Centre for Internet and Society

The Phishing Society: Why 'Facebook' is more Dangerous than the Government Spying on You - A Talk by Maria Xynou

maria — 2013-09-27T09:16:19Z

Next Wednesday, you are all invited to listen to Maria Xynou's crazy - or not-so-crazy theory of the "Phishing Society", in which surveillance, control and oppression is not imposed in a traditional top-down manner, but rather a personal and collective "choice"...come and engage in a heated debate!

We have read and heard a lot of theories on the contemporary "Surveillance Society"...but how much of that is about surveillance per se? Are we being spied on a top-down manner...or are we enabling our own surveillance? Have the masses ever directly or indirectly "pursued" their own surveillance in the past...or are we witnessing a new phenomenon in history?

Most geeks would probably agree that the term "phishing" is used to describe the act of attempting to acquire sensitive information, such as usernames, passwords, private encryption keys and credit card details, by masquerading as a trustworthy entity. In other words, "phishing" is commonly used to describe the acquisition of sensitive, personal data through the use of bait.

The aim of the talk on Wednesday is to discuss the possible existence of a "Phishing Society", through which the act of providing bait — whether it being security, commodities, services or relationships — is a common, contemporary practice on a social, political and economic level in the pursuit of the "Gold of the Digital Age": personal data. Through this discussion, the "Government spying vs. Corporate spying" debate will be looked at, in an attempt to understand why the dynamics of surveillance have changed over the last year.

Everyone with an open mind is welcome to attend this talk and to share all opinions, ideas and concerns!

Video

For more details visit https://cis-india.org/internet-governance/events/the-phishing-society-a-talk-by-maria-xynou

Driving in the Surveillance Society: Cameras, RFID tags and Black Boxes...

maria — 2013-07-12T15:26:33Z

In this post, Maria Xynou looks at red light cameras, RFID tags and black boxes used to monitor vehicles in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

How many times in your life have you heard of people been involved in car accidents and of pedestrians being hit by red-light-running vehicles? What if there could be a solution for all of this? Well, several countries, including the United States, the United Kingdom and Singapore, have already adopted measures to tackle vehicle accidents and fatalities, some of which include traffic enforcement cameras and other security measures. India is currently joining the league by not only installing red light cameras, but by also including radio frequency identification (RFID) tags on vehicles´ number plates, as well as by installing electronic toll collection systems and black boxes in some automobiles. Although such measures could potentially increase our safety, privacy concerns have arisen as it remains unclear how data collected will be used.

Red light cameras

Last week, the Chennai police announced that it plans to install traffic enforcement cameras, otherwise known as red light cameras, at 240 traffic signals over the next months, in order to put an end to car thefts in the city. Red light cameras, which capture images of vehicles entering an intersection against a red traffic light, have been installed in Bangalore since early 2008 and a study indicates that they have reduced the traffic violation rates. A 2003 report by the National Cooperative Highway Research Programme (NCHRP) examined studies from the previous 30 years in the United States, the United Kingdom, Australia and Singapore and concluded that red light cameras ´improve the overall safety of intersections when they are used´.

However, how are traffic violation rates even measured? According to Barbara Langland Orban, an associate professor of health policy and management at the University of South Florida:

“Safety is measured in crashes, in particular injury crashes, and violations are not a proxy for injuries. Also, violations can be whatever number an agency chooses to report, which is called an ‘endogenous variable’ in research and not considered meaningful as the number can be manipulated. In contrast, injuries reflect the number of people who seek medical care, which cannot be manipulated by the reporting methods of jurisdictions.”

Last year, the Bombay state government informed the High Court that the 100 CCTV cameras installed at traffic junctions in 2006-2007 were unsuitable for traffic enforcement because they lacked the capacity of automatic processing. Nonetheless, red light cameras, which are capable of monitoring speed and intersections with stop signals, are currently being proliferated in India. Yet, questions remain: Do red light cameras adequately increase public safety? Do they serve financial interests? Do they violate driver´s due-process rights?

RFID tags and Black Boxes

A communication revolution is upon us, as Maharashtra state transport department is currently including radio frequency identification (RFID) tags on each and every number plate of vehicles. This ultimately means that the state will be able to monitor your vehicle´s real-time movement and track your whereabouts. RFID tags are not only supposedly used to increase public safety by tracking down offenders, but to also streamline public transport timetables. Thus, the movement of buses and cars would be precisely monitored and would provide passengers minute-to-minute information at bus stops. Following the 2001 amendment of Rule 50 of the Central Motor Vehicles Rules, 1989, new number plates with RFID tags have been made mandatory for all types of motor vehicles throughout India.

RFID technology has also been launched at Maharashtra´s state border check-posts. Since last year, the state government has been circulating RFID stickers to trucks, trailers and tankers, which would not only result in heavy goods vehicles not having to wait in long queues for clearance at check-posts, but would also supposedly put an end to corruption by RTO officials.

By 31 March 2014, it is estimated that RFID-based electronic toll collection (ETC) systems will be installed on all national highways in India. According to Dr. Joshi, the Union Minister for Road Transport and Highways:

“The RFID technology shall expedite the clearing of traffic at toll plazas and the need of carrying cash shall also be eliminated when toll plazas shall be duly integrated with each other throughout India.”

Although Dr. Joshi´s mission to create a quality highway network across India and to increase the transparency of the system seems rational, the ETC system raises privacy concerns, as it uniquely identifies each vehicle, collects data and provides general vehicle and traffic monitoring. This could potentially lead to a privacy violation, as India currently lacks adequate statutory provisions which could safeguard the use of our data from potential abuse. All we know is that our vehicles are being monitored, but it remains unclear how the data collected will be used, shared and retained, which raises concerns.

The cattle and pedestrians roaming the streets in India appear to have increased the need for the installation of an Event Data Recorder (EDR), otherwise known as a black box, which is a device capable of recording information related to crashes or accidents. The purpose of a black box is to record the speed of the vehicle at the point of impact in the case of an accident and whether the driver had applied the brakes. This would help insurance companies in deciding whether or not to entertain insurance claims, as well as to determine whether a driver is responsible for an accident.

Black boxes for vehicles are already being designed, tested and installed in some vehicles in India at an affordable cost. In fact, manufacturers in India have recommended that the government make it mandatory for cars to be fitted with the device, rather than it being optional. But can we have privacy when our cars are being monitored? This is essentially a case of proactive monitoring which has not been adequately justified yet, as it remains unclear how information would be used, who would be authorised to use and share such information, and whether its use would be accounted for to the individual.

Are monitored cars safer?

The trade-off is clear: the privacy and anonymity of our movement is being monitored in exchange for the provision of safety. But are we even getting any safety in return? According to a 2005 Federal Highway Administration study, although it shows a decrease in front-into-side crashes at intersections with cameras, an increase in rear-end crashes has also been proven. Other studies of red light cameras in the US have shown that more accidents have occurred since the installation of traffic enforcement cameras at intersections. Although no such research has been undertaken in India yet, the effectiveness, necessity and utility of red light cameras remain ambiguous.

Furthermore, there have been claims that the installation of red light cameras, ETCs, RFID tags, black boxes and other technologies do not primarily serve the purpose of public security, but financial gain. A huge debate has arisen in the United States on whether such monitoring of vehicles actually improves safety, or whether its primary objective is to serve financial interests. Red light cameras have already generated about $1.5 million in fines in the Elmwood village of Ohio, which leads critics to believe that the installation of such cameras has more to do with revenue enhancement than safety. The same type of question applies to India and yet a clear-cut answer has not been reached.

Companies which manufacture vehicle tracking systems are widespread in India, which constitutes the monitoring of our cars a vivid reality. Yet, there is a lack of statutory provisions in India for the privacy of our vehicle´s real-time movement and hence, we are being monitored without any safeguards. Major privacy concerns arise in regards to the monitoring of vehicles in India, as the following questions have not been adequately addressed: What type of data is collected in India through the monitoring of vehicles? Who can legally authorize access to such data? Who can have access to such data and under what conditions? Is data being shared between third parties and if so, under what conditions?How long is such data being retained for?

And more importantly: Why is it important to address the above questions? Does it even matter if the movement of our vehicles is being monitored? How would that affect us personally? Well, the monitoring of our cars implies a huge probability that it´s not our vehicles per se which are under the microscope, but us. And while the tracking of our movement might not end us up arrested, interrogated, tortured or imprisoned tomorrow...it might in the future. As long as we are being monitored, we are all suspects and we may potentially be treated as any other offender who is suspected to have committed a crime. The current statutory omission in India to adequately regulate the use of traffic enforcement cameras, RFID tags, black boxes and other technologies used to track and monitor the movement of our vehicles can potentially violate our due process rights and infringe upon our right to privacy and other human rights. Thus, the collection, access, use, analysis, sharing and retention of data acquired through the monitoring of vehicles in India should be strictly regulated to ensure that we are not exposed to our defenceless control.

Maneuvering our monitoring

Nowadays, surveillance appears to be the quick-fix solution for everything related to public security; but that does not need to be the case.

Instead of installing red light cameras monitoring our cars´ movements and bombarding us with fines, other ´simple´ measures could be enforced in India, such as increasing the duration of the yellow light between the green and the red, re-timing lights so drivers will encounter fewer red ones or increasing the visibility distance of the traffic lights so that it is more likely for a driver to stop. Such measures should be enforced by governments, especially since the monitoring of our vehicles is not adequately justified.

Strict laws regulating the use of all technologies monitoring vehicles in India, whether red light cameras, RFID tags or black boxes, should be enacted now. Such regulations should clearly specify the terms of monitoring vehicles, as well as the conditions under which data can be collected, accessed, shared, used, processed and stored. The enactment of regulations on the monitoring of vehicles in India could minimize the potential for citizens´ due process rights to be breached, as well as to ensure that their right to privacy and other human rights are legally protected. This would just be another step towards preventing ubiquitous surveillance and if governments are interested in protecting their citizens´ human rights as they claim they do, then there is no debate on the necessity of regulating the monitoring of our vehicles. The question though which remains is:

Should we be monitored at all?

For more details visit https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes

Microsoft releases its first report on data requests by law enforcement agencies around the world

maria — 2013-07-12T12:19:31Z

In this post, the Centre for Internet and Society presents Microsoft´s report on law enforcement requests, with a focus on data requested by Indian law enforcement agencies.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Last week, Microsoft released its first report with data on the number of requests received from law enforcement agencies around the world relating to Microsoft online and cloud services. Microsoft´s newly released 2012 Law Enforcement Requests Report depicts the company's willingness to join the ranks of Google, Twitter and other Web businesses that publish transparency reports.

As of 30 June 2012, 137 million Indians are regular Internet users, many of which use Microsoft services including Skype, Hotmail, Outlook.com, SkyDrive and Xbox Live. Yet, until recently, it was unclear whether Indian law enforcement agencies were requesting data from our Skype calls, emails and other Microsoft services. Thus, Microsoft's release of a report on law enforcement requests is a decisive step in improving transparency in regards to how many requests for data are made by law enforcement agencies and how many requests are granted by companies. Brad Smith, an executive vice president and Microsoft´s general counsel, wrote in his blog post:

“As we continue to move forward, Microsoft is committed to respecting human rights, free expression and individual privacy.”

Microsoft 2012 Law Enforcement Requests

Democratic countries requested the most data during 2012, according to Microsoft´s report. The law enforcement agencies in the United States, the United Kingdom, Germany, France and Turkey accounted for 69 percent of the 70, 665 requests Microsoft (excluding Skype) received last year. Although India did not join the rank of the countries which made the fewest requests from Microsoft, it did not join the top-five league which accounted for the most requests, despite the country having one of the world´s highest number of Internet users.

Out of the 70,665 requests to Microsoft by law enforcement agencies around the world, only about 0.6 percent of the requests were made by Indian law enforcement agencies. These 418 requests specified 594 accounts and users, which is significantly low in comparison to the top-five and other countries, such as Taiwan, Spain, Mexico, Italy, Brazil and Australia. Indian law enforcement requests accounted for about 0.5 percent of the total 122, 015 accounts and user data that was requested by law enforcement agencies around the world.

Content data is defined by Microsoft as what customers create, communicate and store on or through their services, such as words in an e-mail or photographs and documents stored on SkyDrive or other cloud offerings. Non-content data, on the other hand, refers to basic subscriber information, such as the e-mail address, name, location and IP address captured at the time of registration. According to Microsoft´s 2012 report, the company did not disclose any content data to Indian law enforcement agencies. In fact, only 2.2 percent of requests from law enforcement agencies around the world resulted in the disclosure of content data, 99 percent of which were in response to warrants from courts in the United States. Microsoft may have not disclosed any of our content data, but 370 requests from Indian law enforcement agencies resulted in the disclosure of our non-content data. In other words, 88.5 percent of the requests by India resulted in the disclosure of e-mail addresses, IP addresses, names, locations and other subscriber information.

Out of the 418 requests made to Microsoft by Indian law enforcement agencies, only 4 were rejected (1 percent) and no data was found for 44 requests (10.5 percent). In total, Microsoft rejected the disclosure of 1.2 percent of the requests made by law enforcement agencies around the world, while data was not found for 16.8 percent of the international requests. Thus, the outcome of the data shows that the majority of the requests by Indian law enforcement agencies resulted in the disclosure of non-content data, while very few requests were rejected by Microsoft (excluding Skype). The following table summarizes the requests by Indian law enforcement agencies and their outcome:

Total number of requests	418 (0.6%)
Accounts/Users specified in requests	594 (0.5%)
Disclosure of content	0 (0%)
Disclosure of non-content data	370 (88.5%)
No data found	44 (10.5%)
Requests rejected	4 (1%)

Skype 2012 Law Enforcement Requests

Microsoft acquired Skype towards the end of 2011 and the integration of the two companies advanced considerably over the course of 2012. According to the Microsoft 2012 report, Indian law enforcement agencies made 53 requests for Skype user data and 101 requests for specified accounts on Skype. In other words, out of the total 4,715 requests for Skype user data by law enforcement agencies around the world, the requests by Indian law enforcement accounted for about 0.1 percent. 15,409 international requests were made for specified accounts on Skype, but Indian law enforcement requests only accounted for about 0.6 percent of those.

The report appears to be extremely reassuring, as it states that Skype did not disclose any content data to any law enforcement agencies around the world. That essentially means that, according to the report, that all the content we created and communicated through Skype during 2012 was kept private from law enforcement. Although Microsoft claims to not have disclosed any of our content data, it did disclose non-content data, such as SkypeID, name, email account, billing information and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number. However, Microsoft did not report how many requests the company received for non-content data, nor how much data was disclosed and to which countries.

Microsoft reported that data was not found for 47 of India´s law enforcement requests, which represents 88.6 percent of the requests. In total, Microsoft reported that data was not found for about half the requests made by law enforcement agencies on an international level. Out of the 53 requests, Microsoft provided guidance to Indian law enforcement agencies for 10 requests. In particular, such guidance was provided either in response to a rejected request or general questions about the process for obtaining Skype user data. Yet, the amount of rejected requests for Skype user data was not included in the report and the guidance provided remains vague. The following table summarizes the requests by Indian law enforcement agencies for Skype user data and their outcome:

Total of requests	53 (0.1%)
Accounts/identifiers specified in requests	101 (0.6%)
Requests resulting in disclosure of content	0 (0%)
No data found	47 (88.6%)
Provided guidance to law enforcement	10 (18.8%)

The Centre for Internet and Society (CIS) supports the publication of Microsoft´s 2012 Law Enforcement Requests Report and encourages Microsoft (including Skype) to continue releasing such reports which can provide an insight on how much user data is being shared with law enforcement agencies around the world. In order to ensure that such reports adequately provide transparency, they should be broadened in the future to include more data, such as the amount of non-content data requests disclosed by Skype, the type of guidance provided to law enforcement agencies and the amount of requests rejected by Skype. Nonetheless, this report is a decisive first step in increasing transparency and further, more detailed reports are strongly encouraged.

For more details visit https://cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies

The India Privacy Monitor Map

maria — 2013-10-09T16:26:14Z

The Centre for Internet and Society has started the first Privacy Watch in India! Check out our map which includes data on the UID, NPR and CCTNS schemes, as well as on the installation of CCTV cameras and the use of drones throughout the country.

In a country of twenty-eight diverse states and seven union territories, it remained unclear to what extent surveillance, biometric and other privacy-intrusive schemes are being implemented. We are trying to make up for this by mapping out data in every single state in India on the UID, CCTNS and NPR schemes, as well as on the installation of CCTV cameras and the use of Unmanned Aerial Vehicles (UAVs), otherwise known as drones.

In particular, the map in its current format includes data on the following:

UID: The Unique Identification Number (UID), also known as AADHAAR, is a 12-digit unique identification number which the Unique Identification Authority of India (UIDAI) is currently issuing for all residents in India (on a voluntary basis). Each UID is stored in a centralised database and linked to the basic demographic and biometric information of each individual. The UIDAI and AADHAAR currently lack legal backing.

NPR: Under the National Population Register (NPR), the demographic data of all residents in India is collected on a mandatory basis. The Unique Identification Authority of India (UIDAI) supplements the NPR with the collection of biometric data and the issue of the AADHAAR number.

CCTV: Closed-circuit television cameras which can produce images or recordings for surveillance purposes.

UAV: Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are aircrafts without a human pilot on board. The flight of a UAV is controlled either autonomously by computers in the vehicle or under the remote control of a pilot on the ground or in another vehicle. UAVs are used for surveillance purposes.

CCTNS: The Crime and Criminal Tracking Networks and Systems (CCTNS) is a nationwide networking infrastructure for enhancing efficiency and effectiveness of policing and sharing data among 14,000 police stations across India.

Our India Privacy Monitor Map can be viewed through the following link: http://cis-india.org/cisprivacymonitor

This map is part of on-going research and will hopefully expand to include other schemes and projects which are potentially privacy-intrusive. We encourage all feedback and additional data!

For more details visit https://cis-india.org/internet-governance/blog/india-privacy-monitor-map

BigDog is Watching You! The Sci-fi Future of Animal and Insect Drones

maria — 2013-07-12T15:38:33Z

Do you think robotic aeroplanes monitoring us are scary enough? Wait until you read about DARPA´s new innovative and subtle way to keep us all under the microscope! This blog post presents a new reality of drones which is depicted in none other than animal and insect-like robots, equipped with cameras and other surveillance technologies.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Just when we thought we had seen it all, the US Defence Advanced Research Projects Agency (DARPA) funded another controversial surveillance project which makes even the most bizarre sci-fi movie seem like a pleasant fairy-tale in comparison to what we are facing: animal and insect drones.

Up until recently, unmanned aerial vehicles (UAVs), otherwise called drones, depicted the scary reality of surveillance, as robotic pilot-less planes have been swarming the skies, while monitoring large amounts of data without people´s knowledge or consent. Today, DARPA has come up with more subtle forms of surveillance: animal and insect drones. Clearly animal and insect-like drones have a much better camouflage than aeroplanes, especially since they are able to go to places and obtain data that mainstream UAVs can not.

India´s ´DARPA´, the Defence Research and Development Organisation (DRDO), has been creating UAVs over the last ten years, while the Indian Army first acquired UAVs from Israel in the late 1990s. Yet the use of all UAVs in India is still poorly regulated! Drones in the U.S. are regulated by the Federal Aviation Administration (FAA), whilst the European Aviation Safety Agency (EASA) regulates drones in the European Union. In India, the Ministry of Civil Aviation regulates drones, whilst the government is moving ahead with plans to replace the Directorate General of Civil Aviation (DGCA) with a Civil Aviation Authority. However, current Indian aviation laws are vague in regards to data acquired, shared and retained, thus not only posing a threat to individual´s right to privacy and other human rights, but also enabling the creation of a secret surveillance state.

The DRDO appears to be following DARPA´s footsteps in terms of surveillance technologies and the questions which arise are: will animal and insect drones be employed in India in the future? If so, how will they be regulated?

BigDog/LS3

Apparently having UAVs flying above us and monitoring territories and populations without our knowledge or consent was not enough. DARPA is currently funding the BigDog project, which is none other than a drone dog, a four-legged robot equipped with a camera and capable of surveillance in disguise. DARPA and Boston Dynamics are working on the latest version of BigDog, called the Legged Squad Support System (LS3), which can carry 400 pounds of gear for more than 20 miles without refuelling. Not only can the LS3 walk and run on all types of surfaces, including ice and snow, but it also has ´vision sensors´ which enable it to autonomously maneuver around obstacles and follow soldiers in the battle field. The LS3 is expected to respond to soldiers' voice commands, such as 'come', 'stop' and 'sit', as well as serve as a battery charger for electronic devices.

BigDog/LS3 is undoubtedly an impressive technological advancement in terms of aiding squads with surveillance, strategic management and a mobile auxiliary power source, as well as by carrying gear. Over the last century most technological developments have manifested through the military and have later been integrated in societies. Many questions arise around the BigDog/LS3 and its potential future use by governments for non-military purposes. Although UAVs were initially used for strictly military purposes, they are currently also being used by governments on an international level for civil purposes, such as to monitor climate change and extinct animals, as well as to surveille populations. Is it a matter of time before BigDog is used by governments for ´civil purposes´ too? Will robotic dogs swarm cities in the future to provide ´security´?

Like any other surveillance technology, the LS3 should be legally regulated and current lack of regulation could create a potential for abuse. Is authorisation required to use a LS3? If so, who has the legal right to authorise its use? Under what conditions can authorisation be granted and for how long? What kind of data can legally be obtained and under what conditions? Who has the legal authority to access such data? Can data be retained and if so, for how long and under what conditions? Do individuals have the right to be informed about the data withheld about them? Just because it´s a ´dog´ should not imply its non-regulation. This four-legged robot has extremely intrusive surveillance capabilities which may breach the right to privacy and other human rights when left unregulated.

Humming Bird Drone


Source: HighTech Edge

TIME magazine recognised DARPA for its Hummingbird nano air vehicle (NAV) and named the drone bird one of the 50 best inventions of 2011. True, it is rather impressive to create a robot which looks like a bird, behaves like a bird, but serves as a secret spy.

During the presentation of the humming bird drone, Regina Dugan, former Director of DARPA, stated:

"Since we took to the sky, we have wanted to fly faster and farther. And to do so, we've had to believe in impossible things and we've had to refuse to fear failure."

Although believing in 'impossible things' is usually a prerequisite to innovation, the potential implications on human rights of every innovation and their probability of occurring should be examined. Given the fact that drones already exist and that they are used for both military and non-military purposes, the probability is that the hummingbird drone will be used for civil purposes in the future. The value of data in contemporary information societies, as well as government's obsession with surveillance for ´national security´ purposes back up the probability that drone birds will not be restricted to battlefields.

So should innovation be encouraged for innovation’s sake, regardless of potential infringement of human rights? This question could open up a never-ending debate with supporters arguing that it´s not technology itself which is harmful, but its use or misuse. However the current reality of drones is this: UAVs and NAVs are poorly regulated (if regulated at all in many countries) and their potential for abuse is enormous, given that ´what happens to our data happens to ourselves....who controls our data controls our lives.´ If UAVs are used to surveille populations, why would drone birds not be used for the same purpose? In fact, they have an awesome camouflage and are potentially capable of acquiring much more data than any UAV! Given the surveillance benefits, governments would appear irrational not to use them.

MeshWorms and Remote-Controlled Insects


Source: NY Daily News

Think insects are creepy? Now we can have a real reason to be afraid of them. Clearly robotic planes, dogs and birds are not enough.

DARPA´s MeshWorm project entails the creation of earthworm-like robots that crawl along surfaces by contracting segments of their bodies. The MeshWorm can squeeze through tight spaces and mold its shape to rough terrain, as well as absorb heavy blows. This robotic worm will be used for military purposes, while future use for ´civil purposes´ remains a probability.

Robots, however, are not only the case. Actual insects are being wirelessly controlled, such as beetles with implanted electrodes and a radio receiver on their back. The giant flower beetle´s size enables it to carry a small camera and a heat sensor, which constitutes it as a reliable mean for surveillance.

Other drone insects look and fly like ladybugs and dragonflies. Researchers at the Wright State University in Dayton, Ohio, have been working on a butterfly drone since 2008. Former software engineer Alan Lovejoy has argued that the US is developing mosquito drones. Such a device could potentially be equipped with a camera and a microphone, it could use its needle to abstract a DNA sample with the pain of a mosquito bite and it could also inject a micro RFID tracking device under peoples´ skin. All such micro-drones could potentially be used for both military and civil purposes and could violate individuals´ right to privacy and other civil liberties.

Security vs. Privacy: The wrong debate

09/11 was not only a pioneering date for the U.S., but also for India and most countries in the world. The War on Terror unleashed a global wave of surveillance to supposedly enable the detection and prevention of crime and terrorism. Governments on an international level have been arguing over the last decade that the use of surveillance technologies is a prerequisite to safety. However, security expert, Bruce Schneier, argues that the trade-off of privacy for security is a false dichotomy.

Everyone can potentially be a suspect within a surveillance state. Analyses of Big Data can not only profile individuals and populations, but also identify ‘branches of communication’ around every individual. In short, if you know someone who may be considered a suspect by intelligence agencies, you may also be a suspect. The mainstream argument “I have nothing to hide, I am not a terrorist’ is none other than a psychological coping mechanism when dealing with surveillance. The reality of security indicates that when an individual’s data is being intercepted, the probability is that those who control that data can also control that individual’s life. Schneier has argued that privacy and security are not on the opposite side of a seesaw, but on the contrary, the one is a prerequisite of the other. Governments should not expect us to give up our privacy in exchange for security, as loss of privacy indicates loss of individuality and essentially, loss of freedom. We can not be safe when we trade-off our personal data, because privacy is what protects us from abuse from those in power. Thus the entire War on Terror appears to waged through a type of phishing, as the promise of ´security´ may be bait to acquire our personal data.

Since the 2008 Mumbai terrorist attacks, India has had more reasons to produce, buy and use surveillance technologies, including drones. Last New Year´s Eve, the Mumbai police used UAVs to monitor hotspots, supposedly to help track down revellers who sexually harass women. The Chennai police recently procured three UAVs from Anna University to assist them in keeping an eye on the city´s vehicle flow. Raj Thackeray´s rally marked the biggest surveillance exercise ever launched for a single event, which included UAVs. The Chandigarh police are the first Indian police force to use the ´Golden Hawk´ - a UAV which will keep a ´bird´s eye on criminal activities´. This new type of drone was manufactured by the Aeronautical Development Establishment (one of DRDO's premier laboratories based in Bangalore) and as of 2011 is being used by Indian law enforcement agencies.

Although there is no evidence that India currently has any animal or insect drones, it could be a probability in the forthcoming years. Since India is currently using many UAVs either way, why would animal and/or insect drones be excluded? What would prevent India from potentially using such drones in the future for ´civil purposes´? More importantly, how are ´civil purposes´ defined? Who defines ´civil purposes´and under what criteria? Would the term change and if so, under what circumstances? The term ´civil purposes´ varies from country to country and is defined by many political, social, economic and cultural factors, thus potentially enabling extensive surveillance and abuse of human rights.

Drones can potentially be as intrusive as other communications surveillance technologies, depending on the type of technology they´re equipped with, their location and the purpose of their use. As they can potentially violate individuals´ right to privacy, freedom of expression, freedom of movement and many other human rights, they should be strictly regulated. In Europe UAVs are regulated based upon their weight, as unmanned aircraft with an operating mass of less than 150kg are exempt by the EASA Regulation and its Implementation Rules. This should not be the case in India, as drones lighter than 150kg can potentially be more intrusive than other heavier drones, especially in the case of bird and insect drones.

Laws which explicitly regulate the use of all types of drones (UAVs, NAVs and micro-drones) and which legally define the term ´civil purposes´ in regards to human rights should be enacted in India. Some thoughts on the authorisation of drones include the following: A Special Committee on the Use of All Drones (SCUAD) could be established, which would be comprised of members of the jury, as well as by other legal and security experts of India. Such a committee would be the sole legal entity responsible for issuing authorisation for the use of drones, and every authorisation would have to comply with the constitutional and statutory provisions of human rights. Another committee, the Supervisory Committee on the Authorisation of the Use of Drones (lets call this ´SCAUD´), could also be established, which would also be comprised by (other) members of the jury, as well as by (other) legal and security experts of India. This second committee would supervise the first and it would ensure that SCUAD provides authorisations in compliance with the laws, once the necessity and utility of the use of drones has been adequately proven.

It´s not about ´privacy vs. security´. Nor is it about ´privacy or security´. In every democratic state, it should be about ´privacy and security´, since the one cannot exist without the other. Although the creation of animal and insect drones is undoubtedly technologically impressive, do we really want to live in a world where even animal-like robots can be used to spy on us? Should we be spied on at all? How much privacy do we give up and how much security do we gain in return through drones? If drones provided the ´promised security´, then India and all other countries equipped with these technologies should be extremely safe and crime-free; however, that is not the case.

In order to ensure that the use of drones does not infringe upon the right to privacy and other human rights, strict regulations are a minimal prerequisite. As long as people do not require that the use of these spying technologies are strictly regulated, very little can be done to prevent a scary sci-fi future. That´s why this blog has been written.

For more details visit https://cis-india.org/internet-governance/blog/big-dog-is-watching-you

Report on the 4th Privacy Round Table meeting

maria — 2013-07-12T11:04:25Z

This report entails an overview of the discussions and recommendations of the fourth Privacy Round Table in Mumbai, on 15th June 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Final Roundtable and National Meeting: 17 August 2013

Following the first three Privacy Round Tables in Delhi, Bangalore and Chennai, this report entails an overview of the discussions and recommendations of the fourth Privacy Round Table meeting in Mumbai, on 15th June 2013.

Discussion of the Draft Privacy (Protection) Bill 2013

Discussion of definitions: Chapter 1

The fourth Privacy Round Table meeting began with a discussion of the definitions in Chapter 1 of the draft Privacy (Protection) Bill 2013. In particular, it was stated that in India, the courts argue that the right to privacy indirectly derives from the right to liberty, which is guaranteed in article 21 of the constitution. However, this provision is inadequate to safeguard citizens from potential abuse, as it does not protect their data adequately. Thus, all the participants in the meeting agreed with the initial notion that India needs privacy legislation which will explicitly regulate data protection, the interception of communications and surveillance within India. To this extent, the participants started a thorough discussion of the definitions used in the draft Privacy (Protection) Bill 2013.

It was specified in the beginning of the meeting that the definition of personal data in the Bill applies to natural persons and not to juristic persons. A participant argued that the Information Technology Act refers to personal data and that the draft Privacy (Protection) Bill 2013 should be harmonised with existing rules. This was countered by a participant who argued that the European Union considers the Information Technology Act inadequate in protecting personal data in India and that since India does not have data secure adequacy, the Bill and the IT Act should not be harmonised.

Other participants argued that all other relevant acts should be quoted in the discussion so that it does not overlap with existing provisions in other rules, such as the IT Act. Furthermore, this was supported by the notion that the Bill should not clash with existing legislation, but this was dismissed by the argument that this Bill – if enacted into law – would over right all other competing legislation. Special laws over right general laws in India, but this would be a special law for the specific purpose of data protection.

The definition of sensitive personal data includes biometric data, political affiliation and past criminal history, but does not include ethnicity, caste, religion, financial information and other such information. It was argued that one of the reasons why such categories are excluded from the definition of sensitive personal data is because the government requests such data on a daily basis and that it is not willing to take any additional expense to protect such data. It was stated that the Indian government has argued that such data collection is necessary for caste census and that financial information, such as credit data, should not be included in the definition for sensitive personal data, because a credit Act in India specifically deals with how credit data should be used, shared and stored.

Such arguments were backlashed by participants arguing that definitions are crucial because they are the “building blocks” of the entire Bill and that ethnicity, caste, religion and financial information should not be excluded from the Bill, as they include information which is sensitive within the Indian context. In particular, some participants argued that the Bill would be highly questioned by countries with strong privacy legislation, as certain categories of information, such as ethnicity and caste, are definitely considered to be sensitive personal information within India. The argument that it is too much of a bureaucratic and financial burden for the Indian government to protect such personal data was countered by participants who argued that in that case, the government should not be collecting that information to begin with – if it cannot provide adequate safeguards.

The debate on whether ethnicity, religion, caste and financial information should be included in the definition for sensitive personal data continued with a participant arguing that no cases of discrimination based on such data have been reported and that thus, it is not essential for such information to be included in the definition. This argument was strongly countered by participants who argued that the mere fact that the government is interested in this type of information implies that it is sensitive and that the reasons behind the governments´ interest in this information should be investigated. Furthermore, some participants argued that a new provision for data on ethnicity, religion, caste and financial information should be included, as well as that there is a difference between voluntarily handing over such information and being forced to hand it over.

The inclusion of passwords and encryption keys in the definition of sensitive personal data was highly emphasized by several participants, especially since their disclosure can potentially lead to unauthorised access to volumes of personal data. It was argued that private keys in encryption are extremely sensitive personal data and should definitely be included within the Bill.

In light of the NSA leaks on PRISM, several participants raised the issue of Indian authorities protecting data stored in foreign servers. In particular, some participants argued that the Bill should include provisions for data stored in foreign servers in order to avoid breaches for international third parties. However, a participant argued that although Indian companies are subject to the law, foreign data processors cannot be subject to Indian law, which is why they should instead provide guarantees through contracts.

Several participants strongly argued that the IT industry should not be subject to some of the privacy principles included in the Report of the Group of Experts on Privacy, such as the principle of notice. In particular, they argued that customers choose to use specific services and that by doing so, they trust companies with their data; thus the IT industry should not have to comply with the principle of notice and should not have to inform individuals of how they handle their data.

On the issue of voluntary disclosure of personal data, a participant argued that, apart from the NPR and UID, Android and Google are conducting the largest data collection within India and that citizens should have the jurisdiction to go to court and to seek that data. The issue of data collection was further discussed over the next sessions.

Right to Privacy: Chapter 2

The discussion of the right to privacy, as entailed in chapter 2 of the draft Privacy (Protection) Bill 2013, started with a participant stating that governments own the data citizens hand over to them and that this issue, along with freedom from surveillance and illegal interception, should be included in the Bill.

Following the distinction between exemptions and exceptions to the right to privacy, a participant argued that although it is clear that the right to privacy applies to all natural persons in India, it is unclear if it also applies to organizations. This argument was clarified by a participant who argued that chapter 2 clearly protects natural persons, while preventing organisations from intervening to this right. Other participants argued that the language used in the Bill should be more gender neutral and that the term “residential property” should be broadened within the exemptions to the right to privacy, to also include other physical spaces, such as shops. On this note, a participant argued that the word “family” within the exemptions should be more specifically defined, especially since in many cases husbands have controlled their wives when they have had access to their personal accounts.

The definition of “natural person” was discussed, while a participant raised the question of whether data protection applies to persons who have undergone surgery and who have changed their sexual orientation; it was recommended that such provisions are included within the Bill. The above questions were answered by a participant who argued that the generic European definitions for “natural persons” and “family” could be adopted, as well as that CCTV cameras used in public places, such as shops, should be subject to the law, because they are used to monitor third parties.

Other participants suggested that commercial violations are not excluded from the Bill, as the broadcasting of people, for example, can potentially lead to a violation of the right to privacy. In particular, it was argued that commercial establishments should not be included in the exemptions section of the right to privacy, in contrast to other arguments that were in favour of it. Furthermore, participants argued that the interaction between transparency and freedom of information should be carefully examined and that the exemptions to the right to privacy should be drafted accordingly.

Protection of Personal Data: Chapter 3

Some of the most important discussions in the fourth Privacy Round Table meeting revolved around the protection of personal data.

Collection of personal data

The discussion on the collection of personal data started with a statement that the issue of individual consent prior to data collection is essential and that in every case, the data subject should be informed of its data collection, data processing, data sharing and data retention.

It was pointed out that, unlike most privacy laws around the world, this Bill is affirmative because it states that data can only be collected once the data subject has provided prior consent. It was argued that if this Bill was enacted into law, it would probably be one of the strictest laws in the world in terms of data collection, because data can only be collected with individual consent and a legitimate purpose. Data collection in the EU is not as strict, as there are some exemptions to individual consent; for example, if someone in the EU has a heart attack, other individuals can disclose his or her information. It was emphasized that as this Bill limits data collection to individual consent, it does not serve other cases when data collection may be necessary but individual consent is not possible. A participant pointed out that, although the Justice AP Shah Report of the Group of Experts on Privacy states that “consent may not be acquired in some cases”, such cases are not specified within the Bill.

Other issues that were raised are that the Bill does not specify how individual consent would be obtained as a prerequisite to data collection. In particular, it remains unclear whether such consent would be acquired through documentation, a witness or any other way. Thus it was emphasized that the method for acquiring individual consent should be clearly specified within the Bill, especially since it is practically hard to obtain consent for large portions of the Indian population that live below the line of poverty.

A participant argued that data collection on private detectives, from reality TV shows and on physical movement and location should also be addressed in the Bill. Furthermore, other participants argued that specific explanations to exempt medical cases and state collection of data which is directly related to the provision of welfare should be included in the Bill. Participants recommended that individuals should have the right to opt out from data collection for the purpose of providing welfare programmes and other state-run programmes.

The need to define the term “legitimate purpose” was pointed out to ensure that data is not breached when it is being collected. A participant recommended the introduction of a provision in the Bill for anonymising data in medical case studies and it was pointed out that it is very important to define what type of data can be collected. In particular, it was argued that a large range of personal data is being collected in the name of “public health” and “public security” and that, in many cases, patients may provide misinformed consent, because they may think that the revelation of their personal data is necessary, when actually it might not be. It was recommended that this issue is addressed and that necessary provisions are included in the Bill.

In the cases where data is collected for statistics, individuals may not be informed of their data being collected and may not provide consent. It was also recommended that this issue is addressed and included in the Bill. However, it was also pointed out that in many cases, individuals may choose to use a service, but they may not be able to consent to their data collection and Android is an example of this. Thus it was argued that companies should be transparent about how they handle users´ data and that they should require individuals´ consent prior to data collection.

It was emphasized that governments have a duty of transparency towards their citizens and that the fact that, in many cases, citizens are obliged to hand over their data without giving prior consent to how their data is being used should be taken into consideration. In particular, it was argued that many citizens need to use specific services or welfare programmes and that they are obliged to hand over their personal information. It was recommended that the Bill incorporates provisions which would oblige all services to acquire individual consent prior to data collection. However, the issue that was raised is that often companies provide long and complicated contracts and policy guides which discourage individuals from reading them and thus from providing informed consent; it was recommended that this issue is addressed as well.

Storage and destruction of personal data

The discussion on the storage and destruction of personal data started with a statement that different sectors should have different data retention frameworks. The proposal that a ubiquitous data retention framework should not apply to all sectors was challenged by a participant who stated that the same data retention period should apply to all ISPs and telecoms. Furthermore, it was added that regulators should specify the data retention period based on specific conditions and circumstances. This argument was countered by participants who argued that each sector should define its data retention framework depending on many variables and factors which affect the collection and use of data.

In European laws, no specific data retention periods are established. In particular, European laws generally state that data should only be retained for a period related to the purpose of its collection. Hence it was pointed out that data retention frameworks should vary from sector to sector, as data, for example, may need to be retained longer for medical cases than for other cases. This argument, however, was countered by participants who argued that leaving the prescription of a data retention period to various sectors may not be effective in India.

Questions of how data retention periods are defined were raised, as well as which parties should be authorised to define the various purposes for data retention. One participant recommended that a common central authority is established, which can help define the purpose for data retention and the data retention period for each sector, as well as to ensure that data is destroyed once the data retention period is over. Another participant recommended that a three year data retention period should be applied to all sectors by default and that such periods could be subject to change depending on specific cases.

Security of personal data and duty of confidentiality

Participants recommended that the definition of “data integrity” should be included in Chapter 1 of the draft Privacy (Protection) Bill 2013. Other participants raised the need to define the term “adequacy” in the Bill, as well as to state some parameters for it. It was also suggested that the term “adequacy” could be replaced by the term “reasonable”.

One of the participants raised the issue of storing data in a particular format, then having to transfer that data to another format which could result in the modification of that data. It was pointed out that the form and manner of securing personal data should be specifically defined within the Bill. However, it was argued that the main problem in India is the implementation of the law, and that it would be very difficult to practically implement the draft Privacy (Protection) Bill in India.

Disclosure of personal data

The discussion on the disclosure of personal data started with a participant arguing that the level of detail disclosed within data should be specified within the Bill. Another participant argued that the privacy policies of most Internet services are very generic and that the Bill should prevent such services from publicly disclosing individuals´ data. On this note, a participant recommended that a contract and a subcontract on the disclosure of personal data should be leased in order to ensure that individuals are aware of what they are providing their consent to.

It was recommended that the Bill should explicitly state that data should not be disclosed for any other purpose other than the one for which an individual has provided consent. Data should only be used for its original purpose and if the purpose for accessing data changes within the process, consent from the individual should be acquired prior to the sharing and disclosure of that data. A participant argued that banks are involved with consulting and other advisory services which may also lead to the disclosure of data; all such cases when information is shared and disclosed to (unauthorised) third parties should be addressed in the Bill.

Several participants argued that companies should be responsible for the data they collect and that should not share it or disclose it to unauthorised third parties without individuals´ knowledge or consent. On this note, other participants argued that companies should be legally allowed to share data within a group of companies, as long as that data is not publicly disclosed. An issue that was raised by one of the participants is that online companies, such as Gmail, usually acquire consent from customers through one “click” to a huge document which not only is usually not read by customers, but which vaguely entails all the cases for which individuals would be providing consent for. This creates the potential for abuse, as many specific cases which would require separate, explicit consent, are not included within this consent mechanism.

This argument was countered by a participant who stated that the focus should be on code operations for which individuals sign and provide consent, rather than on the law, because that would have negative implications on business. It was highlighted that individuals choose to use specific services and that by doing so they trust companies with their data. Furthermore, it was argued that the various security assurances and privacy policies provided by companies should suffice and that the legal regulation of data disclosure should be avoided.

Consent-based sharing of data should be taken into consideration, according to certain participants. The factor of “opt in” should also be included when a customer is asked to give informed consent. Participants also recommended that individuals should have the power to “opt out”, which is currently not regulated but deemed to be extremely important. Generally it was argued that the power to “opt in” is a prerequisite to “opt out”, but both are necessary and should be regulated in the Bill.

A participant emphasized the need to regulate phishing in the Bill and to ensure that provisions are in place which could protect individuals´ data from phishing attacks. On the issue of consent when disclosing personal data, participants argued that consent should be required even for a second flow of data and for all other flows of data to follow. In other words, it was recommended that individual consent is acquired every time data is shared and disclosed. Moreover, it was argued that if companies decide to share data, to store it somewhere else or to disclose it to third parties years after its initial collection, the individual should have the right to be informed.

However, such arguments were countered by participants who argued that systems, such as banks, are very complex and that they don´t always have a clear idea of where data flows. Thus, it was argued that in many cases, companies are not in a position to control the flow of data due to a lack of its lack of traceability and hence to inform individuals every time their data is being shared or disclosed.

Participants argued that the phrase “threat to national security” in section 10 of the Bill should be explicitly defined, because national security is a very broad term and its loose interpretation could potentially lead to data breaches. Furthermore, participants argued that it is highly essential to specify which authorities would determine if something is a threat to national security.

The discussion on the disclosure of personal data concluded with a participant arguing that section 10 of the Bill on the non-disclosure of information clashes with the Right to Information Act (RTI Act), which mandates the opposite. It was recommended that the Bill addresses the inevitable clash between the non-disclosure of information and the right to information and that necessary provisions are incorporated in the Bill.

Presentation by Mr. Billy Hawkes – Irish Data Protection Commissioner

The Irish Data Protection Commissioner, Mr. Billy Hawkes, attended the fourth Privacy Round Table meeting in Mumbai and discussed the draft Privacy (Protection) Bill 2013.

In particular, Mr. Hawkes stated that data protection law in Ireland was originally introduced for commercial purposes and that since 2009 privacy has been a fundamental right in the European Union which spells out the basic principles for data protection. Mr. Hawkes argued that India has successful outsourcing businesses, but that there is a concern that data is not properly protected. India has not been given data protection adequacy by the European Union, mainly because the country lacks privacy legislation.

There is a civic society desire for better respect for human rights and there is the industrial desire to be considered adequate by the European Union and to attract more international customers. However, privacy and data protection are not covered adequately in the Information Technology Act, which is why Mr. Hawkes argued that the draft Privacy (Protection) Bill 2013 should be enacted in compliance with the principles from the Justice AP Shah Report on the Group of Experts on Privacy. Enacting privacy legislation in India would, according to Mr. Hawkes, be a prerequisite so that India can potentially be adequate in data protection in the future.

The Irish Data Protection Commissioner referred to the current negotiations taking place in the European Union for the strengthening of the 1995 Directive on Data Protection, which is currently being revisited and which will be implemented across the European Union. Mr. Hawkes emphasized that it is important to have strong enforcement powers and to ask companies to protect data. In particular, he argued that data protection is good customer service and that companies should acknowledge this, especially since data protection reflects respect towards customers.

Mr. Hawkes highlighted that other common law countries, such as Canada and New Zealand, have achieved data secure adequacy and that India can potentially be adequate too. More and more countries in the world are seeking European adequacy. Privacy law in India would not only safeguard human rights, but it´s also good business and would attract more international customers, which is why European adequacy is important. In every outsourcing there needs to be a contract which states that the requirements of the data controller have been met. Mr. Hawkes emphasized that it is a competitive disadvantage in the market to not be data adequate, because most countries will not want their data outsourced to countries which are inadequate in data security.

As a comment to previous arguments stated in the meeting, it was pointed out that in Ireland, if companies and banks are not able to track the flow of data, then they are considered to be behaving irresponsibly. Furthermore, Mr. Hawkes states that data adequacy is a major reputational issue and that inadequacy in data security is bad business. It is necessary to know where the responsibility for data lies, which party initially outsourced the data and how it is currently being used. Data protection is a fundamental right in the European Union and when data flows outside the European Union, the same level of protection should apply. Thus other non-EU countries should comply with regulations for data protection, not only because it is a fundamental human right, but also because it is bad business not to do so.

The Irish Data Protection Commissioner also referred to the “Right to be Forgotten”, which is the right to be told how long data will be retained for and when it will be destroyed. This provides individuals some control over their data and the right to demand this control.

On the funding of data protection authorities, Mr. Hawkes stated that funding varies and that in most cases, the state funds the data protection authority – including Ireland. Data protection authorities are substantially funded by their states across the European Union and they are allocated a budget every year which is supposed to cover all their costs. The Spanish data protection authorities, however, are an exception because a large amount of their activities are funded by fines.The data protection authorities in the UK (ICO) are funded through registration fees paid by companies and other organizations.

When asked about how many employees are working in the Irish data protection commissioner´s office, Mr. Hawkes replied that only thirty individuals are employed. Employees working in the commissioner´s office are responsible for overseeing the protection of the data of Facebook users, for example. Facebook-Ireland is responsible for handling users´ data outside of North America and the commissioner´s office conducted a detailed analysis to ensure that data is protected and that the company meets certain standards. Facebook´s responsibility is limited as a data controller as individuals using the service are normally covered by the so-called "household exemption" which puts them outside the scope of data protection law. The data protection commissioner conducts checks and balances, writes reports and informs companies that if they comply with privacy and data protection, then they will be supported.

Data protection in Ireland covers all the organizations, without exception. Mr. Hawkes stated that EU data protection commissioners meeting in the "Article 29" Working Party spend a significant amount of their time dealing with companies like Google and Facebook and with whether they protect their customers´ data.

The Irish Data Protection Commissioner recommended that India establishes a data protection commission based on the principles included in the Justice AP Shah Report of the Group of Experts on Privacy. In particular, an Indian data protection commission would have to deal with a mix of audit inspections, complaints, greater involvement with sectors, transparency, accountability and liability to the law. Mr. Hawkes emphasized that codes of practice should be implemented and that the focus should not be on bureaucracy, but on accountability. It was recommended that India should adopt an accountability approach, where punishment will be in place when data is breached.

On the recent leaks on the NSA´s surveillance programme, PRISM, Mr. Hawkes commented that he was not surprised. U.S. companies are required to give access to U.S. law enforcement agencies and such access is potentially much looser in the European Union than in the U.S., because in the U.S. a court order is normally required to access data, whereas in the European Union that is not always the case. Mr. Hawkes stated that there needs to be a constant questioning of the proportionality, necessity and utility of surveillance schemes and projects in order to ensure that the right to privacy and other human rights are not violated.

Mr. Hawkes stated that the same privacy law should apply to all organizations and that India should ensure its data adequacy over the next years. The Irish Data Protection Commissioner is responsible for Facebook Ireland and European law is about protecting the rights of any organisation that comes under European jurisdiction, whether it is a bank or a company. Mr. Billy Hawkes emphasized that the focus in India should be on adequacy in data security and in protecting citizens´ rights.

Meeting conclusion

The fourth Privacy Round Table meeting entailed a discussion of the draft Privacy (Protection) Bill 2013 and Mr. Billy Hawkes, the Irish Data Protection Commissioner, gave a presentation on adequacy in data security and on his thoughts on data protection in India. The discussion on the draft Privacy (Protection) Bill 2013 led to a debate and analysis of the definitions used in the Bill, of chapter 2 on the right to privacy, and on data collection, data retention, data sharing and data disclosure. The participants provided a wide range of recommendations for the improvement of the draft Privacy (Protection) Bill and all will be incorporated in the final draft. The Irish Data Protection Commissioner, Mr. Billy Hawkes, stated that the European Union has not given data adequacy to India because it lacks privacy legislation and that data inadequacy is not only a competitive disadvantage in the market, but it also shows a lack of respect towards customers. Mr. Hawkes strongly recommended that privacy legislation in compliance with the Justice AP Shah report is enacted, to ensure that India is potentially adequate in data security in the future and that citizens´ right to privacy and other human rights are guaranteed.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting

Interview with Mr. Reijo Aarnio - Finnish Data Protection Ombudsman

maria — 2013-07-19T13:02:14Z

Maria Xynou recently interviewed Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman, at the CIS' 5th Privacy Round Table. View this interview and gain an insight on recommendations for better data protection in India!

Mr. Reijo Aarnio - the Finnish Data Protection Ombudsman - was interviewed on the following questions:

1. What activities and functions does the Finnish data commissioner's office undertake?

2. What powers does the Finnish Data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?

3. How is the office of the Finnish data protection commissioner funded?

4. What is the organizational structure at the Office of the Finnish Data Protection Commissioner and the responsibilities of the key executives?

5. If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?

6. What challenges has your office faced?

7. What is the most common type of privacy violation that your office is faced with?

8. Does your office differ from other EU data protection commissioner offices?

9. How do you think data should be regulated in India?

10. Do you support the idea of co-regulation or self-regulation?

11. How can India protect its citizens' data when it is stored in foreign servers?

For more details visit https://cis-india.org/internet-governance/blog/interview-with-finnish-data-protection-ombudsman