The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 21 to 35.
Open Letter to "Not" Recognize India as Data Secure Nation till Enactment of Privacy Legislation
https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation
<b>India shouldn't be granted the status of "data secure nation" by Europe until it enacts a suitable privacy legislation, points out the Centre for Internet and Society in this open letter.</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">This letter is with regards to both the request from the Confederation of Indian Industry that the EU recognize India as a data secure nation made on April 29th 2013, <a href="https://cis-india.org/accessibility/blog/#fn1" name="fr1">[1]</a> and the threat from India to stall negotiations on the Free Trade Agreement with the EU unless recognized as data secure nation made on May 9th 2013.<a href="https://cis-india.org/accessibility/blog/#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">On behalf of the Centre for Internet and Society, we request that you urge the European Parliament and the EU ambassador to India to reject the request, and to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<p style="text-align: justify; ">The Centre for Internet and Society believes that if Europe were to grant India status as a data secure nation based only on the protections found in the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”, not only will India be protected through inadequate standards, but the government will not have an incentive to enact a legislation that recognizes privacy as a comprehensive and fundamental human right. Since 2010 India has been in the process of realizing a privacy legislation. In 2011 the “Draft Privacy Bill 2011” was leaked.<a href="https://cis-india.org/accessibility/blog/#fn3" name="fr3">[3]</a> In 2012 the “Report of the Group of Experts on Privacy” was released. The Report recommends a comprehensive right to privacy for India, nine national privacy principles, and a privacy framework of co-regulation for India to adopt. <a href="https://cis-india.org/accessibility/blog/#fn4" name="fr4">[4]</a> In 2013 the need for a stand alone privacy legislation was highlighted by the Law Minister.<a href="#fn5" name="fr5">[5]</a> The Centre for Internet and Society has recently drafted the “Privacy Protection Bill 2013” - a citizen's version of a possible privacy legislation for India.<a href="#fn6" name="fr6">[6]</a> Currently, we are hosting a series of six “Privacy Roundtables” across India in collaboration with FICCI and DSCI from April 2013 - August 2013.<a href="#fn7" name="fr7">[7]</a> The purpose of the roundtables is to gain public feedback to the text of the “Privacy Protection Bill 2013”, and other possible frameworks for privacy in India. The discussions and recommendations from the meeting will be published into a compilation and presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The Centre for Internet and Society will also be submitting the “Privacy Protection Bill 2013” and the public feedback to the Department of Personnel and Training (DoPT) with the hope of contributing to and informing a privacy legislation in India.</p>
<p style="text-align: justify; ">The Centre for Internet and Society has been researching privacy since 2010 and was a member of the committee which compiled the “Report of the Group of Experts on Privacy”. We have also submitted comments on the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011” to the Committee on Subordinate Legislation of the 15th Lok Sabha.<a href="#fn8" name="fr8">[8]</a></p>
<p style="text-align: justify; ">We hope that you will consider our request and urge the European Parliament and the EU ambassador to India to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. CII asks EU to accept India as 'Data Secure' nation: <a class="external-link" href="http://bit.ly/15Z77dH">http://bit.ly/15Z77dH</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. India threatens to stall trade talks with EU: <a class="external-link" href="http://bit.ly/1716aF1">http://bit.ly/1716aF1</a><a class="moz-txt-link-freetext" href="http://www.business-standard.com/article/economy-policy/india-threatens-to-stall-trade-talks-with-eu-113050900020_1.html"></a></p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. New privacy Bill: Data Protection Authority, jail term for offence: <a class="external-link" href="http://bit.ly/emqkkH">http://bit.ly/emqkkH</a></p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. The Report of the Group of Experts on Privacy <a class="external-link" href="http://bit.ly/VqzKtr">http://bit.ly/VqzKtr</a></p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Law Minister Seeks stand alone privacy legislation, writes PM: <a class="external-link" href="http://bit.ly/16hewWs">http://bit.ly/16hewWs</a></p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. The Privacy Protection Bill 2013 drafted by CIS: <a class="external-link" href="http://bit.ly/10eum5d">http://bit.ly/10eum5d</a></p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. Privacy Roundtable: <a class="external-link" href="http://bit.ly/12HYoj5">http://bit.ly/12HYoj5</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011: <a class="external-link" href="http://bit.ly/Z2FjX6">http://bit.ly/Z2FjX6</a></p>
<div id="_mcePaste"><b>Note: CIS sent the letters to Data Protection Commissioners across Europe.</b></div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation'>https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation</a>
</p>
No publisher | elonnai | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T11:07:58Z | Blog Entry
New Document on India's Central Monitoring System (CMS) - 2
https://cis-india.org/internet-governance/blog/new-cms-doc-2
No publisher | maria | Surveillance, Internet Governance, SAFEGUARDS | 2014-01-30T12:40:31Z | File
Moving Towards a Surveillance State
https://cis-india.org/internet-governance/blog/moving-towards-surveillance-state
<b>The cyberspace is a modern construct of communication and today, a large part of human activity takes place in cyberspace. It has become the universal platform where business is executed, discourse is conducted and personal information is exchanged. However, the underbelly of the internet is also seen to host activities and persons who are motivated by nefarious intent. </b>
<hr />
<p>Note: The original tender document of the Assam Police dated 28.02.2013, along with several other tender documents for procurement of Internet and Voice Monitoring Systems, <a href="https://cis-india.org/internet-governance/blog/tenders-eoi-press-release.zip" class="internal-link">is attached as a zip folder</a>.</p>
<hr />
<p style="text-align: justify; ">As highlighted in the <a href="http://necessaryandproportionate.net/#_edn2"><i>International Principles on the Application of Human Rights to Communications Surveillance</i></a>, logistical barriers to surveillance have decreased in recent decades and the application of legal principles in new technological contexts has become unclear. It is often feared that the explosion of digital communications content and information about communications, or "communications metadata," coupled with the decreasing costs of storing and mining large sets of data and the provision of personal content through third party service providers, makes State surveillance possible at an unprecedented scale. Communications surveillance in the modern environment encompasses the monitoring, interception, collection, preservation and retention of, interference with, or access to information that includes, reflects, arises from or is about a person's communications in the past, present or future.<a href="#fn*" name="fr*">[*]</a> These fears are now turning into a reality with the introduction of mass surveillance systems which penetrate into the lives of every person who uses any form of communications. There is ample evidence in the form of tenders for Internet Monitoring Systems (IMS) and Telecom Interception Systems (TCIS) put out by the Central government and various state governments that the Indian state is steadily turning into an extensive surveillance state.</p>
<p style="text-align: justify; ">While surveillance and intelligence gathering is essential for the maintenance of national security, the creation and working of a mass surveillance system as it is envisioned today may not necessarily be in absolute conformity with the existing law. A mass surveillance system like the <a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System</a> (CMS) not only threatens to completely eradicate any vestige of the right to privacy but in the absence of a concrete set of procedural guidelines creates a tremendous risk of abuse.</p>
<p style="text-align: justify; ">Although information regarding the Central Monitoring System is quite limited on the public forum at the moment, it can be gathered that a centralized system for monitoring of all communication was first proposed by the Government of India in 2009 as indicated by the <a href="http://pib.nic.in/newsite/erelease.aspx?relid=54679">press release</a> of the Ministry of Communications & Information. Implementation of the system started subsequently as indicated by another government <a href="http://pib.nic.in/newsite/erelease.aspx?relid=70747">press release</a> and the Centre for Development of Telematics (C-DOT) was entrusted with the responsibility of implementing the system. As per the C-DOT <a href="http://www.cdot.in/media/publications.htm">annual report</a> 2011-12, research, development, trials and progressive scaling up of a Central Monitoring System were conducted by the organization in the past 4 years and the requisite hardware and CMS solutions which support voice and data interception have been installed and commissioned at various Telecom Service Providers (TSP) in Delhi and Haryana as part of the pilot project. <a href="http://articles.economictimes.indiatimes.com/2013-05-07/news/39091148_1_single-window-pranesh-prakash-internet">Media reports</a> indicate that the project will be fully functional by 2014. While an extensive surveillance system is being stealthily introduced by the state, several concerns with regard to its extent of use, functioning, and real world impact have been raised owing to ambiguities and <a href="https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy">wide gaps in procedure and law</a>. Moreover, the lack of a concrete privacy legislation coupled with the absence of public discourse indicates the lack of interest of the state in the rights of an ordinary citizen.
It is under these circumstances that awareness must first be raised regarding <a href="https://www.eff.org/deeplinks/state-surveillance-%26-human-rights">the risks of mass surveillance</a> to civil liberties, which in the absence of established procedures protecting the rights of the citizens of the state can result in the abuse of powers by the state or its agencies and lead to the demise of civil freedoms even in democratic states.</p>
<p style="text-align: justify; ">The architecture and working of a <a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">proposed Internet Monitoring System</a> must be examined in an attempt to better understand the functioning, capabilities and possible impact of a Central Monitoring System on our society and lives. This can perhaps allow more open discourse and a committed effort to preserve the rights of the citizens, especially the right to privacy, while allowing for the creation of strong procedural guidelines which will help maintain legitimate intelligence gathering and surveillance.</p>
<p style="text-align: justify; "><b>Internet Monitoring System: Setup and Working</b><br />Very broadly, the Internet Monitoring System enables an agency of the state to intercept and monitor all content which passes through the Internet Service Provider’s (ISP) server, which includes all electronic correspondence (emails, chats or IMs, transcribed call logs), web forms, video and audio files, and other forms of internet content. The electronic data is stored and also subject to various types of analysis. While Internet Monitoring Systems are installed locally and their function is limited to a specific geographic region, the Central Monitoring System will consolidate the data acquired from the different voice and data interception systems located across the country and create a centralized architecture for interception, monitoring and analysis of communications. Although the exact specifications and functions of the Central Monitoring System still remain unclear and ambiguous, some parallels regarding the functioning of the CMS can be drawn from the specifications revealed in the Assam Police <a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">tender document</a> for the procurement of an Internet Monitoring System.</p>
<p style="text-align: justify; "><b>Setup</b><br />The deployment architecture of an Internet Monitoring System (IMS) contains probe servers which are installed at the Internet Service Provider’s (ISP) premises, and the probes are installed at various tapping points within the entire ISP network. A collection server is also installed and hosted at the site of the ISP. The collection server is used to either collect, analyze, filter or simply aggregate the data from the ISP servers, and the data is transferred to a master aggregation server located at a central data center. The central data center may also contain more servers specifically for analysis and storage. This type of architecture is being referred to as a ‘high availability clustered setup’ which is supposed to provide security in case of a failure or outage.</p>
<p style="text-align: justify; ">The Assam Police Internet Monitoring System tender document specifically indicates that the deployment in the state of Assam shall require 8 taps or probes to be installed at different ISPs, out of which 6 taps/probes shall be of 10 GBPS and 2 taps are of 1 GBPS. The document however mentions that the specifications are preliminary and subject to change.</p>
<p style="text-align: justify; "><b>Types of data</b><br />The proposed internet monitoring system of the Assam state can provide network traffic interception, and a variety of internet protocols, including Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Session Initiation Protocol (SIP) and Voice over Internet Protocol (VoIP), can be intercepted and monitored. The system can also support monitoring of Internet Relay Chat and various other messaging applications (such as Google Talk, Yahoo Chat, MSN Messenger, ICQ, etc.). The system can be equipped to capture and display multiple file types like text (.doc, .pdf), zipped (.zip) and executable applications (.exe). Further, information regarding login details, login pattern, login location, DNS address and routing address can be acquired along with the IP address and other details of the user.</p>
<p style="text-align: justify; ">Web crawling capabilities can be installed on the system which can provide data from various data sources like social networking sites, web based communities, wikis, blogs and other forms of web content. Social media websites (such as Twitter, Facebook, Orkut, MySpace etc.), web pages and data on hosted applications can also be intercepted, monitored and analyzed. The system also allows capture of additional pages if updated, and logging of periodical updates and other changes. This gives the monitoring agencies the capability of gathering internet traffic based on several parameters like Protocols, Keywords, Filters and Watch lists. Keyword matching is achieved by including phonetically similar words in various languages including local languages.</p>
<p style="text-align: justify; ">More specific functions of the IMS can include complete email extraction which will disclose the address book, inbox, sent mail folder, drafts folder, personal folders, delete folders, custom folders etc. and can also provide identification of dead drop mails. The system can also be equipped to allow country wise tracking of instant messages, chats and mails.</p>
<p>Regarding retention and storage of data, the tender document specifies that the system shall be technically capable of retaining the metadata of Internet traffic for at least one year and the defined traffic/payload/content is to be retained in the storage server at least for a week. However, the data may be retained for a longer period if required. The metadata and qualified data after analysis are integrated to a designated main intelligence repository for storage.</p>
<p style="text-align: justify; "><b>Types of Analysis</b><br />The Internet Monitoring System apart from intercepting all the data generated through the Internet Service Providers is essentially equipped for various types of data analysis. The solutions that are installed in the internet monitoring system provide the capability for real time as well as historical analysis of network traffic, network perimeter devices and internal sniffers. The kinds of analysis based on ‘slicing and dicing of data’ range from text mining, sentiment analysis, link analysis, geo-spatial analysis, statistical analysis, social network analysis, transaction analysis, locational analysis and fusion based analysis, CDR analysis, timeline analysis and histogram based analysis from various sources.</p>
<p style="text-align: justify; ">The solutions installed in the IMS can enable monitoring of specific words or phrases (in various languages) in blogs, websites, forums, media reports, social media websites, chat rooms and messaging applications, collaboration applications and deep web applications. Phone numbers, addresses, names, locations, age, gender and other such information from content including comments and such can also be monitored. Specifically with regard to social media, the user’s profile and information related to it can be extracted and a detailed ontology of all the social media profiles of the user can be created.<br /><br />Based on the information, the analysis is supposed to provide the capability to identify suspicious behavior based on existing and new patterns as they emerge and are continuously applied to combine incoming and existing information on people, profiles, transactions, social network, type of websites visited, time spent on websites, type of content downloaded or viewed and any other type of gatherable information. The solutions on the system are also supposed to create single or multiple or parallel scenario build-ups that may occur in blogs, social media forums, chat rooms, specific web hosting server locations or URL, packet route that may be defined from time to time, and such scenario build-ups can be based on parameters like sentiments, language or expressions purporting hatred or anti-national expressions, and even emotions like expression of joy, compassion and anger, as may be defined by the agency depending on operational and intelligence requirement. Based on these parameters, automated alerts can be generated relating to structured or unstructured data (including metadata of contents), events, pattern discovery, phonetically similar words or phrases or actions from users.
<br /><br />Based on the data analysis, reports or dossiers can be generated and visual analysis allowing a wide variety of views can be created. Further, real time visualization showing results from real-time data can be generated which allows alerts, alert categories or discoveries to be ranked (high, medium, and low priority, high value asset, low value asset, moderate value asset, verified information, unverified information, primary evidence, secondary evidence, circumstantial evidence, etc.) based on criteria developed by the agency. The IMS solutions can also be capable of offering web-intelligence and open source intelligence and allow capabilities like simultaneous search capabilities which can be automated, providing a powerful tool for exploration of the intercepted data.<br /><br />Another important requirement mentioned in the tender document is the system's capability to integrate with other interception and monitoring systems for 2G, 3G/UMTS and other evolving mobile carrier technologies including fixed line and Blackberry services and encrypted IP services like Skype services.</p>
<p style="text-align: justify; "><b>Conclusion</b><br />It is clear that a system like IMS with its extensive interception and analysis capabilities gives an agency or authority complete access to all information that is accessed or transmitted by a person on the internet, including information which is private and confidential such as email and instant messages. Although the state has the power to issue directions for interception or monitoring of information under the Information Technology Act, 2000 and certain rules are prescribed under section 69B, they are wholly inadequate compared to the scope and extent of the Internet Monitoring System and its scale of operations. The interception and monitoring systems that are either proposed or already in place effectively bypass the existing procedures prescribed under the Information Technology Act. <br /><br />The issues, concerns and risks are only compounded when it comes to the Central Monitoring System. The solutions installed in present day interception and monitoring systems give the state unprecedented powers to intercept, monitor and analyze all the data of any person who accesses the internet. Tools like deep packet inspection and extensive data mining solutions, in the absence of concrete safeguards and when deployed through a centralized system, can be misused to censor any content including legitimate discourse. Also, the perception that access to a larger amount of data or all data can help improve intelligence can sometimes be misleading, and it must be asked whether the fundamental rights of the citizens of the state can be traded away under the pretext of national security.
Furthermore, it is essential for the state to weigh the costs of such a project both economically and morally and balance it with sufficient internal measures as well as adequate laws so that the democratic values are preserved and not endangered by any act of reckless force.<br /><br />Reiterating what has been said earlier, while it is important for the state to improve its intelligence gathering tools and mechanisms, it must not be done at the cost of a citizen’s fundamental right. It is the duty of the democratic state to endure and maintain a fine balance between national interest and fundamental rights through timely creation of equitable laws.</p>
<hr />
<p>[<a href="#fr*" name="fn*">*</a>]. <a class="external-link" href="http://necessaryandproportionate.net/#_edn2">http://necessaryandproportionate.net/#_edn2</a></p>
No publisher | atreya | SAFEGUARDS, Internet Governance, Privacy | 2013-07-15T05:57:15Z | Blog Entry
Microsoft releases its first report on data requests by law enforcement agencies around the world
https://cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies
<b>In this post, the Centre for Internet and Society presents Microsoft's report on law enforcement requests, with a focus on data requested by Indian law enforcement agencies.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Last week, Microsoft released its first report with data on the number of requests received from law enforcement agencies around the world relating to Microsoft online and cloud services. Microsoft's newly released <a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">2012 Law Enforcement Requests Report</a> depicts the company's willingness to join the ranks of Google, Twitter and other Web businesses that publish transparency reports.</p>
<p style="text-align: justify; "><span>As of 30 June 2012, </span><a href="http://www.internetworldstats.com/asia.htm#in">137 million</a><span> Indians are regular Internet users, many of whom use Microsoft services including Skype, Hotmail, Outlook.com, SkyDrive and Xbox Live. Yet, until recently, it was unclear whether Indian law enforcement agencies were requesting data from our Skype calls, emails and other Microsoft services. Thus, Microsoft's release of a report on law enforcement requests is a decisive step in improving transparency with regard to how many requests for data are made by law enforcement agencies and how many requests are granted by companies. Brad Smith, an executive vice president and Microsoft's general counsel, wrote in his </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">blog post</a><span>:</span></p>
<blockquote class="italized"><i>“As we continue to move forward, Microsoft is committed to respecting human rights, free expression and individual privacy.”</i></blockquote>
<h2><b>Microsoft 2012 Law Enforcement Requests</b></h2>
<p style="text-align: justify; "><span>Democratic countries requested the most data during 2012, according to </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">Microsoft's report</a><span>. The law enforcement agencies in the United States, the United Kingdom, Germany, France and Turkey accounted for 69 percent of the 70,665 requests Microsoft (excluding Skype) received last year. Although India did not join the rank of the countries which made the fewest requests from Microsoft, it did not join the</span><a href="http://www.itpro.co.uk/data-protection/19488/microsoft-opens-collaboration-law-enforcement-agencies"> top-five league</a><span> which accounted for the most requests, despite the country having </span><a href="https://opennet.net/research/profiles/india">one of the world's highest number of Internet users</a><span>.</span></p>
<p style="text-align: justify; "><span>Out of the</span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> 70,665 requests</a><span> to Microsoft by law enforcement agencies around the world, only about 0.6 percent of the requests were made by Indian law enforcement agencies. These 418 requests specified 594 accounts and users, which is significantly low in comparison to the top-five and other countries, such as Taiwan, Spain, Mexico, Italy, Brazil and Australia. Indian law enforcement requests accounted for about 0.5 percent of the total 122,015 accounts and user data that was requested by law enforcement agencies around the world.</span></p>
<p style="text-align: justify; "><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">Content data</a><span> is defined by Microsoft as what customers create, communicate and store on or through their services, such as words in an e-mail or photographs and documents stored on SkyDrive or other cloud offerings. </span><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?_r=1&">Non-content data</a><span>, on the other hand, refers to basic subscriber information, such as the e-mail address, name, location and IP address captured at the time of registration. According to Microsoft's 2012 report, the company did not disclose any content data to Indian law enforcement agencies. In fact, only </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">2.2 percent </a><span>of requests from law enforcement agencies around the world resulted in the disclosure of content data, </span><a href="http://www.engadget.com/2013/03/21/microsoft-posts-its-first-law-enforcement-requests-report/">99 percent of which were in response to warrants from courts in the United States</a><span>. Microsoft may not have disclosed any of our content data, but</span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> 370 requests</a><span> from Indian law enforcement agencies resulted in the disclosure of our non-content data. In other words, 88.5 percent of the requests by India resulted in the disclosure of e-mail addresses, IP addresses, names, locations and other subscriber information.</span></p>
<p style="text-align: justify; "><span>Out of the 418 requests made to Microsoft by Indian law enforcement agencies, </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">only 4 were rejected </a><span>(1 percent) and no data was found for 44 requests (10.5 percent). In total, Microsoft rejected the disclosure of 1.2 percent of the requests made by law enforcement agencies around the world, while data was not found for 16.8 percent of the international requests. Thus, the outcome of the data shows that the majority of the requests by Indian law enforcement agencies resulted in the disclosure of non-content data, while very few requests were rejected by Microsoft (excluding Skype). The following table summarizes the requests by Indian law enforcement agencies and their outcome:</span></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Total number of requests</p>
</td>
<td>
<p>418 (0.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Accounts/Users specified in requests</p>
</td>
<td>
<p>594 (0.5%)</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of content</p>
</td>
<td>
<p>0 (0%)</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of non-content data</p>
</td>
<td>
<p>370 (88.5%)</p>
</td>
</tr>
<tr>
<td>
<p>No data found</p>
</td>
<td>
<p>44 (10.5%)</p>
</td>
</tr>
<tr>
<td>
<p>Requests rejected</p>
</td>
<td>
<p>4 (1%)</p>
</td>
</tr>
</tbody>
</table>
<h2><span>Skype 2012 Law Enforcement Requests</span></h2>
<p style="text-align: justify; "><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">Microsoft acquired Skype</a> towards the end of 2011 and the integration of the two companies advanced considerably over the course of 2012. According to the<a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> Microsoft 2012 report</a>, Indian law enforcement agencies made 53 requests for Skype user data and 101 requests for specified accounts on Skype. In other words, out of the total 4,715 requests for Skype user data by law enforcement agencies around the world, the requests by Indian law enforcement accounted for about 0.1 percent. 15,409 international requests were made for specified accounts on Skype, but Indian law enforcement requests only accounted for about 0.6 percent of those.</p>
<p style="text-align: justify; "><span>The </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">report</a><span> appears to be extremely reassuring, as it states that Skype did</span><i> not </i><span>disclose any content data to any law enforcement agencies around the world. That essentially means that, according to the report, all the content we created and communicated through Skype during 2012 was kept private from law enforcement. Although Microsoft claims to not have disclosed any of our content data, it did </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">disclose </a><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx"><i>non-content data</i></a><span>, such as SkypeID, name, email account, billing information and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number. However, Microsoft did not report how many requests the company received for non-content data, nor how much data was disclosed and to which countries.</span></p>
<p style="text-align: justify; "><span>Microsoft </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">reported </a><span>that data was not found for 47 of India's law enforcement requests, which represents 88.6 percent of the requests. In total, Microsoft reported that data was not found for about half the requests made by law enforcement agencies on an international level. Out of the 53 requests, Microsoft provided guidance to Indian law enforcement agencies for 10 requests. In particular, such guidance was provided either in response to a rejected request or general questions about the process for obtaining Skype user data. Yet, the number of rejected requests for Skype user data was not included in the report and the guidance provided remains vague. The following table summarizes the requests by Indian law enforcement agencies for Skype user data and their outcome:</span></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Total of requests</p>
</td>
<td>
<p>53 (0.1%)</p>
</td>
</tr>
<tr>
<td>
<p>Accounts/identifiers specified in requests</p>
</td>
<td>
<p>101 (0.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Requests resulting in disclosure of content</p>
</td>
<td>
<p>0 (0%)</p>
</td>
</tr>
<tr>
<td>
<p>No data found</p>
</td>
<td>
<p>47 (88.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Provided guidance to law enforcement</p>
</td>
<td>
<p>10 (18.8%)</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>The Centre for Internet and Society (CIS) supports the publication of </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">Microsoft's 2012 Law Enforcement Requests Report</a><span> and encourages Microsoft (including Skype) to continue releasing such reports, which can provide an insight into how much user data is being shared with law enforcement agencies around the world. In order to ensure that such reports adequately provide transparency, they should be broadened in the future to include more data, such as the number of non-content data requests disclosed by Skype, the type of guidance provided to law enforcement agencies and the number of requests rejected by Skype. Nonetheless, this report is a decisive first step in increasing transparency and further, more detailed reports are strongly encouraged.</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies'>https://cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies</a>
</p>
No publisher | maria | Internet Governance | SAFEGUARDS | 2013-07-12T12:19:31Z | Blog Entry
Interview with the Tactical Technology Collective on Privacy and Surveillance
https://cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective
<b>The Centre for Internet and Society recently interviewed Anne Roth from the Tactical Technology Collective in Berlin. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; ">For all those of you who haven't heard of the <a class="external-link" href="https://tacticaltech.org/about">Tactical Technology Collective</a>, it's a Berlin and Bangalore-based non-profit organisation which aims to advance the skills, tools and techniques of rights advocates, empowering them to use information and communications to help marginalised communities understand and effect progressive social, environmental and political change.</p>
<p style="text-align: justify; ">Tactical Tech's <a class="external-link" href="https://tacticaltech.org/what-we-do">Privacy & Expression programme</a> builds the digital security awareness and capacity of human rights defenders, independent journalists, anti-corruption advocates and activists. The programme's activities range from awareness-raising comic films aimed at audiences new to digital security issues, to direct training and materials for high-risk defenders working in some of the world's most repressive environments.</p>
<p style="text-align: justify; "><a class="external-link" href="https://tacticaltech.org/team">Anne Roth</a> works with Tactical Tech on the Privacy & Expression programme as a researcher and editor. <span> <span>Anne holds a degree in political science from the Free University of Berlin. She cofounded one of the first interactive media activist websites, Indymedia, in Germany in 2001 and has been involved with media activism and various forms of activist online media ever since. She has worked as a web editor and translator in the past. Since 2007 she has written a blog that covers privacy, surveillance, media, net politics and feminist issues.</span></span></p>
<p style="text-align: justify; "><span><span>The Centre for Internet and Society interviewed Anne Roth on the following questions:</span></span></p>
<ol>
<li>
<p align="JUSTIFY">How do you define privacy?</p>
</li>
<li>
<p align="JUSTIFY">Can privacy and freedom of expression co-exist? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">What is the balance between Internet freedom and surveillance?</p>
</li>
<li>
<p align="JUSTIFY">According to research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">What implications on human rights can mass surveillance potentially have?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally”. Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Do we have Internet freedom?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/QZsFf_Qyqyo" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective'>https://cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-10-18T09:56:16Z | Blog Entry
Interview with Mr. Billy Hawkes - Irish Data Protection Commissioner
https://cis-india.org/internet-governance/blog/interview-with-irish-data-protection-commissioner
<b>Maria Xynou recently interviewed Mr. Billy Hawkes, the Irish Data Protection Commissioner, at the CIS's 4th Privacy Round Table meeting. View this interview and gain an insight on recommendations for data protection in India!</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>The Irish Data Protection Commissioner was asked the following questions:</p>
<p>1. What powers does the Irish Data Commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?</p>
<p>2. Does your office differ from other EU data protection commissioner offices?</p>
<p>3. What challenges has your office faced? What is the most common type of privacy violation that your office has faced?</p>
<p>4. Why should privacy legislation be enacted in India?</p>
<p>5. Does India need a Privacy Commissioner? Why? If India creates a Privacy Commissioner, what structure / framework would you suggest for the office?</p>
<p>6. How do you think data should be regulated in India? Do you support the idea of co-regulation or self-regulation?</p>
<p>7. How can India protect its citizens' data when it is stored in foreign servers?</p>
<p>video <iframe frameborder="0" height="250" src="http://blip.tv/play/AYOTmT4A.html?p=1" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-irish-data-protection-commissioner'>https://cis-india.org/internet-governance/blog/interview-with-irish-data-protection-commissioner</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:06:31Z | Blog Entry
Interview with Mathew Thomas from the Say No to UID campaign - UID Court Cases
https://cis-india.org/internet-governance/blog/interview-with-mathew-thomas-from-the-say-no-to-uid-campaign
<b>The Centre for Internet and Society (CIS) recently interviewed Mathew Thomas from the Say No to UID campaign about his ongoing efforts to challenge the UID scheme legally in the Bangalore High Court and Supreme Court of India. Read this interview and gain an interesting insight on recent legal developments with regards to the UID!</b>
<h3><b>Hi Mathew! We've heard that you've been in court a lot over the last few years with regards to the UID scheme. Could you please tell us about the UID case you have filed?</b></h3>
<p align="JUSTIFY" class="western">In early 2012, I filed a civil suit at the Bangalore Court to declare the UID scheme illegal and to stop further biometric enrollments. I alleged that foreign agencies are involved in the process of biometric enrollment, and that cases of corruption have occurred with regards to the companies contracted by the UID Authority of India (UIDAI). Many dubious companies have been empanelled for biometric enrollments by the UIDAI and many cases of corruption have been noted, especially with regards to the preparation of biometric databases for below poverty line (BPL) ration cards in Karnataka.</p>
<p align="JUSTIFY" class="western">In 2010, according to a government audit report, COMAT Technologies Private Limited had a contract with the Karnataka Government and was required to undertake a door-to-door survey and to set up biometric devices. COMAT Technologies Private Limited was paid ₹ 542.3 million for this purpose, but it turns out that the company did not comply with the terms of the contract and did not fulfill its obligations under the contract. Even though COMAT Technologies Private Limited had been contracted and had been paid ₹ 542.3 million, the company did not hand over any biometric device to the Karnataka Government. Instead, when the company got questioned, it walked away from the contract in 2010, even though it had been paid for a service it did not deliver.</p>
<p style="text-align: justify; ">In the same year, 2010, COMAT Technologies was empanelled as an Enrolling Agency of the UIDAI. COMAT Technologies also carries out enrollments in Mysore and a TV channel sting operation revealed that fake IDs were being issued in the Mysore enrollment center. After much persuasion, the e-Government department of Karnataka informed me that they have filed an FIR. And this is just one case of a corrupt company empanelled as an enrollment agency with the UIDAI. Many similar cases with other companies have occurred in other cities in India, such as Mumbai, where the empanelled agencies have committed fraud and police complaints have been filed. But unfortunately, there is no publicly available information on the state of the investigations.</p>
<p align="JUSTIFY" class="western">As such, I filed a case at the Bangalore Court and stated that the whole UID system is insecure, that it will not achieve the objective of preventing leakages of welfare subsidies and that, therefore, it is a waste of public funds, which also affects individuals' right to privacy and right to life. In my complaint in the civil court I made allegations of corruption and dangers to national security backed by documentary evidence. According to Order 8 of the Civil Procedure Code (CPC), defendants are required to specifically deny each of the allegations against them and if they don't, the court is required to accept the allegations as accurate. According to law, vague, bald denials are not acceptable in courts. Interestingly enough, the defendants in this court case did <i>not</i> deny any of the allegations, but instead stated that they (allegations) are “trivial” and requested the judge to dismiss the case without a trial. The judge requested the defendants to file a written application, asking for the suit to be dismissed under Order 7, Rule 11, of the Civil Procedure Code. Nonetheless, in May 2012, the judge observed that this is a serious case which should not be dismissed and that he would like to have a daily hearing of the case, especially since the case was grounded on the allegation that thousands of crores of rupees of public money are spent every day.</p>
<p align="JUSTIFY" class="western">However, one month later in June 2012, the judge dismissed the case by stating that I did not have a “cause of action” and that the case is not of civil nature under Section 9 of the Code of Civil Procedure. I argued that tax payers have a right to know where their money is going and that we all have a right to privacy and that therefore, I <i>did</i> have a cause for action. I quoted the Supreme Court case setting out the law relating to the meaning of “civil nature”. The Apex court said, “Anything which is not of criminal nature is of civil nature”. I also quoted several court precedents which explained conditions under which complaints could be dismissed under Order VII Rule 11. Unfortunately though, the judge dismissed all of this and suggested that I should take this case to the High Court or to the Supreme Court, since the Bangalore Court did not have the authority to address the violation of fundamental human rights. In my opinion, the fallacy in this judgement was that, on the one hand, the judge stated in his order that there was “no cause for action”, but on the other hand, he said that I should take the case to the High Court or to the Supreme Court! And on top of that, the judge stated that my case was frivolous and levied on me a Rs. 25,000 fine, because apparently I was “wasting the court's time”!</p>
<p align="JUSTIFY" class="western">In addition to all of this, the judge made a very intriguing statement in his order: he claimed that the biometric enrollment with the UIDAI is voluntary and that therefore I need not enrol. I argued that although the UID is voluntary in theory, it is actually mandatory on many levels, especially since access to many governmental services require enrollment with the UIDAI. Nonetheless, the judge insisted that the UID is purely voluntary and that if I am not happy with the UID, then I should just “stay at home”.</p>
<h3><b>And how did the case continue thereafter?</b></h3>
<p align="JUSTIFY" class="western">In October 2012 I appealed against this to the High Court by stating that there was a misapplication of Order 7, Rule 11, of the Civil Procedure Code and requested the High Court to send the suit back for trial at the Bangalore Court.</p>
<p align="JUSTIFY" class="western">Now, when you appeal in India, the Court has to issue notices to the opposite party, which are usually sent by registered post. However, nothing was happening, so I filed a number of applications to hear the case. The registrar’s office filed a number of trivial “objections” with which I needed to comply and this took three months, until January 2013. For example, one “objection” was that the lower court order stated the date of the order as "03-07-12", whereas I had mentioned the date as 3 July 2012. Then they would argue that the acknowledgement of the receipt of the notice from the respondents was not received. The High Court is located next to the head post office (GPO) in Bangalore and normally it would be sent there, then directly to the GPO in Delhi and from there to the Planning Commission or to the UIDAI. Yet, the procedure was delayed because apparently the notices weren't sent. In one hearing, the court clerk said that the address of the defendant was wrong and that the address of the Planning Commission should also be included. All in all, it seemed to me like there was some deliberate attempt to delay the procedure and the dismissal of the case by the Bangalore Court seemed very questionable. As a result, in January 2013, I asked the High Court to permit me to personally hand over my appeal to the Government Council. And finally, on 17th December 2013, my appeal was heard by the Bangalore High Court!</p>
<p align="JUSTIFY" class="western">Over the last three months, the defendants have not filed any counter affidavit. Instead, the Government Council came to the High Court and stated that I have not filed a “paper book” (which includes depositions and evidence, among other things). However, the judge stated that this is not a case which requires a “paper book”, since my appeal was about the misapplication of Order 7, Rule 11, of the Civil Procedure Code. Then the Government Council asked for more time to review the appeal and it has been postponed.</p>
<h3><b>Have there been any other recent court cases against the UID?</b></h3>
<p align="JUSTIFY" class="western">Yes. While all of this was going on, retired judge, Justice Puttaswamy, filed a petition in the Supreme Court, stating that the UID scheme is illegal, since it violates article 73 of the Constitution. Aruna Roy, who is an activist at the National Council for People’s Right to Information, has also filed a petition where she has questioned the UID because it violates privacy rights and the rights of the poor.</p>
<p align="JUSTIFY" class="western">Furthermore, petitions have been filed in the Madras High Court and in the Mumbai High Court. In 2012, it was argued in the Madras High Court that the only legal provision for taking fingerprints exists under the Prisoners Act, whereas the UIDAI is taking the fingerprints of people who are not prisoners and therefore it is illegal. In 2013, Vikram Crishna, Kamayani Bahl and a few others argued in the Mumbai High Court that the right to privacy is being violated through the UID scheme. It is noteworthy that in most of these cases, the defendants have not filed any counter-arguments. The only exceptions were in the Aruna Roy and Puttaswamy cases, where the defendants claimed that the UID is secure and supported it in general. In the end, the Supreme Court directed that the cases in Mumbai and Madras should be clubbed together and addressed by it. As such, the cases filed in the Madras and Mumbai High Courts have been sent to the Supreme Court of India.</p>
<p align="JUSTIFY" class="western">Major General Vombathakere also filed a petition in the Supreme Court, arguing that the UID scheme violates individuals' right to privacy. When the counsel for the General commenced his arguments the judge pointed to the possibility of the Government passing the NIA Bill soon, which will contain provisions for privacy, as stated by the Government. As such, the judge implied that if the Government passes such a law the argument, that the Government is implementing the scheme in a legal vacuum, may not be valid.</p>
<h3><b>So what is the status of your pending court cases?</b></h3>
<p align="JUSTIFY" class="western">Well, I impleaded myself in Aruna Roy's petition and brought my arguments with regards to corruption in the case of companies contracted with the UIDAI and the danger to national security through the involvement of persons linked to US intelligence agencies. The last hearing in the Supreme Court was on 10th December 2013, but it was postponed to 28 January 2014. So in short, in the Supreme Court I am currently filing a case for investigation with regards to corruption and links with foreign intelligence agencies by companies contracted with the UIDAI, while in the Bangalore High Court, I have appealed a civil trial with regards to the misplacement of Order 7, Rule 11, of the Civil Procedure Code.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-mathew-thomas-from-the-say-no-to-uid-campaign'>https://cis-india.org/internet-governance/blog/interview-with-mathew-thomas-from-the-say-no-to-uid-campaign</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2014-01-27T12:47:49Z | Blog Entry
Interview with Dr. Alexander Dix - Berlin Data Protection and Freedom of Information Commissioner
https://cis-india.org/internet-governance/blog/interview-with-berlin-data-protection-commissioner
<b>Maria Xynou recently interviewed Berlin's Data Protection and Freedom of Information Commissioner: Dr. Alexander Dix. View this interview and gain an insight on recommendations for better data protection in India!</b>
<p style="text-align: justify; "><a class="external-link" href="http://www.ediscovery-exchange.com/SpeakerInfo.aspx?tp_spkid=37916">Dr. Alexander Dix</a> has been Berlin's Data Protection and Freedom of Information Commissioner since June 2005. He has more than 26 years of practical experience in German data protection authorities and previously served as Commissioner for the state of Brandenburg for seven years.</p>
<p style="text-align: justify; ">Dr. Dix is a specialist in telecommunications and media and has dealt with a number of issues regarding the cross-border protection of citizens' privacy. He chairs the International Working Group on Data Protection in Telecommunications (“Berlin Group”) and is a member of the Article 29 Working Party of European Data Protection Supervisory Authorities. In this Working Party he represents the Data Protection Authorities of the 16 German States (Länder).</p>
<p style="text-align: justify; ">A native of Bad Homburg, Hessen, Dr. Alexander Dix graduated from Hamburg University with a degree in law in 1975. He received a Master of Laws degree from the London School of Economics and Political Science in 1976 and a Doctorate in law from Hamburg University in 1984. He has published extensively on issues of data protection and freedom of information. Inter alia he is a co-editor of the German Yearbook on Freedom of Information and Information Law.</p>
<p style="text-align: justify; ">The Centre for Internet and Society interviewed Dr. Alexander Dix on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">What activities and functions does the Berlin data commissioner's office undertake?</p>
</li>
<li>
<p align="JUSTIFY">What powers does the Berlin data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?</p>
</li>
<li>
<p align="JUSTIFY">How is the office of the Berlin Data Protection Commissioner funded?</p>
</li>
<li>
<p align="JUSTIFY">What is the organisational structure at the Office of the Berlin Data Protection Commissioner and the responsibilities of the key executives?</p>
</li>
<li>
<p align="JUSTIFY">If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?</p>
</li>
<li>
<p align="JUSTIFY">What challenges has your office faced?</p>
</li>
<li>
<p align="JUSTIFY">What is the most common type of privacy violation that your office is faced with?</p>
</li>
<li>
<p align="JUSTIFY">Does your office differ from other EU data protection commissioner offices?</p>
</li>
<li>
<p align="JUSTIFY">How do you think data should be regulated in India?</p>
</li>
<li>
<p align="JUSTIFY">Do you support the idea of co-regulation or self-regulation?</p>
</li>
<li>
<p align="JUSTIFY">How can India protect its citizens' data when it is stored in foreign servers?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/agXVs7ZlKdU" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-berlin-data-protection-commissioner'>https://cis-india.org/internet-governance/blog/interview-with-berlin-data-protection-commissioner</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-11-06T09:29:32Z | Blog Entry
Interview with Caspar Bowden - Privacy Advocate and former Chief Privacy Adviser at Microsoft
https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate
<b>Maria Xynou recently interviewed Caspar Bowden, an internationally renowned privacy advocate and former Chief Privacy Adviser at Microsoft. Read this exciting interview and gain an insight on India's UID and CMS schemes, on the export of surveillance technologies, on how we can protect our data in light of mass surveillance and much much more!</b>
<div dir="ltr" style="text-align: justify; "><a class="external-link" href="http://www.isodarco.it/courses/andalo12/doc/CBowden.pdf">Caspar Bowden</a> is an independent advocate for better Internet privacy technology and regulation. He is a specialist in data protection policy, privacy enhancing technology research, identity management and authentication. Until recently he was Chief Privacy Adviser for Microsoft, with particular focus on Europe and regions with horizontal privacy law.</div>
<div dir="ltr" style="text-align: justify; ">From 1998-2002, he was the director of the Foundation for Information Policy Research (www.fipr.org) and was also an expert adviser to the UK Parliament for the passage of three bills concerning privacy, and was co-organizer of the influential Scrambling for Safety public conferences on UK encryption and surveillance policy. His previous career over two decades ranged from investment banking (proprietary trading risk-management for option arbitrage), to software engineering (graphics engines and cryptography), including work for Goldman Sachs, Microsoft Consulting Services, Acorn, Research Machines, and IBM.</div>
<div dir="ltr" style="text-align: justify; ">The Centre for Internet and Society interviewed Caspar Bowden on the following questions:</div>
<h3 align="JUSTIFY">1. Do you think India needs privacy legislation? Why / Why not?</h3>
<p align="JUSTIFY"><span>Well I think it's essential for any modern democracy based on a constitution to now recognise a universal human right to privacy. This isn't something that would necessarily have occurred to the draft of constitutions before the era of mass electronic communications, but this is now how everyone manages their lives and maintains social relationships at a distance, and therefore there needs to be an entrenched right to privacy – including communications privacy – as part of the core of any modern state. </span></p>
<h3 align="JUSTIFY">2. The majority of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why / Why not?</h3>
<p align="JUSTIFY"><span>Although the majority of people in India are still living in conditions of poverty and don't have access to the Internet or, in some cases, to any electronic communications, that's changing very rapidly. India has some of the highest growth rates in take up with both mobile phones and mobile Internet and so this is spreading very rapidly through all strata of society. It's becoming an essential tool for transacting with business and government, so it's going to be increasingly important to have a privacy law which guarantees rights equally, no matter what anyone's social station or situation. There's also, I think, a sense in which having a right to privacy based on individual rights is much preferable to some sort of communitarian approach to privacy, which has a certain philosophical following; but that model of privacy - that somehow, because of a community benefit, there should also be a sort of community sacrifice in individual rights to privacy - has a number of serious philosophical flaws which we can talk about. </span></p>
<h3 align="JUSTIFY">3. "I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally." Please comment.</h3>
<p align="JUSTIFY"><span>Well, it's hard to know where to begin. Almost everybody in fact has “something to hide”, if you consider all of the social relationships and the way in which you are living your life. It's just not true that there's anybody who literally has nothing to hide and in fact I think that it's rather a dangerous idea, in political culture, to think about imposing that on leaders and politicians. There's an increasing growth of the idea – now, probably coming from America- that political leaders (and even their staff - to get hired in the current White House) should open up their lives, even to the extent of requiring officials to give up their passwords to their social network accounts (presumably so that they can be vetted for sources of potential political embarrassment in their private life). This is a very bad idea because if we only elect leaders, and if we only employ bureaucrats, who do not accord any subjective value to privacy, then it means we will almost literally be electing (philosophical) zombies. And we can't expect our political leaders to respect our privacy rights, if we don't recognise that they have a right to privacy in their own lives also. The main problem with the “nothing to hide, so nothing to fear” mantra is that this is used as a rhetorical tool by authoritarian forces in government and society, who simply wish to take a more paternalistic and protective attitude. This reflects a disillusionment within the “deep state” about how democratic states should function.</span></p>
<p align="JUSTIFY">Essentially, those who govern us are given a license through elections to exercise power with consent, but this entails no abrogation of a citizen's duty to question authority. Instead, that should be seen as a civic duty - providing the objections are reasonable. People actually know that there are certain things in their lives that they don't wish other people to know, but by indoctrinating the “nothing to hide” ideology, it inculcates a general tendency towards more conformism in society, by inhibiting critical voices.</p>
<h3>4. Should people have the right to give up their right to privacy? Why / Why not?</h3>
<p align="JUSTIFY"><span>In European data protection law there is an obscure provision which is particularly relevant to medical privacy, but almost never used in the area of so-called sensitive personal data, like political views or philosophical views. It is possible currently for European governments to legislate to override the ability of the individual to consent. So this might arise, for example, if a foreign company sets up a service to get people to consent to have their DNA analysed and taken into foreign databases, or generally where people might consent to a big foreign company analysing and capturing their medical records. I think there is a legitimate view that, as a matter of national policy, a government could decide that these activities were threatening to data sovereignty, or that was just bad public policy. For example, if a country has a deeply-rooted social contract that guarantees the ability to access medical care through a national health service, private sector actors could try to undermine that social-solidarity basis for universal provision of health care. So for those sorts of reasons I do think it's defensible for governments to have the ability in those sectors to say: “Yes, there are areas where people should not be able to consent to give up their privacy!” </span></p>
<p><span>But then going back to the previous answer, more generally, commercial privacy policies are now so complicated – well, they've always been complicated, but now are mind-blowingly devious as well - people have no real possibility of knowing what they're consenting to. For example, the secondary uses of data flows in social networks are almost incomprehensible, even for technologists at the forefront of research. The French Data Protection authorities are trying to penalize Google for replacing several very complicated privacy policies by one so-called unified policy, which says almost nothing at all. </span>There's<span> no possible way for people to give informed consent to this over-simplified policy, because it doesn't even tell anything useful to an expert. So again in these circumstances, it's right for a regulator to intercede to prevent unfair exploitation of the deceptive kind of “tick-box” consent. Lastly, it is not possible for EU citizens to waive or trade away their basic right to access (or delete) their own data in future, because this seems a reckless act and it cannot be foreseen when this right might become essential in some future circumstances. So in these three senses, I believe it is proper for legislation to be able to prevent the abuse of the concept of consent.</span></p>
<h3 align="JUSTIFY">5. Do you agree with India's UID scheme? Why / Why not?</h3>
<p align="JUSTIFY"><span>There is a valid debate about whether it's useful for a country to have a national identity system of some kind - and there's about three different ways that can be engineered technically. The first way is to centralise all data storage in a massive repository, accessed through remote terminal devices. The second way is a more decentralised approach with a number of different identity databases or systems which can interoperate (or “federate” with each other), with technical and procedural rules to enforce privacy and security safeguards. In general it's probably a better idea to decentralise identity information, because then if there is a big disaster (or cyber-attack) or data loss, you haven't lost everything. The third way is what's called “user-centric identity management”, where the devices (smartphones or computers) citizens use to interact with the system keep the identity information in a totally decentralised way. </span></p>
<p align="JUSTIFY"><span>Now the obvious objection to that is: “Well, if the data is decentralised and it's an official system, how can we trust that the information in people's possession is authentic?”. Well, you can solve that with cryptography. You can put digital signatures on the data, to show that the data hasn't been altered since it was originally verified. And that's a totally solved problem. However, unfortunately, not very many policy makers understand that and so are easily persuaded that centralization is the most efficient and secure design – but that hasn't been true technically for twenty years. Over that time, cryptographers have refined the techniques (the algorithms can now run comfortably on smartphones) so that user-centric identity management is totally achievable, but policy makers have not generally understood that. But there is no technical reason a totally user-centric vision of identity architecture should not be realized. But still the UID appears to be one of the most centralised large systems ever conceived. </span></p>
<p align="JUSTIFY"><span>There are still questions I don't understand about its technical architecture. For example, just creating an identity number by itself doesn't guarantee security and it's a classic mistake to treat an identifier as an authenticator. In other words, to use an identifier or knowledge of an identifier - which could become public information, like the American social security number – to treat knowledge of that number as if it were a key to open up a system to give people access to their own private information is very dangerous. So it's not clear to me how the UID system is designed in that way. It seems that by just quoting back a number, in some circumstances this will be the key to open up the system, to reveal private information, and that is an innately insecure approach. There may be details of the system I don't understand, but I think it's open to criticism on those systemic grounds. </span></p>
<p align="JUSTIFY"><span>And then more fundamentally, you have to ask what's the purpose of that system in society. You can define a system with a limited number of purposes – which is the better thing to do – and then quite closely specify the legal conditions under which that identity information can be used. It's much more problematic, I think, to try and just say that “we'll be the universal identity system”, and then you just try and find applications for it later. A number of countries tried this approach, for example Belgium around 2000, and they expected that having created a platform for identity, that many applications would follow and tie into the system. This really didn't happen, for a number of social and technical reasons which critics of the design had predicted. I suppose I would have to say that the UID system is almost the antithesis of the way I think identity systems should be designed, which should be based on quite strong technical privacy protection mechanisms - using cryptography - and where, as far as possible, you actually leave the custody of the data with the individual. </span></p>
<p align="JUSTIFY"><span>Another objection to this user-centric approach is “back-up”: what happens when you lose the primary information and/or your device? Well, you can anticipate that. You can arrange for this information to be backed-up and recovered, but in such a way that the back-up is encrypted, and the recovered copy can easily be checked for authenticity using cryptography.</span></p>
<h3><b>6. Should Indian citizens be concerned about the Central Monitoring System (CMS)? Why / Why not?</b></h3>
<p align="JUSTIFY"><span>Well, the Central Monitoring System does seem to be an example of very large scale “strategic surveillance”, as it is normally called. Many western countries have had these for a long time, but normally only for international communications. Normally surveillance of domestic communications is done under a particular warrant, which can only be applied one investigation at a time. And it's not clear to me that that is the case with the Central Monitoring System. It seems that this may also be applicable to mass surveillance of communications inside India. Now we're seeing a big controversy in the U.S - particularly at the moment - about the extent to which their international strategic surveillance systems are also able to be used internally. What has happened in the U.S. seems rather deceptive; although the “shell” of the framework of individual protection of rights was left in place, there are actually now so many exemptions when you look in the detail, that an awful lot of Americans' domestic communications are being subjected to this strategic mass surveillance. That is unacceptable in a democracy. </span></p>
<p align="JUSTIFY"><span>There are reasons why, arguably, it's necessary to have some sort of strategic surveillance in international communications, but what Edward Snowden revealed to us is that in the past few years many countries – the UK, the U.S, and probably also Germany, France and Sweden – have constructed mass surveillance systems which knowingly intrude on domestic communications also. We are living through a transformation in surveillance power, in which the State is becoming more able to monitor and control the population secretively than ever before in history. And it's very worrying that all of these systems appear to have been constructed without the knowledge of Parliaments and without precise legislation. Very few people in government even seem to have understood the true mind-boggling breadth of this new generation of strategic surveillance. And no elections were fought on a manifesto asking “Do people want this or not?”. It's being justified under a counter-terrorism mantra, without very much democratic scrutiny at all. The long term effects of these systems on democracies are really uncharted territory. </span></p>
<p align="JUSTIFY"><span>We know that we're not in an Orwellian state, but the model is becoming more Kafkaesque. If one knows that this level of intensive and automated surveillance exists, then it has a chilling effect on society. Even if not very much is publicly known about these systems, there is still a background effect that makes people more conformist and less politically active, less prepared to challenge authority. And that's going to be bad for democracy in the medium term – not just the long term. </span></p>
<h3><b>7. Should surveillance technologies be treated as traditional arms / weapons? If so, should export controls be applied to surveillance technologies? Why / Why not?</b></h3>
<p align="JUSTIFY"><span>Surveillance technologies probably do need to be treated as weapons, but not necessarily as traditional weapons. One probably is going to have to devise new forms of export control, because tangible bombs and guns are physical goods – well, they're not “goods”, they're “bads” - that you can trace by tagging and labelling them, but many of the “new generation” of surveillance weapons are </span><i><span>software</span></i><span>. It's very difficult to control the proliferation of bits – just as it is with copyrighted material. And I remember when I was working on some of these issues thirteen years ago in the UK – during the so-called crypto wars – that the export of cryptographic software from many countries was prohibited. And there were big test cases about whether the source code of these programs was protected under the US First Amendment, which would prohibit such controls on software code. It was intensely ironic that in order to control the proliferation of cryptography in software, governments seemed to be contemplating the introduction of strategic surveillance systems to detect (among other things) when cryptographic software was being exported. In other words, the kind of surveillance systems which motivated the “cypherpunks” to proselytise cryptography, were being introduced (partly) with the perverse justification of preventing such proliferation of such cryptography!</span></p>
<p align="JUSTIFY"><span>In the case of the new, very sophisticated software monitoring devices (“Trojans”) which are being implanted into people's computers – yes, this has to be subject to the same sort of human rights controls that we would have applied to the exports of weapon systems to oppressive regimes. But it's quite difficult to know how to do that. You have to tie responsibility to the companies that are producing them, but a simple system of end-user licensing might not work. So we might actually need governments to be much more proactive than they have been in the past with traditional arms export regimes and actually do much more actively to try and follow control after export – whether these systems are only being used by the intended countries. As for the law enforcement agencies of democratic countries which are buying these technologies: the big question is whether law enforcement agencies are actually applying effective legal and operational supervision over the use of those systems. So, it's a bit of a mess! And the attempts that have been made so far to legislate this area I don't think are sufficient. </span></p>
<h3>8. How can individuals protect their data (and themselves) from spyware, such as FinFisher?</h3>
<p align="JUSTIFY"><span>In democratic countries, with good system of the rule of law and supervision of law enforcement authorities, there have been cases – notably in Germany – where it's turned out that the police using techniques, like FinFisher, have actually disregarded legal requirements from court cases laying down the proper procedures. So I don't think it's good enough to assume that if one was doing ordinary lawful political campaigning, that one would not be targeted by these weapons. So it's wise for activists and advocates to think about protecting themselves – of course, other professions as well who look after confidential information – because these techniques may also get into the hands of industrial spies, private detectives and generally by people who are not subject to even the theoretical constraints of law enforcement agencies. </span></p>
<p align="JUSTIFY"><span>After Edward Snowden's revelations, we understand that all our computer infrastructure is much more vulnerable – particularly to foreign and domestic intelligence agencies – than we ever imagined. So for example, I don't use Microsoft software anymore – I think that there are techniques which are now being sold to governments and available to governments for penetrating Microsoft platforms and probably other major commercial platforms as well. So, I've made the choice, personally, to use free software – GNU/Linux, in particular – and it still requires more skill for most people to use, but it is much much easier than even a few years ago. So I think it's probably wise for most people to try and invest a little time getting rid of proprietary software if they care at all about societal freedom and privacy. I understand that using the latest, greatest smartphone is cool, and the entertainment and convenience of Cloud and tablets – but people should not imagine that they can keep those platforms secure. </span></p>
<p align="JUSTIFY"><span>It might sound a bit primitive, but I think people should have to go back to the idea that if they really want confidential communications with their friends, or if they are involved with political work, they have to think about setting aside one machine - which they keep offline and just use essentially for editing and encrypting/decrypting material. Once they've encrypted their work on their “air gap” machine, as it's called, then they can put their encrypted emails on a USB stick and transfer them to their second machine which they use to connect online (I notice Bruce Schneier is just now recommending the same approach). Once the “air gap” machine has been set up and configured, you should not connect that to the network – and preferably, don't connect it to the network, ever! So if you follow those sorts of protocols, that's probably the best that is achievable today. </span></p>
<h3 align="JUSTIFY">9. How would you advise young people working in the surveillance industry?</h3>
<p><span>Young people should try and read a little bit into the ethics of surveillance and to understand their own ethical limits in what they want to do, working in that industry. And in some sense, I think it's a bit like contemplating a career in the arms industry. There are defensible uses of military weapons, but the companies that build these weapons are, at the end of the day, just corporations maximizing value for shareholders. And so, you need to take a really hard look at the company that you're working for or the area you want to work in and satisfy your own standard of ethics, and that what you're doing is not violating other people's human rights. I think that in the fantastically explosive growth of surveillance industries that we've seen over the past few years – and it's accelerating – the sort of technologies particularly being developed for electronic mass surveillance are fundamentally and ethically problematic. And I think that for a talented engineer, there are probably better things that he/she can do with his/her career. </span><b> </b></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate'>https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate</a>
</p>
No publisher; maria; SAFEGUARDS, Internet Governance, Privacy; 2013-11-06T08:16:05Z; Blog Entry
Interview with Bruce Schneier - Internationally Renowned Security Technologist
https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier
<b>Maria Xynou recently interviewed Bruce Schneier on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; "><a class="external-link" href="https://www.schneier.com/about.html">Bruce Schneier</a> is an internationally renowned security technologist, called a "security guru" by <cite>The Economist</cite>.</p>
<p style="text-align: justify; ">He is the author of 12 <a href="https://www.schneier.com/books.html">books</a> -- including <a href="https://www.schneier.com/book-lo.html"><cite>Liars and Outliers: Enabling the Trust Society Needs to Survive</cite></a> -- as well as hundreds of articles, <a href="https://www.schneier.com/essays.html">essays</a>, and <a href="https://www.schneier.com/cryptography.html">academic papers</a>. His influential newsletter "<a href="https://www.schneier.com/crypto-gram.html">Crypto-Gram</a>" and his blog "<a href="https://www.schneier.com/about.html">Schneier on Security</a>" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly <a href="https://www.schneier.com/news.html">quoted</a> in the press.</p>
<p style="text-align: justify; ">Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Security Futurologist for <a href="http://www.bt.com/">BT</a> -- formerly British Telecom.</p>
<p style="text-align: justify; ">The Centre for Internet and Society (CIS) interviewed Bruce Schneier on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">Do you think India needs privacy legislation? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">The majority of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Can free speech and privacy co-exist? What is the balance between privacy and freedom of expression?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">Should surveillance technologies be treated as traditional arms/weapons? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">How can individuals protect their data (and themselves) from spyware, such as FinFisher?</p>
</li>
<li>
<p align="JUSTIFY">How would you advise young people working in the surveillance industry?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/mpKaXW_hwcE" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier'>https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier</a>
</p>
No publisher; maria; SAFEGUARDS, Internet Governance, Privacy; 2013-10-17T08:54:32Z; Blog Entry
Interview with Big Brother Watch on Privacy and Surveillance
https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance
<b>Maria Xynou interviewed Emma Carr, the Deputy Director of Big Brother Watch, on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; ">For all those of you who haven't heard of Big Brother Watch, it's a London-based campaign group which was founded in 2009 to protect individual privacy and defend civil liberties.</p>
<p style="text-align: justify; "><a class="external-link" href="http://www.bigbrotherwatch.org.uk/about">Big Brother Watch</a> was set up to challenge policies that threaten our privacy, our freedoms and our civil liberties, and to expose the true scale of the surveillance state. The campaign group has produced unique research exposing the erosion of civil liberties in the UK, looking at the dramatic expansion of surveillance powers, the growth of the database state and the misuse of personal information. Big Brother Watch campaigns to give individuals more control over their personal data, and hold to account those who fail to respect our privacy, whether private companies, government departments or local authorities.</p>
<p style="text-align: justify; "><a class="external-link" href="http://www.bigbrotherwatch.org.uk/who-we-are/emma-frances-carr-deputy-director">Emma Carr</a> joined Big Brother Watch as Deputy Director in February 2012 and has since been regularly quoted in the UK press. The Centre for Internet and Society interviewed Emma Carr on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">How do you define privacy?</p>
</li>
<li>
<p align="JUSTIFY">Can privacy and freedom of expression co-exist? Why/Why not?</p>
</li>
<li>
<p align="JUSTIFY">What is the balance between Internet freedom and surveillance?</p>
</li>
<li>
<p align="JUSTIFY">According to your research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/Why not?</p>
</li>
<li>
<p align="JUSTIFY">What implications on human rights can mass surveillance potentially have?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Do we have Internet freedom?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/KhmwPYgLfjo" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance'>https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance</a>
</p>
No publisher; maria; SAFEGUARDS, Internet Governance, Privacy; 2013-10-15T14:24:27Z; Blog Entry
Indian surveillance laws & practices far worse than US
https://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us
<b>Explosive would be just the word to describe the revelations by National Security Agency (NSA) whistleblower Edward Snowden. </b>
<hr />
<p style="text-align: justify; ">Pranesh Prakash's column was <a class="external-link" href="http://articles.economictimes.indiatimes.com/2013-06-13/news/39952596_1_nsa-india-us-homeland-security-dialogue-national-security-letters">published in the Economic Times</a> on June 13, 2013. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Now, with the American Civil Liberties Union suing the Obama administration over the NSA surveillance programme, more fireworks could be in store. Snowden's expose provides proof of what many working in the field of privacy have long known. The leaks show the NSA (through the FBI) has got a secret court order requiring telecom provider Verizon to hand over "metadata", i.e., non-content data like phone numbers and call durations, relating to millions of US customers (known as dragnet or mass surveillance); that the NSA has a tool called Prism through which it queries at least nine American companies (including Google and Facebook); and that it also has a tool called Boundless Informant (a screenshot of which revealed that, in February 2013, the NSA collected 12.61 billion pieces of metadata from India).</p>
<p><b>Nothing Quite Private </b></p>
<p>The outrage in the US has to do with the fact that much of the data the NSA has been granted access to by the court relates to communications between US citizens, something the NSA is not authorised to gain access to. What should be of concern to Indians is that the US government refuses to acknowledge non-Americans as people who also have a fundamental right to privacy, if not under US law, then at least under international laws like the Universal Declaration of Human Rights and the ICCPR.</p>
<p style="text-align: justify; ">US companies such as Facebook and Google have had a deleterious effect on privacy. In 2004, there was a public outcry when Gmail announced it was using an algorithm to read through your emails to serve you advertisements. Facebook and Google collect massive amounts of data about you and websites you visit, and by doing so, they make themselves targets for governments wishing to snoop on you, legally or not.</p>
<p><b>Worse, Indian-Style </b></p>
<p style="text-align: justify; ">That said, Google and Twitter have at least challenged a few of the secretive National Security Letters requiring them to hand over data to the FBI, and have won. Yahoo India has challenged the authority of the Controller of Certifying Authorities, a technical functionary under the IT Act, to ask for user data, and the case is still going on.</p>
<p style="text-align: justify; ">To the best of my knowledge, no Indian web company has ever challenged the government in court over a privacy-related matter. Actually, Indian law is far worse than American law on these matters. In the US, the NSA needed a court order to get the Verizon data. In India, the licences under which telecom companies operate require them to provide this. No need for messy court processes.</p>
<p style="text-align: justify; ">The law we currently have — sections 69 and 69B of the Information Technology Act — is far worse than the surveillance law the British imposed on us. Even that lax law has not been followed by our intelligence agencies.</p>
<p><b>Keeping it Safe </b></p>
<p style="text-align: justify; ">Recent reports reveal India's secretive National Technical Research Organisation (NTRO) — created under an executive order and not accountable to Parliament — often goes beyond its mandate and, in 2006-07, tried to crack into Google and Skype servers, but failed. It succeeded in cracking Rediffmail and Sify servers, and more recently was accused by the Department of Electronics and IT in a report on unauthorised access to government officials' mails.</p>
<p style="text-align: justify; ">While the government argues systems like the Telephone Call Interception System (TCIS), the Central Monitoring System (CMS) and the National Intelligence Grid (Natgrid) will introduce restrictions on misuse of surveillance data, it is a flawed claim. Mass surveillance only increases the size of the haystack, which doesn't help in finding the needle. Targeted surveillance, when necessary and proportional, is required. And no such systems should be introduced without public debate and a legal regime in place for public and parliamentary accountability.</p>
<p style="text-align: justify; ">The government should also encourage the usage of end-to-end encryption, ensuring Indian citizens' data remains safe even if stored on foreign servers. Merely requiring those servers to be located in India will not help, since that information is still accessible to American agencies if it is not encrypted. The currently lax Indian laws will also apply, degrading users' privacy even more.</p>
<p style="text-align: justify; ">Indians need to be aware they have virtually no privacy when communicating online unless they take proactive measures. Free or open-source software and technologies like Open-PGP can make emails secure, Off-The-Record can secure instant messages, TextSecure for SMSes, and Tor can anonymise internet traffic.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us'>https://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us</a>
</p>
No publisher; pranesh; Surveillance, Internet Governance, Censorship, SAFEGUARDS; 2013-07-12T11:09:39Z; Blog Entry
India’s Central Monitoring System: Security can’t come at cost of privacy
https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy
<b>During a Google hangout session in June this year, Milind Deora, minister of state for communications and information technology, addressed concerns related to the central monitoring system (CMS).</b>
<hr />
<p>Danish Raza's article was <a class="external-link" href="http://www.firstpost.com/tech/indias-central-monitoring-system-security-cant-come-at-cost-of-privacy-944475.html">published in FirstPost</a> on July 10, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">The surveillance project, described as the Indian version of <a href="http://www.firstpost.com/topic/organization/prism-profile-230137.html" target="_blank" title="PRISM">PRISM</a>, will allow the government to monitor online and telephone data of citizens.</p>
<p style="text-align: justify; ">The minister tried to justify the project arguing that the union government will become the sole custodian of citizens’ data which is now accessible to other parties such as telecom operators. But his justification failed to persuade experts who argue that the data is hardly safe because it is held by the government. And the limited information available about the project has raised serious concerns about its need and the consequences of government snooping on such a mass scale.</p>
<p style="text-align: justify; ">A release by the Press Information Bureau, dated November 26, 2009, is perhaps the only government document related to CMS available in the public domain. It <a href="http://pib.nic.in/newsite/erelease.aspx?relid=54679" target="_blank">merely states</a> that the project will strengthen the security environment in the country. “In the existing system secrecy can be easily compromised due to manual intervention at many stages while in CMS these functions will be performed on secured electronic link and there will be minimum manual intervention. Interception through CMS will be instant as compared to the existing system which takes a very long time.”</p>
<p style="text-align: justify; ">One of the primary concerns raised by experts is the sheer lack of public information on the project. So far, there is no official word from the government about which government bodies or agencies will be able to access the data; how they will use this information; what percentage of the population will be under surveillance; or how long the data of a citizen will be kept in the record.</p>
<p style="text-align: justify; ">“This makes it impossible for India’s citizens to assess whether surveillance is the only, or the best, way in which the stated goal can be achieved. Also, citizens cannot gauge whether these measures are proportionate i.e. they are the most effective means to achieve this aim. The possibility of having such a debate is crucial in any democratic country,” said Dr Anja Kovacs, project director at Internet Democracy Project, a Delhi-based NGO working for online freedom of speech and related issues.</p>
<p style="text-align: justify; ">There is also no legal recourse for a citizen whose personal details are being misused or leaked from the central or regional database. Unlike America’s PRISM project under which surveillance orders are approved by courts, CMS does not have any judicial oversight. “This means that the larger ecosystem of checks and balances in which any surveillance should be embedded in a democratic country is lacking. There is an urgent requirement for a strong legal protection of the right to privacy; for judicial oversight of any surveillance; and for parliamentary or judicial oversight of the agencies which will do surveillance. At the moment, all three are missing.” said Kovacs.</p>
<p style="text-align: justify; ">Given the use of technology by criminals and terrorists, government surveillance per se, seems inevitable. Almost in every nation, certain chunk of population is always under the scanner of intelligence agencies. However, mass-scale tracking the data of all citizens — not just those who are deemed persons of interest — enabled by the CMS has sparked a public furor. Sunil Abraham, executive director, Centre for Internet & Society, Bangalore, compared surveillance with salt in cooking. “A tiny amount is essential but any excess is counterproductive,” he said. “Unlike target surveillance, blanket surveillance increases the probability of false positives. Wrong data analysis will put more number of innocent civilians under suspicion as, by default, their number in the central server is more than those are actually criminals.”</p>
<p style="text-align: justify; ">Such blanket surveillance techniques also pose a threat to online business. With all the data going in one central pool, a competitor or a cyber criminal rival can easily tap into private and sensitive information by hacking into the server. “As vulnerabilities will be introduced into Internet infrastructure in order to enable surveillance, it will undermine the security of online transactions,” said Abraham. He notes that the project also can undermine the confidentiality of intellectual property especially pre-grant patents and trade secrets. “Rights-holders will never be sure if their IPR is being stolen by some government in order to prop up national players.”</p>
<p style="text-align: justify; ">Every time a surveillance system is exposed or its misuse sparks a debate, governments argue that such programs are required for internal security purposes and to help abort terror attacks. Obama made the same argument after PRISM was revealed to the public. Civil rights groups, on the other hand, argue that security cannot be prioritised by large-scale invasions of privacy especially in a country like India where there is little accountability or transparency. So is there a middle ground that will satisfy both sides?</p>
<p style="text-align: justify; ">“Yes, security and privacy can coexist,” said Commander (rtd) Mukesh Saini, former national information security coordinator, government of India, “We can design a system which takes care of national security aspect and yet gains the confidence of the citizens. Secrecy period must not be more than three to four years in such projects. Thereafter who all were snooped and when and why and under whose direction/circumstances must be made public through a website after this time gap.”</p>
<p style="text-align: justify; ">Kovacs agrees and says the right kind of surveillance program would focus on the needs of the citizen and not the government. “If a contradiction seems to exist between cyber security and privacy online, this is only because we have lost sight of who is supposed to benefit from any security measures. Only if a measure contributes to citizen’s sense of security, can it really be considered a legitimate security measure.”</p>
<p>
For more details visit <a href='https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy'>https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy</a>
</p>
No publisher | praskrishna | SAFEGUARDS, Internet Governance, Privacy | 2013-07-15T06:43:21Z | News Item
India's Central Monitoring System (CMS): Something to Worry About?
https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about
<b>In this article, Maria Xynou presents new information about India's controversial Central Monitoring System (CMS) based on official documents which were shared with the Centre for Internet and Society (CIS). Read this article and gain an insight on how the CMS actually works!</b>
<p style="text-align: justify; ">The idea of a Panopticon, of monitoring all communications in India and centrally storing such data, is not new. It was first envisioned in 2009, following the 2008 Mumbai terrorist attacks. As such, the Central Monitoring System (CMS) started off as <span class="internal-link">a project run by the Centre for Communication Security Research and Monitoring (CCSRM)</span>, along with the Telecom Testing and Security Certification (TTSC) project.</p>
<p align="JUSTIFY">The Central Monitoring System (CMS), which was <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/">largely covered by the media in 2013</a>, was actually <span class="internal-link">approved by the Cabinet Committee on Security (CCS) on 16th June 2011</span> and the pilot project was completed by 30th September 2011. Ever since, the CMS has been operated by India's Telecom Enforcement Resource and Monitoring (TERM) cells, and has been implemented by the Centre for Development of Telematics (C-DOT), which is an Indian Government owned telecommunications technology development centre. The CMS has been implemented in three phases, each one taking about 13-14 months. As of June 2013, <span class="internal-link">government funding of the CMS has reached at least Rs. 450 crore</span> (around $72 million).</p>
<p align="JUSTIFY">In order to require Telecom Service Providers (TSPs) to intercept all telecommunications in India as part of the CMS, <a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">clause 41.10 of the Unified Access Services (UAS) License Agreement was amended</a> in June 2013. In particular, the amended clause includes the following:</p>
<blockquote class="italized">“<i>But, in case of Centralized Monitoring System (CMS), Licensee shall provide the connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at its own cost in the form of dark fibre with redundancy. If dark fibre connectivity is not readily available, the connectivity may be extended in the form of 10 Mbps bandwidth upgradeable upto 45 Mbps or higher as conveyed by the Government, till such time the dark fibre connectivity is established. However, LICENSEE shall endeavor to establish connectivity by dark optical fibre at the earliest. From the point of presence of MPLS network of CMS onwards traffic will be handled by the Government at its own cost.”</i></blockquote>
<p align="JUSTIFY">Furthermore, <span class="internal-link">draft Rule 419B</span> under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information” / Call Data Records (CDR) to Indian authorities. <a class="external-link" href="http://books.google.gr/books?id=dO2wCCB7w9sC&pg=PA111&dq=%22Call+detail+record%22&hl=en&sa=X&ei=s-iUUO6gHseX0QGXzoGADw&redir_esc=y#v=onepage&q=%22Call%20detail%20record%22&f=false">Call Data Records</a>, otherwise known as Call Detail Records, contain metadata (data about data) that describe a telecommunication transaction, but not the content of that transaction. In other words, Call Data Records include data such as the phone numbers of the calling and called parties, the duration of the call, the time and date of the call, and other such information, while excluding the content of what was said during such calls. According to <span class="internal-link">draft Rule 419B</span>, directions for the disclosure of Call Data Records can only be issued on a national level through orders by the Secretary to the Government of India in the Ministry of Home Affairs, while on the state level, orders can only be issued by the Secretary to the State Government in charge of the Home Department.</p>
<p align="JUSTIFY">Other than this draft Rule and the <a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amendment to clause 41.10 of the UAS License Agreement</a>, no law exists which mandates or regulates the Central Monitoring System (CMS). This mass surveillance system is merely regulated under Section 5(2) of the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, which empowers the Indian Government to intercept communications on the occurrence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the following instances:</p>
<ul>
<li>
<p align="JUSTIFY">the interests of the sovereignty and integrity of India</p>
</li>
<li>
<p align="JUSTIFY">the security of the State</p>
</li>
<li>
<p align="JUSTIFY">friendly relations with foreign states</p>
</li>
<li>
<p align="JUSTIFY">public order</p>
</li>
<li>
<p align="JUSTIFY">for preventing incitement to the commission of an offense</p>
</li>
</ul>
<p align="JUSTIFY">However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague, and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should function. As such, the CMS appears to be inadequately regulated, which raises many questions with regards to its potential misuse and subsequent violation of Indians' right to privacy and other human rights.</p>
<h2><b>So how does the Central Monitoring System (CMS) actually work?</b></h2>
<p align="JUSTIFY">We have known for quite a while now that the Central Monitoring System (CMS) gives India's security agencies and income tax officials centralized <a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system" class="external-link">access to the country's telecommunications network</a>. The question, though, is how.</p>
<p align="JUSTIFY">Well, prior to the CMS, all service providers in India were required to have <a class="external-link" href="http://www.thehindu.com/news/national/govt-violates-privacy-safeguards-to-secretly-monitor-internet-traffic/article5107682.ece">Lawful Interception Systems</a> installed at their premises in order to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, in the CMS era, all TSPs in India are <span class="internal-link">required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems</span>. Once ISF servers are installed in the premises of TSPs in India and integrated with Lawful Interception Systems, they are then connected to the Regional Monitoring Centres (RMC) of the CMS. Each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS). In short, the CMS involves the collection and storage of data intercepted by TSPs in central and regional databases.</p>
<p align="JUSTIFY">In other words, all data intercepted by TSPs is automatically transmitted to Regional Monitoring Centres, and subsequently automatically transmitted to the Central Monitoring System. This means that not only can the CMS authority have centralized access to all data intercepted by TSPs all over India, but that <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the authority can also bypass service providers in gaining such access</a>. This is due to the fact that, unlike in the case of so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows for data to be automatically transmitted to its datacentre, without the involvement of TSPs.</p>
<p align="JUSTIFY">The above is illustrated in the following chart:</p>
<p align="JUSTIFY"><img src="https://cis-india.org/chart_11.png" title="CMS chart" height="372" width="689" alt="CMS chart" class="image-inline" /></p>
<p align="JUSTIFY">The interface testing of TSPs and their Lawful Interception Systems has already been completed and, as of June 2013, <span class="internal-link">70 ISF servers have been purchased for six License Service Areas</span> and are being integrated with the Lawful Interception Systems of TSPs. The Centre for Development of Telematics has already fully installed and integrated two ISF servers in the premises of two of India's largest service providers: MTNL and Tata Communications Limited. In Delhi, ISF servers which connect with the CMS have been installed for all TSPs and testing has been completed. In Haryana, three ISF servers have already been installed in the premises of TSPs and the rest are currently being installed. In Chennai, five ISF servers have been installed so far, while in Karnataka, ISF servers are currently being integrated with the Lawful Interception Systems of the TSPs in the region.</p>
<p align="JUSTIFY">The Centre for Development of Telematics plans to <span class="internal-link">integrate ISF servers which connect with the CMS in the premises of service providers </span>in the following regions:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Maharashtra</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (West)</p>
</li>
<li>
<p align="JUSTIFY">Andhra Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (East)</p>
</li>
<li>
<p align="JUSTIFY">Kerala</p>
</li>
<li>
<p align="JUSTIFY">Gujarat</p>
</li>
<li>
<p align="JUSTIFY">Madhya Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
</ul>
<p align="JUSTIFY">With regards to the UAS License Agreement that TSPs are required to comply with, <a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amended clause 41.10</a> specifies certain details about how the CMS functions. In particular, the amended clause mandates that TSPs in India will provide connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at their own cost and in the form of dark optical fibre. From the MPLS network of the CMS onwards, traffic will be handled by the Government at its own cost. It is noteworthy that a <span class="internal-link">Memorandum of Understanding (MoU) for MPLS connectivity</span> has been signed with one of India's largest ISPs/TSPs: BSNL. In fact, <span class="internal-link">Rs. 4.8 crore have been given to BSNL</span> for interconnecting 81 CMS locations of the following License Service Areas:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Mumbai</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
<li>
<p align="JUSTIFY">Rajasthan</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Karnataka</p>
</li>
<li>
<p align="JUSTIFY">Chennai</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
</ul>
<p align="JUSTIFY"><a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">Clause 41.10 of the UAS License Agreement</a> also mandates that the hardware and software required for monitoring calls will be engineered, provided, installed and maintained by the TSPs at their own cost. This implies that TSP customers in India will likely have to pay for more expensive services, supposedly to “increase their safety”. Moreover, this clause mandates that TSPs are required to monitor <i>at least 30 simultaneous calls</i> for each of the nine designated law enforcement agencies. In addition to monitored calls, clause 41.10 of the UAS License Agreement also requires service providers to make the following records available to Indian law enforcement agencies:</p>
<ul>
<li>
<p align="JUSTIFY">Called/calling party mobile/PSTN numbers</p>
</li>
<li>
<p align="JUSTIFY">Time/date and duration of interception</p>
</li>
<li>
<p align="JUSTIFY">Location of target subscribers (Cell ID & GPS)</p>
</li>
<li>
<p align="JUSTIFY">Data records for failed call attempts</p>
</li>
<li>
<p align="JUSTIFY">CDR (Call Data Records) of Roaming Subscriber</p>
</li>
<li>
<p align="JUSTIFY">Forwarded telephone numbers by target subscriber</p>
</li>
</ul>
<p align="JUSTIFY">Interception requests from law enforcement agencies are provisioned by the CMS authority, which has access to the intercepted data by all TSPs in India and which is stored in a central database. As of June 2013, <span class="internal-link">80% of the CMS Physical Data Centre has been built so far</span>.</p>
<p align="JUSTIFY">In short, the CMS replaces the existing manual system of interception and monitoring with an automated system, which is operated by TERM cells and implemented by the Centre for Development of Telematics. <span class="internal-link">Training has been imparted to the following law enforcement agencies</span>:</p>
<ul>
<li>
<p align="JUSTIFY">Intelligence Bureau (IB)</p>
</li>
<li>
<p align="JUSTIFY">Central Bureau of Investigation (CBI)</p>
</li>
<li>
<p align="JUSTIFY">Directorate of Revenue Intelligence (DRI)</p>
</li>
<li>
<p align="JUSTIFY">Research & Analysis Wing (RAW)</p>
</li>
<li>
<p align="JUSTIFY">National Investigation Agency (NIA)</p>
</li>
<li>
<p align="JUSTIFY">Delhi Police</p>
</li>
</ul>
<h2><b>And should we even be worried about the Central Monitoring System?</b></h2>
<p align="JUSTIFY">Well, according to the <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">brief material for the Honourable MOC and IT Press Briefing</a> on 16th July 2013, we should <i>not</i> be worried about the Central Monitoring System. Over the last year, <a class="external-link" href="http://www.livemint.com/Politics/pR5zc8hCD1sn3NWQwa7cQJ/The-new-surveillance-state.html">media reports</a> have expressed fear that the Central Monitoring System will infringe upon citizens' right to privacy and other human rights. However,<a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link"> Indian authorities have argued that the Central Monitoring System will <i>better protect</i> the privacy of individuals </a>and maintain their security due to the following reasons:</p>
<ol>
<li>
<p align="JUSTIFY">The CMS will <i>just automate</i> the existing process of interception and monitoring, and all the existing safeguards will continue to exist</p>
</li>
<li>
<p align="JUSTIFY">The interception and monitoring of communications will continue to be in accordance with Section 5(2) of the Indian Telegraph Act, 1885, read with Rule 419A</p>
</li>
<li>
<p align="JUSTIFY">The CMS will enhance the privacy of citizens, because it will no longer be necessary to take authorisation from the nodal officer of the Telecom Service Providers (TSPs) – who comes to know whose and which phone is being intercepted</p>
</li>
<li>
<p align="JUSTIFY">The CMS authority will provision the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured, since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data</p>
</li>
<li>
<p align="JUSTIFY">A non-erasable command log of all provisioning activities will be maintained by the system, which can be examined anytime for misuse and which provides an additional safeguard</p>
</li>
</ol>
<p align="JUSTIFY">While some of these arguments may potentially allow for better protections, I personally fundamentally disagree with the notion that a centralised monitoring system is something not to worry about. But let's start-off by having a look at the above arguments.</p>
<p align="JUSTIFY">The first argument appears to imply that the pre-existing process of interception and monitoring was privacy-friendly or at least “a good thing” and that existing safeguards are adequate. As such, it is emphasised that the process of interception and monitoring will <i>“just” </i>be automated, while posing no real threat. I fundamentally disagree with this argument for several reasons. First of all, the pre-existing regime of interception and monitoring appears to be rather problematic because India lacks privacy legislation which could safeguard citizens from potential abuse. Secondly, the very interception which is enabled through various sections of the <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act, 2008</a>, and the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, potentially <a class="external-link" href="http://www.outlookindia.com/article.aspx?283149">infringes upon individuals' right to privacy</a> and other human rights.</p>
<p align="JUSTIFY">May I remind you of <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Section 69 of the Information Technology (Amendment) Act, 2008</a>, which allows for the interception of all information transmitted through a computer resource and which requires users to assist authorities with the decryption of their data, if they are asked to do so, or face a jail sentence of up to seven years. The debate on the constitutionality of the various sections of the law which allow for the interception of communications in India is still unsettled, which means that the pre-existing interception and monitoring of communications remains an <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_php=true&_type=blogs&_r=0">ambiguous matter</a>. And so, while the interception of communications in general is rather concerning due to draconian sections of the law and due to the absence of privacy legislation, automating the process of interception does not appear reassuring at all. On the contrary, it seems like something along the lines of: “We have already been spying on you. Now we will just be doing it quicker and more efficiently.”</p>
<p align="JUSTIFY">The second argument appears inadequate too. <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Section 5(2) of the Indian Telegraph Act, 1885</a>, states that the interception of communications can be carried out on the occurrence of a “public emergency” or in the interest of “public safety” when it is deemed “necessary or expedient” to do so under certain conditions which were previously mentioned. However, this section of the law does not mandate the establishment of the Central Monitoring System, nor does it regulate how and under what conditions this surveillance system will function. On the contrary, Section 5(2) of the Indian Telegraph Act, 1885, clearly mandates <i>targeted</i> surveillance, while the Central Monitoring System could potentially undertake <i>mass</i> surveillance. Since the process of interception is automated and, under clause 41.16 of the <a class="external-link" href="http://www.dot.gov.in/sites/default/files/DOC270613-013.pdf">Unified License (Access Services) Agreement</a>, service providers are required to provision at least 3,000 calls for monitoring to nine law enforcement agencies, it is likely that the CMS undertakes mass surveillance. Thus, it is unclear if the very nature of the CMS falls under Section 5(2) of the Indian Telegraph Act, 1885, which mandates targeted surveillance, nor is it clear that such surveillance is being carried out on the occurrence of a specific “public emergency” or in the interest of “public safety”. As such, the vagueness revolving around the question of whether the CMS undertakes targeted or mass surveillance means that its legality remains an equivocal matter.</p>
<p align="JUSTIFY">As for the third argument, it is not clear how <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">bypassing the nodal officers of TSPs</a> will enhance citizens' right to privacy. While it may potentially be a good thing that nodal officers will not always be aware of whose information is being intercepted, that does not guarantee that those who do have access to such data will not abuse it. After all, the CMS appears to be largely unregulated and India lacks privacy legislation and all other adequate legal safeguards. Moreover, by bypassing the nodal officers of TSPs, the opportunity for unauthorised requests to be rejected will cease to exist. It also implies an increased centralisation of intercepted data which can potentially create a centralised point for cyber attacks. Thus, the argument that the CMS authority will monopolise the control over intercepted data does not appear reassuring at all. After all, who will watch the watchmen?</p>
<p align="JUSTIFY">While the fourth argument makes a point about <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">differentiating the provisioning and requesting entities</a> with regards to interception requests, it does not necessarily ensure a complete check and balance, nor does it completely eliminate the potential for abuse. The CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorised requests are not provisioned. Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place.</p>
<p align="JUSTIFY">Furthermore, this argument states that the <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">CMS authority will not have access to content data</a>, but does not specify if it will have access to metadata. What's concerning is that <a href="https://cis-india.org/internet-governance/blog/fin-fisher-in-india-and-myth-of-harmless-metadata" class="external-link">metadata can potentially be more useful for tracking individuals than content data</a>, since it is ideally suited to automated analysis by a computer and, unlike content data which shows what an individual says (which may or may not be true), metadata shows what an individual does. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual's interests, behaviour and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to undermine the argument that the provisioning and requesting entities will be separate and therefore protect individuals' privacy.</p>
<p align="JUSTIFY">The final argument appears to provide some promise, since <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the maintenance of a command log of all provisioning activities</a> could potentially ensure some transparency. However, it remains unclear who will maintain such a log, who will have access to it, who will be responsible for ensuring that unlawful requests have not been provisioned and what penalties will be enforced in cases of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all. In short, the above arguments in favour of the CMS and which support the notion that it enhances individuals' right to privacy appear to be inadequate, to say the least.</p>
<p align="JUSTIFY">In contemporary democracies, most people would agree that freedom is a fundamental human right. The right to privacy should be equally fundamental, since it <a class="external-link" href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">protects individuals from abuse by those in power</a> and is integral in ensuring individual liberty. India may literally be the largest democracy in the world, but it lacks privacy legislation which establishes the right to privacy, which guarantees data protection and which safeguards individuals from the potentially unlawful interception of their communications. And as if that is not enough, India is also carrying out a surveillance scheme which is largely unregulated. As such, it is highly recommended that India establishes a privacy law now.</p>
<p align="JUSTIFY">If we do the math, here is what we have: a country with extremely high levels of corruption, no privacy law and an unregulated surveillance scheme which lacks public and parliamentary debate prior to its implementation. All of this makes it almost impossible to believe that we are talking about a democracy, let alone the world's largest (by population) democracy! Therefore, if Indian authorities are interested in preserving the democratic regime they claim to be a part of, I think it would be highly necessary to halt the Central Monitoring System and to engage the public and the parliament in a debate about it.</p>
<p align="JUSTIFY">After all, along with our right to privacy, freedom of expression and other human rights...our right to freedom from suspicion appears to be at stake.</p>
<p align="JUSTIFY"><i>How can we not be worried about the Central Monitoring System?</i></p>
<p align="JUSTIFY">The Centre for Internet and Society (CIS) is in possession of the documents which include the information on the Central Monitoring System (CMS) as analysed in this article, as well as of the draft Rule 419B under the Indian Telegraph Act, 1885.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about'>https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about</a>
</p>
No publisher | maria | Surveillance, Internet Governance, SAFEGUARDS | 2014-02-22T13:50:37Z | Blog Entry
India's Biometric Identification Programs and Privacy Concerns
https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns
<b>The invasiveness of individual identification coupled with the fallibility of managing big data which biometric identification presents poses a huge risk to individual privacy in India.
</b>
<hr />
<p style="text-align: justify;">Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. <em>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</em>.</p>
<hr />
<h3>Introduction</h3>
<p style="text-align: justify;">Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election IDs, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.</p>
<h3 style="text-align: justify;">‘Big Data’ and Privacy Issues</h3>
<p style="text-align: justify;">Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging every day,<a name="fr1" href="#fn1">[1]</a> the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.<a name="fr2" href="#fn2">[2]</a> The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different from any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial, for example by analysing data trends to target improved services, it can also be problematic in case of a compromise or breach, or if the generated information is analyzed to draw new and unintended conclusions about individuals without their consent and used for purposes the individuals did not intend.</p>
<h3 style="text-align: justify;">Biometric ID and Theft of Private Data</h3>
<p style="text-align: justify;">The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues, and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that their potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other, and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owner's consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because it is unique and intrinsic and hence, once lost, cannot be re-issued or reclaimed like traditional identification such as a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.</p>
<h3 style="text-align: justify;">Biometric data and Potential Misuse</h3>
<p style="text-align: justify;">Centralised data storage is problematic not only because of the issues with data compromise and identity theft, but also because of the potential for third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.<a name="fr4" href="#fn4">[4]</a> The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]</p>
<p style="text-align: justify;">A second, growing concern over biometric identification schemes is the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.<a name="fr5" href="#fn5">[5]</a> Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.<a name="fr6" href="#fn6">[6]</a> The precise and accurate identification which biometrics offers also means that individuals are that much easier to continuously surveil and track. For example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.<a name="fr7" href="#fn7">[7]</a></p>
<p style="text-align: justify;">With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking without the individuals' knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.<a name="fr8" href="#fn8">[8]</a> Even if such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime, where individuals are not notified about the kind of data being collected and what it is being used for, would be a huge affront to civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As the Deputy Prime Minister of the UK, Nick Clegg, said in a speech denouncing the Identity Scheme of the British government: “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]</p>
<p style="text-align: justify;">Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, in the absence of any guidelines or specific legal framework covering the implementation of biometric schemes and the collection of biometric data, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above. These issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.</p>
<hr />
<p>[<a name="fn1" href="#fr1">1</a>]. <a href="http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections">http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections</a>.</p>
<p>[<a name="fn2" href="#fr2">2</a>]. <a href="http://www.wired.com/threatlevel/2008/03/hackers-publish">http://www.wired.com/threatlevel/2008/03/hackers-publish</a>.</p>
<p>[<a name="fn3" href="#fr3">3</a>]. <a href="https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions">https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions</a>.</p>
<p>[<a name="fn4" href="#fr4">4</a>]. <a href="http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001">http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001</a>.</p>
<p>[<a name="fn5" href="#fr5">5</a>]. <a href="http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece">http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece</a>.</p>
<p>[<a name="fn6" href="#fr6">6</a>]. <a href="http://news.bbc.co.uk/2/hi/8691753.stm">http://news.bbc.co.uk/2/hi/8691753.stm</a>.</p>
<p>[<a name="fn7" href="#fr7">7</a>]. Supra note 1.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns'>https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns</a>
</p>
No publisher, divij, SAFEGUARDS, Internet Governance, Privacy, 2016-07-21T10:51:42Z, Blog Entry