The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 31 to 45.
Interview with Big Brother Watch on Privacy and Surveillance
https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance
<b>Maria Xynou interviewed Emma Carr, the Deputy Director of Big Brother Watch, on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; ">For all those of you who haven't heard of Big Brother Watch, it's a London-based campaign group which was founded in 2009 to protect individual privacy and defend civil liberties.</p>
<p style="text-align: justify; "><a class="external-link" href="http://www.bigbrotherwatch.org.uk/about">Big Brother Watch</a> was set up to challenge policies that threaten our privacy, our freedoms and our civil liberties, and to expose the true scale of the surveillance state. The campaign group has produced unique research exposing the erosion of civil liberties in the UK, looking at the dramatic expansion of surveillance powers, the growth of the database state and the misuse of personal information. Big Brother Watch campaigns to give individuals more control over their personal data, and hold to account those who fail to respect our privacy, whether private companies, government departments or local authorities.</p>
<p style="text-align: justify; "><a class="external-link" href="http://www.bigbrotherwatch.org.uk/who-we-are/emma-frances-carr-deputy-director">Emma Carr</a> joined Big Brother Watch as Deputy Director in February 2012 and has since been regularly quoted in the UK press. The Centre for Internet and Society interviewed Emma Carr on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">How do you define privacy?</p>
</li>
<li>
<p align="JUSTIFY">Can privacy and freedom of expression co-exist? Why/Why not?</p>
</li>
<li>
<p align="JUSTIFY">What is the balance between Internet freedom and surveillance?</p>
</li>
<li>
<p align="JUSTIFY">According to your research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/Why not?</p>
</li>
<li>
<p align="JUSTIFY">What implications on human rights can mass surveillance potentially have?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Do we have Internet freedom?</p>
</li>
</ol><ol> </ol>
<p align="JUSTIFY"> </p>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/KhmwPYgLfjo" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance'>https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-10-15T14:24:27ZBlog EntryIndian surveillance laws & practices far worse than US
https://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us
<b>Explosive would be just the word to describe the revelations by National Security Agency (NSA) whistleblower Edward Snowden. </b>
<hr />
<p style="text-align: justify; ">Pranesh Prakash's column was <a class="external-link" href="http://articles.economictimes.indiatimes.com/2013-06-13/news/39952596_1_nsa-india-us-homeland-security-dialogue-national-security-letters">published in the Economic Times</a> on June 13, 2013. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Now, with the American Civil Liberties Union suing the Obama administration over the NSA surveillance programme, more fireworks could be in store. Snowden's expose provides proof of what many working in the field of privacy have long known. The leaks show the NSA (through the FBI) has got a secret court order requiring telecom provider Verizon to hand over "metadata", i.e., non-content data like phone numbers and call durations, relating to millions of US customers (known as dragnet or mass surveillance); that the NSA has a tool called Prism through which it queries at least nine American companies (including Google and Facebook); and that it also has a tool called Boundless Informant (a screenshot of which revealed that, in February 2013, the NSA collected 12.61 billion pieces of metadata from India).</p>
<p><b>Nothing Quite Private </b></p>
<p>The outrage in the US has to do with the fact that much of the data the NSA has been granted access to by the court relates to communications between US citizens, something the NSA is not authorised to gain access to. What should be of concern to Indians is that the US government refuses to acknowledge non-Americans as people who also have a fundamental right to privacy, if not under US law, then at least under international laws like the Universal Declaration of Human Rights and the ICCPR.</p>
<p style="text-align: justify; ">US companies such as Facebook and Google have had a deleterious effect on privacy. In 2004, there was a public outcry when Gmail announced it was using an algorithm to read through your emails to serve you advertisements. Facebook and Google collect massive amounts of data about you and websites you visit, and by doing so, they make themselves targets for governments wishing to snoop on you, legally or not.</p>
<p><b>Worse, Indian-Style </b></p>
<p style="text-align: justify; ">That said, Google and Twitter have at least challenged a few of the secretive National Security Letters requiring them to hand over data to the FBI, and have won. Yahoo India has challenged the authority of the Controller of Certifying Authorities, a technical functionary under the IT Act, to ask for user data, and the case is still going on.</p>
<p style="text-align: justify; ">To the best of my knowledge, no Indian web company has ever challenged the government in court over a privacy-related matter. Actually, Indian law is far worse than American law on these matters. In the US, the NSA needed a court order to get the Verizon data. In India, the licences under which telecom companies operate require them to provide this. No need for messy court processes.</p>
<p style="text-align: justify; ">The law we currently have — sections 69 and 69B of the Information Technology Act — is far worse than the surveillance law the British imposed on us. Even that lax law has not been followed by our intelligence agencies.</p>
<p><b>Keeping it Safe </b></p>
<p style="text-align: justify; ">Recent reports reveal India's secretive National Technical Research Organisation (NTRO) — created under an executive order and not accountable to Parliament — often goes beyond its mandate and, in 2006-07, tried to crack into Google and Skype servers, but failed. It succeeded in cracking Rediffmail and Sify servers, and more recently was accused by the Department of Electronics and IT in a report on unauthorised access to government officials' mails.</p>
<p style="text-align: justify; ">While the government argues systems like the Telephone Call Interception System (TCIS), the Central Monitoring System (CMS) and the National Intelligence Grid (Natgrid) will introduce restrictions on misuse of surveillance data, it is a flawed claim. Mass surveillance only increases the size of the haystack, which doesn't help in finding the needle. Targeted surveillance, when necessary and proportional, is required. And no such systems should be introduced without public debate and a legal regime in place for public and parliamentary accountability.</p>
<p style="text-align: justify; ">The government should also encourage the usage of end-to-end encryption, ensuring Indian citizens' data remains safe even if stored on foreign servers. Merely requiring those servers to be located in India will not help, since that information is still accessible to American agencies if it is not encrypted. Also, the currently lax Indian laws will also apply, degrading users' privacy even more.</p>
<p style="text-align: justify; ">Indians need to be aware they have virtually no privacy when communicating online unless they take proactive measures. Free or open-source software and technologies like Open-PGP can make emails secure, Off-The-Record can secure instant messages, TextSecure for SMSes, and Tor can anonymise internet traffic.</p>
<div id="_mcePaste"><span><a href="https://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us">http://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us</a> </span> </div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us'>https://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us</a>
</p>
No publisherpraneshSurveillanceInternet GovernanceCensorshipSAFEGUARDS2013-07-12T11:09:39ZBlog EntryIndia’s Central Monitoring System: Security can’t come at cost of privacy
https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy
<b>During a Google hangout session in June this year, Milind Deora, minister of state for communications and information technology, addressed concerns related to the central monitoring system (CMS).</b>
<hr />
<p>Danish Raza's article was<a class="external-link" href="http://www.firstpost.com/tech/indias-central-monitoring-system-security-cant-come-at-cost-of-privacy-944475.html"> published in FirstPost </a>on July 10, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">The surveillance project, described as the Indian version of <a href="http://www.firstpost.com/topic/organization/prism-profile-230137.html" target="_blank" title="PRISM">PRISM</a>, will allow the government to monitor online and telephone data of citizens. <a href="http://www.medianama.com/2013/06/223-%3Ca%20href=" rel="nofollow" target="_blank" title="prism">prism</a>-milind-deora-cms-central-monitoring-system/” target=”_blank”></p>
<p style="text-align: justify; ">The minister tried to justify the project arguing that the union government will become the sole custodian of citizen’s data which is now accessible to other parties such as telecom operators. But his justification failed to persuade experts who argue that the data is hardly safe because it is held by the government. And the limited information available about the project has raised serious concerns about its need and the consequences of government snooping on such a mass scale.</p>
<p style="text-align: justify; ">A release by the Press Information Bureau, dated November 26, 2009, is perhaps the only government document related to CMS available in public domain. It <a href="http://pib.nic.in/newsite/erelease.aspx?relid=54679" target="_blank">merely states</a> that the project will strengthen the security environment in the country. “In the existing system secrecy can be easily compromised due to manual intervention at many stages while in CMS these functions will be performed on secured electronic link and there will be minimum manual intervention. Interception through CMS will be instant as compared to the existing system which takes a very long time.”</p>
<p style="text-align: justify; ">One of the primary concerns raised by experts is the sheer lack of public information on the project. So far, there is no official word from the government about which government bodies or agencies will be able to access the data; how will they use this information; what percentage of population will be under surveillance; or how long the data of a citizen will be kept in the record.</p>
<p style="text-align: justify; ">“This makes it impossible for India’s citizens to assess whether surveillance is the only, or the best, way in which the stated goal can be achieved. Also, citizens cannot gauge whether these measures are proportionate i.e. they are the most effective means to achieve this aim. The possibility of having such a debate is crucial in any democratic country,” said Dr Anja Kovacs, project director at Internet Democracy Project, Delhi based NGO working for online freedom of speech and related issues.</p>
<p style="text-align: justify; ">There is also no legal recourse for a citizen whose personal details are being misused or leaked from the central or regional database. Unlike America’s PRISM project under which surveillance orders are approved by courts, CMS does not have any judicial oversight. “This means that the larger ecosystem of checks and balances in which any surveillance should be embedded in a democratic country is lacking. There is an urgent requirement for a strong legal protection of the right to privacy; for judicial oversight of any surveillance; and for parliamentary or judicial oversight of the agencies which will do surveillance. At the moment, all three are missing.” said Kovacs.</p>
<p style="text-align: justify; ">Given the use of technology by criminals and terrorists, government surveillance per se, seems inevitable. Almost in every nation, certain chunk of population is always under the scanner of intelligence agencies. However, mass-scale tracking the data of all citizens — not just those who are deemed persons of interest — enabled by the CMS has sparked a public furor. Sunil Abraham, executive director, Centre for Internet & Society, Bangalore, compared surveillance with salt in cooking. “A tiny amount is essential but any excess is counterproductive,” he said. “Unlike target surveillance, blanket surveillance increases the probability of false positives. Wrong data analysis will put more number of innocent civilians under suspicion as, by default, their number in the central server is more than those are actually criminals.”</p>
<p style="text-align: justify; ">Such blanket surveillance techniques also pose a threat to online business. With all the data going in one central pool, a competitor or a cyber criminal rival can easily tap into private and sensitive information by hacking into the server. “As vulnerabilities will be introduced into Internet infrastructure in order to enable surveillance, it will undermine the security of online transactions,” said Abraham. He notes that the project also can undermine the confidentiality of intellectual property especially pre-grant patents and trade secrets. “Rights-holders will never be sure if their IPR is being stolen by some government in order to prop up national players.”</p>
<p style="text-align: justify; ">Every time a surveillance system is exposed or its misuse sparks a debate, governments argue that such programs are required for internal security purposes and to help abort terror attacks. Obama made the same argument after PRISM was revealed to the public. Civil rights groups, on the other hand, argue that security cannot be prioritised by large-scale invasions of privacy especially in a country like India where there is little accountability or transparency. So is there a middle ground that will satisfy both sides?</p>
<p style="text-align: justify; ">“Yes, security and privacy can coexist,” said Commander (rtd) Mukesh Saini, former national information security coordinator, government of India, “We can design a system which takes care of national security aspect and yet gains the confidence of the citizens. Secrecy period must not be more than three to four years in such projects. Thereafter who all were snooped and when and why and under whose direction/circumstances must be made public through a website after this time gap.”</p>
<p style="text-align: justify; ">Kovacs agrees and says the right kind of surveillance program would focus on the needs of the citizen and not the government. “If a contradiction seems to exist between cyber security and privacy online, this is only because we have lost sight of who is supposed to benefit from any security measures. Only if a measure contributes to citizen’s sense of security, can it really be considered a legitimate security measure.”</p>
<p>
For more details visit <a href='https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy'>https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy</a>
</p>
No publisherpraskrishnaSAFEGUARDSInternet GovernancePrivacy2013-07-15T06:43:21ZNews ItemIndia's Central Monitoring System (CMS): Something to Worry About?
https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about
<b>In this article, Maria Xynou presents new information about India's controversial Central Monitoring System (CMS) based on official documents which were shared with the Centre for Internet and Society (CIS). Read this article and gain an insight on how the CMS actually works!</b>
<p style="text-align: justify; ">The idea of a Panoptikon, of monitoring all communications in India and centrally storing such data is not new. It was first envisioned in 2009, following the 2008 Mumbai terrorist attacks. As such, the Central Monitoring System (CMS) started off as <span class="internal-link">a project run by the Centre for Communication Security Research and Monitoring (CCSRM)</span>, along with the Telecom Testing and Security Certification (TTSC) project.</p>
<p align="JUSTIFY">The Central Monitoring System (CMS), which was <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/">largely covered by the media in 2013</a>, was actually <span class="internal-link">approved by the Cabinet Committee on Security (CCS) on 16th June 2011</span> and the pilot project was completed by 30th September 2011. Ever since, the CMS has been operated by India's Telecom Enforcement Resource and Monitoring (TERM) cells, and has been implemented by the Centre for Development of Telematics (C-DOT), which is an Indian Government owned telecommunications technology development centre. The CMS has been implemented in three phases, each one taking about 13-14 months. As of June 2013, <span class="internal-link">government funding of the CMS has reached at least Rs. 450 crore</span> (around $72 million).</p>
<p align="JUSTIFY">In order to require Telecom Service Providers (TSPs) to intercept all telecommunications in India as part of the CMS, <a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">clause 41.10 of the Unified Access Services (UAS) License Agreement was amended</a> in June 2013. In particular, the amended clause includes the following:</p>
<blockquote class="italized">“<i>But, in case of Centralized Monitoring System (CMS), Licensee shall provide the connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at its own cost in the form of dark fibre with redundancy. If dark fibre connectivity is not readily available, the connectivity may be extended in the form of 10 Mbps bandwidth upgradeable upto 45 Mbps or higher as conveyed by the Governemnt, till such time the dark fibre connectivity is established. However, LICENSEE shall endeavor to establish connectivity by dark optical fibre at the earilest. From the point of presence of MPLS network of CMS onwards traffic will be handled by the Government at its own cost.”</i></blockquote>
<p align="JUSTIFY">Furthermore, <span class="internal-link">draft Rule 419B</span> under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information” / Call Data Records (CDR) to Indian authorities. <a class="external-link" href="http://books.google.gr/books?id=dO2wCCB7w9sC&pg=PA111&dq=%22Call+detail+record%22&hl=en&sa=X&ei=s-iUUO6gHseX0QGXzoGADw&redir_esc=y#v=onepage&q=%22Call%20detail%20record%22&f=false">Call Data Records</a>, otherwise known as Call Detail Records, contain metadata (data about data) that describe a telecomunication transaction, but not the content of that transaction. In other words, Call Data Records include data such as the phone numbers of the calling and called parties, the duration of the call, the time and date of the call, and other such information, while excluding the content of what was said during such calls. According to <span class="internal-link">draft Rule 419B</span>, directions for the disclosure of Call Data Records can only be issued on a national level through orders by the Secretary to the Government of India in the Ministry of Home Affairs, while on the state level, orders can only be issued by the Secretary to the State Government in charge of the Home Department.</p>
<p align="JUSTIFY">Other than this draft Rule and the <a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amendment to clause 41.10 of the UAS License Agreement</a>, no law exists which mandates or regulates the Central Monitoring System (CMS). This mass surveillance system is merely regulated under Section 5(2) of the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, which empowers the Indian Government to intercept communications on the occurence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the following instances:</p>
<ul>
<li>
<p align="JUSTIFY">the interests of the sovereignty and integrity of India</p>
</li>
<li>
<p align="JUSTIFY">the security of the State</p>
</li>
<li>
<p align="JUSTIFY">friendly relations with foreign states</p>
</li>
<li>
<p align="JUSTIFY">public order</p>
</li>
<li>
<p align="JUSTIFY">for preventing incitement to the commission of an offense</p>
</li>
</ul>
<p align="JUSTIFY">However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague, and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should function. As such, the CMS appears to be inadequately regulated, which raises many questions with regards to its potential misuse and subsequent violation of Indian's right to privacy and other human rights.</p>
<h2><b>So how does the Central Monitoring System (CMS) actually work?</b></h2>
<p align="JUSTIFY">We have known for quite a while now that the Central Monitoring System (CMS) gives India's security agencies and income tax officials centralized <a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system" class="external-link">access to the country's telecommunications network</a>. The question, though, is how.</p>
<p align="JUSTIFY">Well, prior to the CMS, all service providers in India were required to have <a class="external-link" href="http://www.thehindu.com/news/national/govt-violates-privacy-safeguards-to-secretly-monitor-internet-traffic/article5107682.ece">Lawful Interception Systems</a> installed at their premises in order to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, in the CMS era, all TSPs in India are <span class="internal-link">required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems</span>. Once ISF servers are installed in the premises of TSPs in India and integrated with Lawful Interception Systems, they are then connected to the Regional Monitoring Centres (RMC) of the CMS. Each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS). In short, the CMS involves the collection and storage of data intercepted by TSPs in central and regional databases.</p>
<p align="JUSTIFY">In other words, all data intercepted by TSPs is automatically transmitted to Regional Monitoring Centres, and subsequently automatically transmitted to the Central Monitoring System. This means that not only can the CMS authority have centralized access to all data intercepted by TSPs all over India, but that <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the authority can also bypass service providers in gaining such access</a>. This is due to the fact that, unlike in the case of so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows for data to be automatically transmitted to its datacentre, without the involvement of TSPs.</p>
<p align="JUSTIFY">The above is illustrated in the following chart:</p>
<p align="JUSTIFY"><img src="https://cis-india.org/chart_11.png" title="CMS chart" height="372" width="689" alt="CMS chart" class="image-inline" /></p>
<p align="JUSTIFY">The interface testing of TSPs and their Lawful Interception Systems has already been completed and, as of June 2013, <span class="internal-link">70 ISF servers have been purchased for six License Service Areas</span> and are being integrated with the Lawful Interception Systems of TSPs. The Centre for Development of Telematics has already fully installed and integrated two ISF servers in the premises of two of India's largest service providers: MTNL and Tata Communications Limited. In Delhi, ISF servers which connect with the CMS have been installed for all TSPs and testing has been completed. In Haryana, three ISF servers have already been installed in the premises of TSPs and the rest of currently being installed. In Chennai, five ISF servers have been installed so far, while in Karnataka, ISF servers are currently being integrated with the Lawful Interception Systems of the TSPs in the region.</p>
<p align="JUSTIFY">The Centre for Development of Telematics plans to <span class="internal-link">integrate ISF servers which connect with the CMS in the premises of service providers </span>in the following regions:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Maharashtra</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (West)</p>
</li>
<li>
<p align="JUSTIFY">Andhra Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (East)</p>
</li>
<li>
<p align="JUSTIFY">Kerala</p>
</li>
<li>
<p align="JUSTIFY">Gujarat</p>
</li>
<li>
<p align="JUSTIFY">Madhya Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
</ul>
<p align="JUSTIFY">With regards to the UAS License Agreement that TSPs are required to comply with, <a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amended clause 41.10</a> specifies certain details about how the CMS functions. In particular, the amended clause mandates that TSPs in India will provide connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at their own cost and in the form of dark optical fibre. From the MPLS network of the CMS onwards, traffic will be handled by the Government at its own cost. It is noteworthy that a <span class="internal-link">Memorandum of Understanding (MoU) for MPLS connectivity</span> has been signed with one of India's largest ISPs/TSPs: BSNL. In fact, <span class="internal-link">Rs. 4.8 crore have been given to BSNL</span> for interconnecting 81 CMS locations of the following License Service Areas:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Mumbai</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
<li>
<p align="JUSTIFY">Rajasthan</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Karnataka</p>
</li>
<li>
<p align="JUSTIFY">Chennai</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
</ul>
<p align="JUSTIFY"><a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">Clause 41.10 of the UAS License Agreement</a> also mandates that the hardware and software required for monitoring calls will be engineered, provided, installed and maintained by the TSPs at their own cost. This implies that TSP customers in India will likely have to pay for more expensive services, supposedly to “increase their safety”. Moreover, this clause mandates that TSPs are required to monitor <i>at least 30 simultaneous calls</i> for each of the nine designated law enforcement agencies. In addition to monitored calls, clause 41.10 of the UAS License Agreement also requires service providers to make the following records available to Indian law enforcement agencies:</p>
<ul>
<li>
<p align="JUSTIFY">Called/calling party mobile/PSTN numbers</p>
</li>
<li>
<p align="JUSTIFY">Time/date and duration of interception</p>
</li>
<li>
<p align="JUSTIFY">Location of target subscribers (Cell ID & GPS)</p>
</li>
<li>
<p align="JUSTIFY">Data records for failed call attempts</p>
</li>
<li>
<p align="JUSTIFY">CDR (Call Data Records) of Roaming Subscriber</p>
</li>
<li>
<p align="JUSTIFY">Forwarded telephone numbers by target subscriber</p>
</li>
</ul>
<p align="JUSTIFY">Interception requests from law enforcement agencies are provisioned by the CMS authority, which has access to the intercepted data by all TSPs in India and which is stored in a central database. As of June 2013, <span class="internal-link">80% of the CMS Physical Data Centre has been built so far</span>.</p>
<p align="JUSTIFY">In short, the CMS replaces the existing manual system of interception and monitoring to an automated system, which is operated by TERM cells and implemented by the Centre for Development of Telematics. <span class="internal-link">Training has been imparted to the following law enforcement agencies</span>:</p>
<ul>
<li>
<p align="JUSTIFY">Intelligence Bureau (IB)</p>
</li>
<li>
<p align="JUSTIFY">Central Bureau of Investigation (CBI)</p>
</li>
<li>
<p align="JUSTIFY">Directorate of Revenue Intelligence (DRI)</p>
</li>
<li>
<p align="JUSTIFY">Research & Analysis Wing (RAW)</p>
</li>
<li>
<p align="JUSTIFY">National Investigation Agency (NIA)</p>
</li>
<li>
<p align="JUSTIFY">Delhi Police</p>
</li>
</ul>
<h2><b>And should we even be worried about the Central Monitoring System?</b></h2>
<p align="JUSTIFY">Well, according to the <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">brief material for the Honourable MOC and IT Press Briefing</a> on 16th July 2013, we should <i>not</i> be worried about the Central Monitoring System. Over the last year, <a class="external-link" href="http://www.livemint.com/Politics/pR5zc8hCD1sn3NWQwa7cQJ/The-new-surveillance-state.html">media reports</a> have expressed fear that the Central Monitoring System will infringe upon citizen's right to privacy and other human rights. However,<a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link"> Indian authorities have argued that the Central Monitoring System will <i>better protect</i> the privacy of individuals </a>and maintain their security due to the following reasons:</p>
<ol>
<li>
<p align="JUSTIFY">The CMS will <i>just automate</i> the existing process of interception and monitoring, and all the existing safeguards will continue to exist</p>
</li>
<li>
<p align="JUSTIFY">The interception and monitoring of communications will continue to be in accordance with Section 5(2) of the Indian Telegraph Act, 1885, read with Rule 419A</p>
</li>
<li>
<p align="JUSTIFY">The CMS will enhance the privacy of citizens, because it will no longer be necessary to take authorisation from the nodal officer of the Telecom Service Providers (TSPs) – who comes to know whose and which phone is being intercepted</p>
</li>
<li>
<p align="JUSTIFY">The CMS authority will provision the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured, since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data</p>
</li>
<li>
<p align="JUSTIFY">A non-erasable command log of all provisioning activities will be maintained by the system, which can be examined anytime for misuse and which provides an additional safeguard</p>
</li>
</ol>
<p align="JUSTIFY">While some of these arguments may potentially allow for better protections, I personally fundamentally disagree with the notion that a centralised monitoring system is something not to worry about. But let's start-off by having a look at the above arguments.</p>
<p align="JUSTIFY">The first argument appears to imply that the pre-existing process of interception and monitoring was privacy-friendly or at least “a good thing” and that existing safeguards are adequate. As such, it is emphasised that the process of interception and monitoring will <i>“just” </i>be automated, while posing no real threat. I fundamentally disagree with this argument due to several reasons. First of all, the pre-existing regime of interception and monitoring appears to be rather problematic because India lacks privacy legislation which could safeguard citizens from potential abuse. Secondly, the very interception which is enabled through various sections of the <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act, 2008</a>, and the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, potentially <a class="external-link" href="http://www.outlookindia.com/article.aspx?283149">infringe upon individual's right to privacy</a> and other human rights.</p>
<p align="JUSTIFY">May I remind you of <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Section 69 of the Information Technology (Amendment) Act, 2008</a>, which allows for the interception of all information transmitted through a computer resource and which requires users to assist authorities with the decryption of their data, if they are asked to do so, or face a jail sentence of up to seven years. The debate on the constitutionality of the various sections of the law which allow for the interception of communications in India is still unsettled, which means that the pre-existing interception and monitoring of communications remains an <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_php=true&_type=blogs&_r=0">ambiguous matter</a>. And so, while the interception of communications in general is rather concerning due to dracodian sections of the law and due to the absence of privacy legislation, automating the process of interception does not appear reassuring at all. On the contrary, it seems like something in the lines of: “We have already been spying on you. Now we will just be doing it quicker and more efficiently.”</p>
<p align="JUSTIFY">The second argument appears inadequate too. <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Section 5(2) of the Indian Telegraph Act, 1885</a>, states that the interception of communications can be carried out on the occurence of a “public emergency” or in the interest of “public safety” when it is deemed “necessary or expedient” to do so under certain conditions which were previously mentioned. However, this section of the law does not mandate the establishment of the Central Monitoring System, nor does it regulate how and under what conditions this surveillance system will function. On the contrary, Section 5(2) of the Indian Telegraph Act, 1885, clearly mandates <i>targeted</i> surveillance, while the Central Monitoring System could potentially undertake <i>mass</i> surveillance. Since the process of interception is automated and, under clause 41.16 of the <a class="external-link" href="http://www.dot.gov.in/sites/default/files/DOC270613-013.pdf">Unified License (Access Services) Agreement</a>, service providers are required to provision at least 3,000 calls for monitoring to nine law enforcement agencies, it is likely that the CMS undertakes mass surveillance. Thus, it is unclear if the very nature of the CMS falls under Section 5(2) of the Indian Telegraph Act, 1885, which mandates targeted surveillance, nor is it clear that such surveillance is being carried out on the occurence of a specific “public emergency” or in the interest of “public safety”. As such, the vagueness revolving around the question of whether the CMS undertakes targeted or mass surveillance means that its legality remains an equivocal matter.</p>
<p align="JUSTIFY">As for the third argument, it is not clear how <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">bypassing the nodal officers of TSPs</a> will enhance citizen's right to privacy. While it may potentially be a good thing that nodal officers will not always be aware of whose information is being intercepted, that does not guarantee that those who do have access to such data will not abuse it. After all, the CMS appears to be largely unregulated and India lacks privacy legislation and all other adequate legal safeguards. Moreover, by bypassing the nodal officers of TSPs, the opportunity for unauthorised requests to be rejected will seize to exist. It also implies an increased centralisation of intercepted data which can potentially create a centralised point for cyber attacks. Thus, the argument that the CMS authority will monopolise the control over intercepted data does not appear reassuring at all. After all, who will watch the watchmen?</p>
<p align="JUSTIFY">While the fourth argument makes a point about <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">differentiating the provisioning and requesting entities</a> with regards to interception requests, it does not necessarily ensure a complete check and balance, nor does it completely eliminate the potential for abuse. The CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorised requests are not provisioned. Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place.</p>
<p align="JUSTIFY">Furthermore, this argument states that the <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">CMS authority will not have access to content data</a>, but does not specify if it will have access to metadata. What's concerning is that <a href="https://cis-india.org/internet-governance/blog/fin-fisher-in-india-and-myth-of-harmless-metadata" class="external-link">metadata can potentially be more useful for tracking individuals than content data</a>, since it is ideally suited to automated analysis by a computer and, unlike content data which shows what an individuals says (which may or may not be true), metadata shows what an individual does. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual's interests, behaviour and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to tackle the argument that the provisioning and requesting entities will be seperate and therefore protect individual's privacy.</p>
<p align="JUSTIFY">The final argument appears to provide some promise, since <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the maintenance of a command log of all provisioning activities</a> could potentially ensure some transparency. However, it remains unclear who will maintain such a log, who will have access to it, who will be responsible for ensuring that unlawful requests have not been provisioned and what penalties will be enforced in cases of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all. In short, the above arguments in favour of the CMS and which support the notion that it enhances individual's right to privacy appear to be inadequate, to say the least.</p>
<p align="JUSTIFY">In contemporary democracies, most people would agree that freedom is a fundamental human right. The right to privacy should be equally fundamental, since it <a class="external-link" href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">protects individuals from abuse by those in power</a> and is integral in ensuring individual liberty. India may literally be the largest democracy in the world, but it lacks privacy legislation which establishes the right to privacy, which guarantees data protection and which safeguards individuals from the potentially unlawful interception of their communications. And as if that is not enough, India is also carrying out a surveillance scheme which is largely unregulated. As such, it is highly recommended that India establishes a privacy law now.</p>
<p align="JUSTIFY">If we do the math, here is what we have: a country with extremely high levels of corruption, no privacy law and an unregulated surveillance scheme which lacks public and parliamentary debate prior to its implementation. All of this makes it almost impossible to believe that we are talking about a democracy, let alone the world's largest (by population) democracy! Therefore, if Indian authorities are interested in preserving the democratic regime they claim to be a part of, I think it would be highly necessary to halt the Central Monitoring System and to engage the public and the parliament in a debate about it.</p>
<p align="JUSTIFY">After all, along with our right to privacy, freedom of expression and other human rights...our right to freedom from suspicion appears to be at stake.</p>
<p align="JUSTIFY"><i>How can we not be worried about the Central Monitoring System?</i></p>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY">The Centre for Internet and Society (CIS) is in possession of the documents which include the information on the Central Monitoring System (CMS) as analysed in this article, as well as of the draft Rule 419B under the Indian Telegraph Act, 1885.</p>
<ul>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about'>https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about</a>
</p>
No publishermariaSurveillanceInternet GovernanceSAFEGUARDS2014-02-22T13:50:37ZBlog EntryIndia's Biometric Identification Programs and Privacy Concerns
https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns
<b>The invasiveness of individual identification coupled with the fallibility of managing big data which biometric identification presents poses a huge risk to individual privacy in India.
</b>
<p> </p>
<hr />
<p style="text-align: justify;">Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. <em>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</em>.</p>
<hr />
<h3>Introduction</h3>
<p style="text-align: justify;">Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election ID’s, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet, the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.</p>
<h3 style="text-align: justify;">‘Big Data’ and Privacy Issues</h3>
<p style="text-align: justify;">Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging everyday,<a name="fr1" href="#fn1">[1]</a> the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.<a name="fr2" href="#fn2">[2]</a> The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial through analysing data trends to target improved services, for example, at the same time it can be problematic in case of a compromise or breach, or if generated information is analyzed to draw new and unintended conclusions about individuals without their consent, and using information for purposes the individuals did not mean for it to be used.</p>
<h3 style="text-align: justify;">Biometric ID and Theft of Private Data</h3>
<p style="text-align: justify;">The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that its potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owners consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because of the fact that it is unique and intrinsic, and hence, once lost cannot be re-issued or reclaimed like traditional identification like a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.</p>
<h3 style="text-align: justify;">Biometric data and Potential Misuse</h3>
<p style="text-align: justify;">Centralised data storage is problematic not only for the issues with data compromise and identity theft, but the problems of potential third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.<a name="fr4" href="#fn4">[4]</a> The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]</p>
<p style="text-align: justify;">A second, growing concern over biometric identification schemes is over the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.<a name="fr5" href="#fn5">[5]</a> Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.<a name="fr6" href="#fn6">[6]</a> With the precise and accurate identification which biometrics offers, it also means that individuals are that much easier to continuously survey and track, for example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.<a name="fr7" href="#fn7">[7]</a></p>
<p style="text-align: justify;">With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance, and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking, without the individuals knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.<a name="fr8" href="#fn8">[8]</a> Even if such such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime ,where individuals are not notified about the kind of data being collected and for what its being used, would be a huge affront on civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As was noted by the Deputy Prime Minister of the UK, Nick Clegg, in a speech where he denounced the Identity Scheme of the British government, saying that “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]</p>
<p style="text-align: justify;">Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, with lack of any guidelines or specific legal framework covering the implementation and collection of biometric data schemes, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above and these issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.</p>
<hr />
<p>[<a name="fn1" href="#fr1">1</a>]. <a href="http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections">http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections</a>.</p>
<p>[<a name="fn2" href="#fr2">2</a>]. <a href="http://www.wired.com/threatlevel/2008/03/hackers-publish">http://www.wired.com/threatlevel/2008/03/hackers-publish</a>.</p>
<p>[<a name="fn3" href="#fr3">3</a>].<a href="https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions">https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions</a>.</p>
<p>[<a name="fn4" href="#fr4">4</a>]. <a href="http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001">http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001</a>.</p>
<p>[<a name="fn5" href="#fr5">5</a>]. <a href="http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece">http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece</a>.</p>
<p>[<a name="fn6" href="#fr6">6</a>]. <a href="http://news.bbc.co.uk/2/hi/8691753.stm">http://news.bbc.co.uk/2/hi/8691753.stm</a></p>
<p>[<a name="fn7" href="#fr7">7</a>]. Supra note 1.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns'>https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns</a>
</p>
No publisherdivijSAFEGUARDSInternet GovernancePrivacy2016-07-21T10:51:42ZBlog EntryIndia Subject to NSA Dragnet Surveillance! No Longer a Hypothesis — It is Now Officially Confirmed
https://cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance
<b>As of last week, it is officially confirmed that the metadata of everyone´s communications is under the NSA´s microscope. In fact, the leaked data shows that India is one of the countries which is under NSA surveillance the most! </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC. This blog was <a class="external-link" href="http://www.medianama.com/2013/06/223-what-does-nsa-prism-program-mean-to-india-cis-india/">cross-posted in Medianama</a> on 24th June 2013. <br /></i></p>
<hr />
<p><span id="docs-internal-guid-5905db2c-6115-80fb-3332-1eaa5155c762"> </span></p>
<blockquote class="italized" dir="ltr" style="text-align: justify; "><span>¨Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”, the democratic senator, </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining">Ron Wyden, asked James Clapper</a><span>, the director of national intelligence a few months ago. “No sir”, replied Clapper.</span></blockquote>
<p dir="ltr" style="text-align: justify; "> </p>
<p dir="ltr" style="text-align: justify; "><span>True, the National Security Agency (NSA) does not collect data on millions of Americans. Instead, it collects data on billions of </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Americans, Indians, Egyptians, Iranians, Pakistanis and others</span></a><span> all around the world.</span></p>
<p><span> </span></p>
<h2>Leaked NSA surveillance</h2>
<p><span> </span></p>
<h3><span>Verizon Court Order</span></h3>
<p style="text-align: justify; ">Recently, the <a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order">Guardian released</a> a top secret order of the secret Foreign Intelligence Surveillance Court (FISA) requiring Verizon on an “ongoing, daily basis” to hand over information to the NSA on all telephone calls in its systems, both within the US and between the US and other countries. Verizon is one of America's largest telecoms providers and under a top secret court order issued on 25 April 2013, the communications records of millions of US citizens are being collected indiscriminately and in bulk supposedly until 19 July 2013. In other words, data collection has nothing to do with whether an individual has been involved in a criminal or terrorist activity or not. Literally everyone is potentially subject to the same type of surveillance.</p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><a href="http://yahoo.usatoday.com/news/washington/2006-05-10-nsa_x.htm"><span>USA Today reported in 2006</span></a><span> that the NSA had been secretly collecting the phone call records of millions of Americans from various telecom providers. However, the </span><a href="http://www.guardian.co.uk/world/interactive/2013/jun/06/verizon-telephone-data-court-order"><span>April 25 top secret order</span></a><span> is proof that the Obama administration is continuing the data mining programme begun by the Bush administration in the aftermath of the 09/11 terrorist attacks. While content data may not be collected, this dragnet surveillance includes </span><a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order"><span>metadata </span></a><span>such as the numbers of both parties on a call, location data, call duration, unique identifiers, the International Mobile Subscriber Identity (IMSI) number and the time and duration of all calls.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Content data may not be collected, but metadata can also be adequate to discover an individual's network of associations and communications patterns. </span><a href="https://www.privacyinternational.org/blog/top-secret-nsa-program-spying-on-millions-of-us-citizens"><span>Privacy and human rights concerns</span></a><span> rise from the fact that the collection of metadata can result in a highly invasive form of surveillance of citizens´ communications and lives.</span><a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order"><span> Metadata records can enable the US government to know the identity of every person with whom an individual communicates electronically</span></a><span>, as well as the time, duration and location of the communication. In other words, metadata is aggregate data and it is enough to spy on citizens and to potentially violate their right to privacy and other human rights.</span></p>
<p><span> </span></p>
<h3><span>PRISM</span></h3>
<p align="JUSTIFY">Recently, a secret NSA surveillance programme, code-named PRISM, was leaked by <a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html">The Washington Post</a>. Apparently, not only is the NSA gaining access to the meta data of all phone calls through the Verizon court order, but it is also tapping directly into the servers of nine leading Internet companies: Microsoft, Skype, Google, Facebook, YouTube, Yahoo, PalTalk, AOL and Apple. However, following these allegations, Google, Microsoft and Facebook recently asked the U.S. government to allow them to <a href="http://www.bbc.co.uk/news/business-22867185">disclose the security requests</a> they receive for handing over user data. It remains unclear to what extent the U.S. government is tapping into these servers.</p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Yet it appears that the </span><a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html"><span>PRISM online surveillance programme</span></a><span> enables the NSA to extract personal material, such as audio and video chats, photographs, emails and documents. The </span><a href="http://www.guardian.co.uk/world/2013/jun/09/prism-gchq-william-hague-statement"><span>Guardian reported</span></a><span> that PRISM appears to allow GCHQ, Britain's equivalent of the NSA, to secretly gather intelligence from the same internet companies. Following allegations that GCHQ tried to circumvent UK law by using the PRISM computer network in the US, the British foreign secretary, William Hague, stated that it is “fanciful nonsense” to suggest that GCHQ would work with an agency in another country to circumvent the law. Most notably, William Hague emphasized that reports that GCHQ are gathering intelligence from photos and online sites should not concern people who have nothing to hide! However, this implies that everyone is guilty until proven innocent...when actually, democracy mandates the opposite.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>James R. Clapper, the US Director of National Intelligence, </span><a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html"><span>stated</span></a><span>:</span></p>
<p><span> </span></p>
<blockquote class="italized" dir="ltr" style="text-align: justify; "><span>“</span><span>Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”</span></blockquote>
<p dir="ltr" style="text-align: justify; "><span>So essentially, Clapper stated that in the name of US national security, the personal data of billions of citizens around the world is being collected. By having access to data stored in the servers of some of the biggest Internet companies in the world, the NSA ultimately has access to the private data of almost all the Internet users in the world. </span></p>
<h3><span>Boundless Informant</span></h3>
<p dir="ltr" style="text-align: justify; "><span>And once the NSA has access to tons of data through the Verizon court order and the PRISM surveillance programme, how does it create patterns of intelligence and generally mine huge volumes of data? </span></p>
<p dir="ltr" style="text-align: justify; "><span>The Guardian released top secret documents about the NSA data mining tool, called </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Boundless Informant</span></a><span>; this tool is used to detail and map by country the volumes of information collected from telephone and computer networks. The focus of the Boundless Informant is to count and categorise the records of communication, known as metadata, and to record and analyse where its intelligence comes from. One of the leaked documents states that the tool is designed to give NSA officials answers to questions like: “What type of coverage do we have on country X”. According to the Boundless Informant documents, the NSA has been collecting 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013. During the same month, 97 billion pieces of intelligence from computer networks were collected worldwide. </span></p>
<p dir="ltr" style="text-align: justify; "><span>The following </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>“global heat map”</span></a><span> reveals how much data is being collected by the NSA from around the world:</span></p>
<p dir="ltr" style="text-align: justify; "><span><img src="https://cis-india.org/BoundlessInformantmap.jpg" alt="Boundless Informant: "Global Heat Map"" class="image-inline" title="Boundless Informant: "Global Heat Map"" /></span></p>
<p><span style="text-align: justify; ">The colour scheme of the above map ranges from green (least subjected to surveillance) through yellow and orange to red (most surveillance). India is notably orange and is thus subject to some of the highest levels of surveillance by the NSA in the world.</span></p>
<p dir="ltr" style="text-align: justify; "><span>During a mere 30-day period, the largest amount of intelligence was gathered from Iran with more than 14 billion reports, while Pakistan, Jordan and Egypt were next in line in terms of intelligence gathering. Unfortunately, India ranks 5th worldwide in terms of intelligence gathering by the NSA. According to the map above, 6.3 billion pieces of intelligence were collected from India by the NSA from February to March 2013. In other words, India is currently one of the top countries worldwide which is under the US microscope, with </span><a href="http://epaper.timesofindia.com/Default/Scripting/ArticleWin.asp?From=Archive&Source=Page&Skin=ETNEW&BaseHref=ETBG/2013/06/12&PageLabel=20&ForceGif=true&EntityId=Ar02002&ViewMode=HTML"><span>15% of all information</span></a><span> being tapped by the NSA coming from India during February-March 2013. </span></p>
<p dir="ltr" style="text-align: justify; "><a href="http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance"><span>Edward Snowden</span></a><span> is the 29-year-old man behind the NSA leaks...who is responsible for one of the most important leaks in US (and one may argue, global) history.</span></p>
<p dir="ltr" style="text-align: justify; "><span>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" height="350" width="425">
<param name="src" value="http://www.youtube.com/v/5yB3n9fu-rM"><embed height="350" width="425" src="http://www.youtube.com/v/5yB3n9fu-rM" type="application/x-shockwave-flash"> </embed>
</object>
</span></p>
<p><br /><span> </span></p>
<h2><span>So what does this all mean for India?</span></h2>
<p dir="ltr" style="text-align: justify; "><span>In his </span><a href="http://www.youtube.com/watch?v=Wl5OQz0Ko8c"><span>keynote speech at the 29th Chaos Communications Congress</span></a><span>, Jacob Appelbaum stated that surveillance should be an issue which concerns “everyone´s department”, especially in light of the NSA spying on citizens all over the world. True, the U.S. appears to have </span><a href="http://space.jpl.nasa.gov/msl/Programs/corona.html"><span>a history in spying on civilians</span></a><span>, and the Corona, Argon, and Lanyard satellites used by the U.S. for photographic surveillance from the late 1950s is proof of that. But how does all this affect India?</span></p>
<p dir="ltr" style="text-align: justify; "><span>By </span><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=1&"><span>tapping into the servers of some of the biggest Internet companies in the world,</span></a><span> such as Google, Facebook and Microsoft, the NSA does not only gain access to the data of American users, but also to that of Indian users. In fact, the “global heat map” of the controversial </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Boundless Informant</span></a><span> data mining tool clearly shows that India ranked 5th worldwide in terms of intelligence gathering, which means that not only is the NSA spying on Indians, but that it is also spying on India more than most countries in the world. Why is that a problem?</span></p>
<p dir="ltr" style="text-align: justify; "><span>India has no privacy law. India lacks privacy legislation which could safeguard citizens from potential abuse by different types of surveillance. But the worst part is that, even if India did have privacy laws, that would still not prevent the NSA from tapping into Indians´ data through the servers of Internet companies, such as Google. Moreover, the fact that India lacks a Privacy Commissioner means that the country lacks an expert authority who could address data breaches. </span></p>
<p dir="ltr" style="text-align: justify; "><span>Recent reports that the NSA is tapping into these servers ultimately means that the U.S. government has access to the data of Indian internet users. However, it remains unclear how the U.S. government is handling Indian data, which other third parties may have access to it, how long it is being retained for, whether it is being shared with other third parties or to what extent U.S. intelligence agencies can predict the behaviour of Indian internet users through pattern matching and data mining. </span></p>
<p dir="ltr" style="text-align: justify; "><span>Many questions remain vague, but one thing is clear: through the NSA´s total surveillance programme, the U.S. government can potentially control the data of billions of internet users around the world, and with this control arises the possibility of oppression. It´s not just about the U.S. government having access to Indians´ data, because access can lead to control and according to security expert, </span><a href="http://www.wired.com/politics/security/commentary/securitymatters/2008/05/securitymatters_0515"><span>Bruce Schneier</span></a><span>:</span></p>
<blockquote class="italized"><span> “Our data reflects our lives...and those who control our data, control our lives”. </span></blockquote>
<p dir="ltr" style="text-align: justify; "><span>How are Indians supposed to control their data, and thus their lives, when it is being stored in foreign servers and the U.S. has the “right” to tap into that data? The NSA leaks mark a significant point in our history, not only because they are resulting in </span><a href="http://www.bbc.co.uk/news/business-22867185"><span>corporations seeking data request transparency</span></a><span>, but also because they are unveiling a major global issue: surveillance is a fact and can no longer can be denied. The massive, indiscriminate collection of Indians´ data, without their prior knowledge or consent, and without the provision of guarantees in regards to how such data is being handled, poses major threats to their right to privacy and other human rights. The potential for abuse is real, especially since </span><a href="http://www.statsoft.com/textbook/data-mining-techniques/"><span>the larger the database, the larger the probability for error</span></a><span>. Mining more data does not necessarily increase security; on the contrary, it increases the potential for abuse, especially since </span><a href="http://dspace.flinders.edu.au/xmlui/bitstream/handle/2328/26269/wahlstrom%20on%20the%20impact.pdf;jsessionid=D948EDED21805D871C18E6E4B07DAE14?sequence=1"><span>technology is not infallible </span></a><span>and data trails are not always accurate.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>What does this mean? Well, probably the best case scenario is that an individual is targeted. The worst case scenario is that an individual is imprisoned (or maybe even </span><a href="http://www.time.com/time/world/article/0,8599,2097899,00.html"><span>murdered - remember the drones</span></a><span>?) because his or her data “says” that he or she is guilty. Is that the type of world we want to live in?</span></p>
<p><span> </span></p>
<h2><span>What can we do now?</span></h2>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Let´s start from the basics. India needs privacy legislation. India needs privacy legislation now. India needs privacy legislation now, more than ever.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Privacy legislation would regulate the collection, access to, sharing of, retention and disclosure of all personal data within India. Such legislation could also regulate surveillance and the interception of communications, in compliance with the right to privacy and other human rights. A Privacy Commissioner would also be established through privacy legislation, and this expert authority would be responsible for overseeing the enforcement of the Privacy Act and addressing data breaches. But clearly, privacy legislation is not enough. The various privacy laws of European countries have not prevented the NSA from tapping into the servers of some of the biggest Internet companies in the world and from gaining access to the data of millions of citizens around the world. Yet, privacy legislation in India should be a basic prerequisite to ensure that data is not breached within India and by those who may potentially gain access to Indian national databases.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>As a next- but immediate- step, the Indian government should demand answers from the NSA to the following questions:</span></p>
<p><span> </span></p>
<ul style="text-align: justify; ">
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>What type of data is collected from India and which parties have access to it?</span></p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>How long is such data retained for? Can the retention period be renewed and if so, for how long?</span></p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>Is data collected on Indian internet users shared with third parties? If so, which third parties can gain access to this data and under what conditions? Is a judicial warrant required?</span></p>
</li>
</ul>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>In addition to the above questions, the Indian government should also request all other information relating to Indians´ data collected through the PRISM programme, as well as proceed with a dialogue on the matter. Governments are obliged to protect their citizens from the abuse of their human rights, especially in cases when such abuse may occur from foreign agencies. Thus, the Indian government should ensure that the future secret collection of Indians´ data is prevented and that Internet companies are transparent and accountable in regards to who has access to their servers.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>On an individual level, Indians can protect their data by using encryption, such as </span><a href="http://www.gnupg.org/"><span>GPG encryption</span></a><span> for their emails and </span><a href="https://www.encrypteverything.ca/index.php/Setting_up_OTR_and_Pidgin"><span>OTR encryption</span></a><span> for instant messaging. </span><a href="https://www.torproject.org/"><span>Tor</span></a><span> is free software and an open network which enables online anonymity by bouncing communications around a distributed network of relays run by volunteers all around the world. Tor is originally short for “The Onion Router” and “onion routing” refers to the layers of encryption used. In particular, data is encrypted and re-encrypted multiple times and is sent to randomly selected Tor relays. Each relay decrypts a “layer” of encryption to reveal it only to the next relay in the circuit and the final relay decrypts the last “layer” of encryption. Essentially, Tor reduces the possibility of original data being understood in transit and conceals the routing of it.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>To avoid surveillance, the use of </span><a href="https://www.eff.org/https-everywhere"><span>HTTPS-Everywhere</span></a><span> in the </span><a href="https://www.torproject.org/download/download-easy.html"><span>Tor Browser</span></a><span> is recommended, as well as the use of combinations of additional software, such as </span><a href="https://addons.mozilla.org/en-us/thunderbird/addon/torbirdy/"><span>TorBirdy</span></a><span> and </span><a href="http://www.enigmail.net/home/index.php"><span>Enigmail</span></a><span>, OTR and </span><a href="https://joindiaspora.com/"><span>Diaspora</span></a><span>. </span><a href="https://blog.torproject.org/blog/prism-vs-tor"><span>Tor hidden services are communication endpoints </span></a><span>that are resistant to both metadata analysis and surveillance, which is why they are highly recommended in light of the NSA´s surveillance. An XMPP client that ships with an XMPP server and a Tor hidden service is a good example of how to avoid surveillance.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Protecting our data is more important now than ever. Why? Because global, indiscriminate, mass data collection is no longer a hypothesis: it´s a fact. And why is it vital to protect our data? Because if we don´t, we are ultimately sleepwalking into our control and oppression where basic human rights, such as freedom, would be a myth of the past.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>The </span><a href="http://necessaryandproportionate.net/"><span>principles</span></a><span> formulated by the Electronic Frontier Foundation and Privacy International on communication surveillance should be taken into consideration by governments and law enforcement agencies around the world. In short, these </span><a href="https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights"><span>principles</span></a><span> are:</span></p>
<p><span> </span></p>
<ul style="text-align: justify; ">
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Legality</b>: Limitations to the right to privacy must be prescribed by law</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Legitimate purpose</b>: Access to communications or communications metadata should be restricted to authorised public authorities for investigative purposes and in pursuit of a legitimate purpose</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Necessity</b>: Access to communications or communications metadata by authorised public authorities should be restricted to strictly and demonstrably necessary cases</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Adequacy</b>: Public authorities should be restricted from adopting or implementing measures that allow access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Competent authority</b>: Authorities must be competent when making determinations relating to communications or communications metadata</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Proportionality</b>: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Due process</b>: Governments must respect and guarantee an individual's human rights, that may interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>User notification</b>: Service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Oversight</b>: An independent oversight mechanism should be established to ensure transparency of lawful access requests</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Integrity of communications and systems</b>: Service providers are responsible for the secure transmission and retention of communications data or communications metadata</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Safeguards for international cooperation</b>: Mutual legal assistance processes between countries and how they are used should be clearly documented and open to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should ensure that authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Cost of surveillance</b>: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation</p>
</li>
</ul>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Applying these above principles is a prerequisite, but may not be enough. Now is the time to resist unlawful and non-transparent surveillance. Now is the time for </span><span>everyone </span><span>to fight for their right to be free.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span><i>Is a world without freedom worth living in?</i></span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance'>https://cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-11-06T10:20:46ZBlog EntryHow Surveillance Works in India
https://cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india
<b>When the Indian government announced it would start a Centralized Monitoring System in 2009 to monitor telecommunications in the country, the public seemed unconcerned. When the government announced that the system, also known as C.M.S., commenced in April, the news didn’t receive much attention. </b>
<hr />
<p style="text-align: justify; ">This article by Pranesh Prakash was <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/">published in the New York Times</a> on July 10, 2013.</p>
<hr />
<p style="text-align: justify; ">After a colleague at the Centre for Internet and Society wrote about the program and it was <a href="http://www.hrw.org/news/2013/06/07/india-new-monitoring-system-threatens-rights">lambasted</a> by Human Rights Watch, more reporters started covering it as a privacy issue. But it was ultimately the revelations by Edward J. Snowden about American surveillance that prompted Indians to ask questions about its own government’s surveillance programs.</p>
<p style="text-align: justify; ">In India, we have a strange mix of great amounts of transparency and very little accountability when it comes to surveillance and intelligence agencies. Many senior officials are happy to anonymously brief reporters about the state of surveillance, but there is very little that is officially made public, and still less is debated in the national press and in Parliament.</p>
<p style="text-align: justify; ">This lack of accountability is seen both in the way the Big-Brother acronyms (C.M.S., Natgrid, T.C.I.S., C.C.T.N.S., etc.) have been rolled out, as well as the murky status of the intelligence agencies.<span id="more-66746"> </span> No intelligence agency in India has been created under an act of Parliament with <a href="http://articles.timesofindia.indiatimes.com/2013-02-02/india/36703357_1_intelligence-agencies-ntro-intelligence-bureau">clearly established roles and limitations on powers</a>, and hence <a href="http://articles.timesofindia.indiatimes.com/2012-03-26/chennai/31239894_1_ib-intelligence-bureau-officer-r-n-kulkarni">there is no public accountability whatsoever</a>.</p>
<p style="text-align: justify; ">The absence of accountability has meant that the government has <a href="http://articles.economictimes.indiatimes.com/2006-02-04/news/27434344_1_illegal-phone-indian-telegraph-act-security-agencies">since 2006</a> <a href="http://articles.timesofindia.indiatimes.com/2011-05-12/india/29535755_1_security-agencies-cms-intercept">been working on the C.M.S.</a>, which will integrate with the <a href="http://mha.nic.in/writereaddata/13040930061_Tr-ITJ-290411.pdf">Telephone</a> <a href="http://www.coraltele.com/support/GetPresentations.ashx?id=33">Call</a> <a href="http://indiatoday.intoday.in/story/government-plans-to-tighten-phone-tapping-norms/1/137251.html">Interception System</a> that is also being rolled out. The cost: around 8 billion rupees ($132 million) — more than four times the initial estimate of 1.7 billion — and even more important, our privacy and personal liberty. Under their licensing terms, all Internet service providers and telecom providers are required to provide the government direct access to all communications passing through them. However, this currently happens in a decentralized fashion, and the government in most cases has to ask the telecoms for metadata, like call detail records, visited Web sites, IP address assignments, or to carry out the interception and provide the recordings to the government. Apart from this, the government uses equipment to gain access to <a href="http://www.outlookindia.com/article.aspx?265192">vast quantities of raw data traversing the Internet across multiple cities</a>, including the data going through the undersea cables that land in Mumbai.</p>
<p style="text-align: justify; ">With the C.M.S., the government will get <a href="http://www.thehindu.com/news/national/indias-surveillance-project-may-be-as-lethal-as-prism/article4834619.ece">centralized access to all communications metadata and content</a> traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.</p>
<table class="listing">
<tbody>
<tr>
<th>
<p style="text-align: center; "><img src="https://cis-india.org/home-images/Surveillance.png" alt="Internet Surfing" class="image-inline" title="Internet Surfing" /></p>
</th>
</tr>
<tr>
<td><span class="caption">A man surfing a Facebook page at an internet cafe in Guwahati, Assam, on Dec. 6, 2011. <br />Image Credit: </span><span class="credit">Anupam Nath/Associated Press</span></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">You might ask: Why is this a problem when the government already had the same access, albeit in a decentralized fashion? To answer that question, one has to first examine the law.</p>
<p style="text-align: justify; ">There are no laws that allow for <i>mass</i> surveillance in India. The two laws covering interception are the Indian Telegraph Act of 1885 and the Information Technology Act of 2000, as amended in 2008, and they restrict lawful interception to time-limited and targeted interception.The targeted interception both these laws allow ordinarily requires case-by-case authorization by either the home secretary or the secretary of the department of information technology.</p>
<p style="text-align: justify; ">Interestingly, the colonial government framed better privacy safeguards into communications interception than did the post-independence democratic Indian state. The Telegraph Act mandates that interception of communications can only be done on account of a public emergency or for public safety. If either of those two preconditions is satisfied, then the government may cite any of the following five reasons: “the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of an offense.” In 2008, the Information Technology Act copied much of the interception provision of the Telegraph Act but removed the preconditions of public emergency or public safety, and expands the power of the government to order interception for “investigation of any offense.” The IT Act thus very substantially lowers the bar for wiretapping.</p>
<p style="text-align: justify; ">Apart from these two provisions, which apply to interception, there are many laws that cover recorded metadata, all of which have far lower standards. Under the Code of Criminal Procedure, no court order is required unless the entity is seen to be a “postal or telegraph authority” — and generally e-mail providers and social networking sites are not seen as such.</p>
<p style="text-align: justify; ">Unauthorized access to communications data is not punishable per se, which is why a private detective who gained access to <a href="http://articles.timesofindia.indiatimes.com/2013-04-17/india/38615115_1_anurag-singh-arvind-dabas-naushad-ahmad-khan">the cellphone records of Arun Jaitley</a>, a Bharatiya Janata Party leader, has been charged under the weak provision on fraud, rather than invasion of privacy. While there is a provision in the Telegraph Act to punish unlawful interception, it carries a far lesser penalty (up to three years of imprisonment) than for a citizen’s failure to assist an agency that wishes to intercept or monitor or decrypt (up to seven years of imprisonment).</p>
<p style="text-align: justify; ">To put the ridiculousness of the penalty in <a href="https://cis-india.org/internet-governance/resources/it-procedure-and-safeguards-for-interception-monitoring-and-decryption-of-information-rules-2009/">Sections 69</a> and <a href="https://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009">69</a><a href="https://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009">B</a> of the IT Act provision in perspective, an Intelligence Bureau officer who spills national secrets <a href="http://www.vakilno1.com/bareacts/laws/the-intelligence-organisations-restriction-of-rights-act-1985.html">may be imprisoned up to three years. </a>And under the Indian Penal Code, failing to provide a document one is legally bound to provide to a public servant, the punishment can be <a href="http://indiankanoon.org/doc/54229/">up to one month’s imprisonment</a>. Further, a citizen who refuses to assist an authority in decryption, as one is required to under Section 69, may simply be exercising her <a href="http://lawcommissionofindia.nic.in/reports/180rpt.pdf">constitutional right against self-incrimination</a>. For these reasons and more, these provisions of the IT Act are arguably unconstitutional.</p>
<p style="text-align: justify; ">As bad as the IT Act is, legally the government has done far worse. In the licenses that the Department of Telecommunications grants Internet service providers, cellular providers and telecoms, there are provisions that require them to provide direct access to all communications data and content even without a warrant, which is not permitted by the existing laws on interception. The licenses also force cellular providers to have ‘bulk encryption’ of less than 40 bits. (Since G.S.M. network encryption systems like A5/1, A5/2, and A5/3 have a fixed encryption bit length of 64 bits, providers in India have been known use A5/0, that is, no encryption, thus meaning any person — not just the government — can use off-the-air interception techniques to listen to your calls.)</p>
<p style="text-align: justify; ">Cybercafes (but not public phone operators) are required to maintain detailed records of clients’ identity proofs, photographs and the Web sites they have visited, for a minimum period of one year. Under the rules designed as India’s data protection law (oh, the irony!), sensitive personal data has to be shared with government agencies, if required for “purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offenses.”</p>
<p style="text-align: justify; ">Along similar lines, in the rules meant to say when an Internet intermediary may be held liable for a user’s actions, there is a provision requiring the Internet company to “provide information or any such assistance to government agencies legally authorized for investigative, protective, cybersecurity activity.” (Incoherent, vague and grammatically incorrect sentences are a consistent feature of laws drafted by the Ministry of Communications and IT; one of the telecom licenses states: “The licensee should make arrangement for monitoring simultaneous calls by government security agencies,” when clearly they meant “for simultaneous monitoring of calls.”)</p>
<p style="text-align: justify; ">In a landmark 1996 judgment, the Indian Supreme Court held that <a href="http://indiankanoon.org/doc/87862/">telephone tapping is a serious invasion of an individual’s privacy</a> and that the citizens’ right to privacy has to be protected from abuse by the authorities. Given this, undoubtedly governments must have explicit permission from their legislatures to engage in any kind of broadening of electronic surveillance powers. Yet, without introducing any new laws, the government has surreptitiously granted itself powers — powers that Parliament hasn’t authorized it to exercise — by sneaking such powers into provisions in contracts and in subordinate legislation.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india'>https://cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india</a>
</p>
No publisherpraneshSAFEGUARDSInternet GovernancePrivacy2013-07-15T10:20:45ZBlog EntryHacking without borders: The future of artificial intelligence and surveillance
https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance
<b>In this post, Maria Xynou looks at some of DARPA´s artificial intelligence surveillance technologies in regards to the right to privacy and their potential future use in India. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p class="Normal1">Robots or computer systems controlling our thoughts is way beyond anything I have seen in science fiction; yet something of the kind may be a reality in the future. The US Defence Advanced Research Projects Agency (DARPA) is currently funding several artificial intelligence projects which could potentially equip governments with the most powerful weapon possible: mind control.</p>
<h2><b>Combat Zones That See (CTS)</b></h2>
<p><b><img src="http://farm5.staticflickr.com/4137/4749564682_9ab88cb4d1.jpg" /></b></p>
<p class="Normal1">Source: <span> </span><a href="http://www.flickr.com/photos/swanksalot/">swanksalot</a> on flickr</p>
<p class="Normal1">Ten years ago DARPA started funding the<a href="http://www.freerepublic.com/focus/f-news/939608/posts"> Combat Zones That See (CTS)</a> project, which aims to ´track everything that moves´ within a city through a massive network of surveillance cameras linked to a centralized computer system. Groundbreaking artificial intelligence software is being used in the project to identify and track all movement within cities, which constitutes Big Brother as a reality. The computer software supporting the CTS is capable of automatically identifying vehicles and provides instant alerts after detecting a vehicle with a license plate on a watch list. The software is also able to analyze the video footage and to distinguish ´normal´ from ´abnormal´ behavior, as well as to discover links between ´places, subjects and times of activity´ and to identify patterns. With the use of this software, the CTS constitute the world´s first multi-camera surveillance system which is capable of automatically analyzing video footage.</p>
<p class="Normal1">Although the CTS project was initially intended to be used for solely military purposes, its use for civil purposes, such as combating crime, remains a possibility. In 2003 DARPA stated that<span> <a class="external-link" href="http://www.wired.com/politics/law/news/2003/07/59471">40 million surveillance cameras were already in use around the </a></span><a class="external-link" href="http://www.wired.com/politics/law/news/2003/07/59471">world </a>by law enforcement agencies to combat crime and terrorism, with 300 million expected by 2005. <a href="http://www.wired.com/politics/law/news/2003/07/59471">Police</a> in the U.S. have stated that buying new technology which may potentially aid their work is an integral part of the 9/11 mentality. Considering the fact that literally millions of CCTV cameras are installed by law enforcement agencies around the world and that DARPA has developed the software that has the capability of automatically analyzing data gathered by CCTV cameras, it is very possible that law enforcement agencies are participating in the CTS network.</p>
<p class="Normal1">However if such a project was used for non-military level purposes, it could raise concerns in regards to data protection, privacy and human rights. As a massive network of surveillance cameras, the CTS ultimately could enable the sharing of footage between private parties and law enforcement agencies without individuals´ knowledge or consent. Databases around the world could be potentially linked to each other and it remains unclear what laws would regulate the access, use and retention of such databases by law enforcement agencies of multiple countries. Furthermore, there is no universal definition for ´normal´ and ´abnormal´ behaviour, thus if the software is used for its original purpose, to distinguish between “abnormal” and “normal” behaviour, and used beyond military purposes, then there is a potential for abuse, as the criteria for being monitored, and possibly arrested, would not be clearly set out.</p>
<h2><b>Mind´s Eye</b></h2>
<p><b><img src="http://farm9.staticflickr.com/8425/7775805386_8260b7836c.jpg" /></b></p>
<p class="Normal1">Source: <span> </span><a href="http://www.flickr.com/photos/58687716@N05/">watchingfrogsboil</a> on flickr</p>
<p class="Normal1">A camera today which is only capable of recording visual footage appears futile in comparison to what DARPA´s creating: a <a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/">thinking camera</a>. The Mind´s Eye project was launched in the U.S. in early 2011 and is currently developing smart cameras endowed with <a href="http://www.darpa.mil/Our_Work/I2O/Programs/Minds_Eye.aspx">´visual intelligence´</a>. This ultimately means that artificial intelligence surveillance cameras can not only record visual footage, but also automatically detect ´abnormal´ behavior, alert officials and analyze data in such a way that they are able to <a href="http://phys.org/news/2012-10-surveillance-tech-carnegie-mellon.html">predict future human activities and situations</a>.</p>
<p class="Normal1">Mainstream surveillance cameras already have visual-intelligence algorithms, but none of them are able to automatically analyze the data they collect. Data analysts are usually hired for analyzing the footage on a per instance basis, and only if a policeman detects ´something suspicious´ in the footage. Those days are over. <a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/">General</a><a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/"> </a><a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/">James Cartwright</a>, the vice chairman of the Joint Chiefs of Staff, stated in an intelligence conference that “Star[ing] at Death TV for hours on end trying to find the single target or see something move is just a waste of manpower.” Today, the Mind´s Eye project is developing smart cameras equipped with artificial intelligence software capable of identifying <a href="http://www.darpa.mil/Our_Work/I2O/Programs/Minds_Eye.aspx">operationally significant activity</a> and predicting outcomes.</p>
<p class="Normal1">Mounting these <a href="http://www.dailygalaxy.com/my_weblog/2011/01/minds-eye-darpas-new-thinking-camera-will-transform-the-world-of-surveillance.html">smart cameras on drones</a> is the initial plan; and while that would enable military operations, many ethical concerns have arisen in regards to whether such technologies should be used for ´civil purposes.´ Will law enforcement agencies in India be equipped with such cameras over the next years? If so, how will their use be regulated?</p>
<h2><b>SyNAPSE</b></h2>
<p><b><img src="http://farm9.staticflickr.com/8230/8384110298_da510e0347.jpg" /></b></p>
<p class="Normal1">Source: <span> </span><a href="http://www.flickr.com/photos/healthblog/">A Health Blog</a> on flickr</p>
<p class="Normal1">The <i>Terminator </i>could be more than just science fiction if current robots had artificial brains with similar form, function and architecture to the mammalian brain. DARPA is attempting this by funding HRL Laboratories, Hewlett-Packard and IBM Research to carry out this task through the <a href="http://www.artificialbrains.com/darpa-synapse-program">Systems of Neuromorphic Adaptive Plastic Scalable Electronics (SyNAPSE)</a> programme. Is DARPA funding the creation of the <i>Terminator</i>? No. Such artificial brains would be used to build robots whose intelligence matches that of mice and cats...for now.</p>
<p class="Normal1">SyNAPSE is a programme which aims to develop <a href="http://celest.bu.edu/outreach-and-impacts/the-synapse-project">electronic neuromorphic machine technology</a> which scales to biological levels. It started in the U.S. in 2008 and is scheduled to run until around 2016, while having received<a href="http://www.artificialbrains.com/darpa-synapse-program"> $102.6 million</a> in funding as of January 2013. The ultimate aim is to build an electronic microprocessor system that matches a mammalian brain in power consumption, function and size. As current programmable machines are limited by their computational capacity, which requires human-derived algorithms to describe and process information, SyNAPSE´s objective is to create <a href="http://www.darpa.mil/Our_Work/DSO/Programs/Systems_of_Neuromorphic_Adaptive_Plastic_Scalable_Electronics_(SYNAPSE).aspx">biological neural systems </a>which can autonomously process information in complex environments. Like the mammalian brain, SyNAPSE´s <a href="http://www.ibm.com/smarterplanet/us/en/business_analytics/article/cognitive_computing.html">cognitive computers</a> would be capable of automatically learning relevant and probabilistically stable features and associations, as well as of finding correlations, creating hypotheses and generally remembering and learning through experiences.</p>
<p class="Normal1">Although this original type of computational device could be beneficial to <a href="http://www.ibm.com/smarterplanet/us/en/business_analytics/article/cognitive_computing.html">predict natural disasters</a> and other threats to security based on its cognitive abilities, human rights questions arise if it were to be used in general for surveillance purposes. Imagine surveillance technologies with the capacity of a human brain. Imagine surveillance technologies capable of remembering your activity, analyzing it, correlating it to other facts and/or activities, and of predicting outcomes; and now imagine such technology used to spy on us. That might be a possibility in the future.</p>
<p class="Normal1">Such cognitive technology is still in an experimental phase and although it could be used to tackle threats to security, it could also potentially be used to monitor populations more efficiently. No such technology currently exists in India, but it could only be a matter of time before Indian law enforcement agencies start using such artificial intelligence surveillance technology to supposedly enhance our security and protect us.</p>
<h2><b>Brain-Computer Interface (BCI)</b></h2>
<p><b><br /></b></p>
<p><iframe frameborder="0" height="360" src="http://www.youtube.com/embed/qCSSBEXBCbY?feature=player_embedded" width="640"></iframe></p>
<p class="Normal1">Remember Orwell's ´<i>Thought Police</i>´? Was Orwell exaggerating just to get his point across? Well, the future appears to be much scarier than Orwell's vision depicted in <i>1984</i>. Unlike the ´<i>Thought Police</i>´ which merely arrested individuals who openly expressed ideas or thoughts which contradicted the Party´s dogma, today, technologies are being developed which can <i>literally </i>read our thoughts.</p>
<p class="Normal1">Once again, DARPA appears to be funding one of the world´s most innovative projects: the <a href="http://www.wired.com/opinion/2012/12/the-next-warfare-domain-is-your-brain/">Brain-Computer Interface (BCI)</a>. The human brain is far better at pattern matching than any computer, whilst computers have greater analytical speed than human brains. The BCI is an attempt to merge the two together, and to enable the human brain to control robotic devices and other machines. In particular, the BCI is comprised of a headset (an electroencephalograph -<a href="http://www.extremetech.com/wp-content/uploads/2012/08/brain-hacking-accuracy-chart.jpg"> an EEG</a>) with sensors that rest on the human scalp, as well as of software which processes brain activity. This enables the human brain to be linked to a computer and for an individual to control technologies without moving a finger, but by merely <i>thinking </i>of the action.</p>
<p class="Normal1">Ten years ago it was reported that the brains of <a href="http://www.newscientist.com/article/dn2237">rats</a> and <a href="http://news.bbc.co.uk/2/hi/health/3186850.stm">monkeys</a> could control robot arms through the use of such technologies. A few years later<a href="http://www.newscientist.com/article/dn4540"> brainstem implants</a> were developed to tackle deafness. Today, brain-computer interface technologies are able to directly link the human brain to computers, thus enabling paralyzed people to conduct computer activity by merely thinking of the actions, as well as<a href="http://www.cyborgdb.org/mckeever.htm"> to control robotic limbs with their thoughts</a>. BCIs appear to open up a new gateway for disabled persons, as all previously unthinkable actions, such as typing on a computer or browsing through websites, can now be undertaken by literally <i>thinking </i>about them, while using a BCI.</p>
<p class="Normal1">Brain-controlled robotic limbs could change the lives of disabled persons, but<a href="http://www.guardian.co.uk/science/2007/feb/09/neuroscience.ethicsofscience"> ethical concerns</a> have arisen in regards to the BCI´s mind-reading ability. If the brain can be used to control computers and other technologies, does that ultimately mean that computers can also be used to control the human brain? Researchers from the University of Oxford and Geneva, and the University of California, Berkley, have created a custom programme that was specially designed with the sole purpose of finding out <a href="http://www.extremetech.com/extreme/134682-hackers-backdoor-the-human-brain-successfully-extract-sensitive-data">sensitive data</a>, such as an individuals´ home location, credit card PIN and date of birth. Volunteers participated in this programme and it had up to 40% success in obtaining useful information. To extract such information, researchers rely on the <i>P300 response</i>, which is a very specific brainwave pattern that occurs when a human brain recognizes something that is meaningful, whether that is personal information, such as credit card details, or an enemy in a battlefield. According to <a href="http://www.digitaltrends.com/cool-tech/this-is-your-brain-on-silicon/">DARPA</a>:</p>
<blockquote class="italized"><i>´When a human wearing the EEG cap was introduced, the number of false alarms dropped to only five per hour, out of a total of 2,304 target events per hour, and a 91 percent successful target recognition rate was introduced.´</i></blockquote>
<p class="Normal1">This constitutes the human brain as<a class="external-link" href="http://www.wired.com/opinion/2012/12/the-next-warfare-domain-is-your-brain/"> a <span>new warfighting </span>domain</a> of the twenty-first century, as experiments have proven that the brain can control and maneuver quadcopter drones and other military technologies. Enhanced threat detection through BCI´s scan for P300 responses and the literal control of military operations through the brain, definitely appear to be changing the future of warfare. Along with this change, the possibility of manipulating a soldier´s BCI during conflict is real and could lead to absolute chaos and destruction.</p>
<p class="Normal1">Security expert, Barnaby Jack, of IOActive demonstrated the <a href="http://www.computerworld.com/s/article/9232477/Pacemaker_hack_can_deliver_deadly_830_volt_jolt">vulnerability of biotechnological systems</a>, which raises concerns that BCI technologies may also potentially be vulnerable and expose an individual's´ brain to hacking, manipulation and control by third parties. If the brain can control computer systems and computer systems are able to detect and distinguish brain patterns, then this ultimately means that the human brain can potentially be controlled by computer software.</p>
<p class="Normal1">Will BCI be used in the future to<a href="http://www.guardian.co.uk/science/2007/feb/09/neuroscience.ethicsofscience"> interrogate terrorists and suspects</a>? What would that mean for the future of our human rights? Can we have human rights if authorities can literally hack our brain in the name of national security? How can we be protected from abuse by those in power, if the most precious thing we have - our <i>thoughts</i> - can potentially be hacked? Human rights are essential because they protect us from those in power; but the <i>privacy of our thoughts</i> is even more important, because without it, we can have no human rights, no individuality.</p>
<p class="Normal1">Sure, the BCI is a very impressive technological accomplishment and can potentially improve the lives of millions. But it can also potentially destroy the most unique quality of human beings: their personal thoughts. Mind control is a vicious game to play and may constitute some of the scariest political novels as a comedy of the past. Nuclear weapons, bombs and all other powerful technologies seem childish compared to the BCI which can literally control our mind! Therefore strict regulations should be enacted which would restrict the use of BCI technologies to visually impaired or handicapped individuals. Though these technologies currently are not being used in India, explicit laws on the use of artificial intelligence surveillance technologies should be enacted in India, to help ensure that they do not infringe upon the right to privacy and other human rights.</p>
<p class="Normal1">Apparently, anyone can<a href="http://www.extremetech.com/extreme/134682-hackers-backdoor-the-human-brain-successfully-extract-sensitive-data"> buy Emotiv or Neurosky BCI online</a> to mind control their computer with only $200-$300. If the use of BCI was imposed in a top-down manner, then maybe there would be some hope that people would oppose its use for surveillance purposes; but if the idea of mind control is being socially integrated...the future of privacy seems bleak.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance'>https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:30:27ZBlog EntryDriving in the Surveillance Society: Cameras, RFID tags and Black Boxes...
https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes
<b>In this post, Maria Xynou looks at red light cameras, RFID tags and black boxes used to monitor vehicles in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">How many times in your life have you heard of people been involved in car accidents and of pedestrians being hit by red-light-running vehicles? What if there could be a solution for all of this? Well, several countries, including the United States, the United Kingdom and Singapore, have <a href="http://www.thenewspaper.com/rlc/docs/syn310.pdf">already adopted measures</a> to tackle vehicle accidents and fatalities, some of which include traffic enforcement cameras and other security measures. India is currently joining the league by not only installing red light cameras, but by also including radio frequency identification (RFID) tags on vehicles´ number plates, as well as by installing electronic toll collection systems and black boxes in some automobiles. Although such measures could potentially increase our safety, <a href="http://arstechnica.com/tech-policy/2012/09/your-car-tracked-the-rapid-rise-of-license-plate-readers/2/">privacy concerns</a> have arisen as it remains unclear how data collected will be used.<span> </span></p>
<h2><b>Red light cameras</b></h2>
<p style="text-align: justify; "><span>Last week, the Chennai police announced that it plans</span><a href="http://articles.timesofindia.indiatimes.com/2011-05-12/chennai/29535601_1_red-light-camera-system-red-light-cameras-traffic-signals"> to install traffic enforcement cameras</a><span>, otherwise known as red light cameras, at 240 traffic signals over the next months, in order to put an end to car thefts in the city. Red light cameras, which capture images of vehicles entering an intersection against a red traffic light, have been installed in Bangalore since </span><a href="http://www.traffictechnologytoday.com/news.php?NewsID=2767">early 2008</a><span> and a</span><a href="http://ibnlive.in.com/news/study-finds-red-light-cameras-cuts-crashes/142065-57-132.html"> study</a><span> indicates that they have reduced the traffic violation rates. A </span><a href="http://www.thenewspaper.com/rlc/docs/syn310.pdf">2003 report by the National Cooperative Highway Research Programme (NCHRP)</a><span> examined studies from the previous 30 years in the United States, the United Kingdom, Australia and Singapore and concluded that red light cameras ´improve the overall safety of intersections when they are used´.</span></p>
<p style="text-align: justify; "><span></span><span>However, how are traffic violation rates even measured? According to </span><a href="http://blogs.wsj.com/numbersguy/seeing-red-1208/">Barbara Langland Orban</a><span>, an associate professor of health policy and management at the University of South Florida:</span></p>
<blockquote class="italized"><i>“Safety is measured in crashes, in particular injury crashes, and violations are not a proxy for injuries. Also, violations can be whatever number an agency chooses to report, which is called an ‘endogenous variable’ in research and not considered meaningful as the number can be manipulated. In contrast, injuries reflect the number of people who seek medical care, which cannot be manipulated by the reporting methods of jurisdictions.”</i></blockquote>
<p style="text-align: justify; "><span>Last year, the Bombay state government informed the High Court that the </span><a href="http://www.indianexpress.com/news/cctvs-not-fit-to-detect-traffic-violations-state-to-hc/910392">100 CCTV cameras</a><span> installed at traffic junctions in 2006-2007 were unsuitable for traffic enforcement because they lacked the capacity of automatic processing. Nonetheless, red light cameras, which are capable of monitoring speed and intersections with stop signals, are currently being proliferated in India. Yet, questions remain: Do red light cameras adequately increase public safety? Do they serve financial interests? Do they violate driver´s </span><a href="http://www.thehindu.com/opinion/op-ed/of-constitutional-due-process/article436586.ece">due-process rights</a><span>?</span></p>
<h2 style="text-align: justify; "><b>RFID tags and Black Boxes</b></h2>
<p style="text-align: justify; "><span>A communication revolution is upon us, as Maharashtra state transport department is currently including radio </span><a href="http://www.dnaindia.com/mumbai/report_maharashtra-rto-spy-to-breathe-down-drivers-neck_1625521">frequency identification (RFID) tags on each and every number plate of vehicles</a><span>. This ultimately means that the state will be able to monitor your vehicle´s real-time movement and track your whereabouts. RFID tags are not only supposedly used to increase public safety by tracking down offenders, but to also streamline public transport timetables. Thus, the movement of buses and cars would be precisely monitored and would provide passengers minute-to-minute information at bus stops. Following the </span><a href="http://www.hsrpdelhi.com/Rule50.pdf">2001 amendment of Rule 50 of the Central Motor Vehicles Rules</a><span>, 1989, new number plates with RFID tags have been made mandatory for all types of motor vehicles throughout India.</span></p>
<p style="text-align: justify; "><span>RFID technology has also been launched at Maharashtra´s </span><a href="http://articles.timesofindia.indiatimes.com/2012-08-18/mumbai/33261046_1_rfid-stickers-border-check-posts">state border check-posts</a><span>. Since last year, the state government has been circulating RFID stickers to trucks, trailers and tankers, which would not only result in heavy goods vehicles not having to wait in long queues for clearance at check-posts, but would also supposedly put an end to corruption by RTO officials.</span></p>
<p style="text-align: justify; "><span>By </span><a href="http://articles.timesofindia.indiatimes.com/2013-03-07/mumbai/37530519_1_plazas-on-national-highways-toll-plazas-toll-collection">31 March 2014</a><span>, it is estimated that RFID-based electronic toll collection (ETC) systems will be installed on all national highways in India. According to </span><a href="http://netindian.in/news/2013/03/05/00023379/electronic-toll-collection-all-national-highways-march-2014-joshi">Dr. Joshi</a><span>, the Union Minister for Road Transport and Highways:</span></p>
<blockquote class="italized" style="text-align: justify; "><i>“</i><i>The RFID technology</i><i> shall expedite the clearing of traffic at toll plazas and the need of carrying cash shall also be eliminated when toll plazas shall be duly integrated with each other throughout India.”</i></blockquote>
<p style="text-align: justify; "><span>Although Dr. Joshi´s mission to create a quality highway network across India and to increase the transparency of the system seems rational, the ETC system raises privacy concerns, as it </span><a href="http://articles.timesofindia.indiatimes.com/2013-03-07/mumbai/37530519_1_plazas-on-national-highways-toll-plazas-toll-collection">uniquely identifies each vehicle</a><span>, collects data and provides general vehicle and traffic monitoring. This could potentially lead to a privacy violation, as India currently lacks adequate statutory provisions which could safeguard the use of our data from potential abuse. All we know is that our vehicles are being monitored, but it remains unclear how the data collected will be used, shared and retained, which raises concerns.</span></p>
<p style="text-align: justify; "><span>The cattle and pedestrians roaming the streets in India appear to have increased the need for the installation of an </span><a href="http://www.thehindu.com/news/national/article3636417.ece">Event Data Recorder (EDR)</a><span>, otherwise known as a black box, which is a device capable of recording information related to crashes or accidents. The purpose of a black box is to record the speed of the vehicle at the point of impact in the case of an accident and whether the driver had applied the brakes. This would help insurance companies in deciding whether or not to entertain insurance claims, as well as to determine whether a driver is responsible for an accident.</span></p>
<p style="text-align: justify; "><span>Black boxes for vehicles are already being designed, tested and installed in some vehicles in India at an affordable cost. In fact, manufacturers in India have recommended that the government make it </span><a href="http://www.thehindu.com/news/national/article3636417.ece">mandatory for cars</a><span> to be fitted with the device, rather than it being optional. But can we have privacy when our cars are being monitored? This is essentially a case of proactive monitoring which has not been adequately justified yet, as it remains unclear how information would be used, who would be authorised to use and share such information, and whether its use would be accounted for to the individual.</span></p>
<h2><b>Are monitored cars safer?</b></h2>
<p style="text-align: justify; "><span>The trade-off is clear: the privacy and anonymity of our movement is being monitored in exchange for the provision of safety. But are we even getting any safety in return? According to a </span><a href="http://www.fhwa.dot.gov/publications/research/safety/05049/05049.pdf">2005 Federal Highway Administration study</a><span>, although it shows a decrease in front-into-side crashes at intersections with cameras, an increase in rear-end crashes has also been proven. Other</span><a href="http://www.techdirt.com/articles/20091218/1100537428.shtml"> studies</a><span> of red light cameras in the US have shown that more accidents have occurred since the installation of traffic enforcement cameras at intersections. Although no such research has been undertaken in India yet, the effectiveness, necessity and utility of red light cameras remain ambiguous.</span></p>
<p style="text-align: justify; "><span>Furthermore, there have been </span><a href="http://www.usatoday.com/story/news/nation/2013/03/08/speed-camera-ruling/1974369/">claims</a><span> that the installation of red light cameras, ETCs, RFID tags, black boxes and other technologies do not primarily serve the purpose of public security, but financial gain. A huge debate has arisen in the United States on whether such monitoring of vehicles actually improves safety, or whether its primary objective is to serve financial interests. Red light cameras have already generated about $1.5 million in fines in the Elmwood village of Ohio, which leads critics to believe that the installation of such cameras has more to do with revenue enhancement than safety. The same type of question applies to India and yet a clear-cut answer has not been reached.</span></p>
<p style="text-align: justify; "><span>Companies which manufacture </span><a href="http://dir.indiamart.com/impcat/vehicle-tracking-systems.html">vehicle tracking systems</a><span> are widespread in India, which constitutes the monitoring of our cars a vivid reality. Yet, there is a lack of statutory provisions in India for the privacy of our vehicle´s real-time movement and hence, we are being monitored without any safeguards. Major privacy concerns arise in regards to the monitoring of vehicles in India, as the following questions have not been adequately addressed: What type of data is collected in India through the monitoring of vehicles? Who can legally authorize access to such data? Who can have access to such data and under what conditions? Is data being shared between third parties and if so, under what conditions?How long is such data being retained for?</span></p>
<p style="text-align: justify; "><span>And more importantly: Why is it important to address the above questions? Does it even matter if the movement of our vehicles is being monitored? How would that affect us personally? Well, the monitoring of our cars implies a huge probability that it´s not our vehicles per se which are under the microscope,</span><a href="http://www.farnish.plus.com/amatterofscale/mirrors/omni/surveillance.htm"> but us</a><span>. And while the tracking of our movement might not end us up arrested, interrogated, tortured or imprisoned tomorrow...it might in the future. As long as we are being monitored,</span><a href="http://www.samharris.org/blog/item/the-trouble-with-profiling"> we are all suspects</a><span> and we may potentially be treated as any other offender who is suspected to have committed a crime. The current statutory omission in India to adequately regulate the use of traffic enforcement cameras, RFID tags, black boxes and other technologies used to track and monitor the movement of our vehicles can potentially violate our due process rights and infringe upon our right to privacy and other human rights. Thus, the collection, access, use, analysis, sharing and retention of data acquired through the monitoring of vehicles in India should be strictly regulated to ensure that we are not exposed to our defenceless control.</span></p>
<h2><b>Maneuvering our monitoring</b></h2>
<p style="text-align: justify; "><span>Nowadays, surveillance appears to be the quick-fix solution for everything related to public security; but that does not need to be the case.</span></p>
<p style="text-align: justify; "><span>Instead of installing red light cameras monitoring our cars´ movements and bombarding us with fines, other ´simple´ measures could be enforced in India, such as</span><a href="http://d2dtl5nnlpfr0r.cloudfront.net/tti.tamu.edu/documents/0-4196-2.pdf"> increasing the duration of the yellow light</a><span> between the green and the red, </span><a href="http://www.motorists.org/red-light-cameras/alternatives">re-timing lights</a><span> so drivers will encounter fewer red ones or increasing the visibility distance of the traffic lights so that it is more likely for a driver to stop. Such measures should be enforced by governments, especially since the monitoring of our vehicles is not adequately justified.</span></p>
<p style="text-align: justify; "><span>Strict laws regulating the use of all technologies monitoring vehicles in India, whether red light cameras, RFID tags or black boxes, should be enacted now. Such regulations should clearly specify the terms of monitoring vehicles, as well as the conditions under which data can be collected, accessed, shared, used, processed and stored. The enactment of regulations on the monitoring of vehicles in India could minimize the potential for citizens´ due process rights to be breached, as well as to ensure that their right to privacy and other human rights are legally protected. This would just be another step towards preventing ubiquitous surveillance and if governments are interested in protecting their citizens´ human rights as they claim they do, then there is no debate on the necessity of regulating the monitoring of our vehicles. The question though which remains is:</span></p>
<blockquote class="quoted"><i>Should we be monitored at all?</i></blockquote>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes'>https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:26:33ZBlog EntryDraft International Principles on Communications Surveillance and Human Rights
https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights
<b>These principles were developed by Privacy International and the Electronic Frontier Foundation and seek to define an international standard for the surveillance of communications. The Centre for Internet and Society has been contributing feedback to the principles. </b>
<hr />
<p>The principles are still in draft form. The most recent version can be accessed <a class="external-link" href="http://necessaryandproportionate.net">here</a>. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Our goal is that these principles will provide civil society groups, industry, and governments with a framework against which we can evaluate whether current or proposed surveillance laws and practices are consistent with human rights. We are concerned that governments are failing to develop legal frameworks to adhere to international human rights and adequately protect communications privacy, particularly in light of innovations in surveillance laws and techniques.</p>
<p style="text-align: justify; ">These principles are the outcome of a consultation with experts from civil society groups and industry across the world. It began with a meeting in Brussels in October 2012 to address shared concerns relating to the global expansion of government access to communications. Since the Brussels meeting we have conducted further consultations with international experts in communications surveillance law, policy and technology.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">We are now launching a global consultation on these principles. Please send us comments and suggestions by January 3rd 2013, by emailing rights (at) eff (dot) org.</p>
<p style="text-align: justify; "><b>Preamble</b><br />Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and association, and is recognised under international human rights law.<a href="#fn2" name="fr2">[2]</a> Activities that infringe on the right to privacy, including the surveillance of personal communications by public authorities, can only be justified where they are necessary for a legitimate aim, strictly proportionate, and prescribed by law.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">Before public adoption of the Internet, well-established legal principles and logistical burdens inherent in monitoring communications generally limited access to personal communications by public authorities. In recent decades, those logistical barriers to mass surveillance have decreased significantly. The explosion of digital communications content and information about communications, or “communications metadata”, the falling cost of storing and mining large sets of data, and the commitment of personal content to third party service providers make surveillance possible at an unprecedented scale.<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">While it is universally accepted that access to communications content must only occur in exceptional situations, the frequency with which public authorities are seeking access to information about an individual’s communications or use of electronic devices is rising dramatically—without adequate scrutiny. <a href="#fn5" name="fr5">[5]</a> When accessed and analysed, communications metadata may create a profile of an individual's private life, including medical conditions, political and religious viewpoints, interactions and interests, disclosing even greater detail than would be discernible from the content of a communication alone. <a href="#fn6" name="fr6">[6]</a> Despite this, legislative and policy instruments often afford communications metadata a lower level of protection and do not place sufficient restrictions on how they can be subsequently used by agencies, including how they are data-mined, shared, and retained.</p>
<p style="text-align: justify; ">It is therefore necessary that governments, international organisations, civil society and private service providers articulate principles establishing the minimum necessary level of protection for digital communications and communications metadata (collectively "information") to match the goals articulated in international instruments on human rights— including a democratic society governed by the rule of law. The purpose of these principles is to:</p>
<ol>
<li style="text-align: justify; ">Provide guidance for legislative changes and advancements related to communications and communications metadata to ensure that pervasive use of modern communications technology does not result in an erosion of privacy.</li>
<li style="text-align: justify; ">Establish appropriate safeguards to regulate access by public authorities (government agencies, departments, intelligence services or law enforcement agencies) to communications and communications metadata about an individual’s use of an electronic service or communication media. </li>
</ol>
<p style="text-align: justify; ">We call on governments to establish stronger protections as required by their constitutions and human rights obligations, or as they recognize that technological changes or other factors require increased protection.</p>
<p style="text-align: justify; ">These principles focus primarily on rights to be asserted against state surveillance activities. We note that governments are required not only to respect human rights in their own conduct, but to protect and promote the human rights of individuals in general.<a href="#fn7" name="fr7">[7]</a> Companies are required to follow data protection rules and yet are also compelled to respond to lawful requests. Like other initiatives,<a href="#fn8" name="fr8">[8]</a> we hope to provide some clarity by providing the below principles on how state surveillance laws must protect human rights.</p>
<p><b>The Principles</b></p>
<p style="text-align: justify; "><b>Legality</b>: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process</p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow access to communications or communications metadata by authorised public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.</p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing access to communications or communications metadata by authorised public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.</p>
<p style="text-align: justify; "><b>Competent Authority</b>: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.</p>
<p style="text-align: justify; "><b>Proportionality</b>: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should <b>at a minimum</b> establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.</p>
<p style="text-align: justify; "><b>Due process</b>: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.<a href="#fn9" name="fr9">[9]</a>While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorisation by a competent authority, except when there is imminent risk of danger to human life. <a href="#fn10" name="fr10">[10]</a></p>
<p style="text-align: justify; "><b>User notification</b>: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.</p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations, and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.</p>
<p style="text-align: justify; "><b>Oversight</b>: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at a minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. <a href="#fn11" name="fr11">[11]</a></p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, <i>a priori</i> data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.</p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.</p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.</p>
<p style="text-align: justify; "><b>Cost of surveillance</b>: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.</p>
<p><b>Signatories</b></p>
<p><b>Organisations</b></p>
<ul>
<li>Article 19 (International)</li>
<li>Bits of Freedom (Netherlands)</li>
<li>Center for Internet & Society India (CIS India)</li>
<li>Derechos Digitales (Chile)</li>
<li>Electronic Frontier Foundation (International)</li>
<li>Privacy International (International)</li>
<li>Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (Canada)</li>
<li>Statewatch (UK)</li>
</ul>
<p><b>Individuals</b></p>
<ul>
<li>Renata Avila, human rights lawyer (Guatemala)</li>
</ul>
<hr />
<p><b>Footnotes</b></p>
<ol>
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]For more information about the background to these principles and the process undertaken, see https://www.privacyinternational.org/blog/towards-international-principles-on-communications-surveillance<br />[<a href="#fr2" name="fn2">2</a>]Universal Declaration of Human Rights Article 12, United Nations Convention on Migrant Workers Article 14, UN Convention of the Protection of the Child Article 16, International Covenant on Civil and Political Rights, International Covenant on Civil and Political Rights Article 17; regional conventions including Article 10 of the African Charter on the Rights and Welfare of the Child, Article 11 of the American Convention on Human Rights, Article 4 of the African Union Principles on Freedom of Expression, Article 5 of the American Declaration of the Rights and Duties of Man, Article 21 of the Arab Charter on Human Rights, and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; Johannesburg Principles on National Security, Free Expression and Access to Information, Camden Principles on Freedom of Expression and Equality.<br />[<a href="#fr3" name="fn3">3</a>]Martin Scheinin, “Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism,” p11, available at <a href="http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf">http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf</a>. See also General Comments No. 27, Adopted by The Human Rights Committee Under Article 40, Paragraph 4, Of The International Covenant On Civil And Political Rights, CCPR/C/21/Rev.1/Add.9, November 2, 1999, available at <a href="http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument">http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument</a>.<br />[<a href="#fr4" name="fn4">4</a>]Communications metadata may include information about our identities (subscriber information, device information), interests, including medical conditions, political and religious viewpoints (websites visited, books and other materials read, watched or listened to, searches conducted, resources used), interactions (origins and destinations of communications, people interacted with, friends, family, acquaintances), location (places and times, proximities to others); in sum, logs of nearly every action in modern life, our mental states, interests, intentions, and our innermost thoughts.<br />[<a href="#fr5" name="fn5">5</a>]For example, in the United Kingdom alone, there are now approximately 500,000 requests for communications metadata every year, currently under a self-authorising regime for law enforcement agencies, who are able to authorise their own requests for access to information held by service providers. Meanwhile, data provided by Google’s Transparency reports shows that requests for user data from the U.S. alone rose from 8888 in 2010 to 12,271 in 2011.<br />[<a href="#fr6" name="fn6">6</a>]See as examples, a review of Sandy Petland’s work, ‘Reality Mining’, in MIT’s Technology Review, 2008, available at <a href="http://www2.technologyreview.com/article/409598/tr10-reality-mining/">http://www2.technologyreview.com/article/409598/tr10-reality-mining/</a> and also see Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’, Communications of the ACM, Volume 47 Issue 3, March 2004, pages 77 - 82.<br />[<a href="#fr7" name="fn7">7</a>]Report of the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, May 16 2011, available at <a href="http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf">http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf</a><br />[<a href="#fr8" name="fn8">8</a>]The Global Network Initiative establishes standards to help the ICT sector protect the privacy and free expression of their users. See <a href="http://www.globalnetworkinitiative.org/">http://www.globalnetworkinitiative.org/</a><br />[<a href="#fr9" name="fn9">9</a>]As defined by international and regional conventions mentioned above.<br />[<a href="#fr10" name="fn10">10</a>]Where judicial review is waived in such emergency cases, a warrant must be retroactively sought within 24 hours.<br />[<a href="#fr11" name="fn11">11</a>]One example of such a report is the US Wiretap report, published by the US Court service. Unfortunately this applies only to interception of communications, and not to access to communications metadata. See <a href="http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx">http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx</a>. The UK Interception of Communications Commissioner publishes a report that includes some aggregate data but it is does not provide sufficient data to scrutinise the types of requests, the extent of each access request, the purpose of the requests, and the scrutiny applied to them. See <a href="http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top">http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top</a>.</p>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights'>https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:55:45ZBlog EntryDraft Human DNA Profiling Bill (April 2012): High Level Concerns
https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012
<b>In 2007 the Draft Human DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, with the objective of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked. The February 2012 Bill was drafted by the Department of Biotechnology. Another working draft of the Bill was created in April 2012. The most recent version of the Bill seeks to create DNA databases at the state, regional, and national level. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Each database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of establishing identity in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and creating a DNA board for overseeing the carrying out of the Act. Though it is important to carefully regulate the use of DNA for criminal purposes, and such a law is needed in India, the present working draft of the Bill is lacking important safeguards and contains overreaching provisions, which could lead to violation of individual rights. The text of the 2012 draft is still being discussed and has not been finalized. Below are high level concerns that CIS has with the April 2012 draft Human DNA Profiling Bill.</p>
<h3 style="text-align: justify; ">Broad offences and instances of when DNA can be collected</h3>
<p style="text-align: justify; ">The schedule of the Bill lists applicable instances for human DNA profiling and addition to the DNA database. Under this list, the Bill lays out nine Acts, for example the Indian Penal Code and the Protection of Civil Rights Act, and states that offences under these Acts are applicable instances of human DNA profiling. This allows the scope of the database to be expansive, as any individual who has committed an offence found under any of these Acts to be placed on the DNA database, and might include offences for which DNA evidence is not useful.</p>
<p style="text-align: justify; ">In the schedule under section C <b>Civil disputes and other civil matters </b>the Bill lists a number of civil disputes and civil matters for which DNA can be taken and entered onto the database. For example:</p>
<ul style="text-align: justify; ">
<li><i>(v) Issues relating to immigration or emigration </i></li>
<li><i>(vi) Issues relating to establishment of individual identity </i></li>
<li><i>(vii) Any other civil matter as may be specified by the regulations of the Board </i></li>
</ul>
<p style="text-align: justify; ">In these instances no crime has been committed and there is no justification for taking the DNA of the individual without their consent. In cases of civil disputes</p>
<p style="text-align: justify; "><b>Recommendation:<i> </i></b>Offences for which DNA can be collected must be criminal and must be specified individually by the Bill. When DNA is used in civil cases, the consent of the individual must be taken. In civil cases a DNA profile should not be stored on the database. DNA profiling and storage on a database should not be allowed in instances like v, vi, vii listed above.</p>
<h3 style="text-align: justify; ">Inadequate level of authorization for sharing of information</h3>
<p style="text-align: justify; ">The Bill allows for the DNA Data Bank Manager to determine when it is appropriate to communicate whether the DNA profile received is already contained in the Data Bank, and any other information contained in the Data Bank in relation to the DNA profile received.</p>
<ul style="text-align: justify; ">
<li>Section 35 (1): “…<i>shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency, or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely (a) as to whether the DNA profile received is already contained in the Data Bank; and (b) any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received.</i>”</li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: The Data Bank Manager should not be given the power to determine appropriate instances for the communication of information. Law enforcement agencies, DNA laboratories, etc. should be required to gain prior authorization, from the DNA Board, before requesting the disclosure of information from the DNA Data Bank Manager. Upon receiving proof of authorization, the DNA databank can share the requested information.</p>
<h3 style="text-align: justify; ">Inaccurate understanding of infallibility of DNA</h3>
<p>The preamble to the Bill inaccurately states:</p>
<p style="text-align: justify; "><i>The Dexoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any between two individuals, living or dead without any doubt.</i></p>
<p style="text-align: justify; "><b>Recommendation:<i> </i></b>The Bill should recognize that DNA evidence is not infallible. For example, false matches can occur based on the type of profiling system used, and that error can take place in the chain of custody of the DNA sample.</p>
<p style="text-align: justify; "><i>The “definition” of DNA profiling is too loose in the Bill. Any technology used to create DNA profiles is subject to error. The estimate of this error should be experimentally obtained, rather than being a theoretical projection.</i></p>
<h3 style="text-align: justify; ">Inadequate access controls</h3>
<p style="text-align: justify; ">The Bill only restricts access to information on the DNA database that relates to a victim or to a person who has been excluded as a suspect in relevant investigations.</p>
<p style="text-align: justify; "><i>Section 43: Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from a) a victim of an offence which forms or formed the object of the relevant investigation, or b) a person who has been excluded as a suspect in the relevant investigation.</i></p>
<p style="text-align: justify; "><b>Recommendation:</b> Though it is important that access is restricted in these instances, access should also be restricted for: volunteers, missing persons, and victims. Broad access to every index in the database should not be permitted when a DNA sample for a crime is being searched for a match. Ideally, a crime scene index will be created, and samples will only be compared to that specific crime scene. The access procedure should be transparent with regular information published in an annual report, minutes of oversight meetings taken, etc.</p>
<h3 style="text-align: justify; ">Lack of standards and process for collection of DNA samples</h3>
<p style="text-align: justify; ">In three places the Bill mentions that a procedure for the collection of DNA profiles will be established, yet no process is enumerated in the actual text of the Bill.</p>
<ul>
<li style="text-align: justify; "><i>Section 12 (w) “The Board will have the power to… specify by regulation, the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule. </i></li>
</ul>
<ul>
<li style="text-align: justify; "><i>Section 66(d) “The Central Government will have the power to make Rules pertaining to… The list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule under clause (w) of section 12. </i></li>
<li style="text-align: justify; "><i>Schedule: In the title “List of applicable instances of Human DNA Profiling and Sources and Manner of Collection of Samples for DNA Profiling”. But the schedule does not detail the manner of collection of samples for DNA profiling</i>.</li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: According to the Criminal Procedure Code, section 53 and 54, DNA samples can only be collected by certified medical professionals. This must be reflected by the Bill. The Bill should also state that the collection of DNA must take place in a secure location and in a secure manner. When DNA is collected, consent must be taken, unless the individual is convicted of a crime for which DNA evidence is directly relevant or the court has ordered the collection. When DNA is collected, personal identification information should not be sent with samples to laboratories, and all transfers of data (from police station to lab) must be secure. Upon collection, information regarding the collection of information and potential use and misuse of DNA information must be provided to the individual.</p>
<h3 style="text-align: justify; ">Inadequate appeal process</h3>
<p style="text-align: justify; ">The provisions in the Bill allow aggrieved individuals to bring complaints to the DNA Board. If the complaint is not addressed, the individual can take the complaint to the court. Though grievances can be taken to the Board and the court, it is not clear if the individual has the right to appeal the collection, analysis, sharing, and use of his/her DNA. The text of section 58 implies that the Board and the Central government will have the power to take action based on complaints. This power was not listed above in the sections where the powers of the board and the central government are defined, thus it is unclear what actions the Board or the Central Government would be able to take on complaint.</p>
<p style="text-align: justify; "><i>Section 58: No court shall take cognizance of any offence punishable under this Act or any rules or regulations made thereunder save on a complaint made by the Central Government or its officer or Board or its officer or any other person authorized by them: Provided that nothing contained in this sub-section shall prevent an aggrieved person from approaching a court, if upon his application to the Central Government or the Board, no action is taken by them within a period of three months from the date of receipt of the application.</i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Individuals should be allowed to appeal a decision to collect DNA or share a DNA profile, and take any grievance directly to the court. If the Board or the Central Government will have a role in hearing complaints, etc. These must be enumerated in the provisions of the Act.</p>
<h3 style="text-align: justify; ">Inclusion of population testing</h3>
<p style="text-align: justify; ">Though the main focus of the Bill is for the use of DNA in criminal and civil cases, the provisions of the Bill also allow for population testing and research to be done on collected samples.</p>
<p style="text-align: justify; "><i>Section 4: The Board shall consist of the following Members appointed from amongst persons of ability, integrity, and standing who have knowledge or experience in DNA profiling including.. (m) A population geneticist to be nominated by the President, Indian National Science Academy, Den Delhi-Member. </i></p>
<p style="text-align: justify; "><i>Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely, (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, or the purposes of identification research, protocol development or quality control provide that it does not contain any personally identifiable information and does not violate ethical norms. </i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Delete these provisions. If DNA testing is going to done for population analysis purposes, regulations for this must be provided for in a separate legislation, stored in separate database, informed consent taken from each participant, and an ethics board must be established. It is not sufficient or ethical to conduct population testing only on DNA samples from victims, offenders, suspects, and volunteers.</p>
<h3 style="text-align: justify; ">Provisions delegated to regulation that need to be incorporated into text of Bill</h3>
<p style="text-align: justify; ">The Bill empowers the board to formulate regulations for, and the Central Government to make Rules to, a number of provisions that should be within the text of the Bill itself. By leaving these provisions to Regulations and Rules, the Bill is a skeleton which when enacted will only allow for DNA Labs to be certified and DNA databases to be established. Aspects that need to be included as provisions include:</p>
<p style="text-align: justify; "><i>Section 12: The Board shall exercise and discharge the following functions for the purposes of this Act namely </i></p>
<ul>
<li style="text-align: justify; "><i>Section 12(j) – authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies.</i></li>
<li style="text-align: justify; "><i>Section 12(p) – making specific recommendations to (ii) ensure the accuracy, security, and confidentiality of DNA information, (iii) ensure the timely removal and destruction of obsolete, expunged or inaccurate DNA information (iv) take any other necessary steps required to be taken to protect privacy.</i></li>
<li style="text-align: justify; "><i>Section 12(w) – Specifying, by regulation, the list of applicable instances of human DNA profiling and the sources a manner of collection of samples in addition to the lists contained in the Schedule. </i></li>
<li style="text-align: justify; "><i>Section 12(u) – establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies.</i></li>
<li style="text-align: justify; "><i>Section 12(x) – Enumerating the guidelines for storage of biological substances and their destruction. </i></li>
</ul>
<p style="text-align: justify; "><i>Section 65(1) The Central Government may, by notification, make rules for carrying out the purposes of this Act</i></p>
<ul>
<li style="text-align: justify; "><i>Section 65 (c) – The officials who are authorized to receive the communication pertaining to information as to whether a person’s DNA profile is contained in the offenders’ index under sub-section (2) of section 35</i></li>
<li style="text-align: justify; "><i>Section 65 (d) – The manner in which the DNA profile of a person from the offenders’ index shall be expunged under sub-section (2) of section 37</i></li>
<li style="text-align: justify; "><i> Section 65 (e) – The manner in which the DNA profile of a person from the offender’s index shall be expunged under sub-section (3) of section 37 </i></li>
<li style="text-align: justify; "><i>Section 65 (h) – The manner in which access to the information in the DNA data Bank shall be restricted under section 43 </i></li>
<li style="text-align: justify; "><i>Section 65 (zg) – Authorization of other persons, if any, for collection of non-intimate forensic procedures under Part II of the Schedule. </i></li>
</ul>
<h3>Broad Language that needs to be specified or deleted</h3>
<p style="text-align: justify; ">There are a number of places in the Bill which use broad and vague language. This is problematic as it expands the potential scope of the Bill. Instances where broad language is used includes:</p>
<p>Preamble: <i>There is, thus, need to regulate the use of human DNA Profiles through an Act passed by the Parliament only for Lawful purposes of establishing identity in a criminal or civil proceeding and for other specified purposes.</i></p>
<ul>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (j) authorizing procedures for communications of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies. </i></li>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (y) undertaking any other activity which in the opinion of the Board advances the purposes of this Act. </i></li>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (z) performing such other functions as may be assigned to it by the Central Government from time to time. </i></li>
<li style="text-align: justify; "><i>Section 32: The indices maintained under sub-section (4) shall include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 15 of the Act and of records relating thereto, in accordance with the standards as may be specified by the regulations made by the Board.</i></li>
<li style="text-align: justify; "><i>Section 35 (1) On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Data Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank and shall communication, for purposes of the investigation or prosecution in a criminal offence, the following information…(a) as to whether the DNA profile received is already contained in the Data Bank and (b) any information other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received. (2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.</i></li>
<li style="text-align: justify; "><i>Section 39: All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule. Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part 1 of the Schedule for other purposes as may be specified by the regulations made by the board. </i></li>
<li style="text-align: justify; "><i>Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely (g) for any other purposes, as may be prescribed. </i></li>
<li style="text-align: justify; "><i>Schedule, C Civil disputes and other civil matters vii) any other civil matter as may be specified y the regulations made by the Board. </i></li>
</ul>
<p><b>Recommendation</b>: All broad and vague language should be deleted and replaced with specific language.</p>
<h3>Jurisdiction</h3>
<ul>
<li>Section 1(2) It extends to the whole of India.</li>
</ul>
<ul>
<li style="text-align: justify; ">Section 2(f) “Crime scene index” means an index of DNA profiles derived from forensic material found (i) at any place (whether within or outside of India) where a specified offence was, or is reasonably suspected of having been, committed. </li>
</ul>
<p style="text-align: justify; ">The validity of DNA profiles found outside of India is unclear as the Act only extends to the whole of India.</p>
<h3>Inconsistent provisions</h3>
<p style="text-align: justify; ">The Bill contains provisions that are inconsistent including:</p>
<ul>
<li style="text-align: justify; "><i>Preamble … from collection to reporting and also to establish a National DNA Data Bank and for matters connected therewith or incidental thereto. </i></li>
<li style="text-align: justify; "><i>Section 32 (1) The Central Government shall, by notification establish a National DNA Data Bank and as many Regional DNA Data Banks there under for every State or a group of States, as necessary. (2) Every State Government may, by notification establish a State DNA Data Bank which shall share the information with the National DNA Data Bank. The National DNA Data Bank shall receive DNA data from State DNA Data Banks…</i></li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: The introduction to the Bill states that only a National DNA Data Bank will be established, yet in the provisions of the Bill it states that Regional and State level DNA databanks will also be established. It should be clarified in the introduction to the Bill that state level, regional level, and a national level DNA database will be created.</p>
<h3 style="text-align: justify; ">Inadequate qualifications of DNA Data Bank Manager</h3>
<p style="text-align: justify; ">Section 33: “<i>The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member –Secretary of the Board. The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics.</i>”</p>
<p style="text-align: justify; "><b>Recommendation</b>: This is not sufficient qualifications. The DNA Data Bank Manager needs to have experience and expertise handling, working with, and managing DNA for forensic purposes.</p>
<h3 style="text-align: justify; ">Lack of restrictions on labs seeking certification</h3>
<p style="text-align: justify; ">According to section 16(2), before withdrawing approval granted to a DNA laboratory...the Board will give time to the laboratory...for taking necessary steps to comply with such directions...and conditions.” <br /><b>Recommendation</b>: This section should specify that during the time period of gaining certification, the DNA laboratory is not allowed to process DNA.</p>
<h3 style="text-align: justify; ">Incomplete terms for use of DNA in courts</h3>
<p style="text-align: justify; ">Section 45 of the Bill allows any individual undergoing a sentence of imprisonment or under sentence of death to apply to the court which convicted him for an order for DNA testing. The Bill lists seven conditions that must be met for this DNA evidence to be accepted and used in court. <br /><b>Recommendation</b>: This section speaks only to the use of DNA in courts upon request by a convicted individual. This section should lay down standards for all instances of use of DNA in courts. Included in this, the provision should clarify that when DNA is used, corroborating evidence will be required in courts, and if confirmatory samples will be taken from defendants. Individuals should also have the right to have a second sample taken and re-analyzed as a check, and individuals must have a right to obtain re-analysis of crime scene forensic evidence in the event of appeal.</p>
<h3 style="text-align: justify; ">Inadequate privacy protections</h3>
<p style="text-align: justify; ">Besides section 38 which requires that all DNA profiles, samples, and records are kept confidential, the Bill leaves all other privacy protections to be recommended by the DNA profiling Board.</p>
<p style="text-align: justify; "><i>Section 12(o) The Board shall exercise and discharge the following functions…“Making recommendation for provision of privacy protection laws, regulations and practices relating to access to, or use of, store DNA samples or DNA analyses with a view to ensure that such protections are sufficient.” </i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Basic privacy protections such as access, use, and storage of DNA samples should be written into the provisions of the Bill and not left as recommendations for the Board to make.</p>
<h2 style="text-align: justify; ">Missing Provisions</h2>
<ol> </ol><ol>
<li style="text-align: justify; "><b>Notification to the individual:</b> There are no provisions that ensure that notification is given to an individual if his/her information is legally accessed or shared. Notification to the individual would be appropriate in section 36, which allows for the sharing of DNA profiles with foreign states, and section 35, which allows for the sharing of information with a court, tribunal, law enforcement agency, or DNA laboratory. As part of the notification, an individual should be given the right to appeal the decision.</li>
<li style="text-align: justify; "><b>Consent: </b>There are no provisions which speak to consent being taken from individuals whose DNA is collected. Consent must be taken from volunteers, missing persons (or their families), victims, and suspects. DNA can be taken compulsorily from offenders after they have been convicted. If an individual refuses to provide a DNA sample, a judge can override the decisions and order that a DNA sample be taken. In all cases that DNA is collected without consent, it must be clear that DNA evidence is directly relevant to the case.</li>
<li style="text-align: justify; "><b>Right to request deletion of DNA profile from database: </b>There are no provisions which give volunteers (children volunteers when they become adults), victims, and missing persons the right to request that their profile be deleted from the DNA database. This could be provided in section 37 which speaks to the expunction of records of acquitted convicts. </li>
<li style="text-align: justify; "><b>Right of individuals to bring a private cause of action: </b>There are no provisions which give the individual the right to bring a privacy cause of action for the unlawful storage of private information in the national, regional, or state DNA database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database. </li>
<li style="text-align: justify; "><b>Right to review one's personal data: </b>There are no provisions that allow an individual to review his/her information contained on the state, regional, or national database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database. </li>
<li style="text-align: justify; "><b>Independence of DNA laboratories and DNA banks from the police: </b>There are no provisions which ensure that DNA laboratories and DNA data banks remain independent from the police. This is an important check in ensuring against the tampering of DNA evidence. </li>
<li style="text-align: justify; "><b>Established profiling standard: </b>The Bill does not mandate the use of one single profiling standard. This is important in order to minimize false matches occurring by chance and to ensure consistency across DNA testing and profiling. </li>
<li style="text-align: justify; "><b>Destruction of DNA samples: </b>There are no provisions mandating that original samples of DNA be deleted. DNA samples should be destroyed once the DNA profiles needed for identification purposes have been obtained from them – allowing for sufficient time for quality assurance (six months). Furthermore, only a barcode and no identifying details should be sent to labs with samples for analysis.</li>
</ol>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul style="text-align: justify; ">
</ul>
<ul>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012'>https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:36:59ZBlog EntryData Retention in India
https://cis-india.org/internet-governance/blog/data-retention-in-india
<b>As part of its privacy research, the Centre for Internet and Society has been researching upon data retention mandates from the Government of India and data retention practices by service providers. Globally, data retention has become a contested practice with regards to privacy, as many governments require service providers to retain more data for extensive time periods, for security purposes. Many argue that the scope of the retention is becoming disproportional to the purpose of investigating crimes. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<h3>The Debate around Data Retention</h3>
<p style="text-align: justify; ">According to the EU, data retention <i>“refers to the storage of traffic and location data resulting from electronic communications (not data on the content of the communications)”</i>.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">The debate around data retention has many sides, and walks a fine line of balancing necessity with proportionality. For example, some argue that the actual retention of data is not harmful, and at least some data retention is necessary to assist law enforcement in investigations. Following this argument, the abuse of information is not found in the retention of data, but instead is found by who accesses the data and how it is used. Others argue that any blanket or <i>a priori </i>data<i> </i>retention requirements are increasingly becoming disproportional and can lead to harm and misuse. When discussing data retention it is also important to take into consideration what type of data is being collected and by what standard is access being granted. Increasingly, governments are mandating that service providers retain communication metadata for law enforcement purposes. The type of authorization required to access retained communication metadata varies from context to context. However, it is often lower than what is required for law enforcement to access the contents of communications. The retention and lower access standards to metadata is controversial because metadata can encompass a wide variety of information, including IP address, transaction records, and location information — all of which can reveal a great deal about an individual.<a href="#fn2" name="fr2">[2] </a>Furthermore, the definition of metadata changes and evolves depending on the context and the type of information being generated by new technologies.</p>
<h3 style="text-align: justify; ">Data Retention vs. Data Preservation</h3>
<p style="text-align: justify; ">Countries have taken different stances on what national standards for data retention by service providers should be. For example, in 2006 the EU passed the Data Retention Directive which requires European Internet Service Providers to retain telecom and Internet traffic data from customers' communications for at least six months and upto two years. The stored data can be accessed by authorized officials for law enforcement purposes.<a href="#fn3" name="fr3">[3]</a> Despite the fact that the Directive pertains to the whole of Europe, in 2010 the German Federal Constitutional Court annulled the law that harmonized German law with the Data Retention Directive.<a href="#fn4" name="fr4">[4]</a> Other European countries that have refused to adopt the Directive include the Czech Republic and Romania.<a href="#fn5" name="fr5">[5]</a> Instead of mandating the retention of data, Germany, along with the US, mandates the 'preservation' of data. The difference being that the preservation of data takes place through a specified request by law enforcement, with an identified data set. In some cases, like the US, after submitting a request for preservation, law enforcement must obtain a court order or subpoena for further access to the preserved information.<a href="#fn6" name="fr6">[6]</a></p>
<h3>Data Retention in India</h3>
<p style="text-align: justify; ">In India, the government has established a regime of data retention. Retention requirements for service providers are found in the ISP and UASL licenses, which are grounded in the Indian Telegraph Act, 1885.</p>
<h3>ISP License</h3>
<p style="text-align: justify; ">According to the ISP License,<a href="#fn7" name="fr7">[7]</a> there are eight categories of records that service providers are required to retain for security purposes that pertain to customer information or transactions. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the records must be made available and provided. This language implies that records will be kept.</p>
<p>According to the ISP License, each ISP must maintain:<b><span> </span></b></p>
<p><span> </span></p>
<ul>
<span> </span>
<li><span><b><span>Users and Services</span></b></span>: A log of all users connected and the service they are using, which must be available in real time to the Telecom Authority. (Section 34.12).</li>
</ul>
<ul>
<li><span><b><span>Outward Logins or Telnet</span></b></span>: A log of every outward login or telnet through an ISPs computer must be available in real time to the Telecom Authority. (Section 34.12).</li>
</ul>
<ul>
<li><b><span><span>Packets</span>:</span></b> Copies of all packets originating from the Customer Premises Equipment of the ISP must be available in real time to the Telecom Authority. (Section 34.12).</li>
</ul>
<ul>
<li><b><span><span>Subscribers</span>:</span></b> A complete list of subscribers must be made available on the ISP website with password controlled access, available to authorized Intelligence Agencies at any time. (Section 34.12).</li>
<li style="text-align: justify; "><b><span><span>Internet Leased Line Customers</span>:</span></b> A complete list of Internet leased line customers and their sub-customers consisting of the following information: name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email. These must be made available on a password protected website (Section 34.14). The password and login ID must be provided to the DDG (Security), DoT HQ and concerned DDG(VTM) of DoT on a monthly basis. The information should also be accessible to authorized government agencies (Section 34.14).</li>
</ul>
<ul>
<li style="text-align: justify; "><b><span><span>Diagram Records and Reasons</span>:</span></b> A record of complete network diagram of set-up at each of the internet leased line customer premises along with details of connectivity must be made available at the site of the service provider. All details of other communication links (PSTN, NLD, ILD, WLL, GSM, other ISP) plus reasons for taking the links by the customer must be recorded before the activation of the link. These records must be readily available for inspection at the respective premises of all internet leased line customers (Section 34.18).</li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span><span>Commercial Records</span>:</span></span></b><span> All commercial records with regard to the communications exchanged on the network must be maintained for a year (Section 34.23).</span><b><span><span> </span></span></b></p>
</li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><b><span><span><span>Location</span>:</span></span></b> The service provider should be able to provide the geographical location of any subscriber at a given point of time (Section 34.28(x).</p>
<span> </span></li>
<span> </span>
<li style="text-align: justify; "><span> </span><b><span><span><span>Remote Activities</span>:</span></span></b><span> A complete audit trail of the remote access activities pertaining to the network operated in India. These must be retained for a period of six months, and must be provided on request to the licensor or any other agency authorized by the licensor (Section 34.28 (xv).</span></li>
</ul>
<h3>UASL License</h3>
<p style="text-align: justify; ">According to the UASL License<a href="#fn8" name="fr8">[8]</a>, <span>there are twelve categories of records that ISP’s are required to retain that pertain to costumer information or transactions for security purposes. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the information must be provided and made available when requested. This language implies that records will be kept. </span></p>
<p style="text-align: justify; "><span>According to the license, service providers must maintain and make available: </span></p>
<p style="text-align: justify; "> </p>
<ul>
<li style="text-align: justify; "><span><span><span> </span></span></span><b><span><span>Numbers</span></span><span>: </span></b><span>Called/calling party mobile/PSTN numbers when required. Telephone numbers of any call-forwarding feature when required (Section 41.10).</span></li>
<li style="text-align: justify; "> <b><span><span>Interception records: </span></span></b><span>Time, date and duration of interception when required (Section 41.10).</span></li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span>Location:</span></span></b><span> Location of target subscribers. For the present, cell ID should be provided for location of the target subscriber when required (Section 41.10).</span><b><span><span> </span></span></b></p>
</li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><b><span><span>All call records:</span></span></b><span> All call data records handled by the system when required (Section 41.10). This includes:</span><b><span><span><br /></span></span></b></p>
<ol>
<li><b><span><span>Failed call records:</span></span></b><span> Call data records of failed call attempts when required. (Section 41.10).</span></li>
<li><b><span><span>Roaming subscriber records</span></span></b><span>: Call data records of roaming subscribers when required. (Section 41.10)</span></li>
</ol></li>
<li style="text-align: justify; "><b><span><span>Commercial records: </span></span></b><span>All commercial records with regards to the communications exchanged on the network must be retained for one year (Section 41.17).</span></li>
<li style="text-align: justify; "> <b><span><span>Outgoing call records: </span></span></b><span>A record of checks made on outgoing calls completed by customers who are making large outgoing calls day and night to various customers (Section 41.19(ii)).</span></li>
<li style="text-align: justify; "> <b><span><span>Calling line Identification:</span></span></b><span> A list of subscribers including address and details using calling line identification should be kept in a password protected website accessible to authorized government agencies (Section 41.19 (iv)).</span></li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span>Location:</span></span></b><span> The service provider must be able to provide the geographical location of any subscriber at any point of time (Section 41.20(x)).</span></p>
</li>
<li style="text-align: justify; "> <b><span><span>Remote access activities:</span></span></b><span><span> </span>Complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months (Section<span> </span>41.20 (xv)).</span></li>
</ul>
<h3>RTI Request to <a href="https://cis-india.org/internet-governance/blog/bsnl-rti" class="internal-link">BSNL</a> and <a href="https://cis-india.org/internet-governance/blog/mtnl-rti-request.pdf" class="internal-link">MTNL</a><span> </span></h3>
<p style="text-align: justify; "><span>On September 10,<sup></sup> 2012, the Centre for Internet and Society sent an RTI to MTNL and BSNL with the following questions related to the respective data retention practices: </span></p>
<p style="text-align: justify; "> </p>
<ul type="disc">
<li class="MsoNormal"><span>Does MTNL/BSNL store the following information/data:</span></li>
<ul type="circle">
<li class="MsoNormal"><span>Text message detail (To and from cell numbers, timestamps)</span></li>
<li class="MsoNormal"><span>Text message content (The text and/or data content of the SMS or MMS)</span></li>
<li class="MsoNormal"><span>Call detail records (Inbound and outbound phone numbers, call duration)</span></li>
<li class="MsoNormal"><span>Bill copies for postpaid and recharge/top-up billing details for prepaid</span></li>
<li class="MsoNormal"><span>Location data (Based on cell tower, GPS, Wi-Fi hotspots or any combination thereof)</span></li>
</ul>
<li class="MsoNormal"><span>If it does store data then</span></li>
<ul type="circle">
<li class="MsoNormal"><span>For what period does MTNL/BSNL store: SMS and MMS messages, cellular and mobile data, customer data?</span></li>
<li class="MsoNormal"><span>What procedures for retention does MTNL/BSNL have for: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What procedures for deletion of: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What security procedures are in place for SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
</ul>
</ul>
<h3>BSNL Response</h3>
<p>BSNL replied by stating that it stores at least three types of information including:</p>
<p></p>
<p> </p>
<ol type="1">
<li style="text-align: justify; "><span><span> </span>IP session information - connection start end time, bytes in and out (three years offline)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>MAC address of the modem/router/device (three years offline)</span></li>
<li class="MsoNormal"><span>Bill copies for post paid and recharge/top up billing details for prepaid. Billing information of post paid Broadband are available in CDR system under ITPC, prepaid voucher details (last six months).</span></li>
</ol>
<h3>MTNL Response</h3>
<p>MTNL replied by stating that it stores at least () types of information including:</p>
<p></p>
<p> </p>
<ol type="1">
<li class="MsoNormal" style="text-align:justify; "><span>Text message details (to and from cell number, timestamps) in the form of CDRs<span> </span>(one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Call detail records including inbound and outbound phone numbers and call duration (one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Bill copies from postpaid (one year) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Recharge details for prepaid (three months) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Location of the mobile number if it has used the MTNL GSM/3GCDMA network (one year)</span></li>
</ol>
<p class="MsoNormal" style="text-align:justify; "><span>It is interesting that BSNL stores information that is beyond the required time period required in both the ISP and the UASL licenses. The responses to the RTI showed that each service provider also stores different types of information. This could or could not be the actual case, as each question could have been interpreted differently by the responding officer.<span> </span></span></p>
<h3><span><span>Conclusion </span></span></h3>
<p> <span>The responses to the RTI from BSNL and MTNL are a step towards understanding data retention practices in India, but there are still many aspects about data retention in India which are unclear including:</span></p>
<ul>
<li><span><span><span> </span></span></span><span>What constitutes a ‘commercial record’ which must be stored for one year by service providers?</span><span> </span></li>
<li><span>How much data is retained by service providers on an annual basis?</span><span> </span></li>
<li><span>What is the cost involved in retaining data? For the service provider? For the public?</span><span> </span></li>
<li><span>How frequently is retained information accessed by law enforcement? What percentage of the data is accessed by law enforcement?</span><span> </span></li>
<li><span>How many criminal and civil cases rely on retained data?</span><span> </span></li>
<li><span>What is the authorization process for access to retained records? Are these standards for access the same for all types of retained data?</span></li>
</ul>
<p class="MsoListParagraph" style="text-align:justify; "><span>Having answers to these questions would be useful for determining if the Indian data retention regime is proportional and effective. It would also be useful in determining if it would be meaningful to maintain a regime of data retention or switch over to a more targeted regime of data preservation. </span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>Though it can be simple to say that a regime of data preservation is the most optimal choice as it gives the individual the greatest amount of immediate privacy protection, <span> </span></span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>A regime of data preservation would mean that all records would be treated like an interception, where the police or security agencies would need to prove that a crime was going to take place or is in the process of taking place and then request the ISP to begin retaining specific records. This approach to solving crime would mean that the police would never use retained data or historical data as part of an investigation – to either solve a case or to take the case to the next level.<span> </span>If Indian law enforcement is at a point where they are able to concisely identify a threat and then begin an investigation is a hard call to make. It is also important to note that though preservation of data can reduce the risk to individual privacy as it is not possible for law enforcement to track individuals based off of their historical data and access large amounts of data about an individual, preservation does not mean that there is no possibility for abuse. Other factors such as:</span></p>
<p></p>
<ul>
<li><span><span><span> </span></span></span><span>Any request for preservation and access to records must be legitimate and proportional</span></li>
<li><span>Accessed and preserved records must be used only for the purpose indicated </span></li>
</ul>
<ul>
<li><span><span><span> </span></span></span><span>Accessed and preserved records can only be shared with authorized authorities</span></li>
</ul>
<ul>
<li><span><span><span> </span></span></span><span>Any access to preserved records that do not pertain to an investigation must be deleted </span></li>
</ul>
<p></p>
<p> </p>
<p class="MsoListParagraph" style="text-align:justify; "><span>These factors must be enforced through the application of penalties for abuse of the system. These factors can also be applied to not only a data preservation regime, but also a data retention regime and are focused on preventing the actual abuse of data after retained. That said, before an argument for either data retention or data preservation can be made for India it is important to understand more about data retention practices in India and use of retained data by Indian law enforcement and access controls in place. </span></p>
<p></p>
<ul>
</ul>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>].<span><span><span> </span></span></span>European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31st 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21st 2013<br />[<a href="#fr2" name="fn2">2</a>].Draft International Principles on Communications Surveillance and Human Rights: <a class="external-link" href="http://bit.ly/UpGA3D">http://bit.ly/UpGA3D</a><br />[<a href="#fr3" name="fn3">3</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a><a href="http://europa.eu/rapid/press-release_IP-12-530_en.htm"></a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr4" name="fn4">4</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr5" name="fn5">5</a>]. Tiffen, S. Sweden passes controversial data retention directive. DW. March 22 2012. Available at: <a class="external-link" href="http://bit.ly/WOfzaX">http://bit.ly/WOfzaX</a>. Last Accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr6" name="fn6">6</a>]. Kristina, R. The European Union's Data Retention Directive and the United State's Data Preservation Laws: Fining the Better Model. 5 Shilder J.L. Com. & Tech. 13 (2009) available at: <a class="external-link" href="http://bit.ly/VoQxQ9">http://bit.ly/VoQxQ9</a>. Last accessed: January 21<sup>st</sup> 2013<br />[<a href="#fr7" name="fn7">7</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Internet Services.<br />[<a href="#fr8" name="fn8">8</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Unified Access Services after Migration from CMTS. Amended December 3<sup>rd</sup> 2009.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/data-retention-in-india'>https://cis-india.org/internet-governance/blog/data-retention-in-india</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:51:13ZBlog EntryComparative Analysis of DNA Profiling Legislations from Across the World
https://cis-india.org/internet-governance/blog/comparative-analysis-of-dna-profiling-legislations-across-the-world
<b>With the growing importance of forensic data in law enforcement and research, many countries have recognized the need to regulate the collection and use of forensic data and maintain DNA databases. Across the world around 60 countries maintain DNA databases which are generally regulated by specific legislations. Srinivas Atreya provides a broad overview of the important provisions of four different legislations which can be compared and contrasted with the Indian draft bill.
</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">Efforts to regulate the collection and use of DNA data were started in India in 2007 by the Centre for DNA Fingerprinting and Diagnostics through their draft DNA Profiling Bill. Although the bill has evolved from its original conception, several concerns with regard to human rights and privacy still remain. The draft bill heavily borrows the different aspects related to collection, profiling and use of forensic data from the legislations of the United States, United Kingdom, Canada and Australia.</p>
<hr />
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/comparative-analysis-dna-profiling-bill.xlsx" class="internal-link"><b>Click</b> to find an overview of a comparative analysis of DNA Profiling Legislations</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparative-analysis-of-dna-profiling-legislations-across-the-world'>https://cis-india.org/internet-governance/blog/comparative-analysis-of-dna-profiling-legislations-across-the-world</a>
</p>
No publisheratreyaSAFEGUARDSInternet GovernancePrivacy2013-07-12T11:30:17ZBlog EntryComments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011
<b>Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Sensitive Personal Data Rules. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p><b>I <span><span>Preliminary</span></span></b></p>
<p style="text-align: justify; ">1.1 The Centre for Internet and Society (<b>“CIS”</b>) is pleased to present this submission on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on 11 April 2011 (<b>“Sensitive Personal Data Rules” or “Rules”</b>) to the Committee on Subordinate Legislation of the Fifteenth Lok Sabha.</p>
<p style="text-align: justify; ">1.2 The protection of personal information lies at the heart of the right to privacy; and, for this reason, it is an imperative legislative and policy concern in liberal democracies around the world. In India, although remedies for invasions of privacy exist in tort law and despite the Supreme Court of India according limited constitutional recognition to the right to privacy<a href="#fn1" name="fr1">[1]</a>, there have never been codified provisions protecting the privacy of individuals and their personal information.</p>
<p style="text-align: justify; ">The Sensitive Personal Data Rules represent India’s first legislative attempt to recognise that all persons have a right to protect the privacy of their personal information. However, the Rules suffer from numerous conceptual, substantive and procedural weaknesses, including drafting defects, which demand scrutiny and rectification. The interpretation and applicability of the Rules was further confused when, on 24 August 2011, the Department of Information Technology of the Ministry of Communications attempted to reinterpret the Rules through a press release oblivious to the universally accepted basic proposition that law cannot be made or reinterpreted via press releases.<a href="#fn2" name="fr2">[2]</a> Therefore, the attention of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha is called to the following submissions:</p>
<p style="text-align: justify; "><b>II <span>Principles to Facilitate Appraisal</span></b><br />2.1 The Sensitive Personal Data Rules are an important step towards building a legal regime that protects the privacy of individuals whilst enabling the secure collection, use and storage of personal information by state and private entities. The Rules are to be welcomed in principle. However, at present, the Rules construct an incomplete regime that does not adequately protect privacy and, for this reason, falls short of internationally accepted data protection standards.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">This not only harms the personal liberties of Indian citizens, it also affects the ability of Indian companies to conduct commerce in foreign countries. More importantly, the Rules offer no protection against the state.</p>
<p>2.2 To enact a comprehensive personal information protection regime, CIS believes that the Rules should proceed on the basis of the following broad principles:</p>
<p>(a) <span>Principle of Notice / Prior Knowledge</span></p>
<p style="text-align: justify; ">All persons from whom personal information is collected have a right to know, before the personal information is collected and, where applicable, at any point thereafter: (i) of an impending collection of personal information; (ii) the content and nature of the personal information being collected; (iii) the purpose for which the personal information is being collected; (iv) the broad identities of all natural and juristic persons who will have access to the collected personal information; (v) the manner in which the collected personal information will be used; (vi) the duration for which the collected personal information will be stored; (vii) whether the collected personal information will be disclosed to third parties including the police and other law enforcement agencies; (viii) of the manner in which they may access, check, modify or withdraw their collected personal information; (ix) the security practices and safeguards that will govern the sanctity of the collected personal information; (x) of all privacy policies and other policies in relation to the collected personal information; (xi) of any breaches in the security, safety, privacy and sanctity of the collected personal information; and, (xii) the procedure for recourse, including identities and contact details of ombudsmen and grievance redress officers, in relation to any misuse of the collected personal information.</p>
<p>(b) <span>Principle of Consent</span></p>
<p style="text-align: justify; ">Personal information must only be collected once the person to whom it pertains has consented to its collection. Such consent must be informed, explicit and freely given. Informed consent is conditional upon the fulfilment of the principle of notice/prior knowledge set out in the preceding paragraph. Consent must be expressly given: the person to whom the personal information to be collected pertains must grant explicit and affirmative permission to collect personal information; and, he must know, or be made aware, of any action of his that will constitute such consent. Consent that is obtained using threats or coercion, such as a threat of refusal to provide services, does not constitute valid consent. Any person whose personal information has been consensually collected may, at any time, withdraw such consent for any or no reason and, consequently, his personal information, including his identity, must be destroyed. When consent is withdrawn in this manner, the person who withdrew consent may be denied any service that requires the use of the personal information for which consent was withdrawn.</p>
<p>(c) <span>Principle of Necessity / Collection Limitation</span></p>
<p style="text-align: justify; ">Personal information must only be collected when, where and to the extent necessary. Necessity cannot be established in general; there must be a specific nexus connecting the content of the personal information to the purpose of its collection. Only the minimal amount of personal information necessary to achieve the purpose should be collected. If a purpose exists that warrants a temporally specific, or an event-dependent, collection of personal information, such a collection must only take place when that specific time is reached or that event occurs. If the purpose of personal information is dependent upon, or specific to, a geographical area or location, that personal information must only be collected from that geographical area or location.</p>
<p>(d) <span>Right to be Forgotten / Principle of Purpose Limitation</span></p>
<p style="text-align: justify; ">Once collected, personal information must be processed, used, stored or otherwise only for the purpose for which it was collected. If the purpose for which personal information was collected is achieved, the collected personal information must be destroyed and the person to whom that personal information pertained must be ‘forgotten.’ Similarly, collected personal information must be destroyed and the person to whom it pertained ‘forgotten’ if the purpose for which it was collected expires or ceases to exist. Personal information collected for a certain purpose cannot be used or stored for another purpose nor even used or stored for a similar purpose to arise in the future without the express and informed consent of the person from whom it was collected in accordance with the principles of notice/prior knowledge and consent.</p>
<p>(e) <span>Right of Access</span></p>
<p style="text-align: justify; ">All persons from whom personal information is collected have a right to access that personal information at any point following its collection to check its accuracy, make corrections or modifications and have destroyed that which is inaccurate. Where personal information of more than one person is held in an aggregated form such that affording one person access to it may endanger the right to privacy of another person, the entity holding the aggregated personal information must, to the best of its ability, identify the portion of the personal information that pertains to the person seeking access and make it available to him. All persons from whom personal information is collected must be given copies of their personal information upon request.</p>
<p>(f) <span>Principle regarding Disclosure</span></p>
<p style="text-align: justify; ">Personal information, once collected, must never be disclosed. However, if the person to whom certain personal information pertains consents to its disclosure in accordance with the principle of consent after he has been made aware of the proposed disclosee and other details related to the personal information in accordance with the principle of notice/prior knowledge, the personal information may be disclosed. Consent to a disclosure of this nature may be obtained even during collection of the personal information if the person to whom it pertains expressly consents to its future disclosure. Notwithstanding the rule against disclosure and the consent exception to the rule, personal information may be disclosed to the police or other law enforcement agencies on certain absolute conditions. Since the protection of personal information is a policy imperative, the conditions permitting its disclosure must be founded on a clear and serious law enforcement need that overrides the right to privacy; and, in addition, the disclosure conditions must be strict, construed narrowly and, in the event of ambiguity, interpreted to favour the individual right to privacy. Therefore, (i) there must be a demonstrable need to access personal information in connection with a criminal offence; (ii) only that amount of personal information that is sufficient to satisfy the need must be disclosed; and, (iii), since such a disclosure is non-consensual, it must follow a minimal due process regime that at least immediately notifies the person concerned and affords him the right to protest the disclosure.</p>
<p>(g) <span>Principle of Security</span></p>
<p style="text-align: justify; ">All personal information must be protected to absolutely maintain its sanctity, confidentiality and privacy by implementing safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, de-anonymisation, unauthorised disclosure and other risks. Such a level of protection must include physical, administrative and technical safeguards that are constantly and consistently audited. Protection measures must be revised to incorporate stronger measures and mechanisms as and when they arise.</p>
<p>(h) <span>Principle of Transparency / ‘Open-ness’</span></p>
<p>All practices, procedures and policies governing personal information must be made available to the person to whom that personal information pertains in a simple and easy-to-understand manner. This includes policies relating to the privacy, security and disclosure of that personal information. If an entity that seeks to collect personal information does not have these policies, it must immediately draft, publish and display such policies in addition to making them available to the person from whom it seeks to collect personal information before the collection can begin.</p>
<p>(i) <span>Principle of Accountability</span></p>
<p style="text-align: justify; ">Liability attaches to the possession of personal information of another person. Since rights and duties, such as those in relation to privacy of personal information, are predicated on accountability, this principle binds all entities that seek to possess personal information of another person. As a result, an entity seeking to collect, use, process, store or disclose personal information of another person is accountable to that person for complying with all these principles as well as the provisions of any law. The misuse of personal information causes harm to the person to whom it pertains to attract and civil and criminal penalties.</p>
<p style="text-align: justify; ">2.3 These principles are reflective of internationally accepted best practices to form the basis upon which Indian legislation to protect personal information should be drafted. The Sensitive Personal Data Rules, in their current form, fall far short of the achieving the substantive intent of these principles. <b>CIS submits that either (i) the Sensitive Personal Data Rules should be replaced with new and comprehensive legislation that speaks to the objectives and purpose of these principles, or (ii) the Sensitive Personal Data Rules are radically modified by amendment to bring Indian law to par with world standards.</b> Nevertheless, without prejudice to the preceding submission, CIS offers the following clause-by-clause comments on the Sensitive Personal Data Rules:</p>
<p style="text-align: justify; "><b>III <span><span>Clause-by-Clause Analysis and Comments</span></span></b></p>
<p style="text-align: justify; "><b><span>Rule 2 - Definitions</span></b></p>
<p>3.1.1 Rule 2(1)(b) of the Sensitive Personal Data Rules defines “biometrics” as follows:</p>
<p style="text-align: justify; "><i>"Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', "facial patterns', 'hand measurements' and 'DNA' for authentication purposes.</i></p>
<p style="text-align: justify; ">3.1.2 <span>Firstly</span>, the Sensitive Personal Data Rules do not use the term “biometrics.” Instead, rule 3(vi), which defines sensitive personal data, uses the term “biometric information.” It is unclear why rule 2(1)(b) provides a definition of the technologies by which information is obtained instead of clearly identify the information that constitutes sensitive personal data. This is one of several examples of poor drafting of the Sensitive Personal Data Rules. <span>Secondly</span>, biometric information is not used only for authentication; there are many other reasons for collecting and using biometric information. For instance, DNA is widely collected and used for medical research. Restricting the application of the definition to only that biometric information that is used for authentication is illogical to deprive the Rules of meaning.</p>
<p><b>3.1.3 Therefore, it is proposed that rule 2(1)(b) be re-drafted to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">““Biometric information” means any information relating to the physical, physiological or behavioural characteristics of an individual which enable their unique identification including, but not limited to, fingerprints, retinas, irises, voice patterns, facial patterns, Deoxyribonucleic acid (DNA) and genetic information.”</p>
<p style="text-align: justify; ">3.2.1 Rule 2(1)(c) of the Sensitive Personal Data Rules defines “body corporate” in accordance with the definition provided in clause (i) of the Explanation to section 43A of the Information Technology Act, 2000 (<b>“IT Act”</b>) as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>“body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.</i></p>
<p style="text-align: justify; ">3.2.2 <span>Firstly</span>, this definition of a body corporate is poorly drafted to extend beyond incorporated entities to bring within its ambit even unincorporated professional organisations such as societies and associations which, by their very nature, are not bodies corporate.<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">This is an arbitrary reinterpretation of the fundamental principles of company law. As it presently stands, this peculiar definition will extend to public and private limited companies, including incorporated public sector undertakings, ordinary and limited liability partnerships, firms, sole proprietorships, societies and associations; but, <span><span>will exclude public and private trusts</span></span><a href="#fn5" name="fr5">[5]</a> <span>and unincorporated public authorities</span>. Hence, whereas non-governmental organisations that are organised as societies will fall within the definition of “body corporate,” those that are organised as trusts will not. Similarly, incorporated public authorities such as Delhi Transport Corporation and even municipal corporations such as the Municipal Corporation of Delhi will fall within the definition of “body corporate” but unincorporated public authorities such as the New Delhi Municipal Council and the Delhi Development Authority will not. This is a <i>prima facie</i> violation of the fundamental right of all persons to be treated equally under the law guaranteed by Article 14 of the Constitution of India.</p>
<p style="text-align: justify; ">3.2.3 <span>Secondly</span>, whereas state entities and public authorities often collect and use sensitive personal data, with the exception of state corporations the Sensitive Personal Data Rules do not apply to the state. This means that the procedural safeguards offered by the Rules do not bind the police and other law enforcement agencies allowing them a virtually unfettered right to collect and use, even misuse, sensitive personal data without consequence. Further, state entities such as the Unique Identification Authority of India or the various State Housing Boards which collect, handle, process, use and store sensitive personal data are not covered by the Rules and remain unregulated. It is not possible to include these unincorporated entities within the definition of a body corporate; but, in pursuance of the principles set out in paragraph 2.2 of this submission, the Rules should be expanded to all state entities, whether incorporated or not.</p>
<p><b>3.2.4 Therefore, it is proposed that rule 2(1)(c) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">““body corporate” means the body corporate defined in sub-section (7) of section 2 read with section 3 of the Companies Act, 1956 (1 of 1956) and includes those entities which the Central Government may, by notification in the Official Gazette, specify in this behalf but shall not include societies registered under the Societies Registration Act, 1860 (21 of 1860), trusts created under the Indian Trusts Act, 1882 (2 of 1882) or any other association of individuals that is not a legal entity apart from the members constituting it and which does not enjoy perpetual succession.”</p>
<p style="text-align: justify; "><b>Further, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to societies registered under the Societies Registration Act, 1860 and trusts created under the Indian Trusts Act, 1882 in a manner reflective of their distinctiveness from bodies corporate</b>.</p>
<p style="text-align: justify; "><b>Furthermore, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to public authorities and the state as defined in Article 12 of the Constitution of India</b>.</p>
<p>3.3.1 Rule 2(1)(d) of the Sensitive Personal Data Rules defines “cyber incidents” as follows:</p>
<p style="padding-left: 30px; text-align: justify; "><i>"Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation.</i></p>
<p style="text-align: justify; ">3.3.2 Before examining the provisions of this clause, CIS questions the need for this definition. The term “<i>cyber incidents</i>” is used only once in these rules: the proviso to rule 6(1) which specifies the conditions upon which personal information or sensitive personal data may be disclosed to the police or other law enforcement authorities without the prior consent of the person to whom the information pertains. An analysis of rule 6(1) is contained at paragraphs 3.11.1 – 3.11.4 of this submission. <span>Firstly</span>, personal information and sensitive personal data should only be disclosed in connection with the prevention, investigation and prosecution of an existing offence. Offences cannot be created in the definitions clause of sub-statutory rules, they can only be created by a parent statute or another statute. <span>Secondly</span>, the scope and content of “cyber incidents” are already covered by section 43 of the IT Act. When read with section 66 of IT Act, an offence is created that is larger than the scope of the term “cyber incidents” to render this definition redundant.</p>
<p style="text-align: justify; "><b>3.3.3 Therefore, it is proposed that the definition of “cyber incidents” in rule 2(1)(d) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p style="text-align: justify; ">3.4.1 Rule 2(1)(g) of the Sensitive Personal Data Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. However, the term “intermediary” is not used anywhere in the Sensitive Personal Data Rules and so its definition is redundant. This is another instance of careless drafting of the Sensitive Personal Data Rules.</p>
<p style="text-align: justify; "><b>3.4.2 Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p style="text-align: justify; "><span>Rule 3 - Sensitive Personal Data</span><b> </b></p>
<p>3.5.1 Rule 3 of the Sensitive Personal Data Rules provides an aggregated definition of sensitive personal data as follows:</p>
<p style="text-align: justify; "><i>Sensitive personal data or information of a person means such personal information which consists of information relating to – </i></p>
<p><i>(i) password; </i></p>
<p style="text-align: justify; "><i>(ii) financial information such as Bank account or credit card or debit card or other payment instrument details ; </i></p>
<p style="text-align: justify; "><i>(iii) physical, physiological and mental health condition; </i></p>
<p><i>(iv) sexual orientation; </i></p>
<p><i>(v) medical records and history; </i></p>
<p><i>(vi) Biometric information; </i></p>
<p style="text-align: justify; "><i>(vii) any detail relating to the above clauses as provided to body corporate for providing service; and </i></p>
<p style="text-align: justify; "><i>(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: </i></p>
<p><i> </i></p>
<p style="text-align: justify; "><i>provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.</i></p>
<p style="text-align: justify; ">3.5.2 In accordance with the principle that certain kinds of personal information are particularly sensitive, due to the intimate nature of their content in relation to the right to privacy, to invite privileged protective measures regarding the collection, handling, processing, use and storage of such sensitive personal data, it is surprising that rule 3 does not protect electronic communication records of individuals. Emails and chat logs as well as records of internet activity such as online search histories are particularly vulnerable to abuse and misuse and should be accorded privileged protection.</p>
<p><b>3.5.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:</b></p>
<p>“Sensitive personal data or information of a person means personal information as to that person’s –</p>
<p>(i) passwords and encryption keys;</p>
<p>(ii) financial information including, but not limited to, information relating to his bank accounts, credit cards, debit cards, negotiable instruments, debt and other payment details;</p>
<p>(iii) physical, physiological and mental condition;</p>
<p>(iv) sexual activity and sexual orientation;</p>
<p>(v) medical records and history;</p>
<p>(vi) biometric information; and</p>
<p>(vii) electronic communication records including, but not limited to, emails, chat logs and other communications made using a computer;</p>
<p>and shall include any data or information related to the sensitive personal data or information set out in this rule that is provided to, or received by, a body corporate.</p>
<p style="text-align: justify; ">Provided that, any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”</p>
<p style="text-align: justify; "><span>Rule 4 - Privacy and Disclosure Policy</span></p>
<p>3.6.1 Rule 4 of the Sensitive Personal Data Rules, which obligates certain bodies corporate to publish privacy and disclosure policies for personal information, states:</p>
<p style="text-align: justify; "><b><i>Body corporate to provide policy for privacy and disclosure of information. – </i></b><i>(1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for –</i></p>
<p><i>(i) Clear and easily accessible statements of its practices and policies; </i></p>
<p><i>(ii) type of personal or sensitive personal data or information collected under rule 3; </i></p>
<p><i>(iii) purpose of collection and usage of such information; </i></p>
<p><i>(iv) disclosure of information including sensitive personal data or information as provided in rule 6; </i></p>
<p><i>(v) reasonable security practices and procedures as provided under rule 8. </i></p>
<p style="text-align: justify; ">3.6.2 This rule is very badly drafted, contains several discrepancies and is legally imprecise. <span>Firstly</span>, this rule is overbroad to bind all bodies corporate that receive and use information, as opposed to “personal information” or “sensitive personal data.” All bodies corporate receive and use information, even a vegetable seller uses information relating to vegetables and prices; but, not all bodies corporate receive and use personal information and even fewer bodies corporate receive and use sensitive personal data. The application of this provision should turn on the reception and use of personal information, which includes sensitive personal data, and not simply information. <span>Secondly</span>, although this rule only applies when a provider of information provides information, the term “provider of information” is undefined. It may mean any single individual who gives his personal information to a body corporate, or it may even mean another entity that outsources or subcontracts work that involves the handling of personal information. This lack of clarity compromises the enforceability of this rule. The government’s press release of 24 August 2011 acknowledged this error but since it is impossible, not to mention unconstitutional, for a statutory instrument like these Rules to be amended, modified, interpreted or clarified by a press release, CIS is inclined to ignore the press release altogether. It is illogical that privacy policies not be required when personal information is directly given by a single individual. This rule should bind all bodies corporate that receive and use personal information irrespective of the source of the personal information. <span>Thirdly</span>, it is unclear whether separate privacy policies are required for personal information and for sensitive personal data. There is a distinction between personal information and sensitive personal data and since these Sensitive Personal Data Rules deal with the protection of sensitive personal data, this rule 4 should unambiguously mandate the publishing of privacy policies in relation to sensitive personal data. Any additional requirement for personal information must be set out to clearly mark its difference from sensitive personal data. <span>Fourthly</span>, because of sloppy drafting, the publishing duties of the body corporate in respect of any sensitive personal data are unclear. For example, the phrase “<i>personal or sensitive personal data or information</i>” used in clause (ii) is meaningless since “personal information” and “sensitive personal data or information” are defined terms.</p>
<p><b>3.6.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:</b></p>
<p style="text-align: justify; ">“<b>Duty to publish certain policies. – </b>(1) Any body corporate that collects, receives, possesses, stores, deals with or handles personal information or sensitive personal data from any source whatsoever shall, prior to collecting, receiving, possessing, storing, dealing with or handling such personal information or sensitive personal data, publish and prominently display the policies listed in sub-rule (2) in relation to such personal information and sensitive personal data.</p>
<p>(2) In accordance with sub-rule (1) of this rule, all bodies corporate shall publish separate policies for personal information and sensitive personal data that clearly state –</p>
<p style="text-align: justify; ">(i) the meanings of personal information and sensitive personal data in accordance with these rules;</p>
<p style="text-align: justify; ">(ii) the practices and policies of that body corporate in relation to personal information and sensitive personal data;</p>
<p style="text-align: justify; ">(iii) descriptive details of the nature and type of personal information and sensitive personal data collected, received, possessed, stored or handled by that body corporate;</p>
<p style="text-align: justify; ">(iv) the purpose for which such personal information and sensitive personal data is collected, received, possessed, stored or handled by that body corporate;</p>
<p style="text-align: justify; ">(v) the manner and conditions upon which such personal information and sensitive personal data may be disclosed in accordance with rule 6 of these rules; and</p>
<p style="text-align: justify; ">(vi) the reasonable security practices and procedures governing such personal information and sensitive personal data in accordance with rule 8 of these rules.”</p>
<p style="text-align: justify; "><span>Rule 5 - Collection of Information</span></p>
<p>3.7.1 Rule 5(1) of the Sensitive Personal Data Rules lays down the requirement of consent before personal information can be collected as follows:</p>
<p style="padding-left: 30px; text-align: justify; "><i>Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.</i></p>
<p style="text-align: justify; ">3.7.2 <span>Firstly</span>, the principle and requirement of consent is of overriding importance when collecting personal information, which includes sensitive personal data. Pursuant to the principles laid down in paragraph 2.2 of this submission, consent must be informed, explicit and freely given. Since sub-rule (3) of rule 5 attempts to secure the informed consent of persons giving personal information, this sub-rule must establish that all personal information can only be collected upon explicit consent that is freely given, irrespective of the medium and manner in which it is given. <span>Secondly</span>, it may be noted that sub-rule (1) only applies to sensitive personal data and not to other personal information that is not sensitive personal data. This is ill advised. <span>Thirdly</span>, this sub-rule relating to actual collection of personal information should follow a provision establishing the principle of necessity before collection can begin. The principle of necessity is currently laid down in sub-rule (2) of rule 5 which should be re-numbered to precede this sub-rule relating to collection.</p>
<p><b>3.7.3 Therefore, it is proposed that rule 5(1) be re-numbered to sub-rule (2) of rule 5 and re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to collecting that personal information or sensitive personal data, obtain the express and informed consent of that person in any manner, and through any medium, that may be convenient but shall not obtain such consent through threat, duress or coercion.”</p>
<p>3.8.1 Rule 5(2) of the Sensitive Personal Data Rules sets out the principle of necessity governing the collection of personal information as follows:</p>
<p><i>Body corporate or any person on its behalf shall not collect sensitive personal data or information unless — </i></p>
<p style="text-align: justify; "><i>(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and </i></p>
<p style="text-align: justify; "><i>(b) the collection of the sensitive personal data or information is considered necessary for that purpose.</i></p>
<p style="text-align: justify; ">3.8.2 <span>Firstly</span>, before allowing a body corporate to collect personal information, which includes sensitive personal data, the law should strictly ensure that the collection of such personal information is necessary. Necessity cannot be established in general, there must be a nexus connecting the personal information to the purpose for which the personal information is sought to be collected. This important sub-rule sets out the principles upon which personal information can be collected; and, should therefore be the first sub-rule of rule 5. <span>Secondly</span>, this sub-rule only applies to sensitive personal data instead of all personal information. It is in the public interest that the principle of necessity applies to all personal information, including sensitive personal data.</p>
<p style="text-align: justify; ">3.8.3 <b>Therefore, it is proposed that rule 5(2) be re-numbered to sub-rule (1) of rule 5 and re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“No body corporate shall collect any personal information or sensitive personal data of a person unless it clearly establishes that –</p>
<p style="padding-left: 30px; text-align: justify; ">(a) the personal information or sensitive personal data is collected for a lawful purpose that is directly connected to a function or activity of the body corporate; and</p>
<p style="padding-left: 30px; text-align: justify; ">(b) the collection of the personal information or sensitive personal data is necessary to achieve that lawful purpose.”</p>
<p style="text-align: justify; ">3.9.1 Rule 5(3) of the Sensitive Personal Data Rules attempts to create an informed consent regime for the collection of personal information as follows:</p>
<p style="text-align: justify; "><i>While collecting information directly from the person concerned, the body corporate or any person on its behalf snail take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of — </i></p>
<p><i>(a) the fact that the information is being collected; </i></p>
<p><i>(b) the purpose for which the information is being collected; </i></p>
<p><i>(c) the intended recipients of the information; and </i></p>
<p><i>(d) the name and address of — </i></p>
<p><i>(i) the agency that is collecting the information; and </i></p>
<p><i>(ii) the agency that will retain the information.</i></p>
<p style="text-align: justify; ">3.9.2 <span>Firstly</span>, this sub-rule (3) betrays the carelessness of its drafters by bringing within its application any and all information collected by a body corporate from a person instead of only personal information or sensitive personal data. <span>Secondly</span>, this provision is crucial to establishing a regime of informed consent before personal information is given by a person to a body corporate. For consent to be informed, the person giving consent must be made aware of not only the collection of that personal information or sensitive personal data, but also the purpose for which it is being collected, the manner in which it will be used, the intended recipients to whom it will be sent or made accessible, the duration for which it will be stored, the conditions upon which it may be disclosed, the conditions upon which it may be destroyed as well as the identities of all persons who will collect, receive, possess, store, deal with or handle that personal information or sensitive personal data. <span>Thirdly</span>, the use of the phrase “<i>take such steps as are, in the circumstances, reasonable</i>” dilutes the purpose of this provision and compromises the establishment of an informed consent regime. Instead, the use of the term “reasonable efforts”, which has an understood meaning in law, will suffice to protect individuals while giving bodies corporate sufficient latitude to conduct their business.</p>
<p><b>3.9.3 Therefore, it is proposed that rule 5(3) be re-drafted to read as follows:</b></p>
<p>“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to such collection, make reasonable efforts to inform that person of the following details in respect of his personal information or sensitive personal data –</p>
<p>(a) the fact that it is being collected;</p>
<p>(b) the purpose for which it is being collected;</p>
<p>(c) the manner in which it will be used;</p>
<p>(d) the intended recipients to whom it will be sent or made available;</p>
<p>(e) the duration for which it will be stored;</p>
<p>(f) the conditions upon which it may be disclosed;</p>
<p>(g) the conditions upon which it may be destroyed; and</p>
<p>(h) the identities of all persons and bodies corporate who will collect, receive, possess, store, deal with or handle it.”</p>
<p style="text-align: justify; ">3.10.1 Rule 5(4) of the Sensitive Personal Data Rules lays down temporal restrictions to the retention of personal information:</p>
<p style="padding-left: 30px; text-align: justify; "><i>Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.</i></p>
<p style="text-align: justify; ">3.10.2 Since this sub-rule (4) only applies to sensitive personal data instead of all personal information, bodies corporate are permitted to hold personal information of persons that is not sensitive personal data for as long as they like even after the necessity that informed the collection of that personal information expires and the purpose for which it was collected ends. This is a dangerous provision that deprives the owners of personal information of the ability to control its possession to jeopardise their right to privacy. The Sensitive Personal Data Rules should prescribe a temporal limit to the storage of all personal information by bodies corporate.</p>
<p><b>3.10.3 Therefore, it is proposed that rule 5(4) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“No body corporate shall store, retain or hold personal information or sensitive personal data for a period longer than is required to achieve the purpose for which that personal information or sensitive personal data was collected.”</p>
<p style="text-align: justify; "><span>Rule 6 - Disclosure of Information</span></p>
<p style="text-align: justify; ">3.11.1 Rule 6(1) of the Sensitive Personal Data Rules, which deals with the crucial issue of disclosure of personal information, states:</p>
<p style="text-align: justify; "><i>Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation: </i></p>
<p><i> </i></p>
<p style="text-align: justify; "><i>Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.</i></p>
<p style="text-align: justify; ">3.11.2 In addition to errors and discrepancies in drafting, this sub-rule contains wide and vague conditions of disclosure of sensitive personal data to gravely impair the privacy rights and personal liberties of persons to whom such sensitive personal data pertains. A summary of drafting errors and discrepancies follows: <span>Firstly</span>, this sub-rule only applies to sensitive personal data instead of all personal information. The protection of personal information that is not sensitive personal data is an essential element of the right to privacy; hence, prohibiting bodies corporate from disclosing personal information at will is an important public interest prerogative. <span>Secondly</span>, the use of the phrase “<i>any third party</i>” lends vagueness to this provision since the term “third party” has not been defined. <span>Thirdly</span>, the repeated use of the undefined phrase “<i>provider of information</i>” throughout these Rules and in this sub-rule is confusing since, as pointed out in paragraph 3.6.2 of this submission, it could mean either or both of the single individual who consents to the collection of his personal information or another entity that transfers personal information to the body corporate.</p>
<p style="text-align: justify; ">3.11.3 Further, the conditions upon which bodies corporate may disclose personal information and sensitive personal data without the consent of the person to whom it pertains are dangerously wide. <span>Firstly</span>, the disclosure of personal information and sensitive personal data when it is “<i>necessary for compliance of a legal obligation</i>” is an extremely low protection standard. The law must intelligently specify the exact conditions upon which disclosure sans consent is possible; since the protection of personal information is a public interest priority, the conditions upon which it may be disclosed must outweigh this priority to be significant and serious enough to imperil the nation or endanger public interest. The disclosure of personal information and sensitive personal data for mere compliance of a legal obligation, such as failure to pay an electricity bill, is farcical. <span>Secondly</span>, the proviso sets out the conditions upon which the state, through its law enforcement agencies, may access personal information and sensitive personal data without the consent of the person to whom it pertains. Empowering the police with access to personal information can serve a public good if, and only if, it results in the prevention or resolution of crime; if not, this provision will give the police carte blanche to misuse and abuse this privilege. Hence, personal information should only be disclosed for the prevention, investigation and prosecution of an existing criminal offence. <span>Thirdly</span>, the definition and use of the term “<i>cyber incidents</i>” is unnecessary because section 43 of the IT Act already lists all such incidents. In addition, when read with section 66 of the IT Act, there emerges a clear list of offences to empower the police to seek non-consensual disclosure of personal information to obviate the need for any further new terminology. <span>In sum</span>, with regard to the non-consensual disclosure of personal information for the purposes of law enforcement: a demonstrable need to access personal information to prevent, investigate or prosecute crime must exist; only that amount of personal information sufficient to satisfy the need must be disclosed; and, finally, no disclosure may be permitted without clearly laid down procedural safeguards that fulfil the requirements of a minimal due process regime.</p>
<p><b>3.11.4 Therefore, it is proposed that rule 6(1) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“No body corporate shall disclose any personal information or sensitive personal data to anyone whosoever without the prior express consent of the person to whom the personal information or sensitive personal data to be disclosed pertains.</p>
<p style="padding-left: 30px; text-align: justify; ">Provided that if the personal information or sensitive personal data was collected pursuant to an agreement that expressly authorises the body corporate to disclose such personal information or sensitive personal data, and if the person to whom the personal information or sensitive personal data pertains was aware of this authorisation prior to such collection, the body corporate may disclose the personal information or sensitive personal data without obtaining the consent of the person to whom it pertains in the form and manner specified in such agreement.</p>
<p style="padding-left: 30px; text-align: justify; ">Provided further that if a reasonable threat to national security, defence or public order exists, or if the disclosure of personal information or sensitive personal data is necessary to prevent, investigate or prosecute a criminal offence, the body corporate shall, upon receiving a written request from the police or other law enforcement authority containing the particulars and details of the personal information or sensitive personal data to be disclosed, disclose such personal information or sensitive personal data to such police or other law enforcement authority without the prior consent of the person to whom it pertains.”</p>
<p>3.12.1 Rule 6(2) of the Sensitive Personal Data Rules creates an additional disclosure mechanism:</p>
<p style="padding-left: 30px; text-align: justify; "><i>Notwithstanding anything contain in sub-rule (1), any sensitive personal data on Information shall be disclosed to any third party by an order under the law for the time being in force.</i></p>
<p style="text-align: justify; ">3.12.2 This sub-rule is overbroad to enable anyone’s sensitive personal data to be disclosed to any other person without the application of any standards of necessity, proportionality or due process and without the person to whom the sensitive personal data pertains having any recourse or remedy. Such provisions are the hallmarks of authoritarian and police states and have no place in a liberal democracy. For instance, the invocation of this sub-rule will enable a police constable in Delhi to exercise unfettered power to access the biometric information or credit card details of a politician in Kerala since an order of a policeman constitutes “<i>an order under the law</i>”. Pursuant to our submission in paragraph 3.11.4, adequate measures exist to secure the disclosure of personal information or sensitive public data in the public interest. The balance of convenience between privacy and public order has already been struck. This sub-rule should be removed.</p>
<p style="text-align: justify; "><b>3.12.3 Therefore, it is proposed that rule 6(2) be deleted and the remaining sub-rules in rule 6 be accordingly renumbered.</b></p>
<p>3.13.1 Rule 6(4) of the Sensitive Personal Data Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.</i></p>
<p style="text-align: justify; ">3.13.2 <span>Firstly</span>, as mentioned elsewhere in this submission, the phrase “<i>third party</i>” has not been defined. This is a drafting discrepancy that must be rectified. <span>Secondly</span>, this sub-rule only encompasses sensitive personal data and not other personal information that is not sensitive personal data. <span>Thirdly</span>, it may be necessary, in the interests of business or otherwise, for personal information or sensitive personal data that has been lawfully disclosed to a third person to be disclosed further if the person to whom that personal information consents to it.</p>
<p><b>3.13.3 Therefore, it is proposed that rule 6(4) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“Personal information and sensitive personal data that has been lawfully disclosed by a body corporate to a person who is not the person to whom such personal information or sensitive personal data pertains in accordance with the provisions of these rules may be disclosed further upon obtaining the prior and express consent of the person to whom it pertains.”</p>
<p style="text-align: justify; "><span>Rule 7 - Transfer of Information</span></p>
<p style="text-align: justify; ">3.14.1 Rule 7 of the Sensitive Personal Data Rules sets out the conditions upon which bodies corporate may transfer personal information or sensitive personal data to other bodies corporate in pursuance of a business arrangement:</p>
<p style="padding-left: 30px; text-align: justify; "><i>A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.</i></p>
<p style="text-align: justify; ">3.14.2 This provision allows personal information and sensitive personal data to be transferred across international borders to other bodies corporate in pursuance of a business agreement. The transfer of such information is a common feature of international commerce in which Indian information technology companies participate with significant success. Within India too, personal information and sensitive personal data is routinely transferred between companies in furtherance of an outsourced business model. Besides affecting ease of business, the sub-rule also affects the ability of persons to control their personal information and sensitive personal data. However, the sub-rule has been poorly drafted: <span>firstly</span>, the simultaneous use of the phrases “<i>provider of information</i>” and “<i>such person</i>” is imprecise and misleading; <span>secondly</span>, the person to whom any personal information or sensitive personal data pertains must pre-consent to the transfer of such information.</p>
<p><b>3.14.3 Therefore, it is proposed that rule 7 be re-drafted to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“A body corporate may transfer any personal information or sensitive personal data in its possession to another body corporate, whether located in India or otherwise, if the transfer is pursuant to an agreement that binds the other body corporate to same, similar or stronger measures of privacy, protection, storage, use and disclosure of personal information and sensitive personal data as are contained in these rules, and if the express and informed consent of the person to whom the personal information or sensitive personal data pertains is obtained prior to the transfer.”</p>
<p style="text-align: justify; "><span>Rule 8 - Reasonable Security Practices</span></p>
<p style="text-align: justify; ">3.15.1 Following rule 8(1) of the Sensitive Personal Data Rules that prescribes reasonable security practices and procedures necessary for protecting personal information and sensitive personal data, rule 8(2) asserts that the international standard ISO/IEC 27001 fulfils the protection standards required by rule 8(1):</p>
<p style="padding-left: 30px; "><i>The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).</i></p>
<p style="text-align: justify; ">3.15.2 ISO/IEC 27001 is an information security management system standard that is prescribed by the International Organisation for Standardisation and the International Electrotechnical Commission. CIS raises no objection to the content or quality of the ISO/IEC 27001 standard. However, to achieve ISO/IEC 27001 compliance and certification, one must first purchase a copy of the standard. A copy of the ISO/IEC 27001 standard costs approximately Rs. _____/-. The cost of putting in place the protective measures required by the ISO/IEC 27001 standard are higher: these include the cost of literature and training, the cost of external assistance, the cost of technology, the cost of employees’ time and the cost of certification.</p>
<p style="text-align: justify; "><b>3.15.3 Therefore, to bring these standards within the reach of small and medium-sized Indian bodies corporate, an appropriate Indian authority, such as the Bureau of Indian Standards, should re-issue affordable standards that are equivalent to ISO/IEC 27001. </b></p>
<p style="text-align: justify; "><b>IV <span>The Press Release of 24 August 2011</span></b></p>
<p style="text-align: justify; ">4.1 The shoddy drafting of the Sensitive Personal Data Rules resulted in national and international confusion about its interpretation. However, instead of promptly correcting the embarrassingly numerous errors in the Rules, the Department of Information Technology of the Ministry of Communications and Information Technology chose to issue a press release on 24 August 2011 that was published on the website of the Press Information Bureau. The content of that press release is brought to the attention of the Committee of Subordinate Legislation as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology ACT, 2000.</i></p>
<p style="text-align: justify; padding-left: 30px; "><i>Press Note</i></p>
<p style="padding-left: 30px; text-align: justify; "><i>The Department of Information Technology had notified Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 on 11.4.2011 vide notification no. G.S.R. 313(E).</i></p>
<p><i> </i></p>
<p style="padding-left: 30px; text-align: justify; "><i>These rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6. Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate. It is also clarified that privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract. Further, in Rule 5(1) consent includes consent given by any mode of electronic communication.</i></p>
<p><i> </i></p>
<p style="padding-left: 30px; text-align: justify; "><i>Ministry of Communications & Information Technology (Dept. of Information Technology) </i></p>
<p style="padding-left: 30px; text-align: justify; "><i>Press Information Bureau, Government of India, Bhadra 2, 1933, August 24, 2011</i></p>
<p><i> </i></p>
<p style="padding-left: 30px; "><i>SP/ska <br /> (Release ID :74990)</i></p>
<p style="text-align: justify; ">4.2 It is apparent from a plain reading of the text that this press release seeks to re-interpret the application of rules 5 and 6 of the Sensitive Personal Data Rules insofar as they apply to Indian bodies corporate receiving personal information collected by another company outside India. Also, it seeks to define the term “providers of information” to address the confusion created by the repeated use this term in the Rules. Further, it re-interprets the scope and application of rule 4 relating to duty of bodies corporate to publish certain policies. Furthermore, it seeks to amend the provisions of rule 5(1) relating to manner and medium of obtaining consent prior to collecting personal information.</p>
<p style="text-align: justify; ">4.3 At the outset, it must be understood that a press release is not valid law. According to Article 13(3) of the Constitution of India,</p>
<p style="padding-left: 30px; text-align: justify; ">...<i>law</i> <i>includes any Ordinance, order, bye law, rule, regulation, notification, custom or usages having in the territory of India the force of law.</i></p>
<p style="text-align: justify; ">Law includes orders made in exercise of a statutory power as also orders and notifications made in exercise of a power conferred by statutory rules.</p>
<p style="padding-left: 30px; text-align: justify; ">[See, <i>Edward Mills</i> AIR 1955 SC 25 at pr. 12, <i>Babaji Kondaji Garad</i> 1984 (1) SCR 767 at pp. 779-780 and <i>Indramani Pyarelal Gupta</i> 1963 (1) SCR 721 at pp. 73-744]</p>
<p>Sub-delegated orders, made in exercise of a power conferred by statutory rules, cannot modify the rules.</p>
<p></p>
<p style="padding-left: 30px; "> <span>[See, <i>Raj Narain Singh</i> AIR 1954 SC 569 and <i>Re Delhi Laws Act</i> AIR 1951 SC 332]</span></p>
<p style="text-align: justify; "></p>
<p style="text-align: justify; "> <span>Therefore, press releases, which are not made or issued in exercise of a delegated or sub-delegated power are not “law” and cannot modify statutory rules.</span></p>
<p style="text-align: justify; "><span><b>V <span>Summary</span></b></span></p>
<p style="text-align: justify; "> </p>
<p class="MsoNormal"><span>5.1<span> </span>CIS submits that the following provisions of the Sensitive Personal Data Rules be amended or annulled</span></p>
<ul>
<li><span> </span><span>Rule 2(1)(b);</span><span><span> </span></span></li>
<li><span>Rule 2(1)(c);</span><span><span> </span></span></li>
<li><span>Rule 2(1)(d);</span><span><span> </span></span></li>
<li><span>Rule 2(1)(g);</span><span><span> </span></span></li>
<li><span>Rule 3;</span><span><span> </span></span></li>
<li><span>Rule 4(1);</span><span> </span></li>
<li><span>Rule 5(1);</span><span><span> </span></span></li>
<li><span>Rule 5(2);</span><span><span> </span></span></li>
<li><span>Rule 5(3);</span><span><span> </span></span></li>
<li><span>Rule 5(4);</span><span><span> </span></span></li>
<li><span>Rule 6(1);</span><span><span> </span></span></li>
<li><span>Rule 6(1) Proviso;</span><span><span> </span></span></li>
<li><span>Rule 6(2);</span><span><span> </span></span></li>
<li><span>Rule 6(4);</span><span><span> </span></span></li>
<li><span>Rule 7; and</span><span><span> </span></span></li>
<li><span>Rule 8.</span></li>
</ul>
<p style="text-align: justify; ">5.2 CIS submits that the Committee on Subordinate Legislation <span>should take a serious view of the press release issued by the </span><span>Department of Information Technology of the Ministry of Communications and Information Technology on 24 August 2011.</span></p>
<p style="text-align: justify; "><span>5.3 CIS submits </span><span>that in exercise of the powers granted to the Committee on Subordinate Legislation under Rules 317 and 320 of the Lok Sabha Rules of Procedure, the provisions of the Sensitive Personal Data Rules listed in the preceding paragraph 5.1 should be annulled; and, the Committee may be pleased to consider and recommend as an alternative the amendments proposed by CIS in this submission.</span></p>
<p style="text-align: justify; "><span>5.4 CIS thanks the Committee on Subordinate Legislation for the opportunity to present this submission and reiterates its commitment to supporting the Committee with any clarification, question or other requirement it may have.</span></p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. See generally, <i>Kharak Singh</i> AIR 1963 SC 1295, <i>Gobind</i> (1975) 2 SCC 148, <i>R. Rajagopal</i> (1994) 6 SCC 632, <i>People’s Union for Civil Liberties</i> (1997) 1 SCC 301 and <i>Canara Bank</i> (2005) 1 SCC 496.</p>
<p>[<a href="#fr2" name="fn2">2</a>]. See <i>infra</i> pr. 4.3.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. See, for comparison, Directive 95/46/EC of 24 October 1995 of the European Parliament and Council, the Data Protection Act, 1998 of the United Kingdom and the Proposed EU Regulation on on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).</p>
<p class="MsoFootnoteText">[<a href="#fr4" name="fn4">4</a>].<span>See generally, <i>Board of Trustees of Ayurvedic College</i> AIR 1962 SC 458 and <i>S. P. Mittal</i> AIR 1983 SC 1.</span></p>
<p style="text-align: justify; "> </p>
<p>[<a href="#fr5" name="fn5">5</a>]. <span>See </span><span>generally, <i>W. O. Holdsworth</i> AIR 1957 SC 887 and <i>Duli Chand</i> AIR 1984 Del 145.</span></p>
<div id="_mcePaste"> </div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011'>https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011</a>
</p>
No publisherbhairavSAFEGUARDSInternet GovernancePrivacy2013-07-12T12:13:53ZBlog EntryComments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011
https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011
<b>Bhairav Acharya on behalf of the Centre for Internet and Society submitted the following comments on the Information Technology (Guidelines for Cyber Cafe Rules), 2011.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p><b>I <span>Preliminary</span></b></p>
<p style="text-align: justify; ">1.1 This submission presents preliminary clause-by-clause comments from the Centre for Internet and Society (“<b>CIS</b>”) on the Information Technology (Guidelines for Cyber Café) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 315(E) on 11 April 2011 (“<b>Cyber Café Rules</b>”).</p>
<p style="text-align: justify; ">1.2 This submission is for the consideration of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha. In its 21<sup>st</sup> Report, the Committee on Subordinate Legislation presciently noted that:</p>
<p style="text-align: justify; padding-left: 30px; ">“…<i>statutory rules ought to be framed and notified not only in time but utmost care and caution should also be exercised in their formulation and finalization so as to get rid of any avoidable discrepancies. As far as possible, the aim should be to prevent needless litigation arising subsequently from badly framed rules.</i>” [See the 21<sup>st</sup> Report of the Lok Sabha Committee on Subordinate Legislation presented on 16 December 2011 at pr. 2.1]</p>
<p style="text-align: justify; ">Unfortunately, the Cyber Café Rules have been poorly drafted, contain several discrepancies and, more seriously, may impinge upon constitutionally guaranteed freedoms of Indian citizens. The attention of the Committee on Subordinate Legislation is accordingly called to the following provisions of the Cyber Cafe Rules:</p>
<p><b>II <span>Validity of the Cyber Cafe Rules</span></b></p>
<p style="text-align: justify; ">2.1 The Cyber Cafe Rules are made in exercise of powers granted under section 87(2)(zg) read with section 79(2) of the Information Technology Act, 2000 (<b>“IT Act”</b>). Read together, these delegated powers invest the executive with the power to frame rules for exempting cyber cafes from liability for any third party information, data or communication link if they comply with Central Government guidelines. The empowerment made by section 87(2)(zg) of the IT Act pertains to:</p>
<p>“<i>the guidelines to be observed by the intermediaries under sub-section (2) of section 79</i>”</p>
<p>Sections 79 (1) and (2) state:</p>
<p>“<b><i>79. Exemption from liability of intermediary in certain cases. –</i></b><i> (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for <span>any third party information, data, or communication link made available or hosted by him</span>. </i></p>
<p><i>(2) The provisions of sub-section (1) shall apply if— </i></p>
<p><i>(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hasted; or</i></p>
<p><i>(b) the intermediary does not— </i></p>
<p><i>(i) initiate the transmission, </i></p>
<p><i>(ii) select the receiver of the transmission, and </i></p>
<p><i>(iii) select or modify the information contained in the transmission; </i></p>
<p><i>(c) the intermediary observes due diligence while discharging his duties under this Act and also observes <span>such other guidelines as the Central Government may prescribe in this behalf</span>.</i>”</p>
<p style="text-align: justify; ">2.2 Hence, section 79(2) permits the Central Government to prescribe guidelines for cyber cafes to comply with in order to claim the general exemption from liability granted by section 79(1) of the IT Act. The Cyber Cafe Rules constitute those guidelines. However, the liability from which cyber cafes may be exempted extends only to “<i>any third party information, data, or communication link made available or hosted</i>” by users of cyber cafes. In other words, the liability of cyber cafes (the exemption from which is supposed to be controlled by the Cyber Cafe Rules) is only in respect of the information, data or communication links of their users. No liability is assigned to cyber cafes for failing to collect identity information of their users. Therefore, the Cyber Cafe Rules made under the power granted by section 79(2)(c) of the IT Act cannot make cyber cafes liable for user identification information. In accordance with sections 79(2)(c) and 79(1) read with section 87(2)(zg) of the IT Act, the Cyber Cafe Rules may legitimately deal with the duties of cyber cafes in respect of any information, data or communication links of their users, but not in respect of user identification. However, the thrust of the Cyber Cafe Rules, and the pith of their provisions, is concerned solely with registering and identifying cyber cafe users including collecting their personal information, photographing them, storing their personal information and reporting these non-content related details to the police. There is even a foray into interior design to dictate the height limits of furniture inside cyber cafes. All of this may be a legitimate governance concern, but it cannot be undertaken by the Cyber Cafe Rules. <b>To the extent that the Cyber Cafe Rules deal with issues beyond those related to any information, data or communication links of cyber cafe users, the Rules exceed the permissible limit of delegated powers under section 79(2) and 87(2)(zg) of the IT Act and, consequently, are <i>ultra vires</i> the IT Act.</b></p>
<p style="text-align: justify; "><b>III Clause-by-Clause Analysis and Comments</b><span> </span></p>
<p style="text-align: justify; "><span>Rule 2 - Definitions</span><b> </b></p>
<p style="text-align: justify; ">3.1 Rule 2(1)(c) of the Cyber Cafe Rules defines a cyber cafe in accordance with the definition provided in section 2(1)(na) of the IT Act as follows:</p>
<p style="text-align: justify; ">“<i>“cyber cafe” means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public</i>”</p>
<p style="text-align: justify; ">This definition of a cyber cafe is overbroad to bring within its ambit any establishment that offers internet access in the course of its business such as airports, restaurants and libraries. In addition, some State Road Transport Corporations offer wi-fi internet access on their buses; and, Indian Railways, as well as Bangalore Metro Rail Corporation Limited, plans to offer wi-fi internet access on some of its trains. These will all fall within the definition of “cyber cafe” as it is presently enacted. The definition of “cyber cafe” should be read down to only relate to commercial establishments that primarily offer internet access to the general public for a fee.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 2(1)(c) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“notwithstanding anything contained in clause (na) of sub-section (1) of section 2 of the Act, and for the purposes of these rules only, “cyber cafe” means, any commercial establishment which primarily offers access to the internet to members of the general public for consideration for any purpose but does not include any educational or academic institution, office or place where access to the internet is restricted to authorised persons only.”</p>
<p style="text-align: justify; ">3.2 Rule 2(1)(e) of the Cyber Cafe Rules defines “data” in accordance with the definition provided in section 2(1)(o) of the IT Act. However, the term “data” is not used anywhere in the Cyber Cafe Rules and so its definition is redundant. This is one of several instances of careless drafting of the Cyber Cafe Rules.</p>
<p><b>Therefore, it is proposed that the definition of “data” in rule 2(1)(e) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p style="text-align: justify; ">3.3 Rule 2(1)(g) of the Cyber Cafe Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. While all cyber cafes are intermediaries, not all intermediaries are cyber cafes: there are different categories of intermediaries that are regulated by other rules under the IT Act. The Cyber Cafe Rules make no mention of any other category of intermediaries other than cyber cafes; indeed, the term “intermediary” is not used anywhere in the Cyber Cafe Rules. Its definition is therefore redundant.</p>
<p><b>Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p><span>Rule 3 - Agency for Registration of Cyber Cafes</span></p>
<p>4.1 Rule 3 of the Cyber Cafe Rules, which attempts to set out a registration regime for cyber cafes, as follows:</p>
<p style="text-align: justify; ">“<b><i>3. Agency for registration of cyber cafe. –</i></b><i> (1) All cyber cafes shall be registered with a unique registration number with an agency called as registration agency as notified by the Appropriate Government in this regard. The broad terms of registration shall include: </i></p>
<p><i>(i) name of establishment; </i></p>
<p><i>(ii) address with contact details including email address; </i></p>
<p><i>(iii) whether individual or partnership or sole properitership or society or company; </i></p>
<p><i>(iv) date of incorporation; </i></p>
<p><i>(v) name of owner/partner/proprietor/director; </i></p>
<p><i>(vi) whether registered or not (if yes, copy of registration with Registrar of Firms or Registrar of Companies or Societies); and </i></p>
<p><i>(vii) type of service to be provided from cyber cafe </i></p>
<p style="text-align: justify; "><i>Registration of cyber cafe may be followed up with a physical visit by an officer from the registration agency. </i></p>
<p style="text-align: justify; "><i>(2) The details of registration of cyber cafe shall be published on the website of the registration agency. </i></p>
<p style="text-align: justify; "><i>(3) The Appropriate Government shall make an endeavour to set up on-line registration facility to enable cyber cafe to register on-line. </i></p>
<p style="text-align: justify; "><i>(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.</i>”</p>
<p style="text-align: justify; ">CIS raises two unrelated and substantial objections to this provision: <span>firstly</span>, all cyber cafes across India are already registered under applicable local and municipal laws such as the relevant State Shops and Establishments Acts and the relevant Police Acts that provide detailed information to enable the relevant government to regulate cyber cafes; and, <span>secondly</span>, the provisions of rule 3 create an incomplete and clumsy registration regime that does not clearly establish a procedure for registration within a definite timeframe and does not address the consequences of a denial of registration.</p>
<p style="text-align: justify; ">4.2 At the outset, it is important to understand the distinction between registration and licensing. The state may identify certain areas or fields of business, or certain industries, to be regulated by the conditions of a licence in the public interest. These may include shops selling alcohol or guns; or, industries such as telecommunications, mining or nuclear power. Licences for various activities are issued by the state for a limited term on the basis of need and public interest and licensees are permitted to operate only within the term and conditions of the licence. Failure to observe licence conditions can result in the cancellation of the licence and other penalties, sometimes even criminal proceedings.</p>
<p style="text-align: justify; ">Registration, on the other hand, is an information-gathering activity that gives no power of intervention to the state unless there is a general violation of law. The primary statutory vehicle for achieving this registration are the various Shops and Establishments Acts of each State and Union Territory and other municipal registration regulations. For example, under section 5 of the Delhi Shops and Establishments Act, 1954, an establishment, which includes shops, commercial establishments and places of public amusement and entertainment, must fulfil the following registration requirements:</p>
<p style="text-align: justify; ">“<b><i>5. Registration of establishment. –</i></b><i> (1) Within the period specified in sub-section (5), the occupier of every establishment shall send to the Chief Inspector a statement in a prescribed form, together with such fees as may be prescribed, containing </i></p>
<p><i>(a) the name of the employer and the manager, if any; </i></p>
<p><i>(b) the postal address of the establishment; </i></p>
<p><i>(c) the name, if any, of the establishment, </i></p>
<p style="text-align: justify; "><i>(d) the category of the establishment, i.e. whether it is a shop, commercial establishment, residential hotel, restaurant eating house, theatre or other place of public amusement or entertainment; </i></p>
<p><i>(e) the number of employees working about the business of the establishment; and </i></p>
<p><i>(f) such other particulars as may be prescribed. </i></p>
<p style="text-align: justify; "><i>(2) On receipt of the statement and the fees, the Chief Inspector shall, on being satisfied about the correctness of the statement, register the establishment in the Register of Establishments in such manner as may be prescribed and shall issue, in a prescribed form, a registration certificate to the occupier. </i></p>
<p style="text-align: justify; "><i>(3) The registration certificate shall be prominently displayed at the establishment and shall be renewed at such intervals as may be prescribed in this respect. </i></p>
<p style="text-align: justify; "><i>(4) In the event of any doubt or difference of opinion between an occupier and the Chief Inspector as to the category to which shall after such enquiry, as it may think proper, decide the category of each establishment and the decision thereto shall be final for the purpose of this Act. </i></p>
<p style="text-align: justify; "><i>(5) Within ninety days from the date mentioned in column 2 below in respect of the establishment mentioned in column 1, the statement together with fees shall be sent to the Chief Inspector under sub-section (1).</i>”</p>
<p style="text-align: justify; ">Besides the registration regime, the Shops and Establishments Acts also enact inspection regimes to verify the accuracy of all registered information, the maintenance of labour standards and other public safety requirements. These are not addressed by the Cyber Cafe Rules.</p>
<p style="text-align: justify; ">4.3 In addition to the various Shops and Establishments Acts which prescribe registration procedures, <span>all premises within which cyber cafes operate are subject to a further licensing regime under the various State Police Acts</span> as places of public amusement and entertainment. For example, a cyber cafe is deemed to be a “place of public amusement” under section 2(9) of the Bombay Police Act, 1951 and therefore subject to the licensing, registration and regulatory provisions of the Rules for Licensing and Controlling Places of Public (Other than Cinemas) and Performances for Public Amusement including Cabaret Performances, Discotheque, Games, Poll Game, Parlours, Amusements Parlours providing Computer Games, Virtual Reality Games, Cyber Cafes with Net Connectivity, Bowling Alleys, Cards Rooms, Social Clubs, Sports Clubs, Meals and Tamasha Rules, 1960. Similar provisions exist in Delhi.</p>
<p style="text-align: justify; ">In view of these two-fold registration requirements under the Shops and Establishments Acts and relevant Police Acts, creating yet another layer of registration is unwarranted. The Cyber Cafe Rules do not prescribe any new registration requirement that has not already been covered by the Shops and Establishments Acts and Police Acts. Multiple overlapping legislations will create confusion within the various departments of the relevant government and, more importantly, will result in non-compliance.</p>
<p style="text-align: justify; ">4.4 Without prejudice to the preceding comments relating to already existing registration requirements under the Shops and Establishments Acts and Police Acts, rule 3 of the Cyber Cafe Rules are very poorly drafted and do not fulfil the requirements of a valid registration regime. Most State governments have not notified a registration agency for cyber cafes as required by the Cyber Cafe Rules, probably because appropriate provisions under the Shops and Establishments Acts already exist. No time-limit has been specified for the registration process. This means that the (as yet non-existent) registration agency may delay, whether out of inefficiency or malice, a registration application without consequences for the delay. This not only discourages small and medium enterprises to hinder economic growth, it also encourages corruption as cyber cafe operators will be forced to pay a bribe to receive their registration.</p>
<p style="text-align: justify; ">4.5 Furthermore, rule 3(4) of the Cyber Cafe Rules, which calls on the Central Government to notify rules made by State governments, reads as follows:</p>
<p style="text-align: justify; ">“<i>(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.</i>”</p>
<p style="text-align: justify; ">This nonsensical provision, which gives the Central Government the power to notify rules made by State governments, <i>prima facie</i> violates the constitutional scheme of division of legislative powers between the Union and States. Rules that have been made by State governments, the subject matter of which is within the legislative competence of the State legislatures, are notified by those State governments for application within their States and no separate notification of these rules can be done by the Central Government.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 3 be deleted in entirety and the remaining rules be accordingly renumbered.</b></p>
<p style="text-align: justify; "><span>Rule 4 - Identification of User</span><b> </b></p>
<p style="text-align: justify; ">5.1 Rule 4 of the Cyber Cafe Rules attempts to establish the identity of cyber cafe users. This is a legitimate and valid exercise to prevent unlawful use of cyber cafes. Sub-rule (1) of rule 4 reads as follows:</p>
<p>“<i>(1) The Cyber Cafe shall not allow any user to use its computer resource without the identity of the user being established. The intending user may establish his identify by producing a document which shall identify the users to the satisfaction of the Cyber Cafe. Such document may include any of the following:</i></p>
<p><i>(i) Identity card issued by any School or College; or </i></p>
<p><i>(ii) Photo Credit Card or debit card issued by a Bank or Post Office; or </i></p>
<p><i>(iii) Passport; or </i></p>
<p><i>(iv) Voter Identity Card; or </i></p>
<p><i>(v) Permanent Account Number (PAN) card issued by Income-Tax Authority; or </i></p>
<p><i>(vi) Photo Identity Card issued by the employer or any Government Agency; or </i></p>
<p><i>(vi) Driving License issued by the Appropriate Government; or </i></p>
<p><i>(vii) Unique Identification (UID) Number issued by the Unique Identification Authority of India (UIDAI).</i>”</p>
<p style="text-align: justify; ">The use of credits cards or debit cards to verify identity is specifically discouraged by the Reserve Bank of India because it directly results in identity theft, fraud and other financial crimes. Online credit card fraud results in large losses to individual card-holders and to banks. The other identity documents specified in rule 4 will suffice to accurately establish the identity of users.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that the use of credit or debit cards as a means of establishing identity in rule 4(1)(ii) be deleted and the remaining clauses in sub-rule (1) of rule 4 be accordingly renumbered.</b></p>
<p class="DefaultCxSpFirst">5.2 Rule 4(2) of the Cyber Café Rules compels the storage of photographs and other personal information of users by cyber cafés:</p>
<p>“<i>The Cyber Cafe shall keep a record of the user identification document by either storing a photocopy or a scanned copy of the document duly authenticated by the user and authorised representative of cyber cafe. Such record shall be securely maintained for a period of at least one year.</i>”</p>
<p style="text-align: justify; ">While this submission does not question the requirement of storing user information for the purposes of law enforcement, this rule 4(2) does not prescribe the standards of security, confidentiality and privacy that should govern the storage of photographs and other personal information by cyber cafes. Without such a prescription, cyber cafes will simply store photographs of users, including minors and women, and important personal information that can be misused, such as passport copies, in a file with no security. This is unacceptable. Besides endangering vulnerable user information, it makes identity theft and other offences easier to perpetrate. If cyber cafes are to collect, store and disclose personal information of users, they must be bound to strict standards that explicitly recognise their duties and obligations in relation to that personal information. In this regard, the attention of the Committee on Subordinate Legislation is called to CIS’ submission regarding the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
<p><b>Therefore, it is proposed that rule 4(2) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“Any information of any user collected by a cyber cafe under this rule shall be collected, handled, stored and disclosed in accordance with the provisions of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, for a period not exceeding six months from the date of collection of that information.”</p>
<p>5.3 Sub-rule (3) of rule 4 allows cyber cafe users to be photographed:</p>
<p style="text-align: justify; ">“<i>(3) In addition to the identity established by an user under sub-rule (1), he may be photographed by the Cyber Cafe using a web camera installed on one of the computers in the Cyber Cafe for establishing the identity of the user. Such web camera photographs, duly authenticated by the user and authorised representative of cyber cafe, shall be part of the log register which may be maintained in physical or electronic form.</i>”</p>
<p style="text-align: justify; ">Since the identity documents listed in rule 4(1) all contain a photograph of their owner, the need for further photography is unnecessary. This provision needlessly burdens cyber cafe owners, who will be required to store two sets of photographs of users – their photographic identity documents in addition to individual photographs, and invades the individual privacy rights of users who will be exposed to unnecessary photography by private cyber cafe operators. Granting a non-state entity the right to take photographs of other individuals to no apparent gain or purpose is avoidable, especially when no measures are prescribed to regulate the safe and lawful storage of such photographs. Without strict safety measures governing the taking and storing of photographs of users, including minor girls and women, the Cyber Cafe Rules leave open the possibility of gross misuse of these photographs.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that sub-rule (3) of rule 4 be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.</b></p>
<p>5.4 Sub-rue (4) of rule 4 reads as follows:</p>
<p>“<i>(4) A minor without photo Identity card shall be accompanied by an adult with any of the documents as required under sub-rule (1).</i>”</p>
<p style="text-align: justify; ">Regulating a minor’s access and use of the internet may serve a public good but it cannot be achieved by law. Information deemed unsuitable for minors that is available via other media, such as video, television or magazines, is not legally proscribed for minors. The law cannot and does not regulate their availability to minors. The protection of minors is an overriding public and jurisprudential concern, but law alone cannot achieve this end. Most minors do not possess photographic identity documents and rule 4(4) will, if implemented, result in internet access being taken away from minors. Restricting a minor’s ability to access useful, educational and other harmless content available on the internet is harmful to the public interest as it discourages education and awareness.</p>
<p><b>Therefore, it is proposed that rule 4(4) be amended to read as follows:</b></p>
<p style="text-align: justify; ">“A minor who does not possess any of the identity documents listed under sub-rule (1) of this rule may provide the name and address of his parent or guardian prior to using the cyber cafe.”</p>
<p style="text-align: justify; ">5.5 Rule 4(5) of the Cyber Cafe Rules states that a user “<i>shall be allowed to enter the cyber cafe after he has established his identity</i>.” However, since rule 4(1) already addresses identity verification by specifically preventing a cyber cafe from “<i>allow[ing] any user to use its computer resource without the identity of the user of the user being established</i>,” this rule 4(5) is redundant.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 4(4) be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.</b></p>
<p>5.6 Rule 4(6) of the Cyber Cafe Rules states:</p>
<p style="text-align: justify; ">“<i>(6) The Cyber cafe shall immediately report to the concerned police, if they have reasonable doubt or suspicion regarding any user.</i>”</p>
<p style="text-align: justify; ">This provision is legally imprecise, poorly drafted and impossible to enforce. The nature of doubt or suspicion that is necessary before contacting the police is unclear. A cyber cafe may doubt whether a customer is able to pay the bill for his internet usage, or be suspicious because of the length of a person’s beard. Requiring the police to be called because someone is doubtful is ridiculous. Furthermore, reasonableness in law is a well-established concept of rationality; it is not open to interpretation. “Reasonable doubt” is a criminal law threshold that must be reached in order to secure a conviction. Reporting requirements must be clear and unambiguous.</p>
<p><b>Therefore, it is proposed that rule 4(6) be deleted.</b></p>
<p><span>Rule 5 - Log Register</span></p>
<p>6.1 Rule 5(3) of the Cyber Cafe Rules states:</p>
<p style="text-align: justify; ">“<i>(3) Cyber Cafe shall prepare a monthly report of the log register showing date- wise details on the usage of the computer resource and submit a hard and soft copy of the same to the person or agency as directed by the registration agency by the 5th day of next month.</i>”</p>
<p style="text-align: justify; ">This provision is akin to telephone tapping. If phone companies are not required to report the call histories of each of their users and cable television providers not required to report individual viewing preferences, there is no reason for cyber cafes to report the internet usage of users. There may be instances where public interest may be served by monitoring the internet history of specific individuals, just as it is possible to tap an individual’s telephone if it is judicially determined that such a need exists. However, in the absence of such protective provisions to safeguard individual liberties, this sub-rule (3) is grossly violative of the individual right to privacy and should be removed.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 5(3) be deleted and the remaining sub-rules of rule 5 be accordingly renumbered.</b></p>
<p style="text-align: justify; "><span>Rule 7<b> - </b>Inspection of Cyber Cafe</span></p>
<p>7.1 Rule 7 of the Cyber Cafe Rules provides for an inspection regime:</p>
<p style="text-align: justify; ">“<i>An officer autnorised by the registration agency, is authorised to check or inspect cyber cafe and the computer resource of network established therein, at any time for the compliance of these rules. The cyber cafe owner shall provide every related document, registers and any necessary information to the inspecting officer on demand.</i>”</p>
<p style="text-align: justify; ">The corollary of a registration regime is an inspection regime. This is necessary to determine that the information provided during registration is accurate and remains updated. However, as stated in paragraphs 3.2 – 3.4 of this submission, a comprehensive and more easily enforceable registration and inspection regime already exists in the form of the various Shops and Establishments Acts in force across the country. Those provisions also provide for the consequences of an inspection, which the Cyber Cafe Rules do not.</p>
<p><b>Therefore, it is proposed that rule 7 be deleted.</b></p>
<p><b>IV <span>Summary</span></b></p>
<p>8.1 In sum:</p>
<p style="text-align: justify; ">(a) Under the delegated powers contained in section 87(2)(zg) read with section 79(2) of the IT Act, the Central Government does not have the competence to make rules for identifying cyber cafe users including collecting, storing and disclosing personal information of cyber cafe users nor for prescribing the interior design of cyber cafes and, to the extent that the Rules do so, they are <i>ultra vires</i> the parent statute;</p>
<p style="text-align: justify; ">(b) The attention of the Committee on Subordinate Legislation is invited to the following provisions of the Cyber Cafe Rules which require amendment or annulment:</p>
<ul>
<li>Rule 2(1)(c);</li>
<li>Rule 2(1)(e);</li>
<li>Rule 2(1)(g);</li>
<li>Rule 3(1);</li>
<li>Rule 3(4);</li>
<li>Rule 4(1);</li>
<li>Rule 4(2);</li>
<li>Rule 4(3);</li>
<li>Rule 4(4);</li>
<li>Rule 4(5);</li>
<li>Rule 4(6);</li>
<li>Rule 5(3); and</li>
<li>Rule 7.</li>
</ul>
<p style="text-align: justify; ">(c) The Cyber Cafe Rules are extremely poorly framed, rife with discrepancies and will give rise to litigation. They should be selectively annulled and, to prevent a repeat of the same mistakes, new rules may be framed in concert with experts, professional organisations and civil society in a democratic manner.</p>
<p style="text-align: justify; ">8.2 CIS would like to conclude by taking this opportunity to present its compliments to the Committee on Subordinate Legislation and to offer the Committee any assistance or support it may require.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011'>https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011</a>
</p>
No publisherbhairavInternet GovernanceSAFEGUARDS2013-07-12T12:15:30ZBlog Entry