The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 1 to 15.
India's Central Monitoring System (CMS): Something to Worry About?
https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about
<b>In this article, Maria Xynou presents new information about India's controversial Central Monitoring System (CMS) based on official documents which were shared with the Centre for Internet and Society (CIS). Read this article and gain an insight on how the CMS actually works!</b>
<p style="text-align: justify; ">The idea of a Panoptikon, of monitoring all communications in India and centrally storing such data is not new. It was first envisioned in 2009, following the 2008 Mumbai terrorist attacks. As such, the Central Monitoring System (CMS) started off as <span class="internal-link">a project run by the Centre for Communication Security Research and Monitoring (CCSRM)</span>, along with the Telecom Testing and Security Certification (TTSC) project.</p>
<p align="JUSTIFY">The Central Monitoring System (CMS), which was <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/">largely covered by the media in 2013</a>, was actually <span class="internal-link">approved by the Cabinet Committee on Security (CCS) on 16th June 2011</span> and the pilot project was completed by 30th September 2011. Ever since, the CMS has been operated by India's Telecom Enforcement Resource and Monitoring (TERM) cells, and has been implemented by the Centre for Development of Telematics (C-DOT), which is an Indian Government owned telecommunications technology development centre. The CMS has been implemented in three phases, each one taking about 13-14 months. As of June 2013, <span class="internal-link">government funding of the CMS has reached at least Rs. 450 crore</span> (around $72 million).</p>
<p align="JUSTIFY">In order to require Telecom Service Providers (TSPs) to intercept all telecommunications in India as part of the CMS, <a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">clause 41.10 of the Unified Access Services (UAS) License Agreement was amended</a> in June 2013. In particular, the amended clause includes the following:</p>
<blockquote class="italized">“<i>But, in case of Centralized Monitoring System (CMS), Licensee shall provide the connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at its own cost in the form of dark fibre with redundancy. If dark fibre connectivity is not readily available, the connectivity may be extended in the form of 10 Mbps bandwidth upgradeable upto 45 Mbps or higher as conveyed by the Governemnt, till such time the dark fibre connectivity is established. However, LICENSEE shall endeavor to establish connectivity by dark optical fibre at the earilest. From the point of presence of MPLS network of CMS onwards traffic will be handled by the Government at its own cost.”</i></blockquote>
<p align="JUSTIFY">Furthermore, <span class="internal-link">draft Rule 419B</span> under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information” / Call Data Records (CDR) to Indian authorities. <a class="external-link" href="http://books.google.gr/books?id=dO2wCCB7w9sC&pg=PA111&dq=%22Call+detail+record%22&hl=en&sa=X&ei=s-iUUO6gHseX0QGXzoGADw&redir_esc=y#v=onepage&q=%22Call%20detail%20record%22&f=false">Call Data Records</a>, otherwise known as Call Detail Records, contain metadata (data about data) that describe a telecomunication transaction, but not the content of that transaction. In other words, Call Data Records include data such as the phone numbers of the calling and called parties, the duration of the call, the time and date of the call, and other such information, while excluding the content of what was said during such calls. According to <span class="internal-link">draft Rule 419B</span>, directions for the disclosure of Call Data Records can only be issued on a national level through orders by the Secretary to the Government of India in the Ministry of Home Affairs, while on the state level, orders can only be issued by the Secretary to the State Government in charge of the Home Department.</p>
<p align="JUSTIFY">Other than this draft Rule and the <a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amendment to clause 41.10 of the UAS License Agreement</a>, no law exists which mandates or regulates the Central Monitoring System (CMS). This mass surveillance system is merely regulated under Section 5(2) of the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, which empowers the Indian Government to intercept communications on the occurence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the following instances:</p>
<ul>
<li>
<p align="JUSTIFY">the interests of the sovereignty and integrity of India</p>
</li>
<li>
<p align="JUSTIFY">the security of the State</p>
</li>
<li>
<p align="JUSTIFY">friendly relations with foreign states</p>
</li>
<li>
<p align="JUSTIFY">public order</p>
</li>
<li>
<p align="JUSTIFY">for preventing incitement to the commission of an offense</p>
</li>
</ul>
<p align="JUSTIFY">However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague, and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should function. As such, the CMS appears to be inadequately regulated, which raises many questions with regards to its potential misuse and subsequent violation of Indian's right to privacy and other human rights.</p>
<h2><b>So how does the Central Monitoring System (CMS) actually work?</b></h2>
<p align="JUSTIFY">We have known for quite a while now that the Central Monitoring System (CMS) gives India's security agencies and income tax officials centralized <a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system" class="external-link">access to the country's telecommunications network</a>. The question, though, is how.</p>
<p align="JUSTIFY">Well, prior to the CMS, all service providers in India were required to have <a class="external-link" href="http://www.thehindu.com/news/national/govt-violates-privacy-safeguards-to-secretly-monitor-internet-traffic/article5107682.ece">Lawful Interception Systems</a> installed at their premises in order to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, in the CMS era, all TSPs in India are <span class="internal-link">required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems</span>. Once ISF servers are installed in the premises of TSPs in India and integrated with Lawful Interception Systems, they are then connected to the Regional Monitoring Centres (RMC) of the CMS. Each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS). In short, the CMS involves the collection and storage of data intercepted by TSPs in central and regional databases.</p>
<p align="JUSTIFY">In other words, all data intercepted by TSPs is automatically transmitted to Regional Monitoring Centres, and subsequently automatically transmitted to the Central Monitoring System. This means that not only can the CMS authority have centralized access to all data intercepted by TSPs all over India, but that <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the authority can also bypass service providers in gaining such access</a>. This is due to the fact that, unlike in the case of so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows for data to be automatically transmitted to its datacentre, without the involvement of TSPs.</p>
<p align="JUSTIFY">The above is illustrated in the following chart:</p>
<p align="JUSTIFY"><img src="https://cis-india.org/chart_11.png" title="CMS chart" height="372" width="689" alt="CMS chart" class="image-inline" /></p>
<p align="JUSTIFY">The interface testing of TSPs and their Lawful Interception Systems has already been completed and, as of June 2013, <span class="internal-link">70 ISF servers have been purchased for six License Service Areas</span> and are being integrated with the Lawful Interception Systems of TSPs. The Centre for Development of Telematics has already fully installed and integrated two ISF servers in the premises of two of India's largest service providers: MTNL and Tata Communications Limited. In Delhi, ISF servers which connect with the CMS have been installed for all TSPs and testing has been completed. In Haryana, three ISF servers have already been installed in the premises of TSPs and the rest of currently being installed. In Chennai, five ISF servers have been installed so far, while in Karnataka, ISF servers are currently being integrated with the Lawful Interception Systems of the TSPs in the region.</p>
<p align="JUSTIFY">The Centre for Development of Telematics plans to <span class="internal-link">integrate ISF servers which connect with the CMS in the premises of service providers </span>in the following regions:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Maharashtra</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (West)</p>
</li>
<li>
<p align="JUSTIFY">Andhra Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (East)</p>
</li>
<li>
<p align="JUSTIFY">Kerala</p>
</li>
<li>
<p align="JUSTIFY">Gujarat</p>
</li>
<li>
<p align="JUSTIFY">Madhya Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
</ul>
<p align="JUSTIFY">With regards to the UAS License Agreement that TSPs are required to comply with, <a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amended clause 41.10</a> specifies certain details about how the CMS functions. In particular, the amended clause mandates that TSPs in India will provide connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at their own cost and in the form of dark optical fibre. From the MPLS network of the CMS onwards, traffic will be handled by the Government at its own cost. It is noteworthy that a <span class="internal-link">Memorandum of Understanding (MoU) for MPLS connectivity</span> has been signed with one of India's largest ISPs/TSPs: BSNL. In fact, <span class="internal-link">Rs. 4.8 crore have been given to BSNL</span> for interconnecting 81 CMS locations of the following License Service Areas:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Mumbai</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
<li>
<p align="JUSTIFY">Rajasthan</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Karnataka</p>
</li>
<li>
<p align="JUSTIFY">Chennai</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
</ul>
<p align="JUSTIFY"><a href="https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">Clause 41.10 of the UAS License Agreement</a> also mandates that the hardware and software required for monitoring calls will be engineered, provided, installed and maintained by the TSPs at their own cost. This implies that TSP customers in India will likely have to pay for more expensive services, supposedly to “increase their safety”. Moreover, this clause mandates that TSPs are required to monitor <i>at least 30 simultaneous calls</i> for each of the nine designated law enforcement agencies. In addition to monitored calls, clause 41.10 of the UAS License Agreement also requires service providers to make the following records available to Indian law enforcement agencies:</p>
<ul>
<li>
<p align="JUSTIFY">Called/calling party mobile/PSTN numbers</p>
</li>
<li>
<p align="JUSTIFY">Time/date and duration of interception</p>
</li>
<li>
<p align="JUSTIFY">Location of target subscribers (Cell ID & GPS)</p>
</li>
<li>
<p align="JUSTIFY">Data records for failed call attempts</p>
</li>
<li>
<p align="JUSTIFY">CDR (Call Data Records) of Roaming Subscriber</p>
</li>
<li>
<p align="JUSTIFY">Forwarded telephone numbers by target subscriber</p>
</li>
</ul>
<p align="JUSTIFY">Interception requests from law enforcement agencies are provisioned by the CMS authority, which has access to the intercepted data by all TSPs in India and which is stored in a central database. As of June 2013, <span class="internal-link">80% of the CMS Physical Data Centre has been built so far</span>.</p>
<p align="JUSTIFY">In short, the CMS replaces the existing manual system of interception and monitoring to an automated system, which is operated by TERM cells and implemented by the Centre for Development of Telematics. <span class="internal-link">Training has been imparted to the following law enforcement agencies</span>:</p>
<ul>
<li>
<p align="JUSTIFY">Intelligence Bureau (IB)</p>
</li>
<li>
<p align="JUSTIFY">Central Bureau of Investigation (CBI)</p>
</li>
<li>
<p align="JUSTIFY">Directorate of Revenue Intelligence (DRI)</p>
</li>
<li>
<p align="JUSTIFY">Research & Analysis Wing (RAW)</p>
</li>
<li>
<p align="JUSTIFY">National Investigation Agency (NIA)</p>
</li>
<li>
<p align="JUSTIFY">Delhi Police</p>
</li>
</ul>
<h2><b>And should we even be worried about the Central Monitoring System?</b></h2>
<p align="JUSTIFY">Well, according to the <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">brief material for the Honourable MOC and IT Press Briefing</a> on 16th July 2013, we should <i>not</i> be worried about the Central Monitoring System. Over the last year, <a class="external-link" href="http://www.livemint.com/Politics/pR5zc8hCD1sn3NWQwa7cQJ/The-new-surveillance-state.html">media reports</a> have expressed fear that the Central Monitoring System will infringe upon citizen's right to privacy and other human rights. However,<a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link"> Indian authorities have argued that the Central Monitoring System will <i>better protect</i> the privacy of individuals </a>and maintain their security due to the following reasons:</p>
<ol>
<li>
<p align="JUSTIFY">The CMS will <i>just automate</i> the existing process of interception and monitoring, and all the existing safeguards will continue to exist</p>
</li>
<li>
<p align="JUSTIFY">The interception and monitoring of communications will continue to be in accordance with Section 5(2) of the Indian Telegraph Act, 1885, read with Rule 419A</p>
</li>
<li>
<p align="JUSTIFY">The CMS will enhance the privacy of citizens, because it will no longer be necessary to take authorisation from the nodal officer of the Telecom Service Providers (TSPs) – who comes to know whose and which phone is being intercepted</p>
</li>
<li>
<p align="JUSTIFY">The CMS authority will provision the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured, since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data</p>
</li>
<li>
<p align="JUSTIFY">A non-erasable command log of all provisioning activities will be maintained by the system, which can be examined anytime for misuse and which provides an additional safeguard</p>
</li>
</ol>
<p align="JUSTIFY">While some of these arguments may potentially allow for better protections, I personally fundamentally disagree with the notion that a centralised monitoring system is something not to worry about. But let's start-off by having a look at the above arguments.</p>
<p align="JUSTIFY">The first argument appears to imply that the pre-existing process of interception and monitoring was privacy-friendly or at least “a good thing” and that existing safeguards are adequate. As such, it is emphasised that the process of interception and monitoring will <i>“just” </i>be automated, while posing no real threat. I fundamentally disagree with this argument due to several reasons. First of all, the pre-existing regime of interception and monitoring appears to be rather problematic because India lacks privacy legislation which could safeguard citizens from potential abuse. Secondly, the very interception which is enabled through various sections of the <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act, 2008</a>, and the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, potentially <a class="external-link" href="http://www.outlookindia.com/article.aspx?283149">infringe upon individual's right to privacy</a> and other human rights.</p>
<p align="JUSTIFY">May I remind you of <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Section 69 of the Information Technology (Amendment) Act, 2008</a>, which allows for the interception of all information transmitted through a computer resource and which requires users to assist authorities with the decryption of their data, if they are asked to do so, or face a jail sentence of up to seven years. The debate on the constitutionality of the various sections of the law which allow for the interception of communications in India is still unsettled, which means that the pre-existing interception and monitoring of communications remains an <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_php=true&_type=blogs&_r=0">ambiguous matter</a>. And so, while the interception of communications in general is rather concerning due to dracodian sections of the law and due to the absence of privacy legislation, automating the process of interception does not appear reassuring at all. On the contrary, it seems like something in the lines of: “We have already been spying on you. Now we will just be doing it quicker and more efficiently.”</p>
<p align="JUSTIFY">The second argument appears inadequate too. <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Section 5(2) of the Indian Telegraph Act, 1885</a>, states that the interception of communications can be carried out on the occurence of a “public emergency” or in the interest of “public safety” when it is deemed “necessary or expedient” to do so under certain conditions which were previously mentioned. However, this section of the law does not mandate the establishment of the Central Monitoring System, nor does it regulate how and under what conditions this surveillance system will function. On the contrary, Section 5(2) of the Indian Telegraph Act, 1885, clearly mandates <i>targeted</i> surveillance, while the Central Monitoring System could potentially undertake <i>mass</i> surveillance. Since the process of interception is automated and, under clause 41.16 of the <a class="external-link" href="http://www.dot.gov.in/sites/default/files/DOC270613-013.pdf">Unified License (Access Services) Agreement</a>, service providers are required to provision at least 3,000 calls for monitoring to nine law enforcement agencies, it is likely that the CMS undertakes mass surveillance. Thus, it is unclear if the very nature of the CMS falls under Section 5(2) of the Indian Telegraph Act, 1885, which mandates targeted surveillance, nor is it clear that such surveillance is being carried out on the occurence of a specific “public emergency” or in the interest of “public safety”. As such, the vagueness revolving around the question of whether the CMS undertakes targeted or mass surveillance means that its legality remains an equivocal matter.</p>
<p align="JUSTIFY">As for the third argument, it is not clear how <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">bypassing the nodal officers of TSPs</a> will enhance citizen's right to privacy. While it may potentially be a good thing that nodal officers will not always be aware of whose information is being intercepted, that does not guarantee that those who do have access to such data will not abuse it. After all, the CMS appears to be largely unregulated and India lacks privacy legislation and all other adequate legal safeguards. Moreover, by bypassing the nodal officers of TSPs, the opportunity for unauthorised requests to be rejected will seize to exist. It also implies an increased centralisation of intercepted data which can potentially create a centralised point for cyber attacks. Thus, the argument that the CMS authority will monopolise the control over intercepted data does not appear reassuring at all. After all, who will watch the watchmen?</p>
<p align="JUSTIFY">While the fourth argument makes a point about <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">differentiating the provisioning and requesting entities</a> with regards to interception requests, it does not necessarily ensure a complete check and balance, nor does it completely eliminate the potential for abuse. The CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorised requests are not provisioned. Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place.</p>
<p align="JUSTIFY">Furthermore, this argument states that the <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">CMS authority will not have access to content data</a>, but does not specify if it will have access to metadata. What's concerning is that <a href="https://cis-india.org/internet-governance/blog/fin-fisher-in-india-and-myth-of-harmless-metadata" class="external-link">metadata can potentially be more useful for tracking individuals than content data</a>, since it is ideally suited to automated analysis by a computer and, unlike content data which shows what an individuals says (which may or may not be true), metadata shows what an individual does. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual's interests, behaviour and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to tackle the argument that the provisioning and requesting entities will be seperate and therefore protect individual's privacy.</p>
<p align="JUSTIFY">The final argument appears to provide some promise, since <a href="https://cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the maintenance of a command log of all provisioning activities</a> could potentially ensure some transparency. However, it remains unclear who will maintain such a log, who will have access to it, who will be responsible for ensuring that unlawful requests have not been provisioned and what penalties will be enforced in cases of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all. In short, the above arguments in favour of the CMS and which support the notion that it enhances individual's right to privacy appear to be inadequate, to say the least.</p>
<p align="JUSTIFY">In contemporary democracies, most people would agree that freedom is a fundamental human right. The right to privacy should be equally fundamental, since it <a class="external-link" href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">protects individuals from abuse by those in power</a> and is integral in ensuring individual liberty. India may literally be the largest democracy in the world, but it lacks privacy legislation which establishes the right to privacy, which guarantees data protection and which safeguards individuals from the potentially unlawful interception of their communications. And as if that is not enough, India is also carrying out a surveillance scheme which is largely unregulated. As such, it is highly recommended that India establishes a privacy law now.</p>
<p align="JUSTIFY">If we do the math, here is what we have: a country with extremely high levels of corruption, no privacy law and an unregulated surveillance scheme which lacks public and parliamentary debate prior to its implementation. All of this makes it almost impossible to believe that we are talking about a democracy, let alone the world's largest (by population) democracy! Therefore, if Indian authorities are interested in preserving the democratic regime they claim to be a part of, I think it would be highly necessary to halt the Central Monitoring System and to engage the public and the parliament in a debate about it.</p>
<p align="JUSTIFY">After all, along with our right to privacy, freedom of expression and other human rights...our right to freedom from suspicion appears to be at stake.</p>
<p align="JUSTIFY"><i>How can we not be worried about the Central Monitoring System?</i></p>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY">The Centre for Internet and Society (CIS) is in possession of the documents which include the information on the Central Monitoring System (CMS) as analysed in this article, as well as of the draft Rule 419B under the Indian Telegraph Act, 1885.</p>
<ul>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about'>https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about</a>
</p>
No publishermariaSurveillanceInternet GovernanceSAFEGUARDS2014-02-22T13:50:37ZBlog EntryUAS License Agreement Amendment regarding the Central Monitoring System (CMS)
https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment
<b></b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment'>https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment</a>
</p>
No publishermariaSurveillanceInternet GovernanceSAFEGUARDS2014-01-30T12:43:56ZFileNew Document on India's Central Monitoring System (CMS) - 2
https://cis-india.org/internet-governance/blog/new-cms-doc-2
<b></b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/new-cms-doc-2'>https://cis-india.org/internet-governance/blog/new-cms-doc-2</a>
</p>
No publishermariaSurveillanceInternet GovernanceSAFEGUARDS2014-01-30T12:40:31ZFileInterview with Mathew Thomas from the Say No to UID campaign - UID Court Cases
https://cis-india.org/internet-governance/blog/interview-with-mathew-thomas-from-the-say-no-to-uid-campaign
<b>The Centre for Internet and Society (CIS) recently interviewed Mathew Thomas from the Say No to UID campaign about his ongoing efforts to challenge the UID scheme legally in the Bangalore High Court and Supreme Court of India. Read this interview and gain an interesting insight on recent legal developments with regards to the UID!</b>
<h3><b>Hi Mathew! We've heard that you've been in court a lot over the last few years with regards to the UID scheme. Could you please tell us about the UID case you have filed?</b></h3>
<p align="JUSTIFY" class="western">In early 2012, I filed a civil suit at the Bangalore Court to declare the UID scheme illegal and to stop further biometric enrollments. I alleged that foreign agencies are involved in the process of biometric enrollment, and that cases of corruption have occurred with regards to the companies contracted by the UID Authority of India (UIDAI). Many dubious companies have been empanelled for biometric enrollments by the UIDAI and many cases of corruption have been noted, especially with regards to the preparation of biometric databases for below poverty line (BPL) ration cards in Karnataka.</p>
<p align="JUSTIFY" class="western">In 2010, according to a government audit report, COMAT Technologies Private Limited had a contract with the Karnataka Government and was required to undertake a door-to-door survey and to set up biometric devices. COMAT Technologies Private Limited was paid ₹ 542.3 million for this purpose, but it turns out that the company did not comply with the terms of the contract and did not fullfill its obligations under the contract. Even though COMAT Technologies Private Limited had been contracted and had been paid ₹ 542.3 million, the company did not hand over any biometric device to the Karnataka Government. Instead, when the company got questioned, it walked away from the contract in 2010, even though it had been paid for a service it did not deliver.</p>
<p style="text-align: justify; ">In the same year, 2010, COMAT Technologies was empanelled as an Enrolling Agency of the UIDAI. COMAT Technologies also carries out enrollments in Mysore and a TV channel sting operation revealed that fake IDs were being issued in the Mysore enrollment center. After much persuasion, the e-Government department of Karnataka informed me that they have filed an FIR. And this is just one case of a corrupt company empanelled as an enrollement agency with the UIDAI. Many similar cases with other companies have occurred in other cities in India, such as Mumbai, where the empanelled agencies have committed fraud and police complaints have been filed. But unfortunately, there is no publicly available information on the state of the investigations.</p>
<p align="JUSTIFY" class="western">As such, I filed a case at the Bangalore Court and stated that the whole UID system is insecure, that it will not achieve the objective of preventing leakages of welfare subsidies and that, therefore, it is a waste of public funds, which also affects individuals' right to privacy and right to life. In my complaint in the civil court I made allegations of corruption and dangers to national security backed by documentary evidence. According to Order 8 of the Civil Procedure Code (CPC), defendants are required to specifically deny each of the allegations against them and if they don't, the court is required to accept the allegations as accurate. According to law, vague, bald denials are not acceptable in courts. Interestingly enough, the defendants in this court case did <i>not</i> deny any of the allegations, but instead stated that they (allegations) are “trivial” and requested the judge to dismiss the case without a trial. The judge requested the defendants to file a written application, asking for the suit to be dismissed under Order 7, Rule 11, of the Civil Procedure Code. Nonetheless, in May 2012, the judge observed that this is a serious case which should not be dismissed and that he would like to have a daily hearing of the case, especially since the case was grounded on the allegation that thousands of crores of rupees of public money are spent every day.</p>
<p align="JUSTIFY" class="western">However, one month later in June 2012, the judge dismissed the case by stating that I did not have a “cause of action” and that the case is not of civil nature under Section 9 of the Code of Civil Procedure. I argued that tax payers have a right to know where their money is going and that we all have a right to privacy and that therefore, I <i>did</i> have a cause for action. I quoted the Supreme Court case setting out the law relating to the meaning of “civil nature”. The Apex court said, “Anything which is not of criminal nature is of civil nature”. I also quoted several court precedents which explained conditions under which complaints could be dismissed under Order VII Rule 11. Unfortunately though, the judge dismissed all of this and suggested that I should take this case to the High Court or to the Supreme Court, since the Bangalore Court did not have the authority to address the violation of fundamental human rights. In my opinion, the fallacy in this judgement was that, on the one hand, the judge stated in his order that there was “no cause for action”, but on the other hand, he said that I should take the case to the High Court or to the Supreme Court! And on top of that, the judge stated that my case was frivolous and levied on me a Rs. 25, 000 fine, because apparently I was “wasting the court's time” !</p>
<p align="JUSTIFY" class="western">In addition to all of this, the judge made a very intriguing statement in his order: he claimed that the biometric enrollment with the UIDAI is voluntary and that therefore I need not enrol. I argued that although the UID is voluntary in theory, it is actually mandatory on many levels, especially since access to many governmental services require enrollment with the UIDAI. Nonetheless, the judge insisted that the UID is purely voluntary and that if I am not happy with the UID, then I should just “stay at home”.</p>
<h3><b>And how did the case continue thereafter?</b></h3>
<p align="JUSTIFY" class="western">In October 2012 I appealed against this to the High Court by stating that there was a misapplication of Order 7, Rule 11, of the Civil Procedure Code and requested the High Court to send the suit back for trial at the Bangalore Court.</p>
<p align="JUSTIFY" class="western">Now, when you appeal in India, the Court has to issue notices to the opposite party, which are usually sent by registered post. However, nothing was happening, so I filed a number of applications to hear the case. The registrar’s office filed a number of trivial “objections” with which I needed to comply and this took three months, until January 2013. For example, one “objection” was that the lower court order stated the date of the order as "03-07-12", whereas I had mentioned the date as 3 July 2012. Then they would argue that the acknowledgement of the receipt of the notice from the respondents was not received. The High Court is located next to the head post office (GPO) in Bangalore and normally it would be sent there, then directly to the GPO in Delhi and from there to the Planning Commission or to the UIDAI. Yet, the procedure was delayed because apparently the notices weren't sent. In one hearing, the court clerk said that the address of the defendant was wrong and that the address of the Planning Commission should also be included. All in all, it seemed to me like there was some deliberate attempt to delay the procedure and the dismissal of the case by the Bangalore Court seemed very questionable. As a result, in January 2013, I asked the High Court to permit me to personally hand over my appeal to the Government Council. And finally, on 17th December 2013, my appeal was heard by the Bangalore High Court!</p>
<p align="JUSTIFY" class="western">Over the last three months, the defendants have not filed any counter affidavit. Instead, the Government Council came to the High Court and stated that I have not filed a “paper book” (which includes depositions and evidence, among other things). However, the judge stated that this is not a case which requires a “paper book”, since my appeal was about the misapplication of Order 7, Rule 11, of the Civil Procedure Code. Then the Government Council asked for more time to review the appeal and it is has been postponed.</p>
<h3><b>Have there been any other recent court cases against the UID?</b></h3>
<p align="JUSTIFY" class="western">Yes. While all of this was going on, retired judge, Justice Puttaswamy, filed a petition in the Supreme Court, stating that the UID scheme is illegal, since it violates article 73 of the Constitution. Aruna Roy, who is an activist at the National Council for People’s Right to Information, has also filed a petition where she has questioned the UID because it violates privacy rights and the rights of the poor.</p>
<p align="JUSTIFY" class="western">Furthermore, petitions have been filed in the Madras High Court and in the Mumbai High Court. In 2012, it was argued in the Madras High Court that the only legal provision for taking fingerprints exists under the Prisoners Act, whereas the UIDAI is taking the fingerprints of people who are not prisoners and therefore it is illegal. In 2013, Vikram Crishna, Kamayani Bahl and a few others argued in the Mumbai High Court that the right to privacy is being violated through the UID scheme. It is noteworthy that in most of these cases, the defendants have not filed any counter-arguments. The only exceptions were in the Aruna Roy and Puttaswamy cases, where the defendants claimed that the UID is secure and supported it in general. In the end, the Supreme Court directed that the cases in Mumbai and Madras should be clubbed together and addressed by it. As such, the cases filed in the Madras and Mumbai High Courts have been sent to the Supreme Court of India.</p>
<p align="JUSTIFY" class="western">Major General Vombathakere also filed a petition in the Supreme Court, arguing that the UID scheme violates individuals' right to privacy. When the counsel for the General commenced his arguments the judge pointed to the possibility of the Government passing the NIA Bill soon, which will contain provisions for privacy, as stated by the Government. As such, the judge implied that if the Government passes such a law the argument, that the Government is implementing the scheme in a legal vacuum, may not be valid.</p>
<h3><b>So what is the status of your pending court cases?</b></h3>
<p align="JUSTIFY" class="western">Well, I impleaded myself in Aruna Roy's petition and brought my arguments with regards to corruption in the case of companies contracted with the UIDAI and the danger to national security through the involvement of persons linked to US intelligence agencies. The last hearing in the Supreme Court was on 10th December 2013, but it was postponed to 28 January 2014. So in short, in the Supreme Court I am currently filing a case for investigation with regards to corruption and links with foreign intelligence agencies by companies contracted with the UIDAI, while in the Bangalore High Court, I have appealed a civil trial with regards to the misplacement of Order 7, Rule 11, of the Civil Procedure Code.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-mathew-thomas-from-the-say-no-to-uid-campaign'>https://cis-india.org/internet-governance/blog/interview-with-mathew-thomas-from-the-say-no-to-uid-campaign</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2014-01-27T12:47:49ZBlog EntryWhy 'Facebook' is More Dangerous than the Government Spying on You
https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you
<b>In this article, Maria Xynou looks at state and corporate surveillance in India and analyzes why our "choice" to hand over our personal data can potentially be more harmful than traditional, top-down, state surveillance. Read this article and perhaps reconsider your "choice" to use social networking sites, such as Facebook. </b>
<p align="JUSTIFY"><i>Do you have a profile on Facebook?</i> Almost every time I ask this question, the answer is ‘yes’. In fact, I think the amount of people who have replied ‘no’ to this question can literally be counted on my right hand. But this is not an article about Facebook per se. It’s more about the ‘Facebooks’ of the world, and of people’s increasing “choice” to hand over their most personal data. More accurate questions are probably:</p>
<p align="JUSTIFY">“<i>Would you like the Government to go through your personal diary? If not, then why do you have a profile on Facebook?”</i></p>
<h2><span><b>The Indian Surveillance State</b></span></h2>
<p align="JUSTIFY">Following <span style="text-decoration: underline;"><a href="http://news.yahoo.com/nsa-revelations-timeline-whats-come-since-snowden-leaks-203656274.html">Snowden</a><a href="http://news.yahoo.com/nsa-revelations-timeline-whats-come-since-snowden-leaks-203656274.html">’</a><a href="http://news.yahoo.com/nsa-revelations-timeline-whats-come-since-snowden-leaks-203656274.html">s</a><a href="http://news.yahoo.com/nsa-revelations-timeline-whats-come-since-snowden-leaks-203656274.html"> </a><a href="http://news.yahoo.com/nsa-revelations-timeline-whats-come-since-snowden-leaks-203656274.html">revelations</a></span>, there’s finally been more talk about surveillance. But what is surveillance?</p>
<p align="JUSTIFY">David Lyon - who directs the <span style="text-decoration: underline;"><a href="http://www.sscqueens.org/">Surveillance</a><a href="http://www.sscqueens.org/"> </a><a href="http://www.sscqueens.org/">Studies</a><a href="http://www.sscqueens.org/"> </a><a href="http://www.sscqueens.org/">Centre</a></span> - <span style="text-decoration: underline;"><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">defines</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">surveillance</a></span> as <i>“any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered”</i>. <a href="http://www.polity.co.uk/book.asp?ref=9780745635910"><span style="text-decoration: underline;">Surveillance</span></a> can also be defined as the monitoring of the behaviour, activities or other changing information of individuals or groups of people. However, this definition implies that individuals and/or groups of people are being monitored in a top-down manner, without this being their “choice”. But is that actually the case? To answer this question, let’s have a look at how the Indian government and corporations operating in India spy on us.</p>
<h3><b>State Surveillance</b></h3>
<p align="JUSTIFY">The first things that probably come to mind when thinking about India from a foreigner’s perspective are poverty and corruption. Surveillance appears to be a “Western, elitist issue”, which mainly concerns those who have already solved their main survival problems. In other words, the most mainstream argument I hear in India is that surveillance is not a <i>real </i>issue, especially since the majority of the population in the country lives below the line of poverty and does not even have any Internet access. Interestingly enough though, the other day when I was walking around a slum in Koramangala, I noticed that most people have Airtel satellites...even though they barely have any clean water!</p>
<p align="JUSTIFY">The point though is that surveillance in India is a fact, and the state plays a rather large role in it. In particular, Indian law enforcement agencies follow three steps in ensuring that targeted and mass surveillance is carried out in the country:</p>
<p align="JUSTIFY">1. They create surveillance schemes, such as the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Monitoring</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">System</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> (</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">CMS</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">)</a></span>, which carry out targeted and/or mass surveillance</p>
<p align="JUSTIFY">2. They create laws, guidelines and license agreements, such as the <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> (</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Amendment</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">) </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> 2008</a></span>, which mandate targeted and mass surveillance and which require ISP and telecom operators to comply</p>
<p align="JUSTIFY">3. They buy surveillance technologies from companies, such as CCTV cameras and spyware, and use them to carry out targeted and/or mass surveillance</p>
<p align="JUSTIFY">While Indian law enforcement agencies don’t necessarily follow these steps in this precise order, they usually try to create surveillance schemes, legalise them and then buy the gear to carry them out.</p>
<p align="JUSTIFY">In particular, surveillance in India is regulated under five laws: the <span style="text-decoration: underline;"><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Telegraph</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Act</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> 1885</a></span>, the <span style="text-decoration: underline;"><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Indian</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Post</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Office</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Act</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> 1898</a></span>, the <span style="text-decoration: underline;"><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Indian</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Wireless</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Telegraphy</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Act</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> 1933</a></span>, <span style="text-decoration: underline;"><a href="http://indiankanoon.org/doc/911085/">section</a><a href="http://indiankanoon.org/doc/911085/"> 91 </a><a href="http://indiankanoon.org/doc/911085/">of</a><a href="http://indiankanoon.org/doc/911085/"> </a><a href="http://indiankanoon.org/doc/911085/">the</a><a href="http://indiankanoon.org/doc/911085/"> 1973 </a><a href="http://indiankanoon.org/doc/911085/">Code</a><a href="http://indiankanoon.org/doc/911085/"> </a><a href="http://indiankanoon.org/doc/911085/">of</a><a href="http://indiankanoon.org/doc/911085/"> </a><a href="http://indiankanoon.org/doc/911085/">Criminal</a><a href="http://indiankanoon.org/doc/911085/"> </a><a href="http://indiankanoon.org/doc/911085/">Procedure</a><a href="http://indiankanoon.org/doc/911085/"> (</a><a href="http://indiankanoon.org/doc/911085/">CrPc</a><a href="http://indiankanoon.org/doc/911085/">)</a></span> and the <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> (</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Amendment</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">) </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> 2008</a></span>. These laws mandate targeted surveillance, but remain silent on the issue of mass surveillance which means that technically it is neither allowed nor prohibited, but remains a grey legal area.</p>
<p align="JUSTIFY">While surveillance laws in India may not mandate mass surveillance, some of their sections are particularly concerning. Section 69 of the<span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> (</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Amendment</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">) </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> 2008</a></span> allows for the interception of all information transmitted through a computer resource, while requiring that all users disclose their private encryption keys or face a jail sentence of up to seven years. This appears to be quite bizarre, as individuals can only keep their data private and protect themselves from surveillance through encryption.</p>
<p align="JUSTIFY">Section 44 of the Information Technology (Amendment) Act 2008 imposes stiff penalties on anyone who fails to provide requested information to authorities - which kind of reminds us of Orwell’s totalitarian regime in <a href="http://www.ministryoflies.com/1984.pdf"><span style="text-decoration: underline;">“1984”</span></a>. Furthermore, section 66A of the same law states that individuals will be punished for sending “offensive messages through communication services”. However, the vagueness of this section raises huge concerns, as it remains unclear what defines an “offensive message” and whether this will have grave implications on the freedom of expression. The <span style="text-decoration: underline;"><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">arrest</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">of</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">two</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">Indian</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">women</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">last</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">November</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">over</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">a</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">Facebook</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">post</a></span> reminds us of this.</p>
<p align="JUSTIFY">Laws in India may not mandate mass surveillance, but guidelines and license agreements issued by the Department of Telecommunications do. In particular, the <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">License</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Agreement</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">regarding</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">the</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Central</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Monitoring</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">System</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> (</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">CMS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">) </a></span>not only mandates mass surveillance, but also attempts to legalise a mass surveillance scheme which aims to intercept all telecommunications and Internet communications in India. Furthermore, the Department of Telecommunications has issued <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/data-services/internet-services">numerous</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">guidelines</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">and</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">license</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">agreements</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">for</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">ISPs</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">and</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">telecom</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">operators</a></span>, which require them to not only be “surveillance-friendly”, but to also enable law enforcement agencies to tap into their servers on the grounds of national security. And then, of course, there’s the new <span style="text-decoration: underline;"><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1">National</a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1"> </a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1">Cyber</a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1"> </a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1">Security</a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1"> </a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1">Policy</a></span>, which mandates surveillance to tackle cyber-crime, cyber-terrorism, cyber-war and cyber-vandalism.</p>
<p align="JUSTIFY">As both a result and prerequisite of these laws, the Indian government has created various surveillance schemes and teams to aid them. In particular, <span style="text-decoration: underline;"><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">India</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">’</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">s</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert"> </a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">Computer</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert"> </a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">Emergency</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert"> </a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">Response</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert"> </a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">Team</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert"> (</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">CERT</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">)</a></span> is currently monitoring “any suspicious move on the Internet” in order to checkmate any potential cyber attacks from hackers. While this may be useful for the purpose of preventing and detecting cyber-criminals, it remains unclear how “any suspicious move” is defined and whether that inevitably enables mass surveillance, without individuals’ knowledge or consent.</p>
<p align="JUSTIFY">The <span style="text-decoration: underline;"><a href="http://ncrb.gov.in/cctns.htm">Crime</a><a href="http://ncrb.gov.in/cctns.htm"> </a><a href="http://ncrb.gov.in/cctns.htm">and</a><a href="http://ncrb.gov.in/cctns.htm"> </a><a href="http://ncrb.gov.in/cctns.htm">Criminal</a><a href="http://ncrb.gov.in/cctns.htm"> </a><a href="http://ncrb.gov.in/cctns.htm">Tracking</a><a href="http://ncrb.gov.in/cctns.htm"> </a><a href="http://ncrb.gov.in/cctns.htm">and</a><a href="http://ncrb.gov.in/cctns.htm"> </a><a href="http://ncrb.gov.in/cctns.htm">Network</a><a href="http://ncrb.gov.in/cctns.htm"> & </a><a href="http://ncrb.gov.in/cctns.htm">Systems</a><a href="http://ncrb.gov.in/cctns.htm"> (</a><a href="http://ncrb.gov.in/cctns.htm">CCTNS</a><a href="http://ncrb.gov.in/cctns.htm">)</a></span> is the creation of a nationwide networking infrastructure for enhancing the efficiency and effectiveness of policing and sharing data among 14,000 police stations across the country. It has been estimated that Rs. 2000 crore has been allocated for the CCTNS project and while it may potentially increase the effectiveness of tackling crime and terrorism, it raises questions around the legality of data sharing and its potential implications on the right to privacy and other human rights - especially if such data sharing results in data being disclosed or shared with unauthorised third parties.</p>
<p align="JUSTIFY">Similarly, the <span style="text-decoration: underline;"><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">National</a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html"> </a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">Intelligence</a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html"> </a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">Grid</a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html"> (</a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">NATGRID</a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">)</a></span> is an integrated intelligence grid that will link the databases of several departments and ministries of the Government of India so as to collect comprehensive patterns of intelligence that can be readily accessed by intelligence agencies. This was first proposed in the aftermath of the Mumbai 2008 terrorist attacks and while it may potentially aid intelligence agencies in countering crime and terrorism, enforced privacy legislation should be a prerequisite, which would safeguard our data from potential abuse.</p>
<p align="JUSTIFY">However, the most controversial surveillance scheme being implemented in India is probably the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Monitoring</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">System</a></span> (CMS). While several states, such as Assam, already have <span style="text-decoration: underline;"><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Internet</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Monitoring</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Systems</a></span> in place, the Central Monitoring System appears to raise even graver concerns. In particular, the CMS is a system through which all telecommunications and Internet communications in India will be monitored by Indian authorities. In other words, the CMS will be capable of intercepting our calls and of analyzing our data on social networking sites, while all such data would be retained in a centralised database. Given that India currently lacks privacy legislation, such a system would mostly be unregulated and would pose major threats to our right to privacy and other human rights. Given that data would be centrally stored, the system would create a type of “honeypot” for centralised cyber attacks. Given that the centralised database would have massive volumes of data for literally a billion people, the probability of error in pattern and profile matching would be high - which could potentially result in innocent people being convicted for crimes they did not commit. Nonetheless, mass surveillance through the CMS is currently a reality in India.</p>
<p align="JUSTIFY">And the even bigger question: How can law enforcement agencies mine the data of 1.2 billion people? How do they even carry out surveillance in practice? Well, that’s where surveillance technology companies come in. In fact, the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers">surveillance</a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers"> </a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers">industry</a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers"> </a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers">in</a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers"> </a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers">India</a></span> is massively expanding - especially in light of its new surveillance schemes which require advanced and sophisticated technology. According to <span style="text-decoration: underline;"><a href="https://cis-india.org/cisprivacymonitor">CIS</a><a href="https://cis-india.org/cisprivacymonitor">’ </a><a href="https://cis-india.org/cisprivacymonitor">India</a><a href="https://cis-india.org/cisprivacymonitor"> </a><a href="https://cis-india.org/cisprivacymonitor">Privacy</a><a href="https://cis-india.org/cisprivacymonitor"> </a><a href="https://cis-india.org/cisprivacymonitor">Monitor</a><a href="https://cis-india.org/cisprivacymonitor"> </a><a href="https://cis-india.org/cisprivacymonitor">Map</a></span> - which is part of ongoing research - Indian law enforcement agencies use CCTV cameras in pretty much every single state in India. The map also shows that Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are being used in most states in India and the <span style="text-decoration: underline;"><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/">DRDO</a><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/">’</a><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/">s</a><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/"> “</a><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/">Netra</a><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/">”</a></span> - which is a lightweight drone, not much bigger than a bird - is particularly noteworthy.</p>
<p align="JUSTIFY">But Indian law enforcement agencies also buy surveillance software and hardware which is aimed at intercepting telecommunications and Internet communications. In particular, <span style="text-decoration: underline;"><a href="http://www.clear-trail.com/">ClearTrail</a><a href="http://www.clear-trail.com/"> </a><a href="http://www.clear-trail.com/">Technologies</a></span> is an Indian company - based in Indore - which equips law enforcement agencies in India and around the world with <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">surveillance</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">software</a></span> which can probably be compared with the “notorious” FinFisher. So in short, there appears to be a tight collaboration between Indian law enforcement agencies and the surveillance industry, which can be clearly depicted in the <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">surveillance</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">trade</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">shows</a></span>, otherwise known as “the wiretappers’ ball”.</p>
<h3><b>Corporate Surveillance</b></h3>
<p align="JUSTIFY">When I ask people about corporate surveillance, the answer I usually get is: <i>“Corporations only care about their profit - they don’t do surveillance per se”</i>. And while that may be true, <span style="text-decoration: underline;"><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">David</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">Lyon</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">’</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">s</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">definition</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">of</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">surveillance</a></span> - as <i>“any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered” </i>- may indicate otherwise.</p>
<p align="JUSTIFY">Corporations, like Google, Amazon and Facebook, may not have an agenda for spying per se, but they do collect massive volumes of personal data and, in cases such as PRISM, <span style="text-decoration: underline;"><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">allow</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">law</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">enforcement</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">to</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">tap</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">into</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">their</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">servers</a></span>. Once law enforcement agencies get hold of data collected by companies, such as Facebook, they then use data mining software - equipped by various surveillance technology companies - to process and mine the data. And how do companies, like Google and Facebook, make money off our personal data? By selling it to big buyers, such as law enforcement agencies.</p>
<p align="JUSTIFY">So while Facebook and all the ‘Facebooks’ of the world may not profit from surveillance per se, they do profit from collecting our personal data and selling it to third parties, which include law enforcement agencies. And David Lyon argues that <span style="text-decoration: underline;"><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">surveillance</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">involves</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">the</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">collection</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">of</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">personal</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">data</a></span> - which corporations, like Facebook, do - for the purpose of influencing and managing individuals. While this last point can probably be widely debated on, it is clear that corporations share their collected data with third parties, which ultimately leads to the influence or managing of individuals - directly or indirectly. In other words, the collection of personal data, in combination with its disclosure to third parties, <i>is</i> surveillance. So when we think about companies, like Google or Facebook, we should not just think of businesses interested in their profit - but also of spying agencies. After all, <span style="text-decoration: underline;"><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">“</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">if</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">the</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">product</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">is</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">free</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">, </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">you</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">are</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">the</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">product</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">”</a></span>.</p>
<p align="JUSTIFY">Now if we look at online corporations more closely, we can probably identify three categories:</p>
<p align="JUSTIFY">1. Websites through which we <i>buy products </i>and hand over our personal details - e.g. Amazon</p>
<p align="JUSTIFY">2. Websites through which we <i>use services</i> and hand over our personal details - e.g. flight ticket</p>
<p align="JUSTIFY">3. Websites through which we <i>communicate</i> and hand over our personal details - e.g. Facebook</p>
<p align="JUSTIFY">And why could the above be considered “spying” at all? Because such corporations collect massive volumes of personal data and subsequently:</p>
<p align="JUSTIFY">- <span style="text-decoration: underline;"><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">Disclose</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">such</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">data</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">to</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">law</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">enforcement</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">agencies</a></span></p>
<p align="JUSTIFY">- <span style="text-decoration: underline;"><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">Allow</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">law</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">enforcement</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">agencies</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">to</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">tap</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">into</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">their</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">servers</a></span></p>
<p align="JUSTIFY">- Sell such data to “third parties”</p>
<p align="JUSTIFY">What’s notable about so-called corporate surveillance is that, in all cases, there is a mutual, key element: we <i><span style="text-decoration: underline;"><a href="https://www.eff.org/wp/know-your-rights">consent</a><a href="https://www.eff.org/wp/know-your-rights"> </a></span></i><span style="text-decoration: underline;"><a href="https://www.eff.org/wp/know-your-rights">to</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">the</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">handing</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">over</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">of</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">our</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">personal</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">information</a></span>. We are not forced to hand over our personal data when buying a book online, booking a flight ticket or using Facebook. Instead, we “choose” to hand over our personal data in exchange for a product or service. Now what significantly differentiates state surveillance to corporate surveillance is the factor of <i>“choice”</i>. While we may choose to hand over our most personal details to large online corporations, such as Google and Facebook, we do not have a choice when the government monitors our communications, collects and stores our personal data.</p>
<h2 align="JUSTIFY"><span><b>State Surveillance </b></span><i><b>vs.</b></i><span><b> Corporate Surveillance</b></span></h2>
<p align="JUSTIFY">Both Indian law enforcement agencies and corporations collect massive volumes of personal data. In fact, it is probably noteworthy to mention that Facebook, in particular, <span style="text-decoration: underline;"><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">collects</a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/"> 20 </a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">times</a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/"> </a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">more</a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/"> </a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">data</a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/"> </a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">per</a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/"> </a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">day</a></span> than the NSA in total. In addition, Facebook has <a href="http://www.ft.com/cms/s/0/7536d216-0f36-11e3-ae66-00144feabdc0.html#axzz2jDSrZPHv"><span style="text-decoration: underline;">claimed</span></a> that it has received more demands from the US government for information about its users than from all other countries combined. In this sense, the corporate collection of personal data can potentially be more harmful than government surveillance, especially when law enforcement agencies are tapping into the servers of companies like Facebook. After all, the Indian government and all other governments would have very little data to analyse if it weren’t for such corporations.</p>
<p align="JUSTIFY">Surveillance is not just about “spying” or about “watching people” - it’s about much much more. Observing people’s behaviour only really becomes harmful when the data observed is collected, retained, analysed, shared and disclosed to unauthorised third parties. In other words, surveillance is meaningful to examine because it involves the <a href="https://www.sogeti.nl/updates/vint/internet-things-has-dark-side-well-surveillance"><i><span style="text-decoration: underline;">analysis</span></i></a><span style="text-decoration: underline;"><a href="https://www.sogeti.nl/updates/vint/internet-things-has-dark-side-well-surveillance"> </a><a href="https://www.sogeti.nl/updates/vint/internet-things-has-dark-side-well-surveillance">of</a><a href="https://www.sogeti.nl/updates/vint/internet-things-has-dark-side-well-surveillance"> </a><a href="https://www.sogeti.nl/updates/vint/internet-things-has-dark-side-well-surveillance">data</a></span>, which in turn involves <span style="text-decoration: underline;"><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf">pattern</a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf"> </a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf">matching</a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf"> </a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf">and</a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf"> </a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf">profiling</a></span>, which can potentially have actual, real-world implications - good or bad. But such analysis cannot be possible without having access to large volumes of data - most of which belong to large corporations, like Facebook. The question, though, is: How do corporations collect such large volumes of personal data, which they subsequently share with law enforcement agencies? Simple: Because <i>we “choose”</i> to hand over our data!</p>
<p align="JUSTIFY">Three years ago, when I was doing research on young people’s perspective of Facebook, all of the interviewees replied that they feel that they are in control of their personal data, because they “choose” what they share online. While this may appear to be a valid point, the “choice” factor can widely be debated on. There are many reasons why people “choose” to hand over their personal data, whether to buy a product, use a service, to communicate with peers or because they feel socially pressured into using social networking sites. Nonetheless, it all really comes down to one main reason: <a href="http://edition.cnn.com/2010/TECH/04/14/oppmann.off.the.grid/"><i><span style="text-decoration: underline;">convenience</span></i></a>. Today, in most cases, the reason why we hand over our personal data online in exchange for products or services is because it is simply more convenient to do so. And while that is understandable, at the same time we are exposing our data (and ultimately our lives) in the name of convenience.</p>
<p align="JUSTIFY">The irony in all of this is that, while many people reacted to <span style="text-decoration: underline;"><a href="http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html">Snowden</a><a href="http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html">’</a><a href="http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html">s</a><a href="http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html"> </a><a href="http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html">revelations</a></span> on NSA dragnet surveillance, most of these people probably have profiles on Facebook. Secret, warrantless government surveillance is undeniably intrusive, but in the end of the day, our profiles on Facebook - and on all the ‘Facebooks’ of the world - is what enabled it to begin with. In other words, if we didn’t choose to give up our personal data - especially without really knowing how it would be handled - large databases would not exist and the NSA - and all the ‘NSAs’ of the world - would have had a harder time gathering and analysing data.</p>
<p align="JUSTIFY">In short, the main difference between state and corporate surveillance is that the first is imposed in a top-down manner by authorities, while the second is a result of our “choice” to give up our data. While many may argue that it’s worse to have control imposed on you, I strongly disagree. When control and surveillance are imposed on us in a top-down manner, it’s likely that we will perceive this - sooner or later - as a <i>direct</i> threat to our human rights, which means that it’s likely that we will resist to it at some point. People usually react to what they perceive as a direct threat, whereas <span style="text-decoration: underline;"><a href="https://www.schneier.com/essay-155.html">they</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">rarely</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">react</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">to</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">what</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">does</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">not</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">directly</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">affect</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">them</a></span>. For example, one may perceive murder or suicide as a direct threat due the immediateness of its effect, whereas smoking may not be seen as an equally direct threat, because its consequences are indirect and can usually be seen in the long term. It’s somehow like that with surveillance.</p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">University</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">students</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">have</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">protested</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">on</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">the</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">streets</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">against</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">the</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">installation</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">of</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">CCTV</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">cameras</a></span>, but how many of them have profiles on social networking sites, such as Facebook? People may react to the installation of CCTV cameras, because it may appear as a direct threat to their right to privacy. However, the irony is that the real danger does not necessarily lie within some CCTV cameras, but rather within the profile of each person on a major commercial social networking site. At very best, a CCTV camera will capture some images of us and through that, track our location and possibly our acquaintances. What type of data is captured through a simple, “harmless” Facebook profile? The following probably only includes a tiny percentage of what is actually captured:</p>
<p align="JUSTIFY">- Personal photos</p>
<p align="JUSTIFY">- Biometrics (possibly through photos)</p>
<p align="JUSTIFY">- Family members</p>
<p align="JUSTIFY">- Friends and acquaintances</p>
<p align="JUSTIFY">- Habits, hobbies and interests</p>
<p align="JUSTIFY">- Location (through IP address)</p>
<p align="JUSTIFY">- Places visited</p>
<p align="JUSTIFY">- Economic standing (based on pictures, comments, etc.)</p>
<p align="JUSTIFY">- Educational background</p>
<p align="JUSTIFY">- Ideas and opinions (which may be political, religious, etc.)</p>
<p align="JUSTIFY">- Activities</p>
<p align="JUSTIFY">- Affiliations</p>
<p align="JUSTIFY">The above list could potentially go on and on, probably depending on how much - or what type - of data is disclosed by the individual. The interesting element to this is that <span style="text-decoration: underline;"><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">we</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">can</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">never</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">really</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">know</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">how</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">much</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">data</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">we</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">are</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">disclosing</a></span>, even if we think we control it. While an individual may argue that he/she chooses to disclose an x amount of data, while retaining the rest, that individual may actually be disclosing a 10x amount of data. This may be the case because usually every bit of data hides lots of other bits of data, that we may not be aware of. <i>It all really comes down to who is looking at our data, when and why.</i></p>
<p align="JUSTIFY">For example, (fictional) Priya may choose to share on her Facebook profile (through photos, comments, or any other type of data) that she is female, Indian, a Harvard graduate and that her favourite book is <span style="text-decoration: underline;"><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">“</a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">Anarchism</a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view"> </a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">and</a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view"> </a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">other</a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view"> </a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">Essays</a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">”</a></span> by Emma Goldman. At first glance, nothing appears to be “wrong” with what Priya is revealing and in fact, she appears to care about her privacy by not revealing “the most intimate details” of her life. Moreover, one could argue that there is absolutely nothing “incriminating” about her data and that, on the contrary, it just reflects that she is a “shiny star” from Harvard. However, I am not sure if a data analyst would be restricted to this data and if data analysis would show the same “sparkly” image.</p>
<p align="JUSTIFY">In theory, the fact that Priya is an Indian who attended Harvard reveals another bit of information, that Priya did not choose to share: her economic standing. Given that the majority of Indians live below the line of poverty, there is a big probability that Priya belongs to India’s middle class - if not elite. Priya may not have intentionally shared this information, but it was indirectly revealed through the bits of data that she did reveal: female Indian and Harvard graduate. And while there may not be anything “incriminating” about the fact that she has a good economic standing, in India this usually means that there’s also some strong political affiliation. That brings us to her other bit of information, that her favourite author is a feminist, anarchist. While that may be viewed as indifferent information, it may be crucial depending on the specific political actors in the country she’s in and on the general political situation. If a data analyst were to map the data that Priya chose to share, along with all her friends and acquaintances that she inevitably has through Facebook, that data analyst could probably tell a story about her. And the concerning part is that that story may or may not be true. But that doesn’t really matter.</p>
<p align="JUSTIFY">Today, governments don’t judge us and take decisions based on our version of our data, but<span style="text-decoration: underline;"><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">based</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">on</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">what</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">our</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">data</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">says</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">about</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">us</a></span>. And perhaps, under certain political, social and economic circumstances, our “harmless” data could be more incriminating than what we think. While an individual may express strong political views within a democratic regime, if that political system were to change in the future and to become authoritarian, that individual would possibly be suspicious in the eyes of the government - to say the least. This is where data retention plays a significant role.</p>
<p align="JUSTIFY">Most companies <span style="text-decoration: underline;"><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">retain</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">data</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">indefinitely</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">or</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">for</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">a</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">long</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">period</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">of</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">time</a></span>, which means that future, potentially less-democratic governments may have access to it. And the worst part is that we can never really know what data is being held about us, because within data analysis, <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/spy-files-three">every</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">bit</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">of</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">data</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">may</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">potentially</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">entails</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">various</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">other</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">bits</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">of</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">data</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">that</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">we</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">are</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">not</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">even</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">aware</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">of</a></span>. So, when we “choose” to hand over our data, we don’t necessarily know what or how much we are choosing to disclose. Thus, this is why I agree with Bruce Schneier’s argument that people have an <i><span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html">illusionary</a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html"> </a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html">sense</a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html"> </a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html">of</a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html"> </a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html">control</a></span></i><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html"><span style="text-decoration: underline;"> </span></a>over their personal data.</p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.faculty.ucr.edu/~hanneman/nettext/">Social</a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/"> </a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/">network</a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/"> </a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/">analysis</a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/"> </a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/">software</a></span> is specifically designed to mine huge volumes of data that is collected through social networking sites, such as Facebook. Such software is specifically designed to profile individuals, to create “trees of communication” around them and to <span style="text-decoration: underline;"><a href="http://www.scs.ryerson.ca/~bgajdero/research/Malta08.pdf">match</a><a href="http://www.scs.ryerson.ca/~bgajdero/research/Malta08.pdf"> </a><a href="http://www.scs.ryerson.ca/~bgajdero/research/Malta08.pdf">patterns</a></span>. In other words, this software tells a story about each and every one of us, based on our activities, interests, acquaintances, and all other data. And as mentioned before, such a story may or may not be true.</p>
<p align="JUSTIFY">In data mining, <span style="text-decoration: underline;"><a href="http://www.sagepub.com/upm-data/40006_Chapter1.pdf">behavioural</a><a href="http://www.sagepub.com/upm-data/40006_Chapter1.pdf"> </a><a href="http://www.sagepub.com/upm-data/40006_Chapter1.pdf">statistics</a></span> are being used to analyse our data and to predict how we are likely to behave. When applied to national databases, this may potentially amount to predicting how masses or groups within the public are likely to behave and to subsequently control them. If a data analyst can predict an individual’s future behaviour - with some probability - based on that individuals’ data, the same could potentially occur on a mass, public level. As such, the danger within surveillance - especially corporate surveillance through which we<span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">voluntarily</a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">disclose</a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">massive</a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">amounts</a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">of</a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">data</a></span> about ourselves - is that it appears to come down to <i>public control</i>.</p>
<p align="JUSTIFY">According to security expert Bruce Schneier, <span style="text-decoration: underline;"><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">data</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">today</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">is</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">a</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">byproduct</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">of</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">the</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">Information</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">Society</a></span>. Unlike an Orwellian totalitarian state where surveillance is imposed in a top-down manner, surveillance today appears to widely exist because we indirectly choose and enable it (by handing over our data to online companies), rather than it being imposed on us in a solely top-down manner. However, contemporary surveillance may potentially be far worse than that described in Orwell’s “1984”, because surveillance is publicly perceived to be an <i>indirect </i>threat - if considered to be a threat at all. It is more likely that people will resist a direct threat, than an indirect threat, which means that the possibility of mass violations of human rights as a result of surveillance is real.</p>
<p align="JUSTIFY">Hannah Arendt argued that a main prerequisite and component of totalitarian power is <span style="text-decoration: underline;"><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/">support</a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/"> </a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/">by</a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/"> </a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/">the</a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/"> </a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/">masses</a></span>. Today, surveillance appears to be socially integrated within societies which indicates that contemporary power fueled by surveillance has mass support. While the argument that surveillance is being socially integrated can potentially be widely debated on and requires an entire in depth research of its own, few simple facts might be adequate to prove it at this stage. Firstly, <span style="text-decoration: underline;"><a href="https://cis-india.org/cisprivacymonitor">CCTV</a><a href="https://cis-india.org/cisprivacymonitor"> </a><a href="https://cis-india.org/cisprivacymonitor">cameras</a></span> are installed in most countries, yet there has been very little resistance - on the contrary, there appears to be a type of universal acceptance on the grounds of security. Secondly, different types of spy products exist in the market - such as <span style="text-decoration: underline;"><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">Spy</a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/"> </a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">Coca</a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/"> </a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">Cola</a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/"> </a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">cans</a></span> - which can be purchased by anyone online. Thirdly, countries all over the world carry out controversial surveillance schemes - such as the <span style="text-decoration: underline;"><a href="http://www.techdirt.com/articles/20130629/17255423670/how-indian-governments-central-monitoring-system-makes-nsa-look-like-paragon-restraint.shtml">Central</a><a href="http://www.techdirt.com/articles/20130629/17255423670/how-indian-governments-central-monitoring-system-makes-nsa-look-like-paragon-restraint.shtml"> </a><a href="http://www.techdirt.com/articles/20130629/17255423670/how-indian-governments-central-monitoring-system-makes-nsa-look-like-paragon-restraint.shtml">Monitoring</a><a href="http://www.techdirt.com/articles/20130629/17255423670/how-indian-governments-central-monitoring-system-makes-nsa-look-like-paragon-restraint.shtml"> </a><a href="http://www.techdirt.com/articles/20130629/17255423670/how-indian-governments-central-monitoring-system-makes-nsa-look-like-paragon-restraint.shtml">System</a></span> in India - yet public resistance to such projects is limited. And while one may argue that the above cases don’t necessarily prove that surveillance is being socially integrated, it would be interesting to look at a fourth fact: most people who have Internet access <i>choose </i>to share their personal data through the use of social networking sites.</p>
<p align="JUSTIFY">Reality shows, such as Big Brother, which broadcast the surveillance of people’s lives and present it as a form of entertainment - when actually, I think it should be worrisome - appear to enable the social integration of surveillance. The very fact that we all probably - or, hopefully - know that Facebook can share our personal data with unauthorised third parties and - now, after the Snowden revelations - that governments can tap into Facebook’s servers, should be enough to convince us to delete our profiles. Yet, why do we still all have Facebook profiles? Perhaps because surveillance is socially integrated and perhaps because it is just <span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html">convenient</a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html">to</a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html">be</a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html">on</a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html">Facebook</a></span>. But that doesn’t change the fact that surveillance can potentially be a threat to our human rights. It just means that we perceive surveillance as an indirect threat and that we are unlikely to react to it.</p>
<p align="JUSTIFY">In the long term, what does this mean? Well, it seems like we will probably be <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">more</a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate"> </a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">acceptive</a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate"> </a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">towards</a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate"> </a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">more</a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate"> </a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">authoritarian</a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate"> </a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">power</a></span>, that we will be used to the idea of censoring our own thoughts and actions (in the fear of getting caught by the CCTV camera on the street or the spyware which may or may not be implanted in our laptop) and that ultimately, we will be less politically active and more reluctant to challenge the authority.</p>
<p align="JUSTIFY">What’s particularly interesting though about surveillance today is that it is fueled and <span style="text-decoration: underline;"><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">enabled</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">through</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">our</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">freedom</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">of</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">speech</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">and</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">general</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">Internet</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">freedom</a></span>. If we didn’t have any Internet freedom - or as much as we do - we would have disclosed less personal data and thus surveillance would probably have been more restricted. The more Internet freedom we have, the more personal data we will disclose on Facebook - and on all the ‘Facebooks’ of the world - and the more data will potentially be available to mine, analyse, share and generally incorporate in the surveillance regime. So in this sense, Internet freedom appears to be a type of prerequisite of surveillance, as contradictory and ironic as it may seem. No wonder why the Chinese government has gone the extra mile in creating the <span style="text-decoration: underline;"><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">Chinese</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">versions</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">of</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">Facebook</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">and</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">Twitter</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a></span>- it’s probably no coincidence.</p>
<p align="JUSTIFY">While we may blame governments for establishing surveillance schemes, ISP and TSP operators for complying with governments’ license agreements which often mandate that they create backdoors for spying on us and security companies for creating the surveillance gear in the first place, in the end of the day, we are all equally a part of this mess. If we didn’t <i>choose </i>to hand over our personal data to begin with, none of the above would have been possible.</p>
<p align="JUSTIFY">The real danger in the Digital Age is not necessarily surveillance per se, but our <i>choice</i> to voluntarily disclose our personal data.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you'>https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-11-23T08:38:30ZBlog EntryInterview with Caspar Bowden - Privacy Advocate and former Chief Privacy Adviser at Microsoft
https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate
<b>Maria Xynou recently interviewed Caspar Bowden, an internationally renowned privacy advocate and former Chief Privacy Adviser at Microsoft. Read this exciting interview and gain an insight on India's UID and CMS schemes, on the export of surveillance technologies, on how we can protect our data in light of mass surveillance and much much more!</b>
<div dir="ltr" style="text-align: justify; "><a class="external-link" href="http://www.isodarco.it/courses/andalo12/doc/CBowden.pdf">Caspar Bowden</a> is an independent advocate for better Internet privacy technology and regulation. He is a specialist in data protection policy, privacy enhancing technology research, identity management and authentication. Until recently he was Chief Privacy Adviser for Microsoft, with particular focus on Europe and regions with horizontal privacy law.</div>
<div dir="ltr" style="text-align: justify; "></div>
<div dir="ltr" style="text-align: justify; "></div>
<div dir="ltr" style="text-align: justify; "></div>
<div dir="ltr" style="text-align: justify; ">From 1998-2002, he was the director of the Foundation for Information Policy Research (www.fipr.org) and was also an expert adviser to the UK Parliament for the passage of three bills concerning privacy, and was co-organizer of the influential Scrambling for Safety public conferences on UK encryption and surveillance policy. His previous career over two decades ranged from investment banking (proprietary trading risk-management for option arbitrage), to software engineering (graphics engines and cryptography), including work for Goldman Sachs, Microsoft Consulting Services, Acorn, Research Machines, and IBM.</div>
<div dir="ltr" style="text-align: justify; "></div>
<div dir="ltr" style="text-align: justify; "></div>
<div dir="ltr" style="text-align: justify; "></div>
<div dir="ltr" style="text-align: justify; ">The Centre for Internet and Society interviewed Caspar Bowden on the following questions:</div>
<p align="JUSTIFY"> </p>
<h3 align="JUSTIFY">1. Do you think India needs privacy legislation? Why / Why not?</h3>
<p> </p>
<p align="JUSTIFY"><span>Well I think it's essential for any modern democracy based on a constitution to now recognise a universal human right to privacy. This isn't something that would necessarily have occurred to the draft of constitutions before the era of mass electronic communications, but this is now how everyone manages their lives and maintains social relationships at a distance, and therefore there needs to be an entrenched right to privacy – including communications privacy – as part of the core of any modern state. </span></p>
<h3 align="JUSTIFY">2. The majority of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why / Why not?</h3>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY"><span>Although the majority of people in India are still living in conditions of poverty and don't have access to the Internet or, in some cases, to any electronic communications, that's changing very rapidly. India has some of the highest growth rates in take up with both mobile phones and mobile Internet and so this is spreading very rapidly through all strata of society. It's becoming an essential tool for transacting with business and government, so it's going to be increasingly important to have a privacy law which guarantees rights equally, no matter what anyone's social station or situation. There's also, I think, a sense in which having a right to privacy based on individual rights is much preferable to some sort of communitarian approach to privacy, which has a certain philosophical following; but that model of privacy - that somehow, because of a community benefit, there should also be a sort of community sacrifice in individual rights to privacy - has a number of serious philosophical flaws which we can talk about. </span></p>
<h3 align="JUSTIFY">3. "I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally." Please comment.</h3>
<p> </p>
<h3 align="JUSTIFY"></h3>
<p align="JUSTIFY"><span>Well, it's hard to know where to begin. Almost everybody in fact has “something to hide”, if you consider all of the social relationships and the way in which you are living your life. It's just not true that there's anybody who literally has nothing to hide and in fact I think that it's rather a dangerous idea, in political culture, to think about imposing that on leaders and politicians. There's an increasing growth of the idea – now, probably coming from America- that political leaders (and even their staff - to get hired in the current White House) should open up their lives, even to the extent of requiring officials to give up their passwords to their social network accounts (presumably so that they can be vetted for sources of potential political embarrassment in their private life). This is a very bad idea because if we only elect leaders, and if we only employ bureaucrats, who do not accord any subjective value to privacy, then it means we will almost literally be electing (philosophical) zombies. And we can't expect our political leaders to respect our privacy rights, if we don't recognise that they have a right to privacy in their own lives also. The main problem with the “nothing to hide, so nothing to fear” mantra is that this is used as a rhetorical tool by authoritarian forces in government and society, who simply wish to take a more paternalistic and protective attitude. This reflects a disillusionment within the “deep state” about how democratic states should function.</span></p>
<p align="JUSTIFY">Essentially, those who govern us are given a license through elections to exercise power with consent, but this entails no abrogation of a citizen's duty to question authority. Instead, that should be seen as a civic duty - providing the objections are reasonable. People actually know that there are certain things in their lives that they don't wish other people to know, but by indoctrinating the “nothing to hide” ideology, it inculcates a general tendency towards more conformism in society, by inhibiting critical voices.</p>
<h3>4. Should people have the right to give up their right to privacy? Why / Why not?</h3>
<p> </p>
<p align="JUSTIFY"><span>In European data protection law there is an obscure provision which is particularly relevant to medical privacy, but almost never used in the area of so-called sensitive personal data, like political views or philosophical views. It is possible currently for European governments to legislate to override the ability of the individual to consent. So this might arise, for example, if a foreign company sets up a service to get people to consent to have their DNA analysed and taken into foreign databases, or generally where people might consent to a big foreign company analysing and capturing their medical records. I think there is a legitimate view that, as a matter of national policy, a government could decide that these activities were threatening to data sovereignty, or that was just bad public policy. For example, if a country has a deeply-rooted social contract that guarantees the ability to access medical care through a national health service, private sector actors could try to undermine that social-solidarity basis for universal provision of health care. So for those sorts of reasons I do think it's defensible for governments to have the ability in those sectors to say: “Yes, there are areas where people should not be able to consent to give up their privacy!” </span></p>
<p><span>But then going back to the previous answer, more generally, commercial privacy policies are now so complicated – well, they've always been complicated, but now are mind-blowingly devious as well - people have no real possibility of knowing what they're consenting to. For example, the secondary uses of data flows in social networks are almost incomprehensible, even for technologists at the forefront of research. The French Data Protection authorities are trying to penalize Google for replacing several very complicated privacy policies by one so-called unified policy, which says almost nothing at all. </span>There's<span> no possible way for people to give informed consent to this over-simplified policy, because it doesn't even tell anything useful to an expert. So again in these circumstances, it's right for a regulator to intercede to prevent unfair exploitation of the deceptive kind of “tick-box” consent. Lastly, it is not possible for EU citizens to waive or trade away their basic right to access (or delete) their own data in future, because this seems a reckless act and it cannot be foreseen when this right might become essential in some future circumstances. So in these three senses, I believe it is proper for legislation to be able to prevent the abuse of the concept of consent.</span></p>
<h3 align="JUSTIFY">5. Do you agree with India's UID scheme? Why / Why not?</h3>
<p> </p>
<h3 align="JUSTIFY"></h3>
<p align="JUSTIFY"><span>There is a valid debate about whether it's useful for a country to have a national identity system of some kind - and there's about three different ways that can be engineered technically. The first way is to centralise all data storage in a massive repository, accessed through remote terminal devices. The second way is a more decentralised approach with a number of different identity databases or systems which can interoperate (or “federate” with eachother), with technical and procedural rules to enforce privacy and security safeguards. In general it's probably a better idea to decentralise identity information, because then if there is a big disaster (or cyber-attack) or data loss, you haven't lost everything. The third way is what's called “user-centric identity management”, where the devices (smartphones or computers) citizens use to interact with the system keep the identity information in a totally decentralised way. </span></p>
<p align="JUSTIFY"><span>Now the obvious objection to that is: “Well, if the data is decentralised and it's an official system, how can we trust that the information in people's possession is authentic?”. Well, you can solve that with cryptography. You can put digital signatures on the data, to show that the data hasn't been altered since it was originally verified. And that's a totally solved problem. However, unfortunately, not very many policy makers understand that and so are easily persuaded that centralization is the most efficient and secure design – but that hasn't been true technically for twenty years. Over that time, cryptographers have refined the techniques (the alogithms can now run comfortably on smartphones) so that user-centric identity management is totally achievable, but policy makers have not generally understood that. But there is no technical reason a totally user-centric vision of identity architecture should not be realized. But still the UID appears to be one of the most centralised large systems ever conceived. </span></p>
<p align="JUSTIFY"><span>There are still questions I don't understand about its technical architecture. For example, just creating an identity number by itself doesn't guarantee security and it's a classic mistake to treat an identifier as an authenticator. In other words, to use an identifier or knowledge of an identifier - which could become public information, like the American social security number – to treat knowledge of that number as if it were a key to open up a system to give people access to their own private information is very dangerous. So it's not clear to me how the UID system is designed in that way. It seems that by just quoting back a number, in some circumstances this will be the key to open up the system, to reveal private information, and that is an innately insecure approach. There may be details of the system I don't understand, but I think it's open to criticism on those systemic grounds. </span></p>
<p align="JUSTIFY"><span>And then more fundamentally, you have to ask what's the purpose of that system in society. You can define a system with a limited number of purposes – which is the better thing to do – and then quite closely specify the legal conditions under which that identity information can be used. It's much more problematic, I think, to try and just say that “we'll be the universal identity system”, and then you just try and find applications for it later. A number of countries tried this approach, for example Belgium around 2000, and they expected that having created a platform for identity, that many applications would follow and tie into the system. This really didn't happen, for a number of social and technical reasons which critics of the design had predicted. I suppose I would have to say that the UID system is almost the anithesis of the way I think identity systems should be designed, which should be based on quite strong technical privacy protection mechanisms - using cryptography - and where, as far as possible, you actually leave the custody of the data with the individual. </span></p>
<p align="JUSTIFY"><span>Another objection to this user-centric approach is “back-up”: what happens when you lose the primary information and/or your device? Well, you can anticipate that. You can arrange for this information to be backed-up and recovered, but in such a way that the back-up is encrypted, and the recovered copy can easily be checked for authenticity using cryptography.</span></p>
<h3><b>6. Should Indian citizens be concerned about the Central Monitoring System (CMS)? Why / Why not?</b></h3>
<p><b><br /></b></p>
<h3></h3>
<p align="JUSTIFY"><span>Well, the Central Monitoring System does seem to be an example of very large scale “strategic surveillance”, as it is normally called. Many western countries have had these for a long time, but normally only for international communications. Normally surveillance of domestic communications is done under a particular warrant, which can only be applied one investigation at a time. And it's not clear to me that that is the case with the Central Monitoring System. It seems that this may also be applicable to mass surveillance of communications inside India. Now we're seeing a big controversy in the U.S - particularly at the moment - about the extent to which their international strategic surveillance systems are also able to be used internally. What has happened in the U.S. seems rather deceptive; although the “shell” of the framework of individual protection of rights was left in place, there are actually now so many exemptions when you look in the detail, that an awful lot of Americans' domestic communications are being subjected to this strategic mass surveillance. That is unacceptable in a democracy. </span></p>
<p align="JUSTIFY"><span>There are reasons why, arguably, it's necessary to have some sort of strategic surveillance in international communications, but what Edward Snowden revealed to us is that in the past few years many countries – the UK, the U.S, and probably also Germany, France and Sweden – have constructed mass surveillance systems which knowingly intrude on domestic communications also. We are living through a transformation in surveillance power, in which the State is becoming more able to monitor and control the population secretively than ever before in history. And it's very worrying that all of these systems appear to have been constructed without the knowledge of Parliaments and without precise legislation. Very few people in government even seem to have understood the true mind-boggling breadth of this new generation of strategic surveillance. And no elections were fought on a manifesto asking “Do people want this or not?”. It's being justified under a counter-terrorism mantra, without very much democratic scrutiny at all. The long term effects of these systems on democracies are really uncharted territory. </span></p>
<p align="JUSTIFY"><span>We know that we're not in an Orwellian state, but the model is becoming more Kafkaesque. If one knows that this level of intensive and automated surveillance exists, then it has a chilling effect on society. Even if not very much is publicly known about these systems, there is still a background effect that makes people more conformist and less politically active, less prepared to challenge authority. And that's going to be bad for democracy in the medium term – not just the long term. </span></p>
<h3><b>7. Should surveillance technologies be treated as traditional arms / weapons? If so, should export controls be applied to surveillance technologies? Why / Why not?</b></h3>
<p><b><br /></b></p>
<p align="JUSTIFY"><span>Surveillance technologies probably do need to be treated as weapons, but not necessarily as traditional weapons. One probably is going to have to devise new forms of export control, because tangible bombs and guns are physical goods – well, they're not “goods”, they're “bads” - that you can trace by tagging and labelling them, but many of the “new generation” of surveillance weapons are </span><i><span>software</span></i><span>. It's very difficult to control the proliferation of bits – just as it is with copyrighted material. And I remember when I was working on some of these issues thirteen years ago in the UK – during the so-called crypto wars – that the export of cryptographic software from many countries was prohibited. And there were big test cases about whether the source code of these programs was protected under the US First Amendment, which would prohibit such controls on software code. It was intensely ironic that in order to control the proliferation of cryptography in software, governments seemed to be contemplating the introduction of strategic surveillance systems to detect (among other things) when cryptographic software was being exported. In other words, the kind of surveillance systems which motivated the “cypherpunks” to proselytise cryptography, were being introduced (partly) with the perverse justification of preventing such proliferation of such cryptography!</span></p>
<p align="JUSTIFY"><span>In the case of the new, very sophisticated software monitoring devices (“Trojans”) which are being implanted into people's computers – yes, this has to be subject to the same sort of human rights controls that we would have applied to the exports of weapon systems to oppressive regimes. But it's quite difficult to know how to do that. You have to tie responsibility to the companies that are producing them, but a simple system of end-user licensing might not work. So we might actually need governments to be much more proactive than they have been in the past with traditional arms export regimes and actually do much more actively to try and follow control after export – whether these systems are only being used by the intended countries. As for the law enforcement agencies of democratic countries which are buying these technologies: the big question is whether law enforcement agencies are actually applying effective legal and operational supervision over the use of those systems. So, it's a bit of a mess! And the attempts that have been made so far to legislate this area I don't think are sufficient. </span></p>
<h3>8. How can individuals protect their data (and themselves) from spyware, such as FinFisher?</h3>
<p> </p>
<p align="JUSTIFY"><span>In democratic countries, with good system of the rule of law and supervision of law enforcement authorities, there have been cases – notably in Germany – where it's turned out that the police using techniques, like FinFisher, have actually disregarded legal requirements from court cases laying down the proper procedures. So I don't think it's good enough to assume that if one was doing ordinary lawful political campaigning, that one would not be targeted by these weapons. So it's wise for activists and advocates to think about protecting themselves – of course, other professions as well who look after confidential information – because these techniques may also get into the hands of industrial spies, private detectives and generally by people who are not subject to even the theoretical constraints of law enforcement agencies. </span></p>
<p align="JUSTIFY"><span>After Edward Snowden's revelations, we understand that all our computer infrastructure is much more vulnerable – particularly to foreign and domestic intelligence agencies – than we ever imagined. So for example, I don't use Microsoft software anymore – I think that there are techniques which are now being sold to governments and available to governments for penetrating Microsoft platforms and probably other major commercial platforms as well. So, I've made the choice, personally, to use free software – GNU/Linux, in particular – and it still requires more skill for most people to use, but it is much much easier than even a few years ago. So I think it's probably wise for most people to try and invest a little time getting rid of proprietary software if they care at all about societal freedom and privacy. I understand that using the latest, greatest smartphone is cool, and the entertainment and convenience of Cloud and tablets – but people should not imagine that they can keep those platforms secure. </span></p>
<p align="JUSTIFY"><span>It might sound a bit primitive, but I think people should have to go back to the idea that if they really want confidential communications with their friends, or if they are involved with political work, they have to think about setting aside one machine - which they keep offline and just use essentially for editing and encrypting/decrypting material. Once they've encrypted their work on their “air gap” machine, as it's called, then they can put their encrypted emails on a USB stick and transfer them to their second machine which they use to connect online (I notice Bruce Schneier is just now recommending the same approach). Once the “air gap” machine has been set up and configured, you should not connect that to the network – and preferably, don't connect it to the network, ever! So if you follow those sorts of protocols, that's probably the best that is achievable today. </span></p>
<h3 align="JUSTIFY">9. How would you advise young people working in the surveillance industry?</h3>
<p> </p>
<ol> </ol>
<p><span>Young people should try and read a little bit into the ethics of surveillance and to understand their own ethical limits in what they want to do, working in that industry. And in some sense, I think it's a bit like contemplating a career in the arms industry. There are defensible uses of military weapons, but the companies that build these weapons are, at the end of the day, just corporations maximizing value for shareholders. And so, you need to take a really hard look at the company that you're working for or the area you want to work in and satisfy your own standard of ethics, and that what you're doing is not violating other people's human rights. I think that in the fantastically explosive growth of surveillance industries that we've seen over the past few years – and it's accelerating – the sort of technologies particularly being developed for electronic mass surveillance are fundamentally and ethically problematic. And I think that for a talented engineer, there are probably better things that he/she can do with his/her career. </span><b> </b></p>
<ol> </ol> <ol></ol><ol> </ol> <ol> </ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate'>https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-11-06T08:16:05ZBlog EntrySpy Files 3: WikiLeaks Sheds More Light On The Global Surveillance Industry
https://cis-india.org/internet-governance/blog/spy-files-three
<b>In this article, Maria Xynou looks at WikiLeaks' latest Spy Files and examines the legality of India's surveillance technologies, as well as their potential connection with India's Central Monitoring System (CMS) and implications on human rights. </b>
<p align="JUSTIFY">Last month, WikiLeaks released <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html">“</a><a href="http://wikileaks.org/spyfiles3.html">Spy</a><a href="http://wikileaks.org/spyfiles3.html"> </a><a href="http://wikileaks.org/spyfiles3.html">Files</a><a href="http://wikileaks.org/spyfiles3.html"> 3”</a></span>, a mass exposure of the global surveillance trade and industry. WikiLeaks first released the Spy Files in December 2011, which entail brochures, presentations, marketing videos and technical specifications on the global trade of surveillance technologies. Spy Files 3 supplements this with 294 additional documents from 92 global intelligence contractors.</p>
<h2><b>So what do the latest Spy Files reveal about India?</b></h2>
<p align="JUSTIFY">When we think about India, the first issues that probably come to mind are poverty and corruption, while surveillance appears to be a more “Western” and elitist issue. However, while many other developing countries are excluded from WikiLeaks’ list of surveillance technology companies, <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html#an1">India</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">is</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">once</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">again</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">on</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">the</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">list</a></span> with some of the most controversial spyware.</p>
<h3><b>ISS World Surveillance Trade Shows</b></h3>
<p align="JUSTIFY">The latest Spy Files include a <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">brochure</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">of</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">the</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">World</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> 2013</a></span> -the so-called “wiretapper’s ball”- which is the world’s largest surveillance trade show. <span style="text-decoration: underline;"><a href="http://www.issworldtraining.com/iss_ap/">This</a><a href="http://www.issworldtraining.com/iss_ap/"> </a><a href="http://www.issworldtraining.com/iss_ap/">years</a><a href="http://www.issworldtraining.com/iss_ap/">’ </a><a href="http://www.issworldtraining.com/iss_ap/">ISS</a><a href="http://www.issworldtraining.com/iss_ap/"> </a><a href="http://www.issworldtraining.com/iss_ap/">World</a><a href="http://www.issworldtraining.com/iss_ap/"> </a><a href="http://www.issworldtraining.com/iss_ap/">Asia</a></span> will take place in Malaysia during the first week of December and law enforcement agencies from around the world will have another opportunity to view and purchase the latest surveillance tech. The<span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">leaked</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">World</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> 2013 </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">brochure</a></span> entails a list of last years’ global attendees. According to the brochure, 53% of the attendees included law enforcement agencies and individuals from the defense, public safety and interior security sectors, 41% of the attendees were ISS vendors and technology integrators, while only 6% of the attendees were telecom operators and from the private enterprise. The brochure boasts that 4,635 individuals from 110 countries attended the ISS World trade shows last year and that the percentage of attendance is increasing.</p>
<p align="JUSTIFY">The following table lists the <a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"><i><span style="text-decoration: underline;">Indian</span></i></a><span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">attendees</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">at</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">last</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">years</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">’ </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">World</a></span>:</p>
<table class="plain">
<tbody>
<tr>
<th>
<p align="JUSTIFY"><span><span><b>Law Enforcement, Defense and Interior Security Attendees</b></span></span></p>
</th><th>
<p align="JUSTIFY"><span><span><b>Telecom Operators and Private Enterprises Attendees</b></span></span></p>
</th><th>
<p align="JUSTIFY"><span><span><b>ISS Vendors and Technology Integrators Attendees</b></span></span></p>
</th>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Andhra Pradesh India Police</span></span></span></p>
</td>
<td>
<p align="JUSTIFY">BT</p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>AGC Networks</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>CBI Academy</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Cogence Investment Bank</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Aqsacom India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Government of India, Telecom Department</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>India Reliance Communications</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>ClearTrail Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Cabinet Secretariat</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Span Telecom Pvt. Ldt. </span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Foundation Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Centre for Development of Telematics (C-DOT)</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY">Kommlabs</p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Chandigarh Police</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Paladion Networks</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Defence Agency</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Polaris Wireless</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India General Police</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Polixel Security Systems</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Intelligence Department</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Pyramid Cyber Security</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India National Institute of Criminology</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Schleicher Group</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India office LOKAYUKTA NCT DELHI</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Span Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Police Department, A.P.</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>TATA India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Tamil Nadu Police Department</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Tata Consultancy Services</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Indian Police Service, Vigilance</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Telecommunications India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Indian Telecommunications Authority</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Vehere Interactive</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>NTRO India</span></span></span></p>
</td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>SAIC Indian Tamil Nadu Police</span></span></span></p>
</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>
<table class="plain">
<tbody>
<tr>
<th> 17 4 15<br /></th>
</tr>
</tbody>
</table>
<p align="JUSTIFY">According to the above table - which is based on data from the <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">WikiLeaks</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">’ </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">World</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> 2013 </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">brochure</a></span>- the majority of Indian attendees at last years’ ISS World were from the law enforcement, defense and interior security sectors. 15 Indian companies exhibited and sold their surveillance technologies to law enforcement agencies from around the world and it is notable that India’s popular ISP provider, Reliance Communications, attended the trade show too.</p>
<p align="JUSTIFY">In addition to the ISS World 2013 brochure, the Spy Files 3 entail a detailed brochure of a major Indian surveillance technology company: ClearTrail Technologies.</p>
<h3><b>ClearTrail Technologies</b></h3>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.clear-trail.com/">ClearTrail</a><a href="http://www.clear-trail.com/"> </a><a href="http://www.clear-trail.com/">Technologies</a></span> is an Indian company based in Indore. The document titled <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Internet</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Monitoring</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Suite</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">”</a></span> from ClearTrail Technologies boasts about the company’s mass monitoring, deep packet inspection, COMINT, SIGINT, tactical Internet monitoring, network recording and lawful interception technologies. ClearTrail’s Internet Monitoring Suite includes the following products:</p>
<p align="JUSTIFY"><b>1. ComTrail: Mass Monitoring of IP and Voice Networks</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a> is an integrated product suite for centralized interception and monitoring of voice and data networks. It is equipped with an advanced analysis engine for pro-active analysis of thousands of connections and is integrated with various tools, such as Link Analysis, Voice Recognition and Target Location.</p>
<p align="JUSTIFY">ComTrail is deployed within a service provider network and its monitoring function correlates voice and data intercepts across diverse networks to provide a comprehensive intelligence picture. ComTrail supports the capture, record and replay of a variety of Voice and IP communications in pretty much any type of communication, including - but not limited to- Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls.</p>
<p align="JUSTIFY">Additionally, ComTrail intercepts data from any type of network -whether Wireless, packet data, Wire line or VoIP networks- and can decode hundreds of protocols and P2P applications, including HTTP, Instant Messengers, Web-mails, VoIP Calls and MMS.</p>
<p align="JUSTIFY">In short, ComTrail’s key features include the following:</p>
<p align="JUSTIFY">- Equipped to handle millions of communications per day intercepted over high speed STM & Ethernet Links</p>
<p align="JUSTIFY">- Doubles up as Targeted Monitoring System</p>
<p align="JUSTIFY">- On demand data retention, capacity exceeding several years</p>
<p align="JUSTIFY">- Instant Analysis across thousands of Terabytes</p>
<p align="JUSTIFY">- Correlates Identities across multiple networks</p>
<p align="JUSTIFY">- Speaker Recognition and Target Location</p>
<p align="JUSTIFY"><b>2. xTrail: Targeted IP Monitoring</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">xTrail</span></a> is a solution for interception, decoding and analysis of high speed data traffic over IP networks and independently monitors ISPs/GPRS and 3G networks. xTrail has been designed in such a way that it can be deployed within minutes and enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. This product is capable of intercepting all types of networks -including wireline, wireless, cable, VoIP and VSAT networks- and acts as a black box for “record and replay” targeted Internet communications.</p>
<p align="JUSTIFY">Interestingly enough, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, an IP address, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID. Furthermore, xTrail can be integrated with link analysis tools and can export data in a digital format which can allegedly be presented in court as evidence.</p>
<p align="JUSTIFY">In short, xTrail’s key features include the following:</p>
<p align="JUSTIFY">- Pure passive probe</p>
<p align="JUSTIFY">- Designed for rapid field operations at ISP/GPRS/Wi-Max/VSAT Network Gateways</p>
<p align="JUSTIFY">- Stand-alone solution for interception, decoding and analysis of multi Gigabit IP traffic</p>
<p align="JUSTIFY">- Portable trolley based for simplified logistics, can easily be deployed and removed from any network location</p>
<p align="JUSTIFY">- Huge data retention, rich analysis interface and tamper proof court evidence</p>
<p align="JUSTIFY">- Easily integrates with any existing centralized monitoring system for extended coverage</p>
<p align="JUSTIFY"><b>3. QuickTrail: Tactical Wi-Fi Monitoring</b></p>
<p align="JUSTIFY">Some of the biggest IP monitoring challenges that law enforcement agencies face include cases when targets operate from public Internet networks and/or use encryption.</p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> is a device which is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. In particular, QuickTrail is equipped with multiple monitoring tools and techniques that can help intercept almost any wired, Wi-Fi or hybrid Internet network so that a target communication can be monitored. QuickTrail can be deployed within fractions of seconds to intercept, reconstruct, replay and analyze email, chat, VoIP and other Internet activities of a target. This device supports real time monitoring and wiretapping of Ethernet LANs.</p>
<p align="JUSTIFY">According to ClearTrail’s brochure, QuickTrail is a “all-in-one” device which can intercept secured communications, know passwords with c-Jack attack, alert on activities of a target, support active and passive interception of Wi-Fi and wired LAN and capture, reconstruct and replay. It is noteworthy that QuickTrail can identify a target machine on the basis of an IP address, MAC ID, machine name, activity status and several other parameters. In addition, QuickTrail supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS. This device also enables the remote and central management of field operations at geographically different locations.</p>
<p align="JUSTIFY">In short, QuickTrail’s key features include the following:</p>
<p align="JUSTIFY">- Conveniently housed in a laptop computer</p>
<p align="JUSTIFY">- Intercepts Wi-Fi and wired LANs in five different ways</p>
<p align="JUSTIFY">- Breaks WEP, WPA/WPA2 to rip-off secured Wi-Fi networks</p>
<p align="JUSTIFY">- Deploys spyware into a target’s machine</p>
<p align="JUSTIFY">- Monitor’s Gmail, Yahoo and all other HTTPS-based communications</p>
<p align="JUSTIFY">- Reconstructs webmails, chats, VoIP calls, news groups and social networks</p>
<p align="JUSTIFY"><b>4. mTrail: Off-The-Air Interception</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> offers active and passive ‘off-the-air’ interception of GSM 900/1800/1900 Mhz phone calls and data to meet law enforcement surveillance and investigation requirements. The mTrail passive interception system works in the stealth mode so that there is no dependence on the network operator and so that the target is unaware of the interception of its communications.</p>
<p align="JUSTIFY">The mTrail system has the capability to scale from interception of 2 channels (carrier frequencies) to 32 channels. mTrail can be deployed either in a mobile or fixed mode: in the mobile mode the system is able to fit into a briefcase, while in the fixed mode the system fits in a rack-mount industrial grade chassis.</p>
<p align="JUSTIFY">Target location identification is supported by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation on so-called “lawfully intercepted” calls in near real-time, as well as to store all calls. Additionally, mTrail supports the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information.</p>
<p align="JUSTIFY">In short, mTrail’s key features include the following:</p>
<p align="JUSTIFY">- Designed for passive interception of GSM communications</p>
<p align="JUSTIFY">- Intercepts Voice and SMS “off-the-air”</p>
<p align="JUSTIFY">- Detects the location of the target</p>
<p align="JUSTIFY">- Can be deployed as a fixed unit or mounted in a surveillance van</p>
<p align="JUSTIFY">- No support required from GSM operator</p>
<p align="JUSTIFY"><b>5. Astra: Remote Monitoring and Infection framework</b></p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Astra</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">”</a></span> is a remote monitoring and infection framework which incorporates both conventional and proprietary infection methods to ensure bot delivery to the targeted devices. It also offers a varied choice in handling the behavior of bots and ensuring non-traceable payload delivery to the controller.</p>
<p align="JUSTIFY">The conventional methods of infection include physical access to a targeted device by using exposed interfaces, such as a CD-ROM, DVD and USB ports, as well as the use of social media engineering techniques. However, Astra also supports bot deployment <i>without</i> requiring any physical access to the target device.</p>
<p align="JUSTIFY">In particular, Astra can push bot to <i>any</i> targeted machine sharing the <i>same</i> LAN (wired, wi-fi or hybrid). The SEED is a generic bot which can identify a target’s location, log keystrokes, capture screen-shots, capture Mic, listen to Skype calls, capture webcams and search the target’s browsing history. Additionally, the SEED bot can also be remotely activated, deactivated or terminated, as and when required. Astra allegedly provides an un-traceable reporting mechanism that operates without using any proxies, which overrules the possibility of getting traced by the target.</p>
<p align="JUSTIFY">Astra’s key features include the following:</p>
<p align="JUSTIFY">- Proactive intelligence gathering</p>
<p align="JUSTIFY">- End-to-end remote infection and monitoring framework</p>
<p align="JUSTIFY">- Follow the target, beat encryption, listen to in-room conversations, capture keystrokes and screen shots</p>
<p align="JUSTIFY">- Designed for centralized management of thousands of targets</p>
<p align="JUSTIFY">- A wide range of deployment mechanisms to optimize success ration</p>
<p align="JUSTIFY">- Non-traceable, non-detectable delivery mechanism</p>
<p align="JUSTIFY">- Intrusive yet stealthy</p>
<p align="JUSTIFY">- Easy interface for handling most complex tasks</p>
<p align="JUSTIFY">- Successfully tested over the current top 10 anti-virus available in the market</p>
<p align="JUSTIFY">- No third party dependencies</p>
<p align="JUSTIFY">- Free from any back-door intervention</p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Technologies</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">argue</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">that</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">they</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">meet</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">lawful</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">interception</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">regulatory</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">requirements</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a></span>across the globe. In particular, they claim that their products are compliant with <a href="http://www.etsi.org/technologies-clusters/technologies/regulation-legislation"><span style="text-decoration: underline;">ETSI</span></a> and <span style="text-decoration: underline;"><a href="http://cryptome.org/laes/calea-require.pdf">CALEA</a><a href="http://cryptome.org/laes/calea-require.pdf"> </a><a href="http://cryptome.org/laes/calea-require.pdf">regulations</a></span> and that they are efficient to cater to region specific requirements as well.</p>
<p align="JUSTIFY">The latest Spy Files also include data on foreign surveillance technology companies operating in India, such as <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html#an1">Telesoft</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">Technologies</a></span>, <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/AGTINTERNATIONAL-2011-UrbaManaSolu-fr.pdf">AGT</a><a href="http://www.wikileaks.org/spyfiles/docs/AGTINTERNATIONAL-2011-UrbaManaSolu-fr.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/AGTINTERNATIONAL-2011-UrbaManaSolu-fr.pdf">International</a></span> and <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html#an1">Verint</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">Systems</a></span>. In particular, <span style="text-decoration: underline;"><a href="http://verint.com/">Verint</a><a href="http://verint.com/"> </a><a href="http://verint.com/">Systems</a></span> has its headquarters in New York and offices all around the world, including Bangalore in India. Founded in 1994 and run by Dan Bodner, Verint Systems produces a wide range of surveillance technologies, including the following:</p>
<p align="JUSTIFY">- Impact 360 Speech Analytics</p>
<p align="JUSTIFY">- Impact 360 Text Analytics</p>
<p align="JUSTIFY">- Nextiva Video Management Software (VMS)</p>
<p align="JUSTIFY">- Nextiva Physical Security Information Management (PSIM)</p>
<p align="JUSTIFY">- Nextiva Network Video Recorders (NVRs)</p>
<p align="JUSTIFY">- Nextiva Video Business Intelligence (VBI)</p>
<p align="JUSTIFY">- Nextiva Surveillance Analytics</p>
<p align="JUSTIFY">- Nextiva IP cameras</p>
<p align="JUSTIFY">- CYBERVISION Network Security</p>
<p align="JUSTIFY">- ENGAGE suite</p>
<p align="JUSTIFY">- FOCAL-INFO (FOCAL-COLLECT & FOCAL-ANALYTICS)</p>
<p align="JUSTIFY">- RELIANT</p>
<p align="JUSTIFY">- STAR-GATE</p>
<p>- VANTAGE</p>
<p align="JUSTIFY">While <span style="text-decoration: underline;"><a href="http://verint.com/">Verint</a><a href="http://verint.com/"> </a><a href="http://verint.com/">Systems</a></span> claims to be in compliance with ETSI, CALEA and other worldwide lawful interception and standards and regulations, it remains unclear whether such products successfully help law enforcement agencies in tackling crime and terrorism, without violating individuals’ right to privacy and other human rights. After all, <span style="text-decoration: underline;"><a href="http://www.issworldtraining.com/iss_europe/">Verint</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">Systems</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">has</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">participated</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">in</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">ISS</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">World</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">Trade</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">shows</a></span> which exhibit some of the most controversial spyware in the world, used to target individuals and for mass surveillance.</p>
<h2><b>And what do the latest Spy Files mean for India?</b></h2>
<p align="JUSTIFY">Why is it even important to look at the latest Spy Files? Well, for starters, they reveal data about which Indian law enforcement agencies are interested in surveillance and which companies are interested in selling and/or buying the latest spy gear. And why is any of this important? I can think of three main reasons:</p>
<p align="JUSTIFY">1. The Central Monitoring System (CMS)</p>
<p align="JUSTIFY">2. Is any of this surveillance even legal in India?</p>
<p align="JUSTIFY">3. Can such surveillance result in the violation of human rights?</p>
<h3><b>Spy Files 3...and the Central Monitoring System (CMS)</b></h3>
<p align="JUSTIFY">Following the <a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html">Mumbai</a><a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html"> 2008 </a><a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html">terrorist</a><a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html"> </a><a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html">attacks</a>, the Telecom Enforcement, Resource and Monitoring (TREM) cells and the Centre for Development of Telematics (C-DOT) started preparing the <a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Monitoring</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">System</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> (</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">CMS</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">)</a>. As of April 2013, this project is being manned by the Intelligence Bureau, while agencies which are planned to have access to it include the Research & Analysis Wing (RAW) and the Central Bureau of Investigation (CBI). ISP and Telecom operators are required to<b> </b><span>install the gear which enables law enforcement agencies to carry</span> out the Central Monitoring System under the <a href="http://www.dot.gov.in/licensing/access-services">Unified</a><a href="http://www.dot.gov.in/licensing/access-services"> </a><a href="http://www.dot.gov.in/licensing/access-services">Access</a><a href="http://www.dot.gov.in/licensing/access-services"> </a><a href="http://www.dot.gov.in/licensing/access-services">Services</a><a href="http://www.dot.gov.in/licensing/access-services"> (</a><a href="http://www.dot.gov.in/licensing/access-services">UAS</a><a href="http://www.dot.gov.in/licensing/access-services">) </a><a href="http://www.dot.gov.in/licensing/access-services">License</a><a href="http://www.dot.gov.in/licensing/access-services"> </a><a href="http://www.dot.gov.in/licensing/access-services">Agreement</a>.</p>
<p align="JUSTIFY">The Central Monitoring System aims at centrally monitoring all telecommunications and Internet communications in India and its estimated cost is <span style="text-decoration: underline;"><a href="http://www.ciol.com/ciol/news/184770/governments-central-monitoring-system-operational-soon">Rs</a><a href="http://www.ciol.com/ciol/news/184770/governments-central-monitoring-system-operational-soon">. 4 </a><a href="http://www.ciol.com/ciol/news/184770/governments-central-monitoring-system-operational-soon">billion</a></span>. In addition to <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">equipping</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">government</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">agencies</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a></span>with Direct Electronic Provisioning, filters and alerts on the target numbers, the CMS will also enable Call Data Records (CDR) analysis and data mining to identify personal information of the target numbers. The CMS supplements<span style="text-decoration: underline;"><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">regional</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Internet</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Monitoring</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Systems</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">, </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">such</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">as</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">that</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">of</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Assam</a></span>, by providing a nationwide monitoring of telecommunications and Internet communications, supposedly to assist law enforcement agencies in tackling crime and terrorism.</p>
<p align="JUSTIFY">However, data monitored and collected through the CMS will be stored in a<span style="text-decoration: underline;"><a href="http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/130509/india-central-monitoring-system-government-internet-access"> </a><a href="http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/130509/india-central-monitoring-system-government-internet-access">centralised</a><a href="http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/130509/india-central-monitoring-system-government-internet-access"> </a><a href="http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/130509/india-central-monitoring-system-government-internet-access">database</a></span>, which could potentially increase the probability of centralized cyber attacks and thus increase, rather than reduce, threats to national security. Furthermore, some basic rules of statistics indicate that <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">the</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">bigger</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">the</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">amount</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">of</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">data</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">, </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">the</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">bigger</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">the</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">probability</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">of</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">an</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">error</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">in</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">matching</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">profiles</a></span>, which could potentially result in innocent people being charged with crimes they did not commit. And most importantly: the CMS currently lacks adequate legal oversight, which means that it remains unclear how monitored data will be used. The <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">License</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Agreement</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">regarding</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">the</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">CMS</a></span> mandates mass surveillance by requiring ISPs and Telecom operators to enable the monitoring and interception of communications. However, targeted and mass surveillance through the CMS not only raises serious questions around its legality, but also creates the potential for abuse of the right to privacy and other human rights.</p>
<p align="JUSTIFY">Interestingly enough, Indian law enforcement agencies which attended <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">last</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">years</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">’ </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">World</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">trade</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">shows</a></span> are linked to the Central Monitoring System. In particular, last years’ law enforcement, defense and interior security attendees include the Centre for Development of Telematics (C-DOT) and the Department of Telecommunications, both of which prepared the Central Monitoring System. The list of attendees also includes India’s Intelligence Bureau, which is manning the CMS, as well as the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">agencies</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">which</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">will</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">have</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">access</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">to</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">the</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">CMS</a></span>: the Central Bureau of Investigation (CBI), the Research and Analysis Wing (RAW), the National Technical Research Organization (NTRO) and various other state police departments and intelligence agencies.</p>
<p align="JUSTIFY">Furthermore, Spy Files 3 entail a <a href="http://wikileaks.org/spyfiles3.html#an1">list</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">of</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">last</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">years</a><a href="http://wikileaks.org/spyfiles3.html#an1">’ </a><a href="http://wikileaks.org/spyfiles3.html#an1">ISS</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">World</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">security</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">company</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">attendees</a>, which includes several Indian companies. Again, interestingly enough, many of these companies may potentially be aiding law enforcement with the technology to carry out the Central Monitoring System. ClearTrail Technologies, in particular, provides <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">solutions</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">for</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">targeted</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">and</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">mass</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">monitoring</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">of</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">IP</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">and</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">voice</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">networks</a>, as well as remote monitoring and infection frameworks - all of which would potentially be perfect to aid the Central Monitoring System.</p>
<p align="JUSTIFY">In fact, ClearTrail states in its brochure that its <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ComTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">product</a> is equipped to handle millions of communications per day, while its <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">xTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">product</a> can easily be integrated with any existing centralised monitoring system for extended coverage. And if that’s not enough, ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Astra</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">” </a>is designed for the centralized management of thousands of targets. While there may not be any concrete proof that ClearTrail is indeed aiding the Centralized Monitoring System, the facts speak for themselves: ClearTrail is an Indian company which sells target and mass monitoring products to law enforcement agencies. The Centralized Monitoring System is currently being implemented. What are the odds that ClearTrail is <i>not </i>equipping the CMS? <span>And what are the odds that such technology is </span><i><span>not</span></i><span> being used for other mass electronic surveillance programmes, such as the Lawful Intercept and Monitoring (LIM)?</span></p>
<h3><b>Spy Files 3...and the legality of India’s surveillance technologies</b></h3>
<p align="JUSTIFY">ClearTrail Technologies’ <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">brochure</span></a> -the only leaked document on Indian surveillance technology by the latest Spy Files- states that the company complies with <a href="http://www.etsi.org/technologies-clusters/technologies/regulation-legislation"><span style="text-decoration: underline;">ETSI</span></a> and <span style="text-decoration: underline;"><a href="http://cryptome.org/laes/calea-require.pdf">CALEA</a><a href="http://cryptome.org/laes/calea-require.pdf"> </a><a href="http://cryptome.org/laes/calea-require.pdf">regulations</a></span>. While it’s clear that the company complies with U.S. and European regulations on the interception of communications to attract more customers in the international market, such regulations don’t really apply <i>within</i> India, which is part of ClearTrail’s market. Notably enough, ClearTrail does not mention any compliance with Indian regulations in its brochure. So let’s have a look at them.</p>
<p align="JUSTIFY">India has five laws which regulate surveillance:</p>
<p align="JUSTIFY">1. The <span style="text-decoration: underline;"><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Telegraph</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Act</a></span>, 1885</p>
<p align="JUSTIFY">2. The <span style="text-decoration: underline;"><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Indian</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Post</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Office</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Act</a></span>, 1898</p>
<p align="JUSTIFY">3. The <span style="text-decoration: underline;"><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Indian</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Wireless</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Telegraphy</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Act</a></span>, 1933</p>
<p align="JUSTIFY">4. The <span style="text-decoration: underline;"><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">Code</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm"> </a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">of</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm"> </a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">Criminal</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm"> </a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">Procedure</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm"> (</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">CrPc</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">)</a></span>, 1973: Section 91</p>
<p align="JUSTIFY">5. The <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> (</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Amendment</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">) </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a></span>, 2008</p>
<p align="JUSTIFY">The <span style="text-decoration: underline;"><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Indian</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Post</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Offices</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Act</a></span> does not cover electronic communications and the <span style="text-decoration: underline;"><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Indian</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Wireless</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Telegraphy</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Act</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a></span>lacks procedures which would determine if surveillance should be targeted or not. Neither the <span style="text-decoration: underline;"><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Telegraph</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Act</a></span> nor the <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> (</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Amendment</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">) </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a></span> cover mass surveillance, but are both limited to targeted surveillance. Moreover, targeted interception in India according to these laws requires case-by-case authorization by either the home secretary or the secretary department of information technology. In other words, unauthorized, limitless, mass surveillance is not technically permitted by law in India.</p>
<p align="JUSTIFY">The Indian Telegraph Act mandates that the interception of communications can only be carried out on account of <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">a</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">public</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">emergency</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">or</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">for</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">public</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">safety</a>. However, in 2008, the Information Technology Act copied most of the interception provisions of the Indian Telegraph Act, but removed the preconditions of public emergency or public safety, and instead expanded the power of the government to order interception for the “investigation of any offense”.</p>
<p align="JUSTIFY">The interception of Internet communications is mainly covered by the <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">2009 </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">Rules</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">under</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">the</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">Information</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">Technology</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">Act</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> 2008 </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">and</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">Sections</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> 69 </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">and</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> 69</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">B</a> are particularly noteworthy. According to these Sections, an Intelligence Bureau officer who leaked national secrets may be imprisoned for up to three years, while Section 69 not only allows for the interception of any information transmitted through a computer resource, but also requires that users disclose their encryption keys upon request or face a jail sentence of up to seven years.</p>
<p align="JUSTIFY">While these laws allow for the interception of communications and can be viewed as widely controversial, they do not technically permit the <i>mass</i> surveillance of communications. In other words, ClearTrail’s products, such as <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a>, which enable the mass interception of IP networks, lack legal backing. However, the <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Unified</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Access</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Services</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> (</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">) </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">License</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Agreement</a></span> regarding the Central Monitoring System mandates mass surveillance and requires ISP and Telecom operators to comply.</p>
<p align="JUSTIFY">Through the licenses of the Department of Telecommunications, Internet service providers, cellular providers and telecoms are required to provide the Government of India direct access to all communications data and content <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">even</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">without</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">a</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">warrant</a>, which is not permitted under the laws on interception. These licenses also require cellular providers to have ‘bulk encryption’ of less than 40 bits, which means that potentially any person can use off-the-air interception to monitor phone calls. However, such licenses do not regulate the capture of signal strength, target numbers like IMSI, TIMSI, IMEI or MSI SDN, which can be captured through ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> product.</p>
<p align="JUSTIFY"><span>More importantly, following <a class="external-link" href="http://www.financialexpress.com/news/states-begin-to-surrender-offair-phone-snooping-equipment/957859">allegations</a> that the National Technical Research Organization (NTRO) had been using off-the-air interception equipment to snoop on politicians in 2011, the Home Ministry issued a directive to ban the possession or use of all off-the-air phone interception gear. As a result, the Indian Government asked the Customs Department to provide an inventory of all all such equipment imported over a ten year period, and it was uncovered that as many as 73,000 pieces of equipment had been imported. Since, the Home Ministry has informed the heads of law enforcement agencies that there has been a <a class="external-link" href="http://m.indianexpress.com/news/state-govts-hand-over-few-offair-phonetapping-sets-to-centre/1185166/">compete ban on use of such equipment</a> and that all those who possess such equipment and fail to inform the Government will face prosecution and imprisonment. In short, ClearTrail's product, mTrail, which undertakes off-the-air phone monitoring is illegal and Indian law enforcement agencies are prohibited from using it. </span></p>
<p align="JUSTIFY">ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Astra</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">”</a> product is capable of remote infection and monitoring, which can push bot to any targeted machine sharing the same LAN. While India’s ISP and telecommunications licenses generally provide some regulations, they appear to be inadequate in regulating specific surveillance technologies which have the capability to target machines and remotely monitor them. Such <a href="http://www.dot.gov.in/licensing/access-services"><span style="text-decoration: underline;">licenses</span></a> mandate mass surveillance, but legally, wireless communications are completely unregulated, which raises the question of whether the interception of public Internet networks is allowed. In other words, it is not clear if ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> is technically legal or not. The <a class="external-link" href="http://www.auspi.in/policies/UASL.pdf">UAS License agreement</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a>mandates mass surveillance, and while the law does not prohibit it, it does not mandate mass surveillance either. This remains a grey area.</p>
<p align="JUSTIFY">The issue of data retention arises from <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">’</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">s</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">leaked</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">brochure</a>. In particular, ClearTrail states in its brochure that ComTrail - which undertakes mass monitoring of IP and Voice networks - retains data upon request, with a capacity that exceeds several years. xTrail - for targeted IP monitoring - has the ability to retain huge volumes of data which can potentially be used as proof in court. However, India currently lacks privacy legislation which would regulate data retention, which means that data collected by ClearTrail could potentially be stored indefinitely.</p>
<p align="JUSTIFY"><a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Section 7 of the Information Technology (Amendment) Act, 2008</a>, deals with the retention of electronic records. However, this section does not state a particular data retention period, nor who will have authorized access to data during its retention, who can authorize such access, whether retained data can be shared with third parties and, if so, under what conditions. Section 7 of the Information Technology (Amendment) Act, 2008, appears to be incredibly vague and to fail to regulate data retention adequately.</p>
<p align="JUSTIFY">Data retention requirements for service providers are included in the <a href="https://cis-india.org/internet-governance/blog/data-retention-in-india" class="external-link">ISP and UASL licenses</a> and, while they clarify the type of data they retain, they do not specify adequate conditions for data retention. Due to the lack of data protection legislation in India, it remains unclear how long data collected by companies, such as ClearTrail, would be stored for, as well as who would have authorized access to such data during its retention period, whether such data would be shared with third parties and disclosed and if so, under what conditions.</p>
<p align="JUSTIFY">India currently lacks specific regulations for the use of various types of technologies, which makes it unclear whether <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">’</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">s</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">spy</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">products</a></span> are technically legal or not. It is clear that ClearTrail’s mass interception products, such as ComTrail, are not legalized - since Indian laws allow for targeted interception- but they are mandated through the <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">License</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">agreement</a></span> regarding the Central Monitoring System.</p>
<p align="JUSTIFY">In short, the legality of ClearTrail’s surveillance technologies remains ambiguous. While India’s ISP and telecom licenses and the <a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">License</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Agreement</a> mandate mass surveillance, the laws - particularly the 2009 Information Technology Rules- mandate targeted surveillance and remain silent on the issue of mass surveillance. Technically, this does not constitute mass surveillance legal or illegal, but rather a grey area. Furthermore, while <a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">India</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">’</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">s</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Telegraph</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Act</a>, <a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a>and 2009 Rules allow for the interception, monitoring and decryption of communications and surveillance in general, they do not explicitly regulate the various types of surveillance technologies, but rather attempt to “legalize” them through the blanket term of surveillance.</p>
<p align="JUSTIFY">One thing is clear: India’s license agreements ensure that all ISPs and telecom operators are a part of the surveillance regime. The lack of regulations for India’s surveillance technologies appear to create a grey zone for the expansion of mass surveillance in the country. According to <span style="text-decoration: underline;"><a href="http://www.outlookindia.com/article.aspx?265192">Saikat</a><a href="http://www.outlookindia.com/article.aspx?265192"> </a><a href="http://www.outlookindia.com/article.aspx?265192">Datta</a></span>, an investigative journalist, a senior privacy telecom official stated:</p>
<blockquote class="italized">“<i>Do you really think a private telecom company can stand up to the government or any intelligence agency and cite law if they want to tap someone’s phone?” </i></blockquote>
<p style="text-align: justify; "></p>
<h3><b>Spy Files 3...and human rights in India</b></h3>
<p align="JUSTIFY">The facts speak for themselves. The latest Spy Files confirm that the same agencies involved in the development of the Central Monitoring System (CMS) are also interested in the latest surveillance technology sold in the global market. Spy Files 3 also provide data on one of India’s largest surveillance technology companies, <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ClearTrail</span></a>, which sells a wide range of surveillance technologies to law enforcement agencies around the world. And Spy Files 3 show us exactly what these technologies can do.</p>
<p align="JUSTIFY">In particular, ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a> provides mass monitoring of IP and voice networks, which means that law enforcement agencies using it are capable of intercepting millions of communications every day through Gmail, Yahoo, Hotmail and others, of correlating our identities across networks and of targeting our location. <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">xTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a></span>enables law enforcement agencies to monitor us based on our “harmless” metadata, such as our IP address, our mobile number and our email ID. Think our data is secure when using the Internet through a cyber cafe? Well <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> proves us wrong, as it’s able to assist law enforcement agencies in monitoring and intercepting our communications even when we are using public Internet networks.</p>
<p align="JUSTIFY">And indeed, carrying a mobile phone is like carrying a GPS device, especially since <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> provides law enforcement with off-the-air interception of mobile communications. Not only can mTrail target our location, listen to our calls and store our data, but it can also undertake passive off-the-air interception and monitor our voice, SMS and protocol information. Interestingly enough, mTrail also intercepts targeted calls from a predefined suspect list. The questions though which arise are: who is a suspect? How do we even know if we are suspects? In the age of the War on Terror, potentially anyone could be a suspect and thus potentially anyone’s mobile communications could be intercepted. After all, mass surveillance dictates that <span style="text-decoration: underline;"><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">we</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">are</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">all</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">suspicious</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">until</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">proven</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">innocent</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">. </a></span></p>
<p align="JUSTIFY">And if anyone can potentially be a suspect, then potentially anyone can be remotely infected and monitored by <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">Astra</span></a>. Having physical access to a targeted device is a conventional surveillance mean of the past. Today, Astra can <i>remotely</i> push bot to our laptops and listen to our Skype calls, capture our Webcams, search our browsing history, identify our location and much more. And why is any of this concerning? Because contrary to mainstream belief, <span style="text-decoration: underline;"><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">we</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">should</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">all</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">have</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">something</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">to</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">hide</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">! </a></span></p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">Privacy</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">protects</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">us</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">from</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">abuse</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">from</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">those</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">in</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">power</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a></span>and safeguards our individuality and autonomy as human beings. If we are opposed to the idea of the police searching our home without a search warrant, we should be opposed to the idea of our indiscriminate mass surveillance. After all, mass surveillance - especially the type undertaken by <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">’</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">s</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">products</a></span> - can potentially result in the access, sharing, disclosure and retention of data much more valuable than that acquired by the police searching our home. Our credit card details, our photos, our acquaintances, our personal thoughts and opinions, and other sensitive personal information can usually be found in our laptops, which potentially can constitute much more incriminating information than that found in our homes.</p>
<p align="JUSTIFY">And most importantly: even if we think that we have nothing to hide, it’s really not up to us to decide: it’s up to data analysts. While we may think that our data is “harmless”, a data analyst linking our data to various other people and search activities we have undertaken might indicate otherwise. Five years ago, <span style="text-decoration: underline;"><a href="http://www.timeshighereducation.co.uk/402844.article">a</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">UK</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">student</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">studying</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">Islamic</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">terrorism</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">for</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">his</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">Masters</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">dissertation</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">was</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">detained</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">for</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">six</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">days</a><a href="http://www.timeshighereducation.co.uk/402844.article">.</a></span> The student may not have been a terrorist, but his data said this: “Young, male, Muslim... who is downloading Al-Qaeda’s training material” - and that was enough for him to get detained. Clearly, the data analysts mining his online activity did not care about the fact that the only reason why he was downloading Al-Qaeda material was for his Masters dissertation. The fact that he was a male Muslim downloading terrorist material was incriminating enough.</p>
<p align="JUSTIFY">This incident reveals several concerning points: The first is that he was clearly already under surveillance, prior to downloading Al-Qaeda’s material. However, given that he did not have a criminal record and was “just a Masters student in the UK”, there does not appear to be any probable cause for his surveillance in the first place. Clearly he was on some suspect list on the premise that he is male and Muslim - which is a discriminative approach. The second point is that after this incident, it is likely that some male Muslims may be more cautious about their online activity - with the fear of being on some suspect list and eventually being prosecuted because their data shows that “they’re a terrorist”. Thus, mass surveillance today appears to also have implications on freedom of expression. The third point is that this incident reveals the extent of mass surveillance, since even a document downloaded by a Masters student is being monitored.</p>
<p align="JUSTIFY">This case proves that innocent people can potentially be under surveillance and prosecuted, as a result of mass, indiscriminate surveillance. Anyone can potentially be a suspect today, and maybe for the wrong reasons. It does not matter if we think our data is “harmless”, but what matters is who is looking at our data, when and why. Every bit of data potentially hides several other bits of information which we are not aware of, but which will be revealed within a data analysis. We should always <span style="text-decoration: underline;"><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">“</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">have</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">something</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">to</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">hide</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">”</a></span>, as that is the only way to protect us from abuse by those in power.</p>
<p align="JUSTIFY">In the contemporary surveillance state, we are all suspects and mass surveillance technologies, such as the ones sold by <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ClearTrail</span></a>, can potentially pose major threats to our right to privacy, freedom of expression and other human rights. And probably the main reason for this is because surveillance technologies in India legally fall in a grey area. Thus, it is recommended that law enforcement agencies in India regulate the various types of surveillance technologies in compliance with the <a class="external-link" href="https://en.necessaryandproportionate.org/text">International Principles on Communications Surveillance and Human Rights.</a></p>
<p align="JUSTIFY">Spy Files 3 show us why our human rights are at peril and why we should fight for our right to be free from suspicion.</p>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY">This article was <a class="external-link" href="http://www.medianama.com/2013/11/223-spy-files-3-wikileaks-sheds-more-light-on-the-global-surveillance-industry-cis-india/">cross-posted in Medianama </a>on 6th November 2013.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/spy-files-three'>https://cis-india.org/internet-governance/blog/spy-files-three</a>
</p>
No publishermariaPrivacyInternet GovernanceSAFEGUARDSFeaturedHomepage2013-11-14T16:21:00ZBlog EntryInterview with Dr. Alexander Dix - Berlin Data Protection and Freedom of Information Commissioner
https://cis-india.org/internet-governance/blog/interview-with-berlin-data-protection-commissioner
<b>Maria Xynou recently interviewed Berlin's Data Protection and Freedom of Information Commissioner: Dr. Alexander Dix. View this interview and gain an insight on recommendations for better data protection in India!</b>
<p style="text-align: justify; "><a class="external-link" href="http://www.ediscovery-exchange.com/SpeakerInfo.aspx?tp_spkid=37916">Dr. Alexander Dix</a> has been Berlin's Data Protection and Freedom of Information Commissioner since June 2005. He has more than 26 years of practical experience in German data protection authorities and previously served as Commissioner for the state of Bradenburg for seven years.</p>
<p style="text-align: justify; ">Dr. Dix is a specialist in telecommunications and media and has dealt with a number of issues regarding the cross-border protection of citizen’s privacy. He chairs the International Working Group on Data Protection in Telecommunications (“Berlin Group”) and is a member of the Article 29 Working Party of European Data Protection Supervisory Authorities. In this Working Party he represents the Data Protection Authorities of the 16 German States (Länder).</p>
<p style="text-align: justify; ">A native of Bad Homburg, Hessen, Dr. Alexander Dix graduated from Hamburg University with a degree in law in 1975. He received a Master of Laws degree from the London School of Economics and Political Science in 1976 and a Doctorate in law from Hamburg University in 1984. He has published extensively on issues of data protection and freedom of information. Inter alia he is a co-editor of the German Yearbook on Freedom of Information and Information Law.</p>
<p style="text-align: justify; ">The Centre for Internet and Society interviewed Dr. Alexander Dix on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">What activities and functions does the Berlin data commissioner's office undertake?</p>
</li>
<li>
<p align="JUSTIFY">What powers does the Berlin data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?</p>
</li>
<li>
<p align="JUSTIFY">How is the office of the Berlin Data Protection Commissioner funded?</p>
</li>
<li>
<p align="JUSTIFY">What is the organisational structure at the Office of the Berlin Data Protection Commissioner and the responsibilities of the key executives?</p>
</li>
<li>
<p align="JUSTIFY">If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?</p>
</li>
<li>
<p align="JUSTIFY">What challenges has your office faced?</p>
</li>
<li>
<p align="JUSTIFY">What is the most common type of privacy violation that your office is faced with?</p>
</li>
<li>
<p align="JUSTIFY">Does your office differ from other EU data protection commissioner offices?</p>
</li>
<li>
<p align="JUSTIFY">How do you think data should be regulated in India?</p>
</li>
<li>
<p align="JUSTIFY">Do you support the idea of co-regulation or self-regulation?</p>
</li>
<li>
<p align="JUSTIFY">How can India protect its citizens' data when it is stored in foreign servers?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/agXVs7ZlKdU" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-berlin-data-protection-commissioner'>https://cis-india.org/internet-governance/blog/interview-with-berlin-data-protection-commissioner</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-11-06T09:29:32ZBlog EntryInterview with the Tactical Technology Collective on Privacy and Surveillance
https://cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective
<b>The Centre for Internet and Society recently interviewed Anne Roth from the Tactical Technology Collective in Berlin. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; ">For all those of you who haven't heard of the <a class="external-link" href="https://tacticaltech.org/about">Tactical Technology Collective</a>, it's a Berlin and Bangalore-based non-profit organisation which aims to advance the skills, tools and techniques of rights advocates, empowering them to use information and communications to help marginalised communities understand and effect progressive social, environmental and political change.</p>
<p style="text-align: justify; ">Tactical Tech's <a class="external-link" href="https://tacticaltech.org/what-we-do">Privacy & Expression programme</a> builds the digital security awareness and capacity of human rights defenders, independent journalists, anti-corruption advocates and activists. The programme's activities range from awareness-raising comic films aimed at audiences new to digital security issues, to direct training and materials for high-risk defenders working in some of the world's most repressive environments.</p>
<p style="text-align: justify; "><a class="external-link" href="https://tacticaltech.org/team">Anne Roth</a> works with Tactical Tech on the Privacy & Expression programme as a researcher and editor. <span> <span>Anne holds a degree in political science from the Free University of Berlin. She cofounded one of the first interactive media activist websites, Indymedia, in Germany in 2001 and has been involved with media activism and various forms of activist online media ever since. She has worked as a web editor and translator in the past. Since 2007 she has written a blog that covers privacy, surveillance, media, net politics and feminist issues.</span></span></p>
<p style="text-align: justify; "><span><span>The Centre for Internet and Society interviewed Anne Roth on the following questions:</span></span></p>
<ol>
<li>
<p align="JUSTIFY">How do you define privacy?</p>
</li>
<li>
<p align="JUSTIFY">Can privacy and freedom of expression co-exist? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">What is the balance between Internet freedom and surveillance?</p>
</li>
<li>
<p align="JUSTIFY">According to research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">What implications on human rights can mass surveillance potentially have?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally”. Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Do we have Internet freedom?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/QZsFf_Qyqyo" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective'>https://cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-10-18T09:56:16ZBlog EntryInterview with Bruce Schneier - Internationally Renowned Security Technologist
https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier
<b>Maria Xynou recently interviewed Bruce Schneier on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; "><a class="external-link" href="https://www.schneier.com/about.html">Bruce Schneier</a> is an internationally renowned security technologist, called a "security guru" by <cite>The Economist</cite>.</p>
<p style="text-align: justify; ">He is the author of 12 <a href="https://www.schneier.com/books.html">books</a> -- including <a href="https://www.schneier.com/book-lo.html"><cite>Liars and Outliers: Enabling the Trust Society Needs to Survive</cite></a> -- as well as hundreds of articles, <a href="https://www.schneier.com/essays.html">essays</a>, and <a href="https://www.schneier.com/cryptography.html">academic papers</a>. His influential newsletter "<a href="https://www.schneier.com/crypto-gram.html">Crypto-Gram</a>" and his blog "<a href="https://www.schneier.com/about.html">Schneier on Security</a>" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly <a href="https://www.schneier.com/news.html">quoted</a> in the press.</p>
<p style="text-align: justify; ">Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Security Futurologist for <a href="http://www.bt.com/">BT</a> -- formerly British Telecom.</p>
<p style="text-align: justify; ">The Centre for Internet and Society (CIS) interviewed Bruce Schneier on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">Do you think India needs privacy legislation? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">The majoity of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Can free speech and privacy co-exist? What is the balance between privacy and freedom of expression?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">Should surveillance technologies be treated as traditional arms/weapons? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">How can individuals protect their data (and themselves) from spyware, such as FinFisher?</p>
</li>
<li>
<p align="JUSTIFY">How would you advise young people working in the surveillance industry?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/mpKaXW_hwcE" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier'>https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-10-17T08:54:32ZBlog EntryInterview with Big Brother Watch on Privacy and Surveillance
https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance
<b>Maria Xynou interviewed Emma Carr, the Deputy Director of Big Brother Watch, on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; ">For all those of you who haven't heard of Big Brother Watch, it's a London-based campaign group which was founded in 2009 to protect individual privacy and defend civil liberties.</p>
<p style="text-align: justify; "><a class="external-link" href="http://www.bigbrotherwatch.org.uk/about">Big Brother Watch</a> was set up to challenge policies that threaten our privacy, our freedoms and our civil liberties, and to expose the true scale of the surveillance state. The campaign group has produced unique research exposing the erosion of civil liberties in the UK, looking at the dramatic expansion of surveillance powers, the growth of the database state and the misuse of personal information. Big Brother Watch campaigns to give individuals more control over their personal data, and hold to account those who fail to respect our privacy, whether private companies, government departments or local authorities.</p>
<p style="text-align: justify; "><a class="external-link" href="http://www.bigbrotherwatch.org.uk/who-we-are/emma-frances-carr-deputy-director">Emma Carr</a> joined Big Brother Watch as Deputy Director in February 2012 and has since been regularly quoted in the UK press. The Centre for Internet and Society interviewed Emma Carr on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">How do you define privacy?</p>
</li>
<li>
<p align="JUSTIFY">Can privacy and freedom of expression co-exist? Why/Why not?</p>
</li>
<li>
<p align="JUSTIFY">What is the balance between Internet freedom and surveillance?</p>
</li>
<li>
<p align="JUSTIFY">According to your research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/Why not?</p>
</li>
<li>
<p align="JUSTIFY">What implications on human rights can mass surveillance potentially have?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Do we have Internet freedom?</p>
</li>
</ol><ol> </ol>
<p align="JUSTIFY"> </p>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/KhmwPYgLfjo" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance'>https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-10-15T14:24:27ZBlog EntryThe India Privacy Monitor Map
https://cis-india.org/internet-governance/blog/india-privacy-monitor-map
<b>The Centre for Internet and Society has started the first Privacy Watch in India! Check out our map which includes data on the UID, NPR and CCTNS schemes, as well as on the installation of CCTV cameras and the use of drones throughout the country. </b>
<p style="text-align: justify; ">In a country of twenty-eight diverse states and seven union territories, it remained unclear to what extent surveillance, biometric and other privacy-intrusive schemes are being implemented. We are trying to make up for this by mapping out data in every single state in India on the UID, CCTNS and NPR schemes, as well as on the installation of CCTV cameras and the use of Unmanned Aerial Vehicles (UAVs), otherwise known as drones.</p>
<p style="text-align: justify; ">In particular, the map in its current format includes data on the following:</p>
<p style="text-align: justify; "><b>UID:</b> The Unique Identification Number (UID), also known as AADHAAR, is a 12-digit unique identification number which the Unique Identification Authority of India (UIDAI) is currently issuing for all residents in India (on a voluntary basis). Each UID is stored in a centralised database and linked to the basic demographic and biometric information of each individual. The UIDAI and AADHAAR currently lack legal backing.</p>
<p style="text-align: justify; "><b>NPR:</b> Under the National Population Register (NPR), the demographic data of all residents in India is collected on a mandatory basis. The Unique Identification Authority of India (UIDAI) supplements the NPR with the collection of biometric data and the issue of the AADHAAR number.</p>
<p style="text-align: justify; "><b>CCTV:</b> Closed-circuit television cameras which can produce images or recordings for surveillance purposes.</p>
<p style="text-align: justify; "><b>UAV: </b>Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are aircrafts without a human pilot on board. The flight of a UAV is controlled either autonomously by computers in the vehicle or under the remote control of a pilot on the ground or in another vehicle. UAVs are used for surveillance purposes.</p>
<p style="text-align: justify; "><b>CCTNS: </b>The Crime and Criminal Tracking Networks and Systems (CCTNS) is a nationwide networking infrastructure for enhancing efficiency and effectiveness of policing and sharing data among 14,000 police stations across India.</p>
<p style="text-align: justify; "><b>Our India Privacy Monitor Map can be viewed through the following link: http://cis-india.org/cisprivacymonitor </b></p>
<p style="text-align: justify; ">This map is part of on-going research and will hopefully expand to include other schemes and projects which are potentially privacy-intrusive. We encourage all feedback and additional data!</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/india-privacy-monitor-map'>https://cis-india.org/internet-governance/blog/india-privacy-monitor-map</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-10-09T16:26:14ZBlog EntryThe National Privacy Roundtable Meetings
https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings
<b>The Centre for Internet & Society ("CIS"), the Federation of Indian Chambers of Commerce and Industry ("FICCI"), the Data Security Council of India ("DSCI") and Privacy International are, in partnership, conducting a series of national privacy roundtable meetings across India from April to October 2013. The roundtable meetings are designed to discuss possible frameworks to privacy in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<h3>Background: The Roundtable Meetings and Organisers</h3>
<p style="text-align: justify; "><a href="https://cis-india.org/">CIS</a> is a Bangalore-based non-profit think-tank and research organisation with interests in, amongst other fields, the law, policy and practice of free speech and privacy in India. <a href="http://www.ficci.com/">FICCI</a> is a non-governmental, non-profit association of approximately 250,000 Indian bodies corporate. It is the oldest and largest organisation of businesses in India and represents a national corporate consensus on policy issues. <a href="http://www.dsci.in/">DSCI</a> is an initiative of the National Association of Software and Service Companies, a non-profit trade association of Indian information technology ("IT") and business process outsourcing ("BPO") concerns, which promotes data protection in India. <a href="https://www.privacyinternational.org/">Privacy International</a> is a London-based non-profit organisation that defends and promotes the right to privacy across the world.</p>
<h3 style="text-align: justify; ">Privacy in the Common Law and in India</h3>
<p style="text-align: justify; ">Because privacy is a multi-faceted concept, it has rarely been singly regulated. A taxonomy of privacy yields many types of individual and social activity to be differently regulated based on the degree of harm that may be caused by intrusions into these activities.<a href="#fn1" name="fr1">[1] </a></p>
<p style="text-align: justify; ">The nature of the activity is significant; activities that are implicated by the state are attended by public law concerns and those conducted by private persons <i>inter se</i> demand market-based regulation. Hence, because the principles underlying warranted police surveillance differ from those prompting consensual collections of personal data for commercial purposes, legal governance of these different fields must proceed differently. For this and other reasons, the legal conception of privacy — as opposed to its cultural construction – has historically been diverse and disparate.</p>
<p style="text-align: justify; ">Traditionally, specific legislations have dealt separately with individual aspects of privacy in tort law, constitutional law, criminal procedure and commercial data protection, amongst other fields. The common law does not admit an enforceable right to privacy.<a href="#fn2" name="fr2">[2]</a> In the absence of a specific tort of privacy, various equitable remedies, administrative laws and lesser torts have been relied upon to protect the privacy of claimants.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">The question of whether privacy is a constitutional right has been the subject of limited judicial debate in India. The early cases of <i>Kharak Singh</i> (1964)<a href="#fn4" name="fr4">[4]</a> and <i>Gobind</i> (1975)<a href="#fn5" name="fr5">[5]</a> considered privacy in terms of physical surveillance by the police in and around the homes of suspects and, in the latter case, the Supreme Court of India found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This inference held the field until 1994 when, in the <i>Rajagopal</i> case (1994),<a href="#fn6" name="fr6">[6]</a> the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty guaranteed by Article 21 of the Constitution of India. However, <i>Rajagopal</i> dealt specifically with a book, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the <i>PUCL</i> case (1996)<a href="#fn7" name="fr7">[7]</a> and, while finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards.<a href="#fn8" name="fr8">[8] </a>A more robust statement of the right to privacy was made recently by the Delhi High Court in the <i>Naz </i><i>Foundation</i> case (2011)<a href="#fn9" name="fr9">[9] </a>that de-criminalised consensual homosexual acts; however, this judgment is now in appeal.</p>
<h3 style="text-align: justify; ">Attempts to Create a Statutory Regime</h3>
<p style="text-align: justify; ">The silence of the common law leaves the field of privacy in India open to occupation by statute. With the recent and rapid growth of the Indian IT and BPO industry, concerns regarding the protection of personal data to secure privacy have arisen. In May 2010, the European Union ("EU") commissioned an assessment of the adequacy of Indian data protection laws to evaluate the continued flow of personal data of European data subjects into India for processing. That assessment made adverse findings on the adequacy and preparedness of Indian data protection laws to safeguard personal data.<a href="#fn10" name="fr10">[10]</a></p>
<p>Conducted amidst negotiations for a free trade agreement between India and the EU, the failed assessment potentially impeded the growth of India’s outsourcing industry that is heavily reliant on European and North American business.</p>
<p style="text-align: justify; ">Consequently, the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology, Government of India, issued subordinate legislation under the rule-making power of the Information Technology Act, 2000 ("IT Act"), to give effect to section 43A of that statute. These rules – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Personal Data Rules")<a href="#fn11" name="fr11">[11]</a> — were subsequently reviewed by the Committee on Subordinate Legislation of the 15<sup>th</sup> Lok Sabha.<a href="#fn12" name="fr12">[12]</a> The Committee found that the Personal Data Rules contained clauses that were ambiguous, invasive of privacy and potentially illegal.<a href="#fn13" name="fr13">[13]</a></p>
<p style="text-align: justify; ">In 2011, a draft privacy legislation called the ‘Right to Privacy Bill, 2011’, which was drafted within the Department of Personnel and Training ("DoPT") of the Ministry of Personnel, Public Grievances and Pensions, Government of India, was made available on the internet along with several file notings ("First DoPT Bill"). The First DoPT Bill contained provisions for the regulation of personal data, interception of communications, visual surveillance and direct marketing. The First DoPT Bill was referred to a Committee of Secretaries chaired by the Cabinet Secretary which, on 27 May 2011, recommended several changes including re-drafts of the chapters relating to interception of communications and surveillance.</p>
<p style="text-align: justify; ">Aware of the need for personal data protection laws to enable economic growth, the Planning Commission constituted a Group of Experts under the chairmanship of Justice Ajit P. Shah, a retired Chief Justice of the Delhi High Court who delivered the judgment in the <i>Naz Foundation</i> case, to study foreign privacy laws, analyse existing Indian legal provisions and make specific proposals for incorporation into future Indian law. The Justice Shah Group of Experts submitted its Report to the Planning Commission on 16 October 2012 wherein it proposed the adoption of nine National Privacy Principles.<a href="#fn14" name="fr14">[14]</a> These are the principles of notice, choice and consent, collection limitation, purpose limitation, disclosure of information, security, openness, and accountability. The Report recommended the application of these principles in laws relating to interception of communications, video and audio recordings, use of personal identifiers, bodily and genetic material, and personal data.</p>
<h3 style="text-align: justify; ">Criminal Procedure and Special Laws Relating to Privacy</h3>
<p style="text-align: justify; ">While the <i>Kharak Singh</i> and <i>Gobind</i> cases first brought the questions of permissibility and limits of police surveillance to the Supreme Court, the power to collect information and personal data of a person is firmly embedded in Indian criminal law and procedure. Surveillance is an essential condition of the nation-state; the inherent logic of its foundation requires the nation-state to perpetuate itself by interdicting threats to its peaceful existence. Surveillance is a method by which the nation-state’s agencies interdict those threats. The challenge for democratic countries such as India is to find the optimal balance between police powers of surveillance and the essential freedoms of its citizens, including the right to privacy.</p>
<p style="text-align: justify; ">The regime governing the interception of communications is contained in section 5(2) of the Indian Telegraph Act, 1885 ("Telegraph Act") read with rule 419A of the Indian Telegraph Rules, 1951 ("Telegraph Rules"). The Telegraph Rules were amended in 2007<a href="#fn15" name="fr15">[15]</a> to give effect to, amongst other things, the procedural safeguards laid down by the Supreme Court in the <i>PUCL</i> case. However, India’s federal scheme permits States to also legislate in this regard. Hence, in addition to the general law on interceptions contained in the Telegraph Act and Telegraph Rules, some States have also empowered their police forces with interception functions in certain cases.<a href="#fn16" name="fr16">[16]</a> Ironically, even though some of these State laws invoke heightened public order concerns to justify their invasions of privacy, they establish procedural safeguards based on the principle of probable cause that surpasses the Telegraph Rules.</p>
<p style="text-align: justify; ">In addition, further subordinate legislation issued to fulfil the provisions of sections 69(2) and 69B(3) of the IT Act permit the interception and monitoring of electronic communications — including emails — to collect traffic data and to intercept, monitor, and decrypt electronic communications.<a href="#fn17" name="fr17">[17]</a></p>
<h3 style="text-align: justify; ">The proposed Privacy (Protection) Bill, 2013 and Roundtable Meetings</h3>
<p style="text-align: justify; ">In this background, the proposed Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.</p>
<p style="text-align: justify; ">Previous roundtable meetings to seek comments and opinion on the proposed Privacy (Protection) Bill, 2013 took place at:</p>
<ul>
<li style="text-align: justify; ">New Delhi: April 13, 2013 (<a class="external-link" href="http://bit.ly/17REl0W">http://bit.ly/17REl0W</a>) with 45 participants;</li>
<li style="text-align: justify; ">Bangalore: April 20, 2013 (<a class="external-link" href="http://bit.ly/162t8rU">http://bit.ly/162t8rU</a>) with 45 participants;</li>
<li style="text-align: justify; ">Chennai: May 18, 2013 (<a class="external-link" href="http://bit.ly/12ICGYD">http://bit.ly/12ICGYD</a>) with 25 participants.</li>
<li style="text-align: justify; ">Mumbai, June 15, 2013 (<a class="external-link" href="http://bit.ly/12fJSvZ">http://bit.ly/12fJSvZ</a>) with 20 participants;</li>
<li style="text-align: justify; ">Kolkata: July 13, 2013 (<a class="external-link" href="http://bit.ly/11dgINZ">http://bit.ly/11dgINZ</a>) with 25 participants; and</li>
<li style="text-align: justify; ">New Delhi: August 24, 2013 (<a class="external-link" href="http://bit.ly/195cWIf">http://bit.ly/195cWIf</a>) with 40 participants.</li>
</ul>
<p style="text-align: justify; ">The roundtable meetings were multi-stakeholder events with participation from industry representatives, lawyers, journalists, civil society organizations and Government representatives. On an average, 75 per cent of the participants represented industry concerns, 15 per cent represented civil society and 10 per cent represented regulatory authorities. The model followed at the roundtable meetings allowed for equal participation from all participants.</p>
<ul>
</ul>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. See generally, Dan Solove, “A Taxonomy of Privacy” <i>University of Pennsylvania Law Review</i> (Vol. 154, No. 3, January 2006).</p>
<p>[<a href="#fr2" name="fn2">2</a>]. <i>Wainwright</i> v. <i>Home Office</i> [2003] UKHL 53.</p>
<p>[<a href="#fr3" name="fn3">3</a>]. See <i>A</i> v. <i>B plc</i> [2003] QB 195; <i>Wainwright</i> v. <i>Home Office </i>[2001] EWCA Civ 2081; <i>R (Ellis)</i> v. <i>Chief Constable of Essex Police</i> [2003] EWHC 1321 (Admin).</p>
<p>[<a href="#fr4" name="fn4">4</a>]. <i>Kharak Singh</i> v. <i>State of Uttar Pradesh</i> AIR 1963 SC 1295.</p>
<p>[<a href="#fr5" name="fn5">5</a>]. <i>Gobind</i> v. <i>State of Madhya Pradesh</i> AIR 1975 SC 1378.</p>
<p>[<a href="#fr6" name="fn6">6</a>]. <i>R. Rajagopal</i> v. <i>State of Tamil Nadu</i> AIR 1995 SC 264.</p>
<p>[<a href="#fr7" name="fn7">7</a>]. <i>People’s Union for Civil Liberties</i> v. <i>Union of India</i> (1997) 1 SCC 30.</p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. A Division Bench of the Supreme Court of India comprising Kuldip Singh and Saghir Ahmad, JJ, found that the procedure set out in section 5(2) of the Indian Telegraph Act, 1885 and rule 419 of the Indian Telegraph Rules, 1951 did not meet the “just, fair and reasonable” test laid down in <i>Maneka Gandhi</i> v. <i>Union of India</i> AIR 1978 SC 597 requisite for the deprivation of the right to personal liberty, from whence the Division Bench found a right to privacy emanated, guaranteed under Article 21 of the Constitution of India. Therefore, Kuldip Singh, J, imposed nine additional procedural safeguards that are listed in paragraph 35 of the judgment.</p>
<p>[<a href="#fr9" name="fn9">9</a>]. <i>Naz Foundation</i> v. <i>Government of NCT Delhi</i> (2009) 160 DLT 277.</p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. The 2010 data adequacy assessment of Indian data protection laws was conducted by Professor Graham Greenleaf. His account of the process and his summary of Indian law can found at Graham Greenleaf, "Promises and Illusions of Data Protection in Indian Law"<i> International Data Privacy Law</i> (47-69, Vol. 1, No. 1, March 2011).</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. The Rules were brought into effect vide Notification GSR 313(E) on 11 April 2011. CIS submitted comments on the Rules that can be found here – <a href="https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011">http://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011</a>.</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. The Committee on Subordinate Legislation, a parliamentary ‘watchdog’ committee, is mandated by rules 317-322 of the Rules of Procedure and Conduct of Business in the Lok Sabha (14<sup>th</sup> edn., New Delhi: Lok Sabha Secretariat, 2010) to examine the validity of subordinate legislation.</p>
<p>[<a href="#fr13" name="fn13">13</a>]. See the 31<sup>st</sup> Report of the Committee on Subordinate Legislation that was presented on 21 March 2013.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. See paragraphs 7.14-7.17 on pages 69-72 of the Report of the Group of Experts on Privacy, 16 October 2012, Planning Commission, Government of India.</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. See, the Indian Telegraph (Amendment) Rules, 2007, which were brought into effect <i>vide</i> Notification GSR 193(E) of the Department of Telecommunications of the Ministry of Communications and Information Technology, Government of India, dated 1 March 2007.</p>
<p style="text-align: justify; ">[<a href="#fr16" name="fn16">16</a>]. See, <i>inter alia</i>, section 14 of the Maharashtra Control of Organised Crime Act, 1999; section 14 of the Andhra Pradesh Control of Organised Crime Act, 2001; and, section 14 of the Karnataka Control of Organised Crime Act, 2000.</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. See, the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data and Information) Rules, 2009 vide GSR 782 (E) dated 27 October 2009; and, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 vide GSR 780 (E) dated 27 October 2009.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings'>https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings</a>
</p>
No publisherbhairavSAFEGUARDSInternet GovernancePrivacy2014-03-21T10:03:44ZBlog EntryAn Interview with Suresh Ramasubramanian
https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian
<b>Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud. </b>
<ol>
<li style="text-align: justify; "><b>You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?</b><br />a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, have become a M3AAWG special advisor for capacity building and outreach in India.<br /><br />In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.<br /><br />This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.<br /><br />There is a prevalent lack of knowledge in this area, which combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.</li>
<li style="text-align: justify; "><b>In a recent public statement Google said "Cloud users have no legitimate expectation of privacy. Do you agree with this statement?</b><br />a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.<br /><br />The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.<br /><br />It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.<br /><br />Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.<br /><br />There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.</li>
<li style="text-align: justify; "><b>What ways can be privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?</b><br />a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.<br /><br />Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.<br /><br />Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.<br /><br />The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.</li>
<li style="text-align: justify; "><b>How is the jurisdiction of the data on the cloud determined?</b><br />This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.<br /><br />However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.<br /><br />The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.<br /><br />In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.<br /><br />In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.</li>
<li style="text-align: justify; "><b>Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?</b><br />a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].<br /><br />A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.</li>
<li style="text-align: justify; "><b>What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?</b><br />a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.<br /><br />Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - <a class="external-link" href="http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html">http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html</a>). Some standards you absolutely have to comply with for legal reasons.<br /><br />Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.<br /><br />The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and securitymomentum going once these standards have been “achieved”, till it is time for the next audit at any rate.</li>
<li style="text-align: justify; "><b>What do you see as the big challenges for privacy in the cloud in the coming years?</b><br />a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.</li>
<li style="text-align: justify; "><b>Do you think encryption the answer to the private and public institutions snooping?</b><br />a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.<br /><br />There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.<br /><br />As a very popular <a class="external-link" href="http://xkcd.com/538/">XKCD</a> cartoon that has been shared around social media and has been cited in multiple security papers says -<br /><br />“A crypto nerd’s imagination”<br /><br />“His laptop’s encrypted. Let us build a million dollar cluster to crack it”<br />“No good! It is 4096 bit RSA”<br />“Blast, our evil plan is foiled”<br /><br />“What would actually happen”<br />“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”<br />“Got it”</li>
<li style="text-align: justify; "><b>Spam is now consistently used to get people to divulge their personal data or otherwise compromise a persons financial information and perpetuate illegal activity. Can spam be regulated? If so, how?</b><br />a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.<br /><br />The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.<br /><br />Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.<br /><br />Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.<br /><br />Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.</li>
<li style="text-align: justify; "><b>There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export controls? privacy regulation? Use control?</b><br />a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.<br /><br />Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.<br /><br />Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.<br /><br />This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.<br /><br />User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.</li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian'>https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-09-06T09:37:47ZBlog EntryThe Personal Data (Protection) Bill, 2013
https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013
<b>Below is the text of the Personal Data (Protection) Bill, 2013 as discussed at the 6th Privacy Roundtable, New Delhi held on 24 August 2013.
Note: This version of the Bill caters only to the Personal Data regime. The surveillance and privacy of communications regime was not discussed at the 6th Privacy Roundtable.
</b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013'>https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013</a>
</p>
No publisherprachiSAFEGUARDSInternet GovernancePrivacy2013-08-30T14:53:11ZFile