The Centre for Internet and Society
https://cis-india.org
Driving in the Surveillance Society: Cameras, RFID tags and Black Boxes...
https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes
<b>In this post, Maria Xynou looks at red light cameras, RFID tags and black boxes used to monitor vehicles in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">How many times in your life have you heard of people being involved in car accidents and of pedestrians being hit by red-light-running vehicles? What if there could be a solution for all of this? Well, several countries, including the United States, the United Kingdom and Singapore, have <a href="http://www.thenewspaper.com/rlc/docs/syn310.pdf">already adopted measures</a> to tackle vehicle accidents and fatalities, some of which include traffic enforcement cameras and other security measures. India is currently joining the league by not only installing red light cameras, but by also including radio frequency identification (RFID) tags on vehicles´ number plates, as well as by installing electronic toll collection systems and black boxes in some automobiles. Although such measures could potentially increase our safety, <a href="http://arstechnica.com/tech-policy/2012/09/your-car-tracked-the-rapid-rise-of-license-plate-readers/2/">privacy concerns</a> have arisen as it remains unclear how data collected will be used.</p>
<h2><b>Red light cameras</b></h2>
<p style="text-align: justify; "><span>Last week, the Chennai police announced that it plans </span><a href="http://articles.timesofindia.indiatimes.com/2011-05-12/chennai/29535601_1_red-light-camera-system-red-light-cameras-traffic-signals">to install traffic enforcement cameras</a><span>, otherwise known as red light cameras, at 240 traffic signals over the coming months, in order to put an end to car thefts in the city. Red light cameras, which capture images of vehicles entering an intersection against a red traffic light, have been installed in Bangalore since </span><a href="http://www.traffictechnologytoday.com/news.php?NewsID=2767">early 2008</a><span> and a </span><a href="http://ibnlive.in.com/news/study-finds-red-light-cameras-cuts-crashes/142065-57-132.html">study</a><span> indicates that they have reduced traffic violation rates. A </span><a href="http://www.thenewspaper.com/rlc/docs/syn310.pdf">2003 report by the National Cooperative Highway Research Programme (NCHRP)</a><span> examined studies from the previous 30 years in the United States, the United Kingdom, Australia and Singapore and concluded that red light cameras ´improve the overall safety of intersections when they are used´.</span></p>
<p style="text-align: justify; "><span></span><span>However, how are traffic violation rates even measured? According to </span><a href="http://blogs.wsj.com/numbersguy/seeing-red-1208/">Barbara Langland Orban</a><span>, an associate professor of health policy and management at the University of South Florida:</span></p>
<blockquote class="italized"><i>“Safety is measured in crashes, in particular injury crashes, and violations are not a proxy for injuries. Also, violations can be whatever number an agency chooses to report, which is called an ‘endogenous variable’ in research and not considered meaningful as the number can be manipulated. In contrast, injuries reflect the number of people who seek medical care, which cannot be manipulated by the reporting methods of jurisdictions.”</i></blockquote>
<p style="text-align: justify; "><span>Last year, the Bombay state government informed the High Court that the </span><a href="http://www.indianexpress.com/news/cctvs-not-fit-to-detect-traffic-violations-state-to-hc/910392">100 CCTV cameras</a><span> installed at traffic junctions in 2006-2007 were unsuitable for traffic enforcement because they lacked the capacity for automatic processing. Nonetheless, red light cameras, which are capable of monitoring speed and intersections with stop signals, are currently proliferating in India. Yet, questions remain: Do red light cameras adequately increase public safety? Do they serve financial interests? Do they violate drivers´ </span><a href="http://www.thehindu.com/opinion/op-ed/of-constitutional-due-process/article436586.ece">due-process rights</a><span>?</span></p>
<h2 style="text-align: justify; "><b>RFID tags and Black Boxes</b></h2>
<p style="text-align: justify; "><span>A communication revolution is upon us, as the Maharashtra state transport department is currently including radio </span><a href="http://www.dnaindia.com/mumbai/report_maharashtra-rto-spy-to-breathe-down-drivers-neck_1625521">frequency identification (RFID) tags on each and every number plate of vehicles</a><span>. This ultimately means that the state will be able to monitor your vehicle´s real-time movement and track your whereabouts. RFID tags are supposedly used not only to increase public safety by tracking down offenders, but also to streamline public transport timetables. Thus, the movement of buses and cars would be precisely monitored and would provide passengers minute-to-minute information at bus stops. Following the </span><a href="http://www.hsrpdelhi.com/Rule50.pdf">2001 amendment of Rule 50 of the Central Motor Vehicles Rules</a><span>, 1989, new number plates with RFID tags have been made mandatory for all types of motor vehicles throughout India.</span></p>
<p style="text-align: justify; "><span>RFID technology has also been launched at Maharashtra´s </span><a href="http://articles.timesofindia.indiatimes.com/2012-08-18/mumbai/33261046_1_rfid-stickers-border-check-posts">state border check-posts</a><span>. Since last year, the state government has been circulating RFID stickers to trucks, trailers and tankers, which would not only result in heavy goods vehicles not having to wait in long queues for clearance at check-posts, but would also supposedly put an end to corruption by RTO officials.</span></p>
<p style="text-align: justify; "><span>By </span><a href="http://articles.timesofindia.indiatimes.com/2013-03-07/mumbai/37530519_1_plazas-on-national-highways-toll-plazas-toll-collection">31 March 2014</a><span>, it is estimated that RFID-based electronic toll collection (ETC) systems will be installed on all national highways in India. According to </span><a href="http://netindian.in/news/2013/03/05/00023379/electronic-toll-collection-all-national-highways-march-2014-joshi">Dr. Joshi</a><span>, the Union Minister for Road Transport and Highways:</span></p>
<blockquote class="italized" style="text-align: justify; "><i>“</i><i>The RFID technology</i><i> shall expedite the clearing of traffic at toll plazas and the need of carrying cash shall also be eliminated when toll plazas shall be duly integrated with each other throughout India.”</i></blockquote>
<p style="text-align: justify; "><span>Although Dr. Joshi´s mission to create a quality highway network across India and to increase the transparency of the system seems rational, the ETC system raises privacy concerns, as it </span><a href="http://articles.timesofindia.indiatimes.com/2013-03-07/mumbai/37530519_1_plazas-on-national-highways-toll-plazas-toll-collection">uniquely identifies each vehicle</a><span>, collects data and provides general vehicle and traffic monitoring. This could potentially lead to a privacy violation, as India currently lacks adequate statutory provisions which could safeguard the use of our data from potential abuse. All we know is that our vehicles are being monitored, but it remains unclear how the data collected will be used, shared and retained, which raises concerns.</span></p>
<p style="text-align: justify; "><span>The cattle and pedestrians roaming the streets in India appear to have increased the need for the installation of an </span><a href="http://www.thehindu.com/news/national/article3636417.ece">Event Data Recorder (EDR)</a><span>, otherwise known as a black box, which is a device capable of recording information related to crashes or accidents. The purpose of a black box is to record the speed of the vehicle at the point of impact in the case of an accident and whether the driver had applied the brakes. This would help insurance companies in deciding whether or not to entertain insurance claims, as well as to determine whether a driver is responsible for an accident.</span></p>
<p style="text-align: justify; "><span>Black boxes for vehicles are already being designed, tested and installed in some vehicles in India at an affordable cost. In fact, manufacturers in India have recommended that the government make it </span><a href="http://www.thehindu.com/news/national/article3636417.ece">mandatory for cars</a><span> to be fitted with the device, rather than it being optional. But can we have privacy when our cars are being monitored? This is essentially a case of proactive monitoring which has not been adequately justified yet, as it remains unclear how information would be used, who would be authorised to use and share such information, and whether its use would be accounted for to the individual.</span></p>
<h2><b>Are monitored cars safer?</b></h2>
<p style="text-align: justify; "><span>The trade-off is clear: the privacy and anonymity of our movement is being monitored in exchange for the provision of safety. But are we even getting any safety in return? According to a </span><a href="http://www.fhwa.dot.gov/publications/research/safety/05049/05049.pdf">2005 Federal Highway Administration study</a><span>, front-into-side crashes decreased at intersections with cameras, but an increase in rear-end crashes has also been proven. Other </span><a href="http://www.techdirt.com/articles/20091218/1100537428.shtml">studies</a><span> of red light cameras in the US have shown that more accidents have occurred since the installation of traffic enforcement cameras at intersections. Although no such research has been undertaken in India yet, the effectiveness, necessity and utility of red light cameras remain ambiguous.</span></p>
<p style="text-align: justify; "><span>Furthermore, there have been </span><a href="http://www.usatoday.com/story/news/nation/2013/03/08/speed-camera-ruling/1974369/">claims</a><span> that the installation of red light cameras, ETCs, RFID tags, black boxes and other technologies does not primarily serve the purpose of public security, but financial gain. A huge debate has arisen in the United States on whether such monitoring of vehicles actually improves safety, or whether its primary objective is to serve financial interests. Red light cameras have already generated about $1.5 million in fines in the Elmwood village of Ohio, which leads critics to believe that the installation of such cameras has more to do with revenue enhancement than safety. The same type of question applies to India and yet a clear-cut answer has not been reached.</span></p>
<p style="text-align: justify; "><span>Companies which manufacture </span><a href="http://dir.indiamart.com/impcat/vehicle-tracking-systems.html">vehicle tracking systems</a><span> are widespread in India, which makes the monitoring of our cars a vivid reality. Yet there is a lack of statutory provisions in India for the privacy of our vehicles´ real-time movement and hence we are being monitored without any safeguards. Major privacy concerns arise with regard to the monitoring of vehicles in India, as the following questions have not been adequately addressed: What type of data is collected in India through the monitoring of vehicles? Who can legally authorize access to such data? Who can have access to such data and under what conditions? Is data being shared between third parties and if so, under what conditions? How long is such data being retained for?</span></p>
<p style="text-align: justify; "><span>And more importantly: Why is it important to address the above questions? Does it even matter if the movement of our vehicles is being monitored? How would that affect us personally? Well, the monitoring of our cars implies a huge probability that it´s not our vehicles per se which are under the microscope, </span><a href="http://www.farnish.plus.com/amatterofscale/mirrors/omni/surveillance.htm">but us</a><span>. And while the tracking of our movement might not get us arrested, interrogated, tortured or imprisoned tomorrow... it might in the future. As long as we are being monitored, </span><a href="http://www.samharris.org/blog/item/the-trouble-with-profiling">we are all suspects</a><span> and we may potentially be treated as any other offender who is suspected to have committed a crime. The current statutory omission in India to adequately regulate the use of traffic enforcement cameras, RFID tags, black boxes and other technologies used to track and monitor the movement of our vehicles can potentially violate our due process rights and infringe upon our right to privacy and other human rights. Thus, the collection, access, use, analysis, sharing and retention of data acquired through the monitoring of vehicles in India should be strictly regulated to ensure that we are not exposed to our defenceless control.</span></p>
<h2><b>Maneuvering our monitoring</b></h2>
<p style="text-align: justify; "><span>Nowadays, surveillance appears to be the quick-fix solution for everything related to public security; but that does not need to be the case.</span></p>
<p style="text-align: justify; "><span>Instead of installing red light cameras monitoring our cars´ movements and bombarding us with fines, other ´simple´ measures could be enforced in India, such as</span><a href="http://d2dtl5nnlpfr0r.cloudfront.net/tti.tamu.edu/documents/0-4196-2.pdf"> increasing the duration of the yellow light</a><span> between the green and the red, </span><a href="http://www.motorists.org/red-light-cameras/alternatives">re-timing lights</a><span> so drivers will encounter fewer red ones or increasing the visibility distance of the traffic lights so that it is more likely for a driver to stop. Such measures should be enforced by governments, especially since the monitoring of our vehicles is not adequately justified.</span></p>
<p style="text-align: justify; "><span>Strict laws regulating the use of all technologies monitoring vehicles in India, whether red light cameras, RFID tags or black boxes, should be enacted now. Such regulations should clearly specify the terms of monitoring vehicles, as well as the conditions under which data can be collected, accessed, shared, used, processed and stored. The enactment of regulations on the monitoring of vehicles in India could minimize the potential for citizens´ due process rights to be breached, as well as ensure that their right to privacy and other human rights are legally protected. This would just be another step towards preventing ubiquitous surveillance and if governments are interested in protecting their citizens´ human rights as they claim to be, then there is no debate on the necessity of regulating the monitoring of our vehicles. The question which remains, though, is:</span></p>
<blockquote class="quoted"><i>Should we be monitored at all?</i></blockquote>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T15:26:33Z | Blog Entry
Microsoft releases its first report on data requests by law enforcement agencies around the world
https://cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies
<b>In this post, the Centre for Internet and Society presents Microsoft´s report on law enforcement requests, with a focus on data requested by Indian law enforcement agencies.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Last week, Microsoft released its first report with data on the number of requests received from law enforcement agencies around the world relating to Microsoft online and cloud services. Microsoft´s newly released <a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">2012 Law Enforcement Requests Report </a>depicts the company's willingness to join the ranks of Google, Twitter and other Web businesses that publish transparency reports.</p>
<p style="text-align: justify; "><span>As of 30 June 2012, </span><a href="http://www.internetworldstats.com/asia.htm#in">137 million</a><span> Indians are regular Internet users, many of whom use Microsoft services including Skype, Hotmail, Outlook.com, SkyDrive and Xbox Live. Yet, until recently, it was unclear whether Indian law enforcement agencies were requesting data from our Skype calls, emails and other Microsoft services. Thus, Microsoft's release of a report on law enforcement requests is a decisive step in improving transparency with regard to how many requests for data are made by law enforcement agencies and how many requests are granted by companies. Brad Smith, an executive vice president and Microsoft´s general counsel, wrote in his </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">blog post</a><span>:</span></p>
<blockquote class="italized"><i>“As we continue to move forward, Microsoft is committed to respecting human rights, free expression and individual privacy.”</i></blockquote>
<h2><b>Microsoft 2012 Law Enforcement Requests</b></h2>
<p style="text-align: justify; "><span>Democratic countries requested the most data during 2012, according to </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">Microsoft´s report</a><span>. The law enforcement agencies in the United States, the United Kingdom, Germany, France and Turkey accounted for 69 percent of the 70,665 requests Microsoft (excluding Skype) received last year. Although India did not join the rank of the countries which made the fewest requests from Microsoft, it did not join the </span><a href="http://www.itpro.co.uk/data-protection/19488/microsoft-opens-collaboration-law-enforcement-agencies">top-five league</a><span> which accounted for the most requests, despite the country having </span><a href="https://opennet.net/research/profiles/india">one of the world´s highest numbers of Internet users</a><span>.</span></p>
<p style="text-align: justify; "><span>Out of the </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">70,665 requests</a><span> to Microsoft by law enforcement agencies around the world, only about 0.6 percent of the requests were made by Indian law enforcement agencies. These 418 requests specified 594 accounts and users, which is significantly low in comparison to the top-five and other countries, such as Taiwan, Spain, Mexico, Italy, Brazil and Australia. Indian law enforcement requests accounted for about 0.5 percent of the total 122,015 accounts and user data that was requested by law enforcement agencies around the world.</span></p>
<p style="text-align: justify; "><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">Content data</a><span> is defined by Microsoft as what customers create, communicate and store on or through their services, such as words in an e-mail or photographs and documents stored on SkyDrive or other cloud offerings. </span><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?_r=1&">Non-content data</a><span>, on the other hand, refers to basic subscriber information, such as the e-mail address, name, location and IP address captured at the time of registration. According to Microsoft´s 2012 report, the company did not disclose any content data to Indian law enforcement agencies. In fact, only </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">2.2 percent</a><span> of requests from law enforcement agencies around the world resulted in the disclosure of content data, </span><a href="http://www.engadget.com/2013/03/21/microsoft-posts-its-first-law-enforcement-requests-report/">99 percent of which were in response to warrants from courts in the United States</a><span>. Microsoft may not have disclosed any of our content data, but </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">370 requests</a><span> from Indian law enforcement agencies resulted in the disclosure of our non-content data. In other words, 88.5 percent of the requests by India resulted in the disclosure of e-mail addresses, IP addresses, names, locations and other subscriber information.</span></p>
<p style="text-align: justify; "><span>Out of the 418 requests made to Microsoft by Indian law enforcement agencies, </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">only 4 were rejected </a><span>(1 percent) and no data was found for 44 requests (10.5 percent). In total, Microsoft rejected the disclosure of 1.2 percent of the requests made by law enforcement agencies around the world, while data was not found for 16.8 percent of the international requests. Thus, the outcome of the data shows that the majority of the requests by Indian law enforcement agencies resulted in the disclosure of non-content data, while very few requests were rejected by Microsoft (excluding Skype). The following table summarizes the requests by Indian law enforcement agencies and their outcome:</span></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Total number of requests</p>
</td>
<td>
<p>418 (0.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Accounts/Users specified in requests</p>
</td>
<td>
<p>594 (0.5%)</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of content</p>
</td>
<td>
<p>0 (0%)</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of non-content data</p>
</td>
<td>
<p>370 (88.5%)</p>
</td>
</tr>
<tr>
<td>
<p>No data found</p>
</td>
<td>
<p>44 (10.5%)</p>
</td>
</tr>
<tr>
<td>
<p>Requests rejected</p>
</td>
<td>
<p>4 (1%)</p>
</td>
</tr>
</tbody>
</table>
<h2><span>Skype 2012 Law Enforcement Requests</span></h2>
<p style="text-align: justify; "><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">Microsoft acquired Skype</a> towards the end of 2011 and the integration of the two companies advanced considerably over the course of 2012. According to the<a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> Microsoft 2012 report</a>, Indian law enforcement agencies made 53 requests for Skype user data and 101 requests for specified accounts on Skype. In other words, out of the total 4,715 requests for Skype user data by law enforcement agencies around the world, the requests by Indian law enforcement accounted for about 0.1 percent. 15,409 international requests were made for specified accounts on Skype, but Indian law enforcement requests only accounted for about 0.6 percent of those.</p>
<p style="text-align: justify; "><span>The </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">report</a><span> appears to be extremely reassuring, as it states that Skype did</span><i> not </i><span>disclose any content data to any law enforcement agencies around the world. That essentially means that, according to the report, all the content we created and communicated through Skype during 2012 was kept private from law enforcement. Although Microsoft claims to not have disclosed any of our content data, it did </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">disclose </a><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx"><i>non-content data</i></a><span>, such as SkypeID, name, email account, billing information and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number. However, Microsoft did not report how many requests the company received for non-content data, nor how much data was disclosed and to which countries.</span></p>
<p style="text-align: justify; "><span>Microsoft </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">reported </a><span>that data was not found for 47 of India´s law enforcement requests, which represents 88.6 percent of the requests. In total, Microsoft reported that data was not found for about half the requests made by law enforcement agencies on an international level. Out of the 53 requests, Microsoft provided guidance to Indian law enforcement agencies for 10 requests. In particular, such guidance was provided either in response to a rejected request or general questions about the process for obtaining Skype user data. Yet, the number of rejected requests for Skype user data was not included in the report and the guidance provided remains vague. The following table summarizes the requests by Indian law enforcement agencies for Skype user data and their outcome:</span></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Total of requests</p>
</td>
<td>
<p>53 (0.1%)</p>
</td>
</tr>
<tr>
<td>
<p>Accounts/identifiers specified in requests</p>
</td>
<td>
<p>101 (0.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Requests resulting in disclosure of content</p>
</td>
<td>
<p>0 (0%)</p>
</td>
</tr>
<tr>
<td>
<p>No data found</p>
</td>
<td>
<p>47 (88.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Provided guidance to law enforcement</p>
</td>
<td>
<p>10 (18.8%)</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>The Centre for Internet and Society (CIS) supports the publication of </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">Microsoft´s 2012 Law Enforcement Requests Report</a><span> and encourages Microsoft (including Skype) to continue releasing such reports which can provide an insight on how much user data is being shared with law enforcement agencies around the world. In order to ensure that such reports adequately provide transparency, they should be broadened in the future to include more data, such as the amount of non-content data requests disclosed by Skype, the type of guidance provided to law enforcement agencies and the amount of requests rejected by Skype. Nonetheless, this report is a decisive first step in increasing transparency and further, more detailed reports are strongly encouraged.</span></p>
No publisher | maria | Internet Governance, SAFEGUARDS | 2013-07-12T12:19:31Z | Blog Entry
The Personal Data (Protection) Bill, 2013
https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013
<b>Below is the text of the Personal Data (Protection) Bill, 2013 as discussed at the 6th Privacy Roundtable, New Delhi held on 24 August 2013.
Note: This version of the Bill caters only to the Personal Data regime. The surveillance and privacy of communications regime was not discussed at the 6th Privacy Roundtable.
</b>
No publisher | prachi | SAFEGUARDS, Internet Governance, Privacy | 2013-08-30T14:53:11Z | File
The India Privacy Monitor Map
https://cis-india.org/internet-governance/blog/india-privacy-monitor-map
<b>The Centre for Internet and Society has started the first Privacy Watch in India! Check out our map which includes data on the UID, NPR and CCTNS schemes, as well as on the installation of CCTV cameras and the use of drones throughout the country. </b>
<p style="text-align: justify; ">In a country of twenty-eight diverse states and seven union territories, it remained unclear to what extent surveillance, biometric and other privacy-intrusive schemes are being implemented. We are trying to make up for this by mapping out data in every single state in India on the UID, CCTNS and NPR schemes, as well as on the installation of CCTV cameras and the use of Unmanned Aerial Vehicles (UAVs), otherwise known as drones.</p>
<p style="text-align: justify; ">In particular, the map in its current format includes data on the following:</p>
<p style="text-align: justify; "><b>UID:</b> The Unique Identification Number (UID), also known as AADHAAR, is a 12-digit unique identification number which the Unique Identification Authority of India (UIDAI) is currently issuing for all residents in India (on a voluntary basis). Each UID is stored in a centralised database and linked to the basic demographic and biometric information of each individual. The UIDAI and AADHAAR currently lack legal backing.</p>
<p style="text-align: justify; "><b>NPR:</b> Under the National Population Register (NPR), the demographic data of all residents in India is collected on a mandatory basis. The Unique Identification Authority of India (UIDAI) supplements the NPR with the collection of biometric data and the issue of the AADHAAR number.</p>
<p style="text-align: justify; "><b>CCTV:</b> Closed-circuit television cameras which can produce images or recordings for surveillance purposes.</p>
<p style="text-align: justify; "><b>UAV: </b>Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are aircraft without a human pilot on board. The flight of a UAV is controlled either autonomously by computers in the vehicle or under the remote control of a pilot on the ground or in another vehicle. UAVs are used for surveillance purposes.</p>
<p style="text-align: justify; "><b>CCTNS: </b>The Crime and Criminal Tracking Networks and Systems (CCTNS) is a nationwide networking infrastructure for enhancing efficiency and effectiveness of policing and sharing data among 14,000 police stations across India.</p>
<p style="text-align: justify; "><b>Our India Privacy Monitor Map can be viewed through the following link: http://cis-india.org/cisprivacymonitor </b></p>
<p style="text-align: justify; ">This map is part of on-going research and will hopefully expand to include other schemes and projects which are potentially privacy-intrusive. We encourage all feedback and additional data!</p>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-10-09T16:26:14Z | Blog Entry
BigDog is Watching You! The Sci-fi Future of Animal and Insect Drones
https://cis-india.org/internet-governance/blog/big-dog-is-watching-you
<b>Do you think robotic aeroplanes monitoring us are scary enough? Wait until you read about DARPA´s new innovative and subtle way to keep us all under the microscope! This blog post presents a new reality of drones which is depicted in none other than animal and insect-like robots, equipped with cameras and other surveillance technologies. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Just when we thought we had seen it all, the US Defence Advanced Research Projects Agency (DARPA) funded another controversial surveillance project which makes even the most bizarre sci-fi movie seem like a pleasant fairy-tale in comparison to what we are facing: animal and insect drones.</p>
<p style="text-align: justify; ">Up until recently, unmanned aerial vehicles (UAVs), otherwise called drones, depicted the scary reality of surveillance, as robotic pilot-less planes have been swarming the skies, while monitoring large amounts of data without people´s knowledge or consent. Today, DARPA has come up with more subtle forms of surveillance: animal and insect drones. Clearly animal and insect-like drones have a much better camouflage than aeroplanes, especially since they are able to go to places and obtain data that mainstream UAVs cannot.</p>
<p dir="ltr" style="text-align: justify; ">India´s ´DARPA´, the Defence Research and Development Organisation (DRDO), has been creating <a href="http://www.indiastrategic.in/topstories1369_Unmanned_Aerial_Vehicle.htm"><span>UAVs</span></a> over the last ten years, while the Indian Army first acquired UAVs from Israel in the late 1990s. Yet the use of all UAVs in India is still poorly regulated! Drones in the U.S. are regulated by the <a href="http://www.faa.gov/"><span>Federal Aviation Administration (FAA)</span></a>, whilst the <a href="https://www.easa.europa.eu/what-we-do.php"><span>European Aviation Safety Agency (EASA)</span></a> regulates drones in the European Union. In India, the <a href="http://www.civilaviation.gov.in/MocaEx/faces/index.html;jsessionid=BLvyRvDp2NJzl4Q264fTNkXdynJkvJGF6bK1rSJtCrcJzwq1pym2!-750232318?_adf.ctrl-state=buu3l8xph_4"><span>Ministry of Civil Aviation</span></a> regulates drones, whilst the government is moving ahead with plans to<a href="http://indiatoday.intoday.in/story/aviation-ministry-moots-to-replace-dgca-with-a-super-regulator/1/224097.html"><span> replace the Directorate General of Civil Aviation (DGCA)</span></a> with a Civil Aviation Authority. However, current Indian aviation laws are vague in regards to data acquired, shared and retained, thus not only posing a threat to individual´s right to privacy and other human rights, but also enabling the creation of a secret surveillance state.</p>
<p dir="ltr" style="text-align: justify; ">The DRDO appears to be following in DARPA´s footsteps in terms of surveillance technologies and the questions which arise are: will animal and insect drones be employed in India in the future? If so, how will they be regulated?</p>
<h2><span>BigDog/LS3</span></h2>
<p><iframe frameborder="0" height="250" src="http://www.youtube.com/embed/40gECrmuCaU" width="250"></iframe></p>
<p align="JUSTIFY">Apparently having UAVs flying above us and monitoring territories and populations without our knowledge or consent was not enough. DARPA is currently funding the <a href="http://defensetech.org/2012/02/08/video-the-latest-terrifying-drone-dog/">BigDog project</a>, which is none other than a drone dog, a four-legged robot equipped with a camera and capable of surveillance in disguise. DARPA and Boston Dynamics are working on the latest version of BigDog, called the <a href="http://www.darpa.mil/Our_Work/TTO/Programs/Legged_Squad_Support_System_%28LS3%29.aspx">Legged Squad Support System (LS3)</a>, which can carry 400 pounds of gear for more than 20 miles without refuelling. Not only can the LS3 walk and run on all types of surfaces, including ice and snow, but it also has ´vision sensors´ which enable it to autonomously maneuver around obstacles and follow soldiers in the battle field. The LS3 is expected to respond to soldiers' voice commands, such as 'come', 'stop' and 'sit', as well as serve as a battery charger for electronic devices.</p>
<p align="JUSTIFY">BigDog/LS3 is undoubtedly an impressive technological advancement in terms of aiding squads with surveillance, strategic management and a mobile auxiliary power source, as well as by carrying gear. Over the last century most technological developments have manifested through the military and have later been integrated in societies. Many questions arise around the BigDog/LS3 and its potential future use by governments for non-military purposes. Although UAVs were initially used for strictly military purposes, they are currently also being used by governments on an international level for <a href="http://www.nasa.gov/centers/dryden/pdf/111760main_UAV_Assessment_Report_Overview.pdf">civil purposes</a>, such as to monitor climate change and extinct animals, as well as to surveil populations. Is it a matter of time before BigDog is used by governments for ´civil purposes´ too? Will robotic dogs swarm cities in the future to provide ´security´?</p>
<p dir="ltr" style="text-align: justify; ">Like any other surveillance technology, the LS3 should be legally regulated and the current lack of regulation could create a potential for abuse. Is authorisation required to use an LS3? If so, who has the legal right to authorise its use? Under what conditions can authorisation be granted and for how long? What kind of data can legally be obtained and under what conditions? Who has the legal authority to access such data? Can data be retained and if so, for how long and under what conditions? Do individuals have the right to be informed about the data withheld about them? Just because it´s a ´dog´ should not imply its non-regulation. This four-legged robot has extremely intrusive surveillance capabilities which may breach the right to privacy and other human rights when left unregulated.</p>
<h2><span>Humming Bird Drone</span></h2>
<table class="invisible">
<tbody>
<tr>
<th>
<p><span><img src="https://cis-india.org/home-images/hummingbirddronepic.png/@@images/f6c4be7f-597d-4909-914e-6470256cb1c9.png" style="text-align: justify; " title="Humming bird drone" class="image-inline" alt="Humming bird drone" /></span></p>
</th>
</tr>
<tr>
<td>Source:<a class="external-link" href="http://www.hightech-edge.com/aerovironment-nano-humming-bird-flapping-wing-uav-video-clip/10309/"> HighTech Edge</a></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">TIME magazine recognised DARPA for its Hummingbird nano air vehicle (NAV) and named the drone bird<a href="http://www.darpa.mil/newsevents/releases/2011/11/24.aspx"><span> one of the 50 best inventions of 2011</span></a>. True, it is rather impressive to create a robot which looks like a bird, behaves like a bird, but serves as a secret spy.</p>
<p dir="ltr" style="text-align: justify; ">During the presentation of the humming bird drone, <a href="http://www.ted.com/talks/regina_dugan_from_mach_20_glider_to_humming_bird_drone.html"><span>Regina Dugan</span></a>, former Director of DARPA, stated:</p>
<p class="callout" dir="ltr" style="text-align: justify; "><i>"</i>Since we took to the sky, we have wanted to fly faster and farther. And to do so, we've had to believe in impossible things and we've had to refuse to fear failure<i>."</i><span> </span></p>
<p dir="ltr" style="text-align: justify; ">Although believing in 'impossible things' is usually a prerequisite to innovation, the potential implications on human rights of every innovation and their probability of occurring should be examined. Given the fact that drones already exist and that they are used for both military and non-military purposes, the probability is that the hummingbird drone will be used for civil purposes in the future. The value of data in contemporary information societies, as well as government's obsession with surveillance for ´national security´ purposes back up the probability that drone birds will not be restricted to battlefields.</p>
<p dir="ltr" style="text-align: justify; ">So should innovation be encouraged for innovation’s sake, regardless of potential infringement of human rights? This question could open up a never-ending debate with supporters arguing that it´s not technology itself which is harmful, but its use or misuse. However, the current reality of drones is this: UAVs and NAVs are poorly regulated (if regulated at all in many countries) and their potential for abuse is enormous, given that <a href="http://www.wired.com/politics/security/commentary/securitymatters/2008/05/securitymatters_0515"><span>´what happens to our data happens to ourselves....who controls our data controls our lives.´</span></a> If UAVs are used to surveil populations, why would drone birds not be used for the same purpose? In fact, they have an awesome camouflage and are potentially capable of acquiring much more data than any UAV! Given the surveillance benefits, governments would appear irrational not to use them.</p>
<h2><span>MeshWorms and Remote-Controlled Insects</span></h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/picofmeshworm.png" alt="MeshWorm" class="image-inline" title="MeshWorm" /></th>
</tr>
<tr>
<td>Source: <a class="external-link" href="http://www.nydailynews.com/news/national/scientists-create-resilient-robot-worm-medicine-electronics-spy-missions-roboticists-leading-universities-wroking-pentagon-grant-created-super-durable-synthetic-worm-call-meshworm-robot-article-1.1134361">NY Daily News</a></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Think insects are creepy? Now we can have a real reason to be afraid of them. Clearly robotic planes, dogs and birds are not enough.</p>
<p dir="ltr" style="text-align: justify; ">DARPA´s <a href="http://www.bbc.co.uk/news/technology-19200285"><span>MeshWorm project</span></a> entails the creation of earthworm-like robots that crawl along surfaces by contracting segments of their bodies. The MeshWorm can squeeze through tight spaces and mold its shape to rough terrain, as well as absorb heavy blows. This robotic worm will be used for military purposes, while future use for ´civil purposes´ remains a probability.</p>
<p dir="ltr" style="text-align: justify; ">Robots, however, are not the only case. Actual insects are being wirelessly controlled, such as <a href="http://www.technologyreview.com/news/411814/the-armys-remote-controlled-beetle/"><span>beetles with implanted electrodes</span></a> and a radio receiver on their back. The giant flower beetle´s size enables it to carry a small camera and a heat sensor, which makes it a reliable means of surveillance.</p>
<p dir="ltr" style="text-align: justify; "><span>Other</span><a href="http://www.wired.com/dangerroom/2012/06/ff_futuredrones/"> drone insects</a><span> look and fly like ladybugs and dragonflies. Researchers at the Wright State University in Dayton, Ohio, have been working on a butterfly drone since 2008. Former software engineer Alan Lovejoy has argued that the US is developing </span><a href="http://www.businessinsider.com/the-future-of-micro-drones-is-getting-pretty-scary-according-to-alan-lovejoy-2012-6">mosquito drones</a><span>. Such a device could potentially be equipped with a camera and a microphone, it could use its needle to extract a DNA sample with the pain of a mosquito bite and it could also inject a micro RFID tracking device under people´s skin. All such micro-drones could potentially be used for both military and civil purposes and could violate individuals´ right to privacy and other civil liberties.</span></p>
<h2><span>Security vs. Privacy: The wrong debate</span></h2>
<p style="text-align: justify; ">09/11 was not only a pioneering date for the U.S., but also for India and most countries in the world. The War on Terror unleashed a global wave of surveillance to supposedly enable the detection and prevention of crime and terrorism. Governments on an international level have been arguing over the last decade that the use of surveillance technologies is a prerequisite to safety. However, security expert <a href="http://www.schneier.com/blog/archives/2008/01/security_vs_pri.html"><span>Bruce Schneier</span></a> argues that the trade-off of privacy for security is a false dichotomy.</p>
<p dir="ltr" style="text-align: justify; ">Everyone can potentially be a suspect within a surveillance state. Analyses of Big Data can not only profile individuals and populations, but also identify ‘branches of communication’ around every individual. In short, if you know someone who may be considered a suspect by intelligence agencies, you may also be a suspect. The mainstream argument <a href="http://www.youtube.com/watch?v=GMN2360LM_U"><span>“I have nothing to hide, I am not a terrorist”</span></a> is none other than a psychological coping mechanism when dealing with surveillance. The reality of security indicates that when an individual’s data is being intercepted, the probability is that those who control that data can also control that individual’s life. Schneier has argued that<a href="http://www.schneier.com/blog/archives/2008/01/security_vs_pri.html"><span> privacy and security are not on the opposite side of a seesaw</span></a>, but on the contrary, the one is a prerequisite of the other. Governments should not expect us to give up our privacy in exchange for security, as loss of privacy indicates loss of individuality and essentially, loss of freedom. We cannot be safe when we trade off our personal data, because privacy is what protects us from abuse from those in power. Thus the entire War on Terror appears to be waged through a type of phishing, as the promise of ´security´ may be bait to acquire our personal data.</p>
<p align="JUSTIFY">Since the <a href="http://www.thenational.ae/news/world/south-asia/mumbai-police-to-get-aerial-drones-to-help-fight-crime">2008 Mumbai terrorist attacks</a>, India has had more reasons to produce, buy and use surveillance technologies, including drones. Last New Year´s Eve, the <a class="external-link" href="http://articles.timesofindia.indiatimes.com/2012-12-31/mumbai/36078903_1_surveillance-cameras-terror-outfits-netra">Mumbai police used UAVs</a> to monitor hotspots, supposedly to help track down revellers who sexually harass women. The Chennai police recently procured <a class="external-link" href="http://www.thehindu.com/news/cities/chennai/it-flies-it-swoops-it-records-and-monitors/article4218683.ece">three UAVs from Anna University </a>to assist them in keeping an eye on the city´s vehicle flow. Raj Thackeray´s rally marked<a class="external-link" href="http://articles.economictimes.indiatimes.com/2012-08-22/news/33322409_1_mumbai-police-uav-unmanned-aerial-vehicle"> the biggest surveillance exercise ever launched for a single event</a>, which included UAVs. The Chandigarh police are the first Indian police force to use the <a class="external-link" href="http://www.indianexpress.com/news/UAV--Chandigarh-police-spread-wings-with--Golden-Hawk-/779043/">´Golden Hawk´</a> - a UAV which will keep a ´bird´s eye on criminal activities´. This new type of drone was manufactured by the <span>Aeronautical Development Establishment (one of DRDO's premier laboratories based in Bangalore) and as of 2011 is being used by Indian law enforcement agencies.</span></p>
<p align="JUSTIFY">Although there is no evidence that India currently has any animal or insect drones, it could be a probability in the forthcoming years. Since India is currently using many UAVs either way, why would animal and/or insect drones be excluded? What would prevent India from potentially using such drones in the future for ´civil purposes´? More importantly, how are ´civil purposes´ defined? Who defines ´civil purposes´ and under what criteria? Would the term change and if so, under what circumstances? The term ´civil purposes´ varies from country to country and is defined by many political, social, economic and cultural factors, thus potentially enabling extensive surveillance and abuse of human rights.</p>
<p dir="ltr" style="text-align: justify; ">Drones can potentially be as intrusive as other communications surveillance technologies, depending on the type of technology they´re equipped with, their location and the purpose of their use. As they can potentially violate individuals´ right to privacy, freedom of expression, freedom of movement and many other human rights, they should be strictly regulated. In<a href="http://www.uavs.org/regulation"><span> Europe UAVs</span></a> are regulated based upon their weight, as unmanned aircraft with an operating mass of less than 150kg are exempt by the EASA Regulation and its Implementation Rules. This should not be the case in India, as drones lighter than 150kg can potentially be more intrusive than other heavier drones, especially in the case of bird and insect drones.</p>
<p dir="ltr" style="text-align: justify; ">Laws which explicitly regulate the use of all types of drones (UAVs, NAVs and micro-drones) and which legally define the term ´civil purposes´ in regards to human rights should be enacted in India. Some thoughts on the authorisation of drones include the following: A Special Committee on the Use of All Drones (SCUAD) could be established, which would be comprised of members of the jury, as well as other legal and security experts of India. Such a committee would be the sole legal entity responsible for issuing authorisation for the use of drones, and every authorisation would have to comply with the constitutional and statutory provisions of human rights. Another committee, the Supervisory Committee on the Authorisation of the Use of Drones (let´s call this ´SCAUD´), could also be established, which would also be comprised of (other) members of the jury, as well as (other) legal and security experts of India. This second committee would supervise the first and it would ensure that SCUAD provides authorisations in compliance with the laws, once the necessity and utility of the use of drones has been adequately proven.</p>
<p dir="ltr" style="text-align: justify; "><span>It´s not about ´privacy vs. security´. Nor is it about ´privacy or security´. In every democratic state, it should be about ´privacy and security´, since the one cannot exist without the other. Although the creation of animal and insect drones is undoubtedly technologically impressive, do we really want to live in a world where even animal-like robots can be used to spy on us? Should we be spied on at all? How much privacy do we give up and how much security do we gain in return through drones? If drones provided the ´promised security´, then India and all other countries equipped with these technologies should be extremely safe and crime-free; however, that is not the case.</span></p>
<p dir="ltr" style="text-align: justify; ">In order to ensure that the use of drones does not infringe upon the right to privacy and other human rights, strict regulations are a minimal prerequisite. As long as people do not require that the use of these spying technologies is strictly regulated, very little can be done to prevent a scary sci-fi future. That´s why this blog has been written.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/big-dog-is-watching-you'>https://cis-india.org/internet-governance/blog/big-dog-is-watching-you</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T15:38:33Z | Blog Entry
Comparative Analysis of DNA Profiling Legislations from Across the World
https://cis-india.org/internet-governance/blog/comparative-analysis-of-dna-profiling-legislations-across-the-world
<b>With the growing importance of forensic data in law enforcement and research, many countries have recognized the need to regulate the collection and use of forensic data and maintain DNA databases. Across the world around 60 countries maintain DNA databases which are generally regulated by specific legislations. Srinivas Atreya provides a broad overview of the important provisions of four different legislations which can be compared and contrasted with the Indian draft bill.
</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">Efforts to regulate the collection and use of DNA data were started in India in 2007 by the Centre for DNA Fingerprinting and Diagnostics through their draft DNA Profiling Bill. Although the bill has evolved from its original conception, several concerns with regard to human rights and privacy still remain. The draft bill heavily borrows the different aspects related to collection, profiling and use of forensic data from the legislations of the United States, United Kingdom, Canada and Australia.</p>
<hr />
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/comparative-analysis-dna-profiling-bill.xlsx" class="internal-link"><b>Click</b> to find an overview of a comparative analysis of DNA Profiling Legislations</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparative-analysis-of-dna-profiling-legislations-across-the-world'>https://cis-india.org/internet-governance/blog/comparative-analysis-of-dna-profiling-legislations-across-the-world</a>
</p>
No publisher | atreya | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:30:17Z | Blog Entry
Report on the 4th Privacy Round Table meeting
https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting
<b>This report entails an overview of the discussions and recommendations of the fourth Privacy Round Table in Mumbai, on 15th June 2013.
</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; "><span>In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</span></p>
<p style="text-align: justify; "><span>In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</span></p>
<p style="text-align: justify; "><span>At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</span></p>
<p style="text-align: justify; "><span>The dates of the six Privacy Round Table meetings are listed below:</span></p>
<ol style="text-align: justify; ">
<li>
<p align="JUSTIFY"><span>New Delhi Roundtable: 13 April 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Bangalore Roundtable: 20 April 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Chennai Roundtable: 18 May 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Mumbai Roundtable: 15 June 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Kolkata Roundtable: 13 July 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>New Delhi Final Roundtable and National Meeting: 17 August 2013</span></p>
</li>
</ol>
<p style="text-align: justify; "><span>Following the first three Privacy Round Tables in Delhi, Bangalore and Chennai, this report entails an overview of the discussions and recommendations of the fourth Privacy Round Table meeting in Mumbai, on 15th June 2013.</span></p>
<h2><b><span>Discussion of the Draft Privacy (Protection) Bill 2013</span></b></h2>
<h3><b><span>Discussion of definitions: Chapter 1</span></b></h3>
<p style="text-align: justify; "><span>The fourth Privacy Round Table meeting began with a discussion of the definitions in Chapter 1 of the draft Privacy (Protection) Bill 2013. In particular, it was stated that in India, the courts argue that the right to privacy indirectly derives from the right to liberty, which is guaranteed in article 21 of the constitution. However, this provision is inadequate to safeguard citizens from potential abuse, as it does not protect their data adequately. Thus, all the participants in the meeting agreed with the initial notion that India needs privacy legislation which will explicitly regulate data protection, the interception of communications and surveillance within India. To this extent, the participants started a thorough discussion of the definitions used in the draft Privacy (Protection) Bill 2013. </span></p>
<p style="text-align: justify; "><span>It was specified in the beginning of the meeting that the definition of personal data in the Bill applies to natural persons and not to juristic persons. A participant argued that the Information Technology Act refers to personal data and that the draft Privacy (Protection) Bill 2013 should be harmonised with existing rules. This was countered by a participant who argued that the European Union considers the Information Technology Act inadequate in protecting personal data in India and that since India does not have data secure adequacy, the Bill and the IT Act should not be harmonised. </span></p>
<p style="text-align: justify; "><span>Other participants argued that all other relevant acts should be quoted in the discussion so that it does not overlap with existing provisions in other rules, such as the IT Act. Furthermore, this was supported by the notion that the Bill should not clash with existing legislation, but this was dismissed by the argument that this Bill – if enacted into law – would override all other competing legislation. Special laws override general laws in India, but this would be a special law for the specific purpose of data protection. </span></p>
<p style="text-align: justify; "><span>The definition of sensitive personal data includes biometric data, political affiliation and past criminal history, but does not include ethnicity, caste, religion, financial information and other such information. It was argued that one of the reasons why such categories are excluded from the definition of sensitive personal data is because the government requests such data on a daily basis and that it is not willing to take any additional expense to protect such data. It was stated that the Indian government has argued that such data collection is necessary for caste census and that financial information, such as credit data, should not be included in the definition for sensitive personal data, because a credit Act in India specifically deals with how credit data should be used, shared and stored. </span></p>
<p style="text-align: justify; "><span>Such arguments met with backlash from participants, who argued that definitions are crucial because they are the “building blocks” of the entire Bill and that ethnicity, caste, religion and financial information should not be excluded from the Bill, as they include information which is sensitive within the Indian context. In particular, some participants argued that the Bill would be highly questioned by countries with strong privacy legislation, as certain categories of information, such as ethnicity and caste, are definitely considered to be sensitive personal information within India. The argument that it is too much of a bureaucratic and financial burden for the Indian government to protect such personal data was countered by participants who argued that in that case, the government should not be collecting that information to begin with – if it cannot provide adequate safeguards. </span></p>
<p style="text-align: justify; "><span>The debate on whether ethnicity, religion, caste and financial information should be included in the definition for sensitive personal data continued with a participant arguing that no cases of discrimination based on such data have been reported and that thus, it is not essential for such information to be included in the definition. This argument was strongly countered by participants who argued that the mere fact that the government is interested in this type of information implies that it is sensitive and that the reasons behind the governments´ interest in this information should be investigated. Furthermore, some participants argued that a new provision for data on ethnicity, religion, caste and financial information should be included, as well as that there is a difference between voluntarily handing over such information and being forced to hand it over. </span></p>
<p style="text-align: justify; "><span>The inclusion of passwords and encryption keys in the definition of sensitive personal data was highly emphasized by several participants, especially since their disclosure can potentially lead to unauthorised access to volumes of personal data. It was argued that private keys in encryption are extremely sensitive personal data and should definitely be included within the Bill.</span></p>
<p style="text-align: justify; "><span>In light of the NSA leaks on PRISM, several participants raised the issue of Indian authorities protecting data stored in foreign servers. In particular, some participants argued that the Bill should include provisions for data stored in foreign servers in order to avoid breaches for international third parties. However, a participant argued that although Indian companies are subject to the law, foreign data processors cannot be subject to Indian law, which is why they should instead provide guarantees through contracts. </span></p>
<p style="text-align: justify; "><span>Several participants strongly argued that the IT industry should not be subject to some of the privacy principles included in the Report of the Group of Experts on Privacy, such as the principle of notice. In particular, they argued that customers choose to use specific services and that by doing so, they trust companies with their data; thus the IT industry should not have to comply with the principle of notice and should not have to inform individuals of how they handle their data. </span></p>
<p style="text-align: justify; "><span>On the issue of voluntary disclosure of personal data, a participant argued that, apart from the NPR and UID, Android and Google are conducting the largest data collection within India and that citizens should have the jurisdiction to go to court and to seek that data. The issue of data collection was further discussed over the next sessions. </span></p>
<h3><b><span>Right to Privacy: Chapter 2</span></b></h3>
<p style="text-align: justify; "><span>The discussion of the right to privacy, as entailed in chapter 2 of the draft Privacy (Protection) Bill 2013, started with a participant stating that governments own the data citizens hand over to them and that this issue, along with freedom from surveillance and illegal interception, should be included in the Bill. </span></p>
<p style="text-align: justify; "><span>Following the distinction between exemptions and exceptions to the right to privacy, a participant argued that although it is clear that the right to privacy applies to all natural persons in India, it is unclear if it also applies to organizations. This argument was clarified by a participant who argued that chapter 2 clearly protects natural persons, while preventing organisations from interfering with this right. Other participants argued that the language used in the Bill should be more gender neutral and that the term “residential property” should be broadened within the exemptions to the right to privacy, to also include other physical spaces, such as shops. On this note, a participant argued that the word “family” within the exemptions should be more specifically defined, especially since in many cases husbands have controlled their wives when they have had access to their personal accounts. </span></p>
<p style="text-align: justify; "><span>The definition of “natural person” was discussed, while a participant raised the question of whether data protection applies to persons who have undergone surgery and who have changed their sexual orientation; it was recommended that such provisions are included within the Bill. The above questions were answered by a participant who argued that the generic European definitions for “natural persons” and “family” could be adopted, as well as that CCTV cameras used in public places, such as shops, should be subject to the law, because they are used to monitor third parties.</span></p>
<p style="text-align: justify; "><span>Other participants suggested that commercial violations are not excluded from the Bill, as the broadcasting of people, for example, can potentially lead to a violation of the right to privacy. In particular, it was argued that commercial establishments should not be included in the exemptions section of the right to privacy, in contrast to other arguments that were in favour of it. Furthermore, participants argued that the interaction between transparency and freedom of information should be carefully examined and that the exemptions to the right to privacy should be drafted accordingly. </span></p>
<h3><b><span>Protection of Personal Data: Chapter 3</span></b></h3>
<p style="text-align: justify; "><span>Some of the most important discussions in the fourth Privacy Round Table meeting revolved around the protection of personal data. </span></p>
<p style="text-align: justify; "><b><span>Collection of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the collection of personal data started with a statement that the issue of individual consent prior to data collection is essential and that in every case, the data subject should be informed of its data collection, data processing, data sharing and data retention. </span></p>
<p style="text-align: justify; "><span>It was pointed out that, unlike most privacy laws around the world, this Bill is affirmative because it states that data can only be collected once the data subject has provided prior consent. It was argued that if this Bill was enacted into law, it would probably be one of the strictest laws in the world in terms of data collection, because data can only be collected with individual consent and a legitimate purpose. Data collection in the EU is not as strict, as there are some exemptions to individual consent; for example, if someone in the EU has a heart attack, other individuals can disclose his or her information. It was emphasized that as this Bill limits data collection to individual consent, it does not serve other cases when data collection may be necessary but individual consent is not possible. A participant pointed out that, although the Justice AP Shah Report of the Group of Experts on Privacy states that “consent may not be acquired in some cases”, such cases are not specified within the Bill. </span></p>
<p style="text-align: justify; "><span>Other issues that were raised are that the Bill does not specify how individual consent would be obtained as a prerequisite to data collection. In particular, it remains unclear whether such consent would be acquired through documentation, a witness or any other way. Thus it was emphasized that the method for acquiring individual consent should be clearly specified within the Bill, especially since it is practically hard to obtain consent for large portions of the Indian population that live below the line of poverty. </span></p>
<p style="text-align: justify; "><span>A participant argued that data collection on private detectives, from reality TV shows and on physical movement and location should also be addressed in the Bill. Furthermore, other participants argued that specific explanations to exempt medical cases and state collection of data which is directly related to the provision of welfare should be included in the Bill. Participants recommended that individuals should have the right to opt out from data collection for the purpose of providing welfare programmes and other state-run programmes. </span></p>
<p style="text-align: justify; "><span>The need to define the term “legitimate purpose” was pointed out to ensure that data is not breached when it is being collected. A participant recommended the introduction of a provision in the Bill for anonymising data in medical case studies and it was pointed out that it is very important to define what type of data can be collected. In particular, it was argued that a large range of personal data is being collected in the name of “public health” and “public security” and that, in many cases, patients may provide misinformed consent, because they may think that the revelation of their personal data is necessary, when actually it might not be. It was recommended that this issue is addressed and that necessary provisions are included in the Bill. </span></p>
<p style="text-align: justify; "><span>In the cases where data is collected for statistics, individuals may not be informed of their data being collected and may not provide consent. It was also recommended that this issue is addressed and included in the Bill. However, it was also pointed out that in many cases, individuals may choose to use a service, but they may not be able to consent to their data collection and Android is an example of this. Thus it was argued that companies should be transparent about how they handle users´ data and that they should require individuals´ consent prior to data collection. </span></p>
<p style="text-align: justify; "><span>It was emphasized that governments have a duty of transparency towards their citizens and that the fact that, in many cases, citizens are obliged to hand over their data without giving prior consent to how their data is being used should be taken into consideration. In particular, it was argued that many citizens need to use specific services or welfare programmes and that they are obliged to hand over their personal information. It was recommended that the Bill incorporates provisions which would oblige all services to acquire individual consent prior to data collection. However, the issue that was raised is that often companies provide long and complicated contracts and policy guides which discourage individuals from reading them and thus from providing informed consent; it was recommended that this issue is addressed as well. </span></p>
<p style="text-align: justify; "><b><span>Storage and destruction of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the storage and destruction of personal data started with a statement that different sectors should have different data retention frameworks. The proposal that a ubiquitous data retention framework should not apply to all sectors was challenged by a participant who stated that the same data retention period should apply to all ISPs and telecoms. Furthermore, it was added that regulators should specify the data retention period based on specific conditions and circumstances. This argument was countered by participants who argued that each sector should define its data retention framework depending on many variables and factors which affect the collection and use of data. </span></p>
<p style="text-align: justify; "><span>In European laws, no specific data retention periods are established. In particular, European laws generally state that data should only be retained for a period related to the purpose of its collection. Hence it was pointed out that data retention frameworks should vary from sector to sector, as data, for example, may need to be retained longer for medical cases than for other cases. This argument, however, was countered by participants who argued that leaving the prescription of a data retention period to various sectors may not be effective in India. </span></p>
<p style="text-align: justify; "><span>Questions of how data retention periods are defined were raised, as well as which parties should be authorised to define the various purposes for data retention. One participant recommended that a common central authority is established, which can help define the purpose for data retention and the data retention period for each sector, as well as to ensure that data is destroyed once the data retention period is over. Another participant recommended that a three year data retention period should be applied to all sectors by default and that such periods could be subject to change depending on specific cases. </span></p>
<p style="text-align: justify; "><b><span>Security of personal data and duty of confidentiality</span></b></p>
<p style="text-align: justify; "><span>Participants recommended that the definition of “data integrity” should be included in Chapter 1 of the draft Privacy (Protection) Bill 2013. Other participants raised the need to define the term “adequacy” in the Bill, as well as to state some parameters for it. It was also suggested that the term “adequacy” could be replaced by the term “reasonable”. </span></p>
<p style="text-align: justify; "><span>One of the participants raised the issue of storing data in a particular format, then having to transfer that data to another format which could result in the modification of that data. It was pointed out that the form and manner of securing personal data should be specifically defined within the Bill. However, it was argued that the main problem in India is the implementation of the law, and that it would be very difficult to practically implement the draft Privacy (Protection) Bill in India. </span></p>
<p style="text-align: justify; "><b><span>Disclosure of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the disclosure of personal data started with a participant arguing that the level of detail disclosed within data should be specified within the Bill. Another participant argued that the privacy policies of most Internet services are very generic and that the Bill should prevent such services from publicly disclosing individuals´ data. On this note, a participant recommended that a contract and a subcontract on the disclosure of personal data should be leased in order to ensure that individuals are aware of what they are providing their consent to. </span></p>
<p style="text-align: justify; "><span>It was recommended that the Bill should explicitly state that data should not be disclosed for any other purpose other than the one for which an individual has provided consent. Data should only be used for its original purpose and if the purpose for accessing data changes within the process, consent from the individual should be acquired prior to the sharing and disclosure of that data. A participant argued that banks are involved with consulting and other advisory services which may also lead to the disclosure of data; all such cases when information is shared and disclosed to (unauthorised) third parties should be addressed in the Bill. </span></p>
<p style="text-align: justify; "><span>Several participants argued that companies should be responsible for the data they collect and that they should not share it or disclose it to unauthorised third parties without individuals´ knowledge or consent. On this note, other participants argued that companies should be legally allowed to share data within a group of companies, as long as that data is not publicly disclosed. An issue that was raised by one of the participants is that online companies, such as Gmail, usually acquire consent from customers through one “click” to a huge document which not only is usually not read by customers, but which vaguely entails all the cases for which individuals would be providing consent. This creates the potential for abuse, as many specific cases which would require separate, explicit consent, are not included within this consent mechanism. </span></p>
<p style="text-align: justify; "><span>This argument was countered by a participant who stated that the focus should be on code operations for which individuals sign and provide consent, rather than on the law, because that would have negative implications on business. It was highlighted that individuals choose to use specific services and that by doing so they trust companies with their data. Furthermore, it was argued that the various security assurances and privacy policies provided by companies should suffice and that the legal regulation of data disclosure should be avoided. </span></p>
<p style="text-align: justify; "><span>Consent-based sharing of data should be taken into consideration, according to certain participants. The factor of “opt in” should also be included when a customer is asked to give informed consent. Participants also recommended that individuals should have the power to “opt out”, which is currently not regulated but deemed to be extremely important. Generally it was argued that the power to “opt in” is a prerequisite to “opt out”, but both are necessary and should be regulated in the Bill. </span></p>
<p style="text-align: justify; "><span>A participant emphasized the need to regulate phishing in the Bill and to ensure that provisions are in place which could protect individuals´ data from phishing attacks. On the issue of consent when disclosing personal data, participants argued that consent should be required even for a second flow of data and for all other flows of data to follow. In other words, it was recommended that individual consent is acquired every time data is shared and disclosed. Moreover, it was argued that if companies decide to share data, to store it somewhere else or to disclose it to third parties years after its initial collection, the individual should have the right to be informed. </span></p>
<p style="text-align: justify; "><span>However, such arguments were countered by participants who argued that systems, such as banks, are very complex and that they don´t always have a clear idea of where data flows. Thus, it was argued that in many cases, companies are not in a position to control the flow of data due to its lack of traceability and hence to inform individuals every time their data is being shared or disclosed. </span></p>
<p style="text-align: justify; "><span>Participants argued that the phrase “threat to national security” in section 10 of the Bill should be explicitly defined, because national security is a very broad term and its loose interpretation could potentially lead to data breaches. Furthermore, participants argued that it is highly essential to specify which authorities would determine if something is a threat to national security. </span></p>
<p style="text-align: justify; "><span>The discussion on the disclosure of personal data concluded with a participant arguing that section 10 of the Bill on the non-disclosure of information clashes with the Right to Information Act (RTI Act), which mandates the opposite. It was recommended that the Bill addresses the inevitable clash between the non-disclosure of information and the right to information and that necessary provisions are incorporated in the Bill. </span></p>
<h2><b><span>Presentation by Mr. Billy Hawkes – Irish Data Protection Commissioner</span></b></h2>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner, Mr. Billy Hawkes, attended the fourth Privacy Round Table meeting in Mumbai and discussed the draft Privacy (Protection) Bill 2013. </span></p>
<p style="text-align: justify; "><span>In particular, Mr. Hawkes stated that data protection law in Ireland was originally introduced for commercial purposes and that since 2009 privacy has been a fundamental right in the European Union which spells out the basic principles for data protection. Mr. Hawkes argued that India has successful outsourcing businesses, but that there is a concern that data is not properly protected. India has not been given data protection adequacy by the European Union, mainly because the country lacks privacy legislation. </span></p>
<p style="text-align: justify; "><span>There is a civic society desire for better respect for human rights and there is the industrial desire to be considered adequate by the European Union and to attract more international customers. However, privacy and data protection are not covered adequately in the Information Technology Act, which is why Mr. Hawkes argued that the draft Privacy (Protection) Bill 2013 should be enacted in compliance with the principles from the Justice AP Shah Report on the Group of Experts on Privacy. Enacting privacy legislation in India would, according to Mr. Hawkes, be a prerequisite so that India can potentially be adequate in data protection in the future. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner referred to the current negotiations taking place in the European Union for the strengthening of the 1995 Directive on Data Protection, which is currently being revisited and which will be implemented across the European Union. Mr. Hawkes emphasized that it is important to have strong enforcement powers and to ask companies to protect data. In particular, he argued that data protection is good customer service and that companies should acknowledge this, especially since data protection reflects respect towards customers. </span></p>
<p style="text-align: justify; "><span>Mr. Hawkes highlighted that other common law countries, such as Canada and New Zealand, have achieved data secure adequacy and that India can potentially be adequate too. More and more countries in the world are seeking European adequacy. Privacy law in India would not only safeguard human rights, but it´s also good business and would attract more international customers, which is why European adequacy is important. In every outsourcing there needs to be a contract which states that the requirements of the data controller have been met. Mr. Hawkes emphasized that it is a </span><i><span>competitive disadvantage </span></i><span>in the market to not be data adequate, because most countries will not want their data outsourced to countries which are inadequate in data security. </span></p>
<p style="text-align: justify; "><span>As a comment to previous arguments stated in the meeting, it was pointed out that in Ireland, if companies and banks are not able to track the flow of data, then they are considered to be behaving irresponsibly. Furthermore, Mr. Hawkes states that data adequacy is a major reputational issue and that inadequacy in data security is bad business. It is necessary to know where the responsibility for data lies, which party initially outsourced the data and how it is currently being used. Data protection is a fundamental right in the European Union and when data flows outside the European Union, the same level of protection should apply. Thus other non-EU countries should comply with regulations for data protection, not only because it is a fundamental human right, but also because it is bad business not to do so. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner also referred to the “Right to be Forgotten”, which is the right to be told how long data will be retained for and when it will be destroyed. This provides individuals some control over their data and the right to demand this control. </span></p>
<p style="text-align: justify; "><span>On the funding of data protection authorities, Mr. Hawkes stated that funding varies and that in most cases, the state funds the data protection authority – including Ireland. Data protection authorities are substantially funded by their states across the European Union and they are allocated a budget every year which is supposed to cover all their costs. The Spanish data protection authorities, however, are an exception because a large amount of their activities are funded by fines. The data protection authorities in the UK (ICO) are funded through registration fees paid by companies and other organizations. </span></p>
<p style="text-align: justify; "><span>When asked about how many employees are working in the Irish data protection commissioner´s office, Mr. Hawkes replied that only thirty individuals are employed. Employees working in the commissioner´s office are responsible for overseeing the protection of the data of Facebook users, for example. Facebook-Ireland is responsible for handling users´ data outside of North America and the commissioner´s office conducted a detailed analysis to ensure that data is protected and that the company meets certain standards. Facebook´s responsibility is limited as a data controller as individuals using the service are normally covered by the so-called "household exemption" which puts them outside the scope of data protection law. The data protection commissioner conducts checks and balances, writes reports and informs companies that if they comply with privacy and data protection, then they will be supported. </span></p>
<p style="text-align: justify; "><span>Data protection in Ireland covers all the organizations, without exception. Mr. Hawkes stated that EU data protection commissioners meeting in the "Article 29" Working Party spend a significant amount of their time dealing with companies like Google and Facebook and with whether they protect their customers´ data. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner recommended that India establishes a data protection commission based on the principles included in the Justice AP Shah Report of the Group of Experts on Privacy. In particular, an Indian data protection commission would have to deal with a mix of audit inspections, complaints, greater involvement with sectors, transparency, accountability and liability to the law. Mr. Hawkes emphasized that codes of practice should be implemented and that the focus should not be on bureaucracy, but on </span><i><span>accountability</span></i><span>. It was recommended that India should adopt an accountability approach, where punishment will be in place when data is breached. </span></p>
<p style="text-align: justify; "><span>On the recent leaks on the NSA´s surveillance programme, PRISM, Mr. Hawkes commented that he was not surprised. U.S. companies are required to give access to U.S. law enforcement agencies and such access is potentially much looser in the European Union than in the U.S., because in the U.S. a court order is normally required to access data, whereas in the European Union that is not always the case. Mr. Hawkes stated that there needs to be a constant questioning of the proportionality, necessity and utility of surveillance schemes and projects in order to ensure that the right to privacy and other human rights are not violated. </span></p>
<p style="text-align: justify; "><span>Mr. Hawkes stated that the same privacy law should apply to all organizations and that India should ensure its data adequacy over the next years. The Irish Data Protection Commissioner is responsible for Facebook Ireland and European law is about protecting the rights of any organisation that comes under European jurisdiction, whether it is a bank or a company. Mr. Billy Hawkes emphasized that the focus in India should be on adequacy in data security and in protecting citizens´ rights. </span></p>
<h2><b><span>Meeting conclusion</span></b></h2>
<p style="text-align: justify; "><a name="_GoBack"></a><span>The fourth Privacy Round Table meeting entailed a discussion of the draft Privacy (Protection) Bill 2013 and Mr. Billy Hawkes, the Irish Data Protection Commissioner, gave a presentation on adequacy in data security and on his thoughts on data protection in India. The discussion on the draft Privacy (Protection) Bill 2013 led to a debate and analysis of the definitions used in the Bill, of chapter 2 on the right to privacy, and on data collection, data retention, data sharing and data disclosure. The participants provided a wide range of recommendations for the improvement of the draft Privacy (Protection) Bill and all will be incorporated in the final draft. The Irish Data Protection Commissioner, Mr. Billy Hawkes, stated that the European Union has not given data adequacy to India because it lacks privacy legislation and that data inadequacy is not only a competitive disadvantage in the market, but it also shows a lack of respect towards customers. Mr. Hawkes strongly recommended that privacy legislation in compliance with the Justice AP Shah report is enacted, to ensure that India is potentially adequate in data security in the future and that citizens´ right to privacy and other human rights are guaranteed. </span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting'>https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting</a>
</p>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T11:04:25Z | Blog Entry
SEBI and Communication Surveillance: New Rules, New Responsibilities?
https://cis-india.org/internet-governance/blog/sebi-and-communication-surveillance
<b>In this blog post, Kovey Coles writes about the activities of the Securities Exchange Board of India (SEBI), discusses the importance of call data records (CDRs), and throws light on the significant transition in governmental leniency towards access to private records.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<h3>Introduction</h3>
<p style="text-align: justify; ">The Securities Exchange Board of India (SEBI) is the country’s securities and market regulator, an investigation agency which seeks to combat market offenses such as insider trading. SEBI has received much media attention this month regarding its recent expansion of authority; the agency is reportedly on track to be granted powers to access telecom companies’ CDRs. These CDRs are kept by telecommunication companies for billing purposes, and contain information on who sent a call, who received a call, and how long the call lasted, but do not disclose information about call content. Although SEBI has emphatically sought several new investigative powers since 2009 (including access to CDRs, surveillance of email, and monitoring of social media), India’s Ministry of Finance only recently endorsed SEBI’s plea for direct access to service providers’ CDRs. In SEBI’s founding legislation, this capability is not mentioned. Very recently, however, the Ministry of Finance has decided to support expansion of current legislation in regards to CDR access for SEBI, the Reserve Bank of India (RBI), and potentially other agencies, when it comes to prevention of money laundering and other economic offenses.</p>
<h3 style="text-align: justify; ">SEBI’s Authority (Until Now)</h3>
<p style="text-align: justify; ">Established in 1992 under the Securities and Exchange Board of India Act, SEBI was created with the power of "registering and regulating the working of… [individuals] and intermediaries who may be associated with securities markets in any manner."<a href="#fn1" name="fr1">[1]</a> Its powers have included "calling for information from, undertaking inspection, conducting inquiries and audits of the intermediaries and self-regulatory organisations in the securities market."<a href="#fn2" name="fr2">[2]</a> Although the agency has held the responsibility to investigate records on market activity, they have never explicitly enjoyed a right to CDRs or other communications data. Now, with the intention of “meeting new challenges thrown forward by the technological and market advances,”<a href="#fn3" name="fr3">[3]</a> SEBI and the Ministry of Finance want to extend their record keeping scope and investigative powers to include CDR access, a form of communications surveillance.</p>
<p>But the ultimate question is whether agencies like SEBI need this type of easy access to records of communication.</p>
<h3>What is the Importance of CDR Access?</h3>
<p style="text-align: justify; ">Reports on SEBI’s recent expansion are quick to ensure that the agency is not looking for phone-tapping rights, which intercepts messages within telephonic calls, but instead only seeks call records. CDRs, in effect, are “metadata,” a sort of information about information. In this case, it is data about communications, but it is not the communications themselves. Currently, there are a total of nine agencies which are able to make actual phone-tapping requests in India. But when it comes to access of CDRs, the government seems much more generous in expanding powers of existing agencies. SEBI, as well as RBI and others, are all looking to be upgraded in their authority over CDRs. Experts argue, however, that "metadata and other forms of non-content data may reveal even more about an individual than the content itself, and thus deserves equivalent protection."<a href="#fn4" name="fr4">[4]</a> Therefore, a second crucial question is whether this sensitive CDR data will feature the same detail of protection and safeguards which exist for communication interception.</p>
<p style="text-align: justify; ">One reason for the recent move in CDR access is that SEBI and RBI have found the process of obtaining CDRs too arduous and ill-defined.<a href="#fn5" name="fr5">[5]</a> Currently, under section 92 of the CrPC, Magistrates and Commissioners of Police can request a CDR only with an official corresponding first information report (FIR), while there exists no explicit guideline for SEBI’s role in the process of CDR acquisition.<a href="#fn6" name="fr6">[6]</a> Although the government may seek to relax this procedure, SEBI’s founding legislation prohibits investigation without the pretense of "reasonable grounds," as stipulated in section 11C of the SEBI Act.<a href="#fn7" name="fr7">[7]</a> It has always stood that only under these reasonable grounds could SEBI begin inspection of an intermediary’s "books, registers, and other documents."<a href="#fn7" name="fr7">[7]</a> With the government creating a way for SEBI and similar agencies to circumvent the traditional procedures for access to CDRs, these new standards should incorporate safeguards to ensure the protection of individual privacy. Banking companies, financial institutions, and intermediaries have already been obliged to maintain extensive record keeping of transactions, clients, and other financial data under section 12 of the Prevention of Money-Laundering Act of 2002.<a href="#fn8" name="fr8">[8]</a> But books and records containing financial data differ greatly from communication data, which can include much more personal information and therefore may compromise individuals’ freedom of speech and expression, as well as the right to privacy.</p>
<h3 style="text-align: justify; ">Significance and Responsibility in this Decision</h3>
<p style="text-align: justify; ">Judging from SEBI’s prior capabilities of inspection and inquiry, this change may initially seem only a minor expansion of power for the agency, but it actually represents a significant transition in governmental leniency toward access to private records. As mentioned, the recent goal of the Ministry of Finance to extend rights to CDRs is resulting in amended powers for more agencies than only SEBI. Moreover, this power expansion comes on the heels of controversy surrounding America’s National Security Agency (NSA) amassing millions of CDRs and other datasets both domestically and internationally. There is obvious room for concern over Indian citizens’ call records being made more easily accessible, with fewer checks and balances in place. The benefits of the new policy include easier access to evidence which could incriminate those involved in financial crimes. But is that benefit actually worth giving SEBI the right to request citizens’ call records? In the cases against economic offenses, CDR access often amounts only to circumstantial evidence. With its ongoing battle against insider trading and other financial malpractice, crimes which are inherently difficult to prove, SEBI could have aspirations to grow progressively more omnipresent. But as the agency’s breadth expands, citizens’ rights to privacy are simultaneously being curtailed. Ultimately, the value of preventing economic offense must be balanced with the value of the people’s rights to privacy.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. 1992 Securities and Exchange Board of India Act, section 11, part 2(b).</p>
<p>[<a href="#fr2" name="fn2">2</a>]. 1992 Securities and Exchange Board of India Act, section 11, part 2(i).</p>
<p>[<a href="#fr3" name="fn3">3</a>]. “Sebi Finalising new Anti-money laundering guidelines,” <i>The Times of India, </i>June 16, 2013</p>
<p><a href="http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms">http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms</a></p>
<p style="text-align: left; ">[<a href="#fr4" name="fn4">4</a>]. International Principles on the Application of Human Rights to Communications Surveillance - <a href="http://www.necessaryandproportionate.net/#_edn1">http://www.necessaryandproportionate.net/#_edn1</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. “Sebi to soon to get Powers to Access Call Records,” <i>Business Today</i>, June 13, 2013</p>
<p><a href="http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html">http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html</a></p>
<p>[<a href="#fr6" name="fn6">6</a>]. 1973 Criminal Procedure Code, Section 92 <a href="http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf">http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf</a></p>
<p>“Govt gives Sebi, RBI Access to Call Data Records,” The Times of India, June 14, 2013</p>
<p><a href="http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary">http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. 1992 Securities and Exchange Board of India Act, section 11C, part 8</p>
<p>[<a href="#fr8" name="fn8">8</a>]. 2002 Prevention of Money-Laundering Act, section 12</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/sebi-and-communication-surveillance'>https://cis-india.org/internet-governance/blog/sebi-and-communication-surveillance</a>
</p>
No publisher | kovey | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T10:51:46Z | Blog Entry
Indian surveillance laws & practices far worse than US
https://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us
<b>Explosive would be just the word to describe the revelations by National Security Agency (NSA) whistleblower Edward Snowden. </b>
<hr />
<p style="text-align: justify; ">Pranesh Prakash's column was <a class="external-link" href="http://articles.economictimes.indiatimes.com/2013-06-13/news/39952596_1_nsa-india-us-homeland-security-dialogue-national-security-letters">published in the Economic Times</a> on June 13, 2013. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Now, with the American Civil Liberties Union suing the Obama administration over the NSA surveillance programme, more fireworks could be in store. Snowden's expose provides proof of what many working in the field of privacy have long known. The leaks show the NSA (through the FBI) has got a secret court order requiring telecom provider Verizon to hand over "metadata", i.e., non-content data like phone numbers and call durations, relating to millions of US customers (known as dragnet or mass surveillance); that the NSA has a tool called Prism through which it queries at least nine American companies (including Google and Facebook); and that it also has a tool called Boundless Informant (a screenshot of which revealed that, in February 2013, the NSA collected 12.61 billion pieces of metadata from India).</p>
<p><b>Nothing Quite Private </b></p>
<p>The outrage in the US has to do with the fact that much of the data the NSA has been granted access to by the court relates to communications between US citizens, something the NSA is not authorised to gain access to. What should be of concern to Indians is that the US government refuses to acknowledge non-Americans as people who also have a fundamental right to privacy, if not under US law, then at least under international laws like the Universal Declaration of Human Rights and the ICCPR.</p>
<p style="text-align: justify; ">US companies such as Facebook and Google have had a deleterious effect on privacy. In 2004, there was a public outcry when Gmail announced it was using an algorithm to read through your emails to serve you advertisements. Facebook and Google collect massive amounts of data about you and websites you visit, and by doing so, they make themselves targets for governments wishing to snoop on you, legally or not.</p>
<p><b>Worse, Indian-Style </b></p>
<p style="text-align: justify; ">That said, Google and Twitter have at least challenged a few of the secretive National Security Letters requiring them to hand over data to the FBI, and have won. Yahoo India has challenged the authority of the Controller of Certifying Authorities, a technical functionary under the IT Act, to ask for user data, and the case is still going on.</p>
<p style="text-align: justify; ">To the best of my knowledge, no Indian web company has ever challenged the government in court over a privacy-related matter. Actually, Indian law is far worse than American law on these matters. In the US, the NSA needed a court order to get the Verizon data. In India, the licences under which telecom companies operate require them to provide this. No need for messy court processes.</p>
<p style="text-align: justify; ">The law we currently have — sections 69 and 69B of the Information Technology Act — is far worse than the surveillance law the British imposed on us. Even that lax law has not been followed by our intelligence agencies.</p>
<p><b>Keeping it Safe </b></p>
<p style="text-align: justify; ">Recent reports reveal India's secretive National Technical Research Organisation (NTRO) — created under an executive order and not accountable to Parliament — often goes beyond its mandate and, in 2006-07, tried to crack into Google and Skype servers, but failed. It succeeded in cracking Rediffmail and Sify servers, and more recently was accused by the Department of Electronics and IT in a report on unauthorised access to government officials' mails.</p>
<p style="text-align: justify; ">While the government argues systems like the Telephone Call Interception System (TCIS), the Central Monitoring System (CMS) and the National Intelligence Grid (Natgrid) will introduce restrictions on misuse of surveillance data, it is a flawed claim. Mass surveillance only increases the size of the haystack, which doesn't help in finding the needle. Targeted surveillance, when necessary and proportional, is required. And no such systems should be introduced without public debate and a legal regime in place for public and parliamentary accountability.</p>
<p style="text-align: justify; ">The government should also encourage the usage of end-to-end encryption, ensuring Indian citizens' data remains safe even if stored on foreign servers. Merely requiring those servers to be located in India will not help, since that information is still accessible to American agencies if it is not encrypted. Also, the currently lax Indian laws will also apply, degrading users' privacy even more.</p>
<p style="text-align: justify; ">Indians need to be aware they have virtually no privacy when communicating online unless they take proactive measures. Free or open-source software and technologies like Open-PGP can make emails secure, Off-The-Record can secure instant messages, TextSecure for SMSes, and Tor can anonymise internet traffic.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us'>https://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us</a>
</p>
No publisher | pranesh | Surveillance, Internet Governance, Censorship, SAFEGUARDS | 2013-07-12T11:09:39Z | Blog Entry
Privacy Protection Bill, 2013 (With Amendments based on Public Feedback)
https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback
<b>In 2013 CIS drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with FICCI and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.</p>
<p style="text-align: center; "><b><a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-amendments.pdf" class="internal-link">Click to download the Privacy Protection Bill, 2013 with latest amendments</a></b> (PDF, 196 Kb).</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback'>https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback</a>
</p>
No publisher | elonnai | Featured, SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T10:50:22Z | Blog Entry
India’s Central Monitoring System: Security can’t come at cost of privacy
https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy
<b>During a Google hangout session in June this year, Milind Deora, minister of state for communications and information technology, addressed concerns related to the central monitoring system (CMS).</b>
<hr />
<p>Danish Raza's article was <a class="external-link" href="http://www.firstpost.com/tech/indias-central-monitoring-system-security-cant-come-at-cost-of-privacy-944475.html">published in FirstPost</a> on July 10, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">The surveillance project, described as the Indian version of <a href="http://www.firstpost.com/topic/organization/prism-profile-230137.html" target="_blank" title="PRISM">PRISM</a>, will allow the government to monitor online and telephone data of citizens.</p>
<p style="text-align: justify; ">The minister tried to justify the project, arguing that the union government will become the sole custodian of citizens’ data, which is now accessible to other parties such as telecom operators. But his justification failed to persuade experts who argue that the data is hardly safe because it is held by the government. And the limited information available about the project has raised serious concerns about its need and the consequences of government snooping on such a mass scale.</p>
<p style="text-align: justify; ">A release by the Press Information Bureau, dated November 26, 2009, is perhaps the only government document related to CMS available in public domain. It <a href="http://pib.nic.in/newsite/erelease.aspx?relid=54679" target="_blank">merely states</a> that the project will strengthen the security environment in the country. “In the existing system secrecy can be easily compromised due to manual intervention at many stages while in CMS these functions will be performed on secured electronic link and there will be minimum manual intervention. Interception through CMS will be instant as compared to the existing system which takes a very long time.”</p>
<p style="text-align: justify; ">One of the primary concerns raised by experts is the sheer lack of public information on the project. So far, there is no official word from the government about which government bodies or agencies will be able to access the data; how will they use this information; what percentage of population will be under surveillance; or how long the data of a citizen will be kept in the record.</p>
<p style="text-align: justify; ">“This makes it impossible for India’s citizens to assess whether surveillance is the only, or the best, way in which the stated goal can be achieved. Also, citizens cannot gauge whether these measures are proportionate i.e. they are the most effective means to achieve this aim. The possibility of having such a debate is crucial in any democratic country,” said Dr Anja Kovacs, project director at Internet Democracy Project, a Delhi-based NGO working for online freedom of speech and related issues.</p>
<p style="text-align: justify; ">There is also no legal recourse for a citizen whose personal details are being misused or leaked from the central or regional database. Unlike America’s PRISM project under which surveillance orders are approved by courts, CMS does not have any judicial oversight. “This means that the larger ecosystem of checks and balances in which any surveillance should be embedded in a democratic country is lacking. There is an urgent requirement for a strong legal protection of the right to privacy; for judicial oversight of any surveillance; and for parliamentary or judicial oversight of the agencies which will do surveillance. At the moment, all three are missing,” said Kovacs.</p>
<p style="text-align: justify; ">Given the use of technology by criminals and terrorists, government surveillance per se seems inevitable. In almost every nation, a certain chunk of the population is always under the scanner of intelligence agencies. However, the mass-scale tracking of the data of all citizens — not just those who are deemed persons of interest — enabled by the CMS has sparked a public furor. Sunil Abraham, executive director, Centre for Internet & Society, Bangalore, compared surveillance with salt in cooking. “A tiny amount is essential but any excess is counterproductive,” he said. “Unlike target surveillance, blanket surveillance increases the probability of false positives. Wrong data analysis will put more number of innocent civilians under suspicion as, by default, their number in the central server is more than those who are actually criminals.”</p>
<p style="text-align: justify; ">Such blanket surveillance techniques also pose a threat to online business. With all the data going in one central pool, a competitor or a cyber criminal rival can easily tap into private and sensitive information by hacking into the server. “As vulnerabilities will be introduced into Internet infrastructure in order to enable surveillance, it will undermine the security of online transactions,” said Abraham. He notes that the project also can undermine the confidentiality of intellectual property especially pre-grant patents and trade secrets. “Rights-holders will never be sure if their IPR is being stolen by some government in order to prop up national players.”</p>
<p style="text-align: justify; ">Every time a surveillance system is exposed or its misuse sparks a debate, governments argue that such programs are required for internal security purposes and to help abort terror attacks. Obama made the same argument after PRISM was revealed to the public. Civil rights groups, on the other hand, argue that security cannot be prioritised by large-scale invasions of privacy especially in a country like India where there is little accountability or transparency. So is there a middle ground that will satisfy both sides?</p>
<p style="text-align: justify; ">“Yes, security and privacy can coexist,” said Commander (rtd) Mukesh Saini, former national information security coordinator, government of India, “We can design a system which takes care of national security aspect and yet gains the confidence of the citizens. Secrecy period must not be more than three to four years in such projects. Thereafter who all were snooped and when and why and under whose direction/circumstances must be made public through a website after this time gap.”</p>
<p style="text-align: justify; ">Kovacs agrees and says the right kind of surveillance program would focus on the needs of the citizen and not the government. “If a contradiction seems to exist between cyber security and privacy online, this is only because we have lost sight of who is supposed to benefit from any security measures. Only if a measure contributes to citizen’s sense of security, can it really be considered a legitimate security measure.”</p>
<p>
For more details visit <a href='https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy'>https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy</a>
</p>
No publisher | praskrishna | SAFEGUARDS, Internet Governance, Privacy | 2013-07-15T06:43:21Z | News Item