that currently there are not sufficient checks and balances for the powers given to Indian security agencies. One missing safeguard that the Indian regime has been heavily criticized for is the power of the Secretary of the Home Ministry to authorize interception requests, as having the authorization power vested in the executive leaves little space between interested parties seeking approval of interception orders, and could result in abuse or conflict of interest. With regards to the Indian interception regime, it was explained that currently there are five ways in which messages can be intercepted in India. Previously, the Law Commission of India had asked that amendments be made to both the Indian Post Office Act and the Indian Telegraph Act.

Moving the discussion to the Privacy Protection Bill, 2013 by CIS, in Chapter V “Surveillance and Interception of Communications” clause 34, the authorization of interception and surveillance orders is left to a magistrate. Previously, the authorization of interception orders rested with the Privacy Commissioner, but this model was heavily critiqued in previous round-tables, and the authorizing authority has been subsequently changed to a magistrate. Participants pointed out that the Bill should specify the level of the magistrate that will be responsible for the authorization of surveillance orders, and also raised the concern that the lower judiciary in India is not adequately functioning as the courts are overwhelmed, thus creating the possibility for abuse. Participants also suggested that perhaps data protection and surveillance should be de-linked from each other and placed in separate bills. This echoes public feedback from previous roundtables.

While discussing needed safeguards in an interception and surveillance regime for India, it was called out that transparency of surveillance, by both the government and the service providers as key safeguards to ensuring the protection of privacy, as it would enable individuals to make educated decisions about the services they choose to use and the extent of governmental surveillance. The need to bring in a provision that incorporated the idea of "nexus of surveillance" was also highlighted. It was also pointed out that in Canada, entities wanting to deploy surveillance in the name of public safety, must take steps to prove nexus. For example, the organization must empirically prove that there is a need for a security requirement, demonstrate that only data that is absolutely necessary will be collected, show how the technology will be effective, prove that there is not a less invasive way to collect the information, demonstrate security measures in place to ensure against loss and misuse, and the organizations must have in place both internal and external oversight mechanisms. It was also shared that in Canada, security agencies are regulated by the Office of the Canadian Privacy Commissioner, as privacy and security are not seen as separate matters. In the Canadian regime, because security agencies have more powers, they are also subjected to greater oversight.

Key Points:

1. The Indian surveillance regime currently does not have strong enough safeguards.
2. The concept of ‘nexus’ should be incorporated into the Privacy Protection Bill, 2013.
3. A magistrate, through judicial oversight for interception and surveillance requests, might not be the most effective authority for this role in India.

---

Presentation: Chantal Bernier, Deputy Privacy Commissioner, Canada

---

In her presentation, Bernier made the note that in the Canadian model there are multiple legislative initiatives that are separate but connected, and all provide a legislative basis for the right to privacy. Furthermore, it was pointed out that there are two privacy legislations in Canada, one regulating the private sector and the other regulating the public sector. It has been structured this way as it is understood that the relationship between individuals and business is based on consent, while the relationship between individuals and the state is based on human rights. Furthermore, aspects of privacy, such as consent are different in the public sector and the private sector. In her presentation, Bernier pointed out that privacy is a global issue and because of this, it is critical that countries have privacy regimes that can speak to each other. This does not mean that the regimes must be identical, but they must at the least be inter-operable.

Bernier described three main characteristics of the Canadian privacy regime including:

1. It is comprehensive and applies to both the public and the private sectors.
2. The right to privacy in Canada is constitutionally based and is a fundamental right as it is attached to personal integrity. This means that privacy is above contractual fairness. That said, the right to privacy must be balanced collectively with other imperatives.
3. The Canadian privacy regime is principle based and not rule based. This flexible model allows for quick adaption to changing technologies and societal norms. Furthermore, Bernier explained how Canada places responsibility and accountability on companies to respect, protect, and secure privacy in the way in which the company believes it can meet. Bernier also noted that all companies are responsible and accountable for any data that they outsource for processing.

Furthermore, any company that substantially deals with Canadians must ensure that the forum for which complaints etc., are heard is Canada. Furthermore, under the Canadian privacy regime, accountability for data protection rests with the original data holder who must ensure — through contractual clauses — that any information processed through a third party meets the Canadian level of protection. This means any company that deals with a Canadian company will be required to meet the Canadian standards for data protection.

Speaking to the governance structure of the Office of the Privacy Commissioner in Canada, Bernier explained that the OPC is a completely independent office and reports directly to the Parliament. The OPC hears complaints from both individuals and organizations. The OPC does not have any enforcement powers, such as finding a company, but does have the ability to "name" companies who are not in compliance with Canadian regulations, if it is in the public interest to do so. The OPC can perform audits upon discretion with respect to the public sector, and can perform audits on the private sector if they have reasonable grounds to investigate.

Bernier concluded her presentation with lessons that have been learned from the Canadian experience including:

1. The importance of having strong regulators.
2. Privacy regulators must work and cooperate together.
3. Privacy has become a condition of trade.
4. In today’s age, issues around surveillance cannot be underestimated.
5. Companies that have strong privacy practices now have a competitive advantage in place in today’s global market.
6. Privacy frameworks must be clear and flexible.
7. Oversight must be powerful to ensure proper protection of citizens in a world of asymmetry between individuals, corporations, and governments.

Key Points:

1. The Right to Privacy is a fundamental right in Canada.
2. The Canadian privacy regime regulates the public sector and the private sector, but through two separate legislations.
3. The OPC does not have the power to levy fines, but does have the power to conduct audits and investigations and ‘name’ companies who are not in compliance with Canadian regulations if it is in the public interest.

---

Discussion: The Data Protection Authority

---

Participants also discussed the composition of the Data Protection Authority as described in chapter IV of the Privacy Protection Bill. It was called out that the in the Bill, the Data Protection Authority might need to be made more independent. It was suggested that to avoid having the office of the Data Protection Authority be filled with bureaucrats, the Bill should specify that the office must be staffed by individuals with IT experience, lawyers, judges, etc. On the other hand it was cautioned, that though this might be useful to some extent, it might not be helpful to be overly prescriptive, as there is no set profile of what composition of employees makes for a strong and effective Data Protection Authority. Instead the Bill should ensure that the office of the Data Protection Authority is independent, accountable, and chosen by an independent selection board.

When discussing possible models for the framework of the Data Protection Authority, it was pointed out that there are many models that could be adopted. Currently in India the commission model is not flexible, and many commissions that are set up, are not effective due to funding and internal bureaucracy. Taking that into account, in the Privacy Protection Bill, 2013, the Data Protection Authority, could be established as a small regulator with an appellate body to hear complaints.

Key Points:

1. The Data Protection Authority established in the Privacy Protection Bill must be adequately independent.
2. The composition of the Data Protection Authority be diverse and it should have the competence to address the dynamic nature of privacy.
3. The Data Protection Authority could be established as a small regulator with an appellate body attached.

---

Presentation: Christopher Graham, Information Commissioner, United Kingdom

---

Christopher Graham, the UK Information Commissioner, spoke about the privacy regime in the United Kingdom and his role as the UK Information Commissioner. As the UK Information Commissioner, his office is responsible for both the UK Data Protection Act and the Freedom of Information Act. In this way, the right to know is not in opposition to the right to privacy, but instead an integral part.

Graham said that his office also provides advice to data controllers on how to comply with the privacy principles found in the Data Protection Act, and his office has the power to fine up to half a million pounds on non-compliant data controllers. Despite having this power, it is rarely used, as a smaller fine is usually sufficient enough for the desired effect. Yet, at the end of the day, whatever penalty is levied, it must be proportionate and risk based i.e., selective to be effective. In this way the regulatory regime should not be heavy handed but instead should be subtle and effective. In fact, one of the strongest regulators is the reality of the market place where the price of not having strong standards is innovation and economic growth. To this extent, Graham also pointed out that self regulation and co-regulation are both workable models, if there is strong enforcement mechanisms. Graham emphasized the fact that any data protection must go beyond, and cannot be limited to, just security.

Graham also explained that he has found that currently there is a lack of confidence in Indian partners. This is problematic as the Indian industry tries to grow with European partners. For example, he has been told that customers are moving banks because their previous bank’s back offices were located in India. Citing other examples of cases of data breaches from Indian data controllers, such as a call center merging the accounts of two customers and another call centre selling customer information, he explained that the lack of confidence in the Indian regime has real economic implications. Graham further explained that one difficulty that the office of the UK ICO is faced with, is that India does not have the equivalent of the ICO. Thus, when a breach does happen, it is unclear who can be approached in India about the breach.

Touching upon the issue of data adequacy with the EU, Graham noted that if data adequacy is a goal of India, the privacy principles as defined in the Directive and reflected in the UK Data Protection Act, must be addressed in addition to security. In his presentation, Graham emphasized the importance of India amending their current regime, if they want data secure status and spoke about the economic benefits for both Europe and India, if India does in fact obtain data secure status. In response to a question about why it is so important that India amend its laws, if in effect the UK has the ability to enforce the provisions of UK Data Protection Act, Graham clarified that most important is the rule of law, and according to UK law and more broadly the EU Directive, companies cannot transfer information to jurisdictions that do not have recognized adequate levels of protection. Thus, if companies still wish to transfer information to India, this must be done through binding corporate rules.

Another question which was put forth was about how the right to privacy differs from other human rights, and why countries are requiring that other countries to uphold the right to privacy to the same level, when, for example this is not practiced for other human rights such as children’s rights. In response Graham explained that data belongs to the individual, and when it is transferred to another country — it still belongs to the individual. Although the UK would like all countries to uphold the rights of children to the standard that they do, the UK is not exporting UK citizen’s children to India. Thus, as the Information Commissioner he has a responsibility to protect his citizen’s data, even when it leaves the UK jurisdiction.  Graham explained further that in the history of Europe, the misuse of data to do harm has been a common trend, which is why privacy is seen as a fundamental right, and why it is paramount that European data is subject to the same level of protection no matter what jurisdiction it is in. India needs to understand that privacy is a fundamental right and goes beyond security, and that when a company processes data it does not own the data, the individual owns the data and thus has rights attached to it to understand why Europe requires countries to be ‘data secure’ before transferring data to them.

Key Points:

1. The UK Information Commissioners Office regulates both the right to information and privacy, and thus the two rights are seen as integral to each other.
2. Penalties must be proportionate and scalable to the offense.
3. Co-regulation and self-regulation can both be viable models to for privacy, but enforcement is key to them being effective.

---

Discussion: Collection of Data with Consent and Collection of Data without Consent

---

Participants also discussed the collection of data with consent and the collection of data without consent found in Chapter III of the Bill. When asked opinions about the circumstances when informed consent should not be required,  it was pointed out that in the Canadian model, the option to collect information without consent only applies to the public sector if it is necessary for the delivery of a service by the government. In the private sector all collection of information requires informed and meaningful consent. Yet, collection of data without consent in the commercial context is an area that Canada is wrestling with, as there are instances, such as online advertising, where it is unreasonable to expect consent all the time. It was also pointed out that in the European Directive, consent is only one of the seven grounds under which data can be collected. As part of the conversation on consent, it was pointed out that the Bill currently does not take explicitly take into account the consent for transfer of information, and it does not address changing terms of service and if companies must re-take consent, or if providing notice to the individual was sufficient. The question about consent and additional collection of data that is generated through use of that service was also raised. For example, if an individual signs up for a mobile connection and initially provides information that the service provider stores in accordance to the privacy principles, does the service provider have an obligation to treat all data generated by the user while using the service of the same? The exception of disclosure without consent was also raised and it was pointed out that companies are required to disclose information to law enforcement when required. For example, telecom service providers must now store location data of all subscribers for up to 6 months and share the same when requested by law enforcement.

Key Points:

1. There are instances where expecting companies to have informed consent for every collection of information is not reasonable. Alternative models, based on — for example transparency — must be explored to address these situations.
2. The Privacy Protection Bill should explicitly address transfer of information to other countries.
3. The Privacy Protection Bill should address consent in the context of changing terms of service.

---

Discussion: Penalties and Offences

---

The penalties and offenses prescribed in chapter VI of the Privacy Protection Bill were discussed by participants. While discussing the chapter, many different opinions were voiced. For example, some participants held the opinion that offences and penalties should not exist in the Privacy Protection Bill, because in reality they are more likely than not to be effective. For example, when litigating civil penalties, it takes a long time for the money to be realized. Others argued that in India, where enforcement of any law is often weak, strong, clear, and well defined criminal penalties are needed. Another comment raised the point that a distinction should be made between breaches of the law by data controllers and breaches by rogue individuals — as the type of violation. For example, a breach by a data controller is often a matter identifying the breach and putting in place strictures to ensure that it does not happen again by holding the company accountable through oversight. Where as a breach by a rogue agent entails identifying the breach and the rogue agent and creating a strong enough penalty to ensure that they will not repeat the violation.  Adding to this discussion, it was pointed out that in the end, scalability is key in ensuring that penalties are proportional and effective. It was also noted that in the UK, any fine that is levied is appealable. This builds in a system of checks and balances, and ensures that companies and individuals are not subject to unfair or burdensome penalties.

The possibility of incentivizing compliance, through rewards and distinctions, was discussed by participants. Some felt that incentivizing compliance would be more effective as it would give companies distinct advantages to incorporating privacy protections, while others felt that incentives can be included but penalties cannot be excluded, otherwise the provisions of the Privacy Protection Bill 2013 will not be enforceable. It was also pointed out that in the context of India, ideally there should be a mechanism to address the ‘leakages’ that happen in the system i.e., corruption. Though this is difficult to achieve, regulations could take steps like specifically prohibiting the voluntary disclosure of information by companies to law enforcement. Taking a sectoral approach to penalties was also suggested as companies in different sectors face specific challenges and types of breaches. Another approach that could be implemented is the statement of a time limit for data controllers and commissioners to respond to complaints. This has worked for the implementation of the Right to Information Act in India, and it would be interesting to see how it plays out for the right to privacy. Throughout the discussion a number of different possible ways to structure offenses and penalties were suggested, but for all of them it was clear that  it is important to be creative about the type of penalties and not rely only on financial penalty, as for many companies, a fine has less of an impact than perhaps having to publicly disclose what happened around a data breach.

Key Points:

1. Penalties and offenses by companies vs. rogue agents should be separately addressed in the Bill.
2. Instead of levying penalties, the Bill should include incentives to ensure compliance.
3. Penalties for companies should go beyond fines and include mechanisms such as requiring the company to disclose to the public information about the breach.

---

Discussion: Cultural Aspects of Privacy

---

The cultural realities of India, and the subsequent impact on the perception of privacy in India were discussed. It was pointed out that India has a history of colonization, multiple religions and languages, ethnic tensions, a communal based society, and a large population. All of these factors impact understandings, perceptions, practices, and the effectiveness of different frameworks around privacy in India. For example, the point was raised that given India’s cultural and political diversity, having a principle based model might be too difficult to enforce as every judge, authority, and regulator will have a different perspective and agenda. Other participants pointed out that there is a lack of awareness around privacy in India, and this will impact the effectiveness of the regulation. It was also highlighted that anecdotal claims that cultural privacy in India is different, such as the fact that in India on a train everyone will ask you personal questions, and thus Indian’s do not have a concept of privacy, cannot influence how a privacy law is framed for India.

Key Points:

1. India’s diverse culture will impact perceptions of privacy and the implementation of any privacy regulation.
2. Given India’s diversity, a principle based model might not be adequate.
3. Though culture is important to understand and incorporate into the framing of any privacy regulation in India, anecdotal stories and broad assumptions about India’s culture and societal norms around privacy cannot influence how a privacy law is framed for India.

Conclusion

The seventh privacy round-table concluded with a conversation on the NSA spying and the Snowden Revelations. It was asked if domestic servers could be an answer to protect Indian data. Participants agreed that domestic servers are just a band aid to the problem. With regards to the Privacy Protection Bill it was clarified that CIS is now in the process of collecting public statements to the Bill and will be submitting a revised version to the Department of Personnel and Training. Speaking to the privacy debate at large, it was emphasized that every stakeholder has an important voice and can impact the framing of a privacy law in India.

Do you have a profile on Facebook? Almost every time I ask this question, the answer is ‘yes’. In fact, I think the amount of people who have replied ‘no’ to this question can literally be counted on my right hand. But this is not an article about Facebook per se. It’s more about the ‘Facebooks’ of the world, and of people’s increasing “choice” to hand over their most personal data. More accurate questions are probably:

“Would you like the Government to go through your personal diary? If not, then why do you have a profile on Facebook?”

The Indian Surveillance State

Following Snowden’s revelations, there’s finally been more talk about surveillance. But what is surveillance?

David Lyon - who directs the Surveillance Studies Centre - defines surveillance as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered”. Surveillance can also be defined as the monitoring of the behaviour, activities or other changing information of individuals or groups of people. However, this definition implies that individuals and/or groups of people are being monitored in a top-down manner, without this being their “choice”. But is that actually the case? To answer this question, let’s have a look at how the Indian government and corporations operating in India spy on us.

State Surveillance

The first things that probably come to mind when thinking about India from a foreigner’s perspective are poverty and corruption. Surveillance appears to be a “Western, elitist issue”, which mainly concerns those who have already solved their main survival problems. In other words, the most mainstream argument I hear in India is that surveillance is not a real issue, especially since the majority of the population in the country lives below the line of poverty and does not even have any Internet access. Interestingly enough though, the other day when I was walking around a slum in Koramangala, I noticed that most people have Airtel satellites...even though they barely have any clean water!

The point though is that surveillance in India is a fact, and the state plays a rather large role in it. In particular, Indian law enforcement agencies follow three steps in ensuring that targeted and mass surveillance is carried out in the country:

1. They create surveillance schemes, such as the Central Monitoring System (CMS), which carry out targeted and/or mass surveillance

2. They create laws, guidelines and license agreements, such as the Information Technology (Amendment) Act 2008, which mandate targeted and mass surveillance and which require ISP and telecom operators to comply

3. They buy surveillance technologies from companies, such as CCTV cameras and spyware, and use them to carry out targeted and/or mass surveillance

While Indian law enforcement agencies don’t necessarily follow these steps in this precise order, they usually try to create surveillance schemes, legalise them and then buy the gear to carry them out.

In particular, surveillance in India is regulated under five laws: the Indian Telegraph Act 1885, the Indian Post Office Act 1898, the Indian Wireless Telegraphy Act 1933, section 91 of the 1973 Code of Criminal Procedure (CrPc) and the Information Technology (Amendment) Act 2008. These laws mandate targeted surveillance, but remain silent on the issue of mass surveillance which means that technically it is neither allowed nor prohibited, but remains a grey legal area.

While surveillance laws in India may not mandate mass surveillance, some of their sections are particularly concerning. Section 69 of the Information Technology (Amendment) Act 2008 allows for the interception of all information transmitted through a computer resource, while requiring that all users disclose their private encryption keys or face a jail sentence of up to seven years. This appears to be quite bizarre, as individuals can only keep their data private and protect themselves from surveillance through encryption.

Section 44 of the Information Technology (Amendment) Act 2008 imposes stiff penalties on anyone who fails to provide requested information to authorities - which kind of reminds us of Orwell’s totalitarian regime in “1984”. Furthermore, section 66A of the same law states that individuals will be punished for sending “offensive messages through communication services”. However, the vagueness of this section raises huge concerns, as it remains unclear what defines an “offensive message” and whether this will have grave implications on the freedom of expression. The arrest of two Indian women last November over a Facebook post reminds us of this.

Laws in India may not mandate mass surveillance, but guidelines and license agreements issued by the Department of Telecommunications do. In particular, the UAS License Agreement regarding the Central Monitoring System (CMS) not only mandates mass surveillance, but also attempts to legalise a mass surveillance scheme which aims to intercept all telecommunications and Internet communications in India. Furthermore, the Department of Telecommunications has issued numerous guidelines and license agreements for ISPs and telecom operators, which require them to not only be “surveillance-friendly”, but to also enable law enforcement agencies to tap into their servers on the grounds of national security. And then, of course, there’s the new National Cyber Security Policy, which mandates surveillance to tackle cyber-crime, cyber-terrorism, cyber-war and cyber-vandalism.

As both a result and prerequisite of these laws, the Indian government has created various surveillance schemes and teams to aid them. In particular, India’s Computer Emergency Response Team (CERT) is currently monitoring “any suspicious move on the Internet” in order to checkmate any potential cyber attacks from hackers. While this may be useful for the purpose of preventing and detecting cyber-criminals, it remains unclear how “any suspicious move” is defined and whether that inevitably enables mass surveillance, without individuals’ knowledge or consent.

The Crime and Criminal Tracking and Network & Systems (CCTNS) is the creation of a nationwide networking infrastructure for enhancing the efficiency and effectiveness of policing and sharing data among 14,000 police stations across the country. It has been estimated that Rs. 2000 crore has been allocated for the CCTNS project and while it may potentially increase the effectiveness of tackling crime and terrorism, it raises questions around the legality of data sharing and its potential implications on the right to privacy and other human rights - especially if such data sharing results in data being disclosed or shared with unauthorised third parties.

Similarly, the National Intelligence Grid (NATGRID) is an integrated intelligence grid that will link the databases of several departments and ministries of the Government of India so as to collect comprehensive patterns of intelligence that can be readily accessed by intelligence agencies. This was first proposed in the aftermath of the Mumbai 2008 terrorist attacks and while it may potentially aid intelligence agencies in countering crime and terrorism, enforced privacy legislation should be a prerequisite, which would safeguard our data from potential abuse.

However, the most controversial surveillance scheme being implemented in India is probably the Central Monitoring System (CMS). While several states, such as Assam, already have Internet Monitoring Systems in place, the Central Monitoring System appears to raise even graver concerns. In particular, the CMS is a system through which all telecommunications and Internet communications in India will be monitored by Indian authorities. In other words, the CMS will be capable of intercepting our calls and of analyzing our data on social networking sites, while all such data would be retained in a centralised database. Given that India currently lacks privacy legislation, such a system would mostly be unregulated and would pose major threats to our right to privacy and other human rights. Given that data would be centrally stored, the system would create a type of “honeypot” for centralised cyber attacks. Given that the centralised database would have massive volumes of data for literally a billion people, the probability of error in pattern and profile matching would be high - which could potentially result in innocent people being convicted for crimes they did not commit. Nonetheless, mass surveillance through the CMS is currently a reality in India.

And the even bigger question: How can law enforcement agencies mine the data of 1.2 billion people? How do they even carry out surveillance in practice? Well, that’s where surveillance technology companies come in. In fact, the surveillance industry in India is massively expanding - especially in light of its new surveillance schemes which require advanced and sophisticated technology. According to CIS’ India Privacy Monitor Map - which is part of ongoing research - Indian law enforcement agencies use CCTV cameras in pretty much every single state in India. The map also shows that Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are being used in most states in India and the DRDO’s “Netra” - which is a lightweight drone, not much bigger than a bird - is particularly noteworthy.

But Indian law enforcement agencies also buy surveillance software and hardware which is aimed at intercepting telecommunications and Internet communications. In particular, ClearTrail Technologies is an Indian company - based in Indore - which equips law enforcement agencies in India and around the world with surveillance software which can probably be compared with the “notorious” FinFisher. So in short, there appears to be a tight collaboration between Indian law enforcement agencies and the surveillance industry, which can be clearly depicted in the ISS surveillance trade shows, otherwise known as “the wiretappers’ ball”.

Corporate Surveillance

When I ask people about corporate surveillance, the answer I usually get is: “Corporations only care about their profit - they don’t do surveillance per se”. And while that may be true, David Lyon’s definition of surveillance - as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered” - may indicate otherwise.

Corporations, like Google, Amazon and Facebook, may not have an agenda for spying per se, but they do collect massive volumes of personal data and, in cases such as PRISM, allow law enforcement to tap into their servers. Once law enforcement agencies get hold of data collected by companies, such as Facebook, they then use data mining software - equipped by various surveillance technology companies - to process and mine the data. And how do companies, like Google and Facebook, make money off our personal data? By selling it to big buyers, such as law enforcement agencies.

So while Facebook and all the ‘Facebooks’ of the world may not profit from surveillance per se, they do profit from collecting our personal data and selling it to third parties, which include law enforcement agencies. And David Lyon argues that surveillance involves the collection of personal data - which corporations, like Facebook, do - for the purpose of influencing and managing individuals. While this last point can probably be widely debated on, it is clear that corporations share their collected data with third parties, which ultimately leads to the influence or managing of individuals - directly or indirectly. In other words, the collection of personal data, in combination with its disclosure to third parties, is surveillance. So when we think about companies, like Google or Facebook, we should not just think of businesses interested in their profit - but also of spying agencies. After all, “if the product is free, you are the product”.

Now if we look at online corporations more closely, we can probably identify three categories:

1. Websites through which we buy products and hand over our personal details - e.g. Amazon

2. Websites through which we use services and hand over our personal details - e.g. flight ticket

3. Websites through which we communicate and hand over our personal details - e.g. Facebook

And why could the above be considered “spying” at all? Because such corporations collect massive volumes of personal data and subsequently:

- Disclose such data to law enforcement agencies

- Allow law enforcement agencies to tap into their servers

- Sell such data to “third parties”

What’s notable about so-called corporate surveillance is that, in all cases, there is a mutual, key element: we consent to the handing over of our personal information. We are not forced to hand over our personal data when buying a book online, booking a flight ticket or using Facebook. Instead, we “choose” to hand over our personal data in exchange for a product or service. Now what significantly differentiates state surveillance to corporate surveillance is the factor of “choice”. While we may choose to hand over our most personal details to large online corporations, such as Google and Facebook, we do not have a choice when the government monitors our communications, collects and stores our personal data.

State Surveillance vs. Corporate Surveillance

Both Indian law enforcement agencies and corporations collect massive volumes of personal data. In fact, it is probably noteworthy to mention that Facebook, in particular, collects 20 times more data per day than the NSA in total. In addition, Facebook has claimed that it has received more demands from the US government for information about its users than from all other countries combined. In this sense, the corporate collection of personal data can potentially be more harmful than government surveillance, especially when law enforcement agencies are tapping into the servers of companies like Facebook. After all, the Indian government and all other governments would have very little data to analyse if it weren’t for such corporations.

Surveillance is not just about “spying” or about “watching people” - it’s about much much more. Observing people’s behaviour only really becomes harmful when the data observed is collected, retained, analysed, shared and disclosed to unauthorised third parties. In other words, surveillance is meaningful to examine because it involves the analysis of data, which in turn involves pattern matching and profiling, which can potentially have actual, real-world implications - good or bad. But such analysis cannot be possible without having access to large volumes of data - most of which belong to large corporations, like Facebook. The question, though, is: How do corporations collect such large volumes of personal data, which they subsequently share with law enforcement agencies? Simple: Because we “choose” to hand over our data!

Three years ago, when I was doing research on young people’s perspective of Facebook, all of the interviewees replied that they feel that they are in control of their personal data, because they “choose” what they share online. While this may appear to be a valid point, the “choice” factor can widely be debated on. There are many reasons why people “choose” to hand over their personal data, whether to buy a product, use a service, to communicate with peers or because they feel socially pressured into using social networking sites. Nonetheless, it all really comes down to one main reason: convenience. Today, in most cases, the reason why we hand over our personal data online in exchange for products or services is because it is simply more convenient to do so. And while that is understandable, at the same time we are exposing our data (and ultimately our lives) in the name of convenience.

The irony in all of this is that, while many people reacted to Snowden’s revelations on NSA dragnet surveillance, most of these people probably have profiles on Facebook. Secret, warrantless government surveillance is undeniably intrusive, but in the end of the day, our profiles on Facebook - and on all the ‘Facebooks’ of the world - is what enabled it to begin with. In other words, if we didn’t choose to give up our personal data - especially without really knowing how it would be handled - large databases would not exist and the NSA - and all the ‘NSAs’ of the world - would have had a harder time gathering and analysing data.

In short, the main difference between state and corporate surveillance is that the first is imposed in a top-down manner by authorities, while the second is a result of our “choice” to give up our data. While many may argue that it’s worse to have control imposed on you, I strongly disagree. When control and surveillance are imposed on us in a top-down manner, it’s likely that we will perceive this - sooner or later - as a direct threat to our human rights, which means that it’s likely that we will resist to it at some point. People usually react to what they perceive as a direct threat, whereas they rarely react to what does not directly affect them. For example, one may perceive murder or suicide as a direct threat due the immediateness of its effect, whereas smoking may not be seen as an equally direct threat, because its consequences are indirect and can usually be seen in the long term. It’s somehow like that with surveillance.

University students have protested on the streets against the installation of CCTV cameras, but how many of them have profiles on social networking sites, such as Facebook? People may react to the installation of CCTV cameras, because it may appear as a direct threat to their right to privacy. However, the irony is that the real danger does not necessarily lie within some CCTV cameras, but rather within the profile of each person on a major commercial social networking site. At very best, a CCTV camera will capture some images of us and through that, track our location and possibly our acquaintances. What type of data is captured through a simple, “harmless” Facebook profile? The following probably only includes a tiny percentage of what is actually captured:

- Personal photos

- Biometrics (possibly through photos)

- Family members

- Friends and acquaintances

- Habits, hobbies and interests

- Location (through IP address)

- Places visited

- Economic standing (based on pictures, comments, etc.)

- Educational background

- Ideas and opinions (which may be political, religious, etc.)

- Activities

- Affiliations

The above list could potentially go on and on, probably depending on how much - or what type - of data is disclosed by the individual. The interesting element to this is that we can never really know how much data we are disclosing, even if we think we control it. While an individual may argue that he/she chooses to disclose an x amount of data, while retaining the rest, that individual may actually be disclosing a 10x amount of data. This may be the case because usually every bit of data hides lots of other bits of data, that we may not be aware of. It all really comes down to who is looking at our data, when and why.

For example, (fictional) Priya may choose to share on her Facebook profile (through photos, comments, or any other type of data) that she is female, Indian, a Harvard graduate and that her favourite book is “Anarchism and other Essays” by Emma Goldman. At first glance, nothing appears to be “wrong” with what Priya is revealing and in fact, she appears to care about her privacy by not revealing “the most intimate details” of her life. Moreover, one could argue that there is absolutely nothing “incriminating” about her data and that, on the contrary, it just reflects that she is a “shiny star” from Harvard. However, I am not sure if a data analyst would be restricted to this data and if data analysis would show the same “sparkly” image.

In theory, the fact that Priya is an Indian who attended Harvard reveals another bit of information, that Priya did not choose to share: her economic standing. Given that the majority of Indians live below the line of poverty, there is a big probability that Priya belongs to India’s middle class - if not elite. Priya may not have intentionally shared this information, but it was indirectly revealed through the bits of data that she did reveal: female Indian and Harvard graduate. And while there may not be anything “incriminating” about the fact that she has a good economic standing, in India this usually means that there’s also some strong political affiliation. That brings us to her other bit of information, that her favourite author is a feminist, anarchist. While that may be viewed as indifferent information, it may be crucial depending on the specific political actors in the country she’s in and on the general political situation. If a data analyst were to map the data that Priya chose to share, along with all her friends and acquaintances that she inevitably has through Facebook, that data analyst could probably tell a story about her. And the concerning part is that that story may or may not be true. But that doesn’t really matter.

Today, governments don’t judge us and take decisions based on our version of our data, but based on what our data says about us. And perhaps, under certain political, social and economic circumstances, our “harmless” data could be more incriminating than what we think. While an individual may express strong political views within a democratic regime, if that political system were to change in the future and to become authoritarian, that individual would possibly be suspicious in the eyes of the government - to say the least. This is where data retention plays a significant role.

Most companies retain data indefinitely or for a long period of time, which means that future, potentially less-democratic governments may have access to it. And the worst part is that we can never really know what data is being held about us, because within data analysis, every bit of data may potentially entails various other bits of data that we are not even aware of. So, when we “choose” to hand over our data, we don’t necessarily know what or how much we are choosing to disclose. Thus, this is why I agree with Bruce Schneier’s argument that people have an illusionary sense of control over their personal data.

Social network analysis software is specifically designed to mine huge volumes of data that is collected through social networking sites, such as Facebook. Such software is specifically designed to profile individuals, to create “trees of communication” around them and to match patterns. In other words, this software tells a story about each and every one of us, based on our activities, interests, acquaintances, and all other data. And as mentioned before, such a story may or may not be true.

In data mining, behavioural statistics are being used to analyse our data and to predict how we are likely to behave. When applied to national databases, this may potentially amount to predicting how masses or groups within the public are likely to behave and to subsequently control them. If a data analyst can predict an individual’s future behaviour - with some probability - based on that individuals’ data, the same could potentially occur on a mass, public level. As such, the danger within surveillance - especially corporate surveillance through which we voluntarily disclose massive amounts of data about ourselves - is that it appears to come down to public control.

According to security expert Bruce Schneier, data today is a byproduct of the Information Society. Unlike an Orwellian totalitarian state where surveillance is imposed in a top-down manner, surveillance today appears to widely exist because we indirectly choose and enable it (by handing over our data to online companies), rather than it being imposed on us in a solely top-down manner. However, contemporary surveillance may potentially be far worse than that described in Orwell’s “1984”, because surveillance is publicly perceived to be an indirect threat - if considered to be a threat at all. It is more likely that people will resist a direct threat, than an indirect threat, which means that the possibility of mass violations of human rights as a result of surveillance is real.

Hannah Arendt argued that a main prerequisite and component of totalitarian power is support by the masses. Today, surveillance appears to be socially integrated within societies which indicates that contemporary power fueled by surveillance has mass support. While the argument that surveillance is being socially integrated can potentially be widely debated on and requires an entire in depth research of its own, few simple facts might be adequate to prove it at this stage. Firstly, CCTV cameras are installed in most countries, yet there has been very little resistance - on the contrary, there appears to be a type of universal acceptance on the grounds of security. Secondly, different types of spy products exist in the market - such as Spy Coca Cola cans - which can be purchased by anyone online. Thirdly, countries all over the world carry out controversial surveillance schemes - such as the Central Monitoring System in India - yet public resistance to such projects is limited. And while one may argue that the above cases don’t necessarily prove that surveillance is being socially integrated, it would be interesting to look at a fourth fact: most people who have Internet access choose to share their personal data through the use of social networking sites.

Reality shows, such as Big Brother, which broadcast the surveillance of people’s lives and present it as a form of entertainment - when actually, I think it should be worrisome - appear to enable the social integration of surveillance. The very fact that we all probably - or, hopefully - know that Facebook can share our personal data with unauthorised third parties and - now, after the Snowden revelations - that governments can tap into Facebook’s servers, should be enough to convince us to delete our profiles. Yet, why do we still all have Facebook profiles? Perhaps because surveillance is socially integrated and perhaps because it is just convenient to be on Facebook. But that doesn’t change the fact that surveillance can potentially be a threat to our human rights. It just means that we perceive surveillance as an indirect threat and that we are unlikely to react to it.

In the long term, what does this mean? Well, it seems like we will probably be more acceptive towards more authoritarian power, that we will be used to the idea of censoring our own thoughts and actions (in the fear of getting caught by the CCTV camera on the street or the spyware which may or may not be implanted in our laptop) and that ultimately, we will be less politically active and more reluctant to challenge the authority.

What’s particularly interesting though about surveillance today is that it is fueled and enabled through our freedom of speech and general Internet freedom. If we didn’t have any Internet freedom - or as much as we do - we would have disclosed less personal data and thus surveillance would probably have been more restricted. The more Internet freedom we have, the more personal data we will disclose on Facebook - and on all the ‘Facebooks’ of the world - and the more data will potentially be available to mine, analyse, share and generally incorporate in the surveillance regime. So in this sense, Internet freedom appears to be a type of prerequisite of surveillance, as contradictory and ironic as it may seem. No wonder why the Chinese government has gone the extra mile in creating the Chinese versions of Facebook and Twitter - it’s probably no coincidence.

While we may blame governments for establishing surveillance schemes, ISP and TSP operators for complying with governments’ license agreements which often mandate that they create backdoors for spying on us and security companies for creating the surveillance gear in the first place, in the end of the day, we are all equally a part of this mess. If we didn’t choose to hand over our personal data to begin with, none of the above would have been possible.

The real danger in the Digital Age is not necessarily surveillance per se, but our choice to voluntarily disclose our personal data.

On November 26, 2013, the United Nations adopted a non-binding resolution on The Right to Privacy in the Digital Age. The resolution was drafted by Brazil and Germany and expressed concern over the negative impact of surveillance and interception on the exercise of human rights. The resolution was controversial as countries such as the US, the UK, and Canada opposed language that spoke to the right to privacy extending equally to citizens and non-citizens of a country. The resolution welcomed the report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression that examined the implications of surveillance of communications on the human rights of privacy and freedom of expression.

The resolution made a number of important statements that India, as a member of the United Nations, and as a country in the process of implementing a number of surveillance projects, like the Central Monitoring System, should take cognizance of, including in short:

1. Privacy is a human right: Privacy is a human right according to which no one should be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence.
2. Privacy is integral to the right to free expression: an integral component in recognizing the right to freedom of expression.
3. Unlawful and arbitrary surveillance violates the right to privacy and freedom of expression: Unlawful and/or arbitrary surveillance, interception, and collection of personal data are intrusive acts that violate the right to privacy and freedom of expression.
4. Exceptions to privacy and freedom of expression should be in compliance with human rights law: Public security is a potential exception justifying collection and protection of information, but States must ensure that this is done fully in compliance with international human rights law.
5. Mass surveillance may have negative implications for human rights: Domestic and extraterritorial surveillance, interception, and the collection of personal data on a mass scale may have a negative impact on individual human rights.
6. Equal protection for online and offline privacy: The right to privacy must be equally protected online and offline.

The resolution further called upon states to:

1. Respect and protect the right to privacy, particularly in the context of digital communications.
2. To ensure that relevant legislation is in compliance with international human rights law
3. To review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.
4. To establish and maintain effective domestic oversight mechanisms around domestic surveillance capable of ensuring transparency and accountability.

The resolution finally calls upon the UN High Commissioner for Human Rights to present a report with views and recommendations on the protection and promotion of the right to privacy in the context of surveillance to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session and decides to examine “Human rights questions, including alternative approaches for improving the effective enjoyment of human rights and fundamental freedoms”.

The UN Resolution on the Right to Privacy in the Digital Age is a welcome step towards an international recognition of privacy as a human right in the context of communications and extra territorial surveillance. The Centre for Internet and Society encourages the Government of India to, as called upon in the Resolution, to review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.

Prior to the UN Resolution on “The Right to Privacy in the Digital Age”, a group of international NGO’s developed the Necessary and Proportionate principles that seek to form a backbone for a response to mass surveillance and provide a framework for governments to assess if domestic surveillance regimes are in compliance with international Human Rights Law. CIS has contributed to the process of developing these principles.  The principles include legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, and safeguards against illegitimate access.  A petition to sign onto the principles and demand an end to mass surveillance is currently underway.

Both the Government of India and public of India should take into consideration the UN Resolution and the necessary and proportionate principles to reflect on how India’s surveillance regime and practices can be brought in line with international human rights law and understand where the balance is drawn for necessary and proportionate surveillance, specific to the Indian context.

 

Dr. Nishant Shah's article was originally published in the Indian Express on October 27.

---

If you are a part of any social networking site, then you know that privacy is something to be concerned about. We put out an incredible amount of personal data on our social networks. Pictures with family and friends, intimate details about our ongoing drama with the people around us, medical histories, and our spur-of-the-moment thoughts of what inspires, peeves or aggravates us. In all this, the more savvy use filters and group settings which give them some semblance of control about who has access to this information and what can be done with it.

But it is now a given that in the world of the worldwide web, privacy is more or less a thing of the past. Data transmits. Information flows. What you share with one person immediately gets shared with thousands. Even though you might make your stuff accessible to a handful of people, the social networks work through a "friend-of-a-friend effect", where others in your networks use, like, share and spread your information around so that there is an almost unimaginable audience to the private drama of our lives. Which is why there is a need for a growing conversation about what being private in the world of big data means.

Privacy is about having control over the data and some ownership about who can use it and for what purpose. Interface designs and filters that allow limited access help this process. The legal structures are catching up with regulations that control what individuals, entities, governments and corporations can do with the data we provide. However, most people think of privacy as a private matter. Just look at last month's conversations around Facebook's new privacy policies, which no longer allow you to hide. If you are on Facebook, people can find you using all kinds of parameters — meta data — other than just your name. They might find you through hobbies, pages you like, schools you have studied in, etc. This can be scary because it means that based on particular activities, people can profile and follow you. Especially for people in precarious communities — the young adults, queer people who might not be ready to be out of the closet, women who already face increased misogyny and hostility online. This means they are officially entering a stalkers' paradise.

While those concerns need to be addressed, there is something that seems to be missing from the debate. Almost all of these privacy alarms are about what people can do to people. That we need to protect ourselves from people, when we are in public — digital or otherwise. We are reminded that the world is filled with predators, crackers and scamsters, who can prey on our personal data and create physical, emotional, social and financial havoc. But this is the world we already know. We live in a universe filled with perils and we have learned and coped with the fact that we navigate through dangerous spaces, times and people all the time. The digital is no different than the physical when it comes to the possible perils that we live in, though digital might facilitate some kinds of behaviour and make data-stalking easier.

What is different with the individualised, just-for-you crafted world of the social web is that there are things which are not human, which are interacting with you in unprecedented ways. Make a list of the top five people you interact with on Facebook. And you will be wrong. Because the thing that you interact with the most on Facebook, is Facebook. Look at the amount of chatter it creates — How are you feeling today?; Your friend has updated their status; Somebody liked your comment… the list goes on. In fact, much as we would like to imagine a world that revolves around us, we know that there are a very few people who have the energy and resources to keep track of everything we do. However, no matter how boring your status message or how pedestrian your activity, deep down in a server somewhere, an artificial algorithm is keeping track of everything that you do. Facebook is always listening, and watching, and creating a profile of you. People might forget, skip, miss or move on, but Facebook will listen, and remember long after you have forgotten.

If this is indeed the case, we need to think of privacy in different ways — not only as something that happens between people, but between people and other entities like corporations. The next time there is a change in the policy that makes us more accessible to others, we should pay attention. But what we need to be more concerned about are the private corporations, data miners and information gatherers, who make themselves invisible and collect our personal data as we get into the habit of talking to platforms, gadgets and technologies.

Dr. Nishant Shah's article was published in the Indian Express on November 24, 2013.

---

I am making a list of all the platforms that I use to connect with the large networks that I belong to. Here goes: I use Yahoo! Messenger to talk to my friends in east Asia. Most of my work meetings happen on Skype and Google Hangout. A lot of friendly chatter fills up my Facebook Messenger. Twitter is always available for a little back-chat and bitching. On the phone, I use Viber to make VoIP calls and WhatsApp is the space for unending conversations spread across days. And these are just the spaces for real-time conversation. Across all these platforms, something strange is happening. As I stay connected all the time, I am facing a phenomenon where we have run out of things to say, but not the desire to talk.

I had these three conversations today on three different instant-messaging platforms:

Person 1 (on WhatsApp): Hi.

Me: Hey, good to hear from you. How are you doing?

Person 1: Good.

Me (after considerable silence): So what's up?

Person 1: Nothing.

End of conversation.

Person 2 (On an incoming video call on Skype): Hey, you there?

Me: Yeah. What time is it for you right now?

Person 2: It is 10 at night.

Me: Oh! That is late. How come you are calling me so late?

Person 2: Oh, I saw you online.

Me: Ok….. *eyes raised in question mark*

Person 2: So, that's it. I am going to sleep soon.

Me: Ok…. Er…goodnight.

Person2: Goodnight.

We hang up.

Person 3 (pinging me on Facebook): Hey, you are in the US right now?

Me: Yes. I am attending a conference here.

Person 3: Cool!

Me: Umm… yeah, it is.

Person 3: emoticon of a Facebook 'like'. Have fun. Bye.

Initially I was irritated at the futility of these pings that are bewildering in their lack of content. I dismissed it as one of those things, but I realise that there is a pattern here. Our lives are so particularly open and documented, such minute details of what we do, where we are and who we are with, is now available for the rest of the world to consume, making most of the conversations seeking information, redundant. If you know me on my social media networks, you already know most of the basic things that you would want to know about me. And it goes without saying that no matter how close and connected we are, we are not necessarily in a state where we want to talk all the time. The more distributed our lives are, the more diminished is the need for personal communication.

And yet, the habit or the urge to ping, buzz, DM or chat has not caught up with this interaction deficit. So, we still seem to reach out, using a variety of platforms just to say hello, even when there is nothing to say. I call this the 'Always On' syndrome. We live in a world where being online all the time has become a ubiquitous reality. Even when we are asleep, or busy in a meeting, or just mentally disconnected from the online spaces, our avatars are still awake. They interact with others. And when they feel too lonely, they reach out and send that empty ping — just to confirm that they are not alone. That on the other side of the glowing screen is somebody else who is going to connect back, and to reassure you that we are all together in this state of being alone.

This empty ping has now become a signifier, loaded with meaning. The need for human connection has been distributed, but it does not compensate our need for one-on-one contact. In the early days of the cell phone, when incoming calls were still being charged, the missed call, without any content, was a code between friends and lovers. It had messages about where to meet, when to meet, or sometimes, just that you were missing somebody. The empty ping is the latest avatar of the missed call — in a world where we are always online but not always connected, when we are constantly together, but also spatially and emotionally alone, the ping remains that human touch in the digital space that reassures us that on the other side of that seductive interface and the buzzing gadget, is somebody we can say hello to.

 

Case 1: Unlawful Phone-tapping in Himachal Pradesh

In December 2012, the government changed in Himachal Pradesh. The Bharatiya Janata Party (BJP) went out of power, and the Indian National Congress (INC) came into power. One of the first things that Chief Minister Virbhadra Singh did, within hours of taking his oath as Chief Minister on December 25, 2012, was to get a Special Investigation Team (SIT) to investigate phone tapping during the BJP government’s tenure.

On December 25th and 26th, 12 hard disk drives were seized from the offices of the Crime Investigation Department (CID) and the Vigilance Department (which is supposed to be an oversight mechanism over the rest of the police). These hard disks showed that 1371¹ phone numbers were targetted and hundreds of thousands of phone conversations were recorded. These included conversations of prominent leaders “mainly of” the INC but also from the BJP, including three former cabinet ministers and close relatives of multiple chief ministers, a journalist, and many senior police officials, including the Director General of Police.

Violations of the Law

While the law required the state’s Home Secretary to grant permission for each person that was being tapped, the Home Secretary had legitimately only granted permission in 34² cases. This leaves over a thousand cases where phones were tapped illegally, in direct violation of the law. The oversight mechanism provided in the law, namely the Review Committee under Rule 419A of the Indian Telegraph Rules, was utterly powerless to check this. Indeed, the internal checks for the police, namely the Vigilance Department, also seems to have failed spectacularly.

Every private telecom company cooperated in this unlawful surveillance, even though the people who were conducting it did so without proper legal authority. Clearly we need to revise our interception rules to ensure that these telecom companies do not cooperate unless they are served with an order digitally signed by the Home Secretary.

While all interception recordings are required to be destroyed within 6 months as per Rule 419A of the Indian Telegraph Rules, that rule was also evidently ignored and conversations going back to 2009 were being stored.

Concluding Concerns

What should concern us is not merely that such a large number of politicians/police officers were tapped, but that no criminal charges were brought about on the basis of these phone taps, indicating that much of it was being used for political purposes.

What should concern us is that the requirement under Section 5 of the Indian Telegraph Act, which covers phone taps, of the existence of a “public emergency” or endangerment of “public safety”, which is a prerequisite of phone taps as per the law and as emphasised by the Supreme Court in 1996 in the PUCL judgment, were blatantly ignored.

What should concern us is that it took a change in government to actually uncover this sordid tale.

In Pragati Maidan, New Delhi, many companies from India and abroad gathered to exhibit their products at the following expos which were organised by Electronics Today (India's first electronic exhibition organiser) on 16-18 October 2013:

• SmartCards Expo 2013
• e-Security Expo 2013
• RFID Expo 2013
• Biometrics Expo 2013

The Centre for Internet and Society (CIS) attended these exhibitions for research purposes and is sharing the publicly available brochures it gathered through the attached zip file. The use of these brochures constitutes Fair Use.

---

The article by Chinmayi Arun was published in the Hindu on January 3, 2014.

---

The Gujarat telephone tapping controversy is just one of many kinds of abuse that surveillance systems enable. If a relatively primitive surveillance system can be misused so flagrantly despite safeguards that the government claims are adequate, imagine what is to come with the Central Monitoring System (CMS) and Netra in place.

News reports indicate Netra — a “NEtwork TRaffic Analysis system” — will intercept and examine communication over the Internet for keywords like “attack,” “bomb,” “blast” or “kill.” While phone tapping and the CMS monitor specific targets, Netra is vast and indiscriminate. It appears to be the Indian government’s first attempt at mass surveillance rather than surveillance of predetermined targets. It will scan tweets, status updates, emails, chat transcripts and even voice traffic over the Internet (including from platforms like Skype and Google Talk) in addition to scanning blogs and more public parts of the Internet. Whistle-blower Edward Snowden said of mass-surveillance dragnets that “they were never about terrorism: they’re about economic spying, social control, and diplomatic manipulation. They’re about power.”

So far, our jurisprudence has dealt with only targeted surveillance; and even that in a woefully inadequate manner. This article discusses the slow evolution of the right to privacy in India, highlighting the context and manner in which it is protected. It then discusses international jurisprudence to demonstrate how the right to privacy might be protected more effectively.

Privacy and the Constitution

A proposal to include the right to privacy in the Constitution was rejected by the Constituent Assembly with very little debate. Separately, a proposal to give citizens an explicit fundamental right against unreasonable governmental search and seizure was also put before the Constituent Assembly. This proposal was supported by Dr. B.R. Ambedkar. If accepted, it would have included within our Constitution the principles from which the United States derives its protection against state surveillance. However, the proposed amendment was rejected by the Constituent Assembly.

Fortunately, the Supreme Court has gradually been reading the right to privacy into the fundamental rights explicitly listed in the Constitution. After its initial reluctance to affirm the right to privacy in the 1954 case of M.P. Sharma vs. Satish Chandra, the court came around to the view that other rights and liberties guaranteed in the Constitution would be seriously affected if the right to privacy was not protected. In Kharak Singh vs. The State of U.P., the court recognised “the right of the people to be secure in their persons, houses, papers, and effects” and declared that their right against unreasonable searches and seizures was not to be violated. The right to privacy here was conceived around the home, and unauthorised intrusions into homes were seen as interference with the right to personal liberty.

If the Kharak Singh judgment was progressive in its recognition of the right to privacy, it was conservative about the circumstances in which the right applies. The majority of judges held that shadowing a person could not be seen to interfere with that person’s liberty. Dissenting with the majority, Justice Subba Rao maintained that broad surveillance powers put innocent citizens at risk, and that the right to privacy is an integral part of personal liberty. He recognised that when a person is shadowed, her movements will be constricted, and will certainly not be free movements. His dissenting judgment showed remarkable foresight and his reasoning is consistent with what is now a universally acknowledged principle that there is a “chilling effect” on expression and action when people think that they are being watched.

The right to privacy as defined by the Supreme Court now extends beyond government intrusion into private homes. After Govind vs. State of M.P., and Dist. Registrar and Collector of Hyderabad vs. Canara Bank, this right is seen to protect persons and not places. Any inroads into this right for surveillance of communication must be for permissible reasons and according to just, fair and reasonable procedure. State action in violation of this procedure is open to a constitutional challenge.

Our meagre procedural safeguards against phone tapping were introduced in PUCL vs. Union of India (1997) after the Supreme Court was confronted with extensive, undocumented phone tapping by the government. The apex court found itself compelled to lay down what it saw as bare minimum safeguards, consisting mostly of proper record-keeping and internal executive oversight by senior officers such as the home secretary, the cabinet secretary, the law secretary and the telecommunications secretary. These safeguards are of little use since they are opaque and rely solely on members of the executive to review surveillance requests.

Right and safeguards

There is a difference between targeted surveillance in which reasons have to be given for surveillance of particular people, and the mass-surveillance which Netra sets up. The question of mass surveillance and its attendant safeguards has been considered by the European Court of Human Rights in Liberty and Others vs. the United Kingdom. Drawing upon its own past jurisprudence, the European Court insisted on reasonable procedural safeguards. It stated quite clearly that there are significant risks of arbitrariness when executive power is exercised in secret and that the law should be sufficiently clear to give citizens an adequate indication of the circumstances in which interception might take place. Additionally, the extent of discretion conferred and the manner of its exercise must be clear enough to protect individuals from arbitrary interference. The principles laid down by the European Court in relation to phone-tapping also require that the nature of the offences which may give rise to an interception order, the procedure to be followed for examining, using and storing the data obtained, the precautions to be taken when communicating the data to other parties, and the circumstances in which recordings may or must be erased or the tapes destroyed be made clear.

Opaque and ineffective

Our safeguards apply only to targeted surveillance, and require written requests to be provided and reviewed before telephone tapping or Internet interception is carried out. CMS makes the process of tapping more prone to misuse by the state, by making it even more opaque: if the state can intercept communication directly, without making requests to a private telecommunication service provider, then it is one less layer of scrutiny through which the abuse of power can reach the public. There is no one to ask whether the requisite paperwork is in place or to notice a dramatic increase in interception requests.

India has no requirements of transparency whether in the form of disclosing the quantum of interception taking place each year, or in the form of subsequent notification to people whose communication was intercepted. It does not even have external oversight in the form of an independent regulatory body or the judiciary to ensure that no abuse of surveillance systems takes place. Given these structural flaws, the Amit Shah controversy is just the beginning of what is to come. Unfettered mass surveillance does not bode well for democracy.

(Chinmayi Arun is research director, Centre for Communication Governance, National Law University, Delhi, and fellow, Centre for Internet and Society, Bangalore.)

January 3, 2014

Shri Kapil Sibal,
Honourable Minister for Communication and Information Technology
Ministry of Communication and Information Technology,
Government of India

Subject: Public consultation at the domestic level on the position of Government of India at WGEC

Dear Sir,

We at the Centre for Internet and Society, Bangalore (“CIS”) commend, Government of India’s participation at the Working Group on Enhanced Cooperation (WGEC), working under the aegis of United Nations Commission on Science and Technology and Development (CSTD). The Working Group was set up in pursuance of General Assembly Resolution A/Res/67/195, to identify a shared understanding of enhanced cooperation on public policy issues pertaining to the internet. The WGEC after its first meeting circulated a questionnaire to collect the views and positions of the stakeholders on various aspects of enhanced cooperation. The Government of India responded to the questionnaire and also represented its position at the second meeting of WGEC held in Geneva from November 6-8, 2013. We would like the Government to take cognizance of representations from concerned stakeholders before finalizing its position.

In this regard, we would like to note, Government of India’s commitment towards multi-stakeholder approach in formulation of public policy pertaining to the internet. At the Internet Governance Forum, 2012 held in Baku, the Honourable Minister for Communications and Information Technology noted that the “issues of public policy related to the internet have to be dealt with, by adopting a multi-stakeholder, democratic and transparent approach”. Furthermore, the Government of India’s stand at the World Conference on International Telecommunications, 2012 in Dubai supported and recognized the multi-stakeholder nature of the internet.

However, it seems that the Government has digressed from its previous stand on internet governance whereas it fell short of having a multi-stakeholder public consultation on India’s position on enhanced cooperation at the WGEC. We earnestly urge you to hold domestic public consultation before the next WGEC meeting.

Thank you.
Sincerely,

Snehashish Ghosh,
Policy Associate,
Centre for Internet and Society, Bangalore

Copied to: Dr. Ajay Kumar, Joint Secretary, DietY, MOCIT and Shri. J. Satyanarayana, Secretary, DietY, MOCIT

---

Download a copy of the letter here

India’s Unique Identity (UID) project is already the world’s largest biometrics identity program, and it is still growing. Almost 530 million people have been registered in the project database, which collects all ten fingerprints, iris scans of both eyes, a photograph, and demographic information for each registrant. Supporters of the project tout the UID as a societal game changer. The extensive biometric information collected, they argue, will establish the uniqueness of each individual, eliminate fraud, and provide the identity infrastructure needed to develop solutions for a range of problems. Despite these potential benefits, however, critical concerns remain about the UID’s legal and physical architecture as well as about unforeseen risks associated with the linking and analysis of personal data.

The most basic concerns regarding the UID project stem from the fact that biometric technologies have never been tested on such a large population. As a result, well-founded concerns exist around scalability, false acceptance and rejection rates, and the project’s core premise that biometrics can uniquely and unambiguously identify people in a foolproof manner. Some of these concerns are based on technical issues—collecting fingerprints and iris scans “in the field,” for instance, can be complicated when a registrant’s fingerprints are eroded by manual labor or her irises are affected by malnutrition and cataracts. Other concerns relate to the project’s federated implementation architecture, which, by outsourcing collection to a massive group of private and public registrars and operators, increases the chance for data breaches, error, and fraud.

Perhaps even more vexing are concerns regarding how the UID, which promises financial inclusion (by reducing the identification barriers to opening bank accounts, for example), might in fact lead to new types of exclusion for already marginalized groups. Members of the LGBT community, for instance, question whether the inclusion of the transgender category within the UID scheme is a laudable attempt at inclusion, or a new means of listing and targeting members of their community for exclusion. More fundamentally, as more and more services and benefits are linked to the UID, the project threatens to exclude all those who cannot or will not participate in the scheme due to logistical failures or philosophical objections.

It is worth noting that the UID is not the only large data project in India. A slew of “Big Brother” projects exist: the Centralised Monitoring System (CMS), the Telephone Call Interception System (TCIS), the National Population Register (NPR), the Crime and Criminal Tracking Network and Systems (CCTNS), and the National Intelligence Grid (NATGRID), which is working to aggregate up to 21 different databases relating to tax, rail and air travel, credit card transactions, immigration, and other domains. The UID is intended to serve as a common identifier across these databases, creating a massive surveillance state. It also facilitates an ecosystem where access to goods and services, from government subsidies to drivers’ licenses to mobile phones to cooking gas, increasingly requires biometric authentication.

The UID project was originally vaunted as voluntary, but the inexorable slippery slope toward compulsory participation has triggered a series of lawsuits challenging the legality of forced enrollment and the constitutionality of the entire project. Most recently, in September 2013, India’s federal Supreme Court affirmed by way of an interim decision that the UID was not mandatory, that not possessing a UID should not disadvantage anybody, and that citizenship should be ascertained as a criteria for registering in order to ensure that UIDs are not issued to illegal immigrants. This last stipulation is particularly thorny given that the Unique Identification Authority of India (UIDAI, the body in charge of the UID project) has consistently distanced the UID from questions of citizenship under the justification that it is a matter beyond their remit (i.e., the UID is open to residents, and is not linked to citizenship). The government moved quickly to urge a modification of the order, but the Supreme Court declined to do so and will instead release its final decision after it reviews a batch of petitions from activists and others. The UIDAI approached the court, arguing that not making the UID mandatory has serious consequences for welfare schemes, but the court recently ordered the federal government, the Reserve Bank of India, and the Election Commission to delink the LPG cooking gas scheme from the UID. This is a considerable setback for the project, given that this was one of the most hyped linkages for the UID. It remains to be seen whether the court will similarly halt other attempts to make the UID mandatory.

In the meantime, the UID project is effectively being implemented in a legal vacuum without support from the Supreme Court or Parliament. The Cabinet is seeking to rectify this and has cleared a bill that would finally provide legal backing for the UID program—its previous attempt was rejected by the Standing Committee on Finance in 2010. This bill is scheduled to come up for debate during the winter session of Parliament. The bill’s progress, along with the final decision of the Supreme Court, will have far reaching consequences for the UID project’s implementation and longevity, as well as for the relationship between India’s citizens and the state.

If fully implemented, the UID system will fundamentally alter the way in which citizens interact with the government by creating a centrally controlled, technology-based standard that mediates access to social services and benefits, financial systems, telecommunications, and governance. It will undoubtedly also have implications for how citizens relate to private sector entities, on which the UID rests and which have their own vested interests in the data. The success or failure of the UID represents a critical moment for India. Whatever course the country takes, its decision to travel further toward or turn away from becoming a “database nation” will have implications for democracy, free speech, and economic justice within its own borders and also in the many neighboring countries that look to it as a technological standard bearer.

The Indian government seems to envision “big data” as a panacea for fraud, corruption, and abuse, but it has given little attention to understanding and addressing the fraud, corruption, and abuse that massive databases can themselves engender. The government’s actions have yet to demonstrate an appreciation for the fact that the matrix of identity and surveillance schemes it has implemented can create a privacy-invading technology layer that is not only a barrier to online activity but also to social participation writ large.

The lack of identification documents for a large portion of the Indian population does need to be addressed. Whether the UID project is the best means to do this—whether it has the right architecture and design, whether it can succeed without an overhaul of several other failures of governmental institutions, and whether fixing the identity piece alone causes more harm than good—should be the subject of intense debate and scrutiny. Only through rigorous threat modeling and analysis of the risks arising out of this burgeoning “data industrial complex” can steps be taken to stem the potential repercussions of the project not just for identity management, fraud, corruption, distributive justice, and welfare generally, but also for autonomy, openness, and democracy.

---

Click to download the article published in the annual report of Berkman's Center for Internet and Society (PDF 7223 Kb)

Note: This was originally posted on the Indian Constitutional Law and Philosophy blog.

---

On previous occasions, we have discussed the ongoing litigation in ACLU v. Clapper in the United States, a challenge to the constitutionality of the National Security Agency’s (NSA) bulk surveillance program. Recall that a short while after the initial Edward Snowden disclosures, The Hindu revealed the extent of domestic surveillance in India, under the aegis of the Central Monitoring System (CMS). The CMS (and what it does) is excellently summarized here. To put thing starkly and briefly:

“With the C.M.S., the government will get centralized access to all communications metadata and content traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.”

The CMS is not sanctioned by parliamentary legislation. It also raises serious privacy concerns. In order to understand the constitutional implications, therefore, we need to investigate Indian privacy jurisprudence. In a series of posts, we plan to discuss that.

Privacy is not mentioned in the Constitution. It plays no part in the Constituent Assembly Debates. The place of the right – if it exists – must therefore be located within the structure of the Constitution, as fleshed out by judicial decisions. The first case to address the issue was M. P. Sharma v. Satish Chandra, in 1954. In that case, the Court upheld search and seizure in the following terms:

"A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to Constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right. by some process of strained construction."

The right in question was 19(1)(f) – the right to property. Notice here that the Court did not reject a right to privacy altogether – it only rejected it in the context of searches and seizures for documents, the specific prohibition of the American Fourth Amendment (that has no analogue in India). This specific position, however, would not last too long, and was undermined by the very next case to consider this question, Kharak Singh.

In Kharak Singh v. State of UP, the UP Police Regulations conferred surveillance power upon certain “history sheeters” – that is, those charged (though not necessarily convicted) of a crime. These surveillance powers included secret picketing of the suspect’s house, domiciliary visits at night, enquiries into his habits and associations, and reporting and verifying his movements. These were challenged on Article 19(1)(d) (freedom of movement) and Article 21 (personal liberty) grounds. It is the second ground that particularly concerns us.

As a preliminary matter, we may observe that the Regulations in question were administrative – that is, they did not constitute a “law”, passed by the legislature. This automatically ruled out a 19(2) – 19(6) defence, and a 21 “procedure established by law” defence – which were only applicable when the State made a law. The reason for this is obvious: fundamental rights are extremely important. If one is to limit them, then that judgment must be made by a competent legislature, acting through the proper, deliberative channels of lawmaking – and not by mere administrative or executive action. Consequently – and this is quite apart from the question of administrative/executive competence - if the Police Regulations were found to violate Article 19 or Article 21, that made them ipso facto void, without the exceptions kicking in. (Paragraph 5)

It is also important to note one other thing: as a defence, it was expressly argued by the State that the police action was reasonable and in the interests of maintaining public order precisely because it was “directed only against those who were on proper grounds suspected to be of proved anti-social habits and tendencies and on whom it was necessary to impose some restraints for the protection of society.” The Court agreed, observing that this would have “an overwhelming and even decisive weight in establishing that the classification was rational and that the restrictions were reasonable and designed to preserve public order by suitable preventive action” – if there had been a law in the first place, which there wasn’t. Thus, this issue itself was hypothetical, but what is crucial to note is that the State argued – and the Court endorsed – the basic idea that what makes surveillance reasonable under Article 19 is the very fact that it is targeted – targeted at individuals who are specifically suspected of being a threat to society because of a history of criminality.

Let us now move to the merits. The Court upheld secret picketing on the ground that it could not affect the petitioner’s freedom of movement since it was, well secret – and what you don’t know, apparently, cannot hurt you. What the Court found fault with was the intrusion into the petitioner’s dwelling, and knocking at his door late at night to wake him up. The finding required the Court to interpret the meaning of the term “personal liberty” in Article 21. By contrasting the very specific rights listed in Article 21, the Court held that:

“Is then the word “personal liberty” to be construed as excluding from its purview an invasion on the part of the police of the sanctity of a man’s home and an intrusion into his personal security and his right to sleep which is the normal comfort and a dire necessity for human existence even as an animal? It might not be inappropriate to refer here to the words of the preamble to the Constitution that it is designed to “assure the dignity of the individual” and therefore of those cherished human value as the means of ensuring his full development and evolution. We are referring to these objectives of the framers merely to draw attention to the concepts underlying the constitution which would point to such vital words as “personal liberty” having to be construed in a reasonable manner and to be attributed that these which would promote and achieve those objectives and by no means to stretch the meaning of the phrase to square with any preconceived notions or doctrinaire constitutional theories.” (Paragraph 16)

A few important observations need to be made about this paragraph. The first is that it immediately follows the Court’s examination of the American Fifth and Fourteenth Amendments, with their guarantees of “life, liberty and property…” and is, in turn, followed by the Court’s examination of the American Fourth Amendment, which guarantees the protection of a person’s houses, papers, effects etc from unreasonable searches and seizures. The Court’s engagement with the Fourth Amendment is ambiguous. It admits that “our Constitution contains no like guarantee…”, but holds that nonetheless “these extracts [from the 1949 case, Wolf v Colorado] would show that an unauthorised intrusion into a person’s home and the disturbance caused to him thereby, is as it were the violation of a common law right of a man – an ultimate essential of ordered liberty”, thus tying its own holding in some way to the American Fourth Amendment jurisprudence. But here’s the crucial thing: at this point, American Fourth Amendment jurisprudence was propertarian based – that is, the Fourth Amendment was understood to codify – with added protection – the common law of trespass, whereby a man’s property was held sacrosanct, and not open to be trespassed against. Four years later, in 1967, in Katz, the Supreme Court would shift its own jurisprudence, to holding that the Fourth Amendment protected zones where persons had a “reasonable expectation of privacy”, as opposed to simply protecting listed items of property (homes, papers, effects etc). Kharak Singh was handed down before Katz. Yet the quoted paragraph expressly shows that the Court anticipated Katz, and in expressly grounding the Article 21 personal liberty right within the meaning of dignity, utterly rejected the propertarian-tresspass foundations that it might have had. To use a phrase invoked by later Courts – in this proto-privacy case, the Court already set the tone by holding it to attach to persons, not places.

While effectively finding a right to privacy in the Constitution, the Court expressly declined to frame it that way. In examining police action which involved tracking a person’s location, association and movements, the Court upheld it, holding that “the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movements of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

The “therefore” is crucial. Although not expressly, the Court virtually holds, in terms, that tracking location, association and movements does violate privacy, and only finds that constitutional because there is no guaranteed right to privacy within the Constitution. Yet.

In his partly concurring and partly dissenting opinion, Subba Rao J. went one further, by holding that the idea of privacy was, in fact, contained within the meaning of Article 21: “it is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.” Privacy he defined as the right to “be free from restrictions or encroachments on his person, whether those restrictions or encroachments are directly imposed or indirectly brought about by calculated measures.” On this ground, he held all the surveillance measures unconstitutional.

Justice Subba Rao’s opinion also explored a proto-version of the chilling effect. Placing specific attention upon the word “freely” contained within 19(1)(d)’s guarantee of free movment, Justice Subba Rao went specifically against the majority, and observed:

“The freedom of movement in clause (d) therefore must be a movement in a free country, i.e., in a country where he can do whatever he likes, speak to whomsoever he wants, meet people of his own choice without any apprehension, subject of course to the law of social control. The petitioner under the shadow of surveillance is certainly deprived of this freedom. He can move physically, but he cannot do so freely, for all his activities are watched and noted. The shroud of surveillance cast upon him perforce engender inhibitions in him and he cannot act freely as he would like to do. We would, therefore, hold that the entire Regulation 236 offends also Art. 19(1)(d) of the Constitution.”

This early case, therefore, has all the aspects that plague the CMS today. What to do with administrative action that does not have the sanction of law? What role does targeting play in reasonableness – assuming there is a law? What is the philosophical basis for the implicit right to privacy within the meaning of Article 21’s guarantee of personal liberty? And is the chilling effect a valid constitutional concern?

We shall continue with the development of the jurisprudence in the next post.

---

You can follow Gautam Bhatia on Twitter

The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.[i] After due consideration, the ECI has decided to drop the plan.[ii]

The plan to partner with Google has led to much apprehension regarding Google gaining access to the database of 790 million voters including, personal information such as age, place of birth and residence. It could have also gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website.  Although, the plan has been cancelled, it does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website and the publication of electoral rolls is mandated by the law.

Publication of Electoral Rolls
The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been  able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.

The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document[iii] given that the roll is published and can be circulated on the direction of the ECI.

With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to general public.[iv] In addition to that, the electoral rolls for the entire country are available on the ECI website.[v] However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.[vi]

Security Concerns
The Registration of Electoral Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when it is distributed in hard copies and the availability of electoral rolls is limited. The security risks emerge only after the digitization of electoral database, which allows for uniformity, standardization and centralization of the database which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.

In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth processing power there has been a growth in surveillance capabilities and on this note the article is titled, “With Great Computing Power Comes Great Surveillance”[vii] Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on individual’s privacy since the personal information of every voter is made available in the public domain

For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies, which has a high population of voters above the age of 65. This would help the authority to set up polling booths at closer location with special amenities. However, the same database can be used to search for density of members of a particular community in a ward or constituency based on the name, age, sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.

Current IT Laws does not mandate the protection of the electoral database
A centralized electoral database of the entire country can be considered as a critical information infrastructure (CII) given the impact it may have on the election which is the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act) CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”[viii] However, the appropriate Government has not notified the electoral database as a protected system[ix]. Therefore, information security practices and procedures for a protected system are not applicable to the electoral database.

The Information Technology Rules (IT Rules) are also not applicable to electoral databases, per se. Since, ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), Rules, 2011 (hereinafter Reasonable Security Practices Rules) do not apply to electoral databases. Ignoring that Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of definition of “personal information”[x] and should arguably be made subject to the Rules.

The intent of the ECI for hosting the entire country’s electoral database online inter alia is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”[xi] However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.

The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify electoral database as protected system or a mode of electronic service delivery under the existing laws.

Conclusion
Publication of electoral rolls is a necessary part of an election process. It ensures free and fair election and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve because the electronic database may pose threat to privacy of the voters and also lead to security breach.  It may be argued that the ECI is mandated by the law to publish the electoral database and hence, it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent, therewith. The appropriate Government should take necessary steps under the IT Act and notify electoral databases as a protected system.

It is recommended that the Electors Registration Rules, 1960 should be amended, taking into account the advancement in technology. Therefore, the Rules should aim at restricting the unfettered electronic access to the electoral database and also introduce purposive limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place, which would regulate the collection, use, storage and processing of databases which are critical to national security.

Introduction

In January 2014, the Global Network Initiative (GNI) published the Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo. GNI is an industry consortium that was started in 2008 with the objective of protecting user’s right to privacy and freedom of expression globally. The main objectives of GNI are to provide a framework for companies that is based on international standards, ensure accountability of ICT companies through independent assessments, create opportunities for policy engagement, and create opportunities for stakeholders from multiple jurisdictions to engage in dialogue with each other. The Centre for Internet and Society, Bangalore, is a member of GNI. Companies based in India have yet to join as members to the GNI network.

Overview of the Public Report

The Public Report provides an overview of assessments completed on the practices and policies of Google, Yahoo, and Microsoft from 2011 - 2013 to measure company compliance with the GNI principles on freedom of expression and privacy. The principles lay out broad guidelines that member companies  should seek to incorporate in their internal and external practices and speak to freedom of expression, privacy, responsible company decision making, multi – stakeholder collaboration, and organizational governance, accountability, and transparency. The GNI principles have also been developed with Implementation Guidelines to provide companies with a framework for companies to respond to government requests. The assessment carried out by GNI reviewed cases in each company pertaining to governmental: blocking and filtering, takedown requests, criminalization of speech, intermediary liability, selective enforcement, content surveillance, and requests for user information.

Importantly, the assessment undertaken by GNI finds Yahoo, Microsoft, and Google to be in compliance with the GNI principles on freedom of expression and privacy. The Report highlights practices by the companies that work to protect freedom of expression and privacy such as conducting human rights impact assessments, issuing transparency reports, and notifying affected users when content is removed, have been, adopted by these companies. For example, Google conducts Human Rights Impact Assessments to assess potential threats to freedom of expression and privacy. Google also has in place internal processes to review governmental requests impacting freedom of expression and privacy, and the legal team at Google prepares a “global removal report” to provide a bird’s eye view of trends emerging from content removal requests. If Google has the email address of a user who’s posted content is removed, Google will often notify the user and directs the user to the Chilling Effects website. Google has also published a transparency report since 2010. Like Google, Microsoft conducts Human Rights Impact Assessments before making decisions on whether to incorporate certain features into its platforms when operating in high risk markets. Microsoft has also issued two global law enforcement requests reports in 2013. Yahoo has established a Business and Human Rights Program to ensure responsible actions are taken by the company with regards to freedom of expression and privacy, and now issues transparency reports about government requests. Yahoo’s Public Policy team also engages in dialogue with governments  on an international level about existing and proposed legislation impacting and implicating privacy and freedom of expression.

The Report highlights challenges to compliance with the GNI principles that companies face – namely legal restraints and mandates that they are faced with. On the issue of transparency, the assessment found that companies do not disclose information when there are legal prohibitions on such disclosure, when users privacy would be implicated, when companies choose to assert attorney client privilege, and when trade secrets are involved. Despite this, the assessment found that companies do deny and push back on governmental requests impacting freedom of expression and privacy for reasons such as the request needed clarification and modification, or that the request needed to follow established procedure.

A number of findings came out of the assessments undertaken for the Report including:

1. As demonstrated by the lack of ability to access information about secret national security requests, and the lack of ability for companies to disclose information on this topic there is a dire need for governments to reform surveillance policy and law impacting freedom of expression and privacy.
2. The implementation of the GNI Principles is challenging when a company is undergoing an acquisition. In this scenario, contractual provisions limiting third party disclosure are critical in ensuring protection of privacy and free expression rights.
3. Companies need to pro-actively and on an ongoing basis internally review governmental restrictions on content to determine if it is in compliance with the commitment made by that company to the GNI Principles.

The assessment resulted in GNI defining a number of actionable (non-binding) recommendations for companies such as:

• Improving the integration of human rights considerations in the due diligence process with respect to the acquiring and selling companies.
• Consider the impact of hardware on freedom of expression and privacy.
• Improve external and internal reporting.
• Review employee access to user data to ensure that employee access rights are restricted by both policy and technical measures on a ‘need to know’ basis across global operations.
• Review executive management training.
• Improve stakeholder engagement.
• Improve communication with users.
• Increase sharing of best practices.
• The GNI principles are focused on freedom of expression and privacy and are based on internationally recognized laws and standards for human rights.

NSA leaks, global push for governmental surveillance reform, and the Public Report

With special attention given to the various companies responses to the NSA leaks, the Report notes that in response to the NSA leaks the assessed companies have issued public statements and filed legal challenges with the US government  and filed suit with the FISA Court seeking the right to disclose data relating to the number of FISA requests received with the public. All three companies have also supported legislation and policy that would allow for such transparency. Furthermore in December 2014, the companies , along with other internet companies, developed and issued the five Principles on Global Government Surveillance Reform.  Similar to other efforts to end mass and disproportionate surveillance, such as the Necessary and Proportionate principles, the Principles on Global Government Surveillance Reform address: Limiting Governments’ Authority to Collect Users’ Information, Oversight and Accountability, Transparency about Government Demands, Respecting the Free Flow of Information, Avoiding Conflicts Among Governments. Other companies that signed these principles include AOL, Facebook, LinkedIn, and Twitter.

Along these lines, on January 14^th, GNI released the statement “Surveillance Reforms to Protect Rights and Restore Trust”, urging the U.S Government to review and enact surveillance legislation that incorporate a ‘rights based’ approach to issues involving national security. In the statement, GNI specifically recommends the Government to action and: end mass collection of communications metadata, protect and uphold the rights of non-Americans, continue to increase transparency of surveillance practices, support the use of strong encryption standards.

Conclusion and way forward

Looking ahead, GNI is planning on developing and implementing a mechanism to address effectively address consumer engagement and complaints issued by individuals who feel that GNI member companies have not acted consistently with the commitments made as a GNI member. GNI is also looking to expand work around public policy and surveillance.

The Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo is an important step towards ensuring ICT sector companies are accountable to the public in their practices impacting freedom of expression and privacy. The assessment comes at a time when ICT companies often find themselves stuck between a rock and a hard place – with Governments issuing surveillance and censorship demands with mandates for non-disclosure, and the public demanding transparency, company resistance to such demands from the Government, and a strong commitment to users freedom of expression and privacy. Hopefully, the GNI assessment is and will evolve into a middle ground for ICT companies – where they can be accountable to the public and their customers and compliant with Governmental mandates in all jurisdictions that they operate in. It will be interesting to see if in the future Indian companies join GNI as members and being to adopt the GNI principles and undergo GNI assessments.

Hi Mathew! We've heard that you've been in court a lot over the last few years with regards to the UID scheme. Could you please tell us about the UID case you have filed?

In early 2012, I filed a civil suit at the Bangalore Court to declare the UID scheme illegal and to stop further biometric enrollments. I alleged that foreign agencies are involved in the process of biometric enrollment, and that cases of corruption have occurred with regards to the companies contracted by the UID Authority of India (UIDAI). Many dubious companies have been empanelled for biometric enrollments by the UIDAI and many cases of corruption have been noted, especially with regards to the preparation of biometric databases for below poverty line (BPL) ration cards in Karnataka.

In 2010, according to a government audit report, COMAT Technologies Private Limited had a contract with the Karnataka Government and was required to undertake a door-to-door survey and to set up biometric devices. COMAT Technologies Private Limited was paid ₹ 542.3 million for this purpose, but it turns out that the company did not comply with the terms of the contract and did not fullfill its obligations under the contract. Even though COMAT Technologies Private Limited had been contracted and had been paid ₹ 542.3 million, the company did not hand over any biometric device to the Karnataka Government. Instead, when the company got questioned, it walked away from the contract in 2010, even though it had been paid for a service it did not deliver.

In the same year, 2010, COMAT Technologies was empanelled as an Enrolling Agency of the UIDAI. COMAT Technologies also carries out enrollments in Mysore and a TV channel sting operation revealed that fake IDs were being issued in the Mysore enrollment center. After much persuasion, the e-Government department of Karnataka informed me that they have filed an FIR. And this is just one case of a corrupt company empanelled as an enrollement agency with the UIDAI. Many similar cases with other companies have occurred in other cities in India, such as Mumbai, where the empanelled agencies have committed fraud and police complaints have been filed. But unfortunately, there is no publicly available information on the state of the investigations.

As such, I filed a case at the Bangalore Court and stated that the whole UID system is insecure, that it will not achieve the objective of preventing leakages of welfare subsidies and that, therefore, it is a waste of public funds, which also affects individuals' right to privacy and right to life. In my complaint in the civil court I made allegations of corruption and dangers to national security backed by documentary evidence. According to Order 8 of the Civil Procedure Code (CPC), defendants are required to specifically deny each of the allegations against them and if they don't, the court is required to accept the allegations as accurate. According to law, vague, bald denials are not acceptable in courts. Interestingly enough, the defendants in this court case did not deny any of the allegations, but instead stated that they (allegations) are “trivial” and requested the judge to dismiss the case without a trial. The judge requested the defendants to file a written application, asking for the suit to be dismissed under Order 7, Rule 11, of the Civil Procedure Code. Nonetheless, in May 2012, the judge observed that this is a serious case which should not be dismissed and that he would like to have a daily hearing of the case, especially since the case was grounded on the allegation that thousands of crores of rupees of public money are spent every day.

However, one month later in June 2012, the judge dismissed the case by stating that I did not have a “cause of action” and that the case is not of civil nature under Section 9 of the Code of Civil Procedure. I argued that tax payers have a right to know where their money is going and that we all have a right to privacy and that therefore, I did have a cause for action. I quoted the Supreme Court case setting out the law relating to the meaning of “civil nature”. The Apex court said, “Anything which is not of criminal nature is of civil nature”. I also quoted several court precedents which explained conditions under which complaints could be dismissed under Order VII Rule 11. Unfortunately though, the judge dismissed all of this and suggested that I should take this case to the High Court or to the Supreme Court, since the Bangalore Court did not have the authority to address the violation of fundamental human rights. In my opinion, the fallacy in this judgement was that, on the one hand, the judge stated in his order that there was “no cause for action”, but on the other hand, he said that I should take the case to the High Court or to the Supreme Court! And on top of that, the judge stated that my case was frivolous and levied on me a Rs. 25, 000 fine, because apparently I was “wasting the court's time” !

In addition to all of this, the judge made a very intriguing statement in his order: he claimed that the biometric enrollment with the UIDAI is voluntary and that therefore I need not enrol. I argued that although the UID is voluntary in theory, it is actually mandatory on many levels, especially since access to many governmental services require enrollment with the UIDAI. Nonetheless, the judge insisted that the UID is purely voluntary and that if I am not happy with the UID, then I should just “stay at home”.

And how did the case continue thereafter?

In October 2012 I appealed against this to the High Court by stating that there was a misapplication of Order 7, Rule 11, of the Civil Procedure Code and requested the High Court to send the suit back for trial at the Bangalore Court.

Now, when you appeal in India, the Court has to issue notices to the opposite party, which are usually sent by registered post. However, nothing was happening, so I filed a number of applications to hear the case. The registrar’s office filed a number of trivial “objections” with which I needed to comply and this took three months, until January 2013. For example, one “objection” was that the lower court order stated the date of the order as "03-07-12", whereas I had mentioned the date as 3 July 2012. Then they would argue that the acknowledgement of the receipt of the notice from the respondents was not received. The High Court is located next to the head post office (GPO) in Bangalore and normally it would be sent there, then directly to the GPO in Delhi and from there to the Planning Commission or to the UIDAI. Yet, the procedure was delayed because apparently the notices weren't sent. In one hearing, the court clerk said that the address of the defendant was wrong and that the address of the Planning Commission should also be included. All in all, it seemed to me like there was some deliberate attempt to delay the procedure and the dismissal of the case by the Bangalore Court seemed very questionable. As a result, in January 2013, I asked the High Court to permit me to personally hand over my appeal to the Government Council. And finally, on 17th December 2013, my appeal was heard by the Bangalore High Court!

Over the last three months, the defendants have not filed any counter affidavit. Instead, the Government Council came to the High Court and stated that I have not filed a “paper book” (which includes depositions and evidence, among other things). However, the judge stated that this is not a case which requires a “paper book”, since my appeal was about the misapplication of Order 7, Rule 11, of the Civil Procedure Code. Then the Government Council asked for more time to review the appeal and it is has been postponed.

Have there been any other recent court cases against the UID?

Yes. While all of this was going on, retired judge, Justice Puttaswamy, filed a petition in the Supreme Court, stating that the UID scheme is illegal, since it violates article 73 of the Constitution. Aruna Roy, who is an activist at the National Council for People’s Right to Information, has also filed a petition where she has questioned the UID because it violates privacy rights and the rights of the poor.

Furthermore, petitions have been filed in the Madras High Court and in the Mumbai High Court. In 2012, it was argued in the Madras High Court that the only legal provision for taking fingerprints exists under the Prisoners Act, whereas the UIDAI is taking the fingerprints of people who are not prisoners and therefore it is illegal. In 2013, Vikram Crishna, Kamayani Bahl and a few others argued in the Mumbai High Court that the right to privacy is being violated through the UID scheme. It is noteworthy that in most of these cases, the defendants have not filed any counter-arguments. The only exceptions were in the Aruna Roy and Puttaswamy cases, where the defendants claimed that the UID is secure and supported it in general. In the end, the Supreme Court directed that the cases in Mumbai and Madras should be clubbed together and addressed by it. As such, the cases filed in the Madras and Mumbai High Courts have been sent to the Supreme Court of India.

Major General Vombathakere also filed a petition in the Supreme Court, arguing that the UID scheme violates individuals' right to privacy. When the counsel for the General commenced his arguments the judge pointed to the possibility of the Government passing the NIA Bill soon, which will contain provisions for privacy, as stated by the Government. As such, the judge implied that if the Government passes such a law the argument, that the Government is implementing the scheme in a legal vacuum, may not be valid.

So what is the status of your pending court cases?

Well, I impleaded myself in Aruna Roy's petition and brought my arguments with regards to corruption in the case of companies contracted with the UIDAI and the danger to national security through the involvement of persons linked to US intelligence agencies. The last hearing in the Supreme Court was on 10th December 2013, but it was postponed to 28 January 2014. So in short, in the Supreme Court I am currently filing a case for investigation with regards to corruption and links with foreign intelligence agencies by companies contracted with the UIDAI, while in the Bangalore High Court, I have appealed a civil trial with regards to the misplacement of Order 7, Rule 11, of the Civil Procedure Code.

After its judgment in Kharak Singh, the Court was not concerned with the privacy question for a while. The next case that dealt – peripherally – with the issue came eleven years later. In R.M. Malkani v State of Maharashtra, the Court held that attaching a recording device to a person’s telephone did not violate S. 25 of the Telegraph Act, because

"where a person talking on the telephone allows another person to record it or to hear it, it can-not be said that the other person who is allowed to do so is damaging, removing, tampering, touching machinery battery line or post for intercepting or acquainting himself with the contents of any message. There was no element of coercion or compulsion in attaching the tape recorder to the telephone."

Although this case was primarily about the admissibility of evidence, the Court also took time out to consider – and reject – a privacy-based Article 21 argument, holding that:

"Article 21 was invoked by submitting that the privacy of the appellant’s conversation was invaded. Article 21 contemplates procedure established by law with regard to deprivation of life or personal liberty. The telephonic conversation of an innocent citizen will be protected by Courts against wrongful or high handed interference by tapping the conversation. The protection is not for the guilty citizen against the efforts of the police to vindicate the law and prevent corruption of public servants. It must not be understood that the Courts will tolerate safeguards for the protection of the citizen to be imperiled by permitting the police to proceed by unlawful or irregular methods."

Apart from the fact that it joined Kharak Singh in refusing to expressly find a privacy right within the contours of Article 21, there is something else that unites Kharak Singh and R.M. Malkani: they hypothetical in Kharak Singh became a reality in Malkani – what saved the telephone tapping precisely because it was directed at "… a guilty person", with the Court specifically holding that the laws were not for targeting innocent people. Once again, then, the targeted  and specific nature of interception became a crucial – and in this case, a decisive – factor. One year later, in another search and seizure case, Pooran Mal v Inspector, the Court cited M.P. Sharma and stuck to its guns, refusing to incorporate the Fourth Amendment into Indian Constitutional law.

It is Gobind v State of MP, decided in 1975, that marks the watershed moment for Indian privacy law in the Constitution. Like Kharak Singh, Gobind also involved domiciliary visits to the house of a history-sheeter. Unlike Kharak Singh, however, in Gobind the Court found that the Regulations did have statutory backing – S. 46(2)(c) of the Police Act, which allowed State Government to make notifications giving effect to the provisions of the Act, one of which was the prevention of commission of offences. The surveillance provisions in the impugned regulations, according to the Court, were indeed for the purpose of preventing offences, since they were specifically aimed at repeat offenders. To that extent, then, the Court found that there existed a valid “law” for the purposes of Articles 19 and 21.

By this time, of course, American constitutional law had moved forward significantly from eleven years ago, when Kharak Singh had been decided. The Court was able to invoke Griswold v Connecticut and Roe v Wade, both of which had found a "privacy" as an "interstitial" or "penumbral" right in the American Constitution – that is, not reducible to any one provision, but implicit in a number of separate provisions taken together. The Court ran together a number of American authorities, referred to Locke and Kant, to dignity, to liberty and to autonomy, and ended by holding, somewhat confusingly:

“the right to privacy must encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing. This catalogue approach to the question is obviously not as instructive as it does not give analytical picture of that distinctive characteristics of the right of privacy. Perhaps, the only suggestion that can be offered as unifying principle underlying the concept has been the assertion that a claimed right must be a fundamental right implicit in the concept of ordered liberty… there are two possible theories for protecting privacy of home. The first is that activities in the home harm others only to the extent that they cause offence resulting from the mere thought that individuals might he engaging in such activities and that such ‘harm’ is not Constitutionally protective by the state. The second is that individuals need a place of sanctuary where they can be free from societal control. The importance of such a sanctuary is that individuals can drop the mask, desist for a while from projecting on the world the image they want to be accepted as themselves, an image that may reflect the values of their peers rather than the realities of their natures… the right to privacy in any event will necessarily have to go through a process of case-by-case development."

But if no clear principle emerges out of the Court’s elucidation of the right, it was fairly unambiguous in stressing the importance of the right itself. Interestingly, it grounded the right within the context of the freedom struggle. "Our founding fathers," it observed, "were thoroughly opposed to a Police Raj even as our history of the struggle for freedom has borne eloquent testimony to it." (Para 30) The parallels to the American Fourth Amendment are striking here: in his historical analysis Akhil Amar tells us that the Fourth Amendment was meant precisely to avoid the various abuses of unreasonable searches and seizures that were common in England at the time.

The parallels with the United States become even more pronounced, however, when the Court examined the grounds for limiting the right to privacy. "Assuming that the fundamental rights explicitly guaranteed to a citizen have penumbral zones and that the right to privacy is itself a fundamental right, that fundamental right must be subject to restriction on the basis of compelling public interest." "Compelling public interest" is an interesting phrase, for two reasons. First, “public interest” is a ground for fundamental rights restrictions under Article 19 (see, e.g., Article 19(6)), but the text of the Article 19 restrictions do not use – and the Court, in interpreting them, has not held – that the public interest must be “compelling”. This suggests a stricter standard of review for an Article 21 privacy right violation than Article 19 violations. This is buttressed by the fact that in the same paragraph, the Court ended by observing: “even if it be assumed that Article 19(5) [restrictions upon the freedom of movement] does not apply in terms, as the right to privacy of movement cannot be absolute, a law imposing reasonable restriction upon it for compelling interest of State must be upheld as valid.” The Court echoes the language of 19(5), and adds the word “compelling”. This surely cannot be an oversight.

More importantly – the compelling State interest is an American test, used often in equal protection cases and cases of discrimination, where “suspect classes” (such as race) are at issue. Because of the importance of the right at issue, the compelling state interest test goes hand-in-hand with another test: narrow tailoring. Narrow tailoring places a burden upon the State to demonstrate that its restriction is tailored in a manner that infringes the right as narrowest manner that is possible to achieve its goals. The statement of the rule may be found in the American Supreme Court case of Grutter v Bollinger:

"Even in the limited circumstance when drawing racial distinctions is permissible to further a compelling state interest, government is still constrained under equal protection clause in how it may pursue that end: the means chosen to accomplish the government’s asserted purpose must be specifically and narrowly framed to accomplish that purpose."

To take an extremely trivial example that will illustrate the point: the State wants to ban hate speech against Dalits. It passes legislation that bans “all speech that disrespects Dalits.” This is not narrowly tailored, because while all hate speech against Dalits necessarily disrespects them, all speech that disrespects Dalits is not necessarily hate speech. It was possible for the government to pass legislation banning only hate speech against Dalits, one that would have infringed upon free speech more narrowly than the “disrespect law”, and still achieved its goals. The law is not narrowly tailored.

Crucially, then, the Court in Gobind seemed to implicitly accept the narrow-tailoring flip side of the compelling state interest coin. On the constitutionality of the Police Regulations itself, it upheld their constitutionality by reading them narrowly. Here is what the Court said:

“Regulation 855, in our view, empowers surveillance only of persons against whom reasonable materials exist to induce the opinion that they show a determination, to lead a life of crime – crime in this context being confined to such as involve public peace or security only and if they are dangerous security risks. Mere convictions in criminal cases where nothing gravely imperiling safety of society cannot be regarded as warranting surveillance under this Regulation. Similarly, domiciliary visits and picketing by the police should be reduced to the clearest cases of danger to community security and not routine follow-up at the end of a conviction or release from prison or at the whim of a police officer.”

But Regulation 855 did not refer to the gravity of the crime at all. Thus, the Court was able to uphold its constitutionality only by narrowing its scope in a manner that the State’s objective of securing public safety was met in a way that minimally infringed the right to privacy.

Therefore, whether the Gobind bench was aware of it or not, its holding incorporates into Indian constitutional law and the right to privacy, not just the compelling State interest test, but narrow tailoring as well. The implications for the CMS are obvious. Because with narrow tailoring, the State must demonstrate that bulk surveillance of all individuals, whether guilty or innocent, suspected of crimes or not suspected of crimes (whether reasonably or otherwise), possessing a past criminal record or not, speaking to each other of breaking up the government or breaking up a relationship – every bit of data must be collected to achieve the goal of maintaining public security, and that nothing narrower will suffice. Can the State demonstrate this? I do not think it can, but at the very least, it should be made to do so in open Court.

---

Chinmayi Arun's Op-ed was published in the Hindu on January 29, 2014.

---

It is odd indeed that the Delhi High Court seems to believe that sensational media coverage can sway the Supreme Court into prejudice against one of its own retired judges. Justice Manmohan Singh of the Delhi High Court has said in Swatanter Kumar v. Indian Express and others that the pervasive sensational media coverage of the sexual harassment allegations against the retired Supreme Court judge 'may also result in creating an atmosphere in the form of public opinion wherein a person may not be able to put forward his defence properly and his likelihood of getting fair trial would be seriously impaired.'  This Delhi High court judgment has drawn upon the controversial 2011 Supreme Court judgment in Sahara India Real Estate Corp. Ltd v. SEBI (referred to as the Gag Order case here) to prohibit the media from publishing headlines connecting retired Justice Swatanter Kumar with the intern's allegations, and from publishing his photograph in connection with the allegations.

Although the Gag Order judgment was criticised at the time that it was delivered Swatanter Kumar v. Indian Express illustrates its detractors' argument more vividly that anyone could have imagined.

Sukumar Muralidharan wrote of Gag Order case that the postponement (of media coverage) order remedy that it created, could become an "instrument in the hands of wealthy and influential litigants, to subvert the course of open justice".

Here we find that although a former Supreme Court judge is pitted against a very young former intern within a system over which he once presided, Justice Manmohan Singh seems to think that it is the judge who is danger of being victimised.

The Swatanter Kumar judgment was enabled by both the Gag Order case as well as the 1966 Supreme Court judgment in Naresh Sridhar Mirajkar v. State of Maharashtra, which in combination created a process for veiling court proceedings. Naresh Mirajkar stated that courts' inherent powers extend to barring media reports and comments on ongoing trials in the interests of justice, and that such powers do not violate the right to freedom of speech; and the Gag Order case created an instrument - the 'postponement order' - for litigants, such that they can have media reports of a pending case restricted. The manner in which this is used in the Swatanter Kumar judgment raises very worrying questions about how the judiciary views the boundaries of the right to freedom of expression, particularly in the context of reporting court proceedings.

Broad power to restrict reporting

The Gag Order case was problematic: it used arguments for legitimate restraints on media reporting in exceptional circumstances, to permit restrictions on media reporting of court proceedings under circumstances 'where there is a real and substantial risk of prejudice to fairness of the trial or to proper administration of justice'.  The Supreme Court refused to narrow this or clarify what publications would fall within this category. It merely stated that this would depend on the content and context of the offending publication, and that no 'straightjacket formula' could be created to enumerate these categories. This leaves higher judiciary with a broad discretionary power to decide what amounts to
legitimate restraints on media reporting, using an ambiguous standard. Exercise of this power to veil proceedings involving powerful public figures whose actions have public implications, imperils openness and transparency when they are most critical.

Court proceedings are usually open to the public. This openness serves as a check on the judiciary, and ensures public faith in the judiciary. In countries as large as ours, media coverage of important cases ensures actual openness of court proceedings - we are able to follow the arguments made by petitioners who ask that homosexuality be decriminalised, the trial of suspected terrorists and alleged murderers, and the manner in which our legal system handles sexual harassment complaints filed by young women.

When court proceedings are closed to the public (known as 'in-camera' trials) or when media dissemination of information about them is restricted, the openness and transparency of court proceedings is compromised. Such compromise of transparency does take place in many countries, to protect the rights of the parties involved, or prevent miscarriage of justice. For example, child-participants are protected by holding trials in-camera; names of parties to court proceedings are withheld to protect their privacy sometimes; and in countries where juries determine guilt, news coverage that may prejudice the jury is also restricted.

The damage done

Although the Supreme Court stated in principle that the openness of court proceedings should only be restricted where strictly necessary, this appears to lend itself to very varied interpretation. For example, it is very difficult for some of us to understand why it was strictly necessary to restrict media coverage of sexual harassment proceedings in the Swatanter Kumar case. J. Manmohan Singh on the other hand seems to believe that the adverse public opinion will affect the retired judge's chance of getting a fair trial. His judgment also seems to indicate his concern that the sensational headlines will impact the public confidence in the Supreme Court.

The Delhi High Court's apprehension about the effects of the newspaper coverage on the reputation of the judge did not need to translate into a prior restraint on media coverage. They may better have been addressed later, by evaluating a defamation claim pertaining to published material. The larger concerns about the reputation of the judiciary are better addressed by openness: if powerful public figures, especially those with as much influence as a former Supreme Court judge are not subjected to transparent court proceedings, the opacity in the face of such a critical issue is likely to undermine public faith in the judiciary as an institution.Such opacity undermines the purpose of open courts. It is much worse for the reputation of the judiciary than publicised complaints about individual judges.

Since the Delhi High Court ruling, there has been little media coverage of the sexual harassment case. Suppression of media coverage leaves the young woman comparatively isolated. Wide coverage of the harassment complaint involving Justice Ganguly, helped the intern in that case find support. The circulation of information enabled other former interns as well as a larger network of lawyers and activists, reach out to her. This is apart from the general pressure to be fair that arises when a case is being followed closely by the public. Media coverage is often critical to whether someone relatively powerless is able to assert her rights against a very powerful person. This is why media freedom is sacred to democracies.

If the Supreme Court was confident that the high courts in India would use their broad discretionary power under the Gag Order case sparingly and only in the interests of justice, the Swatanter Kumar case should offer it grounds to reconsider.  Openness and freedom of expression are not meant to be diluted to protect the powerful - they exist precisely to ensure that even the powerful are held accountable by state systems that they might otherwise be able to sway.

(Chinmayi Arun is research director, Centre for Communication Governance, National Law University, Delhi, and fellow, Centre for Internet and Society, Bangalore.)

The idea of a Panoptikon, of monitoring all communications in India and centrally storing such data is not new. It was first envisioned in 2009, following the 2008 Mumbai terrorist attacks. As such, the Central Monitoring System (CMS) started off as a project run by the Centre for Communication Security Research and Monitoring (CCSRM), along with the Telecom Testing and Security Certification (TTSC) project.

The Central Monitoring System (CMS), which was largely covered by the media in 2013, was actually approved by the Cabinet Committee on Security (CCS) on 16th June 2011 and the pilot project was completed by 30th September 2011. Ever since, the CMS has been operated by India's Telecom Enforcement Resource and Monitoring (TERM) cells, and has been implemented by the Centre for Development of Telematics (C-DOT), which is an Indian Government owned telecommunications technology development centre. The CMS has been implemented in three phases, each one taking about 13-14 months. As of June 2013, government funding of the CMS has reached at least Rs. 450 crore (around $72 million).

In order to require Telecom Service Providers (TSPs) to intercept all telecommunications in India as part of the CMS, clause 41.10 of the Unified Access Services (UAS) License Agreement was amended in June 2013. In particular, the amended clause includes the following:

“But, in case of Centralized Monitoring System (CMS), Licensee shall provide the connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at its own cost in the form of dark fibre with redundancy. If dark fibre connectivity is not readily available, the connectivity may be extended in the form of 10 Mbps bandwidth upgradeable upto 45 Mbps or higher as conveyed by the Governemnt, till such time the dark fibre connectivity is established. However, LICENSEE shall endeavor to establish connectivity by dark optical fibre at the earilest. From the point of presence of MPLS network of CMS onwards traffic will be handled by the Government at its own cost.”

Furthermore, draft Rule 419B under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information” / Call Data Records (CDR) to Indian authorities. Call Data Records, otherwise known as Call Detail Records, contain metadata (data about data) that describe a telecomunication transaction, but not the content of that transaction. In other words, Call Data Records include data such as the phone numbers of the calling and called parties, the duration of the call, the time and date of the call, and other such information, while excluding the content of what was said during such calls. According to draft Rule 419B, directions for the disclosure of Call Data Records can only be issued on a national level through orders by the Secretary to the Government of India in the Ministry of Home Affairs, while on the state level, orders can only be issued by the Secretary to the State Government in charge of the Home Department.

Other than this draft Rule and the amendment to clause 41.10 of the UAS License Agreement, no law exists which mandates or regulates the Central Monitoring System (CMS). This mass surveillance system is merely regulated under Section 5(2) of the Indian Telegraph Act, 1885, which empowers the Indian Government to intercept communications on the occurence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the following instances:

• the interests of the sovereignty and integrity of India

• the security of the State

• friendly relations with foreign states

• public order

• for preventing incitement to the commission of an offense

However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague, and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should function. As such, the CMS appears to be inadequately regulated, which raises many questions with regards to its potential misuse and subsequent violation of Indian's right to privacy and other human rights.

So how does the Central Monitoring System (CMS) actually work?

We have known for quite a while now that the Central Monitoring System (CMS) gives India's security agencies and income tax officials centralized access to the country's telecommunications network. The question, though, is how.

Well, prior to the CMS, all service providers in India were required to have Lawful Interception Systems installed at their premises in order to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, in the CMS era, all TSPs in India are required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems. Once ISF servers are installed in the premises of TSPs in India and integrated with Lawful Interception Systems, they are then connected to the Regional Monitoring Centres (RMC) of the CMS. Each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS). In short, the CMS involves the collection and storage of data intercepted by TSPs in central and regional databases.

In other words, all data intercepted by TSPs is automatically transmitted to Regional Monitoring Centres, and subsequently automatically transmitted to the Central Monitoring System. This means that not only can the CMS authority have centralized access to all data intercepted by TSPs all over India, but that the authority can also bypass service providers in gaining such access. This is due to the fact that, unlike in the case of so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows for data to be automatically transmitted to its datacentre, without the involvement of TSPs.

The above is illustrated in the following chart:

The interface testing of TSPs and their Lawful Interception Systems has already been completed and, as of June 2013, 70 ISF servers have been purchased for six License Service Areas and are being integrated with the Lawful Interception Systems of TSPs. The Centre for Development of Telematics has already fully installed and integrated two ISF servers in the premises of two of India's largest service providers: MTNL and Tata Communications Limited. In Delhi, ISF servers which connect with the CMS have been installed for all TSPs and testing has been completed. In Haryana, three ISF servers have already been installed in the premises of TSPs and the rest of currently being installed. In Chennai, five ISF servers have been installed so far, while in Karnataka, ISF servers are currently being integrated with the Lawful Interception Systems of the TSPs in the region.

The Centre for Development of Telematics plans to integrate ISF servers which connect with the CMS in the premises of service providers in the following regions:

• Delhi

• Maharashtra

• Kolkata

• Uttar Pradesh (West)

• Andhra Pradesh

• Uttar Pradesh (East)

• Kerala

• Gujarat

• Madhya Pradesh

• Punjab

• Haryana

With regards to the UAS License Agreement that TSPs are required to comply with, amended clause 41.10 specifies certain details about how the CMS functions. In particular, the amended clause mandates that TSPs in India will provide connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at their own cost and in the form of dark optical fibre. From the MPLS network of the CMS onwards, traffic will be handled by the Government at its own cost. It is noteworthy that a Memorandum of Understanding (MoU) for MPLS connectivity has been signed with one of India's largest ISPs/TSPs: BSNL. In fact, Rs. 4.8 crore have been given to BSNL for interconnecting 81 CMS locations of the following License Service Areas:

• Delhi

• Mumbai

• Haryana

• Rajasthan

• Kolkata

• Karnataka

• Chennai

• Punjab

Clause 41.10 of the UAS License Agreement also mandates that the hardware and software required for monitoring calls will be engineered, provided, installed and maintained by the TSPs at their own cost. This implies that TSP customers in India will likely have to pay for more expensive services, supposedly to “increase their safety”. Moreover, this clause mandates that TSPs are required to monitor at least 30 simultaneous calls for each of the nine designated law enforcement agencies. In addition to monitored calls, clause 41.10 of the UAS License Agreement also requires service providers to make the following records available to Indian law enforcement agencies:

• Called/calling party mobile/PSTN numbers

• Time/date and duration of interception

• Location of target subscribers (Cell ID & GPS)

• Data records for failed call attempts

• CDR (Call Data Records) of Roaming Subscriber

• Forwarded telephone numbers by target subscriber

Interception requests from law enforcement agencies are provisioned by the CMS authority, which has access to the intercepted data by all TSPs in India and which is stored in a central database. As of June 2013, 80% of the CMS Physical Data Centre has been built so far.

In short, the CMS replaces the existing manual system of interception and monitoring to an automated system, which is operated by TERM cells and implemented by the Centre for Development of Telematics. Training has been imparted to the following law enforcement agencies:

• Intelligence Bureau (IB)

• Central Bureau of Investigation (CBI)

• Directorate of Revenue Intelligence (DRI)

• Research & Analysis Wing (RAW)

• National Investigation Agency (NIA)

• Delhi Police

And should we even be worried about the Central Monitoring System?

Well, according to the brief material for the Honourable MOC and IT Press Briefing on 16th July 2013, we should not be worried about the Central Monitoring System. Over the last year, media reports have expressed fear that the Central Monitoring System will infringe upon citizen's right to privacy and other human rights. However, Indian authorities have argued that the Central Monitoring System will better protect the privacy of individuals and maintain their security due to the following reasons:

1. The CMS will just automate the existing process of interception and monitoring, and all the existing safeguards will continue to exist

2. The interception and monitoring of communications will continue to be in accordance with Section 5(2) of the Indian Telegraph Act, 1885, read with Rule 419A

3. The CMS will enhance the privacy of citizens, because it will no longer be necessary to take authorisation from the nodal officer of the Telecom Service Providers (TSPs) – who comes to know whose and which phone is being intercepted

4. The CMS authority will provision the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured, since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data

5. A non-erasable command log of all provisioning activities will be maintained by the system, which can be examined anytime for misuse and which provides an additional safeguard

While some of these arguments may potentially allow for better protections, I personally fundamentally disagree with the notion that a centralised monitoring system is something not to worry about. But let's start-off by having a look at the above arguments.

The first argument appears to imply that the pre-existing process of interception and monitoring was privacy-friendly or at least “a good thing” and that existing safeguards are adequate. As such, it is emphasised that the process of interception and monitoring will “just” be automated, while posing no real threat. I fundamentally disagree with this argument due to several reasons. First of all, the pre-existing regime of interception and monitoring appears to be rather problematic because India lacks privacy legislation which could safeguard citizens from potential abuse. Secondly, the very interception which is enabled through various sections of the Information Technology (Amendment) Act, 2008, and the Indian Telegraph Act, 1885, potentially infringe upon individual's right to privacy and other human rights.

May I remind you of Section 69 of the Information Technology (Amendment) Act, 2008, which allows for the interception of all information transmitted through a computer resource and which requires users to assist authorities with the decryption of their data, if they are asked to do so, or face a jail sentence of up to seven years. The debate on the constitutionality of the various sections of the law which allow for the interception of communications in India is still unsettled, which means that the pre-existing interception and monitoring of communications remains an ambiguous matter. And so, while the interception of communications in general is rather concerning due to dracodian sections of the law and due to the absence of privacy legislation, automating the process of interception does not appear reassuring at all. On the contrary, it seems like something in the lines of: “We have already been spying on you. Now we will just be doing it quicker and more efficiently.”

The second argument appears inadequate too. Section 5(2) of the Indian Telegraph Act, 1885, states that the interception of communications can be carried out on the occurence of a “public emergency” or in the interest of “public safety” when it is deemed “necessary or expedient” to do so under certain conditions which were previously mentioned. However, this section of the law does not mandate the establishment of the Central Monitoring System, nor does it regulate how and under what conditions this surveillance system will function. On the contrary, Section 5(2) of the Indian Telegraph Act, 1885, clearly mandates targeted surveillance, while the Central Monitoring System could potentially undertake mass surveillance. Since the process of interception is automated and, under clause 41.16 of the Unified License (Access Services) Agreement, service providers are required to provision at least 3,000 calls for monitoring to nine law enforcement agencies, it is likely that the CMS undertakes mass surveillance. Thus, it is unclear if the very nature of the CMS falls under Section 5(2) of the Indian Telegraph Act, 1885, which mandates targeted surveillance, nor is it clear that such surveillance is being carried out on the occurence of a specific “public emergency” or in the interest of “public safety”. As such, the vagueness revolving around the question of whether the CMS undertakes targeted or mass surveillance means that its legality remains an equivocal matter.

As for the third argument, it is not clear how bypassing the nodal officers of TSPs will enhance citizen's right to privacy. While it may potentially be a good thing that nodal officers will not always be aware of whose information is being intercepted, that does not guarantee that those who do have access to such data will not abuse it. After all, the CMS appears to be largely unregulated and India lacks privacy legislation and all other adequate legal safeguards. Moreover, by bypassing the nodal officers of TSPs, the opportunity for unauthorised requests to be rejected will seize to exist. It also implies an increased centralisation of intercepted data which can potentially create a centralised point for cyber attacks. Thus, the argument that the CMS authority will monopolise the control over intercepted data does not appear reassuring at all. After all, who will watch the watchmen?

While the fourth argument makes a point about differentiating the provisioning and requesting entities with regards to interception requests, it does not necessarily ensure a complete check and balance, nor does it completely eliminate the potential for abuse. The CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorised requests are not provisioned. Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place.

Furthermore, this argument states that the CMS authority will not have access to content data, but does not specify if it will have access to metadata. What's concerning is that metadata can potentially be more useful for tracking individuals than content data, since it is ideally suited to automated analysis by a computer and, unlike content data which shows what an individuals says (which may or may not be true), metadata shows what an individual does. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual's interests, behaviour and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to tackle the argument that the provisioning and requesting entities will be seperate and therefore protect individual's privacy.

The final argument appears to provide some promise, since the maintenance of a command log of all provisioning activities could potentially ensure some transparency. However, it remains unclear who will maintain such a log, who will have access to it, who will be responsible for ensuring that unlawful requests have not been provisioned and what penalties will be enforced in cases of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all. In short, the above arguments in favour of the CMS and which support the notion that it enhances individual's right to privacy appear to be inadequate, to say the least.

In contemporary democracies, most people would agree that freedom is a fundamental human right. The right to privacy should be equally fundamental, since it protects individuals from abuse by those in power and is integral in ensuring individual liberty. India may literally be the largest democracy in the world, but it lacks privacy legislation which establishes the right to privacy, which guarantees data protection and which safeguards individuals from the potentially unlawful interception of their communications. And as if that is not enough, India is also carrying out a surveillance scheme which is largely unregulated. As such, it is highly recommended that India establishes a privacy law now.

If we do the math, here is what we have: a country with extremely high levels of corruption, no privacy law and an unregulated surveillance scheme which lacks public and parliamentary debate prior to its implementation. All of this makes it almost impossible to believe that we are talking about a democracy, let alone the world's largest (by population) democracy! Therefore, if Indian authorities are interested in preserving the democratic regime they claim to be a part of, I think it would be highly necessary to halt the Central Monitoring System and to engage the public and the parliament in a debate about it.

After all, along with our right to privacy, freedom of expression and other human rights...our right to freedom from suspicion appears to be at stake.

How can we not be worried about the Central Monitoring System?

 

 

The Centre for Internet and Society (CIS) is in possession of the documents which include the information on the Central Monitoring System (CMS) as analysed in this article, as well as of the draft Rule 419B under the Indian Telegraph Act, 1885.

This was published in a book on Palestinian art.

---

The rise of mobile media is heralding new forms of networked visualities. These visualities see place, politics and images entangled in new ways: what can be called ‘emplaced visuality’. In the images disseminated globally of citizen uprising such as the Arab Spring, it was mobile phones that provided the frame and context for new forms of networked visual politics. In the growth in networked photo apps such as Instagram and Hipstamic, how, when and why we are representing a relationship between place and co-presence is changing. No longer the poorer cousin to professional cameras, camera phones have lead the rise of do-it-yourself (DIY) aesthetics flooding mainstream and subcultural media cultures. In networked visuality contexts such as YouTube and Flickr, the aesthetic of what Burgess has called ‘vernacular creativity’[1] has become all-pervasive—so much so that even mainstream media borrows the DIY style.

Now, with locative media added into the equation, these visualities are not only networked but also emplaced—that is, entangled within the temporal and spatial movements of everyday life.[2]

Emplaced visualities represent a new relationship between place (as a series of what Doreen Massey calls ‘stories so far’)[3] co-presence, subjectivity and visuality. This phenomenon is impacting upon video art. In this chapter we reflect upon how mobile media visualities are impacting upon a sense of place and displacement. With the added dimension of Big Data and location-based services (like Google Maps and Facebook Places) now becoming part of the everyday informational circuits, how a sense of place and privacy is experienced and represented is changing. This phenomenon is apparent in the Palestinian cross-cultural video project called Al Jaar Qabla al Daar (The Neighbour before the House) as we will discuss in detail later in this chapter.

With its history of displacement and disapora, Palestinine’s role in contemporary art is increasingly becoming pivotal. This is especially the case with video art as a key medium for reflecting upon representations of place and movement. When we think of Palestinan video art the first artist we think of is Mona Hatoum. Hatoum was a poineer in so many ways. In particular, she gave voice to Arab women. Her work unsetttled the poetics of the everyday by evoking a sense of displacement and entanglement. While born in Beirut of Palestinan parents and then moving to London, she never identified as Lebanese. Despite never living in Palestinian, Hatoum was like a number of Palestinian refugees in Lebanon post 1948 who were never able to gain Lebanese identity cards. Unsurprisingly, Hatoum’s experiences of exile permulate her work. In particular, exile, politics and the body have played a key role. This is epitomised in her iconic Measures of Distance (1988) whereby Hatoum superimposes images of her mother having a shower with letters by her mum written in Arabian.

However, Hatoum is not the only artist representing the oevre of Palestinian video art. Over the last two decades—with the rise of mobile media affording easy accessibility to new media tools and networked contexts like YouTube—a new breed of video artists has arisen. An example is Navigations: Palestinian Video Art, 1988 to 2011 (curated as part of the Palestine Film Festival) that explored artists working in Palestine and the diaspora over nearly a quarter of a century. Unsurprisingly, motifs of diaspora and displacement feature throughout the fifteen works by Hatoum, Taysir Batniji, Manar Zoabi, Larissa Sansour and Khaled Jarrar to name a few. In Navigations: Palestinian Video Art key themes include ‘mobility and fluidity: the virtual and the real, the past and the future, the spectacular and the quotidian, the near and the far’.

Another example of an event promoting Palestinian video art is the /si:n/ Festival of Video Art & Performance. Consisting of performances, video installations, lectures, talks, and workshops in various venues all over the West Bank and includes artists from all over the world. The name /si:n/ is meant to linked the words ‘scene’ with ‘seen’ and has been seen as making an innovative context for video artists to share and collaborate in public venue. With themes such as ‘poetical revolution comes before political revolution’, the /si:n/ Festival provides a context that reflects upon exile and place in one of the most contested and politucal spaces, the West Bank. Beginning in 2009, the /si:n/ Festival became the first festival of video art in Palestine.

Given this rich tapestry of video art emerging in Palestine, in this chapter we explore the relationship between emergent mobile visualities, diaspora and place through a specific project called The Neighbour before the House. A cross-cultural video collaboration between Indian artists Shaina Anand, Ashok Sukumaran and Nida Ghouse, with Palestinian and Israeli artists Mahmoud Jiddah, Shereen Brakat and Mahasen Nasser-Eldin, The Neighbour before the House is a video art project that explores quotidian practices of life in a ‘post-surveillance society’. The Neighbour before the House is set in the context of the much contested territories and the relentless re-occupation and re-appropriation of East Jerusalem. Working with cheap surveillance technologies which have become such a ubiquitous part of the landscape of East Jerusalem, the artists use a PTZ (pan-tilt-zoom) security camera to inquire into the affective dimensions of ‘mobile’ life in the time of turbulent politics. The images that they capture look at jest, memory, desire and doubt, as fragile conditions of trust and life shape the everyday experiences of the region. The camera is given to the residents of a neighbourhood torn asunder by political strife and conflicts, asking them to search for the nugget of truth or morsel of thickness in the otherwise familiar flatness of walls and closed doors, which have been completely depleted of all depth because of the increased distance in the social relations.

The images eschew the tropes of traditional documentary making by and adopting the grainy, lo-res, digital non-frame, DIY aesthetics constantly in search of an image that might become the site of meaning making, but increasingly only capturing the mundane, the inane, the opaque and the evanescent. The image leads the commentary. The live camera operator’s interest and experience shape the image, rendering the familiar or the insignificant as hugely affective and evocative. The project further initiates a dialogue between the neighbours—both from across the contested zones, but also from across picket fences and walls of surveillance—by introducing the images to them, by inviting them to capture the images, and instil in them, the narratives of hope, despair, nostalgia, memory, loss, love, and longing.

The Neighbour before the House reflects upon the relationship between between art, technologies of visual reproduction and political strife. Moving away from the documentary style that has been popular in capturing the ‘real’, The Neighbour before the House refigures the temporality and spatiality through new affective and metaphorical tropes, playing with the tension between the presence of surveillance technologies and the familiarity of these images that breeds new conditions of life and living, trust and belonging, safety and threat, for people in Palestine. In the process, it introduces key questions to the role of the artist, the function of art, the form of video art practice, and the new negotiations that digital video apparatus introduce to the art worlds, beyond the now main-stream ideas of morphing, digitization, remixing etc.

Moreover, The Neighbour before the House reflects upon a shift away from the dominant network society paradigm and towards more contingent and ambivalent mirconarratives of camera phone practices. It toys with the DIY ‘banality’ aesthetics of camera phones in order to consider the ways in which place is overlaid with different types of information—electronic, geographic, psychological and metaphoric. On the one hand, The Neighbour before the House evokes network society metaphors. On the other hand, it suggests a move away from this paradigm and towards a politics of both ‘emplaced’ and displaced visuality. In order to discuss this transformation of the relationship between image, place and information from network society metaphors towards ‘emplaced’ visualities we firstly describe The Neighbour before the House before then reflecting upon a few key themes the project explores: that is, the movement of the networked society to emplaced visualities and the rise of the politics of the phoneur.

The Neighbour before the House 2012): A case study

As aforementioned, The Neighbor before the House is a collaborative video project between Indian, Israeli and Palestenian artists that appropriates, critically responds and insightfully rearranges the notion of art, politics and digital video technologies in its exploration of everyday practices of life in critical times in a networked post-surveillance society. The Neighbor before the House equips eight Palestenian families from East Jerusalem to be in control of PTZ (Pan Tilt Zoom) surveillance cameras mounted at strategic locations in the city, to observe the live feed on their TV sets, recording their reactions and live commentaries at what they see. Here the Big Brother, and its contemporary Big Data, is inverted through everyday citizens being given the omnipresent eye. It plays on the idea of the neighbour being both a friendly eye and when this watching shifts from being benevolent to malevolent.

As the artists write, ‘this footage shot with a security camera, takes us beyond the instrumental aspects of surveillance imaging, introducing us to the architecture of a deliberate and accelerated occupation of a city.’ Here the city is rendered into a cartography of informational circuits. Exploiting the conditions of networked spectacle, the project attempts to remap the real and the everyday through ‘inquisitiveness, jest, memory, fear, desire and doubt’. They use the surveillance cameras—symbols of suspicion and fear—to catalyse stories from Palestenians in different neighbourhoods about what can be seen: ‘messianic archeological digs; Israeli settlement activities; takeovers of Palestenian properties; the Old City, the Wall and the West Bank,’ among other mundane and marvellous details of living life in those precarious conditions.

Through the inversion of the politics of survellience from the Big Brother to the ubiquitous neighbour, The Neighbor before the House provides a rich, evocative and non-representational history of living in East Jerusalem. The networked media spectacles which have come to stand-in for the complex geo-political struggles of the region are displaced. As the low-res cameras reduce the deep geography into an alien flatness on the TV screens, as the camera captures glimpses of what could have been, records traces of blurred movements which require discussions and debates about their possible meaning, and engages the families to communicate their hopes, fears, desires and doubts, the art project also signals us to the new forms, functions and role of video art. Rather than the media event or spectacle,
The Neighbor before the House provides the micronarrative gestures of the everyday. The ways in which the place is a tapestery of subjectivities and experiences, not just a media spectacle.

As artist Shaina Anand mentions in an interview with Shah, this is a new kind of storytelling, where,

… a lot of the practice actually removes the filmmaker, the director, the auteur, and also therefore the cameraman, and also the lens... and offers these possibilities and privileges— of this look and gaze and all—to the subjects themselves[4]

And as the lens makes itself invisible, it also gives new importance to the apparatus of surveillance, seeing and its incorporation in our lives. As Florian Schenider mentions in the introduction to the project, the house upon which the camera is mounted, itself becomes a tripod made of stones. Instead of thinking of the video apparatus as out there, the private conditions of the home, the histories of the family, their relationships with neighbours and communities that they have lost, and strangers that they have inherited, all become the defining circumstances of this new crisis.

Borrowing from a Quranic saying, Al Jaar Qabla Al Daar, which is close to the idea of ‘loving they neighbour’ it explores how the presence of new digital video technologies establishes difference, distance, alienation, proximity, curiosity and surveillance which is not merely a function of governmental structures but also a condition of gamification and everyday engagement for the families in East Jerusalem. For the artists, this also takes up another connotation of ‘checking out your neighbour before you buy the house’ suggesting establishing bounded similarities to seek comfort. The edited footage of the video shows how and when the users got in control of the keyboard and a joy-stick, panning, tilting and zooming the camera, watching the live feeds on their Television sets as they speak live over the footage. These commentaries are personal as they are affective. Sometimes the commentary leads the person to probe the image, deeper, trying to find a meaning that can no longer be supported by the hyper-pixelated image on their screen, but becoming a site through which memories and interpretations

get generated. What begins as a playful probe soon takes up sinister shades, as some generate narratives of loss and death. Others take the opportunity to spy on the new settlers who have sometimes taken over their older houses, wondering what changes they are making to what was their own. There is a sense of rawness and urgency, as they look back, with fear, and anger, but also with resignation at the houses that they were evicted from, and the semblance of life that they can spot from their remote presence.

The final 5 cuts that the artist produce, give us a deep and evocative insight into geography, temporality, and the ways in which we can re-appropriate the network spectacle to look at things that are often forgotten, dropped out of, or rendered invisible in the neat and clean lines of network models and diagrams. The ‘footage’ quality of the probes, the long dwellings on insignificant images, and the panoptican nature of video as witness, video as spy, and video as affective engagement with territories and times that are lost, all give a new idea of what the future of video art would be like. Instead of looking at a tired old Foucauldian critique of surveillance, The Neighbor before the House posits the question of ‘Who watches the watchman?’ in ways that are both startling and assuring.

Visualising the Politics of the Network

One of the key themes of The Neighbour before the House is the changing role of the network society—especially in an age of Big Data and locative-based services (LBS)—whereby privacy and surveillance come to the forefront. The network society has often been cited as one of the defining frameworks of our heavily mediated times. From theorists such as Barry Wellman and Manuel Castells, the network metaphor has burgeoned in parallel with the all-pervasive rise of Information and Communication Technologies (ICTs) globally. According to Lee Raine and Wellman in Networked, the ‘new social operating systems of networked individualism liberates us from the restrictions of tightly knit groups.’[5]

Raine and Wellman argue that there has been a ‘triple revolution’: the rise of social networking, the capacity of the internet to empower individuals, and the always-on connectivity of mobile devices’.[6]

The ability of networks to explain a range of human personal and social relationships has afforded it great explanatory power, where everything (and hence, by association, everybody) can be understood and explained by the indexicalities and visual cartographies that networks produce. The network is simultaneously, and without any sense of irony, committed to both, examining sketchiness and producing clarity of any phenomena or relationality. The network presumes an externality which can be rich, chaotic and complex and proposes tools and models through which that diverse and discrete reality can be rendered intelligible by producing visualisations.

These visualisations are artefacts—in as much as all mapping exercises produce artefacts—and operate under the presumption of a benignity devoid of political interventions or intentions. The visualisations are non-representational, in terms that they do not seek to reproduce reality but actually understand it, and thereby shaping the lenses and tools to unravel the real nature of the Real. In this function, the network visualisations are akin to art, attaining symbolic value and attempting to decode a depth that the network itself defies and disowns, simulating conditions of knowing and exploring, emerging as surrogate structures that stand in for the real. Thus the rich set of actions, emotions, impulses, traces, inspirations, catalysts, memories, etc. get reified as transactions which can be sorted in indices, arranged in databases, and presented as an abstract, symbolic and hyper-visual reality which can now be consumed, accessed and archived within the network, thus obfuscating the reality that it was premised upon.

This phenomenon is what Shah calls the spectacle imperative of the network. Especially with the proliferation of ubiquitous image and video recording digital devices, this ability to create subjective, multiple, fractured spectacles that feed into the network’s own understanding of itself (rather than an engagement with a reality outside) has become the dominant aesthetic that travels from Reality TV programming to user generated content production on video distribution channels on the internet. This networked spectacle, without a single auteur or a concentrated intention—so the videos from the Arab Spring on YouTube, for example, range from small babies in prams to women forming barricades against a marching army, and from people giving out free food and water to acts of vandalism and petty thefts—has become the new aesthetic of video interaction, consumption and circulation. It invites an engagement, divesting our energies and attentions from the physical and the political, to the aesthetic and the discursive. Which is to say that when we consume these spectacles (or indeed, produce them, not necessarily only through the images but also through texts), we produce a parallel universe that demands that we understand the world ‘out there’ through these cultural artefacts which require an immense amount of decoding and meaning making. The network, in its turn, offers us better and more exhaustive tools of mining and sifting through this information, sorting and arranging it, curating and managing it, so that we build more efficient networks without essentially contributing to the on-the-ground action.

This peculiar self-sustaining selfish nature of the network, to become the only reality, under the guise of attempting to explain reality, is perhaps the most evident in times and geographies of crises. Where (and when) the conditions of politics, circumstances of everyday survival, and the algebra of quotidian life becomes too precarious, too wearisome, too unimaginable to cope with, the network spectacle appears as both the tool for governance as well as the site of protest. Hence, the same technologies are often used by people on different sides of the crises, to form negotiations and get a sense of control, on a reality that is quickly eluding their lived experiences. Surveillance cameras storing an incredible amount of visual data, forming banal narratives of the everyday, appear in critical times and geographies as symbols of control and containment, by authorities that seek to establish their sovereignty over unpredictable zones of public life and dwelling. The gaze of the authority is often criss-crossed by the cell-phone, the webcam, the tiny recording devices of everyday life that people on the streets and in their houses use, to record the nothingness of the crisis, the assurance of normalcy and the need to look over the shoulder and beyond the house, to know that whether or not god is in the heavens, all is well with the world.

The Place of the Visual: Towards a theory of emplaced visuality

However, with the rise of mobile media and its micronarrative capacity, the politics of network, and its relationship to a sense of place changes. Far from eroding a sense of place in the growing unboundness of home, mobile technologies reinforce the significance locality.[7] Mobile media also signal a move away from earlier depictions of the network society. Through the growth in camera phone practices overlaid with location-based services, we see new forms of visuality that reflect changing relations between place and information. With the rise of technologies in an increasingly mobile—physically and technologically—place has become progressively more contested. As Rowan Wilken and Gerard Goggin note in Mobile Technologies and Place, place is one of the most contested, ambiguous and complex terms today.[8] Viewing it as unbounded and relational, Wilken and Goggin observe, ‘place can be understood as all-pervasive in the way that it informs and shapes everyday lived experience—including how it is filtered and experienced via the use of mobile technologies’.[9] As social geographer Doreen Massey notes, maps provide little understanding into the complex elusiveness of place as a collection of ‘stories-so-far’:

One way of seeing ‘places’ is as on the surface of maps… But to escape from an imagination of space as surface is to abandon also that view of place. If space is rather a simultaneity of stories-so-far, then places are collections of those stories, articulations within the wider power-geometries of space. Their character will be a product of these intersections within that wider setting, and of what is made of them… And, too, of the non-meetings-up, the disconnections and the relations not established, the exclusions. All this contributes to the specificity of place.[10]

For anthropologist Sarah Pink, place is increasingly being mapped by practices of emplacement.[11] With location based media like Google Maps and geotagging becoming progressively part of everyday media practice, how place is imagined and experienced across geographic, psychological, online and offline spaces is changing. This impacts upon the role of ethnography and its relationship to geography and place. As Anne Beaulieu notes, ethnography has moved from co-location to co-presence.[12] In this shift, we see the role of ethnography to address the complex negotiations between online and offline spaces growing.

In The Neighbour before the House, we are made to consider the changing role of visuality in how place is experienced and practiced. By deploying a surveillant and multivalent gaze, The Neighbour before the House asks us to reconsider privacy and surviellance in an age of locative media. The rise of the network society has witnessed numerous tensions and ambivalence, especially around the the relationship between agency, information and place. This is epitomised by the second generation camera phones practices whereby with the added layer of LBS—where and when images were taken—becomes automatic by default. Whereas first generation of camera phone practices noted gendered differences.[13] through LBS, these differences take on new dimensions—particularly in terms of its potential ‘stalker’ elements.[14] While notions of privacy differ subject to socio-cultural context, LBS do provide more details about users and thus allow them to be victims of stalking (Cincotta, Ashford, & Michael 2011).

The shift towards second generation camera phone images sees a movement away from networked towards emplaced visualities (Pink & Hjorth 2012; Hjorth 2013; Hjorth & Arnold 2013). On the one hand, this overlaying of the geographic with the social highlights that place has always mattered to mobile media (Ito 2002; Hjorth 2005). Far from eroding place, mobile media amplify the complexities of place as something lived and imagined, geographic and yet psychological. LBS enable mobile media users to create and convey more complex details about a locality. On the other hand, LBS create new motivations for narrating a sense of place and the role of amateur and vernacular photography.

Shifts in contemporary amateur photography highlight the changes in how place, co-presence and information is navigated, performed and represented. This issues are particularly prevalent in contested location like Palestine. Last century it was the Kodak camera that epitomized amateur photography and played an important role in normalizing notions of the family as well as ritualizing events such as holidays.[15]

As Lisa Gye notes, personal photography is central to the process of identity formation and memorialization.[16] The shift towards camera phones not only changes how we capture, store, and disseminate images but also has ‘important repercussions for how we understand who we are and how we remember the past’.[17]

Moreover, with the rise in possibilities for sharing via social media like microblogs and Twitter, camera phone photography not only magnifies UCC, but also provides filters and lenses to enhance the “professional” and “artistic” dimensions of the photographic experience.[18]

For Daniel Palmer, smartphone photography is distinctive in various ways, with one key feature being the relationship between touch and the image in what he calls an ”embodied visual intimacy” (2012: 88). With the rise of high quality camera phones, along with the growth in distribution services via social and locative media, new forms of visuality are emerging (Pink & Hjorth 2012). The added dimensions of movement and touch becoming important features of the camera phone with the emphasis on networked is shifting to “emplaced” visuality. Images as emplaced in relation to what human geographer Tim Ingold has called a “meshwork” and entanglement of lines (2008). Images themselves are part of such lines as they are inextricable from the camera and person who took them. In this sense camera phone images are not simply about what they represent (although they are also about that) but are additionally about what is behind, above, below, and to either side.

By using different smartphone photo apps, respondents tried to inscribe a sense of place with emotion. This practice is what anthropologist Sarah Pink identifies as the “multisensorality of images.” That is, they are located in “the production and consumption of images as happening in movement, and consider them as components of configurations of place” (Pink 2011: 4). Drawing on Tim Ingold’s conceptualization of place as “entanglement” (Ingold 2008), Pink notes, “Thus, the ‘event’ where photographs are produced and consumed becomes not a meeting point in a network of connections but an intensity of entangled lines in movement… a meshwork of moving things” (Pink 2011: 8).

While the surveillant eye of Big Brother now takes the form of Big Data, the emplaced nature of camera phone images can help to contribute to a changing relationship between performativity, memory and place that is user-orientated. Rather than operating to memorialize place, camera phone practices, especially through LBS networks, are creating playful performances around the movement of co-presence, place and placing (Richardson & Wilken 2012). As noted elsewhere, Pink and Hjorth argue that camera phone practices are highlighting a move away from the network society towards emplaced visualities and socialities (2012). Emplaced visuality means understanding camera phone practices and the socialities that create and emerge through them in ways corresponding with non-representational (Thrift, 2008) or ‘more-than-representational’ approaches in geography which according to Hayden Lorimer encompass:

… how life takes shape and gains expression in shared experiences, everyday routines, fleeting encounters, embodied movements, precognitive triggers, affective intensities, enduring urges, unexceptional interactions and sensuous dispositions (Lorimer, 2005: 84).

Thus we see camera phone photography as a part of the flow of everyday life, an increasingly habitual way of being that is sensed and felt (emotionally and physically). Yet, because camera phone photography involves the production and sharing of images, it also compels us to engage with the relationship between the representational and the non-representational. Emplaced visualities see images as embedded with the movements of everyday life. Tim Cresswell has suggested that we consider ‘three aspects of mobility: the fact of physical movement—getting from one place to another; the representations of movement that give it shared meaning; and, finally, the experienced and embodied practice of movement’ (Cresswell, 2010: 19). These three aspects of mobility are deeply interwoven and entangled. In camera phone photography the experience and representation of camera phone photography is enacted in the ‘flow’ of everyday life at the interface where digital and material realities come together. These emplaced visualities are often abstracted through the mechanics of Big Data mega surveillance. But as The Neighbour before the House demonstrates, the perpetual movement of emplaced visualities is in sharp contrast with the unmoving, omipresent Big Data eye.

This contrast between the moving and unmoving, micro and macro information overlaid onto place can also be reflected as part of the shift from the flâneur to the phoneur. The notion of mobility—as a technology, cultural practice, geography and metaphor—has impacted upon the ways in which twenty-first century cartographies of the urban play out. Through the trope of mobility, and immobility, rather than overcoming all difference and distance, the significance of local is reinforced. While nineteenth-century narrations of the urban were symbolised by the visual economics of the flâneur, the twenty-first century wanderer of the informational city has been rendered what Robert Luke calls the phoneur. [19] The conceptual distance, and yet continuum, between the flâneur and the phoneur is marked by the paradigmatic shift of the urban as once a geospatial image of, and for, the bourgeoisie, as opposed to the phoneur which sees the city transformed into informational circuit in which the person is just a mere node with little agency. Beyond dystopian narrations about the role of technology in maintaining a sense of intimacy, community and place, we can find various ways in which the tenacity of the local retains control. In particular, through the tension between mobile media and Big Data, we can see how the local and the urban can be re-imagined in new ways.

The flâneur (or the wanderer of the modern city), best encapsulated by German philosopher Walter Benjamin’s discussion of Baudelaire’s painting, has been defined as an important symbol of Paris and modernity as it moved into nineteenth century urbanity. Thanks to the restructuring of one third of the small streets into boulevards by Baron Hausmann, Paris of the nineteenth century took a new sense of place and space.

Luke’s phoneur, on the other hand, is the ‘user’ as as part of the informational network flows constituting contemporary urbanity. If the flâneur epitomised modernism and the rise of nineteenth-century urban, then for Luke, the phoneur is the twenty-first-century extension of this tradition as the icon of modernity. As Luke observes, in a networked city one is connected as part of circuit of information in which identity and privacy is at the mercy of system. The picture of the urban city today painted by Luke is one in which the individuals have minimal power in the rise of corporate surveillance.

Neighbour before the House problematises Luke’s dystopian view of the phoneur. The picture painted by Neighbour before the House is much more ambivalent. However it does make the audience reflect upon the changing nature of surveillance in an age of Big Data.[20]

These tensions around the dystopian phoneur and a more embodied and emplaced version can be found running as an undercurrent in the work of Neighbour before the House.

Conclusion

In this chapter we have explored the cross-cultural video collaboration, The Neighbour before the House, to consider the changing relationship between a sense of place, information and the politics of visuality. As we have suggested, with the rise of location-based camera phone practices and Big Data we are seeing new forms of visuality that are best described as emplaced rather than networked. The notion of emplaced reflects some of the tensions around contemporary representations of mobility and movement, particularly prevalent in the often displaced and diasporic experiences of Palestine.

Filmed in Palestine,The Neighbour before the House explores the notion of place as entangled and embedded at the same time as displaced through the rise of ICTs. By providing some of the paradoxes and ambivalences surrounding contemporary media practices and its relationship between information and place, it allows for a space for reflection and contemplation about the surveillence and privacy.

---

[1]. Jean Burgess, Vernacular creativity and new media (Doctoral dissertation), 2007. Retrieved from http://eprints.qut.edu.au/16378/

[2]. Sarah Pink and Larissa Hjorth Emplaced Cartographies: Reconceptualising camera phone practices in an age of locative media’, Media International Australia, 145 (2012): 145-156.

[3]. Doreen Massey

[4]. Shaina Anand interviewed by Nishant Shah, December 2012.

[5]. Raine, L. and B. Wellman 2012, Networked, Cambridge, Mass, MIT Press.

[6]. Ibid.

[7]. Mizuko Ito, ‘Mobiles and the Appropriation of Place’. Receiver 8, 2002, (consulted 5 December 2012) http://academic.evergreen.edu/curricular/evs/readings/itoShort.pdf ; Hjorth, L. (2005) ‘Locating Mobility: Practices of Co-Presence and the Persistence of the Postal Metaphor in SMS/MMS Mobile Phone Customization in Melbourne’, Fibreculture Journal, 6, (consulted 10 December 2006) http://journal.fibreculture.org/issue6/issue6_hjorth.html.

[8]. Rowan Wilken and Gerard Goggin, ‘Mobilizing Place: Conceptual Currents and Controversies’, in R. Wilken and G. Goggin (Eds) Mobile Technology and Place, New York, Routledge, 2012, pp. 3-25 (5).

[9].Ibid 6.

[10]. Doreen Massey,For Space, London, Sage, 2005 (130).

[11]. Sarah Pink, Doing Sensory Ethnography, London, Sage, 2009.

[12]. Anne Beaulieu, ‘From Co-location to Co-presence: Shifts in the Use of Ethnography for the Study of Knowledge’. Social Studies of Science, 40 (3) 2010: June. 453-470.

[13]. Dong-Hoo Lee, ‘Women’s creation of camera phone culture’. Fibreculture Journal 6, 2005, URL (consulted 3 February 2006) http://www.fibreculture.org/journal/issue6/issue6_donghoo_print.html; Larissa Hjorth, ‘Snapshots of almost contact’. Continuum, 21 (2) 2007: 227-238.

[14]. Alison Gazzard, ‘Location, Location, Location: Collecting Space and Place in Mobile Media’. Convergence: The International Journal of Research into New Media Technologies, 17 (4) 2011: 405-417.

[15]. Lisa Gye, ‘Picture this: the impact of mobile camera phones on personal photographic practices,’ Continuum: Journal of Media & Cultural Studies 21(2) 2007: 279–288.

[16]. Ibid 279.

[17]. Ibid 279.

[18]. Søren Mørk Petersen,Common Banality: The Affective Character of Photo Sharing, Everyday Life and Produsage Cultures, PhD Thesis, ITU Copenhagen.

[19]. Robert Luke, ‘The Phoneur: Mobile Commerce and the Digital Pedagogies of the Wireless  Web’, in P. Trifonas (ed.) Communities of Difference: Culture, Language, Technology, pp. 185-204, Palgrave, London, 2006.

[20]. Sites such as www.pleaserobme.com, that seek to raise awareness about over-sharing of personal data, highlight not only the localised nature of privacy but also that privacy is something  we do rather than something we possess.

The expanding scope and extent of massive data collection and surveillance undertaken by bodies like the USA’s National Security Agency compromises our privacy and stifles our freedom of speech and expression in its most vital public spheres, affecting the civil liberties of citizens of countries all across the world.

The previous year has been a watershed year for reclaiming the internet as a free and open space, primarily through the exposure of the unwarranted systems of surveillance that threaten it, by whistle-blowers like Edward Snowden and WikiLeaks. Despite all these efforts, they have only managed a dent in the surveillance regimes, which continue unbridled, with the protection of the state and the surveillance industry. The future of a free internet depends upon the systematic challenge of these programs by the millions of internet users they affect.

February 11, 2014 is the day we fight back against mass surveillance. Organized by the Electronic Frontier Foundation, and supported by thousand of organizations like Mozilla and the Centre for Internet and Society, on this day of action, citizens around the world will demand an end to these programs that threaten the freedom of the internet. You can support this cause by signing and supporting the 13 Principles (International Principles on the Application of Human Rights to Communications Surveillance), and contacting your local media, petitioning your local legislators and telling your friends and colleagues about the topic. Publicizing the movement and creating a buzz around it will help spread the message to many others across the internet. Do anything that will make the fight more visible and viable, such as organizing or attending public lectures, or creating tools or memes or art to spread information. For more ways in which you can contribute, and more information on the event, visit the website.

The users of the internet deserve a free and open internet and deserve and end to mass surveillance. If we can make enough noise, make enough of an impact, we can greatly bolster the movement for reclaiming the internet.

---

Click to download the file (PDF, 2436 Kb). Dr. Nishant Shah's review can be found on page 16.

---

The Age of Amazon’ is not just the title of a book, it is a retrospective on the history of e-commerce as well as a prophecy for the shape of things to come. In his meticulously reported book, Brad Stone takes us through the roller coaster ride of the ‘Everything Store’ that Amazon has become, building a gripping tale of an idea that has become synonymous to the world of online shopping in just over two decades.

The book reads well as a biopic on the visionary lunacy of Jeff Bezos, the founder of Amazon, as well as a gripping tale of how ideas grow and develop in the digital information age. Stone is an expert storyteller, not only because of his eye for the whimsical, the curious and the enchantment of the seemingly banal, but also because of his ability to question his own craft.

At the very outset, Stone warns us that the book has been compiled through workers at employee, but not Bezos himself. This helps Stone separate the maker from the brand — unlike Steve Jobs who became the cult icon for Apple, Bezos himself has never become the poster child of his brand, allowing

Amazon to become not only an everything store but everybody store. But it means that Stone’s task was to weave together the personal biography of Bezos, his dramatic journey through life with the tumultuous and adventurous inception and growth of Amazon, and his skill lies in the meeting of the twines, which he does with style, ease and charm.

One of the easiest accusations to throw at a book like this is to state that it reduces the murky, blurred, messy and incoherent set of events into a narrative that establishes causes and attributes design and intention where none existed. However, Stone was confronted with the idea of ‘Narrative Fallacy’ — a concept coined by Nassim Nicholas Taleb in his Black Swan, referring to the tendency of human beings to reduce complex phenomenon to “soothing but oversimplified stories”. In fact, the challenge to not reduce the book to a series of connected anecdotes was posed by Bezos when Stone pitched the book to him. And what has emerged is a book about accidents, serendipity, risk, redundancy, failure charting the ineffable, inscrutable and inexplicable ways in which digital technologies are shaping the worlds we live in.

With the rigour and journalistic inquiry that Stone has displayed in his regular writings in The Businessweek, The Everything Store has stories which are as memorable as they are unexpected. Stone does a fantastic job of charting Bezos’ life — from tracking down the lost father who had no idea what his son, who he had abandoned at age three, has become, to the chuckleworthy compilation of Bezos’ favourite quotes (Stone calls it his ‘greatest hits’), the book is filled with pointed and poignant observations and stories that give us an idea of the extraordinary life of Jeff Bezos. But unlike the expected character creation of a mad genius, what you get is the image of a man who lived in contradictions: wedded to his internal idea of truth but also ruthless in his business policies which were predatory and competitive to say the least; a businessman who once wrote a memo titled ‘Amazon.love’ about how he wanted a company to be “loved not feared” but also used the metaphor of a “cheetah preying on the gazelles” in its acquisition of smaller businesses; a man who thought of himself as a “missionary rather than a mercenary” and yet built a business empire that embodies some of the most discriminatory, exploitative and stark conditions of adjunct, adhoc, underpaid and contract-based labour of our precariously mobile worlds.

Stone is masterful as he segues from Bezos’ personal life and ambitions into the monomaniacal and turbulent trajectory of Amazon. Amazon is not a simple success story. It tried and failed at many things, but what remains important is how, it failed at the traditional way of doing things and succeeded at the internet way of thinking. So when Amazon failed, it was not a failure to succeed, but a failure that resulted because the infrastructure needed to make it succeed was not yet in place. Stone’s narrative that effortlessly takes us through the economics, trade, policies, regulation, administration and struggles of Amazon, shows how it was a company that had to invent the world it wanted to succeed in, in order to succeed. In many ways, the book becomes not only about Amazon and its ambitions to sell everything from A-Z, but about how it built prototypes for the rest of the world so that it could become relevant and rule.

But the book is not a Martin-Scorsese-type homage to the scoundrel or the villain. While it is imbued up and spit you out. And if you are good, he will jump on your back and ride you into the ground.” Or as Stone himself suggests, that is the way the company is going to grow “until either Jeff Bezos exits the scene or no one is left to stand in his way”. This policy of taking everything from its employees and channelling it to the relentless growth of the company accounts for not only the high attrition rate of top executives but also the growing controversies about work and labour conditions in Amazon warehouses and on-the-ground delivery services.

Stone’s book does not go into great detail about the new work force that companies like Amazon produce — a work force that is reduced to being a cog in a system, performing mechanical tasks, working at minimal wage, and without the protections that are offered to the white collar high-level technology executives that are the popup children of the digital trade. Stone reminds us that behind the incredible platform that Amazon is, is a massive physical infrastructure which almost reminds us of the early industrial days where the labourer was in a state of exploitation and precariousness. And even as we celebrate the rise of these global behemoths, we might forget that behind the seductive interfaces and big data applications, that under the excitement of drone-based delivery systems and artificial intelligence that will start delivering things even before you place the order, is a system that pushes more and more workers in unprotected and exploitative work conditions.

All in all, The Everything Store is a little bit like Amazon itself. It is a love story of a man with his ideas, and how the rest of the world has shifted, tectonically, to accommodate these eruptions. In its historical retrospective, it shows us the full scope of the ideas and possibilities that inform Amazon, and thus the future that it is going to build for us. And with masterful craftsmanship, Brad Stone writes that it is as much about the one man and his company, as it is about the physical and affective infrastructure of our rapidly transforming digital worlds.

In the absence of any law for the protection of whistle-blowers in the country, exposing the rampant corruption in our public institutions has become a hazardous occupation, with reports of threat and intimidation and even incidents of murder of whistle-blowers commonplace.[1] With the Whistle blower’s Protection Bill in abeyance and without any strict laws protecting the identities of the whistle-blowers who challenge such a corrupt system, even the mechanisms like the Right to Information Act which are meant to safeguard against systemic abuse and ensure transparency are being severely undermined.

For this reason, the Calcutta High Court’s affirmation of whistle-blowers’ privacy and identity protection is an important development. Through its order on the 20th of November, 2013, the Calcutta High Court held that for the purposes of section 6(2), which requires an application to the Public Information Officer to provide contact details of the applicant, it is sufficient in such application to disclose only the post-box number of the applicant. The court directed the Government to accept RTI applications without personal details or detailed whereabouts, when a post-box number or sufficient detail has been provided to establish contact between the whistle-blower and the authority. However if a public authority has any difficulty contacting the applicant through the Post Box No. the applicant may be asked to provide other contact details. The court further directed that personal details of applicants are not to be posted on the authorities’ websites.

The order, which was notified by the Government last week, ensures to some extent the protection of a whistle-blowers identity, and reduces the chances of the RTI being undermined by threats or acts of violence by those who are a part of the corrupt system, against persons exercising their right to information. However, its implementation is liable to be contingent on the authorities’ interpretation of when it would be “difficult” to establish contact between the authority and the applicant. Certain practical difficulties could also undermine the actual impact of the order, such as the fact that many applications are sent through registered or speed post, which cannot be mailed to a post-box number, especially since ordinary post cannot be tracked online like speed or registered post.[2]

Developing a system in which ordinary citizens do not have to fear retaliation for exposing corruption requires a comprehensive legislation protecting whistle-blowers identities and ensuring data security. However, the important message this judgement sends out is that the judiciary is still committed to protecting whistle-blowers, in lieu of the government’s actions. This is a particularly important stance taken by the Court, considering the Supreme Court in the past has refused to frame guidelines for whistle-blower protection, citing the imperative in enacting a whistle-blower legislation to be the Parliament’s.[3]

A full text of the judgement is available here.

---

[1].Whistleblower shot dead in Bihar, THE HINDU, available at http://www.thehindu.com/news/national/whistleblower-shot-dead-in-bihar/article4542293.ece; Tamil Nadu Whistleblower alleges death threats; Silence from Government, NDTV, available at http://www.ndtv.com/article/india/tamil-nadu-whistleblower-alleges-death-threats-silence-from-govt-410450.

[2]. Indian Postal Tracking Portal, http://www.indiapost.gov.in/tracking.aspx.

[3]. Supreme Court refuses to frame guidelines for protection of whistleblowers, Daily News and Analysis, available at http://www.dnaindia.com/india/report-supreme-court-refuses-to-frame-guideline-for-protection-of-whistleblowers-1525622.

---

Read the Fifty-Second Report on Cyber Crime, Cyber Security and Right to Privacy released by the Department of Electronics and Information Technology

---

The Report consists of questions on the state of cyber security, cyber crime, and privacy posed by the Standing Committee and briefings and evidence provided by the Department of Electronics and Information Technology (DEITY ) in reply. The Report concludes with recommendations from the Standing Committee on the way forward.

The Report represents an important step forward in the realm of privacy and cyber security in India as the evidence provided by DEITY  clarifies a number of aspects of India’s present and upcoming cyber security policies and practices. Furthermore, the recommendations by the Standing Committee highlight present gaps and inadequacies in India’s policies and practices and needed steps forward– particularly the need for a privacy legislation in India in the context of cyber security, increased transactions of sensitive data, and governmental projects like the Unique Identification Project.

Broadly, the Standing Committee sought input from DEITY  on eight different aspects of cyber crime, cyber security, and privacy in India - namely:  the growing incidents of cyber crime and resulting financial loss, the challenges and constraints of cyber crime,  the role of relevant governmental organizations in India with respect to cyber security, preparedness and policy initiatives, cyber security and the right to privacy, monitoring and grievance redressal mechanism, and education and awareness initiatives. The evidence provided by DEITY  sheds light on the present mindset of the Government at this time, upcoming policies, and capacity and infrastructure gaps in India’s cyber security framework.

The Centre for Internet and Society appreciates the Report and we would like to highlight and emphasize the following aspects:

Need for a privacy legislation and inadequacy of privacy provisions in Information Technology Act: When asked by the Standing Committee about the right to privacy and cyber security, DEITY  highlighted the fact that the Information Technology Act contains sufficient safeguards for privacy, and added that the Department of Personnel and Training (DoPT) is in the process of developing a privacy legislation that will address the general concerns of privacy in the country, and thus the two together will be sufficient. DEITY  also noted that no study on the extent of privacy breach due to cyber crime in India has been conducted. In their recommendations, the Standing Committee noted that it was unhappy that the Government has yet to institute a legal framework on privacy, as the increased transfer of sensitive data and projects like the UID leave citizens vulnerable to privacy violations . Significantly, the Standing Committee recommended that though the DoPT is currently responsible for drafting the Privacy Bill, DEITY  should coordinate with the DoPT and become involved in the process.

As recognized by the Standing Committee, the Centre for Internet and Society would like to  further emphasize the inadequacy of the provisions relating to privacy in the Information Technology Act, and the need for a privacy legislation in India.  Inadequate aspects of the provisions have been pointed out by a number of sources. For example:

1. The Report of the Group of Experts on Privacy: Prepared by the committee chaired by Justice AP Shah
2. First Analysis of the Personal Data Protection Law in India: Prepared by the University of Namur for the Commission of the European Communities Directorate General for Justice, Freedom, and Security
3. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Prepared by the Centre for Internet and Society and submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha
4. India’s U-Turns on Data Privacy: Prepared by Graham Greenleaf for the Privacy Laws & Business International Report, Issues 110 -114, 2011

Unclear Enforcement of 43A and associated rules: In evidence provided, DEITY, while discussing section 43A and the associated Rules, noted that the Data Security Council of India and empanelled security auditors through CERT-in are responsible for the ‘auditing of best practice’s (pg 24).  The Standing Committee did not directly respond to this comment.

The Centre for Internet and Society would like to point out that DEITY did not clearly state that DSCI and the auditors through CERT-in were responsible for auditing organizational security practices for compliance with 43A. Furthermore, there is no publicly available information regarding audits ensuring compliance with 43A or information about the number of companies  that have been found to be compliant.  The Centre for Internet and Society would like to encourage that this information be made public, and compliance with 43A be enforced at the organizational level.

UIDAI not in compliance with 43A and associated Rules:  In evidence provided, DEITY  noted that “..Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...” (pg.46) In their recommendations the Standing Committee did not directly address this comment, but did emphasize the need for a privacy legislation in light of the UID scheme.

The Centre for Internet and Society appreciates that the Standing Committee raised concern about the privacy implications of the UID project. We would like to highlight that the UIDAI is not a Body Corporate, and is not in compliance with 43A or the subsequent Rules in the Information Technology Act. Furthermore, the UID project involves the handling and processing of data in analogue and digital formats, and thus the privacy protections found under 43A are not sufficient.

The potential harms of metadata: In evidence provided, the Department noted  “...we have been assured that whatever data has been gathered by them for surveillance relates only to the metadata..but we expressed that any incursion into the content will not be tolerated and is not tolerable from the Indian stand and point of view.” (pg.47) The Standing Committee did not respond directly to this comment.

The Centre for Internet and Society would like to thank the Standing Committee for noting that the Government should have taken prior steps to preventing such an interception from taking place and for recommending the Department to take develop a policy to prevent future instances of interception from taking place. The Centre for Internet and Society would like to emphasize the importance and potential sensitive nature of metadata. Metadata can, and often does, disclose more about an individual or an activity than the actual content. For example, metadata can reveal identity, behaviour patterns, associations, and can enable the mapping of location and individual movement. As such, the Centre for Internet and Society would recommend that the Government of India treat access to all information generated by individual and governmental communications as sensitive and confidential.

Inadequacy of the Information Technology Act: When asked by the Standing Committee if the Information Technology Act provided sufficient legal safeguards for cyber security and cyber crime, DEITY  highlighted the fact that the Information Technology Act 2000 addresses all aspects of cyber crime in a comprehensive manner.  DEITY  also pointed out that the National Cyber Security Policy 2013 has provisions to enable the development of a legal framework, and the Department of Personnel and Training  is in the process of drafting a privacy legislation for India that will fill any gaps that exist. In their recommendations, the Standing Committee recognized that the Information Technology Act does contain provisions that address cyber security and cyber crime, but, especially in the recent controversy over section 66A of the Act, Standing Committee emphasized the need for periodical reviews of the IT Act.

The Centre for Internet and Society appreciates the fact that the Committee recognized the need for periodical review of the Information Technology Act, particularly in light of the controversy over 66 A. The Centre for Internet and Society would like to underscore the problems associated with 66A and would like to highlight that with regards to privacy and cyber security, the IT Act is not adequate and falls short in a number of areas. Research that the Centre for Internet and Society has conducted explaining these weaknesses can be found through the below links:

1. Breaking Down Section 66A of the IT Act
2. Short note on IT Amendment Act, 2008

Implications of domestic servers:  In response to questions posed by the Standing Committee about security risks associated with the importation of electronics and IT products, as well as the hosting of servers outside the country, DEITY  noted the security risk of using foreign infrastructure and pointed to the hosting of servers in India as a solution to protecting the security and privacy of Indian data. The Standing Committee supported this initiative, and encouraged DEITY  to take further steps towards securing and protecting the privacy of Indian data through the hosting of servers for critical sectors within India.

The Centre for Internet and Society appreciates the fact that the Standing Committee carefully limited the recommendation of locating servers in India to those in critical sectors, but would caution the Government of potential implications on users ability to freely access content and services, and highlight the fact that localization of servers is not a security solution in itself as a comprehensive solution and hardening of critical assets against cyber attacks is essential.

Incorporation of safeguards into MOU’s for international cooperation: When asked about MOU’s for international cooperation that DEITY  has engaged in with other countries, DEITY  reported that currently CERT-in is entering into a number of MOU’s with other countries to facilitate cooperation for cyber security purposes. Presently there are MOUs with the US, Japan, South Korea, Mauritius, Kasakhstan, Finland, and the Canada Electronics and ICT sector. DEITY  is also seeking MOUs with Malaysia, Israel, Egypt, Canada, and Brazil. The Standing Committee supported  India entering into MOU’s for purposes of international cooperation, and encouraged DEITY  to continue entering into MOU’s to mitigate jurisdictional complications when seeking to address issues related to cyber security.

The Centre for Internet and Society recognizes the importance of international cooperation when handling issues related to cyber security and cyber crime. To ensure that this process is in line with human rights, the Centre for Internet and Society would encourage DEITY  to ensure that all MOU’s and/or  Mutual Legal Assistance Agreements:

• Uphold the principle of dual criminality
• Apply the highest level of protection for individuals in the case where the laws of more than one state could apply to communications surveillance
• Are not used by any party involved to circumvent domestic legal restrictions on communications surveillance.
• Are clearly documented and publicly available
• Contain provisions guaranteeing  procedural fairness.[1]

Hactivism as a benefit to society: In evidence provided on page 14, DEITY, among other elements, referred to Hactivism as a societal challenge to securing cyber security and tackling cyber crime. The Standing Committee did not directly address this comment.

The Centre for Internet and Society would like to point out that hacktivism is a complex topic and consists of methods. Though some methods used by hacktivists are illegal, and some use hacktivism for censorship purposes and to target certain groups, other forms of hacktivism  can benefit society and strengthen cyber security by  finding and revealing vulnerabilities in a system, and bringing attention to illegal or violative practices.

This works towards ensuring that a system is adequately secure. Because of the dynamic nature of hacktivism, the Centre for Internet and Society believes that hacktivism needs to be evaluated on a case by case basis and the Government should not broadly label hacktivism as a challenge to cyber security and cyber crime.[2]

Importance of the anonymous speech: In evidence provided, DEITY noted the threat to cyber security that the anonymous nature of the internet posed. This was reiterated by the Standing Committee in their recommendations.

While recognizing the potential threat to cyber security that the anonymous nature of the internet can pose, the Centre for Internet and Society would like to highlight the importance of anonymous speech online to an individual’s right to free expression.

Conclusion

Recognizing the direct connection between a strong privacy framework and a strong cyber security framework, as security cannot be achieved without privacy, and recognizing the need for a privacy legislation in light of governmental projects like the UID,  the Centre for Internet and Society welcomes the Fifty Second Report on Cyber Crime, Cyber Security, and the Right to Privacy and echoes the Standing Committees recommendation and emphasis on the need for a comprehensive privacy legislation to be passed in India.

---

[1]. These safeguards are reflected in the principle of “safeguards for International Cooperation” found in the International Principles on the Application of Human Rights to Communications Surveillance”  https://en.necessaryandproportionate.org/text

[2]. For more information about hacktivism see: Activism, Hacktivism, and Cyberterrorism. The Internet as a Tool for Influencing Foreign Policy. By Dorothy E. Denning. Georgetown University. Available at: http://www.iwar.org.uk/cyberterror/resources/denning.htm

In early 2013 the Centre for Internet and Society drafted the Privacy (Protection) Bill 2013 as a citizen’s version of privacy legislation for India. The Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.

The Centre for Internet and Society has been collecting comments to the Privacy Protection Bill since April 2013 with the intention of submitting the Bill to the Department of Personnel and Training as a citizen’s version of a privacy legislation for India.  If you would like to submit comments on the Privacy Protection Bill to be included as part of the Centre for Internet and Society’s submission to the Department of Personnel and Training, please email comments to [email protected].

---

Download the latest version of the Privacy Protection Bill (February 2014)

In continuance of research around the Draft Human DNA Profiling Bill that has been drafted the Department of Biotechnology, this blog entry reviews best practices for the communication of DNA profiles from the DNA Bank Manager to law enforcement and the police, compares the section 35(1) of the Draft Human DNA Profiling Bill and section 4 of the Identification Act Revised Statute of Canada, and recommends a revision of the present provision in the Draft Human DNA Profiling Bill.

Indian Provision

35 (1) “On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank in order to determine whether it is already contained in the DNA Data Bank and shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely –

(a) As to whether the DNA profile received is already contained in the Data Bank; and

(b) Any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received.

(2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.”

Canadian Provision vs. Indian Provision

According to the Draft Human DNA Profiling Bill 35(1) was adopted from the DNA Identification Act Revised Statute of Canada section 4. The provision found in the Draft Human DNA Profiling Bill is different in three ways:

1. The Canadian statute limits the communication of whether a DNA profile is contained in the Data Bank or not to law enforcement agencies or other DNA laboratories, where as the provision in the Draft Human DNA Profiling Bill allows the communication to law enforcement agencies, other DNA data banks, and courts and tribunals.
2. The Canadian statute limits the comparison of any DNA profile to that as entered in the convicted offenders index or the crime scene index with those DNA profiles that are already contained in the databank, where as the Draft Human DNA Profiling Bill allows for any received profile to be compared with the other profiles in the DNA Data Bank.
3. The Canadian statute defines four types of information that may be communicated to law enforcement or another DNA databank including:

1. (a) if the DNA profile is not already contained in the data bank, the fact that it is not;
2. (b) if the DNA profile is already contained in the data bank, the information contained in the data bank in relation to that DNA profile;
3. (c) if the DNA profile is, in the opinion of the Commissioner, similar to one that is already contained in the data bank, the similar DNA profile; and
4. (d) if a law enforcement agency or laboratory advises the Commissioner that their comparison of a DNA profile communicated under paragraph (c) with one that is connected to the commission of a criminal offence has not excluded the former as a possible match, the information contained in the data bank in relation to that profile.

While the Draft Human DNA Profiling Bill provides for communication of only (a) and (b) by the DNA Data Bank Manager.

Concerns with 35(1) and Best Practices

The Centre for Internet and Society finds 35(1) problematic because a  DNA profile is never a complete match, and is instead a scientific and statistical based probability. There are a number of steps that go into the analysis of a DNA profile. According to the US National Institute of Justice, these include: “1) the isolation of the DNA from an evidence sample containing DNA of unknown origin, and generally at a later time, the isolation of DNA from a sample (e.g., blood) from a known individual; 2) the processing of the DNA so that test results may be obtained; 3) the determination of the DNA test results (or types), from specific regions of the DNA; and 4) the comparison and interpretation of the test results from the unknown and known samples to determine whether the known individual is not the source of the DNA or is included as a possible source of the DNA.”

Though it is common for DNA Banks to communicate responses such as “match”,  “no match”, or “partial match” or “inclusion”, “exclusion”, or “inconclusive” to inquiries received from law enforcement and other DNA Banks, this is not the case for communications to courts and tribunals. For example in England and Wales guidelines for presenting DNA evidence in court were laid out in the rule Rv. Dohemy and Adams (1997) 1 Cr. App. R. 396. Along with comprehensive guidelines on how experts should conduct themselves in court to prevent bias, the guidelines require the following information to be presented when DNA material is used as evidence in a case:

• “The scientist should adduce the evidence of the DNA comparisons between the crime stain and the defendant’s sample together with the calculations of the Random Match Probability.
• Whenever DNA evidence is adduced the Crown should serve on the defence details as to how the calculations have been carried out which are sufficient to enable the defence to scrutinize the basis of the calculations.
• The Forensic Science Service should make available to a defence expert, if requested, the databases upon which the calculations have been made.
• The expert will, on the basis of empirical statistical data, five the jury the random occurrence rations - the frequency with which the matching DNA characteristics are likely to be found in the population at large.
• Provided that the expert has the necessary data, it may then be appropriate for him to indicate how many people with the matching characteristics are likely to be found in the United Kingdom...”

Recommendations

Given the influential weight that DNA evidence can have in a case, it is critical that the evidence is accurately presented to the court and other key stakeholders. The  Centre for Internet and Society recommends that the Bill should distinguish the DNA Bank Manager’s response to law enforcement and other DNA Laboratory’s and the DNA Bank Manger’s response to courts and tribunals as below:

• Response to Law enforcement agency and DNA Laboratory: The DNA Bank Manger should respond to a request from law enforcement or a DNA laboratory with either: "match" or "partial match" .
• Response to Court and tribunal: When DNA evidence is used in a court of law, the Bill should provide that the presentation should include:

1. The random match probability: The probability that the profile is in the sample from the individual tested if the individual tested has been selected at random.
2. The frequency with which the matching DNA characteristics are likely to be found in the population at large.
3. The probability of contamination.

The Bill should also provide for the database upon which the calculations were based to be made available when requested.  In addition, the Bill should provide for rules to be made prescribing the procedure for presentation.

---

[]. http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx

[2]. http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf

This article by Maria Xynou was published by OpenDemocracy on 10 February 2014.

Worried about the secret, mass surveillance schemes being carried out by the NSA? While we should be, some of the surveillance schemes in the world's largest democracy, India, are arguably in the same league.

Surveillance is being globalised to the extent that even India, a country with huge poverty issues, is investing millions of dollars in creating an expansive surveillance regime. However, why would communications monitoring interest Indian authorities, when the majority of the population lives below the line of poverty and only 17% of the population has access to the Internet?

The official political motivation behind surveillance in India appears to be the government's determination to tackle terrorism in the country. The 2008 Mumbai terrorist attacks were arguably a similar landmark to the 9/11 terrorist attacks in the US, and both governments officially announced their intention to carry out surveillance as a counter-terrorism measure. However, unlike in the west, terrorist attacks in India are much more common, and the National Security Adviser reported in 2008 that 800 terrorist cells were operational in the country. With India’s history of major terror attacks in India over the last 25 years, it's easy for one to be persuaded that terrorism is actually a major threat to national security.

India's surveillance schemes

India’s surveillance programs mostly started following the 2008 Mumbai terror attacks. That was when the Ministry of Home Affairs first proposed the creation of a National Intelligence Grid (NATGRID), which will give 11 intelligence and investigative agencies real-time access to 21 citizen data sources to track terror activities. These citizen data sources will be provided by various ministries and departments, otherwise called “provider agencies”, and will include bank account details, telephone records, passport data and vehicle registration details, among other types of data.

The Ministry of Home Affairs has sought over Rs. 3,400 crore (around USD 540 million!) for the implementation of NATGRID, which aims to create comprehensive patterns of intelligence by collecting sensitive information from databases of departments like the police, banks, tax and telecoms to supposedly track any terror suspect and incident.

But NATGRID is far from India's only data sharing scheme. In 2009 the Cabinet Committee on Economic Affairs approved the creation and implementation of the Crime and Criminal Tracking Network & Systems (CCTNS), which would facilitate the sharing of databases among 14,000 police stations across all 35 states and Union Territories of India, excluding 6,000 police offices which are high in the police hierarchy. Rs. 2,000 crore (around USD 320 million) have been allocated for the CCTNS, which is being implemented by the National Crime Records Bureau under the national e-governance scheme. The CCTNS not only increases transparency by automating the function of police stations, but also provides the civil police with tools, technology and information to facilitate the investigation of crime and detection of criminals.

But apparently, sharing data and linking databases is not enough to track criminals and terrorists. As such, in the aftermath of the 2008 Mumbai terror attacks, the Indian government also implemented various interception systems. In September 2013 it was reported that the Indian government has been operating Lawful Intercept & Monitoring (LIM) systems, widely in secret. In particular, mobile operators in India have deployed their own LIM systems allowing for the so-called “lawful interception” of calls by the government. And possibly to enable this, mobile operators are required to provide subscriber verification to the Telecom Enforcement, Resource and Monitoring (TERM) cells of the Department of Telecommunications.

In the case of Internet traffic, the LIM systems are deployed at the international gateways of large Internet Service Providers (ISPs) and expand to a broad search across all Internet traffic using “keywords” and “key-phrases”. In other words, security agencies using LIM systems are capable of launching a search for suspicious words, resulting in the indiscriminate monitoring of all Internet traffic, possibly without court oversight and without the knowledge of ISPs.

India has also automated and centralized the interception of communications through the Central Monitoring System (CMS). This project was initially envisioned in 2009, following the 2008 Mumbai terror attacks and was approved in 2011. The CMS intercepts all telecommunications in India and centrally stores the data in national and regional databases. The CMS will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Intelligence Bureau (IB), the Central Bureau of Investigation (CBI), the Directorate of Revenue Intelligence (DRI), the Research and Analysis Wing (RAW) and the National Investigation Agency (NIA).

Unlike mainstream interception, where service providers are required to intercept communications and provision interception requests to law enforcement agencies, the Central Monitoring System will automate the entire process of interception. This means that the CMS authority will have centralized access to all intercepted data and that the authority can also bypass service providers in gaining such access. Once security agencies have access to this data, they are equipped with Direct Electronic Provisioning, filters and alerts on the target numbers, as well as with Call Details Records (CDR) analysis and data mining tools to identify the personal information of target numbers.

Given that roughly 73% of India's population uses mobile phones, this means that the Central Monitoring System can potentially affect about 893 million people, more than double the population of the United States! However, how is it even possible for Indian authorities to mine the data of literally millions of people? Who supplies Indian authorities with the technology to do this and what type of technology is actually being used?

India's surveillance industry

India has the world's second largest population, consisting of more than a billion people and an expanding middle class. Undoubtedly, India is a big market and many international companies aspire in investing in the country. Unfortunately though, along with everything else being imported into India, surveillance technologies are no exception.

Some of the biggest and most notorious surveillance technology companies in the world, such as ZTE, Utimaco and Verint, have offices in India. Even FinFisher command and control servers have been found in India. However, in addition to allowing foreign surveillance technology companies to create offices and to sell their products and solutions in the country, local companies selling controversial spyware appear to be on the rise too.

Kommlabs Dezign is an Indian company which loves to show off its Internet monitoring solutions at various ISS trade shows, otherwise known as “the Wiretapper's Ball”. In particular, Kommlabs Dezign sells VerbaNET, an Internet Interception Solution, as well as VerbaCENTRE, which is a Unified Monitoring Centre that can even detect cognitive and emotional stress in voice calls and flag them! In other words, Kommlabs Dezign makes a point that not only should we worry about what we text and say over our phones, but that we should also worry about what we sound like when on the phone.

Vehere is another Indian company which sells various surveillance solutions and notably sells vCRIMES, which is a Call Details Records (CDR) analysis system. VCRIMES is used to analyse and gather intelligence and to unveil hidden interconnections and relations through communications. This system also includes a tool for detecting sleeper cells through advanced statistical analysis and can analyse more than 40 billion records in less than 3 seconds.

Paladion Networks is headquartered in Bangalore, India and sells various Internet Monitoring Systems, Telecom Operator Interception Systems, SSL Interception and Decryption Systems and Cyber Cafe Monitoring Systems to law enforcement agencies in India and abroad. In fact, Paladion Networks even states in its website that its customers include India's Ministry of Information Technology and the U.S Department of Justice.

ClearTrail Technologies is yet another Indian company which not only sponsors global surveillance trade shows but also sells a wide range of monitoring solutions to law enforcement agencies in India and abroad. ComTrail is a solution for the centralised mass interception and monitoring of voice and data networks, including Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls. Furthermore, ComTrail is equipped to handle millions of communications per day, correlating identities across multiple networks, and can instantly analyse data across thousands of terabytes.

ClearTrail also sells xTrail, which is a solution for the targeted interception, decoding and analysis of data traffic over IP networks and which enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. Interestingly, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID.

Apparently, some the biggest challenges that law enforcement agencies face when monitoring communications include cases when targets operate from public Internet networks and/or use encryption. However, it turns out that ClearTrail's QuickTrail solution is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. This device can remotely deploy spyware into a target's computer and supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS.

Additionally, QuickTrail can identify a target machine on the basis of metadata, such as an IP address, and can monitor Ethernet LANs in real time, as well as monitor Gmail, Yahoo and all other HTTPS-based communications. ClearTrail's mTrail is designed for the passive 'off-the-air' interception of GSM communications, including the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information. MTrail also identifies a target's location by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation of so-called “lawfully intercepted” calls in near real-time.

In short, it looks like India is reaching the top league when it comes to surveillance technologies, especially since many of its companies and their products appear to be just as scary as some of the most sophisticated spying gear sold by the West. India may be the world's largest (by population) democracy, but that means that it has a huge population with way too many opinions...and apparently, the private and public sectors in India appear to be joining forces to do something about it.

So do Indians have nothing to hide?

A very popular rhetoric in both India and the west is that citizens should not be concerned about surveillance because, after all, if they are not terrorists, they should have nothing to hide. However, privacy advocate Caspar Bowden has rightfully stated that this rhetoric is fundamentally flawed and that we should all indeed “have something to hide”. But is privacy just about “having something to hide”? Jacob Appelbaum has stated that this rhetoric is merely a psychological copying mechanism when dealing with security.

It's probably rather comforting and reassuring to think that we are not special or important enough for surveillance to affect us personally. But is that really up to us to decide? Unfortunately not. The very point of data mining is to match patterns, create profiles of individuals and to unveil hidden interconnections and relations. A data analyst can uncover more information about us than what we are even aware of and it is they who decide if our data is “incriminating” or not. Or even worse: in many cases it's up to data mining software to decide how “special” or “important” we are. And unfortunately, technology is not infallible.

The world's largest democracy, which is also one of the most corrupt countries in the world, is implementing many controversial surveillance schemes which lack transparency, accountability and adequate legal backing, and which are largely being carried out in secret. And to make matters worse, India lacks privacy legislation. Over a billion people in a democratic regime are exposed to inadequately regulated surveillance schemes, while a local surveillance industry is thriving without any checks or balances whatsoever. What will this mean for the global future of democracy?

In the 52^nd Report on Cyber Crime, Cyber Security, and the Right to Privacy – in evidence provided, the Department of Electronics and Information Technology stated “...Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...” (pg.46) [1]

This blog post explains the requirements found under Section 43A of the Information Technology Act 2000 and the subsequent Information Technology “ Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011[2] and analyses publicly available documents from the UIDAI website[3] as well as the UIDAI enrolment form[4] to demonstrate the ways in which:

• UIDAI practices are in line with section 43A and the Rules,
• UIDAI practices are not in line with section 43A and the Rules,
• UIDAI practices are partially in with section 43A and the Rules
• Where more information is needed to draw a conclusion.

Applicability and Scope

Section 43A of the Information Technology Act 2008 and subsequent Rules apply only to Body Corporate and to digital information.

Body Corporate under the Information Technology Act 2008 is defined as:

“Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”

UIDAI Practices - not in line: The UIDAI is not a body corporate. The UIDAI is an attached office under the aegis of the Planning Commission that was set up by an executive order.[5]

The UIDAI collects, processes, stores, and shares both digital and non-digital information. As section 43A and subsequent Rules apply only to digital information, there is not sufficient protection provided over all the information collected, processed, stored, and used by the UIDAI.

Privacy Policy on Website

Rule 4 requires body corporate to provide a privacy policy on their website. The privacy policy must include:

• Clear and easily accessible statements of its practices and policies
• Type of personal or sensitive personal data or information collected
• Purpose of collection and usage of such information
• Disclosure of information including sensitive personal information
• Reasonable security practices and procedures as provided under rule 8

UIDAI Practices - Partially in Line

• Though the UIDAI has placed a privacy policy[6] on their website, the privacy policy only addresses the use of website and does not comprehensively provide clear and accessible statements about all of the UIDAI’s practices and policies.
• The UIDAI privacy policy does not state the specific types of personal or sensitive data that could be collected, but instead states “As a general rule, this website does not collect Personal Information about you when you visit the site. You can generally visit the site without revealing Personal Information, unless you choose to provide such information.”
  
  Features on the UIDAI website that require individuals to provide personal information and sensitive personal information include: Booking an appointment, checking aadhaar status, enrolling for e-aadhaar, enrolling for aadhaar, updating aadhaar data. Types of information required for these services include: mobile number, name, address, gender, date of birth, and enrolment ID.[7]
  
  The privacy policy goes on to state:  “If you are asked for any other Personal Information you will be informed how it will be used if you choose to give it. If at any time you believe the principles referred to in this privacy statement have not been followed, or have any other comments on these principles, please notify the webmaster through the Contact Us page. Note: The use of the term "Personal Information" in this privacy statement refers to any information from which your identity is apparent or can be reasonably ascertained.”
• The UIDAI privacy policy does explain the purpose for collection of information on the website and the use of collected information.
• The UIDAI privacy policy does not address the possibility of disclosure of information collected by the UIDAI from the use of its website, except in the case of when an individual provides his/her email at which point the privacy policy states “Your e-mail address will not be used for any other purpose, and will not be disclosed without your consent.”
• The UIDAI privacy policy does not provide information about the security practices adopted by the UIDAI.

Consent

Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.

UIDAI Practices - in Line
The UIDAI collects written consent from individuals through the enrolment form  for the issuance of an Aadhaar number.

Collection Limitation

Rule 5 (2) requires that body corporate only collect sensitive personal data if it is connected to a lawful purpose and if it is considered necessary for that purpose.

UIDAI Practices - in Line
The Aadhaar enrolment form requires only the necessary sensitive personal data for the issuance of an Aadhaar number. Individuals are given the option to provide banking and financial information.

Notice During Direct Collection

Rule 5(3) requires that while collecting information directly from an individual the body corporate must provide the following information:

• The fact that the information is being collected
• The purpose for which the information is being collected
• The intended recipients of the information
• The name and address of the agency that is collecting the information
• The name and address of the agency that will retain the information

UIDAI Practices - Partially in Line
The Aadhaar enrolment form does not provide the following information:

• The intended recipients of the information
• The name and address of the agency collecting the information
• The name and address of the agency that will retain the information

Retention Limitation

Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.

UIDAI Practices - Unclear
It is unclear from publicly available information what the UIDAI retention practices are.

Use Limitation

Rule 5(5) requires that information must be used for the purpose that it was collected for.

UIDAI Practices - Unclear
It is unclear from publicly available information if the UIDAI is using collected information only for the purpose for which it was collected for.

Right to Access and Correct

Rule 5(6) requires body corporate to provide individuals with the ability to review the information they have provided and access and correct  personal or sensitive personal information.

UIDAI Practices - Partially in Line
Though the UIDAI provides individuals with the ability to access and correct personal information, as stated on the enrolment form, correction is free only if changed within 96 hours of enrolment. Additionally, as stated on the enrolment form, if an individual chooses to allow for the UIDAI to facilitate the opening of a bank account and link present bank accounts to the UID number, this information, after being provided, cannot be corrected. The UIDAI website has a portal for updating information, but only name, address, gender, data of birth, and mobile number can be updated through this method. [9]

Right to ‘Opt Out’ and Withdraw Consent

Rule 5(7) requires that body corporate must provide individuals with the option of 'opting out' of providing data or information sought. Individuals also have the right to withdraw consent at any point of time.  Body corporate has the right to withdraw services if consent is withdrawn.

UIDAI Practices - Partially in Line
The UID enrolment form provides individuals with one ‘optional’ field  - the option of having the UIDAI open a bank account and link it to the individuals UID number or having the UIDAI link present bank accounts to individuals UID number. No other option to ‘opt out’ or withdraw consent is present on the enrolment form or the UIDAI privacy policy, terms of use, or website.

Security of Information

Rule 8 requires that body corporate must secure information in accordance with the ISO  27001 standard. These practices must be audited on an annual basis or when the body corporate undertakes a significant up gradation of its process and computer resource.

UIDAI Practices - Unclear
The security practices adopted by the UIDAI are not mentioned in the website privacy policy, on the website, or on the enrolment form, thus it is unclear from publicly available information if the UID is compliant with ISO 27001 standards. Though the UIDAI has been functioning since 2010, and it is unclear from publicly available information if annual audits of the UIDAI security practices have been undertaken.

Disclosure with Consent

Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, including cyber incidents and prosecution and punishment of offenses, on receipt of a written request.

UIDAI Practices - Partially in Line
In the enrolment form, consent for disclosure is stated as ‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” This is a blanket statement and allows for all future possibilities of sharing and disclosure of information provided with any organization that the UIDAI deems as ‘engaged in the delivery of welfare services’.

The UIDAI privacy policy only addresses the disclosure of an individual’s email address with consent. Though not directly addressing disclosure, the UIDAI privacy policy also states “ We will not identify users or their browsing activities, except when a law enforcement agency may exercise a warrant to inspect the service provider's logs.”

Prohibition on Publishing and Further Disclosure

Rule 6(3) and 6(4) prohibit the body corporate from publishing sensitive personal  data or information. Similarly, organizations receiving sensitive personal data are not allowed to disclose it further.

UIDAI Practices - in Line
The UDAI does not publish sensitive personal data. It is unclear what practices and standards registrars and enrolment agencies are functioning under.

Requirements for Transfer of Sensitive Personal Data

Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection.

UIDAI Practices - Unclear
It is unclear from publicly available information if information collected by the UIDAI is transferred outside of India.

Establishment of Grievance Officer

Rule 5(9) requires that body corporate must establish a grievance officer and the details must be posted on the body corporates website and grievances must be addressed within a month of receipt.

UIDAI Practices - in Line
The website of the UIDAI provides details of a grievance officer that individuals can contact.[10] It is unclear from publicly available information if grievances are addressed within a month.

---

[1]. http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf

[2]. http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf

[3]. http://uidai.gov.in/

[4]. http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf

[5]. http://uidai.gov.in/organization-details.html

[6]. http://uidai.gov.in/privacy-policy.html

[7]. http://resident.uidai.net.in/home

[8]. http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf

[9]. https://ssup.uidai.gov.in/web/guest/ssup-home

[10]. http://uidai.gov.in/contactus.html

---

The article was published in the Indian Express on February 18, 2014

---

The age of volunteerism is officially over. The last decade of the mass adoption of the internet has been fuelled by endless human hours being spent in producing information which is the new currency of our times. The big transition to Web 2.0 began when the individual “user” became more than either an individual or the user. The individual found herself as a part of a collective, finding a voice and a community of others to belong to. Simultaneously, instead of being a passive consumer of the web, the user started producing data — blogs, videos, tweets, content management systems, online discussion boards, massively multiple online role-playing platforms, social network transactions — all of which became a part of the new Web’s widespread popularity.

Almost everything that we understand as the social web today is contingent upon people producing data in their interactions with the world around them. From knowledge producing websites like Wikipedia to entertainment platforms like YouTube, visualisation and data gathering spaces like Pinterest to photographs of self, food and cute animals on Instagram, political and social commentaries on Tumblr to Listicles and memes on Buzzfeed, the internet is a veritable smorgasbord of new information forms, formats and functions that are generated by the users.

What is possibly the most exciting about this burgeoning information universe has been the amount of free labour that goes into it, and often remains invisible. As digital labour scholar Trebor Schulz points out, the internet has become both a factory and a playground, where our leisure time is capitalised into producing work that sustains the new attention and information economies. For instance, the world’s largest social networking site, Facebook, does not produce any of its contents. It is, in fact, a system of information mining and sorting, which works as long as a growing user base continues to produce information on it. Tomorrow, if all of us stop producing Facebook, and only lurk on it, the platform will collapse. Which is why, Facebook continues to acquire new platforms and applications to be integrated into its universe.

Similarly, the real effort that goes into the sustenance of sites like Wikipedia, which has become the de facto reference for global knowledge systems, is carried out by unsung and invisible editors who patiently, meticulously, and without almost any expectation, continue to add, verify, strengthen and curate reliable information that we can use. When the non-profit organisation WikiMedia Foundation prides itself in running one of the least expensive websites in the top 10 most visited sites in the world, it is signalling its deep appreciation for the countless human hours that have made Wikipedia possible.

But, in recent years, there is noticeable stagnation in the wave of free information production on the Web. Oh, don’t get me wrong. We are producing an unprecedented amount of data — we are constantly being watched by surveillance technologies that detect biometric and genetic make-up of all our transactions, or we are inviting people to watch us on social network sites where we reveal some of our deepest secrets and desires, or we are watching ourselves, quantifying everything from things we ate to the number of hours we sleep. And yet, as we live in a world of Big Data, there is a definite decrease in people contributing to production of free information.

As the digital natives move from the web to mobile phones, traditional websites are already facing a crisis. News and media agencies that have celebrated the global citizen media networks have started realising that the individual user is more interested in local networks and information ecologies which are independent of mainstream conglomerates. And people are realising that their time and effort is worth money. They can be easily compensated for their online activities and gain reputation and importance.

The tension only becomes more palpable when people start realising that there are others who are being paid to work on the platforms that they are contributing to. We all knew that this model of depending on free information was not a sustainable one. But it seems the day has arrived, especially with the recent drives on Wikipedia to build specialised knowledge editors. In the last few months, we have seen people in the FemTechNet project — an academic activist feminist project that seeks to remind us of the intersections of feminism and technology in network societies — carry out “Wikistorming”, where students are adding pages of women’s contribution to technologies on Wikipedia. More recently, medicine students at University of Chicago have taken to correcting and adding accurate information to Wikipedia, which is often a source of health information.

Both of these are fantastic efforts to add to the platform that was the underdog that overthrew the mammoth encyclopaedia like The Encyclopaedia Britannica. We hope more specialised users in different locations, fields, disciplines and languages continue to edit and contribute to Wikipedia. However, it is also a signal that the generalist information producer is on the decline. We are transitioning into a new age, where people are going to need rewards, incentives and benefits for performing information transactions on the web. The user is no longer going to be available for free labour, and it is time we started thinking of “paid usership”.

Gautam Bhatia's blog post was originally published on Indian Constitutional Law and Philosophy Blog

---

We have seen that Gobind essentially crystallized a constitutional right to privacy as an aspect of personal liberty, to be infringed only by a narrowly-tailored law that served a compelling state interest. After the landmark decision in Gobind, Malak Singh v State of P&H was the next targeted-surveillance history-sheeter case to come before the Supreme Court. In that case, Rule 23 of the Punjab Police Rules was at issue. Its vires was not disputed, so the question was a direct matter of constitutionality. An order of surveillance was challenged by two individuals, on the ground that there were no reasonable bases for suspecting them of being repeat criminals, and that their inclusion in the surveillance register was politically motivated.  After holding that entry into a surveillance sheet was a purely administrative measure, and thus required no prior hearing (audi alteram partem), the Court then embarked upon a lengthy disquisition about the scope and limitations of surveillance, which deserves to be reproduced in full:

“But all this does not mean that the police have a licence to enter the names of whoever they like (dislike?) in the surveillance register; nor can the surveillance be such as to squeeze the fundamental freedoms guaranteed to all citizens or to obstruct the free exercise and enjoyment of those freedoms; nor can the surveillance so intrude as to offend the dignity of the individual. Surveillance of persons who do not fall within the categories mentioned in Rule 23.4 or for reasons unconnected with the prevention of crime, or excessive surveillance falling beyond the limits prescribed by the rules, will entitle a citizen to the Court’s protection which the court will not hesitate to give. The very rules which prescribe the conditions for making entries in the surveillance register and the mode of surveillance appear to recognise the caution and care with which the police officers are required to proceed. The note following R. 23.4 is instructive. It enjoins a duty upon the police officer to construe the rule strictly and confine the entries in the surveillance register to the class of persons mentioned in the rule. Similarly R.23.7 demands that there should be no illegal interference in the guise of surveillance. Surveillance, therefore, has to be unobstrusive and within bounds. Ordinarily the names of persons with previous criminal record alone are entered in the surveillance register. They must be proclaimed offenders, previous convicts, or persons who have already been placed on security for good behaviour. In addition, names of persons who are reasonably believed to be habitual offenders or receivers of stolen property whether they have been convicted or not may be entered. It is only in the case of this category of persons that there may be occasion for abuse of the power of the police officer to make entries in the surveillance register. But, here, the entry can only be made by the order of the Superintendent of Police who is prohibited from delegating his authority under Rule 23.5. Further it is necessary that the Superintendent of Police must entertain a reasonable belief that persons whose names are to be entered in Part II are habitual offenders or receivers of stolen property. While it may not be necessary to supply the grounds of belief to the persons whose names are entered in the surveillance register it may become necessary in some cases to satisfy the Court when an entry is challenged that there are grounds to entertain such reasonable belief. In fact in the present case we sent for the relevant records and we have satisfied ourselves that there were sufficient grounds for the Superintendent of Police to entertain a reasonable belief. In the result we reject both the appeals subject to our observations regarding the mode of surveillance. There is no order as to costs.”

Three things emerge from this holding: first, the Court follows Gobind in locating the right to privacy within the philosophical concept of individual dignity, found in Article 21’s guarantee of personal liberty. Secondly, it follows Kharak Singh, Malkani and Gobind in insisting that the surveillance be targeted, limited to fulfilling the government’s crime-prevention objectives, and be limited – not even to suspected criminals, but – repeat offenders or serious criminals. And thirdly, it leaves open a role for the Court – that is, judicial review – in examining the grounds of surveillance, if challenged in a particular case.

After Malak Singh, there is another period of quiet. LIC v Manubhai D Shah, in 1993, attributed – wrongly – to Indian Express Newspapers the proposition that Article 19(1)(a)’s free expression right included privacy of communications (Indian Express itself had cited a  UN Report without incorporating it into its holding).

Soon afterwards, R. Rajagopal v State of TN involved the question of the publication of a convicted criminal’s autobiography by a publishing house; Auto Shankar, the convict in question, had supposedly withdrawn his consent after agreeing to the book’s publication, but the publishing house was determined to go ahead with it. Technically, this wasn’t an Article 21 case: so much is made clear by the very manner in which the Court frames its issues: the question is whether a citizen of the country can prevent another person from writing his biography, or life story. (Paragraph 8) The Court itself made things clear when it held that the right of privacy has two aspects: the tortious aspect, which provides damages for a breach of individual privacy; and the constitutional aspect, which protects privacy against unlawful governmental intrusion. (Paragraph 9) Having made this distinction, the Court went on to cite a number of American cases that were precisely about the right to privacy against governmental intrusion, and therefore – ideally – irrelevant to the present case (Paras 13 – 16); and then, without quite explaining how it was using these cases – or whether they were relevant at all, it switched to examining the law of defamation (Para 17 onwards). It would be safe to conclude, therefore, in light of the clear distinctions that it made, the Court was concerned in R. Rajagopal about an action between private parties, and therefore, privacy in the context of tort law. It’s confusing observations, however, were to have rather unfortunate effects, as we shall see.

We now come to a series of curious cases involving privacy and medical law. In Mr X v Hospital Z, the question arose whether a Hospital that – in the context of a planned marriage – had disclosed the appellant’s HIV+ status, leading to his social ostracism – was in breach of his right to privacy. The Court cited Rajagopal, but unfortunately failed to understand it, and turned the question into one of the constitutional right to privacy, and not the private right. Why the Court turned an issue between two private parties – adequately covered by the tort of breach of confidentiality – into an Article 21 issue is anybody’s guess. Surely Article 21 – the right to life and personal liberty – is not horizontally applicable, because if it was, we might as well scrap the entire Indian Penal Code, which deals with exactly these kinds of issues – individuals violating each others’ rights to life and personal liberty. Nonetheless, the Court cited Kharak Singh, Gobind and Article 8 of the European Convention of Human Rights, further muddying the waters, because Article 8 – in contrast to American law – embodies a proportionality test for determining whether there has been an impermissible infringement of privacy. The Court then came up with the following observation:

“Where there is a clash of two Fundamental Rights, as in the instant case, namely, the appellant’s right to privacy as part of right to life and Ms. Akali’s right to lead a healthy life which is her Fundamental Right under Article 21, the RIGHT which would advance the public morality or public interest, would alone be enforced through the process of Court, for the reason that moral considerations cannot be kept at bay.”

With respect, this is utterly bizarre. If there is a clash of two rights, then that clash must be resolved by referring to the Constitution, and not to the Court’s opinion of what an amorphous, elastic, malleable, many-sizes-fit “public morality” says. The mischief caused by this decision, however, was replicated in Sharda v Dharmpal, decided by the Court in 2003. In that case, the question was whether the Court could require a party who had been accused of unsoundness of mind (as a ground for divorce under the wonderfully progressive Hindu Marriage Act) to undergo a medical examination – and draw an adverse inference if she refused. Again, whether this was a case in which Article 21 ought to be invoked is doubtful; at least, it is arguable, since it was the Court making the order. Predictably, the Court cited from Mr X v Hospital Z extensively. It cited Gobind (compelling State interest) and the ECHR (proportionality). It cited a series of cases involving custody of children, where various Courts had used a “balancing test” to determine whether the best interests of the child overrode the privacy interest exemplified by the client-patient privilege. It applied this balancing test to the case at hand by balancing the “right” of the petitioner to obtain a divorce for the spouse’s unsoundness of mind under the HMA, vis-à-vis the Respondent’s right to privacy.

In light of the above analysis, it is submitted that although the outcome in Mr X v Hospital Z and Sharda v Dharmpal might well be correct, the Supreme Court has misread what R. Rajagopal actually held, and its reasoning is deeply flawed. Neither of these cases are Article 21 cases: they are private tort cases between private parties, and ought to be analysed under private law, as Rajagopal itself was careful to point out. In private law, also, the balancing test makes perfect sense: there are a series of interests at stake, as the Court rightly understood, such as certain rights arising out of marriage, all of a private nature. In any event, whatever one might make of these judgments, one thing is clear: they are both logically and legally irrelevant to the Kharak Singh line of cases that we have been discussing, which are to do with the Article 21 right to privacy against the State.

As it noted in the NTIA's press release:

NTIA’s responsibility includes the procedural role of administering changes to the authoritative root zone file – the database containing the lists of names and addresses of all top-level domains – as well as serving as the historic steward of the [Domain Name System (DNS)]. NTIA currently contracts with [the Internet Corporation for Assigned Names and Numbers, ICANN] to carry out the Internet Assigned Numbers Authority (IANA) functions and has a Cooperative Agreement with Verisign under which it performs related root zone management functions. Transitioning NTIA out of its role marks the final phase of the privatization of the DNS as outlined by the U.S. Government in 1997.

This move was welcomed by "Internet technical leaders".

While this announcement cannot be said to be unexpected, it is nonetheless an important one and is also a welcome one. The NTIA seems to have foreclosed any option of the US government's role being performed by any government-led organization by noting in their press release, "NTIA will not accept a proposal that replaces the NTIA role with a government-led or an inter-governmental organization solution," once again reaffirming their belief in American exceptionalism: the NTIA could fulfil its role despite being a government, but now even a body involving multiple stakeholders can't replace the NTIA's role if it is going to be government-led.

Unfortunately, this announcement to relax American "stewardship" or "oversight" over some aspects of the Internet's technical functioning cannot restore the trust that has been lost due to actions taken by the US government and US companies. This new announcement won't change the US government's ability to 'tap' the Internet, nor will it affect their ability to unilaterally seize .com/.net/.name/.org/.edu/.tv/.cc/.us and other US-based domain names. Nor will a shift away from NTIA oversight lead to any of the chilling visions that some believe might lie in our future: the fears of the Association of National Advertisers and of some politicians and members of the US Congress is based on ignorance of what NTIA's role is.

The European Commission in a communiqué last month noted: "recent revelations of large-scale surveillance have called into question the stewardship of the U.S. when it comes to Internet governance". Unfortunately, the U.S. giving up that stewardship role will not prevent the continuation of their large-scale surveillance, just as the lack of such a stewardship role has not prevented other governments — U.K., India, Canada, Sweden, France, etc. — from engaging in large-scale surveillance.

There are three main benefits from the U.S. giving up this role.

• First, it will put an end to the political illegitimacy of the U.S. government having a core authority in a global system, somehow making it first among equals;

• Second, will focus light on ICANN, which under US oversight performs the IANA functions, and might, one hopes, lead to needed reform in ICANN's other functions;

• Third, it will allow us to collectively move on from this dreaded political issue at the heart of Internet governance, which nevertheless is of little practical consequence if ICANN's accountability mechanisms are strengthened. As difficult as it may be, ICANN has to be accountable not just to one government or another but to the world, and ensuring that accountability to all doesn't become accountability to none, as NetChoice's Steve DelBianco put it, is the formidable task ahead of us.
  

Yet, all the ICANN reform in the world will still not lead to a less spied-upon, more open, and more equitable Internet.

The principle behind net-neutrality, simply put, is that the data being transmitted to and from the user should be treated equally, i.e. that data carriage, at the level of ISP’s, should be ‘dumb’. This would mean that internet service providers cannot discriminate between different data based on the content of the data. Without the principle of net-neutrality being followed, ISP’s would become the ‘internet gatekeepers’, choosing what data gets to reach the end-user and how. There are many arguments for favouring or disfavouring net-neutrality, however, advocates of privacy on the internet should be wary of the possible implications of endorsing a non-neutral internet and allowing greater network management by ISP’s. So, how does the net-neutrality debate affect privacy?

It all depends upon what kind of network management ISP’s employ. Deep Packet Inspection (DPI) is a method of data inspection which allows the network manager to scrutinize data at the application level, and in real time. As compared to shallow packet inspection, which identifies based on headers like IP addresses or protocols like TCP and UDP, which are analogous to envelopes on a letter, DPI would be akin to having access to the contents. DPI-based network management can identify the programs, software and applications being used, and what they are being used for in real time. Unlike any ordinary online service provider ISP’s are in the unique position of having comprehensive access to all of their customers’ data. Allowing DPI-based network management for prioritizing certain data or applications, an almost certain outcome if net-neutrality is weakened, would mean that ISP’s would be able to intercept and scrutinize any and all user data, which would reveal substantial information about the user, and would be a serious blow to privacy. While DPI can have several benefits in its application (such as finding and fighting malware or viruses), but where it is used, must be for a targeted and legitimate aim. Even where DPI is not used, if network discrimination is allowed, based on a user-to-user basis it would require inspecting the IP addresses of the user, which can also be a problematic intrusion of privacy, especially since the ISP also has other data like addresses and names of users which it can use to identify them.

Privacy may not necessarily be affected through non-neutral internet systems, but in all probability, with the growth of systems like the DPI and commercial incentives for “gatekeeper ISP’s” who are in a position to profit greatly from an ability to scrutinize and discriminate between data, it is likely that it will. In India, though government ISP’s like MTNL and BSNL deny using DPI,[1] it’s likely that it is still applied by others, and that the government is aware of this (http://www.theinquirer.net/inquirer/news/2161541/indian-isps-block-104-websites). Even as the TRAI advocates and supports net-neutrality, Indian ISP’s seem to be heading the other way.[2] Before the trend becomes the norm, it’s high time for a comprehensive discussion about how policies should be framed for keeping the internet a more neutral, and more private, space.

---

References

1. Apar Gupta, TRAI(ing) to keep it neutral, http://www.iltb.net/2010/09/traiing-keep-it-neutral/
2. For a lay discussion on Deep Packet Inspection and net-neutrality, visit http://arstechnica.com/gadgets/2007/07/deep-packet-inspection-meets-net-neutrality/

Even as the Central Government prepares the Central Monitoring System for the unrestricted monitoring of all personal communication, the Department of Telecom has issued new guidelines for Telecom Service Providers to assist in responding to requests for interception and monitoring of communications from security agencies.

These guidelines do not appear to be publicly accessible, but according to news items, under the “Standard Operating Procedures for Lawful Interception and Monitoring of Telecom Service Providers”, the TSP’s must now provide for lawful interception and monitoring requests for voice calls, Short message Service (SMS), General Packet Radio Service (GPRS) and Value Added Service (VAS) including Multi Message Service (MMS), data and voice in 3G/4G/Long Term Evolution (LTE) including video call or Voice Over Internet protocol (VoIP). This move comes just days after the Home Ministry suggested that the Department of Telecom either change the rules under their Telecom Policies such as the Unified Access Service Licence (UASL) to include VoIP monitoring, or, drastically, block all VoIP services on the internet, which would include several communication applications including Skype and GTalk. (See the article published by Economic Times).

The guidelines will supposedly also provide for some basic safeguards to ensure that non-authorized interception does not take place, such as ensuring that the interception is only to be provided by the Chief Nodal Officer of a TSP and only upon the issue of an order by the Home Secretary at the Central or State Government. Furthermore, these requests must only be in written, in untampered and sealed envelopes with no overwriting, etc. and bearing the order number issued by the concerned Secretary, with the date of the order. However, in exigent circumstances the order may be provided by email, provided that the physical copy is sent within two days of the order, else the interception order must be terminated. Inquiry processes are detailed under the new SOP’s which can verify whether the request was in original and addressed to the Nodal Officer and from which designated security agency it was issued, and can also verify the issue of an acknowledgment of compliance of the order by the TSP within two days of its receipt. The new guidelines also clarify the issue of interception of roaming subscribers by the State Government where the subscriber is registered. According to the guidelines, an order by the government of the state where such a caller has registered is sufficient and does not need vetting by the Home Secretary at the centre.

Notwithstanding the additional “safeguards” against unlawful or unauthorized interception, the message to take away from these guidelines is the Government’s continued efforts to expand its surveillance regime to comprehensively monitor every action and every communication at its whim. These requests for monitoring, undertaken by “security agencies” which include taxation agencies and the SEBI, are flawed not merely because of the possibility of “unauthorized” interception, rather because the legal basis of the interception is vague, broad and widely susceptible to misuse, as the recent “snoopgate” allegations against the Gujarat government have shown. (See the article published by the Hindu).

The current regime, based on a wide interpretation of Section 5(2) of the Indian Telegraph Act and the telecom policies of the Department of Telecom, do not have adequate safeguards for preventing misuse by those in power – such as the requirement of reasonable suspicion or a warrant. Without a sound legal basis for interception, which protects the privacy rights of individuals, any additional safeguards are more or less moot, since the real threat of intrusive surveillance and infringing of basic privacy exists regardless of whether it is done under the seal of the Home Secretary or not.

---

Resources

1. http://cis-india.org/internet-governance/resources/rule-419-a-indian-telegraph-rules-1951
2. http://www.thehindu.com/news/national/centre-issues-new-guidelines-for-phone-interception/article5559460.ece

---

Read the original published in the Economic Times on March 14, 2014

---

Activists have five main concerns.

1. Facebook has a track record of not keeping its promises to users.
2. The ethos of both companies when it comes to privacy is diametrically opposite.
3. The probability that WhatsApp messages and content will be intercepted because of Facebook's participation in NSA's PRISM spying programme.
4. Facebook slurping WhatsApp's large repository of phone numbers.
5. Two hundred trackers already monitor your internet use when you are not using Facebook and now they tracking mobile use much more granularly. This week the Indian competition regulator (CCI) also told the media that the acquisition would be subject to scrutiny. However, unlike the US regulator the Indian regulator does not have the mandate to examine the acquisition from a privacy perspective.

LIRNEAsia research in Indonesia paints a very similar picture to one we have in India. When Indonesian mobile phone users were asked if they used Facebook they answered in affirmative. Then the very same users were asked if they used the internet and they replied in negative. A large number of Facebook users in these other similar economies are trapped within what are called "walled gardens."

Walled gardens allow mobile phone subscribers without data connections to get access to a single over-the-top service provider like Facebook because their telcom provider has an arrangement. Software such as Facebook on every phone makes it possible for feature phone users to also enter the walled garden.

According to Facebook it "is a fast and easyto-use native app that works on more than 3,000 different types of feature phones from almost every handset manufacturer that exists today."

Unlike North American and European users of Facebook - who freely roam the "world wild web" and then choose to visit Facebook when they want to many Indian users will first experience data services in a domesticated fashion within a walled garden.

Whether or not they will wander in the wild when they are have full access to the internet remains to be seen. But given our poor rates of penetration, dogmatic insistence on network neutrality at this early stage of internet adoption may not be the right way to maximise welfare and consumer interest.

Fortunately for Facebook and unfortunately for us, India still does not have a comprehensive data protection or horizontal privacy law. The Justice AP Shah Committee that was constituted by the Planning Commission in October 2012 recommended that the Privacy Act articulate national privacy principles and establish the office of the Privacy Commissioner. It further recommended that data protection and surveillance be regulated for both the private sector and the state.

Since then the Department of Personnel and Training has updated the draft bill to implement these recommendations and has been working towards consensus within government.

Since we still don't have our own privacy regulator we will have to depend on foreign data protection authorities and privacy commissioners to protect us from the voracious appetite for personal data of over-the-top service providers like Facebook This is woefully insufficient because they will not act on harm caused to Indian consumers or be aware of how Facebook acts differently in the Indian market.

As we approach the first general election in India when social media will play a small but influential role it would have been excellent if we had someone to look out for our right to privacy.

The article was published in Index on Censorship in August 2012. This is an unedited version of the article.

---

In a matter of three days, in August 2012, India’s central government ordered internet service providers to block around 309 pieces of online content – mostly individual web pages, YouTube videos and Facebook groups. The blocking orders came days after people originally from north-eastern India living in Bangalore began fleeing the city in fear of attack. Rumours that some Muslims in the city were planning violence in retaliation for recent clashes between the indigenous Bodo tribe and Muslim settlers in Assam spread quickly via text messages and through the media. The Nepali migrant community in Bangalore also received text messages from their families, warning them that they might be mistaken for north-eastern Indians and also be targeted. Indian Railway, catering to the huge demand, organised special trains to Assam for the crowds of people.

Freedom of speech is enshrined in the Constitution of India, which came into force in 1952, and specifically in Article 19(1)(a), which guarantees that ‘all citizens shall have the right to freedom of speech and expression’. While in the United States, it wasn’t until the 1920s that the Supreme Court struck down a law or governmental action on freedom of speech grounds, in India, just one year after the constitution was adopted, government actions against both left- and right-wing political speech were struck down for violating Article 19(1)(a). Enraged, the Congress government then amended Article 19, expanding the list of restrictions to the right to free expression. These included speech pertaining to ‘friendly relations with foreign states’, ‘public order’ and ‘incitement to an offence’. In 1963, in response to the 1962 war with China, the ‘sovereignty and integrity of India’ was also added, taking the number of categories of permissible restrictions up to eight. While the constitution categorically stipulates that no further restrictions should be imposed, courts have on occasion added to the list (privacy, for instance) through judicial interpretation without explicitly stating that they are doing so. Comparisons are often drawn between the constitution’s ‘reasonable restrictions’ and the categorical prohibition enshrined in the US Constitution’s First Amendment: ‘Congress shall make no law … abridging the freedom of speech, or of the press’ – a meaningless comparison as there are indeed many categories of speech that are seen as being protected under the US constitution and even speech that is protected may be restrained in a number of ways.

Today, there are a number of laws that regulate freedom of speech in India, from the Indian Penal Code (IPC), the Victorian legislation meant to codify crimes, to the Information Technology Act, which was amended in 2008 and in some cases makes behaviour that is perfectly legal offline into a criminal activity when online.

Sedition and social harmony

The Indian Penal Code criminalises sedition; speech intended to cause enmity between communities; speech intended to ‘outrage religious feelings of any class’; selling, singing or displaying anything obscene; and defamation. It also prohibits ‘causing someone, by words or gestures, to believe they’re the target of divine displeasure’. Each of these provisions has been misused, as there are indeed many catagories of speech that are not seen as being protected under thw US constitution, and even speech that is protected may be restrained in a number of ways.

In recent years, sedition charges have been brought against human rights activists (Binayak Sen and Arundhati Roy), journalists (Seema Azad), cartoonists (Aseem Trivedi) and protesters (thousands of villagers in Koodankulam and neighbouring villages who demonstrated against a nuclear reactor in their area). It is usually the higher judiciary that dismisses such cases, while the lower judiciary seems to be supplicant to the bizarre claims of government, the police and complainants. Similarly, the higher judiciary has had to intervene in cases where books and films have been banned for ‘causing enmity between communities’ or for intentionally hurting the sentiments of a religious group.

Of the last six books banned by the Maharashtra government, all but one (RV Bhasin’s Islam: A Concept of Political World Invasion by Muslims) have been overturned by the Mumbai High Court. In one case, the court criticised the government for using a violent protest (organised by the Sambhaji Brigade, one of many right-wing political groups that frequently stage demonstrations) as reason enough for banning an academic book on the Maratha king Shivaji. In its decision, the judge pointed out that it is the government’s job to provide protection against such violence. Given India’s history of communal violence there is indeed a need for the law to address incitement to violence – but these laws should be employed at the actual time of incitement, not after the violence has already taken place. But, as recent events have shown, the government is willing to censor ‘harmful’ books and films and less likely to take action against individuals who incite violence during demonstrations.

Online speech and the law

There are regular calls for the government to introduce legislation that deals specifically with online behaviour, despite the fact that the vast majority of the laws regarding sedition and social harmony apply online as well as offline. One example is the recent move to introduce amendments to the Indecent Representation of Women Act (1986) so that it applies to ‘audiovisual media and material in electronic form’.

But the government’s attempts to control online speech began long before the introduction of any internet-specific legislation. Indeed, when state-monopoly internet service provider VSNL censored content, it did so under the terms of a contract it had entered with its customers, not under any law. In 1998, a mailing list called Middle East Socialist Network was blocked on national security grounds. In 1999, Pakistani newspaper Dawn’s website was blocked during the Kargil conflict. In both of the latter cases, the government relied on the Indian Telegraph Act (1885) to justify its actions, though that act contains no explicit provisions for such censorship.

In 2000, the Information Technology (IT) Act was passed and the Indian Computer Emergency Response Team (CERT-In) was created, which (unlawfully) assumed the role of official online censor. Importantly, while the IT Act did
make the publication of obscene content online illegal (though it already was under the IPC), it did not grant permission for authorities to block websites. Despite this, an executive order passed on 27 February 2003 granted CERT-In the power to block. Had this been challenged in a court, it may well have been deemed unconstitutional since, in the absence of a statutory law, an executive order cannot reverse the freedom granted under Article 19. And although the telecommunications sector in India was being liberalised around this time, as part of their licence agreements, all internet service providers (ISPs) have to agree to block links upon being requested to do so by the government. In 2008, when the IT Act was amended, it clearly stated that the government can block websites not only when it deems it necessary to do so but also when it is deemed expedient in relation to matters of public interest, national security and with regard to maintaining friendly relations with foreign states. The power to block does not, however, extend to obscenity or defamation offences. At the same time, further categories of speech crimes were introduced, along with other new offences, including the electronic delivery of ‘offensive messages through communication services’ or anything ‘for the purpose of causing annoyance or inconvenience’. This has often been abused, including by the chief minister of West Bengal, who issued proceedings against a professor for forwarding an email containing a cartoon that mocked him. Under this draconian and unconstitutional provision, the police do not need an arrest warrant and the punishment can be as much as three years’ imprisonment, longer than even the punishment for causing death by negligence. The amendment also granted the government extensive powers to monitor and intercept online speech and data traffic, greatly extending the powers provided under colonial laws such as the Indian Telegraph Act (1885). As legislation has been introduced, the penalties for online offences have increased significantly. For example, the penalty for the first-time publication of an obscene ebook is up to five years in prison and a 1,000,000 rupee (US$18,800) fine, compared with two years’ imprisonment and a 2,000 rupee (US$38) fine as stipulated in the IPC for publishing that same material in print version. New laws introduced in 2009 pertain specifically to blocking (section 69a), interception, decryption and monitoring (69 and 69b) and are in accordance with the constitution. However, the amendments were brought in without any attempt at transparency or accountability.

Power in the hands of intermediaries

In April 2011, despite critical submissions received during its public consultation, the government announced new ‘intermediary guidelines’ and ‘cyber cafe rules’, both of which have adverse effects on freedom of expression. The rules, which were issued by the Department of Information and Technology (DIT), grant not only the government but citizens significant powers to censor the internet. They require all intermediaries – companies that handle content, including web hosts, telecom companies, domain name providers and other such intermediaries – to remove ‘disparaging’ content that could ‘harm minors in any way’. They prohibit everything from jokes (if the person sharing the joke does not own copyright to it) to anything that is disparaging. In a recent case, in December 2011, thousands of people used the hashtag #=IdiotKapilSibal on Twitter to criticise the minister of communications and information technology, Kapil Sibal, who had requested that officials from Google, Microsoft, Yahoo! and Facebook in India pre-screen online content. These guidelines and rules are badly drafted and unconstitutional, as they go beyond the limits allowed under Article 19 in the constitution. And do so in a manner that lacks any semblance of due process and
fairness. They are inconsistent with offline laws, too: for example, because the guidelines also refer to gambling, the government of Sikkim can publish advertisements for its PlayWin lottery in newspapers but not online. It’s far easier to persuade officials to remove online material than it is to persuade them to remove books from a bookstore or artwork from a gallery. Police are only empowered to seize books if the government or a court has been persuaded that it violates a law and issues such an order. This fact is always recorded, in government or legal records, police files or in the press. By contrast, web content can be removed on the basis of one email complaint; intermediaries are required to ‘disable’ the relevant content within 36 hours of the complaint. A court order is not required, nor is there a requirement to notify the owner of the content that a complaint has been received or that material has been removed. The effect is that of almost invisible censorship.

This assertion – that it only takes one complaint – may seem far-fetched. But a researcher from the Centre for Internet and Society sent complaints to several intermediaries on a number of occasions, resulting in content being removed in a majority of cases. If intermediaries choose not to take action, they risk losing their immunity against punishment for content. In essence, the law is the equivalent of punishing a post office for the letters that people send via the postal service.

The amendments were brought in without any attempt at transparency or accountability

In 1984, Indira Gandhi was forced to sue Salman Rushdie for defamation in a London court in order to ensure one sentence was expurgated from his novel Midnight’s Children. Today Gandhi wouldn’t need to win a lawsuit against publishers. She would merely have to send a complaint to websites selling the book and it would have to be removed from sale. It is easier to block Akbari.in – the online newspaper run by Vinay Rai, who filed a criminal complaint against multiple internet companies in December 2011 for all manner of materials – than it is to prevent its print publication. There is no penalty for frivolous complaints, such as those sent by researchers from the Centre for Internet and Society, nor is there any requirement for records to be kept of who has removed what. Such great powers of  censorship without any penalties for abuse of these powers are a sure-fire way of moving towards greater intolerance, with the internet – that republic of opinions and expressions – being a casualty.

Censorship outside the law

Since 2011, governments and private companies alike have increasingly engaged in internet censorship. In April 2011, in response to a right to information request, the DIT released a list of 11 websites that had been officially blocked under the IT Act since 2009, when the amended act came into force. But, according to a recent Google Transparency Report, government requests for the removal of material far exceeds that number. The report reveals that the government (including state governments) requested that Google remove 358 items from January 2011 to June 2011. Of this number, only eight were considered to be hate speech and only one item was related to concerns over national security. The remaining material, 255 items (71 per cent of all requests), was taken down because of ‘government criticism’. Criticism of the government is protected under the country’s constitution but, nonetheless, Google complied with take-down requests 51 per cent of the time. It’s clear, then, that governmental censorship is far more widespread than officially acknowledged.

In July 2011, Reliance Entertainment obtained a ‘John Doe’ order to protect its intellectual property rights with regard to its film Singham, which was scheduled for release that month. The order prohibited both online and offline  infringement of copyright for the film and was sent to a number of ISPs, which then blocked access to file-sharing websites, even though there was no proof of the film having been available on any of them. According to Reliance Entertainment, they merely asked ISPs ‘not to make the film available’ on their networks, even though the order did not authorise it. But a right to information request pertaining to a similar case dealing with the distribution of the film Dhammu showed that the entertainment company’s lawyers had in fact asked for dozens of websites – not just deep-link URLs to infringing content – to be blocked, despite publicly claiming otherwise. If web users encountered any information at all about why access to the sites was blocked, it was that the Department of Telecom had ordered the blocking, which was plainly untrue. In February 2012, following a complaint from the Indian Music Industry (a consortium of 142 music companies), the Calcutta High Court ordered 387 ISPs to block 107 websites for music piracy. At least a few of those, including Paktimes.com and Filmicafe.com, were general interest entertainment sites. The most famous of these sites, Songs.pk, re-emerged shortly after the block as Songspk.pk, highlighting the pointlessness of the block. And outside the realm of copyright, in December 2011, the domain name CartoonsAgainstCorruption.com was suspended based on an unlawful complaint from the Mumbai police requesting its suspension, despite there being no powers for them to do so under any law.

Between August and November 2011, the DIT also went to great efforts to compel big internet companies including Indiatimes, Facebook, Google, Yahoo!, and Microsoft, to ‘self-regulate’. This revealed the department’s desire to gain ever greater powers to control ‘objectionable’ content online, effectively bypassing the IT Act. It’s obvious, too, that by encouraging internet companies to ‘self-regulate’ the government will avoid embarrassing statistics such as those revealed by Google’s Transparency Report.

New dangers

A way forward, at least for internet-specific laws, could be to rekindle the Cyber Regulations Advisory Committee – a multi-stakeholder committee required by the IT Act – and to practise at home what we preach abroad on matters of internet governance: the value of a multi-stakeholder system, which includes industry, academia and civil society and not just governments. The idea of a multi-stakeholder framework has gained prominence since it was placed at the core of the ‘Declaration of Principles’ at the first World Summit on Information Society in Geneva in 2003. It has also been at the heart of India’s pronouncements at the Internet Governance Forum and the India-Brazil-South Africa Dialogue Forum. The Internet Governance Division, which formulates the country’s international stance on internet governance, has long recognised that these decisions must be taken in an open and collaborative manner. It is time the DIT’s Cyber-Law and ESecurity Group, which formulates the country’s national stance on the internet, realises the same.

Freedom of speech means nothing in a democratic society if it does not allow everyone to speak. Despite the internet being a very elite space, the number of people who have used it to express themselves since its introduction in India in 1994 is vast, especially when compared to the number of people in India who have expressed themselves in print since 1947 when the country won its independence. Online speech is indeed a big shift from edited and usually civil discussions in the world of print media. Perhaps this gives us some indication of why there is some support among the mass media for government regulations on speech. Too many discussions of online speech laws in India descend into arguments about the lack of civility online. However, the press – and all of us – would do well to remember that civility and decency in speech, while desirable in many contexts, cannot be the subject of legislation. But in India, the greatest threat to freedom of expression is not a government clampdown on dissent but threats from political and corporate powers with a range of tools at their disposal, including fostering a climate of selfcensorship. The government has passed bad laws that have given way to private censorship. And many of these laws are simply a result of gross ineptitude.

We cannot take sufficient comfort in the fact that, in India, censorship is limited and nowhere on the scale that it is in China or Iran. It is crucial that, from a legal, cultural and technological standpoint we do not open the door for further censorship. And currently, we are failing.

---

Pranesh Prakash is Policy Director at the Centre for Internet and Society in Bangalore. Part of this article appeared in a blog by the author on the centre’s website, cis-india.org, in January 2012

---

Note: After obtaining a copy of the leaked Privacy Bill 2014, we have replaced the blog "An Analysis of the New Draft Privacy Bill" which was based off of a report from the Economic Times, with this blog post.

---

This represents the third leak of potential privacy legislation for India that we know of, with publicly available versions having leaked in April 2011 and September 2011.

When compared to the September 2011 Privacy Bill, the text of the 2014 Bill includes a number of changes, additions, and deletions.  Below is an outline of significant changes from the September 2011 Privacy Bill to the 2014 Privacy Bill:

• Scope: The 2014 Bill extends the right to Privacy to all residents of India. This is in contrast to the 2011 Bill, which extended the Right to Privacy to citizens of India.  The 2014 Bill furthermore recognizes the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India, whereas the 2011 Bill did not explicitly recognize the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.
• Definitions: The 2014 Bill includes a number of new definitions, redefines existing terms, and deletes others.
  

Terms that have been added in the 2014 Bill and the definitions

1. Personal identifier: Any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.
2. Legitimate purpose: A purpose covered under this Act or any other law for the time being in force, which is certain, unambiguous, and limited in scope for collection of any personal data from a data subject.
3. Competent authority : The authority which is authorized to sanction interception or surveillance, as the case may be, under this Act or rules made there under or any other law for the time being in force.
4. Notification: Notification issued under this Act and published in the Official Gazette
5. Control : And all other cognate forms of expressions thereof, means, in relation to personal data, the collection or processing of personal data and shall include the ability to determine the purposes for and the manner in which any personal data is to be collected or processed.
6. Telecommunications system: Any system used for transmission or reception of any communication by wire, radio, visual or other electromagnetic means but shall not include broadcasting services.
7. Privacy standards: The privacy standards or protocols or codes of practice.  developed by industry associations.

Terms that have been re-defined in the 2014 Bill from the 2011 Bill and the 2014 Bill definitions

1. Communication data:The data held or obtained by a telecommunications service provider in relation to a data subject including the data usage of the telecommunications
2. Data subject : Any living individual, whose personal data is controlled by any person
3. Interception: In relation to any communication in the course of its transmission through a telecommunication system, any action that results in some or all of the contents of that communication being made available, while being transmitted, to a person other than the sender or the intended recipient of the communication.
4. Person: Any natural or legal person and shall include a body corporate, partnership, society, trust, association of persons, Government company, government department, urban  local body, or any other officer, agency or instrumentality of the state.
5. Sensitive personal data: Personal data relating to: (a) physical and mental health including medical history, (b) biometric, bodily or genetic information, (c) criminal convictions (d) password, (e) banking credit and financial data (f) narco analysis or polygraph test data, (g) sexual orientation.  Provided that any information that is freely available or accessible in public domain or to be furnished under the Right to Information Act 2005 or any other law for time being in force shall not be regarded as sensitive personal data for the purposes of this Act.
6. Individual: a resident of Indian
7. Covert surveillance: covert Surveillance" means obtaining private information about an individual and his private affairs without his knowledge and includes: (i) directed surveillance which is undertaken for the purposes of specific investigation or specific operation in such a manner as is likely to result in the obtaining of private information about a person whether or not that person was specifically identified in relation to the investigation or operation; (ii) intrusive surveillance which is carried out by an individual or a surveillance device  in relation to anything taking place on a residential premise or in any private vehicle. It also covers use of any device outside the premises or a vehicle wherein it can give information of the same quality and detail as if the device were in the premises or vehicle; (iii) covert human intelligence service which is information obtained by a person who establishes or maintains a personal or other relationship with an individual for the covert purpose of using such a relationship to obtain or to provide access to any personal information about that individual
8. Re-identify: means the recovery of data from an anonymised data, capable of identifying a data subject whose personal data has been anonymised;
9. Process: “process" and all other cognate forms of expressions thereof, means any operation or set of operations, whether carried out through automatic means or not by any person or organization, that relates to:(a) collation, storage, disclosure, transfer, updating, modification, alteration or use of personal data; or (b) the merging, linking, blocking, degradation or anonymisation of personal data;
10. Direct marketing: Direct Marketing means sending of a commercial communication to any individual
11. Data controller:  any person who controls, at any point in time, the personal data of a data subject but shall not include any person who merely provides infrastructure for the transfer or storage of personal data to it data controller;
12. Government: the Central Government or as the case may be, the State Government and includes the Union territory Administration, local authority or any agency and instrumentality of the Government;

Terms that have been removed from the 2014 Bill that were in the 2011 Bill and the 2011 definition:

1. Consent: Includes implied consent
2. Maintain: Includes maintain, collect, use, or disseminate.
3. Data processor: In relation to personal data means any person (other than the employee of the data controller), who processes the data on behalf of the data controller.
4. Local authority: A municipal committee, district board, body of port commissioners, council, board or other authority legally entitled to, or entrusted by the Government with, the control or management of a municipal or local fund.
5. Prescribed: Prescribed by rules made under this Act.
6. Surveillance: Surveillance undertaken through installation and use of CCTVs and other system which capture images to identify or monitor individuals (this was removed from the larger definition of surveillance.)
7. DNA: Cell in the body of an individual, whether collected from a cheek, cell, blood cell, skin cell or other tissue, which allows for identification of such individual when compared with other individual.

Terms that have remained broadly (with some modification) the same between the 2014 Bill and 2011 Bill (as per the 2014 Bill definition):

1. Authority: The Data Protection Authority of India
2. Appellate tribunal: the Cyber Appellate Tribunal established under Sub-Section (1) of section n48 of the Information Technology Act, 2000.
3. Personal data: Any data which relates to a data subject, if that data subject can be identified from that data, either directly or indirectly, in conjunction with other data that the data controller has or is likely to have and includes any expression of opinion about such data subject.
4. Member: Member of the Authority
5. Disclose: and all other cognate forms of expression thereof, means disclosure, dissemination, broadcast, communication, distribution, transmission, or make available in any manner whatsoever, of personal data.
6. Anonymised: The deletion of all data that identifies the data subject or can be used to identify the data subject by linking such data to any other data of the data subject, by the data controller.

• Exceptions to the Right to Privacy: According to the 2011 Bill, the exceptions to the Right to Privacy included:

1. Sovereignty, integrity and security of India, strategic, scientific or economic interest of the state
2. Preventing incitement to the commission of any offence
3. Prevention of public disorder or the detection of crime
4. Protection of rights and freedoms of others
5. In the interest of friendly relations with foreign state
6. Any other purpose specifically mentioned in the Act.

The 2014 Bill reflects almost all of the exceptions defined in the 2011 Bill, but removes ‘detection of crime’ from the list of exceptions. The 2014 Bill also qualifies that the application of each exception must be adequate, relevant, and not excessive to the objective it aims to achieve and must be imposed on the manner prescribed – whereas the 2011 Bill stated only that the application of exceptions to the Right to Privacy cannot be disproportionate to the purpose sought to be achieved.

• Acts not to be considered deprivations of privacy:  The 2011 Bill lists five instances that  will not be considered a deprivation of privacy  - namely

1. For journalistic purposes unless it is proven that there is a reasonable expectation of privacy,
2. Processing data for personal or household purposes,
3. Installation of surveillance equipment for the security of private premises,
4. Disclosure of information via the Right to Information Act 2005,
5. And any other activity exempted under the Act.

The 2014 limits these instances to:

1. The processing of data purely for personal or household purposes,
2. Disclosure of information under the Right to Information Act 2005,
3. And any other action specifically exempted under the Act.

• Privacy Principles:  Unlike the 2011 Bill, the 2014 Bill defines nine specific privacy principles: notice, choice and consent, collection limitation, purposes limitation, access and correction, disclosure of information, security, openness, and accountability. The Privacy Principles will apply to all existing and evolving practices.

• Provisions for Personal Data: Both the 2011 Bill and the 2014 Bill have provisions that apply to the processing of personal and sensitive personal data. The 2011 Bill includes provisions addressing the:

1. Collection of personal data,
2. Processing of personal data,
3. Data quality,
4. Provisions relating to sensitive personal data,
5. Retention of personal data,
6. Sharing (disclosure) of personal data,
7. Security of personal data,
8. Notification of breach of security,
9. Access to personal data by data subject,
10. Updation of personal data by data subject
11. Mandatory processing of data,
12. Trans border flows of personal data.

Of these, the 2014 Bill broadly (though not verbatim) reflects the 2011 Bill provisions relating to the:

1. Collection of personal data,
2. Processing of personal data,
3. Access to personal data,
4. Updating personal data
5. Retention of personal data
6. Data quality,

The 2014 Bill has further includes provisions addressing:

1. Openness and accountability,
2. Choice,
3. Consent,
4. Exceptions for personal identifiers.

The 2014 Bill has made changes to the provisions addressing:

1. Provisions relating to sensitive personal data,
2. Sharing (disclosure of personal data),
3. Notification of breach of security,
4. Mandatory processing of data
5. Security of personal data
6. Trans border flows of personal data.

The changes that have been made have been mapped out below:

Provisions Relating to Sensitive Personal Data: The 2011Bill and 2014 Bill both require authorization by the Authority for the collection and processing of sensitive personal data. At the same time, both Bills include a list of circumstances under which authorization for the collection and processing of sensitive personal data is not required. On the whole, this list is the same between the 2011 Bill and 2014 Bill, but the 2014 Bill adds the following circumstances on which authorization is not needed for the collection and processing of sensitive personal data:

1. For purposes related to the insurance policy of the individual if the data relates to the physical or mental health or medical history of the individual and is collected and processed by an insurance company.
2. Collected or processed by the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

The 2014 Bill also allows the Authority to specify additional regulations for sensitive personal data, and requires that any additional transaction sought to be performed with the sensitive personal information requires fresh consent to first be obtained. The 2014 Bill carves out another exception for Government agencies, allowing disclosure of sensitive personal data without consent to Government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.

Notification of Breach of Security: The provisions relating to the notification of breach of security in the 2014 Bill differ from the 2011 Bill. Specifically, the 2014 Bill removes the requirement that data controllers must publish information about a data breach in two national news papers. Thus, in the 2014 Bill, data controllers must only inform the data protection authority and affected individuals of the breach.

Notice: The 2014 Bill changes the structure of the notice mechanism – where in the 2011 Bill, prior to the processing of data, data controllers had to take all reasonable steps to ensure that the data subject was aware of the following:

1. The documented purposes for which such personal data is being collected
2. Whether providing of personal data by the data subject is voluntary or mandatory under law or in order to avail of any product or service
3. The consequences of the failure to provide the personal data
4. The recipient or category of recipients of the personal data
5. The name and address of the data controller and all persons who are or will be processing information on behalf of the data controller
6. If such personal data is intended to be transferred out of the country, details of such transfer.

In contrast the 2014 Bill provides that before personal data is collected, the data controller must give notice of:

1. What data is being collected and
2. The legitimate purpose for the collection.

If the purpose for which the data was collected has changed the data controller will then be obligated to provide the data subject with notice of:

1. The use to which the personal data will be put
2. Whether or not the personal data will be disclosed to a third party and if so the identity of such person
3. If the personal data being collected is intended to be transferred outside India  and the reasons for doing so, how the transfer helps in achieving the legitimate purpose and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data.
4. The security and safeguards established by the data controller in relation to the personal data
5. The processes available to a data subject to access and correct  his personal data
6. The recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto
7. The name, address, and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller.

Disclosure of personal data: Though titled as ‘sharing of personal data’ both the 2011 Bill and 2014 Bill require consent for the disclosure of personal information, but list exceptional circumstances on which consent is not needed. In the 2011 bill, the relevant provision permits disclosure of personal data without consent only if (i) the sharing was a part of the documented purpose, (ii) the sharing is for any purpose relating to the exceptions to the right to privacy or (iii) the Data Protection Authority has authorized the sharing.  In contrast, the 2014 Bill permits disclosure of personal data without consent if (i) such disclosure is part of the legitimate purpose (ii) such disclosure is for achieving any of the objectives of section 5 (iii) the Authority has by order authorized such disclosure (iv) the disclosure is required under any law for the time being in force (v) the disclosure is made to the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.  As a safeguard, the 2014 Bill requires that any person to whom  personal information is disclosed, whether a resident or not, must adhere to all provisions of the Act. Furthermore, the disclosure of personal data must be limited to the extent which is necessary to achieve the purpose for which the disclosure is sought and no person can make public any personal data that is in its control.

Transborder flow of information: Though both the 2011 Bill and the 2014 Bill require any country that data is transferred to must have equivalent or stronger data protection standards in place, the 2014 Bill carves out an exception for law enforcement and intelligence agencies and the transfer of any personal data outside the territory of India, in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

Mandatory Processing of Data: Both the 2011 Bill and 2014 Bill have provisions that address the mandatory processing of data. These provisions are similar, but the 2014 Bill includes a requirement that data controllers must anonymize personal data that is collected without prior consent from the data subject within a reasonable time frame after collection.

Security of Personal Data: The provision relating to the security of personal information in the 2014 Bill has been changed from the 2011 Bill by expanding the list and type of breaches that must be prevented, but removing requirements that data controllers must ensure all contractual arrangements with data processors specifically ensure that the data is maintained with the same level of  security.

• Conditions on which provisions do not apply: Both the 2011Bill and 2014 Bill define conditions on which the provisions of updating personal data, access, notification of breach of security, retention of personal data, data quality, consent, choice, notice, and right to privacy  will not apply to personal data.  Though the 2011 Bill and 2014 Bill reflect the same conditions, the 2014 Bill  carves out an exception for Government Intelligence Agencies  - stating that the provisions of  updating personal data, access to data by the data subject, notification about breach of security, retention of personal data, data quality, processing of personal data, consent, choice, notice, collection from an individual will not apply to data collected or processed in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.
• Privacy Officers: Unlike the 2011 Bill, the 2014 Bill defines the role of the privacy officer that must be established by every data controller for the purpose of overseeing the security of personal data and implementation of the provisions of the Act.
• Power of Authority to Exempt: Both the 2011 Bill and 2014 Bill contain provisions that enable the Authority to waive the applicability of specific provisions of the Act. The circumstances on which this can be done are based on the exceptions to the Right to Privacy in both the 2011 and 2014 Bill. To this extent, the 2014 Bill differs slightly from the 2011 Bill, by removing the power of the Authority to exempt for the ‘detection of crime’ and ‘any other legitimate purpose mentioned in this Act’ .

• The Data Protection Authority: The 2011 Bill and 2014 Bill both establish Data Protection Authorities, but the 2014 Bill further clarifies certain aspects of the functioning of the Authority and expands the functions and the powers of the Authority.  For example, new functions of the Authority include:

1. Auditing any or all personal data controlled by the data controller to assess whether it is being maintained in accordance with the Act,
2. Suggesting international instruments relevant to the administration of the Act,
3. Encouraging industry associations to evolve privacy standards for self regulations, adjudicating on disputes arising between data controllers or between individuals and data controllers.

The 2014 Bill also expands the powers of the Data Protection Authority – importantly giving him the power to receive, investigate complaints about alleged violations of privacy and issue appropriate orders or directions.

At the same time, the 2014 Bill carves out an exception for Government Intelligence Agencies and Law Enforcement agencies – preventing the Authority from conducting investigations, issuing appropriate orders or directions, and adjudicating complaints in respect to actions taken by the Government Intelligences Agencies and Law Enforcement,  if for the objectives of  (a) sovereignty, integrity or security of India; or(b) strategic, scientific or economic interest of India; or(c) preventing incitement to the commission of any offence, or (d) prevention of public disorder, or(e) the investigation of any crime; or (f) protection of rights and freedoms of others; or (g) friendly relations with foreign states; or (h) any other legitimate purpose mentioned in this Act.

This power is instead vested with a court of competent jurisdiction.

• The National Data Controller Registry: The 2014 Bill removes the National Data Controller Registry and requirements for data controllers to register themselves and oversight of the Registry by the Data Protection Authority.
• Direct Marketing: Both the 2011 and 2014 Bills contain provisions regulating the use of personal information for direct marketing purposes. Though the provisions are broadly the same, the 2011 Bill envisions that no person will undertake direct marketing unless he/she is registered in the ‘National Data Registry’  and one of the stated purposes is direct marketing. As the 2014 Bill removes the National Data Registry, the 2014 Bill now requires that any person undertaking direct marketing must have on record where he/she has obtained personal data from.
• Interception of Communications: Though maintaining some of the safeguards defined in the 2011 Bill for interception,  2014 Bill changes  the interception regime envisioned in the 2011 Bill by carving out a wide exception for organizations monitoring the electronic mail of employees,  removing provisions requiring the interception take place only for the minimum period of time required for achieving the purposes, and removing provisions excluding the use of intercepted communications as evidence in a court of law. Similar to the 2011 Bill, the 2014 Bill specifies that the principles of notice, choice and consent, access and correction, and openness will not apply to the interception of communications.
• Video Recording Equipment in public places: Unlike the 2011 Bill, which addressed only the use of CCTV’s, the 2014 Bill addresses the installation and use of video recording equipment in public places. Though both the 2011 Bill and 2014 Bill both prevent the use of recording equipment and CCTVs for the purpose of identifying an individual, monitoring his personal particulars, or revealing personal, or otherwise adversely affecting his right to privacy - the 2014 Bill requires that the use of recording equipment must be in accordance with procedures, for a legitimate purpose, and proportionate to the objective for which the equipment was installed.

The 2014 Bill makes a broad exception to these safeguards for law enforcement agencies and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific, or economic interest of India.

• Privacy Standards and Self Regulation: The 2014 Bill establishes a specific mechanism of self regulation where industry associations will develop privacy standards and adhere to them.  For this purpose, an industry ombudsman should be appointed. The standards must be in conformity with the National Privacy Principles and the provisions of the Privacy Bill. The developed standards will be submitted to the Authority and the Authority may frame regulations based on the standards. If an industry association has not developed privacy standards, the Authority may frame regulations for a specific sector.
• Settlement of Disputes and Appellate Tribunal: The 2014 Bill makes significant change to the process for settling disputes from the 2011 Bill. In the 2014 Bill an Alternative Dispute Mechanism is established where disputes between individuals and data controllers are first addressed by the Privacy Officer of each Data Controller or the industry level Ombudsman. If individuals are not satisfied with the decision of the Ombudsman they may take the complaint to the Authority. Individuals can also take the complaint directly to the Authority if they wish.  If an individual is aggrieved with the decision of the Authority, by a privacy officer or ombudsman through the Alternative Dispute Resolution mechanism, or by the adjudicating officer of the Authority, they may approach the Appellate Tribunal. Any order from the Appellate Tribunal can be appealed at a high court.

In the 2011 Bill disputes between the data controller and an individual can be taken directly to the Appellate Tribunal and orders from the Authority can be appealed at the Tribunal. There is not further path for appeal to an order of the tribunal.

• Offences and Penalties: The 2014 Bill changes the structure of the offences and penalties section by breaking the two into separate sections - one addressing offences and one addressing penalties while the 2011 Bill addressed offences and penalties in the same section.

• Offences: The 2014 Bill penalizes every offence with imprisonment and a fine and empowers a police officer not below the rank of Deputy Superintendent of Police to investigate any offence, limits the courts ability to take cognizance of an offence to only those brought by the Authority, requires that the Court be no lower than a Chief Metropolitan Magistrate or a Chief Judicial Magistrate, and permits courts to compound offences. The 2014 Bill further specifies that any offence that is punishable with three years in prison and above is cognizable, and offences punishable with three years in prison are bailable. . Under the 2014 Bill offences are defined as:

1. Unauthorized interception of communications
2. Disclosure of intercepted communications
3. Undertaking unauthorized Covert Surveillance
4. Unauthorized use of disclosure of communication data

The offences defined under the Act are reflected in the 2011 Bill, but the time in prison and fine is higher in the 2014 Bill.

Penalties: The 2014 Bill provides a list of penalties including:

1. Penalty for obtaining personal data on false pretext
2. Penalty for violation of conditions of license pertaining to maintenance of secrecy and confidentiality by telecommunications service providers
3. Penalty for disclosure of other personal information
4. Penalties for contravention of directions of the Authority
5. Penalties for data theft
6. Penalties for unauthorised collection, processing, and disclosure of personal data
7. Penalties for unauthorized use of personal data for direction marketing. These penalties reflect the penalties in the 2011 bill, but prescribe higher fines
   
   

Adjudicating Officer: Unlike the 2011 Bill that did not have in place an adjudicating officer, the 2014 Bill specifies that the Chairperson of the Authority will appoint a Member of the Authority not  below the Rank of Director of the Government of India to be an adjudicating officer. The adjudicating officer will have the power to impose a penalty and will have the same powers as vested in a civil court under the Code of Civil Procedure. Every proceeding before the adjudicating officer will be considered a judicial processing. When adjudicating the officer must take into consideration the amount of disproportionate gain or unfair advantage, the amount of loss caused, the respective nature of the default

Civil Remedies and compensation: Both the 2011 and 2014 Bill contain provisions that permit an individual to pursue a civil remedy, but the 2014 Bill limits these instances to - if loss or damage has been suffered or an adverse determination is made about an individual due to negligence on complying with the Act, and provides for the possibility that the contravening parties will have to provide a public notice of the offense.

The 2014 Bill removes provisions specifying that individuals that have suffered loss due to a contravention by the data controller of the Act are entitled to compensation.

Exceptions for intelligence agencies:  Unlike the 2011 Bill, the 2014 Bill includes an exception for Government Intelligence Agencies and Law Enforcement Agencies – stating that the Authority will not have the power to conduct investigations, issue appropriate orders and directions or otherwise adjudicate complaints in respect of action taken by the Government intelligence agencies and Law  Enforcement agencies for achieving any of the objectives that reflect the defined exceptions to privacy.

The Centre for Internet and Society welcomes many of the changes that are reflected in the Privacy Bill 2014, but are cautious about the wide exceptions that have been carved out for law enforcement and intelligence agencies in the Bill.

In 2012, the Report of Group of Expert s on Privacy was developed for the purpose of informing a privacy framework for India. As such the Centre for Internet and Society will be analyzing in upcoming posts the draft Privacy Bill 2014 and the recommendations in the Report of the Group of Experts on Privacy.

Introduction:

1. Shielding the Messengers: Protecting Platforms for Expression and Innovation. The Centre for Democracy and Technology. December 2012, available at: https://www.cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf: This paper analyses the impact that intermediary liability regimes have on freedom of expression, privacy, and innovation. In doing so, the paper highlights different models of intermediary liability regimes, reviews different technological means of restricting access to content, and provides recommendations for intermediary liability regimes and provides alternative ways of addressing illegal content online.
2. Internet Intermediaries: Dilemma of Liability: Article 19. 2013, available at: http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf:This Policy Document reviews different components of intermediary liability and highlights the challenges and risks that current models of liability have to online freedom of expression. Relying on international standards for freedom of expression and comparative law,  the document includes recommendations and alternative models that provide stronger protection for freedom of expression. The key recommendation in the document include: web hosting providers or hosts should be immune from liability to third party content if they have not modified  the content, privatised enforcement should not be a model and removal orders should come only from courts or adjudicatory bodies, the model of notice to notice should replace notice and takedown regimes, in cases of alleged serious criminality clear conditions should be in place and defined.
3. Comparative Analysis of the National Approaches to the Liability of Internet Intermediaries: Prepared by Daniel Seng for WIPO, available at http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf:This Report reviews the intermediary liability regimes and associated laws in place across fifteen different contexts with a focus on civil copyright liability for internet intermediaries. The Report seeks to find similarities and differences across the regimes studied and highlight  principles and components in different that can be used in international treaties and instruments, upcoming policies, and court decisions.
4. Freedom of Expression, Indirect Censorship, & Liability for Internet Intermediaries. The Electronic Frontier Foundation. February 2011, available at: http://infojustice.org/download/tpp/tpp-civil-society/EFF%20presentation%20ISPs%20and%20Freedom%20of%20Expression.pdf:This presentation was created for the Trans-Pacific Partnership Stakeholder Forum in Chile and highlights that for freedom of expression to be protected, clear legal protections for internet intermediaries are needed and advocates for a regime that provides blanket immunity to intermediaries or is based on judicial takedown notices.
5. Study on the Liability of Internet Intermediaries. Contracted by the European Commission. 2007, available at: http://ec.europa.eu/internal_market/e-commerce/docs/study/liability/final_report_en.pdf. This Report provides insight on the application of the intermediary liability sections of the EU e-commerce directive  and studies the impact of the regulations under the Directive on the functioning of intermediary information society services. To achieve this objective, the study identifies relavant case law across member states, calls out and evaluates developing trends across Member States, and draws conclusions.
6. Internet Intermediary Liability: Identifying Best Practices for Africa. Nicolo Zingales for the Association for Progressive Communications,  available at: https://www.apc.org/en/system/files/APCInternetIntermediaryLiability_BestPracticesAfrica_20131125.pdf: This background paper seeks to identify challenges and opportunities in addressing intermediary liability for countries in the African Union and recommend safeguards that can be included in emerging intermediary liability regimes in the context of human rights. The paper also reviews different models of intermediary liability and discusses the limitations, scope, and modes of operation of each model.
7. The Liability of Internet Intermediaries in Nigeria, Kenya, South Africa, and Uganda: An uncertain terrain. Association for Progressive Communications. October 2012, available at: http://www.academia.edu/2484536/The_liability_of_internet_intermediaries_in_Nigeria_Kenya_South_Africa_and_Uganda_An_uncertain_terrain:This Report reviews intermediary liability in Nigeria, Kenya, South Africa and Uganda – providing background to the political context, relevant legislation, and present challenges . In doing so, the Report provides insight into how intermediary liability has changed in recent years in these contexts and explores past and present debates on intermediary liability. The Report concludes with recommendations for stakeholders affected by intermediary liability.
8. The Fragmentation of intermediary liability in the UK. Daithi Mac Sithigh. 2013, available at: http://jiplp.oxfordjournals.org/content/8/7/521.full.pdf?keytype=ref&ijkey=zuL8aFSzKJqkozT. This article looks at the application of the Electronic Commerce Directive across Europe and argues that it is being intermixed and subsequently replaced with provisions from national legislation  and provisions of law from area specific legislation. Thus, the article argues that systems for intermediary liability are diving into multiple systems – for example for content related to copyright intermediaries are being placed with new responsibilities while for content related to defamation, there is a reducing in the liability that intermediaries are held to.
9. Regimes of Legal Liability for Online Intermediaries: an Overview. OECD, available at:  http://www.oecd.org/sti/ieconomy/45509050.pdf. This article provides an overview of different intermediary liability regimes  including EU and US.
10. Closing the Gap: Indian Online Intermediaries and a Liability System Not Yet Fit for Purpose. GNI. 2014, available at: http://www.globalnetworkinitiative.org/sites/default/files/Closing%20the%20Gap%20-%20Copenhagen%20Economics_March%202014_0.pdf.  This Report argues that the provisions of the Information Technology Act 2000 are not adequate to deal with ICT innovations , and argues that the current liability regime in India is hurting the Indian internet economy.
11. Intermediary Liability in India. Centre for Internet and Society. 2011, available at: http://cis-india.org/internet-governance/intermediary-liability-in-india.pdf. This report reviews and ‘tests’  the effect of the Indian intermediary liability on freedom of expression. The report concludes that the present regime in India has a chilling effect on free expression and offers recommendations on how the Indian regime can be amended to protect this right.
12. The Liability of Internet Service providers and the exercise of the freedom of expression in Latin America have been explored in detail through the course of this research paper by Claudio Ruiz Gallardo and J. Carlos Lara Galvez. The paper explores the efficacy and the implementation of proposals to put digital communication channels under the oversight of certain State sponsored institutions in varying degrees. The potential consequence of legal intervention in media and digital platforms, on the development of individual rights and freedoms has been addressed through the course of this study. The paper tries to arrive at relevant conclusions with respect to the enforcement of penalties that seek to redress the liability of communication intermediaries and the mechanism that may be used to oversee the balance between the interests at stake as well as take comparative experiences into account. The paper also analyses the liability of technical facilitators of communications while at the same time attempting to define a threshold beyond which the interference into the working of these intermediaries may constitute an offence of the infringement of the privacy of users. Ultimately, it aims to derive a balance between the necessity for intervention, the right of the users who communicate via the internet and interests of the economic actors who may be responsible for the service: http://www.palermo.edu/cele/pdf/english/Internet-Free-of-Censorship/02-Liability_Internet_Service_Providers_exercise_freedom_expression_Latin_America_Ruiz_Gallardo_Lara_Galvez.pdf

---

Click to read the newsletter from the Association of Progressive Communications. The summaries for the reports can be found below:

Internet Intermediaries: The Dilemma of Liability in Africa. APC News, May 2014, available at: http://www.apc.org/en/node/19279/. This report summarizes the challenges facing internet content regulators in Africa, and the effects of these regulations on the state of the internet in Africa. Many African countries do not protect intermediaries from potential liability, so some intermediaries are too afraid to transmit or host content on the internet in those countries. The report calls for a universal rights protection for internet intermediaries.

APC’s Frequently Asked Questions on Internet Intermediary Liability:  APC, May 2014, available at: http://www.apc.org/en/node/19291/. This report addresses common questions pertaining to internet intermediaries, which are entities which provide services that enable people to use the internet, from network providers to search engines to comments sections on blogs. Specifically, the report outlines different models of intermediary liability, defining two main models. The “Generalist” model intermediary liability is judged according to the general rules of civil and criminal law, while the “Safe Harbour” model protects intermediaries with a legal safe zone.

New Developments in South Africa: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-new-developments-south-afri. This interview with researchers Alex Comninos and Andrew Rens goes into detail about the challenges of intermediary in South Africa. The researchers discuss the balance that needs to be struck between insulating intermediaries from a fear of liability and protecting women’s rights in an environment that is having trouble dealing with violence against women. They also discuss South Africa’s three strikes policy for those who pirate material.

Preventing Hate Speech Online In Kenya: APCNews, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-preventing-hate-speech-onli. This interview with Grace Githaiga investigates the uncertain fate of internet intermediaries under Kenya’s new regime. The new government has mandated everyone to register their SIM cards, and indicated that it was monitoring text messages and flagging those that were deemed risky. This has led to a reduction in the amount of hate speech via text messages. Many intermediaries, such as newspaper comments sections, have established rules on how readers should post on their platforms. Githaiga goes on to discuss the issue of surveillance and the lack of a data protection law in Kenya, which she sees as the most pressing internet issue in Kenya.

New Laws in Uganda Make Internet Providers More Vulnerable to Liability and State Intervention: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-uganda-make-internet-providers-more-vulne. In an interview, Lilian Nalwoga discusses Uganda’s recent anti-pornography law that can send intermediaries to prison. The Anti-Pornography Act of 2014 criminalizes any sort of association with any form of pornography, and targets ISPs, content providers, and developers, making them liable for content that goes through their systems. This makes being an intermediary extremely risky in Uganda. The other issue with the law is a vague definition of pornography. Nalwoga also explains the Anti-Homosexuality Act of 2014 bans any promotion or recognition of homosexual relations, and the monitoring technology the government is using to enforce these laws.

New Laws Affecting Intermediary Liability in Nigeria: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-affecting-intermediary-liability-nigeria. Gbenga Sesan, executive director of Paradigm Initiative Nigeria, expounds on the latest trends in Nigerian intermediary liability. The Nigerian Communications Commission has a new law that mandates ISPs store users data for at least here years, and wants to make content hosts responsible for what users do on their networks. Additionally, in Nigeria, internet users register with their real name and prove that you are the person who is registration. Sesan goes on to discuss the lack of safe harbor provisions for intermediaries and the remaining freedom of anonymity on social networks in Nigeria.

Internet Policies That Affect Africans: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-internet-policies-affect-af. The Associsation for Progressive Communcations interviews researcher Nicolo Zingales about the trend among African governments establishing further regulations to control the flow of information on the internet and hold intermediaries liable for content they circulate. Zingales criticizes intermediary liability for “creating a system of adverse incentives for free speech.” He goes on to offer examples of intermediaries and explain the concept of “safe harbor” legislative frameworks. Asked to identify best and worst practices in Africa, he highlights South Africa’s safe harbor as a good practice, and mentions the registration of users via ID cards as a worst practice.

Towards Internet Intermediary Responsibility: Carly Nyst, November 2013, available at: http://www.genderit.org/feminist-talk/towards-internet-intermediary-responsibility. Nyst argues for a middle ground between competing goals in internet regulation in Africa. Achieving one goal, of protecting free speech through internet intermediaries seems at odds with the goal of protecting women’s rights and limiting hate speech, because one demands intermediaries be protected in a legal safe harbor and the other requires intermediaries be vigilant and police their content. Nyst’s solution is not intermediary liability but responsibility, a role defined by empowerment, and establishing an intermediary responsibility to promote positive gender attitudes.

The 2014 seminar is jointly organized by the Center for Global Communication Studies (CGCS) at the University of Pennsylvania’s Annenberg School for Communication, the American Austrian Foundation (AAF), and the Diplomatic Academy of Vienna (DA).  For more information visit the seminar webpage and Facebook Page. Dr. Nishant Shah is the co-founder and Director-Research at the Centre for Internet and Society, Bangalore, India.

Nishant Shah's post was published on April 1st, 2014 | by cgcsblog

---

An imagined and perceived gap between the global and the local informs transnational politics and internet policy. The global views the local as both the site upon which the global can manifest itself as well as the microcosm that supports and strengthens global visions by providing mutations, adaptations and reengineering of the governance practices. The local is encouraged to connect with the global through a series of outward facing practices and policies, thus producing two separate domains of preservation and change.  On the one hand, the local, the organic and the traditional, needs to be preserved and make the transnational and the global the exotic other. On the other hand, the local also needs to be in a state of aspiration, transforming itself to belong to global networks of polity and policy that are deemed as desirable, especially for a development and rights based vision of societies.

While these negotiations and transactions are often fruitful and local, national, and transnational structures and mechanics have been developed to facilitate this flow, this relationship is precarious. There is an implicit recognition that the local and the transnational, dialectically produced, are often opaque categories and empty signifiers. They sustain themselves through unquestioned presumptions of particular attributes that are taken for granted in these interactions. There have been many different metaphors that have been used to understand and explain these complex transfers of knowledge and information, resources and capital, bodies and ideologies. Vectors, Flows, Disjunctures, Intersections are some of the examples. However, with the rise of the digital technologies and vocabularies, especially the internet, the metaphor of the Network with its distributed nodes has become one of the most potent explanations of contemporary politics. This idea of living in networked worlds is so seductive and ‘common-sense,’ that it has become an everyday practice to think of the global as a robust, never-ending, all-inclusive network where the local becomes an important node because it enables both connectivity within but also an expansion of the edges, in order to connect to that which is outside the traffic capacities of the network.

The ‘Network Society’ paradigm is distinct from earlier rubrics of information and open society that have informed existing information and communication policies. In this paradigm we have the opportunity to revisit and remap the ways in which local governments and populations function and how they produce locals who can feed into the transnational and global discourse. The network facilitates some knowledge that is valuable and allows us to map inequity and mal-distribution of resources by offering comparisons between the different nodes. Networks force our attention to the edges, the no-person’s-zone which is porous but still serves as an osmotic filter that often keeps the underprivileged and the unintelligible outside its fold. Networks as metaphors are valuable because they produce a cartographic vision of the world with multiple boundaries and layers, dealing with big data sets to create patterns that might otherwise be invisible. They enable the replication of models that can be further localised and adapted to fit the needs of the context.  Networks make the world legible – we write it through the lens of the network, intelligible – we understand it through the language and vocabulary of the network, and accessible – it allows for knowledge and practices to transfer across geographies and times.

At the same time, networks are a vicious form of organisation because they work through the logic of resource maximisation, efficiency and optimisation, often disallowing voices of dissent that threaten the consensus making mechanisms of the network. Networks have a self-referential relationship with reality because they produce accounts of reality which can easily stand in for the material and the real. They are the new narratives that can operate with existing data sets and produce such rich insights for analysis that we forget to account for that which cannot be captured in the database structures of these data streams. Networks work through a principle of homogeneity and records, thus precluding forms of operation which cannot be easily quantified.

Given this complex nature of networks and the fact that they are emerging as the de facto explanations of not only social and cultural relationships but also economic and political transactions, it might be fruitful to approach the world of policy and politics, the local and the transnational, through the lens of the network. Building a critique of the network while also deploying the network as a way to account for the governmental practices might produce key insights into how the world operates. What does it mean to imagine the world in the image of the internet as a gigantic network? What are the ways in which a networked visualisation of policy and governmental processes can help us analyse and understand contemporary politics? What tools can we develop to expose the limitations of a network paradigm and look at more inclusive and sensitive models for public discourse and participation? How do we document events, people, and drivers of political change that often get overlooked in the networked imagination of transnational politics? These are the kind of questions that the Center for Global Communication Study’s Internet Policy Observatory (IPO) could initiate, building empirical, qualitative and historical research to understand the complex state of policy making and its relationship with enforcement, operationalization and localisation.

Given the scope and scale of these questions, there are a few specific directions that can be followed to ensure that research is focused and concentrated rather than too vague and generalised:

1. Bird’s eye views: The big picture understanding of transnational political and policy networks is still missing from our accounts of contemporary discourse. While global representative networks of multi-stakeholder dialogues have been established, there is not enough understanding of how they generate traffic (information, knowledge, data, people, policies) within the network through the different nodes. Producing an annotated and visual network map that looks at the different structural and organisational endeavours and presences, based on available open public data, bolstered by qualitative interviews would be very useful both as a research resource but also an analytic prototype to understand the complex relationships between the various stakeholders involved in processes of political change.
2. Crisis Mapping: One of the most important things within Network studies is how the network identifies and resolves crises. Crises are the moment when the internal flaws, the structural weaknesses, and the fragile infrastructure become visible. The digital network, like the internet, has specific mechanisms of protecting itself against crises. However, the appearance of a crisis becomes an exciting time to look at the discrepancy between the ambition of the network and its usage. A crisis is generally a symptom that shows the potentials for radical subversion, overthrowing, questioning and the abuse of network designs and visions. Locating ICT related crises with historical and geographical focuses could similarly reveal the discrepancies of the processes of making policy and orchestrating politics.
3. Longitudinal Studies: The network remains strong because it works through a prototype principle. Consequently, no matter how large the network is, it is possible to splice, slice, and separate a small component of the network for deep dive studies. This microcosm offers rich data sets, which can then be applied across the network to yield different results. Further, working with different actors – from individual to the collective, from the informal the institutional – but giving them all equal valency provides a more equal view of the roles, responsibilities, and aspirations of the different actors involved in the processes. This kind of a longitudinal study, working on very small case-studies and then applying them to analyse the larger social and political conditions help in understanding the transnational and global processes in a new way.

These research based inquiries could result in many different outputs based on the key users that they are working with and for. The methods could be hybrid, using existing local and experimental structures, with predefined criteria for rigour and robustness. The research, given its nature, would necessitate working with existing networks and expanding them, thus building strong and sustainable knowledge networks that can be diverted towards intervention through capacity building and pedagogy directed at the different actors identified within these nodes.

---

Dr. Nishant Shah is the co-founder and Director-Research at the Centre for Internet and Society, Bangalore, India. He is an International Tandem Partner at the Centre for Digital Cultures, Leuphana University, Germany and a Knowledge Partner with the Hivos Knowledge Programme, The Netherlands. In these varied roles, he has been committed to producing infrastructure, frameworks and collaborations in the global south to understand and analyse the ways in which emergence and growth of digital technologies have shaped the contemporary social, political and cultural milieu. He is the editor for a series of monographs on ‘Histories of Internet(s) in India’ that looks at the complicated relationship that technologies have with questions of gender, sexuality, body, city, governance, archiving and gaming in a country like India. He is also the principle researcher for a research programme that produced the four-volume anthology ‘Digital AlterNatives With a Cause?’ that examines the ways in which young people’s relationship with digital technologies produces changes in their immediate environments.

Dr. Nishant Shah's column was published in the Indian Express on March 30, 2014.

---

Within the online space, where wonderments often run rife, and conspiracy theories travel at the speed of light, there are many dark recesses where netizens half-jokingly, self-referentially, in a spirit of part-truth, part-exaggeration, often wonder on what the real reason is for the internet to exist.

One suggestion, and probably the most persuasive one, drawing from the Broadway musical Avenue Q, is that the internet was made for porn. Positing a competing argument is a clowder of cat lovers, who insist that the internet was made for cats. Or, at least, it is definitely made of cats.

From the first internet memes like LOL Cats (and then subsequently Grumpy Cat, Ceiling Cat and Hipster Kitty), which had pictures of cats used for strong social, cultural and political commentary, to Caturday — a practice where users on the Web’s largest unmoderated discussion board, 4Chan, post pictures of cats every Saturday — cats are everywhere.

I want to add to this list and suggest that the internet was meant for “shame”. With the explosion of the interactive Web, more people getting access to mobile computing devices, and more websites inviting users to write reviews, leak pictures, expose videos and reveal more personal and private information online, there seems to be no doubt that we live in the age of digital shaming.

The aesthetic, also embedded in peer-to-peer platforms like chatroulete, or snapchat, where people often engage in sexting, is also becoming common in popular media. The ability to spy, to capture private images and videos, and expose the people who violate some imagined moral code has dangerous implications for the future of the Web and our own private lives. And as more of it goes unpunished and gets naturalised in our everyday digital practices, it is time to realise that the titillation it offers through scandal is far outweighed by the growing stress and grief it causes to victims. While there are some values to public shaming that ask for more transparency and accountability, we need to reflect on how it is creating societies of shame.

It sometimes emerges as an attempt to shame governments, private institutions, places of consumption, for compromise of the rights of the users.

Anything, from denial of service and corruption in government offices to bad food and substandard goods in restaurants and malls, is now reported in an attempt to shame the people responsible for it. This kind of “citizen journalism” allows for individual voices and experiences to be heard and documented, and the people in question are forced to be accountable for their jobs.

From fascinating websites like IPaidABribe.com to restaurant review sites like Zomato, we have seen an interesting phenomenon of “naming and shaming” that gives voice to individual discontent and anger. And so commonplace has this become, that most managers of different services and goods track, respond and mitigate the situation, often offering apologies and freebies to make up for that one bad experience.

Most big organisations have Twitter handles that function in a similar way, addressing grievances of users in real time, and helping to deliver better services and products. It is a new era of granular accountability that ensures that individual acts of discrimination, neglect or just disservice get reported and have direct impact on those responsible for it.

On the other end of the spectrum of this call for transparent and accountable structures, is the phenomenon of shaming and cyber bullying that is also increasing, especially with digital natives who spend more time online. On social networking sites, it has become almost passé, for personal and sensitive information to be leaked in order to shame and expose a person’s weaknesses and vulnerabilities. Especially for young teens who might be in a disadvantaged position — for reasons of sexual orientation, location, practices or interests — the shaming through exposing their private information often creates extremely traumatic conditions, even leading people to take their lives.
Shaming takes up particularly dire forms on websites and platforms that are designed to leak this kind of information. Hunter Moore, who has recently earned the title of being the most hated man on the internet, was the founder of a revenge-porn website, which invited male users to reveal sexual and embarrassing pictures of their former girlfriends and even spouses, to reveal them in compromising positions and shame them for being “sluts”.

Moore’s website has been shut down now and he is facing multiple charges of felony in the US, but that one site was just the tip of the iceberg. Slut shaming and trying to humiliate women has become a strong underground practice on the dark web. Hidden by anonymity and the security that the Web can sometimes offer, people betray the trust of their friends and lovers and expose them to be punished by voyeuristic audiences.

---

The article was published in Yojana (April 2014 Issue). Click to download the original here. (PDF, 177 Kb)

---

The role of the US perceived by some as the benevolent dictator or primary steward of the Internet because of history, technology, topology and commerce came under scrutiny again. The I star bodies also known as the technical community - Internet Corporation for Assigned Names and Numbers (ICANN); five Regional Internet Registries (RIRs) ie. African,  American, Asia-Pacific, European and Latin American; two standard setting organisations - World Wide Web Consortium (W3C) & Internet Engineering Task Force (IETF); the Internet Architecture Board (IAB); and Internet Society (ISOC) responded by issuing the Montevideo Statement [1] on the 7th of October. The statement expressed "strong concern over the undermining of the trust and confidence of Internet users globally due to recent revelations of pervasive monitoring and surveillance." It called for  "accelerating the globalization of ICANN and IANA functions..." - did this mean that the I star bodies were finally willing to end the special role that US played in Internet governance? However, that dramatic shift in position was followed with the following qualifier "...towards an environment in which all stakeholders, including all governments, participate on an equal footing." Clearly indicating that for the I star bodies multistakeholderism was non-negotiable.  Two days later President Rousseff after a meeting with Fadi Chehadé, announced on Twitter that Brazil would host "an international summit of governments, industry, civil society and academia." [2] The meeting has now been dubbed Net Mundial and 188 proposals for “principles” or “roadmaps for the further evolution of the Internet governance ecosystem” have been submitted for discussion in São Paulo on the 23rd and 24th of April. The meeting will definitely be an important milestone for multilateral and multi-stakeholder mechanisms in the ecosystem.

It has been more than a decade since this debate between multilateralism and multi-stakeholderism has ignited. Multistakeholderism is a form of governance that seeks to ensure that every stakeholder is guaranteed a seat at the policy formulation table (either in consultative capacity or in decision making capacity depending who you ask). The Tunis Agenda, which was the end result of the 2003-05 WSIS upheld the multistakeholder mode. The 2003–2005 World Summit on the Information Society process was seen by those favouring the status quo at that time as the first attempt by the UN bodies or multilateralism - to takeover the Internet. However, the end result i.e. Tunis Agenda [3] clarified and reaffirmed multi-stakeholderism as the way forward even though multilateral governance mechanisms were also accepted as a valid component of Internet governance. The list of stakeholders included states, the private sector, civil society, intergovernmental organisations, international standards organisations and the “academic and technical communities within those stakeholder groups mentioned” above. The Tunis Agenda also constituted the Internet Governance Forum (IGF) and the process of Enhanced Cooperation.

The IGF was defined in detail with a twelve point mandate including to “identify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations.” In brief it was to be a learning Forum, a talk shop and a venue for developing soft law not international treaties. Enhanced Cooperation was defined as “to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues” –  and to this day, efforts are on to define it more clearly.

Seven years later, during the World Conference on Telecommunication in Dubai, the status quoists dubbed it another attempt by the UN to take over the Internet. Even those non-American civil society actors who were uncomfortable with US dominance were willing to settle for the status quo because they were convinced that US court would uphold human rights online more robustly than most other countries. In fact, the US administration had laid a good foundation for the demonization of the UN and other nation states that preferred an international regime. "Internet freedom" was State Department doctrine under the leadership of Hillary Clinton. As per her rhetoric – there were good states, bad states and swing states. The US, UK and some Scandinavian countries were the defenders of freedom. China, Russia and Saudi Arabia were examples of authoritarian states that were balkanizing the Internet. And India, Brazil and Indonesia were examples of swing states – in other words, they could go either way – join the good side or the dark side.

But Internet freedom rhetoric was deeply flawed. The US censorship regime is really no better than China’s. China censors political speech – US censors access to knowledge thanks to the intellectual property (IP) rightsholder lobby that has tremendous influence on the Hill. Statistics of television viewership across channels around the world will tell us how the majority privileges cultural speech over political speech on any average day. The great firewall of China only affects its citizens – netizens from other jurisdictions are not impacted by Chinese censorship. On the other hand, the US acts of censorship are usually near global in impact.

This is because the censorship regime is not predominantly based on blocking or filtering but by placing pressure on identification, technology and financial intermediaries thereby forcing their targets offline. When it comes to surveillance, one could argue that the US is worse than China. Again, as was the case with censorship, China only conducts pervasive blanket surveillance upon its citizens – unlike US surveillance, which not only affects its citizens but targets every single user of the Internet through a multi-layered approach with an accompanying acronym soup of programmes and initiatives that include malware, trojans, software vulnerabilities, back doors in encryption standards, over the top service providers, telcos, ISPs, national backbone infrastructure and submarine fibre optic cables.

Security guru Bruce Schneier tells us that "there is no security without privacy. And liberty requires both security and privacy.” Blanket surveillance therefore undermines the security imperative and compromises functioning markets by make e-commerce, e-banking, intellectual property, personal information and confidential information vulnerable. Building a secure Internet and information society will require ending mass surveillance by states and private actors.

The Opportunity for India

Unlike the America with its straitjacketed IP regime, India believes that access to knowledge is a precondition for freedom of speech and expression. As global intellectual property policy or access to knowledge policy is concerned, India is considered a leader both when it comes to domestic policy and international policy development at the World Intellectual Property Organisation. From the 70s our policy-makers have defended the right to health in the form of access to medicines. More recently, India played a critical role in securing the Marrakesh Treaty for Visually Impaired Persons in June 2013 which introduces a user right [also referred to as an exception, flexibility or limitation] which allows the visually impaired to convert books to accessible formats without paying the copyright-holder if an accessible version has not been made available. The Marrakesh Treaty is disability specific [only for the visually impaired] and works specific [only for copyright]. This is the first instance of India successfully exporting policy best practices. India's exception for the disabled in the Copyright Act unlike the Marrakesh Treaty, however, is both disability-neutral and works-neutral.

Given that the Internet is critical to the successful implementation of the Treaty ie. cross border sharing of works that have been made accessible to disabled persons in one country with the global community, it is perhaps time for India to broaden its influence into the sphere of Internet governance and the governance of information societies more broadly.

Post-Snowden, the so called swing states occupy the higher moral ground. It is time for these states to capitalize on this moment using strong political will. Instead of just being a friendly jurisdiction from the perspective of access to medicine, it is time for India to also be the enabling jurisdiction for access to knowledge more broadly. We could use patent pools and compulsory licensing to provide affordable and innovative digital hardware [especially mobile phones] to the developing world. This would ensure that rights-holders, innovators, manufactures, consumers and government would all benefit from India going beyond being the pharmacy of the world to becoming the electronics store of the world. We could explore flat-fee licensing models like a broadband copyright cess or levy to ensure that users get content [text, images, video, audio, games and software] at affordable rates and rights-holders get some royalty from all Internet users in India. This will go a long way in undermining the copyright enforcement based censorship regime that has been established by the US. When it comes to privacy – we could enact a world-class privacy law and establish an independent, autonomous and proactive privacy commissioner who will keep both private and state actors on a short lease. Then we need a scientific, targeted surveillance regime that is in compliance with human rights principles. This will make India simultaneously an IP and privacy haven and thereby attract huge investment from the private sector, and also earn the goodwill of global civil society and independent media. Given that privacy is a precondition for security, this will also make India very secure from a cyber security perspective. Of course this is a fanciful pipe dream given our current circumstances but is definitely a possible future for us as a nation to pursue.

What is the scope of Internet Governance?

Part of the tension between multi-stakeholderism and multilateralism is that there is no single, universally accepted definition of Internet governance. The conservative definitions of Internet Governance limits it to management of critical Internet resources, including the domain name system, IP addresses and root servers – in other words, the ICANN, IANA functions, regional registries and other I* bodies. This is where US dominance has historically been most explicit. This is also where the multi-stakeholder model has clearly delivered so far and therefore we must be most careful about dismantling existing governance arrangements. There are very broadly four approaches for reducing US dominance here – a) globalization [giving other nation-states a role equal to the US within the existing multi-stakeholder paradigm], b) internationalization [bring ICANN, IANA functions, registries and I* bodies under UN control or oversight], c) eliminating the role for nation states in the IANA functions[4] and d) introducing competitors for names and numbers management. Regardless of the final solution, it is clear that those that control domain names and allocate IP addresses will be able to impact the freedom of speech and expression. The impact on the national security of India is very limited given that there are three root servers [5] within national borders and it would be near impossible for the US to shut down the Internet in India.

For a more expansive definition – The Working Group on Internet Governance report[6] has four categories for public policy issues that are relevant to Internet governance:

“(a) Issues relating to infrastructure and the management of critical Internet resources, including administration of the domain name system and Internet protocol addresses (IP addresses), administration of the root server system, technical standards, peering and interconnection, telecommunications infrastructure, including innovative and convergent technologies, as well as multilingualization. These issues are matters of direct relevance to Internet governance and fall within the ambit of existing organizations with responsibility for these matters;

(b) Issues relating to the use of the Internet, including spam, network security and cybercrime. While these issues are directly related to Internet governance, the nature of global cooperation required is not well defined;

(c)Issues that are relevant to the Internet but have an impact much wider than the Internet and for which existing organizations are responsible, such as intellectual property rights (IPRs) or international trade. ...;

(d) Issues relating to the developmental aspects of Internet governance, in particular capacity-building in developing countries.”

Some of these categories are addressed via state regulation that has cascaded from multilateral bodies that are associated with the United Nations such as the World Intellectual Property Organisation for "intellectual property rights" and the International Telecommunication Union for “telecommunications infrastructure”. Other policy issues such as  "cyber crime" are currently addressed via plurilateral instruments – for example the Budapest Convention on Cybercrime – and bilateral arrangements like Mutual Legal Assistance Treaties. "Spam" is currently being handled through self-regulatory efforts by the private sector such as Messaging, Malware and Mobile Anti-Abuse Working Group.[7] Other areas where there is insufficient international or global cooperation include "peering and interconnection" - the private arrangements that exist are confidential and it is unclear whether the public interest is being adequately protected.

So who really governs the Internet?

So in conclusion, who governs the Internet is not really a useful question. This is because nobody governs the Internet per se. The Internet is a diffuse collection of standards, technologies and actors and dramatically different across layers, geographies and services. Different Internet actors – the government, the private sector, civil society and the technical and academic community are already regulated using a multiplicity of fora and governance regimes – self regulation, coregulation and state regulation. Is more regulation always the right answer? Do we need to choose between multilateralism and multi-stakeholderism? Do we need stable definitions to process? Do we need different version of multi-stakeholderism for different areas of governance for ex. standards vs. names and numbers? Ideally no, no, no and yes. In my view an appropriate global governance system will be decentralized, diverse or plural in nature yet interoperable, will have both multilateral and multistakeholder institutions and mechanisms and will be as interested in deregulation for the public interest as it is in regulation for the public interest.

---

[1]. Montevideo Statement on the Future of Internet Cooperation https://www.icann.org/en/news/announcements/announcement-07oct13-en.htm

[2]. Brazil to host global internet summit in ongoing fight against NSA surveillance http://rt.com/news/brazil-internet-summit-fight-nsa-006/

[3]. Tunis Agenda For The Information Society http://www.itu.int/wsis/docs2/tunis/off/6rev1.html

[4]. Roadmap for globalizing IANA: Four principles and a proposal for reform: a submission to the Global Multistakeholder Meeting on the Future of Internet Governance by Milton Mueller and Brenden Kuerbis March 3rd 2014  See: http://www.internetgovernance.org/wordpress/wp-content/uploads/ICANNreformglobalizingIANAfinal.pdf

[5]. Mumbai (I Root), Delhi (K Root) and Chennai (F Root). See: http://nixi.in/en/component/content/article/36-other-activities-/77-root-servers

[6]. Report of the Working Group on Internet Governance to the President of the Preparatory Committee of the World Summit on the Information Society, Ambassador Janis Karklins, and the WSIS Secretary-General, Mr Yoshio Utsumi. Dated:  14 July 2005 See: http://www.wgig.org/WGIG-Report.html

[7].Messaging, Malware and Mobile Anti-Abuse Working Group website See: http://www.maawg.org/

---

The author is is the Executive Director of the Centre for Internet and Society (CIS), Bangalore. He is also the founder of Mahiti, a 15 year old social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. He is an Ashoka fellow. For three years, he also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

The Committee on Civil Liberties, Justice and Home Affairs of the European Parliament in its draft report on global surveillance has issued a scathing indictment of the activities of the NSA and its counterparts in other member nations and is a welcome stance taken by an international body that is crucial to the fight against surveillance.

The "European Parliament Draft Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs" released on the 8^th of January, 2014, comprehensively details and critiques the mass surveillance being undertaken by government agencies in the USA as well as within the EU, from a human rights and privacy perspective. The report examines the extent to which surveillance systems are employed by the USA and EU member-states, and declares these systems in their current avatars to be unlawful and in breach of international obligations and fundamental constitutional rights including "the freedom of expression, of the press, of thought, of conscience, of religion and of association, private life, data protection, as well as the right to an effective remedy, the presumption of innocence and the right to a fair trial and non-discrimination".

Furthermore, the report points to the erosion of trust between the EU and the US as well as amongst member states as an outcome of such secret surveillance, and criticises and calls for a suspension of the data-sharing and transfer agreements like the Terrorist Finance Tracking Program (TFTP), which share personal information about EU citizens with the United States, after examining the inadequacy of the US Safe Harbour Privacy principles in ensuring the security of such information.

After considering the secret and unregulated nature of these programmes, the report points to the need of restricting surveillance systems and criticizes the lack of adequate data protection laws and privacy laws which adhere to basic principles such as necessity, proportionality and legality.. It also questions the underlying motives of these programmes as mere security-tools and points to the possible existence of political and economic motives behind their deployment. Recognizing the pitfalls of surveillance and the terrible potential for misuse, the report "condemns in the strongest possible terms the vast, systemic, blanket collection of the personal data of innocent people, often comprising intimate personal information; emphasises that the systems of mass, indiscriminate surveillance by intelligence services constitute a serious interference with the fundamental rights of citizens; stresses that privacy is not a luxury right, but that it is the foundation stone of a free and democratic society; points out, furthermore, that mass surveillance has potentially severe effects on the freedom of the press, thought and speech, as well as a significant potential for abuse of the information gathered against political adversaries."

Amongst the recommendations in the 51-page report are calls for a prohibition of mass surveillance and bulk data collection, and an overhaul of the existing systems of data-protection across the European Union and in the US to recognize and strengthen the right to privacy of their citizens, as well as the implementation of democratic oversight mechanisms to check security and intelligence agencies. It also calls for a review of data-transfer programmes and ensuring that standards of privacy and other fundamental rights under the European constitution are met. The committee sets out a 7-point plan of action, termed the European Digital Habeus Corpus for Protecting Privacy, including adopting the Data Protection Package, suspending data transfers to the US until a more comprehensive data protection regime is through an Umbrella Agreement, enhancing fundamental freedoms of expression and speech, particularly for whistleblowers, developing a European Strategy for IT independence and developing the EU as a reference player for democratic and neutral governance of the internet.

Though this draft report has no binding legal value as yet, the scathing criticism has assisted in calling to the attention of the global community the complex issues of internet governance and privacy and surveillance, and generated debate and discourse around the need for an overhaul of the current system. The recent decision of the US government to ‘democratize’ the internet by handing control of the DNS root zone to an international body, and thereby relinquishing a large part of its means of controlling the internet, is just one example of the systemic change that this debate is generating.

Recommendations in the Report of the Group of Experts on Privacy that are Incorporated in the 2014 Privacy Bill

Constitutional Right to Privacy

The Report of the Group of Experts on Privacy recommends that any privacy legislation for India specify the constitutional basis of a right to privacy. The 2014 Privacy Bill has done this, locating the Right to Privacy in Article 21 of the Constitution of India.

Nine National Privacy Principles

The Report of the Group of Experts on Privacy recommends that nine National Privacy Principles be adopted and applied to harmonize existing legislation and practices. The 2014 Privacy Bill also adopts nine National Privacy Principles. Though these principles differ slightly from the National Privacy Principles recommended in the Report, they are broadly the same, and importantly will apply to all existing and evolving practices, regulations and legislations of the Government that have or will have an impact on the privacy of any individual. Presently, the 2014 Privacy Bill locates the nine National Privacy Principles in an Annex to the Bill, but also incorporates the principles in more detail in sections relating to personal data.  An analysis of the principles as compared in the Report and the Bill is below:

• Notice: The principle of notice as recommended by the Report of the Group of Experts on Privacy differs from the principle of notice in the 2014 Privacy Bill.  According to the notice principle in the Report, a data controller shall give sample to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include: (during collection) What personal information is being collected; Purposes for which personal information is being collected; Uses of collected personal information; Whether or not personal information may be disclosed to third persons;  Security safeguards established by the data controller in relation to the personal information; Processes available to data subjects to access and correct their own personal information;  Contact details of the privacy officers and SRO ombudsmen for filing complaints. (Other Notices) Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.
  
  In contrast, the 2014 Privacy Bill requires that all the data controllers provide adequate and appropriate notice of their information practices in a form that is easily understood by all intended recipients. In addition to this principle as listed in an annex, the Bill requires that on initial collection data controllers provide notice of what personal data is being collected and the legitimate purpose for which the personal data is being collected. If the purpose for which the personal data changes, data controllers must provide data subjects with a further notice that would include the use to which the personal data shall be put, whether or not the personal data will be disclosed to at third person and, if so, the identity of such person if the personal data being collected is intended to be transferred outside India  and the reasons for doing so; how such transfer helps in achieving the legitimate purpose; and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data; the security and safeguards established by the data controller in relation to the personal data; the processes available to a data subject to access and correct his personal data; the recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto; the name, address and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller. Additionally, if a breach of data takes place data controllers must inform the affected data subject that lost or stolen; accessed or acquired by any person not authorized to do so; damaged, deleted or destroyed; processed, re-identified or disclosed in an unauthorized manner.
  
  Though the 2014 Privacy Bill requires a more comprehensive notice to be issued if the purpose for the use of personal data changes, it does not specify (as recommended by the Group of Experts on Privacy) that notice of changes to a data controller’s privacy policy be issued.

• Choice and Consent: The principle of choice and consent in the 2014 Privacy Bill is similar to the principle in the Report of the Group of Experts on privacy in that it requires that all data subjects be provided with a choice to provide or not to provide personal data and that data subject will have the option of withdrawing consent at any time. Though not a part of the specific principle on ‘choice and consent’ listed in the annex the 2014 Privacy Bill also contains provisions that address mandatory collection of information which require, as recommended by the Report of the Group of Experts, that the information is anonymoized. Furthermore, the 2014 Privacy Bill provides individuals an opt-in or opt-out choice with respect to the provision of personal data.
  
  Different from as recommended in the principle in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that in exception cases when it is not possible to provide a service with choice and consent, then choice and consent will not be required.

• Collection Limitation: The principle of collection limitation as recommended in the Report of the Group of Experts on Privacy and the principle of collection limitation in the Annex of the 2014 Privacy Bill are similar in that both require that only data that is necessary to achieve an identified purpose be collected. As recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill also requires that notice be provided prior to collection and content taken.

• Purpose Limitation: Though the principle of Purpose Limitation are similar in the Report of the Group of Experts on Privacy and the 2014 Privacy Bill as they both require personal data to be used only for the purposes for which it was collected and that the data must be destroyed after the purposes have been served, the 2014 Privacy Bill does not specify that information collected by a data controller must be adequate and relevant for the purposes for which they are processed. The 2014 Privacy Bill also incorporates elements from the principle of Purpose Limitation as defined by the Report of the Group of Experts in other parts of the Bill. For example, the 2014 Bill requires that notice be provided to the individual if there is a change in purpose for the use of the personal information, and designates a section on retention of personal data.

• Access and Correction: The principle of Access and Correction in the 2014 Privacy Bill reflects the principle of Access and Correction in the Report of the Group of Experts (though not verbatim). Importantly, the 2014 Privacy Bill incorporates the recommendation from the Report of the Group of Experts on Privacy that prohibits access to personal data if it will affect the privacy rights of another individual.

• Disclosure of Information: The principle of ‘Disclosure of Information’ in the Privacy Bill 2014 is similar to the principle of ‘Disclosure of Information’ as recommended in the Report of the Group of Experts on Privacy (though not verbatim).  As recommended this principle requires that personal data be disclosed to third parties only if informed consent has been taken from the individual and the third party is bound the adhere to all relevant and applicable privacy principles.

• Security: The principle of security in the 2014 Privacy Bill reflects the principle of Security recommended in the Report of the Group of Experts on Privacy and requires that personal data be secured through reasonable security safeguards against unauthorized access, destruction, use, modification, de-anonymization or unauthorized disclosure.

• Openness: The principle of Openness in the 2014 Privacy Protection Bill is similar to the principle of Openness recommended in the Report of the Group of Experts on Privacy in that it requires data controllers to make available to all individuals in an intelligible form, using clear and plain language, the practices, procedures, and policies, and systems that are in place to ensure compliance with the privacy principles. The principle in the 2014 Privacy Bill differs from the recommendation in the Report of the Group of Experts on Privacy in that it does not require data controllers to take necessary steps to implement practices, policies, and procedures in a manner proportional to the scale, scope, and sensitivity to the data they collect.

• Accountability: The principle of Accountability in the 2014 Privacy Bill is similar to the principle of Accountability as recommended in the Report of the Group of Experts as both require that the data controller is accountable for compliance with the national Privacy Principles.

Application to interception and access, video and audio recording, personal identifiers, bodily and genetic material: The Privacy Bill 2014 incorporates the recommendations from the Report of the Group of Experts on Privacy and specifies the way in which the National Privacy Principles will apply to the interception and access of communications, video and audio recording, and personal identifiers. But the 2014 Privacy Bill does not specify the application of the National Privacy Principles to bodily and genetic material (though this information is included in the definition of sensitive personal information).

With respect to the installation and operation of video recording equipment in a public space, the 2014 Privacy Bill requires that video recording equipment may only be used in accordance with a prescribed procedure and for a legitimate purpose that is proportionate to the objective for which it was installed. Furthermore, individuals cannot use video recording equipment for the purpose of identifying an individual, monitoring his personal particulars, or revealing in public his personal information. The provisions in the Bill that speak to storage, processing, retention, security, and disclosure of personal data apply to the installation and use of video recording equipment. As a note the 2014 Privacy Bill carves out an exception for law enforcement and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

With respect to the application of the National Privacy Principles to the interception of communications, the 2014 Privacy Bill lays down a regime for the interception of communications and specifies that the principles of notice, choice, consent, access and correction, and openness will apply to the interception of communications when authorised.

With respect to Personal Identifiers, the 2014 Privacy Bill notes that the principles of notice, choice, and consent will not apply to the collection of personal identifiers by the government. Additionally, the government will not be obliged to use any personal identifier only for the limited purpose for which the personal identifier was collected, provided that the use is in conformance with the other National Privacy Principles.

Additional Protection for Sensitive Personal Data

The Report of the Group of Experts on Privacy broadly recommends that sensitive personal data be afforded additional protection and existing definitions of sensitive personal data should be harmonised. The 2014 Privacy Bill incorporates these recommendations by defining sensitive personal data as data relating to physical and mental health including medical history, biometric, bodily or genetic information; criminal convictions;  password, banking credit and financial data; narco analysis or polygraph test data, sexual orientation. The 2014 Privacy Bill also requires authorization from the Data Protection Authority for the collection and processing of sensitive personal data and defines circumstances of when this authorization would not be required including:  collection or processing of such data is authorized by any other law for the time being in force; such data has already been made public as a result of steps taken by the data subject; collection and processing of such data is made in connection with any legal proceedings by an order of the competent court; such data relating to physical or mental health or medical history of an individual is collected and processed by a medical professional, if such collection and processing is necessary for medical care and health of that individual; such data relating to biometrics, bodily or genetic material, physical or mental health, prior criminal convictions or financial credit history is processed by the employer of an individual for the purpose of and in connection with the employment of that individual; such data relating to physical or mental health or medical history is collected an processed by an insurance company, if such processing is necessary for the purpose of and in connection with the insurance policy of that individual; such data relating to criminal conviction, biometrics and genetic is processed and collected by law enforcement agencies; such data regarding credit, banking and financial details of an individual is processed by a specific user under the Credit Information Companies (Regulation) Act, 2005; such data is processed by schools or other education institutions in connection with imparting of education to an individual;  such data is collected or processed by the government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India,  the authority has, by a general or specified order permitted the processing of such data for specific purpose and is limited to the extent of such permission. The 2014 Privacy Bill also prohibits additional transactions from being performed using sensitive personal information unless free consent was obtained for such transaction.

Privacy Officers

The Report of the Group of Experts on Privacy recommends that Privacy Officers be established at the organizational level for overseeing the processing of personal data and compliance with the Act. This recommendation has been incorporated in the 2014 Privacy Bill, which establishes Privacy Officers at the organizational level.

Co-regulatory Framework

The Report of the Group of Experts on Privacy recommends that a system of co-regulation be established, where industry levels self regulatory organizations develop privacy norms, which are in turn approved and enforced by the Privacy Commissioner. The 2014 Privacy Bill puts in place a similar co-regulatory framework where industry level self regulatory organizations can develop norms which will be turned into regulations and enforced by the Data Protection Authority. If a sector does not develop norms, the Data Protection Authority can develop norms for the specific sector.

Recommendations in the Report that are not in the Bill

Scope

The Report of the Group of Experts on Privacy recommends that the scope of any privacy framework extends to all individuals, all data processed in India, and all data originating from India.  The 2014 Privacy Bill differs from these recommendations by extending the right to privacy to all residents of India, while remaining silent on whether or not the scope of the legislation extends to all data processed in India and all data originating in India. Despite this, the 2014 Bill does specify that any organization that processes or deals with data of an Indian resident, but does not have a place of business within India, must establish a ‘representative resident’ in India who will be responsible for compliance with the Act.

Exceptions

The Report of the Group of Experts recommends the following as exceptions to the right to privacy:

1. National security
2. Public order
3. Disclosure in the public interest
4. Prevention, detection, investigation, and prosecution of criminal offenses
5. Protection of the individual and rights and freedoms of others

The Report further clarifies that any exception must be qualified and measured against the principles of proportionality, legality, and necessary in a democratic state.

The Privacy Bill 2014 reflects only the exception of  “protection of the individual rights and freedoms of others”. The exceptions as defined in the 2014 Bill are:

1. Sovereignty, integrity or security of India or
2. Strategic, scientific or economic interest of India; or
3. Preventing incitement to the commission of any offence; or
4. Prevention of public disorder; or
5. The investigation of any crime; or
6. Protection of rights and freedoms others; or
7. Friendly relations with foreign states; or
8. Any other legitimate purpose mentioned in this Act.

Instead of qualifying these exceptions with the principles of proportionality, legality, and necessary in a democratic state – as recommended in the Report of Group of Experts on Privacy, the 2014 Privacy Bill qualifies that any restriction must be adequate and not excessive to the objectives it aims to achieve.

Constitution of Infringement of Privacy

The Report of the Group of Experts on Privacy specifies that the publication of personal data for artistic and journalistic purposes in the public interest, disclosure under the Right to Information Act, 2005, and the use of personal data for household purposes should not constitute an infringement of privacy. In contrast the 2014 Privacy Bill specifies that the processing of personal data by an individual purely for his personal or household use, the disclosure of information under the provisions of the Right to information Act, 2005, and any other action specifically exempted under the Act will not constitute an infringement of privacy.

The Data Protection Authority

The Report of the Group of Experts on Privacy recommends the establishment of Privacy Commissioners (and places emphasis on Privacy Commissioner rather than Data Protection Authority) at the Central and Regional level. The Privacy Commissioner should  be of a rank no lower than a retired Supreme Court Judge at the Central level and a retired High Court Judge at the regional level. The privacy commissioner should have the power to receive and investigate class action complaints and investigative powers of the commissioner should include the power to examine and call for documents, examine witnesses, and take a case to court if necessary. The Commissioner should be able to investigate data controllers on receiving complaints or suo moto, and can order privacy impact assessments. Organizations should not be able to appeal fines levied by the Privacy Commissioner, but individuals can appeal a decision of the Privacy Commissioner to the court. The Commissioner should also have broad oversight with respect to interception/access, audio & video recordings, use of personal identifiers, and the use of bodily or genetic material. The Privacy Commissioner will also have the responsibility of approving codes of conduct developed by the industry level SRO’s.

Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill establishes a Data Protection Authority (as opposed to a Privacy Commissioner) at the Central level. Instead of creating regional Data Protection Authorities, the 2014 Privacy Bill allows for the Central Government to decide where other offices of the Data Protection Authority will be located. Furthermore, the 2014 Privacy Bill does not specify a qualification for the Data Protection Authority and instead establishes a selection committee to choose and appoint a Data Protection Authority. This committee is comprised of a Cabinet Secretary, Secretary to the Department of Personnel and Training, Secretary to the Department of Electronics and Information Technology, and two experts of eminence from relevant fields that will be nominated by the Central Government.

The 2014 Privacy Bill does not specify that fines ordered by the Data Protection Authority will be binding for organizations, but does allow individuals to appeal decisions of the Data Protection Authority to the Appellate Tribunal. Differing from the recommendations in the Report of the Group of Experts on Privacy,  the 2014 Privacy Bill gives the Data Protection Authority the power to call upon any data controller at any time to furnish in writing information or explanation relating to its affairs,  and receive and investigate complaints about alleged violations of privacy of individuals in respect of matters covered under this Act, conduct investigations and issue appropriate orders or directions to the parties concerned. Furthermore, the 2014 Privacy Bill does not specify that the Data Protection Authority will carry out privacy impact assessments, but the Authority can conduct audits of any or all personal data controlled by a data controller, can investigate data breaches, investigate in complaint received, and adjudicate on a dispute arising between data controllers or data subjects and data controllers.  Unlike the recommendations in the Report of the Group of Experts on Privacy, it does not seem that the Data Protection Authority will play an overseeing role with respect to interception, the use of video recording equipment, personal identifiers, and the use of bodily and genetic material.

Tribunal and System of Complaints

Differing from the recommendation in the Report of the Group of Experts on Privacy, which specified that a Tribunal should not be established as under the Information Technology Act as there is the risk that the institutions will not have the capacity to rule on a broad right to privacy, the 2014 Privacy Bill does establish a Tribunal under the Information Technology Act. The Report of the Group of Experts on Privacy also recommended that complaints be taken to the district level, high level, and Supreme Court – whereas the 2014 Privacy Bill allows individuals to appeal decisions from the Tribunal only to a High Court. Similar to the recommendations of the Report of the Group of Experts, the 2014 Privacy Bill has in place Alternative Dispute Resolution mechanisms at the level of the industry self regulatory organization.  The 2014 Privacy Bill also specifies that individuals can seek civil remedies and leaves the issuance of compensation for privacy harm to be from a Court. Unlike the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that the Data Protection Authority will be able to take a case to the court.

Penalties and Offenses

The Report of the Group of Experts on Privacy did not provide specific recommendations for types of offences and penalties, but did suggest that offenses similar to those spelled out in the UK Data Protection Act and Australian Privacy Act be adopted – namely non-compliance with the privacy principles, unlawful collection, processing, sharing/disclosure, access, and use of personal data, and obstruction of the privacy commissioner. The 2014 Privacy Bill does create offenses for the unlawful collection, processing, sharing/disclosure, access, and use of personal data, but does not create offenses for obstruction of the privacy commissioner or broad non-compliance with the privacy principles.

Conclusion

The Centre for Internet and Society welcomes the similarities between the recommendations in the Report of the Group of Experts on Privacy and the leaked 2014 Privacy Bill, but would recommend that on areas where there are differences, particularly in the scope of the Privacy Bill and the powers and functions of the Data Protection Authority, the 2014 Bill be brought in line with the recommendations from the Report of the Group of Experts on Privacy.

In the upcoming post, we will be comparing the text of the leaked 2014 Privacy Bill to international best practices and standards.

---

References

1. Leaked Privacy Bill: 2014 vs. 2011
2. Report of the Group of Experts on Privacy

Let us take, for the purposes of this post, the following definition:

“The idea that all Internet traffic should be treated equally is known as network neutrality. In other words, no matter who uploads or downloads data, or what kind of data is involved, networks should treat all of those packets in the same manner.”

In other words, put simply, net neutrality in its broadest form requires the extant gatekeepers of the internet – such as, for instance, broadband companies – to accord a form of equal and non-discriminatory treatment to all those who want to access the internet. Examples of possible discrimination – as the quote above illustrates – include, for instance, blocking content or providing differential internet speed (perhaps on the basis of a tiered system of payment for access).

Net neutrality has its proponents and opponents, and I do not have space here to address that dispute. In its broadest and absolutist form, net neutrality is highly controversial (including arguments that existing status quo is not neutral in any genuine sense). I take as given, however, that some form of net neutrality is both an important and a desirable goal. In particular, intentional manipulation of information that is available to internet users – especially for political purposes – is, I assume, an undesirable outcome, as are anti-competitive practices, as well as price-discrimination for the most basic access to the internet (this brief article in the Times of India provides a decent, basic primer on the stakes involved).

An example of net neutrality in practice is the American Federal Communications Commission’s Open Internet Order of 2010, which was the subject of litigation in the recently concluded Verizon v. FCC. The Open Internet order imposed obligations of transparency, no blocking, and no unreasonable discrimination, upon internet service providers. The second and third requirements were vacated by a United States Court of Appeals. The rationale for the Court’s decision was that ISPs could not be equated, in law, to “common carriers”. A common carrier is an entity that offers to transport persons and/or goods in exchange for a fee (for example, shipping companies, or bus companies). A common carrier is licensed to be one, and often, one of the conditions for license is an obligation not to discriminate. That is, the common carrier cannot refuse to carry an individual who is willing and able to pay the requisite fees, in the absence of a compelling reason (for example, if the individual wishes the carrier to transport contraband). Proponents of net neutrality have long called for treating ISPs as common carriers, a proposition – as observed above – was rejected by the Court.

With this background, let us turn to India. In India, internet service providers are both state-owned (BSNL and MTNL), and privately-owned (Airtel, Spectranet, Reliance, Sify etc). Unlike many other countries, however, India has no network-neutrality laws. As this informative article observes:

“The Telecom Regulatory Authority of India (TRAI), in its guidelines for issuing licences for providing Unified Access Service, promotes the principle of non-discrimination but does not enforce it… the Information Technology Act does not provide regulatory provisions relating to Internet access, and does not expressly prohibit an ISP from controlling the Internet to suit their business interests.”

In the absence of either legislation or regulation, there are two options. One, of course, is to invoke the rule of common carriers as a common law rule in court, should an ISP violate the principles of net neutrality. In this post (and the next), however, I would like to analyze net neutrality within a constitutional framework – in particular, within the framework of the constitutional guarantee of freedom of speech and expression.

In order to do so, two questions become important, and I shall address them in turn. First, given that most of the ISPs are privately owned, how does the Constitution even come into the picture? Our fundamental rights are enforceable vertically, that is, between individuals and the State, and not horizontally – that is, between two individuals, or two private parties. Where the Constitution intends to depart from this principle (for instance, Article 15(2)), it specifically and expressly states so. As far as Article 19 and the fundamental freedoms are concerned, however, it is clear that they do not admit of horizontal application.

Yet what, precisely, are we to understand by the term “State”? Consider Article 12:

“In this part, unless the context otherwise requires, the State includes the Government and Parliament of India and the Government and the Legislature of each of the States and all local or other authorities within the territory of India or under the control of the Government of India.”

The key question is what, precisely, falls within the meaning of “other authorities”. The paradigmatic example – and this is something Ambedkar had in mind, as is evidenced by the Constituent Assembly Debates – is the statutory corporation – i.e., a company established under a statute. There are, however, more difficult cases, for instance, public-private partnerships of varying types. For the last fifty years, the Supreme Court has struggled with the issue of defining “other authorities” for the purposes of Part III of the Constitution, with the pendulum swinging wildly at times. In the case of Pradeep Kumar Biswas v. Indian Institute of Chemical Biology, a 2002 judgment by a Constitution bench, the Court settled upon the following definition:

“The question in each case would be whether in the light of the cumulative facts as established, the body is financially, functionally and administratively dominated by or under the control of the Government. Such control must be particular to the body in question and must be pervasive. If this is found then the body is a State within Article 12. On the other hand, when the control is merely regulatory whether under statute or otherwise, it would not serve to make the body a State.”

Very obviously, this dooms the ISP argument. There is no way to argue that ISPs are under the pervasive financial, functional and administrative domination or control of the State. If we step back for a moment, though, the Pradeep Kumar Biswas test seems to be radically under-inclusive. Consider the following hypothetical: tomorrow, the government decides to privatize the nation’s water supply to private company X. Company X is the sole distributor of water in the country. On gaining control, it decides to cut off the water supply to all households populated by members of a certain religion. There seems something deeply wrong in the argument that there is no remedy under discrimination law against the conduct of the company.

The argument could take two forms. One could argue that there is a certain minimum baseline of State functions (ensuring reasonable access to public utilities, overall maintenance of communications, defence and so on). The baseline may vary depending on your personal political philosophy (education? Health? Infrastructure?), but within the baseline, as established, if a private entity performs a State function, it is assimilated to the State. One could also argue, however, that even if Part III isn’t directly applicable, certain functions are of a public nature, and attract public law obligations that are identical in content to fundamental rights obligations under Part III, although their source is not Part III.

To unpack this idea, consider Justice Mohan’s concurring opinion in Unnikrishnan v. State of Andhra Pradesh, a case that involved the constitutionality of high capitation fees charged by private educational institutions. One of the arguments raised against the educational institutions turned upon the applicability of Article 14’s guarantee of equality. The bench avoided the issue of whether Article 14 directly applied to private educational institutions by framing the issue as a question of the constitutionality of the legislation that regulated capitation fees. Justice Mohan, however, observed:

“What is the nature of functions discharged by these institutions? They discharge a public duty. If a student desires to acquire a degree, for example, in medicine, he will have to route through a medical college. These medical colleges are the instruments to attain the qualification. If, therefore, what is discharged by the educational institution, is a public duty that requires… [it to] act fairly. In such a case, it will be subject to Article 14.”

In light of Pradeep Kumar Biswas, it is obviously difficult to hold the direct application of the Constitution to private entities. We can take Justice Mohan, however, to be making a slightly different point: performing what are quintessentially public duties attract certain obligations that circumscribe the otherwise free action of private entities. The nature of the obligation itself depends upon the nature of the public act. Education, it would seem, is an activity that is characterized by open and non-discriminatory access. Consequently, even private educational institutions are required to abide by the norms of fairness articulated by Article 14, even though they may not, as a matter of constitutional law, be held in violation of the Article 14 that is found in the constitutional text. Again, the content of the obligation is the same, but its source (the constitutional text, as opposed to norms of public law) is different.

We have therefore established that in certain cases, it is possible to subject private entities performing public functions to constitutional norms without bringing them under Article 12’s definition of the State, and without the need for an enacted statute, or a set of regulations. In the next post, we shall explore in greater detail what this means, and how it might be relevant to ISPs and net neutrality.

---

Gautam Bhatia — @gautambhatia88 on Twitter — is a graduate of the National Law School of India University (2011), and presently an LLM student at the Yale Law School. He blogs about the Indian Constitution at http://indconlawphil.wordpress.com. Here at CIS, he will be blogging on issues of online freedom of speech and expression.

The article was originally published in GeneWatch (January - April 2014) issue.

---

Why should an organization that focuses on the Internet be invited to such a committee? There are some obvious reasons related to data protection and big data. CIS had previously served on the Justice AP Shah committee that was tasked by the Planning Commission to make recommendations on the draft Privacy Bill in 2012. There are also some less obvious connections, such as academic research into cyborgs wherein the distinction between human and machine/technology is blurred; where an insulin pump makes one realize that the Internet of Things could include the Internet of Body Parts. But for this note I will focus on biometrics - quantifiable data related to individual human characteristics - and their gate-keeping function on the Internet.

The bouquet of biometric options available to technologists is steadily expanding - fingerprint, palm print, face recognition, DNA, iris, retina, scent, typing rhythm, gait, and voice. Biometrics could be used as authentication or identification to ensure security and privacy. However, biometrics are different from other types of authentication and identification factors in three important ways that have implications for human rights in information societies and the Internet.

Firstly, biometrics allow for non-consensual authentication and identification. Newer, more advanced and more expensive biometric technologies usually violate human rights more extensively and intensively than older, more rudimentary and inexpensive biometrics. For example, it is possible to remotely harvest iris information when a person is wide awake without even being aware that their identification or authentication factors have been compromised. It isn't difficult to imagine ways to harvest someone's fingerprints and palm prints without their knowledge, and you cannot prevent a security camera from capturing your gait. You could use specialized software like Tor to surf the World Wide Web anonymously and cover your digital tracks, but it is much harder to leave no trail of DNA material in the real world.

Secondly, biometrics rely on probabilistic matching rather than discrete matching - unlike, for example, a password that you use on a social media platform. In the 2007 draft of India's current Human DNA Profiling Bill, the preamble said "the Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead, without any doubt." This extract from the bill was quoted in an ongoing court case to use tampered chain of custody for DNA as the means to seek exoneration of the accused. And the scientists on the committee insist that the DNA Data Bank Manager "...shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency ... as to whether the DNA profile received is already contained in the Data Bank" - in other words, a "yes" or "no" answer. This is indeed odd for those who come from the world of Internet policy - especially when one DNA lab worker confidentially shared that after a DNA profile was generated the "standard operating procedure" included checking it against the DNA profile of the lab worker to ensure that there was no contamination during the process of generating the profile. This would not be necessary for older forms of biometrics such as the process of developing a photograph. In other words, chain of custody issues with every generation of biometric technology are getting more and more complex. In the developing world, the disillusioned want to believe that "technology is the solution." The fallibility of technology must determine its evidentiary status.

Finally, biometrics are only machine-scrutable. This means machines and not human beings will determine whether you are guilty or innocent; whether you should get subsidized medicine, grain, or fuel; whether you can connect to the Internet via mobile phone, cybercafe or broadband. DNA evidence is not directly observable by judges and therefore the technology and equipment have to be made increasingly transparent so that ordinary citizens as well as the scientific community can audit their effectiveness. In 2009, the Second District Court of Appeal and Circuit Court in Florida upheld a 2005 ruling requiring CMI Inc, the manufacturer of Intoxilyzer 5000, to release source code, failing which evidence from the breathalyzer would be rendered inadmissible in more than 100 drunk driving cases. If the transparency of machines is important when prosecuting misdemeanors then surely this is something we must advocate for when culpability for serious crimes is determined through DNA evidence and other types of biometric technologies. This could be accomplished by the triad of mandates for free/open source software, open standards and open hardware. This is not necessary for all DNA technology and equipment that is used in the market, but only for a small sub-set of these technologies that impinge on our rights as human beings via law enforcement and the judicial system.

It has been nine years since India started the process of drafting this bill. We hope that the delays will only result in a robust law that upholds human rights, justice and scientific progress.

---

Sunil Abraham is Executive Director of the Centre for Internet and Society, based in Bangalore, India.

This post maps the discussion across the NETmundial submissions and presents six emerging evolution scenarios related to the IANA functions:

1. Separation of IANA from policy/ICANN, control of IANA to a multilateral body
2. Separation of IANA from policy/ICANN, control of IANA to a non-multilateral body
3. No separation of IANA from policy/ICANN, control of IANA to a multilateral body
4. No separation of IANA from policy/ICANN, control of IANA to a non-multilateral body
5. Multiplication of TLD registries and root servers
6. Maintenance of status quo

---

I. Separation of IANA from policy/ICANN, control of IANA to a multilateral body

The proposal under this category demands for the separation of IANA function from technical policy making, and suggests that the IANA function be transferred to an intergovernmental body.

Such proposal is listed below:

Sl.No.	Proposal No.	Name of Proposal	Organization	Sector	Region	Link
1	186	The Next Best Stage for the Future of Internet Governance is Democracy	Global Geneva	Civil Society	Geneva, Switzerland	http://content.netmundial.br/contribution/the-next-best-stage-for-the-future-of-internet-governance-is-democracy/305

This proposal by Global Geneva seeks the establishment of an intergovernmental organisation called World Internet Organisation (WIO), under which IANA (which is understood to be essentially technical and concerning safety and security of the Internet would be located. WIO would additionally have a special link/status/contract with IANA to avoid unwanted interference from governments. A 75% majority at WIO would be requested to act/modify/contest an IANA decision, making it difficult for governments to go beyond reasonable and consensual demands. WIO would act in concert with World Internet Forum, under which ICANN would be located, whereby it would make policy decisions regarding gTLDs apart from its other present functions.

II. Separation of IANA from policy/ICANN, control of IANA to a non-multilateral body

There are certain proposals whereby it is proposed that IANA function should be separated from technical policy making, or ICANN, and IANA function, which is perceived to be a purely administrative one in such submissions, should be handed over to some sort of non-multilateral organisation, which take different forms in each proposal.

Most such submissions have emerged from the civil society or the technical community.

The Internet Governance Project submission envisions the creation of a DNS Authority under whose umbrella IANA would function. The DNS Authority would be separate from ICANN. This proposal has been endorsed by the submissions of InternetNZ as well as Article 19 and Best Bits. Avri Doria’s submission, along with the submission of APC, envisions the establishment of an independent IANA, separate from the technical policy function. Such independence is sought to be preceded by a transition period by a body called IANA Stewardship Group which would be constituted mostly by members from the technical community. IANA is sought to be governed via MoUs with all stakeholders, on the same lines as the MoU between ICANN and the IETF, as described in RFC2860, RFC6220. The focus of these MoUs would not be policy but will be on performance and adherence to service level agreements.

These submissions are listed below:

Sl. No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	19	Roadmap for Globalising IANA: Four Principles and a Proposal for Reform	Internet Governance Project	Civil Society	North America	http://content.netmundial.br/contribution/roadmap-for-globalizing-iana-four-principles-and-a-proposal-for-reform-a-submission-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/96
2	26	Roadmap for the Further Evolution of the Internet Governance Ecosystem- ICANN	Article 19 and Best Bits	Civil Society	Global	http://content.netmundial.br/contribution/roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem-icann/109
3	42	Content Contribution to NetMundial on the Roadmap for the Futher Evolution of the IG Ecosystem regarding the Internationalisation of the IANA Function	InternetNZ	Technical Community	New Zealand	http://content.netmundial.br/contribution/content-contribution-to-netmundial-on-the-roadmap-for-the-futher-evolution-of-the-ig-ecosystem-regarding-the-internationalisation-of-the-iana-function/130
4	60	One Possible Roadmap for IANA Evolution	Avri Doria, Independent Researcher	Other	USA	http://content.netmundial.br/contribution/one-possible-roadmap-for-iana-evolution/153
5	162	APC Proposals for the Further Evolution of the Internet Governance Ecosystem	Association for Progressive Communications (APC)	Civil Society	APC is an international organisation with its executive director's office in South Africa	http://content.netmundial.br/contribution/apc-proposals-for-the-further-evolution-of-the-internet-governance-ecosystem/280

III. No separation of IANA from policy/ICANN, control of IANA to a multilateral body

These submissions propose that the IANA function should come under a multilateral body. However they do not suggest the separation of IANA function from policymaking, or from ICANN; or they are at least silent on this latter issue. 2 such proposals come from the civil society and 2 from the government.

A list of these submissions is provided below:

Sl. No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	8	Roadmaps for Further Evolution of Internet Governance	Association for Proper Internet Governance	Civil Society	Switzerland	http://content.netmundial.br/contribution/roadmaps-for-further-evolution-of-internet-governance/65
2	45	Russian Parliament Submission to NET mundial	State Duma of the Russian Federation (Parliament of the Russia)	Government	Russian Federation	http://content.netmundial.br/contribution/themes/133
3	121	Contribution from the Islamic Republic of Iran to the Global Multiskaeholder (sic) Meeting for the Future of the Internet, 23-24 April 2014 Sao Paulo, Brazil	Cyber Space National Center, Iran	Government	Islamic Republic of Iran	http://content.netmundial.br/contribution/contribution-from-the-islamic-republic-of-iran-to-the-global-multiskaeholder-meeting-for-the-future-of-the-internet-23-24-april-2014-sao-paolo-brazil/236
4	125	Towards Reform of Global Internet Governance	The Society for Knowledge Commons	Civil Society	India and Brazil	http://content.netmundial.br/contribution/towards-reform-of-global-internet-governance/240

IV. No separation of IANA from policy/ICANN, control of IANA to a non-multilateral body

These submissions do not consider the issue of separation of IANA function from policymaking, or ICANN, or at least do not state an opinion on the separation of IANA function from ICANN. However, they do suggest that the control of IANA should be held by a non-multilateral body, and not the US Government.

Many of these submissions also suggest that the oversight of ICANN should be done by a non-multilateral body, therefore it makes sense that the IANA function is administered by a non-multilateral body, without its removal from the ICANN umbrella.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	46	Norwegian Contribution to the Sao Paulo Meeting	Norwegian government	Government	Norway, Europe	http://content.netmundial.br/contribution/norwegian-government/137
2	50	Contribution from the GSM Association to the Global Multistakeholder Meeting on the Future of Internet Governance	GSMA	Private Sector	Global	http://content.netmundial.br/contribution/contribution-from-the-gsm-association-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/141
3	51	Contribution of Telefonica to NETmundial	Telefonica, S.A.	Private Sector	Spain	http://content.netmundial.br/contribution/contribution-of-telefonica-to-netmundial/143
4	56	ETNO Contribution to NETmundial	ETNO [European Telecommunications Network Operators' Association]	Private Sector	Belgium	http://content.netmundial.br/contribution/etno-contribution-to-netmundial/148
5	61	French Government Submission to NETmundial	French Ministry of Foreign Affairs	Government	France	http://content.netmundial.br/contribution/french-government-submission-to-netmundial/154
6	63	Nominet Submission on Internet Governance Principles and the Roadmap	Nominet	Private Sector	UK	http://content.netmundial.br/contribution/nominet-submission-on-internet-governance-principles-and-the-roadmap/156
7	64	Submission by AHCIET to the Global Multistakeholder Meeting on the Future of Internet Governance. NETmundial	AHCIET	Private Sector	Latin America	http://content.netmundial.br/contribution/submission-by-ahciet-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance-netmundial/157
8	70	Spanish Government Contribution to the Global Multi-stakeholder Meeting on the Future of Internet Governance	Ministry of Industry, Energy and Tourism, Spain	Government	Spain	http://content.netmundial.br/contribution/multistakeholder-human-rights-stability-gac/165
9	80	Roadmap for the Further Evolution of the Internet Governance Ecosystem	European Commission	Government	Europe	http://content.netmundial.br/contribution/roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/177
10	94	Roadmap for the Future Development of the Internet Governance Ecosystem	Ministry of Foreign Affairs of Argentina	Government	Argentina	http://content.netmundial.br/contribution/roadmap-for-the-future-development-of-the-internet-governance-ecosystem/196
11	97	Orange Contribution for NETmundial	Orange Group	Private Sector	Deputy to the Chief Regulatory Officer Orange Group	http://content.netmundial.br/contribution/orange/199
12	106	Submission on Internet Governance Principles and Roadmap for the Further Evolution of the Internet Governance Ecosystem	Kuwait Information Technology Society	Civil Society	Kuwait	http://content.netmundial.br/contribution/kuwait-information-technology-society-kits-submission-on-internet-governance-principles-and-roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/214
13	111	Content Submission by the Federal Government of Mexico	Secretara de Comunicaciones y Transportes, Mexico	Government	Mexico	http://content.netmundial.br/contribution/content-submission-by-the-federal-government-of-mexico/219
14	114	Better Understanding and Co-operation for Internet Governance Principles and Its Roadmap	Japan Internet Service Providers Association	Private Sector	Japan	http://content.netmundial.br/contribution/better-understanding-cooperation-for-internet-governance-principles-its-roadmap/222
15	116	Deutsche Telekom’s Contribution for to the Global Multistakeholder Meeting on the Future of Internet Governance	Deutsche Telekom AG	Private Sector	Germany / Europe	http://content.netmundial.br/contribution/deutsche-telekom-s-contribution-for-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/225
16	148	NRO Contribution to NETmundial	NRO (for AFRINIC, APNIC, ARIN, LACNIC, RIPE-NCC)	Technical Community	Mauritius	http://content.netmundial.br/contribution/nro-contribution-to-netmundial/259
17	146	Evolution and Internationalisation of ICANN	CGI.br- Brazilian Internet Steering Committee	Other	Brazil	http://content.netmundial.br/contribution/evolution-and-internationalization-of-icann/263
18	176	Addressing Three Prominent “How To” Questions on the Internet Governance Ecosystem Future	Luis Magalhes, Professor at IST of University of Lisbon, Portugal; Panelist of ICANN’s Strategy Panel on the Role in the Internet Governance System	Academia	Portugal	http://content.netmundial.br/contribution/addressing-three-prominent-how-to-questions-on-the-internet-governance-ecosystem-future/294
19	183	NETmundial Content Submission- endorsed by NIC Mexico	NIC Mexico	Technical Community	Mexico	http://content.netmundial.br/contribution/netmundial-content-submission-endorsed-by-nic-mexico/302

V. Multiplication of TLD registries and Root Servers

These submissions are based on the assumption that reform in the current ICANN/IANA administrative structure is impossible as the US government is unlikely to give up its oversight role over both. Instead, these submissions suggest that multiple TLD registries and root servers should be created as alternatives to today’s IANA/ICANN so that a healthy market competition can be fostered in this area, rather than fostering monopoly of IANA.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	41	Internet Governance: What Next?	EUROLINC	Civil Society	France, Europe	http://content.netmundial.br/contribution/internet-governance-what-next/129
2	175	The Intergovernance of the InterPLUS	INTLNET	Civil Society	France	http://content.netmundial.br/contribution/the-intergovernance-of-the-interplus/293

VI. Maintenance of status quo

These submissions are based on the “if it ain’t broke, don’t fix it” principle, and are of the opinion that there is no need to change the administration of IANA function as it functions efficiently in the current system.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	12	United Kingdom Government Submission	Department For Culture Media and Sport, United Kingdom Government	Government	Government	http://content.netmundial.br/contribution/united-kingdom-government-submission/79
2	133	Perspectives from the Domain Name Association	Domain Name Association	Private Sector	Private Sector	http://content.netmundial.br/contribution/perspectives-from-the-domain-name-association/249

---

Read more on ICANN/IANA: Role and Structural Considerations (PDF Document, 1215 Kb)

This post analyses the contributions of the academic community to draw out broad agreements and divergences concerning Internet governance principles.

I. Introduction

In two days, a large measure of the global Internet community – governments, the private sector, civil society, technical community and academia – gather in São Paulo, Brazil, for the Global Multi-stakeholder Meeting on the Future of Internet Governance. The NETmundial (April 23-24, 2014), touted as the World Cup of Internet governance, is a global conference convened and supported by the Brazilian president, Dilma Rousseff, and organized by the Brazilian Internet Steering Committee (CGI.br) and /1Net, a forum comprising various stakeholders involved and interested in Internet governance. It hopes, importantly, “to establish strategic guidelines related to the use and development of the Internet in the world”. To this end, it sought open-ended Contributions from interested stakeholders on the topics, “Set of Internet governance principles” and “Roadmaps for the further evolution of the Internet governance system”. The agenda for NETmundial may be found here.

To fully utilize the 2 short days available, knowledge of the stakeholder positions, especially their broad agreements and divergences on the two topics, is of immense help. Through a series of posts, I analyse the contributions to NETmundial on the question of Internet governance principles, seeking to dig deep into definitions and interpretations of suggested principles, such as management of Critical Internet Resources (such as the Domain Name System), human rights including freedom of expression and privacy, cyber-security, inclusiveness and participation in Internet governance, etc. In separate posts, I shall analyse contributions of each sector (governments, the private sector, civil society, technical community, academia and ‘Other’) and finally, present an overall analysis of the contributions pitted against the Draft Outcome Document, which is presently under discussion.

II. The Contributions

The NETmundial has received 187 contributions from 46 countries. Sector break-ups are given below:

Sector	Number of Contributions (187)
Academia	20
Governments	28
Private Sector	43
Civil Society	61
Technical Community	16
‘Other’ (such as UNESCO, the European Commission, etc.)	19

A quick look at the contributors indicates that contributions are primarily from North America, Europe, South and East Asia, and South America. No or very few contributions were made from large parts of Africa and South East Asia, Central and West Asia, Eastern Europe and Western South America. We present a graphical representation of contributing countries here.

Of the contributions, stakeholders from various sectors contributed to the two topics listed above in the following manner:

Sector	Set of Internet Governance Principles	Roadmaps for Further Evolution of the Internet Governance System	Combined: Internet Governance Principles & Roadmaps
Academia	7	7	6
Government	7	4	17
Private Sector	11	3	29
Civil Society	25	21	15
Technical Community	8	5	3
‘Other’	7	4	8

Despite the above classification, I focus on all 187 contributions for analysis. This is as some contributions expressly set out principles while others do not. Therefore, eliciting and analyzing principles from stakeholder contributions has involved a certain amount of subjective maneuvering. However, such elicitation has been restricted on the following bases:

1. The contribution is externally categorized as falling under either “Set of Internet governance principles” or “Combined – Internet governance principles & Roadmaps”.
2. Internally, the document places principles under rubrics of ‘Internet governance principles’.
3. Internally, the document makes references to Internet governance principles before setting out (without rubrics) principles.

With this caveat, I go on to discuss the NETmundial contributions from the academic community to Internet governance principles.

Part I: Academia

Of the academic contributions, the main contributors are Africa (Kenya – 1, Sudan – 3), Europe (Germany – 1, Poland – 1, Portugal – 1, Russia – 2, Ukraine – 1), South America (Argentina – 1, Brazil – 3) and the United States (8). No Asian country has made an academic contribution, and as evident from above, academia is geographically severely under-represented. Furthermore, only 4 out of 20 contributions expressly set out Internet governance principles. These four are:

1. Report of the Experts Meeting on Cyberspace Law
2. Proposed Internet Governance Principles
3. Taking Consent Seriously
4. Internet Governance Principles: Securing the Future of the Internet
   

Semantics aside, certain broad, high-level consensus emerges within the academic community. On substantive principles of governance on the Internet, the greatest support is found for freedom of express and access to information, with 6 contributions emphasizing this. Equally important is Internet universality and non-discriminatory (3 contributions), universal access to the Internet (6). Protection of privacy and permissible levels of surveillance come a close second, with 5 contributions referring to these. Cyber-security (5), respect for human rights (4) and support for net neutrality (3) and cultural and linguistic diversity on the Internet (3) also emerge as issues of concern for the academic community. The UNESCO and academics from Sudan emphasize training and education to use the Internet. Inter-operability (2) and a single, unfragmented Internet (2) also find a place in the academic community’s contributions.

With regard to processual principles for Internet governance, inclusiveness and participation are the most important concerns (5). The academic community asks for an open, transparent and multi-stakeholder Internet governance system (4), calling for international cooperation (2) among governments and other stakeholders. Interestingly, one contribution requires that the role of governments in the multi-stakeholder model be limited to “the facilitation of the participation of their domestic stakeholder communities in Internet governance processes”, while a Brazilian contribution advocates a multilateral model.

While no contribution expressly calls for these principles to underscore global Internet governance, the author believes that a high-level consensus may be gleaned in favour of respect for and protection of human rights, especially freedom of expression, access to information, privacy and protection from unwarranted domestic or extraterritorial surveillance. This is further supported by cyber-security concerns. The call for universal access to the Internet, alongside mention of net neutrality, emphasizes inclusiveness and non-discrimination. Processually as well, inclusiveness and participation (including equal participation) of all stakeholders finds the largest support, reflected in the calls for multi-stakeholder models of Internet governance.

No glaring divergences exist with regard to human rights or principles of governance on the Internet. The only major divergence amongst academia is the call for multilateral or multi-stakeholder models of Internet governance. While a majority of the contributions call for multi-stakeholder models, the Brazilian contribution (linked above) calls for “Open, multilateral and democratic governance, carried out with transparency by stimulating collective creativity and the participation of society, Governments and the private sector”, while at the same time supporting a “real multi-stakeholder governance model for the Internet based on the full involvement of all relevant actors and organizations”. Indeed, even this divergence is marked by a common emphasis on open, transparent and inclusive participation in Internet governance.

---

These documents were obtained from the websites of the respective banks, and wherever they were lacking, from the branches of the banks themselves. Attempts were made to obtain any information required for the project that was not available on the website or in the forms from the officers of the respective banks.

The State Banks of India (hereinafter ‘SBI’), Central Bank of India (hereinafter ‘CBI’), ICICI Bank (hereinafter ‘ICICI’), IndusInd Bank (hereinafter ‘IndusInd’) and Standard Chartered Bank (hereinafter ‘SCB’) are the banks chosen for this project. As mentioned, these banks have been chosen to ensure a diverse sample pool. SBI is an Indian public multinational bank, CBI is an Indian public bank and it is not multinational, ICICI is an Indian private and multinational bank, IndusInd is an Indian private bank which isn’t multinational, and SCB is a British bank operating in India.

The forms and other documents of each of the banks have been compared against a template of twenty nine questions created from the nine principles given in Justice A.P. Shah Group of Experts’ Report on Privacy.

The two services provided by these banks that have been analysed are Opening an Account and Taking out a Personal Loan. This comparison has been done keeping in mind the obligations of the banks under the Master Circular and the KYC Norms detailed in it, Code of Conduct, and the Rules under Section 43A of the IT Act. Attempts have been made to clarify the basis of the response as much as possible. An analysis of the obligations of the banks is present below, along with an explanation of the relevance of various parts of the two services that are analysed.

---

Click to download:

1. Banking Policy Guide
2. Banking Practices

Image above: Comparing Absolute Appearance of Fifty Most Frequent Words

Image above: Comparing Relative Appearance of Fifty Most Frequent Words

Created by Sumandro using R. Download the R code. Download the data.

These heatmaps compare the appearance of fifty most frequently appearing words (for all 187 contributions) across the contributions made by different types of organisation. Click on them to see the larger images. Hit *escape* to come back to this page. The first heatmap shows the absolute appearance of the words -- that is the total number of times each word appears in contributions by a type of organisation. The second heatmap shows the relative appearance of the words -- that is the ratio of the word's appearance in contribution by a type of organisation divided by total number of contributions by that type of organisation.

---

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities. The analysis was done by Geetha Hariharan, Jyoti Pandey, and Sumandro Chattapadhyay, with data entry support from Chandrasekhar.

Created by Sumandro using Google Charts. Google Terms of Use and Data Policy. Download the data.

This treemap chart divides up contributions submitted to NETmundial 2014 into their countries of origin, which are also clustered into regional divisions. The size of the rectangles indicate the total number of submissions from the respective region/country. Right click on the regions to see the division of submissions from the countries within that region. Left click to go back. Certain submissions have been contributed by global organisations, such as Internet Society, ICANN and Commonwealth agencies. These submissions have been included in the 'Global' division in the above chart. Also, Russia has been included within Europe, and China has been included within East Asia.

---

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Pandey, and with data entry suport from Chandrasekhar.

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

Created by Sumandro using Google Charts. Google Terms of Use and Data Policy. Download the data.

This Sankey diagram shows all the countries/regions from where contributions have come in on the left side, and all the various types of organisations on the right side. Use the mouse cursor to hover over a country to see what proportion of the submissions from that country has come from which type of organisation, or hover over an organisation type to see what proportion of submission from such organisations have come in from which countries. The height of the blue bars next to the country/region names and organisation types indicate at the respective proportions among all the contributions. Certain submissions have been contributed by global organisations, such as Internet Society, ICANN and Commonwealth agencies. These submissions have been included in the 'Global' division in the above chart.

---

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Pandey, and with data entry suport from Chandrasekhar.

Created by Sumandro using Datamaps.

The map shows (in *green*) all the countries from where no contributions (by any kinds of organisation) have been submitted to NETmundial. Countries appearing in *white* are those from where contributions have been submitted. Organisations that have indicated (in their submitted contribution) that they are either 'global' or 'international' organisations with headquarter in a specific country(ies), or a coalition of several organisations from different countries, have not been considered while making the above map. Such organisations (not considered while making this map) include African ICT/IG Stakeholders, Association for Progressive Communications, Best Bits, Just Net Coalition, OECD, etc. To see the map of all the countries from where the respective governments have not submitted any contributions to NETmundial, click here.

---

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Pandey, and with data entry suport from Chandrasekhar.

Built on Bootstrap by Sumandro

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

Created by Sumandro using Datamaps.

The map shows (in *green*) all the countries from where no government agency has submitted any contribution to NETmundial. Governments of the countries appearing in *white* have contributed to the NETmundial process. Inter-governmental and international bodies that have submitted contributions to NETmundial -- such as OECD and UNESCO -- have not been considered while creating the above map. To see the map of all the countries from where there have been no contributions (by any kinds of organisation) to NETmundial, click here.

---

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Panday, and with data entry support from Chandrasekhar.

Built on Bootstrap by Sumandro.

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

---

---

Created by Sumandro using R. Download the R code. Download the data.

These word clouds show the hundred most frequently appearing words in the aggregated contribution text of each type of organisations. The size of the words in these diagrams refer to their frequency of appearance. A larger size refers to higher frequency of appearance. The colour of the words have been differentiated to group the words according to their freuqency of appearance. The color hierarchy is as follows: Green, Pink, Blue, Red. While creating these word clouds, certain common English words (like, 'the' and 'and') and obvious words for the contributions (like, 'internet' and 'governance') have been ommitted. The full list of ommitted words have been documented in the R code used to generate the diagrams.

Built on Bootstrap by Sumandro.

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

The issue of how to ensure the legitimacy and accountability of ICANN is a concern which finds voice in many of the proposals. Generally speaking, the issue of representation, and legitimacy of ICANN members is a point which all proposals regarding ICANN accountability consider. The issue of funding also came up in several of the submissions. The Brazilian Internet Steering Committee, Joint Contribution of Civil Society from Latin America, submissions from University of Gezira in Sudan and NIC Mexico, called for increased funding for participation of stakeholders from developing countries in ICANN and other multistakeholder meetings. The Government of Austria expressed concern over dwindling funding of IGF and called for improvement of the same. In this scenario of crunched funds, submissions by Article 19 and BestBits as well as Net Coalition proposed the use of a percentage of ICANN’s gTLD revenues to fund inclusive participation in the multistakeholder process.

Apart from these concerns, submissions to NetMundial '14 also raised a myriad of different issues around the functioning of ICANN. Nevertheless, four broad stands can be gleaned from the issue of accountability of ICANN. These are as follows:

I. Submissions which suggest that oversight over ICANN should end, and ICANN accountability should be internalised.

8 submissions to the NetMundial 2014 were of the opinion that ICANN should become an independent body with no oversight exercised by any other body on it. In other words, these proposals opposed the replacement of current US government oversight on ICANN, by oversight through any other body. In such a case, accountability of ICANN was sought to be ensured through strengthening multistakeholderism and reform within the ICANN structure.

Most of these submissions came from the civil society (4) or the technical community (2); 1 from Panel on Global Internet Cooperation and Governance Mechanisms, which identifies as “other”, and 1 from the Government of France. 3 of these proposals represent a global community, 2 come from North America or USA, 1 from France, 1 from New Zealand and 1 from the Democratic Republic of Congo.

The ICANN model proposed in the submission from Internet Governance Project (IGP), from the North American civil society, found support among other contributors in this category. The proposal was based on the principle that oversight of ICANN must not be internationalised but ended. The rationale behind such proposal was that giving additional stakeholders besides the NTIA a say in IANA function and ICANN oversight will only politicise ICANN and make it a subject of possible geopolitical power struggles by governments, ultimately ignoring the interests of internet users all over the world. While calling for an end to ICANN oversight through any or all government agencies, the proposal also called for the strengthening of multistakeholderism within ICANN. This proposal was explicitly supported by InternetNZ, from the New Zealand technical community, in its proposal, as well as to quite an extent by Article 19 and BestBits, from the global civil society, in their proposal.

IGP’s submission also suggested whittling down of ICANN’s powers in order to separate management of IANA functions from ICANN’s present mandate. This is a point where the submissions in this category diverge. Submissions from IGP with Article 19 and BestBits, Association for Progressive Communications (APC) from the civil society and InternetNZ and Avri Doria, from the technical community, recommended the separation of IANA functions from the ICANN. The French Government submission, on the other hand, did not envisage separation of management IANA function from ICANN, but rather the internalisation of the former within the latter, even as proposing an independent and multistakeholder structure for ICANN with suitable accountability mechanisms for all stakeholders.

The submission from Article 19 and BestBits, in fact, suggested further narrowing of ICANN’s mandate by explicitly including a clause in its bylaws to prevent it from engaging in content regulation or conduct that could violate freedom of expression or privacy on the internet, including technical policy making involving trademarks and intellectual property. Such suggestions were made based on the fear that, if unregulated, ICANN might increasingly make its foray into public policy issues like content regulation, as happened in the .xxx controversy. Consequently, the submission from Article 19 and BestBits also suggested that ICANN’s bylaws include a provision whereby private parties can legally challenge ICANN’s actions on grounds of human rights violations before local courts or arbitration tribunals.

This approval for local dispute resolution when the submission agrees with the suitability of Californian law for ICANN incorporation is, however, likely to cause consternation amongst non-American stakeholders. While the submission is not averse to the idea of ICANN expanding its reach globally through creation of subsidiaries (preferably in western Europe), it also takes a firm stand on ICANN not moving its headquarters out of the US. The advantages of such status quo are seen in stability of current agreements with registrars etc., but the idea of ICANN being ultimately subject to Californian law and its courts is unlikely to go down well with other global stakeholders.

One concern found across board, but more explicitly in submissions of Article 19 and BestBits and Avri Doria was the strengthening of ICANN board by making it more representative and accountable through mechanisms of internal accountability like the ATRT2 Transparency and Accountability Review process. Avri Doria of USA, in her submission suggested, the improvement of accountability mechanisms in ICANN by supplementing the ATRT process with a strong appeals mechanism, as found in IETF, for accountability process and results with powers to remove officers from their roles if they do not fulfil their responsibilities. Strengthening of GAC within ICANN by making it more participatory and representative is another concern which is highlighted.

II. Submissions which suggest that oversight of ICANN should be transferred to a multilateral or intergovernmental body

A second, small category of 4 submissions argued that the oversight function of the ICANN should be transferred from the present unilateral U.S. government (NTIA) oversight, to oversight by all countries. This was suggested to counter the power imbalance exercised by one country over critical internet infrastructure, over others, by sharing oversight of ICANN with all others.

In their details, submissions in this category can be vague. While some of them envisioned transfer of ICANN control by the US Government to an intergovernmental body like the ITU, others do not specify the details of the transfer, but merely mention that ICANN oversight should be multilateral in nature. Submissions from CIPIT, part of the Kenyan academia and The Society for Knowledge Commons, civil society stakeholder covering India and Brazil, mentioned that the oversight of technical policy functions should be “multilateral” in nature, while the submission by the Government of Iran called for restructuring ICANN as an “international” organisation.

The submission by Swiss civil society organisation, Association for Proper Internet Governance, referred to the response by the Syrian representative in ITU to RFC sought by the US Department of Commerce, to bring ICANN in the aegis of ITU by signing of a MoU between the two entities, as far as technical policy decisions (eg. development of policies relating to operation of root servers and those relating to operation and administration of gTLDs and ccTLDs) are concerned. Such a proposal was found necessary in light of the non-binding advisory nature of GAC in ICANN, especially when technical policy decisions by ICANN have public policy implications. In such a scenario, the submission dubs it “strange” to relegate government to a subsidiary role within ICANN and “unusual (to say the least)” for governments to constitute a sub-committee of the board of a private company like ICANN. Consequently, the MoU between ITU and ICANN is sought to make GAC a group within ITU so as to strengthen its legitimacy and accountability.

III. Submissions which suggest that oversight of ICANN should be transferred to another body not intergovernmental in nature.

10 submissions suggested the transfer of ICANN oversight to a non-intergovernmental or multilateral body. 2 of these proposals came from governments and 1 from the Brazilian Internet Steering Committee, which identifies as “other”, 3 from the private sector, 2 from civil society and 1 from technical community and academia each. Most of these proposals come from European stakeholders (5), 1 each from Brazil and Argentina, 1 from India, 1 from Nigeria, and 1 from the global civil society group, Just Net Coalition.

Like the last category, these submissions also expressed their dissatisfaction with the unilateral US Government oversight of ICANN, but suggested replacing it with a non-multilateral body. Details of the composition of such bodies vary. Some called for replacement by a technical body, other envision a wholly newly created multistakeholder body, yet others called for signing of the present ICANN AoC with US Government, by a number of stakeholders, which would not include just governments.

One such submission came from Portuguese academic, Luis Magalhaes, which called for the signature of ICANN AoCs with all the stakeholders in internet governance, thus effectively replacing oversight by NTIA to oversight by all stakeholders. This submission also expressed concern over the incorporation of ICANN under Californian law, and suggests that ICANN should be regulated in an international law framework, though without relinquishing its control to merely governments. Submission by the private sector stakeholder Orange Group also looked to expand the AoC of ICANN to include within it, the “ICANN community and stakeholders including Governments represented through the GAC.”

Private sector stakeholder from the UK, Nominet, similarly, called for wider engagement in the ICANN AoC and ensuring wider engagement for transparency and accountability in the AoC process. It also called to end ambiguity about the legal jurisdiction for ICANN, while including and strengthening ITU and IGF in the internet governance ecosystem. Submission by private player, Data Security Council of India, while endorsing “a multistakeholder model with defined roles of relevant stakeholders” was vaguer about the model it sought for ICANN. But it called for nomination of stakeholders by Governments rather than ICANN selecting them without transparency.

The Austrian Government submission, on the other hand, was more ambiguous. It envisaged the extension of AoCs regarding ICANN and IANA while ensuring “the full participation of all stakeholders, from both developed and developing countries, within their respective roles and responsibilities.” In its submission, the Government of Argentina sought to “promote the internationalisation of ICANN through a deep revision of the current structure,” and ensure “active representation from all regions and all actors in the ICANN structure, including representatives of governments on an equal footing,” especially in the structures of ICANN Board, SSAC and GNSO.

The submission by Brazilian Internet Steering Committee similarly, looked to export oversight to entities outside of ICANN in its submission, as long as such entities are recognised as representative of the international public interest. This was suggested with the rationale to avoid a situation where the same organisation is responsible is responsible for policy making as well as its implementation. The Committee also suggested strengthening of ATRT2 process, as well as reform of GNSO and of ALAC so that the latter can have transparent processes for nomination of members, as well as participate in policy development processes in GNSO, along with increased government participation in GNSO. It was also suggested that the number of ICANN Board seats allocated by NomCom should be reduced in order to increase slots for Board members directly elected by the SOs.

Other submissions offered a more detailed view into the composition of the oversight entity recommended to replace NTIA. The submission by global civil society organisation, Just Net Coalition, for example, proposed the formation of a “Internet Technical and Advisory Board” to discharge ICANN oversight function by replacing the present NTIA oversight role. In addition, this board was recommended to advice on public policy perspectives to various technical standards bodies, and thus act as the link between public policy bodies and these standards bodies. The composition of such a board was recommended to consist of people with specialised technical expertise but also with appropriate political legitimacy, ensured via a democratic process. 10-15 members were envisaged in such a board which could include 1 member from each of the Regional Internet Registries (RIRs). 2-3 members from each of the 5 geographic regions as understood in the UN system to be selected through an appropriate process by the relevant technical standards bodies and/or country domain name bodies of all the countries of the respective region were suggested to be part of the board. It was preferred that these members would come from the top recognised technical academic bodies of each country/region, but the entire constitution of the board was left open to other suggestions in Just Net Coalition’s submission.

The technical community stakeholder, Nigeria Internet Registration Association, on the other hand, offered a rather confused proposal for the formation of a “World Internet Governance Organisation (WIGO),”envisaged as “a global organisation with equal participation of the Government, Private sector, Civil Society, Technical Community in a multi-stakeholder consensus building NET-NATIONS.” But while in the beginning the submission suggests a multistakeholder composition of WIGO, seemingly for oversight of ICANN, later the submission sparks the idea that ICANN itself should be changed to WIGO.

Global Geneva’s submission proposed to transfer ICANN oversight to a body called World Internet Forum, which, while part of the UN system, is envisioned as a multistakeholder venue for citizens globally, where constituencies are not governments. ICANN is allowed to pursue technical policy functions like gTLD management under the supervision of WIF, while not encroaching on public policy matters. IANA function is envisaged to be managed separately from the ICANN.

In many of these submissions, like those of Argentinian Government and Brazilian Internet Steering Committee emphasis was also paid on the strengthening of GAC, while taking into consideration stakeholders other than governments.

IV. Submissions which endorse globalisation and multistakeholder governance of ICANN but are vague about the specifics of such governance model

Lastly, there are submissions which call for the globalisation of ICANN and express their dissatisfaction with the U.S. Government oversight of it, while endorsing multistakeholder governance. However, these submissions are also vague about the details of such ICANN globalisation, and the structures in which it will be held accountable.  4 such submissions emerge from governments (Spain, Norway, Mexico and the European Commission), 6 from the private sector, 2 from the technical community, and 2 from the civil society. Europe leads in this category of proposals with 6 of these proposals emerging from there, 2 from Latin America and Mexico each (4 altogether), 1 from Kuwait, 1 from Japan, 1 from the NRO (identifying itself from Mauritius) and 1 from the global GSM Association of mobile operators.

A list of these submissions is provided below.

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
	46	Norwegian Contribution to the Sao Paulo Meeting	Norwegian government	Government	Norway, Europe	http://content.netmundial.br/contribution/norwegian-government/137
	50	Contribution from the GSM Association to the Global Multistakeholder Meeting on the Future of Internet Governance	GSMA	Private Sector	Global	http://content.netmundial.br/contribution/contribution-from-the-gsm-association-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/141
	51	Contribution of Telefonica to NETmundial	Telefonica, S.A.	Private Sector	Spain	http://content.netmundial.br/contribution/contribution-of-telefonica-to-netmundial/143
	56	ETNO Contribution to NETmundial	ETNO [European Telecommunications Network Operators' Association]	Private Sector	Belgium	http://content.netmundial.br/contribution/etno-contribution-to-netmundial/148
	64	Submission by AHCIET to the Global Multistakeholder Meeting on the Future of Internet Governance. NETmundial	AHCIET	Private Sector	Latin America	http://content.netmundial.br/contribution/submission-by-ahciet-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance-netmundial/157
	70	Spanish Government Contribution to the Global Multi-stakeholder Meeting on the Future of Internet Governance	Ministry of Industry, Energy and Tourism, Spain	Government	Spain	http://content.netmundial.br/contribution/multistakeholder-human-rights-stability-gac/165
	80	Roadmap for the Further Evolution of the Internet Governance Ecosystem	European Commission	Government	Europe	http://content.netmundial.br/contribution/roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/177
10.	106	Submission on Internet Governance Principles and Roadmap for the Further Evolution of the Internet Governance Ecosystem	Kuwait Information Technology Society	Civil Society	Kuwait	http://content.netmundial.br/contribution/kuwait-information-technology-society-kits-submission-on-internet-governance-principles-and-roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/214
	111	Content Submission by the Federal Government of Mexico	Secretara de Comunicaciones y Transportes, Mexico	Government	Mexico	http://content.netmundial.br/contribution/content-submission-by-the-federal-government-of-mexico/219
10.	114	Better Understanding and Co-operation for Internet Governance Principles and Its Roadmap	Japan Internet Service Providers Association	Private Sector	Japan	http://content.netmundial.br/contribution/better-understanding-cooperation-for-internet-governance-principles-its-roadmap/222
11.	116	Deutsche Telekom’s Contribution for to the Global Multistakeholder Meeting on the Future of Internet Governance	Deutsche Telekom AG	Private Sector	Germany/Europe	http://content.netmundial.br/contribution/deutsche-telekom-s-contribution-for-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/225
12.	135	Joint Contributions of Civil Society Organisations from Latin America to NetMundial	Group of individuals and Civil Society Organizations from Latin America	Civil Society	Latin America	http://content.netmundial.br/contribution/joint-contributions-of-civil-society-organizations-from-latin-america-to-netmundial/251
13.	143	NRO Contribution to NETmundial	NRO (for AFRINIC, APNIC, ARIN, LACNIC, RIPE-NCC)	Technical Community	Mauritius	http://content.netmundial.br/contribution/nro-contribution-to-netmundial/259
14.	183	NETmundial Content Submission- endorsed by NIC Mexico	NIC Mexico	Technical Community	Mexico	http://content.netmundial.br/contribution/netmundial-content-submission-endorsed-by-nic-mexico/302

***

A previous version of this post performed preliminary analysis of the NETmundial submissions. It may be found here.

Every evening is capped by a music performance, and the opening act was a stand-out two-hour visual extravaganza by Tom Zé, Tropicalia's most avant-garde exponent. Lula (Luiz Inácio Lula da Silva, the previous President of Brazil) was supposed to join us at 7 p.m. today to discuss Marco Civil da Internet - the Brazilian bill for "civil rights" on the Internet - but was a no show.

No matter: Marco Civil was passed into law by the Senate at about 8 p.m. this evening, and President Dilma Rousseff (who reportedly willed this meeting into being) is expected to sign her assent to it tomorrow morning at the opening of NETmundial, which she is scheduled to attend. (While the global press around Marco Civil is unanimously positive and upbeat, it's worth noting that there is one problematic provision — the issue of data retention — that many folks from Brazilian civil society see as a huge loss).

A host of civil society groups spent the day at Arena NETmundial figuring out how to stage a coordinated, detailed and forceful response to what many saw as watered-down text from the NETmundial organisers. (Several corporate representatives and some academics also saw it as watered-down, but from another direction).

There are several puzzling aspects to the shape NETmundial has assumed. What began as a response to the Snowden leaks — the unprecedented scale of the US government sponsored, NSA-executed surveillance — has become a meeting that strangely doesn't have all that much to say about surveillance, perhaps thanks to the various partners roped in to manage the process. There is little that references the bitter SOPA/PIPA battles of two years ago, and not much in the NETmundial outcome document that addresses the manner in which a sovereign state has outrageously sought to export its national application of copyright onto the global Internet landscape. The civil society meeting produced language to address both these situations.

Perhaps the most confounding aspect of this meeting is the manner in which the word "multistakeholder" is thrown about by people of every political stripe. Seemingly, if there is one thing that most everyone, from governments to businesses to civil society activists at NETmundial agree on, it is that multistakeholderism has an essential place in the future of Internet governance.

That being as it is, I asked a bunch of people what their interpretation of the term was, and many agreed to be recorded. Their answers were surprising, to say the least.

This is what they said:

Q: What does "multi-stakeholder" mean? What is "multi-stakeholderism"?

I think multistakeholderism is a kind of democracy, which means, in the public policy area, other than the critical internet resources, usually only governments make public policy. They sometimes consult with other stakeholders, but it is not usually open or transparent and it is very selective. They only choose the experts they like. I think "multistakeholder" is useful in comparison with an inter-governmental or governmental process.

Byoungil Oh from the Korean Progressive Network Jinbonet

Multistakeholderism is a mechanism to ensure that people who are affected or have the potential to be affected by a policy or a technical decision get to have a say in the decision, in the process, or in coming to a decision, so that their rights — the rights of the affected people — are assured. I think there should be some sort of equity, currently the way multistakeholderism is being carried out is that certain stakeholders carry much higher weight and I think that is something that needs to be addressed.

YoungEum Lee from Korea National Open University (Korea)

If multistakeholderism is a form of institutionalising participatory democracy, then it's good. But public policy decision making is only something that the representatives of people can do. For me, that's sacrosanct. When you're taking in views, in consultation, multistakeholderism works. But public policy decision-making, at a global level, has to be a multilateral process. However, it has to be embedded into a huge amount of public consultations, transparencies, accountabilities, etc., which could be a multistakeholder system.

Parminder Jeet Singh from IT for Change (ITFC) (India)

I hate with a passion the concept of multistakeholderism. For me, how it can make sense is by recognising there are multiple stakeholders. And they’re not fixed. But issues affect different people in different ways and these people need to be involved in decision making processes. It's an approach that can potentially democratise processes by identifying who is affected by those processes and making sure they participate in them. But turning them into an -ism which is undifferentiated, which doesn't recognise conflict, power, voice, and that there are differences, makes it meaningless and also possibly dangerous.

Anriette Esterhuysen from the Association for Progressive Communications (APC) (South Africa)

This multistakeholderism thing I think is bullshit. We now a have a clear picture of technology as a whole being turned against its users, being turned into a tool for oppression, for control. And when you look at the most important struggles of the 20th century, whether women's rights or civil rights or gay rights, it never happened with a total global consensus. This is an illusion. What we need is to affirm that we citizens have the right to decide. We are the only stakeholders here, because we are the co-owners of the Internet as a public good.

Jérémie Zimmermann, co-founder of La Quadrature du Net (France)

Everyone has to participate, and everyone has to decide what is the future of the Internet. I think that we need to improve our networks. There is no real answer here: for me it is very difficult to think of the kind of discussion we will have, but I know that my voice is probably useful for others who are in a similar situation to me.

Pilar Saenz from the Karisma Foundation (Colombia)

Multistakeholderism means that we are going to smash the patriarchy. Ask me what the colour blue means? [Ok: What does the colour blue mean?] The colour blue means we are going to smash the patriarchy.

Jacob Appelbaum, journalist, activist and core member of the TOR Project (USA/Germany)

Ultimately rights are embedded in laws. But when it comes to an international framework, in the current Internet governance model, nothing is based in law, including the domain name system. So the whole structure of international Internet governance is divorced from international law, and that's why, when you talk of a multistakeholder model, what you are really saying is that the market will finally determine what happens. No stakeholder is going to operate against its own interest whether it be governments or corporations. We need an international legal framework, from which the powers - or rights - of Internet governance emerge. Without that you're leaving it to the market. In reality, even today, what we have is a private-sector-led multistakeholder model.

Prabir Purkayastha from Knowledge Commons and the JustNet Coalition (India)

What does multistakeholderism mean? Listen, I'm a brown person from a developing country, and I'm female.

Anonymous

Introduction

A technically borderless Internet, in a world defined by national boundaries, brings many challenges in its wake. The social, ethical and legal standards of all countries are affected by technical standards and procedures, created by a few global players. This disparity in capacity and opportunities to participate and shape Internet policy, fuelled by Edward Snowden's revelations led to the development of the Global Multi-stakeholder Meeting on the Future of Internet Governance or NETmundial. Set against, an urgent need for interdisciplinary knowledge assessment towards establishing global guiding principles with respect to the technological architecture and the legal framework of the Internet–NETmundial is seen as a critical step in moving towards a global policy framework for Internet Governance (IG). As stakeholder groups from across the world come together to discuss future forms of governance, one of the most widely discussed issues will be that of Multistakeholderism (MSism).

Multistakeholderism

The governance structure of the Multistakeholder model is based on the notion, that stakeholders most impacted by decisions should be involved in the process of decision making. The collaborative multistakeholder spirit has been widely adopted within the Internet Governance fora, with proponents spread across regions and communities involved in the running, management and use of the Internet. So far, MSism has worked well in the coordination of technical networking standards and efforts to set norms and best practices in defined areas, in the realm of technical governance of the Internet.  However, the extension  of MSism beyond truly voluntary, decentralized and targeted contexts and expanding its applicability, to other substantive areas of Internet Governance is proving a challenge. Beyond defining how the process of policymaking should be undertaken, MSism does not provide any guidance on substantive policy issues of Internet governance. With the increasing impact of Internet technology on human lives and framed against the complexity of issues such as security, access and privacy, the consensus on MSism is further rendered unattainable.

The need for contextualizing the model aside, as with most policy negotiations certain open concepts and words have also prevented agreement and adoption of MSism as the best way forward for IG. One such open and perhaps, the most contentious issue with respect to the legitimacy of MSism in managing Internet functions is the role of stakeholders. A key element of MSism is that decisions will be made by and including all relevant stakeholders. Stakeholder groups are broadly classified to include governments, technical community and academia, private sector and civil society. With each stakeholder representing diverse and often conflicting interests, creating a consensus process that goes beyond a set of rules and practices promising a seat at the negotiation table and is supportive of broad public interest is a challenging task that needs urgent addressing.

This post aims to add to the discourse on defining the role and scope of stakeholders' decision-making powers, towards a better understanding of the term "in their respective role". Addressing the complexity of functions in managing and running the Internet and the diversity of stakeholders that are affected and hence should be included in decision making, I have limited the scope of my analysis to cover three broad internet management functions:

1. Technical: Issues related to infrastructure and the management of critical Internet resources
2. Policy: Issues relating to the developmental aspects, capacity building, bridging digital divide, human rights
3. Implementation: Issues relating to the use of the Internet including jurisdictional law, legislation spam, network security and cybercrime

While this may be an oversimplification of complex and interconnected layers of management and coordination, in my opinion, broad categorisation of issues is necessary, if not an ideal starting point for the purpose of this analysis. I have considered only the submissions categorised under the theme of Roadmap, seeking commonalities  across stakeholder groups and regions on the role of stakeholders and their participation in the three broad functions of technology, policy and implementation.

Towards a definition of respective roles: Analysis NETmundial submissions on Roadmap

There were a total of 44 submissions specific to Roadmap with civil society (20) contributing more than any other group including academia (7), government (4), technical community (5), private sector (3) and other (5). MSism sees support across most stakeholder groups and many submissions highlight or agree on participation and inclusion in decision making processes.

Regionally, submissions from North (24) were dominated by USA (10) with contributions cutting across academia (4), civil society (2), technical community (2) and other (2). Brazil (5) contributed the most to submissions from South (15), followed by Argentina (3). The submissions were consistent with the gender disparity prevalent in the larger technology community with only 12 females contributing submissions. An overwhelming number of submissions (38), thought that the multistakeholder (MS) model needs further definition or improvements, however, suggestions on how best to achieve this varied widely across stakeholders and regional boundaries. Only 16 submissions referenced or suggested Internet Governance Forum (IGF) in its present capacity or with an expanded policy role as a mechanism of implementing MSism on the Internet.

Many submissions referred to issues related to the management of critical internet resources (CIRs), the role of ICANN and US oversight of IANA functions. A total of 11 submissions referred to or specified governance processes with respect to technical functions and issues related to critical resources with civil society (5) and academia (3) contributing the most. In an area that perhaps has the most direct relevance to their work, the technical community was conspicuous with just two submissions making any concrete recommendations. The European Commission was the only governmental organisation that addressed this issue, recommending an expansion of the role of IGF.  There were no specific recommendations from the private sector.

The suggestions on oversight and decision making mechanism were most conflicted for this category of Internet functions and included:

• setting up a technical advisory group, positioned within a new intergovernmental body World Internet Organization (WIO) framework;
• splitting IANA functions into protocol parameters, that Internet Engineering Task Force (IETF) will be responsible for and IP address-related functions retained by ICANN
• expanding the role of IGF, possibly creating an IGF Secretariat
• expanding the role of Government Advisory Committee (GAC) to mainstream government representatives participation within supporting organisations, in particular the Generic Name Supporting Organisation (GNRO)
• expanding the role of private sector
• expanding the role of ICANN with multistakeholder values
• expanding the role of all stakeholders
• implementing changes that do not necessarily require legislative acts or similar hard law approaches and implementation does not necessitate international treaties or intergovernmental structures
• establishing a new non-profit corporation DNS Authority (DNSA) combining the IANA Functions and the Root Zone Maintainer roles in
• improving transparency and accountability of current bodies managing CIRs

16 submissions referred to issues related to policy development and implementation including developmental aspects, capacity building, bridging digital divide and human rights. All submissions called for a reform or further definition of MSism and included recommendations from civil society (5), academia (4), technical community (2), governments (2), private sector (1) and Other (2). All stakeholder groups across regions, unanimously agreed that all stakeholders within their respective role should have a role in decision making and within public policy functions. There was however, no broad consensus on the best way to achieve this.

Specific recommendations and views captured on who should be involved in policy related decision making and what possible frameworks could be developed included:

• improving existing intergovernmental organizations
• creating Internet Ad Hoc Group
• modularization of ICANN’s functions
• creating a stewardship group IETF, ICANN and the RIRs
• creating an independent IANA as an International NGO with host country agreements  governed by its MOUs-defined by the IANA Stewardship Group prior to the signing of MOUs with IANA Partners
• creating a 'new body' to develop international level public policies in concerned areas; seek appropriate harmonization of national level policies; and facilitate required treaties, conventions and agreements
• responsibility of the definition of these policies rests within the States as an inalienable right
• continuity of bottom-up oversight enables a better view of an organization and thus better accountability as government oversight will destroy multistakeholder character
• evolving global governance norms that separate DNS maintenance from policies on TLDs, as well as public policies that intersect with nations’ rights to make them
• policy makers incrementally develop formal and informal relationships
• dealing with conflict of interest and ensuring pluralism
• full multi-stakeholder framework including possible establishment of Working Groups where all parties concerned are represented

18 submissions referred to issues related to the implementation of standards including issues relating to the use of the Internet including jurisdiction, law, legislation, spam, network security and cybercrime. All submissions called for a reform or further definition of MSism values and included recommendations from civil society (8), academia (3), technical community (3), governments (2), private sector (1) and other (1). Stakeholders from academia (5), civil society (3) and government (1) collectively called for the reform of ICANN guided by multistakeholder values, but did not specify how this reform would be achieved.

Specific recommendations on the improvements of institutional frameworks and arrangements for issues related to implementation of  standards included:

• establishment of double system of arbitrage/settlement placed under World Internet Forum (WIF) scrutiny and under the neutral oversight and arbitrage of the UN general secretariat
• new legal instruments in establishing MS model need to be adopted
• establishment of the Internet Technical Oversight and Advisory Board (ITOAB) replace the US government's current oversight role
• multilateral frameworks with oversight role of governments

In summation,  the classification of Internet functions discussed above, presents a very broad view of complex, dynamic and often, interrelated relationships amongst stakeholder groups. However, even within these very broad categories there are various interpretations of how MSism should evolve.

To come back to the very beginning of this post,  NETmundial is an important step towards a global policy framework for Internet governance. This is the first meeting outside formal processes and it is difficult to know what to expect, partly as the expectations are not clear and range widely across stakeholders. Whatever the outcome,  NETmundial's real contribution to Internet Governance has been sparking anew, the discourse on multistakeholderism and its application on the Internet through the creation of a spontaneous order amongst diverse actors and providing a common platform for divergent views to come together.

NETmundial Day 1

>
>***LIVE SCRIBING BY BREWER & DARRENOUGUE - WWW.QUICKTEXT.COM***
>------
>>> LADIES AND GENTLEMEN, GOOD MORNING. IN SOME MINUTES WE WILL HAVE OUR OPENING SESSION OF OUR GLOBAL MULTISTAKEHOLDER MEETING ON THE FUTURE OF THE INTERNET GOVERNANCE. PLEASE TURN OFF YOUR MOBILE PHONES OR TURN THEM INTO VIBRATING. PLEASE TAKE YOUR SEATS. OR SHUT IT OFF. THANK YOU VERY MUCH.
>------
>------
>>> LADIES AND GENTLEMEN, PLEASE TAKE YOUR SEATS AND PLEASE TURN OFF YOUR MOBILE PHONES OR SET THEM INTO SILENT MODE. IN SOME MINUTES, WE ARE GOING TO START OUR OPENING CEREMONY OF OUR GLOBAL MULTISTAKEHOLDER MEETING ON THE FUTURE GOVERNANCE OF THE INTERNET.
>------
>------
>>> PLEASE TAKE YOUR SEATS AND TURN OFF YOUR MOBILE PHONES OR SET THEM INTO SILENT MODE. IN A FEW MINUTES, WE WILL START OUR OPENING CEREMONY OF THE GLOBAL MULTISTAKEHOLDER MEETING ON THE FUTURE OF INTERNET GOVERNANCE.
>------
>------
>------
>------
>>> LADIES AND GENTLEMEN, IN SOME MINUTES WE WILL START OFF THE OPENING CEREMONY OF THE GLOBAL MULTISTAKEHOLDER MEETING ON THE FUTURE OF INTERNET GOVERNANCE.
>------
>------
>[MUSIC ] >> THIS IS MY INTERNET.
>>> THIS IS MY INTERNET.
>------
>------
>------
>------
>------
>>> LADIES AND GENTLEMEN, THE PRESIDENT OF BRAZIL, HER EXCELLENCY DILMA ROUSSEFF. THE CHAIRMAN OF NETmundial, VIRGILIO ALMEIDA, AND THE MIKE RODENBAUGH OF SAO PAULO, THE COO OF ICANN, FADI CHEHADE, AND THE REPRESENTATIVE OF THE TECHNICAL SECTOR AND CREATOR OF THE WEB, TIM BERNERS-LEE. REPRESENTATIVE OF THE PRIVATE SECRETARY AND VICE PRESIDENT OF GOOGLE, VINT CERF, AND THE REPRESENTATIVE OF THE -- OF CIVIL SOCIETY, COFOUNDER, NNENNA NWAKANMA.
>[APPLAUSE ] >> WE ARE STARTING OFF THIS EFFORT AND WE ARE GOING TO LISTEN TO THE NATIONAL ANTHEM OF BRAZIL.
>[ PLAYING OF NATIONAL ANTHEM. ] [APPLAUSE ] >> WE ARE GOING TO LISTEN TO THE WORDS OF THE MINISTER OF COMMUNICATIONS, PAULO BERNARDO.
>>>PAULO BERNARDO SILVA: GOOD MORNING, HER EXCELLENCY DILMA ROUSSEFF, MEMBERS HERE AND PARTICIPANTS OF THIS MEETING.
>LADIES AND GENTLEMEN, WELCOME TO BRAZIL AND TO NETmundial. WE ARE VERY PROUD AND FEEL VERY RESPONSIBLE FOR RECEIVING YOU IN SAO PAULO.
>ALL OF YOU WHO CARE ABOUT INTERNET IN THE FUTURE HAVE REASONS FOR BEING PLEASED WITH WHAT WE ARE GOING TO DO TODAY.
>THIS MEETING IS THE CONCRETIZATION OF ALL OUR WISHES. WE NEEDED AN ADEQUATE ENVIRONMENT FOR THIS TO BE VOICED. WE BELIEVE THAT NETmundial IS THIS ENVIRONMENT WE NEED. FREE PARTICIPANTIVE AND PLURAL, AS WELL AS THE INTERNET WE BELIEVE IN.
>AND THIS IS SO BECAUSE THE CONCERN THAT GETS US TOGETHER IS GREATER THAN THE CONCERNS OF EACH PARTY. WE ARE DISCUSSING THIS INTERNET AROUND THIS TABLE OR OTHERWISE WE WILL HAVE NO FUTURE FOR THE INTERNET FROM THE VERY FIRST MOMENT, THE DIFFERENT STAKEHOLDERS GOT INVOLVED IN THE ORGANIZATION OF THIS EVENT AND THE PROOF OF THIS ENVIRONMENT IS HERE IN THE GREAT DIVERSITY OF CONTRIBUTIONS RECEIVED.
>WE ALSO HAVE HERE MANY AUTHORITIES AND PARTICIPANTS. WE'D LIKE TO THANK EACH ONE OF YOU AND CONGRATULATE EACH ONE OF YOU FROM DIFFERENT COUNTRIES. WE'RE ALL PROTAGONISTS OF AN HISTORICAL MOMENT AND TODAY WHAT WE HAVE BEFORE US IS A CHALLENGE TO MAKE THE MOST FOR ALL THE DIFFERENT OPINIONS IN FAVOR OF A UNIQUE PATH.
>THIS PATH HAS A VERY STRAIGHT SENSE OF ORIENTATION, A FREE AND UNFRAGMENTED INTERNET. THAT'S THE BEST WE CAN HAVE, THE CAPACITY TO CONNECT, TO MOBILIZE, TO INNOVATE, TO CREATE RICHNESS OF CULTURE OR WHATEVER, AND RESPECT THE LINKS. SO INTERNET BEING RULED BY MORE PEOPLE COULD REACH MORE PEOPLE IN THE WORLD.
>SO I WISH THAT WHEN WE LEAVE SAO PAULO, WE CAN 81BRATE A NEW AND PROMISSORY BEGINNING. THIS IS OUR RESPONSIBILITY HERE, AND THANK YOU VERY MUCH. AND HAVE A GOOD MEETING. THANK YOU.
>[APPLAUSE ] >> NOW, MR. HONKING, SECRETARY-GENERAL OF THE UNITED NATIONS FOR BUSINESS MATTERS WILL DELIVER HIS MESSAGE FROM THE SECRETARY-GENERAL, BAN KI-MOON.
>>>WU HONGBO: YOUR EXCELLENCY, PRESIDENT ROUSSEFF, DISTINGUISHED MINISTERS, EXCELLENCIES, DISTINGUISHED DELEGATES, COLLEAGUES, LADIES AND GENTLEMEN.
>I'M HONORED TO BE HERE WITH YOU FOR THIS IMPORTANT EVENT. IT IS MY GREAT PLEASURE TO DELIVER A MESSAGE ON BEHALF OF THE UNITED NATIONS SECRETARY-GENERAL, MR. BAN KI-MOON.
>HERE I QUOTE: I THANK THE GOVERNMENT OF BRAZIL FOR HOSTING THE NETmundial MEETING, AND I COMMEND THIS GLOBAL MULTISTAKEHOLDER NATURE. ONLY THROUGH INCLUSIVE AND BOTTOM-UP PARTICIPATION WE BE ABLE TO FOSTER AN ACCESSIBLE, OPEN, SECURE, AND TRUSTWORTHY INTERNET.
>THE INTERNET IS TRANSFORMING SOCIETIES IN ALL REGIONS. IT IS THE BACKBONE OF OUR GLOBAL ECONOMY AND AN ESSENTIAL VEHICLE FOR DISSEMINATING INFORMATION AND IDEAS.
>ONE-THIRD OF THE PEOPLE NOW HAVE ACCESS TO THE INTERNET AND THE KNOWLEDGE AND THE TOOLS IT PROVIDES. INCREASING NUMBER OF PEOPLE NOW HAVE A PLATFORM TO VOICE THEIR OPINIONS AND PARTICIPATE IN SOCIETY FROM COMMERCE TO DEMOCRATIC DECISION-MAKING. THAT IS WHY IT IS ESSENTIAL THAT INTERNET GOVERNANCE POLICIES CONTINUE TO FOSTER FREEDOM OF EXPRESSION AND THE FREE FLOW OF INFORMATION.
>THE INTERNET AND THE INFORMATION SOCIETY HOLD TREMENDOUS PROMISE FOR THE POST-2015 DEVELOPMENT AGENDA.
>THE INTERNET CAN STRENGTHEN EFFORTS TO ERADICATE POVERTY, ADDRESS INEQUALITY, AND PROTECT AND RENEW THE PLANET'S RESOURCES.
>BUT REALIZING THE PROMISE MEANS EXPANDING INTERNET ACCESS TO NEARLY 1.3 BILLION PEOPLE WHO CURRENTLY LACK IT.
>MOST ARE IN DEVELOPING COUNTRIES AND THERE ARE SIGNIFICANT GENDER GAPS.
>INTERNET GOVERNANCE MUST, THEREFORE, WORK TO BRIDGE THE DIGITAL DIVIDE THROUGH INCLUSIVE RIGHTS-BASED POLICIES.
>INTERNET GOVERNANCE SHOULD AIM FOR UNIVERSAL ACCESS TO AN INTEROPERABLE, GLOBALLY CONNECTED, AND SAFE ONLINE SPACE.
>TO THIS END, THE PRINCIPLES OF THE WORLD SUMMIT ON THE INFORMATION SOCIETY REMAIN RELEVANT.
>THE UNITED NATIONS INVITES ALL STAKEHOLDERS TO JOIN IN THE ONGOING SUMMIT REVIEW PROCESS.
>CONFIDENCE IN THE INTERNET AND ITS GOVERNANCE IS VITAL. IF IT IS TO BE EFFECTIVELY CONTRIBUTING TO THE SUSTAINABLE DEVELOPMENT.
>IN THIS CONNECTION, I WISH TO INFORM THE MEETING I INTEND TO APPOINT AMBASSADOR JANIS KARKLINS OF LATVIA AS THE CHAIR OF THE MULTISTAKEHOLDER ADVISORY GROUP OF THE INTERNET GOVERNANCE FORUM.
>[APPLAUSE ] >>WU HONGBO: I COUNT ON MR. KARKLINS TO PROMOTE A STRENGTHENED INTERNET GOVERNANCE THROUGH BROADER PARTICIPATION, NOT ONLY BY GOVERNMENTS BUT ALSO THE PRIVATE SECTOR AND CIVIL SOCIETY, INCLUDING THE ACADEMIC AND THE TECHNICAL COMMUNITIES.
>BUILDING CONSENSUS ON THE ROADMAP FOR THE FUTURE OF INTERNET GOVERNANCE IS CRUCIAL. THIS NETmundial IS AN IMPORTANT MILESTONE. I WISH YOU A PRODUCTIVE MEETING. UNQUOTE.
>THANK YOU VERY MUCH ON BEHALF OF UNITED NATIONS DEPARTMENT OF ECONOMIC AND SOCIAL AFFAIRS, UNDESA. I WOULD LIKE TO THANK BRAZIL AND THE BRAZILIAN INTERNET STEERING COMMITTEE FOR NOT ONLY HOSTING THIS IMPORTANT MEETING, BUT ALSO FOR BEING CONSISTENT SUPPORTERS OF INTERNET GOVERNMENT FORUM. THE IGF COMMUNITY LOOKS FORWARD TO RUNNING TO BRAZIL FOR THE SECOND TIME FOR THE 10TH IGF IN 2015.
>THANK YOU VERY MUCH.
>[APPLAUSE ] >> NOW, WE ARE GOING TO LISTEN TO MS. NNENNA NWAKANMA, A REPRESENTATIVE OF CIVIL SOCIETY AND CONTRIBUTOR OF THE OPEN SOURCE FOUNDATION OF AFRICA.
>[APPLAUSE ] >>NNENNA NWAKANMA: OOH-LA-LA. YOUR EXCELLENCIES, COLLEAGUES, PRESENT AND REMOTE LADIES AND GENTLEMEN, (NON-ENGLISH WORD OR PHRASE). MY NAME IS I COME FROM THE INTERNET. I ALSO COME FROM DIVERSE CIVIL SOCIETY TEAMS AND NETWORKS, ONE OF WHICH IS THE TEAM THAT WORKS WITH THE WORLD WIDE WEB FOUNDATION.
>AT THE WEB FOUNDATION, WE ARE ENGAGED IN THE ALLIANCE FOR AFFORDABLE INTERNET. WE'RE ENGAGED IN THE WEB INDEX AND OPEN DATA INITIATIVES. ONE THING I DO FOR A LIVING IS TO ESTABLISH THE OPEN WEB AS A GLOBAL PUBLIC GOOD AND A BASIC RIGHT, ENSURING THAT EVERYONE CAN ACCESS AND USE IT FREELY. THAT'S WHAT I DO.
>I ALSO BELONG TO THE (INDISCERNIBLE) CIVIL SOCIETY PLATFORM, THE INTERNET GOVERNANCE CAUCUS FOR THE PAST 12 YEARS, AND THE AFRICA INTERNET GOVERNANCE FORUM.
>SO FOR ME, NETmundial, IN CONVENING US TO TAKE A CRITICAL LOOK AT THE PRINCIPLES AND ROADMAP FOR THE FUTURE OF THE INTERNET GOVERNANCE AVAILS ME WITH AN OPPORTUNITY TO RAISE THREE KEY ISSUES.
>THE FIRST ISSUE IS ACCESS.
>AS MUCH AS TWO-THIRDS OF THE WORLD'S POPULATION IS NOT YET CONNECTED TO THE INTERNET. THE PENETRATION RATES IN DEVELOPED COUNTRIES AVERAGE AROUND 31%, BUT IN AFRICA WHERE I COME FROM, WE ARE ABOUT 16%.
>IN THE WORLD'S 49 LEAST DEVELOPED COUNTRIES, OVER 90% OF THE POPULATION ARE STILL NOT ONLINE.
>WE HAVE 1 BILLION PEOPLE LIVING WITH DISABILITY, AND 80% OF THESE LIVE IN THE DEVELOPING COUNTRIES. EACH ONE OF THESE DESERVE ACCESS.
>ACCESS TO INFORMATION, ACCESS TO LIBRARIES, ACCESS TO KNOWLEDGE, AND ACCESS TO AFFORDABLE INTERNET.
>MY SECOND ISSUE IS SOCIAL AND ECONOMIC JUSTICE.
>THE INTERNET IS FAST BECOMING THE DOMINANT MEANS OF WEALTH CREATION, SO THE RIGHTS TO DEVELOPMENT, I THINK, SHOULD INCLUDE SOCIAL JUSTICE.
>FOR ME, IT IS NOT ENOUGH TO DO A SUPERFICIAL CAPACITY-BUILDING JUST FOR A FEW PERSONS. I'M LOOKING FOR THE MECHANISM THAT ALLOWS THE HIGHEST NUMBER OF PERSONS TO BE INCLUDED, THE LARGEST NUMBER OF VOICES TO BE HEARD, THE WIDEST EXTENT OF ACCESS TO INNOVATION, AND THE DEEPEST CREATIVITY FOR THE HUMAN MIND TO FLOURISH.
>FOR THIS, I THINK WE NEED TO START CONSIDERING THE INTERNET AS PUBLIC COMMENTS.
>MY THIRD ISSUE IS HUMAN RIGHTS AND FREEDOM.
>NOW I WILL INVITE YOU TO LISTEN THROUGH MY VOICE TO SOMEONE THAT I GREATLY RESPECT.
>THIS PERSON IS A "SHE." SHE WAS SPEAKING AT THE UNITED NATIONS GENERAL ASSEMBLY IN NEW YORK ON THE 25TH OF SEPTEMBER RAFT YEAR. DO YOU WANT TO HEAR WHAT SHE SAID?
>>> YES!
>>>NNENNA NWAKANMA: SHE SAID, "I CANNOT BUT DEFEND IN AN UNCOMPROMISING FASHION THE RIGHT TO PRIVACY OF INDIVIDUALS. IN THE ABSENCE OF THE RIGHT TO PRIVACY, THERE CAN BE NO TRUE FREEDOM OF EXPRESSION AND OPINION AND THERE IS NO EFFECTIVE DEMOCRACY." AND THAT WAS DILMA ROUSSEFF.
>[CHEERS AND APPLAUSE ] >>NNENNA NWAKANMA: OKAY. THANK YOU. RIGHT. LADIES AND GENTLEMEN, IN LOOKING FORWARD TOWARDS THE ROADMAP, I ALSO NEED TO RAISE THREE KEY ISSUES.
>MY FIRST ISSUE IS PARTICIPATION. WHEN WE STARTED, WE KICKED OFF WITH THE BASIC UNDERSTANDING THAT ALL STAKEHOLDERS HAVE A PLACE, A ROLE, A CONTRIBUTION.
>BUT AS WE'VE MOVED FURTHER DOWN THE LINE, THE IDEA OF MULTISTAKEHOLDER ENGAGEMENT IS GETTING MUDDLED AND IT'S LOSING A BIT OF ITS MEANING, SO I WOULD REQUEST THAT WE GO BACK TO THE DRAWING BOARD AND WE REVISIT IT, AND IF IT NEEDS TO UPGRADE, PLEASE LET'S DO THAT.
>BECAUSE WE NEED TO ENGAGE ALL STAKEHOLDERS AT A GLOBAL, REGIONAL, AND NATIONAL LEVELS.
>WE NEED TO ESTABLISH RESPECT AND VALUE FOR ALL CONTRIBUTIONS COMING FROM ALL STAKEHOLDERS, AND WE NEED MEANINGFUL PARTICIPATION FROM INDIVIDUALS COMING FROM DEVELOPING COUNTRIES AND UNDERREPRESENTED GROUPS.
>MY SECOND ISSUE IS RESOURCES.
>HOW DO WE ENSURE THAT RESOURCES ARE MOBILIZED AND MAINTAINED FOR A VIABLE INTERNET GOVERNANCE MECHANISM?
>THE QUESTION IS NOT JUST AT THE GLOBAL LEVEL. IT'S AT CONTINENTAL, REGIONAL, AND EVEN NATIONAL LEVELS.
>WHO'S RESOURCES ARE WE GOING TO COMMIT?
>MY FIRST THOUGHT IS THAT THE INTERNET SHOULD BE ABLE TO PROVIDE RESOURCES FOR ITS OWN GOVERNANCE. MAYBE PART OF THE DOMAIN NAME FEES SHOULD BE REINVESTED IN THIS AREA.
>[APPLAUSE ]
>>>NNENNA NWAKANMA: NOW, MY THIRD ISSUE IS CHANGE.
>NETmundial IS OFFERING US A GREAT OPPORTUNITY FOR CHANGE. CHANGE FROM ONE STAKEHOLDER HIJACKING THE PROCESS TO AN OPEN AND INCLUSIVE PROCESS. CHANGE FROM ONE OFFICIAL ISSUING ORDERS TO COLLABORATION. CHANGE FROM JUST REPORTS TO REAL TRANSPARENCY.
>CHANGE FROM POWER TO ACCOUNTABILITY. CHANGE FROM MONOLOGUES TO DIALOGUES AND DEBATES. CHANGE FROM THE RHETORIC OF CYBER-WAR TO THE NOTION OF INTERNET FOR PEACE. CHANGE FROM CYBER-THREATS TO DIGITAL SOLIDARITY. AND I DO BELIEVE THAT ALL OF THESE PRINCIPLES WILL ALSO GUIDE US IN IANA TRANSITION.
>LADIES AND GENTLEMEN, THERE IS ONE MESSAGE I MUST LEAVE WITH YOU TODAY, IT IS THE MESSAGE OF TRUST.
>WE'RE IN BRAZIL BECAUSE WE TRUST THE PERSON OF DILMA ROUSSEFF. WE ARE HERE BECAUSE WE TRUST THE NETmundial PROCESS. WE TRUST THE MULTISTAKEHOLDER APPROACH OF BRAZIL IN ITS OWN IGF, AND WE HAVE FOLLOWED THE STORY OF MARCO CIVIL AND I WANT TO SEE CONGRATULATIONS TO ALL BRAZILIANS ON THIS.
>[CHEERS AND APPLAUSE ] >>NNENNA NWAKANMA: HANG ON. HANG ON. HANG ON.
>THE TRUST THAT WE HAVE IN BRAZIL IS NEEDED AT ALL LEVELS. BUT THIS TRUST HAS BEEN DESTROYED BY THE COLLECTION, PROCESSING, AND INTERCEPTION OF OUR COMMUNICATIONS.
>[APPLAUSE ] >>NNENNA NWAKANMA: YES. SURVEILLANCE ON INTERNET SECURITY AND OUR TRUST IN ALL PERSONAL BUSINESS AND DIPLOMATIC COMMUNICATIONS. THAT'S WHY WE SAY "NO." THE WEB WE CAN TRUST, THAT IS THE WEB WE WANT. THE WEB THAT CONTRIBUTES TO PEACE, THAT IS THE WEB WE WANT. THE WEB THAT IS OPEN AND INCLUSIVE, THAT IS THE WEB WE WANT. THE WEB OF OPPORTUNITIES AND SOCIAL JUSTICE, THAT IS WHY I AM HERE.
>LADIES AND GENTLEMEN, NETmundial, I THINK, IS THE WORLD CUP OF INTERNET GOVERNANCE. WE NEED A ROBUST STADIUM THAT CAN HOLD US. THAT IS INFRASTRUCTURE. WE NEED TO ENJOY THE GAME. THAT IS PARTICIPATION. WE SHOULD NOT DISCRIMINATE. THAT IS NET NEUTRALITY. EVERYBODY'S FREE TO SUPPORT THEIR TEAM. I SUPPORT (SAYING NAME) OF NIGERIA. THAT IS FREEDOM. I SUPPORT BRAZIL AS LONG AS THEY ARE NOT PLAYING AGAINST AFRICA, ANYWAY.
>[LAUGHTER ] >>NNENNA NWAKANMA: WE NEED TO BE ABLE TO WEAR OUR COSTUMES AS FANS AND THAT IS DIVERSITY. AND MOST IMPORTANTLY, WE NEED TO KNOW THE RULES OF THE GAME AND PLAY BY IT. THAT, FOR ME, IS TRANSPARENCY.
>SO IT'S NOT GOING TO BE ABOUT POWER AND CONTROL FOR GOVERNMENTS. IT'S NOT GOING TO BE JUST INTEREST FOR THE INDUSTRY. IT'S NOT GOING TO BE NAMES AND NUMBERS FOR TECHNICAL COMMUNITY. IT'S NOT GOING TO BE FOR OR AGAINST FOR CIVIL SOCIETY. I THINK THAT WE NEED HUMILITY. THE HUMILITY TO LISTEN TO DIVERSE VOICES IS ESSENTIAL FOR AN AUTHENTIC DIALOGUE. LET US TALK TO EACH OTHER AND NOT AT EACH OTHER. BECAUSE SOMETIMES WE CAN BE SO DROWNED IN OUR OWN VOICES THAT WE DO NOT HEAR THE OTHER STAKEHOLDERS.
>JUST BEFORE I SIT DOWN, LADIES AND GENTLEMEN, TOMORROW IS GIRLS IN ICT DAY, SO I'M GOING TO SPEAK TO LADIES.
>GIRLS, IT IS UP TO US TO SEIZE THE OPPORTUNITY THAT THE INTERNET HAS GIVEN US. LET'S SEIZE IT AND LET'S ROCK THE WORLD! LET US GET WOMEN ONLINE. LET US GET US ONLINE.
>AND THIS, I WANT TO SAY A SPECIAL TRIBUTE TO ALL THE GIRLS IN MY WORLD FOUNDATION TEAM. ALEXANDRA IS HERE, RENAT AVILA, SONIA GEORGE, ANGELA, AND NOT JUST NETmundial BUT GIRLS ACROSS THE WORLD WORK ON THE INTERNET EVERY DAY. DEBORAH BROWN IS IN THE U.S. MARION FRANKLIN IS IN EUROPE. ANNA IS IN INDIA, (SAYING NAME) IS IN LATIN AMERICA HERE, (SAYING NAME) IS IN AFRICA, JOY LID I COT IS IN NEW ZEALAND, AND SALANIETA IS SOMEWHERE IN THE ISLANDS OF FIJI. GREAT WOMEN WHO DO THIS WORK. AND EVEN HERE IN BRAZIL, WE HAVE GREAT LADIES. ONE IS (SAYING NAME) AND THE OTHER IS (SAYING NAME) BUT COME ON, IT'S NOT JUST ABOUT WOMEN. THERE ARE GUYS, MEN, WHO WORK EVERY DAY, WHO PUT IN THE ENERGY, WHO PUT IN THEIR LIFE, WHO PUT IN ALL THEY HAVE, PUT IN THEIR EXPERTISE, SO THAT WE CAN HAVE A GLOBAL, TRUE, OPEN AND RESILIENT. AND TO ALL OF US WHO LOVE THE INTERNET AND TO ALL OF US WHO ARE HERE AND TO SOMEONE CALLED EDWARD, EDWARD SNOWDEN, THANK YOU.
>[CHEERS AND APPLAUSE ]
>>> ---
>>>VINT CERF: PRESIDENT DILMA ROUSSEFF, EXCELLENCIES, DISTINGUISHED GUESTS, LADIES AND GENTLEMEN, IT IS AN HONOR AND A PRIVILEGE TO PARTICIPATE IN NETmundial. THIS DIALOGUE IS TIMELY AND MUCH NEEDED AS THE INTERNET CELEBRATES THE 40th YEAR OF ITS PUBLIC UNVEILING AND THE 31st YEAR OF ITS OPERATION. IN MAY 1974, THE DESIGN OF THE INTERNET WAS PUBLISHED IN THE IE EX-E PUBLICATIONS. ROBERT KAHN AND I FELT STRONGLY THE DESIGN AND THE PROTOCOLS OF THE INTERNET NEEDED TO BE FREELY AND OPENLY AVAILABLE TO ANY INTERESTED PARTIES AND WITHOUT ANY BARRIERS TO ADOPTION AND USE.
>OVER FOUR DECADES BY WORKING TOGETHER AND INCLUDING THE EXPERIENCES GATHERED FROM OTHER GLOBAL NETWORK EXERCISES, AN INFORMAL COALITION HAS BUILT FROM THE BOTTOM UP THE SUCCESSFUL, FREE AND OPEN INTERNET AND THE POPULAR WORLDWIDE WEB. SOME 3 BILLION PEOPLE ARE ALREADY ONLINE WORKING TOGETHER TOWARDS GROWTH IN A POWERFUL ECONOMIC ENGINE AND POSITIVE SOCIAL FORCE.
>THIS INTERNET GOVERNANCE MEETING COMES AT A TIME WHEN THE INTERNET AND ITS USE REFLECTS THE FULL RANGE OF INTERESTS OF A GLOBAL AND INCREASINGLY ONLINE SOCIETY.
>IN ADDITION TO APPRECIATING THE ENORMOUS BENEFITS ALREADY OBTAINED THROUGH THE COOPERATIVE CREATION, DISCOVERING AND SHARING OF INFORMATION ON THE INTERNET, IT IS ALSO APPARENT THAT USERS AND GOVERNMENTS ARE BECOMING CONCERNED ABOUT POTENTIAL HARMS THAT MAY BE ENCOUNTERED IN THIS DIGITAL WORLD.
>A SMALL FRACTION OF THE INTERNET'S USERS DELIBERATELY SEEK TO BENEFIT THEMSELVES AT THE EXPENSE OF OTHERS OR JUST SEEK TO DO DAMAGE THROUGH A KIND OF DIGITAL VANDALISM, AS ALSO HAPPENS OFFLINE.
>MOREOVER, IT IS APPARENT THAT THE RICH SOCIAL NETWORKING APPLICATIONSES THAT ARE RAPIDLY PROLIFERATING ALSO HAVE A POLITICAL POTENTIAL THAT MAY BE ALARMING TO SOME REGIMES.
>GOVERNMENTS UNDERSTANDABLY SEEK WAYS TO DEFEND THE GENERAL PUBLIC AND PRIVATE SECTORS AGAINST HARM, SUCH AS FRAUD, MALWARE, IDENTITY THEFT AND BULLYING. OTHERS VIOLATE HUMAN RIGHTS BY USING THE INTERNET TO CENSOR, MISINFORM, CONDUCT SURVEILLANCE AND RESTRICT SPEECH OR USE IT AS A MEANS TO IDENTIFY AND INCARCERATE THOSE WHO SPEAK TRUTH TO POWER.
>THE OPENNESS OF THE INTERNET HAS BEEN THE KEY TO ITS GROWTH AND VALUE. PERMISSIONLESS INNOVATION IS THE MAIN SPRING OF INTERNET'S ECONOMIC POWER. WE MUST FIND WAYS TO PROTECT THE VALUES THAT THE INTERNET BRINGS, INCLUDING THE RIGHTS OF ITS USERS WHILE ALSO PROTECTING THEM FROM HARM.
>THESE PRINCIPLES, TOGETHER WITH GROWING ACCESS TO THE INTERNET WILL PROVE TO BE OF LASTING VALUE TO THE DEVELOPING WORLD THAT CAN TAKE ADVANTAGE OF THE POSITIVE BENEFITS OF AN EXPANDING INFORMATION ECONOMY.
>OUR WORK IS NOT NEARLY DONE UNTIL THE INTERNET IS ACCESSIBLE TO EVERYONE AND IPv6 IS ACCESSIBLE EVERYWHERE.
>BRAZIL HAS SET A POSITIVE EXAMPLE IN NETmundial. IN A MULTIPARTY INITIATIVE LED BY CONGRESSMAN ALESANDRO MALONE, THE COUNTRY HAS JUST LEGISLATED MARCO CIVIL WHICH OFFERS IMPORTANT SAFEGUARDS TO PROTECT INTERMEDIARY INTERNET PROVIDERS AND PROTECT USER RIGHTS. ITS INTERNET STEERING COMMITTEE, CGI.BR, IS A MODEL OF NATIONAL MULTISTAKEHOLDER GOVERNANCE.
>THIS MEETING, AMONG MANY OTHERS, REPRESENTS AN IMPORTANT OPPORTUNITY TO EXAMINE A MULTISTAKEHOLDER MODEL FOR INTERNET GOVERNANCE BASED ON THE PARTICIPATION OF ALL STAKEHOLDERS, INCLUDING ROLES FOR GOVERNMENT, ACADEMICS, CIVIL SOCIETY, PRIVATE BUSINESSES AND THE TECHNICAL COMMUNITY. THIS CONFERENCE HAS BROUGHT TOGETHER A RICH AND VARIED GROUP OF INTERESTED PARTIES TO EXPLORE PRINCIPLES AND GUIDELINES FOR FUTURE INTERNET GOVERNANCE AS IT REACHES THE OTHER 4 BILLION STILL UNCONNECTED PEOPLE IN THE WORLD.
>THE INTERNET HAS BEEN BUILT ON THE BASIS OF COLLABORATION AMONG A DIVERSE AND CONSTANTLY EVOLVING SET OF INTERESTED PARTIES. AND THIS IS A FOUNDATIONAL IDEA THAT MUST BE PRESERVED. NEW INSTITUTIONS AND OPERATIONAL PLAYERS HAVE BEEN FORMED AT NEED, SUCH AS THE INTERNET ARCHITECTURE BOARD, THE INTERNET ENGINEERING TASK, THE INTERPRET SOCIETY, THE INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS, THE REGIONAL INTERNET REGISTRIES AND THE NUMBER RESOURCE ORGANIZATION, OTHER REGIONAL TLD ORGANIZATIONS SUCH AS CENTR AND LacTLD, THE ROOT SERVER OPERATORS, REGIONAL NETWORK OPERATION GROUPS, THE EMERGENCY RESPONSE TEAMS, INTERNET EXCHANGE POINTS, THE TOP-LEVEL DOMAIN REGISTRIES AND REGISTRARS AND THE NETWORK INFORMATION CENTERS SUCH AS THE BRAZILIAN NIC.
>OUT OF THE WORLD SUMMIT ON THE INFORMATION SOCIETY HAS COME THE ANNUAL INTERNET GOVERNANCE FORUM AND ITS REGIONAL AND NATIONAL ANALOGS. WE CREATE INSTITUTIONS AT NEED.
>AS WE GATHER HERE FOR THE NEXT TWO DAYS, WE HAVE TWO SPECIFIC CHALLENGES TO CONSIDER. THE LARGER ONE IS THE GENERAL DESIGN OF A GLOBAL, MULTISTAKEHOLDER INTERNET GOVERNANCE FRAMEWORK THAT PRESERVES THE FREE AND OPEN INTERNET AND PROVIDES TRANSNATIONAL PROTECTIONS FOR THE RIGHTS OF USERS.
>THE FRAMEWORK HAS TO ENABLE THE EVOLUTION OF THE INTERNET AND BE ABLE TO ADAPT TO IT. THE MORE FOCUSED CHALLENGE IS TO DEVISE A RESPONSE TO THE U.S. INVITATION TO ASSURE THAT WHEN THE U.S. GOVERNMENT AND ITS CONTRACTUAL RELATIONSHIP WITH ICANN, THE MULTISTAKEHOLDER FRAMEWORK FOR ICANN'S MANAGEMENT OF UNIQUE IDENTIFIERS AND PARAMETERS WILL ADHERE TO THE PRINCIPLES THAT HAVE MADE THE INTERNET A REMARKABLE, GLOBAL AND BENEFICIAL INFRASTRUCTURE.
>I BELIEVE THAT THE CHALLENGE BEFORE US, ASSURING ICANN'S ADHERENCE CAN BE ACCOMPLISHED BY REINFORCING ITS ACCOUNTABILITY AND TRANSPARENCY MECHANISMS. THE LARGER CHALLENGE, PROTECTING THE RIGHTS OF USERS WHILE ASSURING THEIR SAFETY WILL REQUIRE LAYERED, LOCAL, NATIONAL AND TRANSNATIONAL ENABLING MECHANISMS. WE CANNOT PRETEND TO KNOW THE SOLUTION TO ALL THE CHALLENGES AND OPPORTUNITIES THAT THE INTERNET POSES. WE CAN, HOWEVER, CREATE STRUCTURES THAT WILL ALLOW MULTISTAKEHOLDER COLLABORATIONS TO DISCOVER AND EVALUATE POSSIBLE ANSWERS.
>AMONG THE MECHANISMS THAT SHOULD BE REINFORCED AND SUPPORTED, I WOULD SINGLE OUT THE INTERNET GOVERNANCE FORUM. IT NEEDS FINANCIAL SUPPORT AND A PROPERLY STAFFED SECRETARIAT. IT HAS ILLUMINATED OUR UNDERSTANDING OF THE PROSPECTS AND PROBLEMS ARISING FROM THE GLOBAL GROWTH OF THE INTERNET.
>MOBILE TECHNOLOGY RAPIDLY DROPPING COSTS FOR INTERNET-ENABLING EQUIPMENT AND COMMUNICATIONS, AND BOUNDLESS DEVELOPMENT OF NEW APPLICATIONS HAVE CREATED A RICH PALATE FROM WHICH TO PAINT A BENEFICIAL DIGITAL FUTURE. THE GLOBAL IGF AND ITS REGIONAL AND NATIONAL COUNTERPARTS CAN BECOME AN EVEN MORE HELPFUL MECHANISM FOR HIGHLIGHTING ISSUES BY TRACKING THEIR SOLUTIONS IN A VARIETY OF FORUMS AND ENABLING THE EMERGENCE OF NEW APPROACHES WHEN THESE SEEM NECESSARY.
>WE WOULD HAVE TO BE A PRETTY SILLY SPECIES NOT TO TAKE ADVANTAGE OF THE GIFT THAT THE TECHNOLOGY HAS GIVEN US. THOSE OF US PARTICIPATING IN THE NETmundial -- WELL, I HAVE A VERY INTERESTING PROBLEM HERE, MY SPEECH ENDS BECAUSE THE REST OF IT WASN'T PRINTED OUT.
>[LAUGHTER ]
>SO I WILL END BY THANKING YOU VERY MUCH FOR THE TIME ON THIS STAGE.
>[APPLAUSE ]
>>>TIM BERNERS-LEE: TECHNOLOGY IS PERFECT THEN.
>45 YEARS AGO VINT CERF AND BOB KAHN PUT TOGETHER THE IDEA OF THE INTERNET, DESIGNED THAT, AND MADE THAT OPEN. 25 YEARS AGO -- A LONG TIME LATER, THE INTERNET WAS RUNNING. THERE WAS REMOTE --- . THERE WAS EMAIL RUNNING OVER THE INTERNET. BUT THERE WERE NO WEB, NO WEB SITES, NO WEB PAGES, NO LINKS. I FELT IT WAS REALLY IMPORTANT THERE SHOULD BE SO I INVENTED THE WEB. AND AS THE WORLDWIDE WEB PROJECT GREW, I NEEDED COLLABORATORS. I INVENTED HTML AND HTTP AND URLS BUT THE DEVELOPMENT OF THOSE HAD TO BE DONE BY A LARGE TECHNICAL COMMUNITY. I WENT TO THE INTERNET ENGINEERING TASK FORCE, I FOUNDED THE WORLDWIDE WEB CONSORTIUM THAT ASSESS THE STANDARDS FOR THE WEB AND ITS MOTTO IS TO LEAD THE WEB TO ITS FULL POTENTIAL.
>SO THE COLLABORATION BETWEEN THESE MULTISTAKEHOLDER GROUPS LIKE IETF AND W3C AND ALL THE PEERS THEY WORK WITH LIKE ECMA, TC39 FOR (SAYING NAME) THAT HAS BEEN REALLY CRUCIAL AND IT REALLY HAS BEEN HOW THIS HAS ALL WORKED.
>I HOPE YOU WILL AGREE THAT PEOPLE WORKING TOGETHER HAVE DONE A REASONABLE JOB AND LOOKING BACK AT THE 25 YEARS OF THE WEB, IT HAS BEEN -- IT HAS BEEN AN INCREDIBLE RIDE AND WE REALIZE NOW THAT RATHER THAN BEING A FUN PROJECT LIKE ALL THESE THINGS STARTED OFF WITH, IT NOW BECOMES SOMETHING WE HAVE TO REGARD AS TO BEING CRUCIAL.
>SOME OF THESE ORGANIZATIONS WHICH BELIEVE IN OPEN STANDARDS IN THIS PARTICULAR SORT OF MULTISTAKEHOLDER OPEN ON THE WEB SORT OF MEANING OF THE WORD, DEVISED THE WORD OPEN STAND. YOU CAN GO TO OPENSTAND.ORG TO EXPRESS THE WAY IT SHOULD BE ABOUT WITH OPEN DISCUSSION WITH THE DOCUMENTS BEING FREELY AVAILABLE ON THE WEB. WITH W3C SPECIFICALLY COMPANIES COMMIT THAT WHEN THEY START AND WORK TOWARDS THESE STANDARDS, THAT WHEN THE STANDARDS COME OUT THAT THEY WILL NOT CHARGE ROYALTIES TO ANYBODY WHO WANTS TO IMPLEMENT IT. SO KEEPING IT ROYALTY FREE HAS ALSO BEEN REALLY IMPORTANT.
>THE WEB GREW AS SOMETHING WHICH DID NOT INVOLVE BORDERS BECAUSE IT GREW ON THE INTERNET AND THE INTERNET, WHEN YOU CONNECT -- WHEN I WROTE A PROGRAM TO CONNECT FROM ONE COMPUTER TO THE OTHER, NEITHER PROGRAM HAD AN AWARENESS, NEEDED TO KNOW OR NECESSARILY FOUND IT EASY TO FIND OUT WHICH COUNTRY THOSE TWO COMPUTERS WERE IN. BUT INTERNET WAS TECHNICALLY -- IS A NATIONLESS THING. SO IN A NON-NATIONAL ENVIRONMENT, THE WEB GROWING UP, IT HAS BEEN A NON-NATIONAL SOCIETY WHICH HAS GROWN UP AROUND IT.
>YES, THERE HAS BEEN -- FORMALLY, THERE HAS BEEN A CONNECTION BETWEEN THE U.S. GOVERNMENT AND THE WAY INTERNET NUMBERS AND NAMES HAVE BEEN ASSIGNED. AND I'M VERY GLAD THAT THE U.S. GOVERNMENT HAS ACCEPTED TO RELEASE THAT OVERSIGHT. I THINK THAT IS VERY OVERDUE AND A VERY IMPORTANT STEP.
>IT IS AN IMPORTANT STEP BECAUSE ICANN SHOULD SERVICE -- IT SERVICES THE GLOBAL PUBLIC INTERNET, AND, THEREFORE, IT SHOULD BE A GLOBAL PUBLIC BODY. SO FOR ME, WHAT DOES THAT MEAN? IT IS EASY TO SAY IN THE PUBLIC INTEREST. FOR ME, FOR ICANN, THAT MEANS THAT DECISIONS THAT IT MAKES ABOUT TOP-LEVEL DOMAINS, ABOUT WHATEVER, ABOUT HOW TO SPEND ITS FUNDING, THEY SHOULD BE MADE BY STEPPING BACK AND THINKING, WELL, NEVERMIND THE PEOPLE WE KNOW INTIMATELY WHO ARE INVOLVED IN THAT DECISION BUT LET'S THINK ABOUT THE PLAN AS A WHOLE. WHAT IS BEST FOR HUMANITY AS A WHOLE? THAT SHOULD GUIDE EVERY DECISION THAT ICANN MAKES.
>OBVIOUSLY, ONE OF THE THINGS THAT ICANN DOES IS IT HAS FUNDS TO SPEND AND SO PARTLY IT CAN FURTHER THE WORLD BY SPENDING THOSE IN A BENEFICIAL WAY SUCH AS SUPPORTING -- WELL, SUPPORTING STANDARDIZATION, SUPPORTING HARDENING WEB TECHNOLOGY, SUPPORTING PIECES OF TECHNOLOGY LIKE THAT, THE INTERNATIONALIZATION OF THE TECHNOLOGY, KEEPING IT SO IT WORKS WITH EVERY CULTURE AND LANGUAGE, ACCESSIBILITY FOR PEOPLE WITH DISABILITIES AND, OF COURSE, CLOSING THE DIGITAL DIVIDE FOR REALLY IMPORTANT AGENDAS WHICH ICANN CAN THINK ABOUT SUPPORTING.
>THE INTERNET HAS THRIVED FROM THE EMPOWERMENT OF CAPABLE AND PUBLIC-SPIRITED PEOPLE. INITIALLY, THEY WERE FROM THE TECHNICAL COMMUNITY AND ACADEMIA BUT MORE RECENTLY THE WHOLE PRIVATE SECTOR, CIVIL SOCIETY AND GOVERNMENTS. WE NEED INTERNET GOVERNMENTS WHICH ALLOWS EACH COMMUNITY TO BRING ITS PARTICULAR STRENGTHS TO THE TABLE BUT ALLOWS NONE OF THEM TO ELEVATE ITS OWN INTEREST ABOVE THE PUBLIC GOOD.
>FIVE YEARS AGO, RELATIVELY RECENTLY IN INTERNET TIME, SOME OF US REALIZE THAT ALL THE TECHNICAL WORK WE WERE DOING WAS WONDERFUL BUT IT WAS EVERY SINGLE THING DID WAS INCREASING THE DIGITAL DIVIDE, INCREASING THE GAP BETWEEN THE POWER OF THE PEOPLE WHO HAD THE WEB AND DID NOT HAVE IT. SO AT THAT POINT, WE STARTED THE WORLDWIDE WEB FOUNDATION ABOUT WHICH YOU ALREADY HEARD SOME TO MAKE SURE THAT THE WEB -- WELL, YES, THAT IT GETS TO, FOR EXAMPLE, THE 60% OF THE PEOPLE WHO IN THE WORLD WHO DON'T HAVE IT AT ALL BUT ALSO FOR THE PEOPLE WHO HAVE IT, THAT IT REALLY IS THE WEB THAT WE WOULD WANT, THE WEB HAS NOW BECOME AN ESSENTIAL PUBLIC UTILITY SO WE HAVE TO REGARD IT AS SUCH.
>MUCH OF OUR TRADITIONAL THINKING ABOUT HUMAN RIGHTS APPLIES DIRECTLY TO EVERYTHING ON THE INTERNET SUCH AS FREE EXPRESSION. BUT NEW THINGS BECOMING IMPORTANT IN THE NETWORK CONTEXT, NET NEUTRALITY MEANS KEEPING THE NET FREE FROM DISCRIMINATION, BE IT COMMERCIAL OR POLITICAL.
>THE INNOVATIVE EXPLOSION WHICH HAPPENED ACROSS THE NET OVER THE LAST 25 YEARS HAS HAPPENED ONLY BECAUSE THAT NET HAS BEEN NEUTRAL. THE SOCIAL GROUND-BREAKING SENSE OF POSSIBILITY THAT WE CAN UNDERSTAND EACH OTHER AND POSSIBLY LIVE IN PEACE RELIES ON AN OPEN NET. OH, AND THANKS TO EVERYBODY WHO HAS EVER HELD UP A BANNER IN ANY FORUM ABOUT PUSHING FOR THE OPEN NET AND PUSHING AGAINST LAWS WHICH RESTRICT THE OPEN NET.
>SO THAT SENSE OF EXCITEMENT WHICH WE ALL HAVE GIVES US ALSO A RESPONSIBILITY THAT WE MUST KEEP THE NET NEUTRAL -- THE NET AS A NEUTRAL PLATFORM IN THE FUTURE.
>FREEDOM OF EXPRESSION IS A CRUCIAL RIGHT BUT IT HAS TO BE COUPLED ON THE NETWORK WITH A COMPLIMENTARY RIGHT TO PRIVACY AS, MADAM PRESIDENT, YOU HAVE POINTED OUT BEFORE AND HAVE ALREADY BEEN QUOTED TODAY.
>SO I WON'T QUOTE YOU AGAIN, BUT I WOULD, YES, AGREE THAT THERE ARE A LOT OF PEOPLE THAT ARE WORRIED ABOUT SURVEILLANCE AND FEEL IT IS PERHAPS THE MOST IMMEDIATE THREAT. IT FEELS THE MOST IMMEDIATE THREAT. AND, OF COURSE, SURVEILLANCE ALL AFFECTS THE INTERNET, IT IS ONE OF THE MORE INSIDIOUS ONES BECAUSE YOU DON'T SEE IT HAPPENING UNLIKE CENSORSHIP.
>IT IS GREAT TO BE BACK IN BRAZIL TODAY, NOT JUST BECAUSE BRAZIL IS A WONDERFUL COUNTRY AND ONE WHICH HAS HAD A REALLY VIBRANT SENSE OF WHAT OPPORTUNITY ON THE NET BUT, OF COURSE, ESPECIALLY TODAY IS A SPECIAL DAY. YESTERDAY WAS A VERY SPECIAL DAY, THE MARCO CIVIL GOING THROUGH IS WONDERFUL. A FANTASTIC EXAMPLE OF HOW GOVERNMENTS COMPARE POSITIVE ROLE IN ADVANCING WEB RIGHTS AND KEEPING THE WEB OPEN. YES, EUROPEANS ALSO CELEBRATE, THE EUROPEAN PARLIAMENT PASSING LEGISLATION PROTECTING USERS ON THE WEB. WELL DONE. SO TWO DATA POINTS THAT SUGGEST WE ARE MAKING PROGRESS. THAT IS GREAT, BUT, BOY, WE HAVE GOT A HUGE WAY THE PRINCIPLES OF HUMAN RIGHTS ON THE NET ARE NEW AND THEY'RE NOT UNIVERSALLY ACCEPTED.
>THE WEB BECOMES EVER MORE EXCITING WITH EVERY ADVANCING TECHNOLOGY LIKE MOBILE WEB AND SO ON, BUT 60% OF THE WEB -- OF THE POPULATION CAN'T USE THE WEB AT ALL.
>AS THE WEB GIVES PEOPLE GREATER AND GREATER POWER, INDIVIDUALLY AND COLLECTIVELY, SO MANY FORCES ARE ABUSING OR THREATEN TO ABUSE THE NET AND ITS CITIZENS. THE WEB THAT WE WILL HAVE IN ANOTHER 25 YEARS' TIME IS, BY NO MEANS, CLEAR. BUT IT IS COMPLETELY UP TO US TO DECIDE WHAT WE WANT TO MAKE THAT WEB, WHAT WE WANT TO MAKE THAT WORLD.
>THAT'S WHY I'M ASKING WEB USERS AROUND THE WORLD, NOT JUST PEOPLE HERE IN THIS CONFERENCE ROOM AND THE OTHER CONFERENCE ROOMS WHERE THIS IS BEING RELAYED, NOT JUST PEOPLE IN THIS CONFERENCE BUT PEOPLE ALL OVER THE WORLD, TO GO AND THINK ABOUT WHAT YOU WANT AND TO FIND SOME SORT OF GLOBAL MAGNA CARTA FOR THE INTERNET. THAT IS WHY --
>[APPLAUSE ] >>TIM BERNERS-LEE: THAT IS WHY I'M ASKING COUNTRIES EVERYWHERE TO FOLLOW BRAZIL'S EXAMPLE AND EUROPE'S EXAMPLE AND DEVELOP POSITIVE LAWS THAT PROTECT AND EXPAND THE RIGHTS OF USERS IN AN OPEN, FREE, AND UNIVERSAL WEB.
>[APPLAUSE ]
>>>TIM BERNERS-LEE: THANK YOU.
>[APPLAUSE ] >> LADIES AND GENTLEMEN, THE PRESIDENT OF THE REPUBLIC HAS APPROVED A LAW THAT GUARANTEES THE RIGHTS AND DUTIES FOR THE USE OF INTERNET IN THE WORLD.
>[CHEERS AND APPLAUSE ] >>H.E. DILMA ROUSSEFF: GOOD MORNING TO ONE AND ALL. I WOULD LIKE TO THANK THOSE WHO SPOKE BEFORE ME FOR PERFECTLY PRONOUNCING "GOOD MORNING" IN PORTUGUESE, (NON-ENGLISH WORD OR PHRASE) AS VOICED BY OUR DEAR REPRESENTATIVE FROM AFRICA, NNENNA NWAKANMA.
>THANK YOU VERY MUCH FOR PERFECTLY PRONOUNCING (NON-ENGLISH WORD OR PHRASE) IN BRAZILIAN PORTUGUESE. GOOD MORNING.
>AND BY GREETING HER, I WOULD LIKE TO EXTEND MY GREETINGS TO ALL WOMEN WHO ARE CURRENTLY ACTIVE ON THE WEB. BOTH THE GIRLS AND THE GUYS WHO ARE EQUALLY ACTIVE ON THE WEB.
>GREETINGS, LIKEWISE, TO THE MAYOR OF SAO PAULO WHO HAS SO KINDLY WELCOMED US, AND ABOVE ALL, I WOULD RECYCLE TO, FIRST OF ALL, GREET TWO MEMBERS OF CONGRESS FROM BRAZIL. NAMELY MR. (SAYING NAME) REPRESENTING THE HOUSE OF REPRESENTATIVES WHO SERVED AS RAPPORTEUR OF THE BILL OF LAW WHICH LED UP TO THE PASSING YESTERDAY OF THE INTERNET CIVIL FRAMEWORK, AS WELL AS REPRESENTATIVE -- RATHER SENATOR (SAYING NAME), AND THROUGH HIM, I WOULD LIKE TO FURTHER EXTEND MY GREETINGS, LIKEWISE, TO THE SENATE RAPPORTEURS WHO WERE ABLE TO PASS THE PIECE OF LAW IN A RECORD TIME, SENATOR (SAYING NAME), SENATOR (SAYING NAME), AND SENATOR (SAYING NAME). THANK YOU.
>AND SO SENATOR (SAYING NAME) AND TO REPRESENTATIVE (SAYING NAME), I WOULD LIKE TO VOICE MY THANKS FOR YOUR EFFORTS IN PASSING THE INTERNET CIVIL FRAMEWORK.
>GREETINGS, LIKEWISE, TO THE SECRETARY-GENERAL OF THE UNITED NATIONS, HONG BO. SPECIAL GREETINGS LIKEWISE TO THE INVENTOR OF THE INTERNET, TIM BERNERS-LEE.
>I WOULD LIKE TO GREET THE VICE PRESIDENT OF GOOGLE, AND A KEY PERSON -- RATHER A KEY PERSON IN THE ESTABLISHMENT OF THE INTERNET, MR. CERF.
>GREETINGS, ONCE AGAIN, TO MR. (SAYING NAME) WHO, ON OCTOBER THE 8TH LAST YEAR, 2013 -- CORRECT, FADI, IF I'M NOT MISTAKEN, WE MET IN BRAZIL YEAH AND ON THAT OCCASION DURING THAT MEETING WITH YOU THE SEMINAL IDEA SURFACED OF ESTABLISHING THIS INTERNET GOVERNANCE SUMMIT MEETING THAT IS REALIZED HERE TODAY, SO THANK YOU VERY MUCH AN ALL OF YOU, INCLUDING CABINET MINISTERS AND FOREIGN DELEGATES ATTENDING THIS SESSION TODAY. ---
>MAY I ALSO USE THE OPPORTUNITY ---
>MAY I ALSO USE THE OPPORTUNITY TO GREET ALL CABINET MINISTERS WHO HAVE BEEN ACTIVELY INVOLVED IN THE PROCESS THAT LED UP TO THE PASSING OF THE INTERNET GOVERNANCE CIVIL FRAMEWORK, AN EFFORT WHICH OF COURSE INVOLVED ALL STAKEHOLDERS AND SOCIETY.
>SPECIAL THANKS TO MINISTER OF FOREIGN AFFAIRS, AMBASSADOR (SAYING NAME), MINISTER OF JUSTICE CARDOZO, ALSO MINISTER OF COMMUNICATIONS, MINISTER OF SCIENCE AND TECHNOLOGY, (SAYING NAME), AND MAY I ALSO GREET AND THANK SENATOR AND MINISTER OF CULTURE (SAYING NAME) AS WELL AS THE BRAZILIAN SECRETARY-GENERAL OF THE PRESIDENT'S OFFICE, (SAYING NAME). GREETINGS LIKEWISE TO ALL ATTENDEES, PARTICULARLY THE MEDIA PROFESSIONALS, JOURNALISTS, PHOTOGRAPHERS, AND CAMERAMEN AND WOMEN.
>MAY I SAY THAT YOU ARE ALL MOST WELCOME TO BRAZIL.
>AS ATTENDEES TO THIS GLOBAL MULTISTAKEHOLDER MEETING ON THE FUTURE OF INTERNET GOVERNANCE, THE SO-CALLED NETmundial AS WE CALL IT IN PORTUGUESE.
>AT THIS POINT IN TIME I WOULD ALSO LIKE TO VOICE MY GREETINGS TO THE ORGANIZERS, I.E., THE INTERNET MANAGEMENT OR MANAGING COMMITTEE AS WELL AS THE 1net COMMITTEE. IT GIVES ME GREAT JOY TO SEE IN THIS PLENARY HALL REPRESENTATIVES OF ALL DIFFERENT SECTORS WHO -- OR WHICH ARE IN ONE WAY INVOLVED IN THE INTERNET GOVERNANCE.
>IN THIS HALL TODAY, WE HAVE CIVIL SOCIETY, ACADEMIA, MEMBERS OF THE TECHNICAL COMMUNITY, BUSINESSES, AND GOVERNMENTS AT LARGE.
>THIS HEALTHY DIVERSITY -- AND I STRESS IT IS A HEALTHY DIVERSITY -- IS ALSO A HALLMARK OF THOSE GROUPS THAT HAVE JOINED US THROUGH THE INTERNET AND THIS MEETING, AND I WOULD LIKE TO USE THE OPPORTUNITY TODAY TO ESTABLISH A DIALOGUE ON THE ISSUES AND THE PURPOSES THAT BRING US TOGETHER IN SAO PAULO TODAY.
>BACK IN MID-2013 WHEN THE REVELATION SURFACED ON THE COMPREHENSIVE MECHANISMS FOR COLLECTIVE MONITORING OF COMMUNICATIONS CAUSED ANGER AND REPUDIATION IN VAST CIRCLES OF PUBLIC OPINION BOTH IN BRAZIL AND IN THE WORLD AT LARGE, IN BRAZIL CITIZENS, COMPANIES, DIPLOMATIC REPRESENTATIONS AND EVEN THE PRESIDENCY OF THE REPUBLIC ITSELF WERE TARGETED, AND THEIR COMMUNICATIONS INTERCEPTED.
>THESE EVENTS ARE NOT ACCEPTABLE. WERE NOT ACCEPTABLE IN THE PAST AND REMAIN UNACCEPTABLE TODAY, IN THAT THEY ARE AN AFFRONTMENT AGAINST THE VERY NATURE OF THE INTERNET AS A DEMOCRATIC, FREE, AND PLURALISTIC PLATFORM.
>THE INTERNET WE WANT IS ONLY POSSIBLE IN A SCENARIO WHERE HUMAN RIGHTS ARE RESPECTED. PARTICULARLY THE RIGHT TO PRIVACY AND TO ONE'S FREEDOM OF EXPRESSION.
>ACCORDINGLY, IN MY ADDRESS TO THE 68TH GENERAL ASSEMBLY OF THE UNITED NATIONS, I PUT FORTH A PROPOSAL TO TACKLE SUCH PRACTICES. I THEN PROPOSED A DISCUSSION ON ESTABLISHING A GLOBAL CIVIL FRAMEWORK FOR INTERNET GOVERNANCE AND USE, AS WELL AS MEASURES TO ENSURE ACTUAL PROTECTION OF DATA THAT TRAVELS THROUGH THE INTERNET.
>ALSO, WORKING TOGETHER WITH GERMAN CHANCELLOR ANGELA MERKEL WE SUBMITTED TO THE UNITED NATIONS A DRAFT RESOLUTION ON THE RIGHT TO PRIVACY IN THE DIGITAL AGE.
>BY CONSENSUS, THE RESOLUTION WAS PASSED AS PROPOSED AND WE ALSO PASSED A CALL FOR STATES TO DISCONTINUE ANY ARBITRARY OR ILLEGAL COLLECTION OF PERSONAL DATA AND TO ENFORCE USERS' RIGHTS TO PRIVACY.
>I SHOULD ACTUALLY STRESS THE FACT THAT THE SAME RIGHTS THAT PEOPLE ARE ENTITLED TO OFFLINE OR IN THE OFFLINE WORLD SHOULD BE LIKEWISE PROTECTED ON THE ONLINE WORLD.
>THIS MEETING TODAY, NETMUNDIAL, PROVIDES FURTHER MOMENTUM TO THAT EFFORT. THIS MEETING ALSO LIVES UP TO A GLOBAL YEARNING AS WE PROPOSE CHANGES IN THE CURRENT STATE OF AFFAIRS AND FOR AN ONGOING CONSISTENT STRENGTHENING OF FREEDOM OF EXPRESSION ON THE INTERNET AS WELL AS EFFORTS TO ULTIMATELY PROTECT BASIC HUMAN RIGHTS, AS IS THE CASE OF ONE'S RIGHT TO PRIVACY. AND WITHOUT THE SHADOW OF A DOUBT, THAT IS ALSO THE CASE OF ONE'S RIGHT TO PROPER TREATMENT OF WEB-BASED DISCUSSIONS IN A RESPECTFUL FASHION, TO ENSURE ITS OPEN, DEMOCRATIC NATURE. WE HAVE ALL TO SAO PAULO, THEREFORE, WITH A SHARED PURPOSE, THE PURPOSE OF ENHANCING AND DEMOCRATIZING INTERNET GOVERNANCE BY MEANS OF CONSENSUS BUILDING. AND I MEAN CONSENSUS AROUND PRINCIPLES, AND ON A ROADMAP TO BE DEVELOPED FOR ITS FUTURE EVOLUTION.
>A POINT I'D LIKE TO MAKE PLAIN AND CLEAR IS THAT THE IDEA HERE IS NOT, OF COURSE, TO REPLACE FOR THE COUNTLESS FORA OUT THERE THAT ALREADY ADDRESS THE TOPIC OR THE MATTER AT HAND TODAY. THE IDEA, RATHER, IS TO LEND A NEW MOMENTUM TO THE ONGOING DISCUSSIONS IN A MUCH NEEDED SENSE OF URGENCY.
>WE, THEREFORE, WORK FROM TWO PREMISES OR KEY ASSUMPTIONS.
>THE FIRST SUCH PREMISE IS THAT WE ALL WANT TO PROTECT THE INTERNET AS A SPACE, AVAILABLE TO ALL, AS A SHARED ASSET, AND AS SUCH, TRULY HERITAGE OF HUMANKIND, MORE THAN SIMPLY A WORK TOOL AND WAY BEYOND ITS WELL-KNOWN CONTRIBUTION FOR ECONOMIC GROWTH, PROVIDED, OF COURSE, THAT IT BE INCREASINGLY INCLUSIVE AND THE FACT IS THAT THE INTERNET HAS ENABLED THE CONSTANT REINVENTION OF THE WAY PEOPLE AND INSTITUTIONS INTERACT, PRODUCE CULTURE, AND ORGANIZE THEMSELVES, EVEN POLITICALLY.
>AN OPEN AND DECENT NETWORK ARCHITECTURE FAVORS GREATER ACCESS TO KNOWLEDGE. IT HELPS MAKE COMMUNICATIONS MORE DEMOCRATIC AND ALSO FOSTERS CONSTANT INNOVATION. THESE BASIC FEATURES ARE THE FEATURES THAT WE WANT AND THAT SHOULD BE PRESERVED UNDER ANY CIRCUMSTANCES, AND IN ANY SCENARIO, IN ORDER TO ULTIMATELY GUARANTEE THE FUTURE OF THE INTERNET AND, THUS, BOOST ITS TRANSFORMATIVE EFFECTS FOR AND IN SOCIETIES.
>THE SECOND PREMISE OR ASSUMPTION IS THE DESIRE WE ALL SHARE TO INCORPORATE AN INCREASINGLY BROADER AUDIENCE INTO THIS PROCESS.
>OUR COMMITMENT TO AN OPEN AND INCLUSIVE DEBATE HAS GUIDED THE EFFORTS TO ORGANIZE THIS MEETING IN SAO PAULO TODAY. ALL DIFFERENT WALKS OF LIFE HAVE TAKEN PART IN ITS PREPARATION AND ARE DULY REPRESENTED IN THIS PLANE HALL TODAY.
>WE ARE TALKING ABOUT THOUSANDS OF PARTICIPANTS FROM ALL OVER THE WORLD WHO ARE JOINED BY VIRTUAL CONNECTIONS IN SEVERAL DIFFERENT POINTS OF THE PLANET.
>THE TOPICS TO BE DISCUSSED HAVE BEEN THE SUBJECT OF BROAD AND PRIOR INTERNATIONAL PUBLIC CONSULTATION AND HAVE RECEIVED INPUTS FROM PLAYERS OR STAKEHOLDERS LOCATED IN SEVERAL DIFFERENT COUNTRIES AND IN DIFFERENT GEOGRAPHIES.
>THESE PROPOSALS IN TURN, OR INPUTS, HAVE SERVED AS THE FOUNDATION TO DEVELOP A DRAFT DOCUMENT, THE DRAFT DOCUMENT TO BE DISCUSSED AND FURTHER ENHANCED HERE IN THE NEXT FEW DAYS.
>I WOULD LIKE TO WELCOME THE WORK CONDUCTED BY THE EXECUTIVE METRIC SECTORAL COMMUNITY AS WELL AS THE HIGH-LEVEL MULTISTAKEHOLDER COMMITTEE FOR THIS JOINT EFFORT.
>THE INTEREST OF BRAZILIANS IN THE INTERNET IS REFLECTED ON THE SUBSTANTIAL PARTICIPATION OF BRAZILIAN NATIONALS IN THE DOMESTIC PUBLIC CAPTION AS FACILITATED BY THE.BR PORTAL. AT THIS TIME, CIVIL SOCIETY IS ORGANIZED IN THIS FORUM, THE SO-CALLED NETmundial ARENA, WHICH IS THE BRAZILIAN LOCUS FOR ACCESS TO TODAY'S SESSIONS.
>MAY I REMIND ALL THE LADIES AND GENTLEMEN AND FRIENDS ATTENDING THIS SESSION THAT BRAZIL ADVOCATES THAT INTERNET GOVERNANCE SHOULD BE MULTISTAKEHOLDER, MULTILATERAL, DEMOCRATIC, AND TRANSPARENT IN NATURE.
>IT IS OUR VIEW THAT THE MULTISTAKEHOLDER MODEL IS THE BEST WAY TO EXERCISE INTERNET GOVERNANCE.
>VERY MUCH IN ACCORDANCE WITH THAT VIEW, OUR LOCAL GOVERNANCE SYSTEM WHICH HAS BEEN IN OPERATION FOR 20 YEARS HAS RELIED ON ACTUAL PARTICIPATION OF REPRESENTATIVES FROM CIVIL SOCIETY, MEMBERS OF ACADEMIA, THE BUSINESS COMMUNITY, AND THE GOVERNMENT AT LARGE AT THE INTERNET GOVERNANCE -- OR AT THE INTERNET MANAGEMENT COMMITTEE.
>FULLY IN LINE WITH WHAT I JUST SAID, I ALSO ATTACH A GREAT DEAL OF IMPORTANCE TO THE MULTILATERAL PERSPECTIVE, ACCORDING TO WHICH GOVERNMENT PARTICIPATION SHOULD OCCUR ON AN EQUAL FOOTING AMONG GOVERNMENTS IN SUCH A WAY AS TO ENSURE THAT NO COUNTRY WILL HAVE OR BEAR GREATER WEIGHT VIS-A-VIS OTHER COUNTRIES.
>[APPLAUSE ] >>H.E. DILMA ROUSSEFF: OUR ADVOCACY OF THE MULTILATERAL MODEL IS THE NATIONAL CONSEQUENCE OF AN ELEMENTARY PRINCIPLE THAT SHOULD GOVERN TODAY'S INTERNATIONAL RELATIONS AS ENSHRINED IN THE BRAZILIAN FEDERAL CONSTITUTION. I'M TALKING ABOUT EQUALITY AMONG STATES.
>WE, THEREFORE, SEE NO OPPOSITION WHATSOEVER BETWEEN MULTI- -- OR THE MULTILATERAL AND THE MULTISTAKEHOLDER NATURE OF THE INTERNET. ACTUALLY, THE OPPOSITE OF THAT WOULD BE A ONE-SIDED UNILATERAL INTERNET WHICH IS UNTENABLE.
>AN INTERNET THAT IS ULTIMATELY SUBJECT TO INTERGOVERNMENTAL ARRANGEMENTS THAT EXCLUDE OTHER SECTORS OF SOCIETY IS NOT DEMOCRATIC.
>MULTISTAKEHOLDER ARRANGEMENTS THAT ARE IN TURN SUBJECT TO OVERSIGHT BY ONE OR FEW STATES ARE NOT ACCEPTABLE EITHER.
>WE TRULY WANT TO MAKE RELATIONS BETWEEN GOVERNMENTS AND SOCIETIES MORE DEMOCRATIC, AS WELL AS THE RELATIONS AMONG GOVERNMENTS. WE WANT MORE, NOT LESS, DEMOCRACY.
>THE TASK OF PROVIDING A GLOBAL DONATION TO THE ORGANIZATIONS THAT ARE CURRENTLY RESPONSIBLE FOR CENTRAL FUNCTIONS OF THE INTERNET IS NOT ONLY NECESSARY, BUT ALSO AN UN-POSTPONABLE TASK.
>THE COMPLEXITY OF THE TRANSITION AT HAND, WHICH ON THE ONE HAND INVOLVES JURISDICTIONAL COMPETENCE, AS WELL AS ACCOUNTABILITY AND AN AGREEMENT WITH MULTIPLE STAKEHOLDERS, DOES NOT, NEVERTHELESS, MAKE IT LESS URGENT A TASK.
>THAT IS WHY I'D LIKE TO AGAIN WELCOME THE RECENTLY VOICED INTENTION OF THE UNITED STATES GOVERNMENT TO REPLACE ITS INSTITUTIONAL LINKAGE WITH THE AUTHORITY FOR -- OR WITH THE INTERNET AUTHORITY FOR NUMBER ASSIGNMENT, IANA, AND THE INTERNET CORPORATION FOR NAMES AND NUMBER ASSIGNMENTS, ICANN, BY A GLOBAL MANAGEMENT OF THESE INSTITUTIONS FROM NOW ONWARDS, A NEW INSTRUMENTAL AND LEGAL ARRANGEMENT OF THE ISDN UNDER THE RESPONSIBILITY OF IANA AND ICANN SHOULD BE BUILT IN SUCH A WAY AS TO INCLUDE BROAD-RANGING INVOLVEMENT OF ALL SECTORS THAT HAVE AN INTEREST IN THE MATTER WAY BEYOND THE TRADITIONAL STAKEHOLDERS OR PLAYERS.
>EACH SECTOR, OF COURSE, PERFORMS DIFFERENT ROLES BASED ON LIKEWISE DIFFERENTIATED RESPONSIBILITIES.
>THE OPERATIONAL MANAGEMENT OF THE INTERNET SHOULD CONTINUE BEING LED BY ITS TECHNICAL COMMUNITY. MAY I, AT THIS POINT, VOICE MY PUBLIC RECOGNITION -- AND THIS IS ON BEHALF OF MY GOVERNMENT -- TO THESE PEOPLE WHO DEVOTE THEIR TIME AND ENERGY ON A DAY-TO-DAY BASIS TO KEEPING THE INTERNET AS AN OPEN, STABLE, AND SECURE PLATFORM, A KEY EFFORT WHICH REMAINS LARGELY INVISIBLE IN THE EYES OF MOST OF US END USERS.
>MATTERS PERTAINING TO SOVEREIGNTY SUCH AS CYBERCRIME, BREACH OF RIGHTS, ECONOMIC ISSUES OR TRANSNATIONAL ECONOMIC ISSUES, AND THREATS OF CYBER-ATTACKS ARE THE PRIMARY RESPONSIBILITY OF STATES.
>THE TASK AT HAND IS, ABOVE ALL, TO ENSURE THAT STATES WILL HAVE AT THEIR AVAIL THE TOOLS THAT WILL ALLOW THEM TO FULFILL THEIR RESPONSIBILITIES BEFORE THEIR CITIZENS, TO INCLUDE THE GUARANTEE OF FUNDAMENTAL RIGHTS. RIGHTS WHICH ARE ENSURED OFFLINE SHOULD BE EQUALLY INSURED ONLINE.
>THESE RIGHTS THRIVE UNDER THE SHELTER AND NOT IN THE ABSENCE OF THE STATE.
>IN ORDER FOR THE GLOBAL INTERNET GOVERNANCE TO BE TRULY DEMOCRATIC, MECHANISMS ARE REQUIRED TO ENABLE GREATER PARTICIPATION OF DEVELOPING COUNTRIES IN ALL DIFFERENT SECTORS.
>THE MATTERS THAT ARE IN THE INTEREST OF THESE COUNTRIES THAT ARE THE HEAVY-DUTY USERS OF THE INTERNET, TOPICS SUCH AS, FOR EXAMPLE, EXPANDING CONNECTIVITY, ACCESSIBILITY, AND THE RESPECT TO DIVERSITY, SHOULD BE CENTRAL ON THE INTERNATIONAL AGENDA.
>IT IS NOT ENOUGH FOR FORA TO BE OPEN FROM A PURELY FORMAL STANDPOINT. WE MUST FURTHER IDENTIFY AND REMOVE THE VISIBLE AND INVISIBLE BARRIERS TO ACTUAL PARTICIPATION OF THE ENTIRE POPULATION OF EVERY COUNTRY OR ELSE WE WOULD BE ULTIMATELY RESTRICTING OR LIMITING THE DEMOCRATIC ROLE AND THE SOCIAL AND CULTURAL REACH OF THE INTERNET.
>THE EFFORT AT HAND FURTHER REQUIRES THAT THE INTERNET GOVERNANCE FORUM BE FURTHER STRENGTHENED AS A DIALOGUE FORUM CAPABLE OF PRODUCING RESULTS AND RECOMMENDATIONS.
>IT ALSO REQUIRES A COMPREHENSIVE, BROAD-RANGING REVIEW OF THE 10 YEARS FOLLOWING THE SUMMIT -- WORLD SUMMIT MEETING OF INFORMATION SOCIETY AS WELL AS A DEEPER DISCUSSION ON ETHICS AND PRIVACY AT THE UNESCO LEVEL.
>GIVEN THE ABOVE, MAY I SAY THAT WE ARE STRONG BELIEVERS THAT THE CYBER-SPACE -- AND I'M SURE THAT BELIEF IS SHARED BY ALL OF US -- THE CYBER-SPACE SHOULD BE THE TERRITORY OF TRUST, HUMAN RIGHTS, CITIZENSHIP, COLLABORATION, AND PEACE.
>TO ACHIEVE THESE OBJECTIVES, WE MUST AGREE ON BASIC PRINCIPLES THAT WILL ULTIMATELY GUIDE INTERNET GOVERNANCE.
>AS REGARDS PRIVACY, THE RESOLUTION PASSED BY THE UNITED NATIONS ORGANIZATION WAS AN IMPORTANT STEP IN THE RIGHT DIRECTION, BUT WE MUST -- BUT WE STILL HAVE MUCH PROGRESS TO MAKE.
>ANY DATA COLLECTION OR TREATMENT SHOULD ONLY BE CARRIED OUT WITH FULL AGREEMENT OF THE PARTIES INVOLVED OR AS LEGALLY PROVIDED FOR.
>HOWEVER, THE DISCUSSION ON PRINCIPLES IS MUCH MORE COMPREHENSIVE. IT SHOULD -- AND I STRESS IT SHOULD -- INCLUDE UNIVERSAL INTERNET ACCESS, WHICH IS ABSOLUTELY KEY FOR THE WEB TO SERVE AS A TOOL FOR HUMAN AND SOCIAL DEVELOPMENT SO AS TO ULTIMATELY HELP BUILD INCLUSIVE, NONDISCRIMINATORY SOCIETIES.
>IT SHOULD ALSO INCLUDE FREEDOM OF EXPRESSION AND NET NEUTRALITY AS AN SINE BRAZIL HAS ITS CONTRIBUTIONS TO MAKE FOLLOWING A BROAD RANGING DISCUSSION, DOMESTIC PROCESS THAT HAS ULTIMATELY LED TO THE PASSING OF THE INTERNET CIVIL FRAMEWORK ACT AS PASSED YESTERDAY BY CONGRESS IN WHICH I HAD THE HONOR OF SANCTIONING JUST A FEW MINUTES AGO. THE LAW -- AND I MAY QUOTE TIM BERNERS-LEE WHO QUOTED THE LAW AS A PRESIDENT TO THE WEB ON THE OCCASION OF THE 20th -- OR 25th ANNIVERSARY AS SUCH THE LAW CLEARLY SHOWS THE FEASIBILITY AND SUCCESS OF OPEN MULTISECTORIAL DISCUSSIONS AS WELL AS THE INNOVATIVE USE OF THE INTERNET AS PART OF ONGOING DISCUSSIONS AS A TOOL AND A INTERACTIVE DISCUSSION PLATFORM.
>I THINK IT IS FAIR TO SAY THAT THE PROCESS THAT LED UP TO THE CIVIL FRAMEWORK ACT CAN BE DESCRIBED AS A VIRTUOUS PROCESS IN THAT OUR CIVIL FRAMEWORK, AS IT CURRENTLY STANDS, HAS BEEN EVEN FURTHER APPRECIATED GIVEN THE PROCESS THAT PRECEDED THE EFFORTS TO ESTABLISH IT AS SUCH.
>MAY I, THEREFORE, CALL TO MIND THAT OUR CIVIL FRAMEWORK ESTABLISHES PRINCIPLES, GUARANTEES AND USER RIGHTS, CLEARLY ASSIGNING DUTIES AND RESPONSIBILITIES OF THE DIFFERENT STAKEHOLDERS AND GOVERNMENT AGENCIES ON AN ONLINE ENVIRONMENT. AND EQUALLY IMPORTANT, IT ENSHRINES NETWORK NEUTRALITY AS A KEY PRINCIPLE, A MAJOR GAIN WHICH WE WERE ABLE TO MATERIALIZE AS A CONSENSUS IN THE PROCESS.
>IT ENSHRINES NETWORK NEUTRALITY BY ESTABLISHING THE TELECOMMUNICATIONS COMPANY SHOULD TREAT ANY DATA PACKAGES ON IN A --- FASHION WITH ACCOUNT TO AGENT, DESTINATION, SERVICE, TERMINAL OR APPLICATION. THE LAW OR FRAMEWORK AS HAS TRULY ENSHRINED NETWORK NEUTRALITY. FURTHERMORE, COMPANIES MAY NOT BLOCK, MONITOR, FILTER OR ANALYZE THE CONTENT OF DATA PACKAGES.
>THE CIVIL FRAMEWORK PROTECTS CITIZENS' PRIVACY IN THE ONLY IN THE RELATION WITH THE GOVERNMENTS BUT ALSO WITH RELATION WITH THE INTERNET COMPANIES. COMMUNICATIONS ARE, BY DEFINITION, NON-VIABLE EXCEPT BY A SPECIFIC COURT ORDER TO THAT EFFECT. THE RECENTLY PASSED LAW FURTHER CONTAINS CLEAR RULES GOVERNING WITHDRAWAL OF CONTENT FROM THE INTERNET. ALWAYS, OF COURSE, WITH A VIEW TO ENSURING THAT THE APPLICABLE COURT ORDERS BE AVAILABLE.
>THE CIVIL NETWORK IS AN EXAMPLE OF THE FACT THAT THE INTERNET DEVELOPMENT CANNOT DO IT WITHOUT A DISCUSSION PROCESS AND THE INVOLVEMENT OF NATIONAL STATES. AS SUCH, IT STANDS AS AN INNOVATIVE BENCHMARK MILESTONES BECAUSE IN ITS DEVELOPMENT PROCESS, WE HEARD THE VOICES OF THE STREETS, THE NETWORKS AND OF DIFFERENT INSTITUTIONS.
>FOR ALL OF THE ABOVE, IT IS OUR FIRM CONVICTION THAT ON A NETWORK, EACH NODE MATTERS. THE LARGE NODES SUCH AS THE MEGA PORTALS TO WHICH A SUBSTANTIAL AMOUNT OF WORLD TRAFFIC CONVERGES AND SMALL NODES ARE EQUALLY IMPORTANT.
>AT THIS TIME, I WOULD LIKE TO BRING TO THE FORE A KEY FUNDAMENTAL ISSUE AND TALK ABOUT THE FACT THAT THIS COUNTRY HAS TAKEN A MAJOR STEP FORWARD AS PART OF THE ONGOING PROCESS WHEREBY WE NOT ONLY INCLUDE BUT ALSO GUARANTEE A STEADY STREAM OF INCOME TO A SUBSTANTIAL SHARE OF THE POPULATION.
>INCOME AND ACCESS ARE EQUALLY IMPORTANT. WE BELIEVE THAT IT IS EQUALLY IMPORTANT TO ENSURE WE HAVE PLACE IN SOCIETY WHERE CITIZENS HAVE THEIR OWN VIEWS AND THEY ARE ABLE TO VOICE THEIR VIEWS FREELY. HENCE, THE INVALUABLE DEGREE OF IMPORTANCE WE ATTACH TO THE INTERNET IN OUR SOCIETY.
>WE ALSO HAVE YET ANOTHER MAJOR ASSET. I'M TALKING ABOUT BRAZIL'S ETHNIC CULTURAL, POLITICAL AND RELIGIOUS DIVERSITY. IT IS OURS TO NOT ONLY RESPECT BUT ALSO PROMOTE AND FOSTER OUR CULTURAL DIVERSITY. WE DO NOT WISH TO IMPOSE BELIEFS, CUSTOMS, VALUES OR POLITICAL VIEWS ON ANYONE.
>MAY I PARTICULARLY HIGHLIGHT THE THOUSANDS OF USERS THAT MULTIPLY ON A DAY-TO-DAY BASIS NOT ONLY HERE BUT IN ALL THE DEVELOPING COUNTRIES IN THE OUTSKIRTS OF LARGE URBAN AREAS AND ALSO IN TRADITIONAL COMMUNITIES OUT THERE. ALL OF THESE NEW USERS ENRICH THE NETWORK WITH NEW ALTERNATIVE IDEAS AND ACCOUNTS OF THE WORLD, NEW WORLD VISIONS. THESE PEOPLE MAKE THE INTERNET A STRONGER AND MORE UNIVERSAL PLATFORM.
>AND IT IS ON THEIR BEHALF AND BECAUSE OF THEM, THAT I WOULD LIKE TO AGAIN VOICE MY THANKS TO ALL OF YOU FOR ATTENDING THIS MEETING IN SAO PAULO. FOR US, THE INTERNET IS A MODERN-DAY PRO EMANCIPATION, PRO TRANSFORMATION TOOL THAT CHANGES SOCIETY. SWEEPING CHANGES ARE INTRODUCED THROUGH THE INTERNET. YOU ARE ALL MOST WELCOME. AND I HOPE YOU WILL ALL COME BACK FOR THE WORLD CUP OF ALL CUPS. IF NOT, MAKE SURE YOU WATCH IT THROUGH THE INTERNET. THANK YOU VERY MUCH AGAIN.
>[APPLAUSE ]
>>> LADIES AND GENTLEMEN, WE THANK YOU FOR THE PRESENCE OF YOU ALL. WE CLOSE NOW THIS CEREMONY.
>
>
>
>

Surveillance was mentioned by a few brave souls. Two peaceful, silent - and rather effective - protests broke out during the opening speeches; one, against the data retention clause in Brazil's otherwise path-breaking and brand-new law for civil rights on the Internet, Marco Civil, and another for honouring US NSA whistleblower Edward Snowden and urging action against surveillance. Sadly for Brazilian civil society, the Marco Civil protestations went unheard, and Rousseff signed the bill into law in full.

There were lots of speeches. Lots. If you missed them, here's a handy visualisation you can use to catch up quickly: just add some prepositions and conjunctions, and you'll have a perfectly anodyne and universally acceptable bureaucrat/politician keynote address.

The afternoon was given over to assimilating previously received comments on the outcome document and adding new ones from people in the room. Much contention, much continuity, lots of hard work, lots of nitpicking (some of it even useful) and lots of ambiguity; after more consultation - the slog goes on until tomorrow afternoon - the outcome document will be laid to rest. Lunch was excellent: there's a reason the Grand Hyatt São Paulo costs as much as it does.

Our quest to plumb the depths of multi-stakeholderism continued: we thank the kind folks who gave us their time and allowed us to record them.

Q: What does "multi-stakeholder" mean? What is "multi-stakeholderism"?

Multi-stakeholderism to me is the ability to engage with every stakeholder and have them in the room, and have them understand that it is not an equal opportunity for all. I also understand that civil society and academia will never be at the same place as business, which has far more resources, or governments, which have the sovereign right to make laws, or even the technical community, which is often missing from the policy dialogue. There are three things which are important to me: (1) Will I be able to make interventions not just in the dialogue but in the decision making process? For me, that is key. (2) Do I have recourse in a process which might be multilateral or inter-governmental - do I have recourse when international treaties are  ratified or signed, because they become binding national laws? and (3) What is it that happens to dissent in a process that is not multi-stakeholder? I think even the ITU (the International Telecommunications Union) has taken cognizance of multi-stakeholderism. So it's not new, but it's also not old or accepted, which is why we contest it. We will never have equal stakeholders. And who gets to represent the stakeholder communities? I don't think power imbalances get resolved, and I think it's a deeply flawed process. It's not perfect. But what worries me is the alternative. So give me a better alternative.
Subi Chaturvedi, Media for Change/ Lady Shriram College  (India)

Simply put, multi means many components, and stakeholders are people who have the stakes. So multi-stakeholder means many people who are informed to take the process forward. The process is still on: it's evolving. The idea is that everyone who has an interest should bring it forward, and the dialogue must be balanced. Proof of concept is important - it's not about taking a dogmatic position but a scientific position. Business is concerned about the justification around return on investment.
Jimson Olufuye, Africa ICT Alliance (Nigeria)

Everyone who has a stake in the use and operation of the Internet should have a stake in the way it is managed. I think we shouldn't be considering this as a power game - it's not winner takes all. Decision making should be as much as possible consensual, where no one has a veto power.
Getachew Engida, Deputy Director-General, UNESCO (France)

It is very simple. I think people are complicating matters. It's not a power game. The Internet is fundamentally a global network of interconnected computers. People have become not only consumers of information but providers of information, so the stakes in the media/ICT world are massive. Unprecedented. Therefore, around major issues confronting the Internet, decision making should be as participatory as possible.
Indrajit Banerjee, Director, UNESCO (France)

---

Additional Links

• Watch Brazilian President Dilma Rousseff's speech at the opening of NETmundial
• Follow Swedish foreign minister Carl Bildt on Twitter

Marco Civil, on which we blogged previously, includes provisions for the protection of privacy and freedom of expression of all users, rules mandating net neutrality, etc. Brazil celebrated the beginning of NETmundial, a momentous first day about which Achal Prabhala blogs, with President Rousseff’s approval of the Marco Civil.

At about the same time, news broke that the US Federal Communications Commission is set to propose new net neutrality rules. In the wake of the Verizon net neutrality decision in January, the proposed new rules will prohibit Internet service providers such as Comcast from slowing down or blocking traffic to certain websites, but permit fast lane traffic for content providers who are willing to pay for it. This fast lane would prioritise traffic from content providers like Netflix and Youtube on commercially reasonable terms, and result in availability of video and other content at higher speeds or quality. An interesting turn-around, as Marco Civil expressly mandates net neutrality for all traffic.