Centre for Internet and Society

Indian Intermediary Liability Regime: Compliance with the Manila Principles on Intermediary Liability

divij — 2018-05-20T15:14:21Z

This report assesses the compliance of the Indian intermediary liability framework with the Manila Principles on Intermediary Liability, and recommends substantive legislative changes to bring the legal framework in line with the Manila Principles.

The report was edited by Elonnai Hickok and Swaraj Barooah

The report is an examination of Indian laws based upon the background paper to the Manila Principles as the explanatory text on which these recommendations have been based, and not an assessment of the principles themselves. To do this, the report considers the Indian regime in the context of each of the principles defined in the Manila Principles. As such, the explanatory text to the Manila Principles recognizes that diverse national and political scenario may require different intermediary liability legal regimes, however, this paper relies only on the best practices prescribed under the Manila Principles.

The report is divided into the following sections

Principle I: Intermediaries should be shielded by law from liability for third-party content
Principle II: Content must not be required to be restricted without an order by a judicial authority
Principle III: Requests for restrictions of content must be clear, be unambiguous, and follow due process
Principle IV: Laws and content restriction orders and practices must comply with the tests of necessity and proportionality
Principle V: Laws and content restriction policies and practices must respect due process
Principle VI: Transparency and accountability must be built into laws and content restriction policies and practices
Conclusion

Download the Full report here

For more details visit https://cis-india.org/internet-governance/blog/indian-intermediary-liability-regime

The Surveillance and Security Industry in India - An Analysis of Indian Security Expos

divij — 2015-03-14T02:56:35Z

For more details visit https://cis-india.org/internet-governance/blog/surveillance-and-security-industry-in-india.pdf

The Surveillance Industry in India – An Analysis of Indian Security Expos

divij — 2015-03-08T12:25:15Z

The author talks about the surveillance industry in India and analyses Indian security expos.

Introduction

The 'Spy Files', a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world - a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals.[1] These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites. Moreover, the unregulated and undiscerning nature of the industry means that it has enabled governments (and also private agencies) across the world - from repressive dictatorships to governments in western democracies with a growing track record of privacy and civil liberties infringements - to indulge in secretive, undemocratic and often illegal surveillance of their citizens. The Spy Files and related research have revealed how the mass surveillance industry utilizes the rhetoric of national security and counter-terrorism to couch technologies of surveillance.

'Security' and the Normalization Of Surveillance

New technologies undoubtedly create a potential for both malicious as well as beneficial use for society. Surveillance technologies are a prime example, having both enabled improvements in law enforcement and security, but at the same time creating unresolved implications for privacy and civil liberties. These technologies expose what Lawrence Lessig describes as 'latent ambiguities' in the law - ambiguities that require us to assess the implications and effects of new technologies and how to govern them, and most importantly, to choose between conflicting values regarding the use of technologies, for example, increased security as against decreased privacy.[2]

Unfortunately, In India, the ambiguity seems to have been resolved squarely in favour of surveillance - under the existing regulatory regime, surveillance is either expressly mandated or unregulated, and requires surveillance to be built into the architecture and design of public spaces like internet and telephone networks, or even public roads and parks. Most of these regulations or mechanisms are framed without democratic debate, through executive mechanisms and private contracts with technology providers, without and public accountability or transparency.

For example, under the telecom licensing regime in India, the ISP and UASL licenses specifically require lawful interception mechanisms through hardware or software to be installed by the licensees, for information (Call Data Records, Packet Mirroring, Call Location) to be provided to 'law enforcement agencies', as specified by the Government.[3] Section 69 of the Information Technology Act, the main legislation governing the Internet in India, read with the rules framed under the Act, makes it incumbent upon 'intermediaries' to provide surveillance facilities at the behest of government agencies.[4]

Beyond this, the State and its agencies Section 69 and 69B of the IT Act empower the government to intercept and monitor any data on the Internet. The Telegraph Act also permits wiretapping of telephony.[5] The proposed Central Monitoring System by the Central Government would give state agencies centralized access to all telecommunications in real time, on telephony or on the Internet. Other surveillance schemes include the Keyword Tracking system NETRA, as well as several state government proposed comprehensive CCTV-surveillance schemes for cities. [6] Clearly, therefore, there is a massive market for surveillance technologies in India.

Tracking the Surveillance Market

The Mass surveillance industry by its very nature is closed, secretive and without democratic oversight, Insights into the prevalence, nature and scope of the companies that form this industry, or the technologies that are utilized are far and few. No democratic debate about surveillance can take place in such a paradigm. In this context, security expos and exhibitions provide critical insight into this industry. Several of the important revelations about the industry in the past have been from examinations of large exhibitions in which the various governmental and industry actors participate, and therefore, such analysis is critical to the debate surrounding mass surveillance. Such exhibitions are a logical starting point because they are one of the few publically accessible showcases of surveillance-ware, and are also a congregation of most major players who are part of this market both as suppliers and purchasers.

Our research identified at least 13 exhibitions in India that specifically cater to the surveillance industry. A brief outline of each of these exhibitions is provided below:

1. Secutech India (Brochures: 2015 -http://www.secutechindia.co.in/pdf/secutech%20brochure.pdf)

The Secutech Expo is an exhibition held in Bombay and Delhi since 2011, to showcase Information Security, Electronic Security and Homeland Security technologies. Secutech also organizes the Global Digital Surveillance Forum, a conference amongst the stakeholders of digital surveillance industry in India.[7]

Exhibitors: Ivis; Matrix Comsec; Neoteric; Smartlink; Kanoe; Micro Technologies; Aditya Infrotech; CoreTech Solutions; Merit Lilin; Schneider Electric; Pash systems; Nettrack Technologies Pvt Ltd.; QNAP; Axxonsoft; Hk Vision (China); Alhua; Axis; Vivotech (Taiwan); Endroid (USA); Vantge (UK); Pelco (France); Advik; Hi Focus (UK); ESMS; Keeper (China); Neoteric; Vizor, etc

Visitors: The visitor profile and target audience consists of government and defense agencies, besides private agencies.

Technologies on display: Digital surveillance, biometrics, CCTV and RFID are some categories of the technologies which are showcased here.

2. IFSEC India (Brochures: 2013 - http://www.ifsecindia.com/uploads/IFSEC%20INDIA%20brochure%202013.pdf; 2014 - http://www.ubmindia.in/ifsec_india/uploads/IFSEC_INDIA_Brochure_CS5_new_low.pdf.)

IFSEC India, an extension of IFSEC UK, the 'worlds largest security exhibition', proclaims to be South Asia's largest security exhibition with 15,000 participants in its latest edition, including a special segment on surveillance. It has been held in either Bombay or Delhi since 2007.

Exhibitors: Honeywell; Infinova; Radar Vision; QNAP; Ensign; Winposee; Bosch; Comguard; Verint; ACSG; Ensign etc.

Visitors: Visitors include government agencies such as the Central Industrial Security Force, Border Security Force, Department of Internal Security, Railway Protection Force and the Department of Border Management.

Technologies on display: RFID, Video Surveillance, Surveillance Drones, IP Surveillance, Digital Surveillance and Monitoring were some of the categories of technologies on display.

3. India International Security Expo (Brochures: 2014 - http://www.indiasecurityexpo.com/images/e_brochure.pdf)

Held in New Delhi since 1996, and organized by the Ministry of Home Affairs, the expo is described as "India's largest show case of goods and services related to Homeland Security, Fire Safety, Traffic Management, Industrial Safety and Public Safety, Hospitality and Reality Security." With specific reference to the changing 'modus operandi of crime by using technology', the Expo focuses on using surveillance technologies for law enforcement purposes.

Exhibitors: Intellivision (USA); Intex (India); ESC Baz (Israel); Sparsh Securitech; Source Security (USA); Intellivision (USA); Interchain Solutions; ESSI; Kritikal; Matrix; Pace Solutions etc.

Visitors: According to the show's brochure, visitors include Central & State Police Organisations, Paramilitary Forces, Policy-makers from the Government, Industrial Establishments, Security Departments of Educational, Retail, Hospitality, Realty & other sectors, Colonisers, Builders, RWAs, System Integrators Large business houses and PSU's.

Technologies on display: Access control systems, surveillance devices, RFID, traffic surveillance and GPS Tracking.

4. Secure Cities Expo (Brochures: 2013 - http://securecitiesindia.com/Secure_Cities_2013_Brochure.pdf; 2014 - http://securecitiesindia.com/images/2014/SC_2014_Brochure.pdf.)

Secure Cities Expo has been organized since 2008, on the platform of providing homeland security solutions and technologies to government and private sector participants.

Exhibitors: Dell; Palo Alto Networks; Motorola; Konnet; Vian Technologies; Quick Heal; Intergraph, GMR, Tac Technologies, Steria, Teleste, Elcom, Indian Eye Security; Mirasys; CBC Group; Verint (USA); IBM (USA); Digitals; EyeWatch; Kanoe; NEC (Japan); ACSG Corporate; ESRI (USA), etc.

Visitors: Visitors include government and law enforcement agencies including the Ministry of Home Affairs as well as systems integrators and private firms including telecom firms.

Technologies on display: CCTV, Biometrics, Covert Tracking and Surveillance Software, Communication Interception, Location and Tracking systems, and IT Security.

5. Defexpo India (Brochures: No publically available brochures)

By far India's largest security exposition, the Ministry of Defense has organized Defexpo India since 1999, showcasing defense, border, and homeland security systems from technology providers internationally.

Exhibitors: Aurora Integrated; Airbus Defence (France); Boeing (USA); Hacking Team (Italy); Kommlabs (Germany); Smoothwall; Atlas Electronik; Cyint; Audiotel International; Cobham; Tas-Agt; Verint; Elsira (Elbit) (Israel); IdeaForge; Comint; Controp; Northrop Gruman; Raytheon; C-DoT; HGH Infrared (Israel); Okham Solutions (France); Septier (Israel); Speech Technology Centre (Russia); Aerovironment (USA); Textron; Sagem (France); Amesys (France); Exelis; ITP Novex (Israel), etc.

Visitors: The latest edition of the Expo saw participation from governmental delegations from 58 countries, besides Indian governmental and law enforcement authorities.

Technologies on display: The entire spectrum of surveillance and homeland security devices is on display at Defexpo, from Infrared Video to Mass Data Interception.

6. Convergence India Expo (Brochures: 2012 - http://convergenceindia.org/download/CI2012-PSR.pdf; 2014 -http://www.convergenceindia.org/pdf/CI-2014-Brochure.pdf; 2015 - http://www.convergenceindia.org/pdf/brochure-2015.pdf.)

Convergence India, being held in New Delhi since 1991, is a platform for interaction between Information and Communication Technology providers and purchasers in the market. In recent years, the expo has catered to the niche market for IT surveillance.

Exhibitors: ELT (UK); Comguard; Fastech; Synway (China); Saltriver; Anritsu (Japan); Cdot; Fastech; Rahul Commerce; Deviser Electronics; RVG Diginet; Blue Coat (USA); Cyberoam (USA); ZTE (China); Net Optics (USA); Controp; Comint etc.

Visitors: Visitors include Paramilitary Forces, Cable Operators, Government Ministries and PSU's and Telecom and Internet Service Providers.

Technologies on Display: Biometrics, Content Filtering, Data Mining, Digital Forensics, IP-Surveillance, Embedded Softwares, Network Surveillance and Satellite Monitoring were some of the technologies on display.

7. International Police Expo (Brochures: 2014 - http://www.nexgengroup.in/exhibition/internationalpoliceexpo/download/International_Police_Expo_2014.pdf.)

The International Police Expo held in New Delhi focuses on providing technologies to police forces across India, with specific focus on IT security and communications security.

Exhibitors: 3G Wireless Communications Pvt Ltd; Motorola Solutions; Cyint; Matrix Comsec; Cellebrite; Hayagriva; MKU; CP Plus etc.

Visitors: Visitors include State Police, Procurement Department, CISF, CRPF, RAF, BSF, Customs, GRPF, NDRF, Special Frontier Force, Para Commandos, Special Action Group, COBRA and PSU's and educational institutes, stadiums and municipal corporations, among others.

Technologies on display: Technologies include RFID and surveillance for Internal Security and Policing, CCTV and Monitoring, Vehicle Identification Systems, GPS, Surveillance for communications and IT, Biometrics and Network surveillance.

8. Electronics For You Expo (EFY Expo) ( 2014 - http://2013.efyexpo.com/wp-content/uploads/2014/03/efy_PDFisation.pdf; 2015 - http://india.efyexpo.com//wp-content/uploads/2014/03/5th%20EFY%20Expo%20India_Brochure.pdf.)

EFY Expo is a electronics expo which showcases technologies across the spectrum of electronics industry. It has been held since 2010, in New Delhi, and is partnered by the Ministry of Communications and IT and the Ministry of Electronics and IT.

Exhibitors: Vantage Security; A2z Securetronix; Avancar Security; Digitals security; Securizen Systems; Vision Security; Mangal Security Systems, etc.

Visitors: The visitors include Government Agencies and ministries as well as systems integrators and telecom and IT providers.

Technologies on display: Identification and Tracking Products and Digital Security Systems are a specific category of the technologies on display.

9. Indesec Expo (Brochures: 2009 - http://www.ontaero.org/Storage/14/897_INDESEC_Oct11-13_2009.pdf. )

An exhibition focused on homeland security, and sponsored by the Ministry of Home Affairs, the expo has been held since 2008 in New Delhi, which includes a specific category for cyber security and counter terrorism.

Exhibitors: Rohde and Schwarz; Salvation Data; AxxonSoft; KritiKal; Shyam Networks; Teledyne Dalsa; Honeywell; General Dynamics; Northrop Grumman; Interchain Solutions, etc.

Visitors: Visitors include officials of the central government, central police and paramilitary forces, Ministry of Defence, central government departments, institutes and colleges, state government and police and ports and shipping companies.

10. Next Generation Cyber Threats Expo

Held since 2012 in New Delhi and Mumbai, the Next Generation Cyber Threats Expo focuses on securing cyber infrastructure and networks in India.

Exhibitors: Ixia, CheckPoint, etc.

Visitors: Visitors include Strategic Planning Specialists, Policy Makers and Law Enforcement among others.

11. SmartCards/RFID/e-Security/Biometrics expo (Brochures: 2013 - http://cis-india.org/internet-governance/blog/brochures-from-expos-in-india-2013 ; 2015 - http://www.smartcardsexpo.com/pdf/SmartCards_Expo_2015_Brochure_$.pdf)

These expos are organized by Electronics Today in Delhi or Mumbai since 1999 and supported by the Ministries of Commerce, Home Affairs and External Affairs. They showcase various identification solutions, attended by hundreds of domestic and international exhibitors.

Visitors: Target audiences include central and local level law enforcement and government organizations, Colleges and Universities, and defense forces.

12. Com-IT Expo (Brochure: 2014 - http://www.comitexpo.in/doc/Brochure.pdf)

This expo has been organized by the Trade Association of Information and Technology in Mumbai since 2008, and focuses on software and hardware Information Technology, with specific focus on IT security and surveillance.

Visitors: Visitors include Government Agencies, Airport Authorities, Police and Law Enforcement, Urban Planners, etc.

Technologies Displayed: CCTV's, Surveillance Devices and IP Cameras, etc.

13. GeoIntelligence India (Brochures: 2013 - http://www.geointelligenceindia.org/2013/Geointelligence%20India%20Brochure.pdf; 2014 - http://geointworld.net/Documents/GeoInt_Brochure_2014.pdf.)

It is an exposition held in New Delhi since 2014, organized by Geospatial Media and Communications Pvt Ltd, and is 'dedicated to showcasing the highest levels of information exchange and networking within the Asian defense and security sector.'

Exhibitors: ESRI (USA); BAE Systems (UK); Leica (Switzerland); Helyx (UK); Digital Globe; Intergraph; Trimble (USA); RSI Softech; Silent Falcon etc.

Visitors: Visitors included the Director General of Information Systems, CRPF, Manipur, Delhi, Haryana and Nagaland Police, CBI, ITBP, NSDI, SSB, National Investigation Agency, Signals Intelligence Directorate among others.

Surveillance Wares in India - The Surveillance Exhibits and what they tell us about the Indian Surveillance Industry

An analysis of the above companies and their wares give us some insight into what is being bought and sold in the surveillance industry, and by whom. Broadly, the surveillance technologies can be grouped in the following categories:

Video Surveillance and Analysis

IP Video Surveillance and CCTV are quickly becoming the norm in public spaces. Emerging video surveillance tools allow for greater networking of cameras, greater fields of vision, cheaper access and come with a host of tools such as facial recognition and tracking as well as vehicle tracking. For example, IBM has developed an IP Video Analytics system which couples monitoring with facial recognition.[8] USA's Intellivision also offers analytics systems which enable licence plate tracking, facial recognition and object recognition.[9] HGH Infrared's Spynel system allows infrared wide-area surveillance,[10] and CBC's GANZ allows long-range, hi-resolution surveillance. [11]

Video surveillance is gradually infiltrating public spaces in most major cities, with Governments promoting large-scale video surveillance schemes for security, with no legal sanctions or safeguards for protecting privacy.

Companies showcasing Video Surveillance: 3G Wireless Communications Pvt Ltd, Motorola Solutions (USA), Bosch, CP Plus, Ivis, Aditya Infotech, Micro technologies, Core Tech (Denmark), Merit Lilin , Schneider Electric, Shyam Systems, Dalsa, Honeywell, Teleste, Mirasys, CBC Group, Infinova, Radar Vision, QNAP, Ensign, Winposee, Bosch, Hik Vision (China), Alhua, Axis Communications, Vivotech (Taiwan), Endroid (USA), Vantge (UK), Pelco (France), Advik, Hi Focus (UK), ESMS, Keeper (China), Neoteric, Vizor, Verint (USA), IBM (USA), Digitals Security, Intellivision (USA), Intex, Esc Baz (Israel), Sparsh Securitech, A2zsecuretronix, Avancar Security, Securizen Systems, Vision Security, HGH Infrared (Israel).

RFID/Smart Cards/Biometric Identification

India has begun the implementation of the Unique Identification Programme for its 1.2 billion strong population, combining a host of identification technologies to provide a unique identification number and Aadhar Card - promoted as an all-purpose ID. However, this remains without legislative sanction, and continues in the face of severe privacy concerns. Such centralized, accessible databases of ostensibly private information present a grave threat to privacy. RFID, Smart Cards and Biometric Identification technologies (like the Aadhar) all make individual monitoring and surveillance significantly easier by enabling tracking of individual movements, consumer habits, attendance, etc.

Companies showcasing Identification Technologies:

AxxonSoft, Matrix Comsec, Ensign, Hi focus, Intellivision (USA), Interchain solutions, Inttelix, Kanoe, NEC (Japan), Pace, Realtime, Secugen, Source Security (USA), Spectra, Speech technology centre (Russia), BioEnable Technologies.

(For a more detailed list, see the Smart Cards Expo Brochures, linked above)

Mass Data Gathering, Monitoring and Analysis

The age of Big Data has led to big surveillance. Information and communication technologies now host significant amounts of individual data, and the surveillance industry makes all of this data accessible to a surveyor. Government mandated surveillance means any and all forms of communication and data monitoring are being implemented in India - there are network taps on telephony and deep packet inspection on internet lines, which makes telephone calls, SMS, VoIP, Internet searches and browsing and email all vulnerable to surveillance, constantly monitored through systems like the Central Monitoring System. Moreover, centralized information stores enable data mining - extracting and extrapolating data to enable better surveillance, which is what India's NATGRID aims to do.

Hacking Team Italy, Blue Coat USA and Amesys France, three of the five companies identified as 'enemies of the internet' for enabling dictatorships to use surveillance to quell dissent and violate human rights,[12] have all presented surveillance solutions at Defexpo India. Cyberoam USA and ZTE China also market Deep Packet Inspection technology,[13] while ESRI's Big Data suite allows analysis through mass surveillance and analysis of social media and publically available sources. [14]

Indian companies showcasing mass data monitoring technologies include Cyint, Fastech DPI tools,[15] Kommlabs VerbaProbe packet switching probes,[16] and ACSG's OSINT, which allows Big Data social media surveillance and Call Data Record analysis.[17]

Companies showcasing Data Gathering and Monitoring technologies:

Cobham, Comguard, Cyint, ELT (UK), Fastech, Hacking Team (Italy), Smoothwall (USA), Verint Systems (USA), Cyint technologies, Atlas Electronik (Germany), Audiotel International (UK), Avancar, Cobham (UK), ELT (UK), Eyewatch, Kommlabs, Mangal Security Systems, Merit Lilin (Taiwan), Ockham Solutions (France), Septier (Israel), Synway (China), ACSG Corporate, Amesys (France), Anritsu (Japan), Axis (Sweden), BAE Systems (UK), Blue Coat (USA), C-dot, Comint, Cyberoam (USA), Deviser Electronics, Elsira (Elbit) (Israel), Esri (USA), Exelis, General Dynamics (USA), Helyx (UK), ITP Novex (Israel), Leica (Switzerland), Net Optics (Ixia) (USA), Northrop Gruman (USA), Rahul Commerce, Rohde And Schwarz (Germany), RVG Diginet, Tas-Agt, Trueposition (USA), Zte Technologies (China).

Cell-Phone Location Tracking and Vehicle Monitoring

A number of technologies enable location tracking through vehicle GPS, GLONASS or other location technologies. RFID or optical character recognition further enables Automatic Number Plate Recognition, which can be exploited to enable vehicle surveillance to track individual movements. Embedded hardware and software on mobile phones also allows constant transmission of location data, which is exploited by surveillance agencies to track individual movements and location.

Companies showcasing Cell-Phone Location Tracking technologies: Verint, Eyewatch, Septier (Israel), True Position (USA),

Companies showcasing Vehicle Monitoring technologies: Hi-techpoint technologies pvt ltd, Axxonsoft, Essi, Fareye, Intellivision (USA), Interchain Solutions, ITP Novex (Israel), Kaneo, Kritikal, NEC (Japan), Saltriver Infosystems, Vision Security Systems.

Air/Ground Drones and Satellite Surveillance

The use of unmanned drones for security purposes is being adopted for law enforcement and surveillance purposes across the world, and India is no exception, using UAV's for surveillance in insurgency-hit areas,[18] amongst other uses, while still having no regulations for their use.[19] Drones, both aerial and ground level, are capable of large-scale territorial surveillance, often equipped with high-technology video surveillance that allows for efficient monitoring at the ground level.

Digital Globe offers satellite reconnaissance surveillance coupled with Big Data analysis for predictive monitoring. [20] Controp offers cameras specifically for aerial surveillance, while Sagem's Patroller Drone and Sperwer, and Silent Falcon's Solar Powered surveillance drone are Unmanned Aerial Vehicles (UAV's) for aerial video surveillance. Auruora Integrated, [21] and IdeaForge are Indian companies which have developed UAV surveillance drones in collaboration with Indian agencies.[22]

Companies showcasing Drone Surveillance: Aurora Integrated, Controp (Israel), Aerovironment (USA), Digital Globe (USA), ESRI (USA), Intergraph (USA), RSI Softech, Sagem (France), Silent Falcon (UAS), Textron (USA), Trimble (USA), Northrop Grumman (USA).

[1] Wikileaks, The Spy Files, available at https://www.wikileaks.org/the-spyfiles.html.

[2] Lawrence Lessig, Code V 2.0.

[3] For more information on the licensing regime, see 'Data Retention in India', available at http://cis-india.org/internet-governance/blog/data-retention-in-india.

[4] Rule 13, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[5] Section 5, Indian Telegraph Act, 1885.

[6] See, for example, the Bangalore Traffic Police CCTV Scheme, http://www.bangaloretrafficpolice.gov.in/index.php?option=com_content&view=article&id=66&btp=66 ; the surveillance scheme supported by the MPLAD Scheme, http://mplads.nic.in/circular08112012.pdf; Mumbai's proposed video surveillance scheme, http://www.business-standard.com/article/companies/wipro-tata-ibm-reliance-among-31-bids-for-cctv-scheme-in-mumbai-112112600160_1.html.

[7] Information on the Forum is available at http://gdsf-india.com/Global-Digital-Surveillance-Forum1/images/GDSF-Bengaluru-Conference-program.pdf.

[8] http://www-01.ibm.com/support/knowledgecenter/SS88XH_1.6.0/iva/int_i2frs_intro.dita

[9] http://www.intelli-vision.com/products/recognition-suite

[10] http://www.hgh-infrared.com/Products/Optronics-for-security

[11] http://www.ifsecglobal.com/cbc-high-end-surveillance-tech-on-display-at-ifsec-india/

[12] http://surveillance.rsf.org/en/category/corporate-enemies/

[13] http://www.cyberoam.com/firewall.html

[14] http://www.esri.com/products/arcgis-capabilities/big-data

[15] http://www.fastech-india.com/packetBrokers.html

[16] http://www.kommlabs.com/products-verbaprobe.asp

[17] http://www.acsgcorporate.com/osint-software.html

[18] http://timesofindia.indiatimes.com/india/UAV-proves-ineffective-in-anti-Maoist-operations/articleshow/20400544.cms

[19] http://dronecenter.bard.edu/drones-in-india/

[20] https://www.digitalglobe.com/products/analytic-services

[21] http://www.aurora-is.com/

[22] http://www.ideaforge.co.in/home/

For more details visit https://cis-india.org/internet-governance/blog/surveillance-industry-in-india-analysis-of-indian-security-expos

Learning to Forget the ECJ's Decision on the Right to be Forgotten and its Implications

divij — 2014-08-19T05:24:00Z

“The internet never forgets” is a proposition which is equally threatening and promising.

The phrase reflects the dichotomy presented by the extension on the lease of public memory granted by the internet – as information is more accessible and more permanent, letting go of the past is becoming increasingly difficult. The question of how to govern information on the internet – a space which is growing increasingly important in society and also one that presents a unique social environment - is one that persistently challenges courts and policy makers. A recent decision by the European Court of Justice, the highest judicial authority of the European Union, perfectly encapsulates the way the evolution of the internet is constantly changing our conceptions of individual privacy and the realm of information. On the 13^th of May, 2014, the ECJ in its ruling in Google v Costeja,[1] effectively read a “right to be forgotten” into existing EU data protection law. The right, broadly, provides that an individual may be allowed to control the information available about them on the web by removing such information in certain situations - known as the right to erasure. In certain situations such a right is non-controversial, for example, the deletion of a social media profile by its user. However, the right to erasure has serious implications for the freedom of information on the internet when it extends to the removal of information not created by the person to whom it pertains.

Privacy and Perfect Memory

The internet has, in a short span, become the biggest and arguably the most important tool for communication on the planet. However, a peculiar and essential feature of the internet is that it acts as a repository and a reflection of public memory – usually, whatever is once made public and shared on the internet remains available for access across the world without an expiry date. From public information on social networks to comments on blog posts, home addresses, telephone numbers and candid photos, personal information is disseminated all across the internet, perpetually ready for access - and often without the possibility of correcting or deleting what was divulged. This aspect of the internet means that the internet is a now an ever-growing repository of personal data, indexed and permanently filed. This unlimited capacity for information has a profound impact on society and in shaping social relations.

The core of the internet lies in its openness and accessibility and the ability to share information with ease – most any information to any person is now a Google search away. The openness of information on the internet prevents history from being corrupted, facts from being manipulated and encourages unprecedented freedom of information. However, these virtues often become a peril when considering the vast amount of personal data that the internet now holds. This “perfect memory” of the internet means that people are perpetually under the risk of being constantly scrutinized and being tied to their pasts, specifically a generation of users that from their childhood have been active on the internet.[2] Consider the example of online criminal databases in the United States, which regularly and permanently upload criminal records of convicted offenders even after their release, which is accessible to all future employers;[3] or the example of the Canadian psychotherapist who was permanently banned from the United States after an internet search revealed that he had experimented with LSD in his past; [4] or the cases of “revenge porn” websites, which (in most cases legally) publically host deeply private photos or videos of persons, often with their personal information, for the specific purpose of causing them deep embarrassment. [5]

These examples show that, due to the radically unrestricted spread of personal data across the web, people are no longer able to control how and by whom and in what context their personal data is being viewed. This creates the vulnerability of the data collectively being “mined” for purposes of surveillance and also of individuals being unable to control the way personal data is revealed online and therefore lose autonomy over that information.

The Right to be Forgotten and the ECJ judgement in Costeja

The problems highlighted above were the considerations for the European Union data protection regulation, drafted in 2012, which specifically provides for a right to be forgotten, as well as the judgement of the European Court of Justice in Google Spain v Mario Costeja Gonzalves.

The petitioner in this case, sought for the removal of links related to attachment proceedings for his property, which showed up upon entering his name on Google’s search engine. After refusing to remove the links, he approached the Spanish Data Protection Agency (the AEPD) to order their removal. The AEPD accepted the complaints against Google Inc. and ordered the removal of the links. On appeal to the Spanish High Court, three questions were referred to the European Court of Justice. The first related to the applicability of the data protection directive (Directive 95/46/EC) to search engines, i.e. whether they could be said to be “processing personal data” under Article 2(a) and (b) of the directive,[6] and whether they can be considered data controllers as per Section 2(d) of the directive. The court found that, because the search engines retrieve, record and organize data, and make it available for viewing (as a list of results), they can be said to process data. Further, interpreting the definition of “data controller” broadly, the court found that ‘ It is the search engine operator which determines the purposes and means of that activity and thus of the processing of personal data that it itself carries out within the framework of that activity and which must, consequently, be regarded as the ‘controller’ ’[7] and that ‘ it is undisputed that that activity of search engines plays a decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search on the basis of the data subject’s name, including to internet users who otherwise would not have found the web page on which those data are published.’[8] The latter reasoning highlights the particular role of search engines, as indexers of data, in increasing the accessibility and visibility of data from multiple sources, lending to the “database” effect, which could allow the structured profiling of an individual, and therefore justifies imposing the same (and even higher) obligations on search engines as on other data controllers, notwithstanding that the search engine operator has no knowledge of the personal data which it is processing.

The second question relates to the territorial scope of the directions, i.e. whether Google Inc., being the parent company based out of the US, came within the court’s jurisdiction – which only applies to member states of the EU. The court held that even though it did not carry on the specific activity of processing personal data, Google Spain, being a subsidiary of Google Inc. which promotes and sells advertisement for the parent company, was an “establishment” in the EU and Google Inc., and, because it processed data “in the context of the activities” of the establishment specifically directed towards the inhabitants of a member state (here Spain), came under the scope of the EU law. The court also reaffirmed a broad interpretation of the data protection law in the interests of the fundamental right to privacy and therefore imputed policy considerations in interpreting the directive. [9]

The third question was whether Google Spain was in breach of the data protection directive, specifically Articles 12(b) and 14(1)(a), which state that a data subject may object to the processing of data by a data controller, and may enforce such a right against the data controller, as long as the conditions for their removal are met. The reasoning for enforcing such a claim against search engines in particular can be found in paragraphs 80 and 84 of the judgement, where the court holds that “(a search engine) enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him.” and that “ Given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites.” In fact, the court seems to apply a higher threshold for search engines due to their peculiar nature as indexes and databases. [10]

Under the court’s conception of the right of erasure, search engines are mandated to remove content upon request by individuals, when the information is deemed to be personal data that is “ inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes,” [11] notwithstanding that the publication itself is lawful and causes no prejudice to the data subject. The court reasoned that when the data being projected qualified on any of the above grounds, it would violate Article 6 of the directive, on grounds of the data not being processed “ fairly and lawfully’, that they are ‘collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes’, that they are ‘adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed’, that they are ‘accurate and, where necessary, kept up to date’ and, finally, that they are ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed’.” [12] Therefore, the court held that, due to the nature of the information, the data subject has a right to no longer have such information linked to his or her name on a list of results following a search made on their name. The grounds laid down by the court, i.e. relevancy, inadequacy, etc. are very broad, yet such a broad conception is necessary in order to effectively deal with the problems of the nature described above.

The judgement of the ECJ concludes by applying a balancing test between the rights of the data subject and both the economic rights of the data controller as well as the general right of the public to information. It states that generally, as long as the information meets the criteria laid down by the directive, the right of the data subject trumps both these rights. However, it adds an important caveat – such a right is inapplicable “ the in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.” This crucial point on the balancing of two rights directly hit by the judgement was only summarily dealt with by the ECJ, without effectively giving any clarity as to what standards to apply or laying down any specific guidelines for the application of the new rule. [13] Doing so, it effectively left the decision to determine what was in the public interest and how the rights are to be balanced to the search engines themselves. Delegating such a task to a private party takes away from the idea of the internet as a common resource which should be developed for the benefit of the larger internet community as a whole, by allowing it to be governed and controlled by private stakeholders, and therefore paves an uncertain path for this crucial aspect of internet governance.

Implications of the ECJ ruling

The decision has far reaching consequences on both privacy and on freedom of information on the internet. Google began implementing the decision through a form submission process, which requires the individual to specify which links to remove and why, and verifies that the request comes from the individual themselves via photo identification, and has also constituted an expert panel to oversee its implementation (similar to the process for removing links which infringe copyright law).[14] Google has since received more than 91,000 requests for removal, pertaining to 328,000 links of which it has approved more than half.[15] In light of such large volumes of data to process, the practical implementation of the ruling has been necessarily problematic. The implementation has been criticized both for implicating free speech on the internet as well as disregarding the spirit of the right to be forgotten. On the first count, Google has been criticized for taking down several links which are clearly are in public interest to be public, including several opinion pieces on politicians and corporate leaders, which amounts to censorship of a free press.[16] On the second count, EU privacy watchdogs have been critical of Google’s decision to notify sources of the removed content, which prompts further speculation on the issue, and secondly, privacy regulators have challenged Google’s claim that the decision is restricted to the localised versions of the websites, since the same content can be accessed through any other version of the search engine, for example, by switching over to “Google.com”.[17]

This second question also raises complicated questions about the standards for free speech and privacy which should apply on the internet. If the EU wishes for Google Inc. to remove all links from all versions of its search engine, it is, in essence, applying the balancing test of privacy and free speech which are peculiar to the EU (which evolved from a specific historical and social context, and from laws emerging out of the EU) across the entire world, and is radically different from the standard applicable in the USA or India, for example. In spirit, therefore, although the judgement seeks to protect individual privacy, the vagueness of the ruling and the lack of guidelines has had enormous negative implications for the freedom of information. In light of these problems, the uproar that has been caused in the two months since the decision is expected, especially amongst news media sites which are most affected by this ruling. However, the faulty application of the ruling does not necessarily mean that a right to be forgotten is a concept which should be buried. Proposed solutions such as archiving of data or limited restrictions, instead of erasure may be of some help in maintaining a balance between the two rights.[18] EU regulators hope to end the confusion through drafting comprehensive guidelines for the search engines, pursuant to meetings with various stakeholders, which should come out by the end of the year. [19] Until then, the confusion will most likely continue.

Is there a Right to be Forgotten in India?

Indian law is notorious for its lackadaisical approach towards both freedom of information and privacy on the internet. The law, mostly governed by the Information Technology Act, is vague and broad, and the essence of most laws is controlled by the rules enacted by non-legislative bodies pursuant to various sections of the Act. The “right to be forgotten” in India can probably be found within this framework, specifically under Rule 3(2) of the Intermediary Guideline Rules, 2011, under Section 79 of the IT Act. Under this rule, intermediaries are liable for content which is “invasive of another’s privacy”. Read with the broad definition of intermediaries under the same rules (which includes search engines specifically) and of “affected person”, the applicable law for takedown of online content is much more broad and vague than the standard laid down in Costeja. It remains to be seen whether the EU’s interpretation of privacy and the “right to be forgotten” would further the chilling effect caused by these rules.

[1] Google Spain v Mario Costeja Gonzalves, C‑131/12, Available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=264438.

[2] See Victor Mayer-Schonberger, Delete: The Virtue of Forgetting in the Digital Age, (Princeton, 2009).

[3] For example, See http://mugshots.com/; and http://www.peoplesearchpro.com/resources/background-check/criminal-records/

[4] LSD as Therapy? Write about It, Get Barred from US, (April, 2007) available at

http://thetyee.ca/News/2007/04/23/Feldmar/

[5] It’s nearly impossible to get revenge porn of the internet, (June, 2014), available t http://www.vox.com/2014/6/25/5841510/its-nearly-impossible-to-get-revenge-porn-off-the-internet

[6] Article 2(a) - “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Article 2(b) - “ processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

[7] ¶36, judgment.

[8] The court also recognizes the implications on data profiling through the actions of search engines organizing results in ¶37.

[9] ¶74 judgment.

[10] In ¶83, the court notes that the processing by a search engine affect the data subject additionally to publication on a webpage; ¶87 - Indeed, since the inclusion in the list of results, displayed following a search made on the basis of a person’s name, of a web page and of the information contained on it relating to that person makes access to that information appreciably easier for any internet user making a search in respect of the person concerned and may play a decisive role in the dissemination of that information, it is liable to constitute a more significant interference with the data subject’s fundamental right to privacy than the publication on the web page.

[11] ¶92, judgment.

[12] ¶72, judgment.

[13] ¶81, judgment.

[14] The form is available at https://support.google.com/legal/contact/lr_eudpa?product=websearch

[15] Is Google intentionally overreacting on the right to be forgotten? (June, 2014), available at http://www.pcpro.co.uk/news/389602/is-google-intentionally-overreacting-on-right-to-be-forgotten.

[16] Will the right to be forgotten extend to Google.com?, (July, 2014), available at http://www.pcpro.co.uk/news/389983/will-right-to-be-forgotten-extend-to-google-com.

[17] The right to be forgotten is a nightmare to enforce, (July, 2014), available at http://www.forbes.com/sites/kashmirhill/2014/07/24/the-right-to-be-forgotten-is-a-nightmare-to-enforce.

[18] Michael Hoven, Balancing privacy and speech in the right to be forgotten, available ati http://jolt.law.harvard.edu/digest/privacy/balancing-privacy-and-speech-in-the-right-to-be-forgotten#_edn15

[19] EU poses 26 questions on the right to be forgotten, (July, 2014), available at http://www.cio-today.com/article/index.php?story_id=1310024135B0

For more details visit https://cis-india.org/internet-governance/blog/learning-to-forget-ecj-decision-on-the-right-to-be-forgotten-and-its-implications

A Review of the Functioning of the Cyber Appellate Tribunal and Adjudicatory Officers under the IT Act

divij — 2014-07-03T05:43:23Z

Tribunals and quasi-judicial bodies are a regular feature of the Indian judicial system, as they provide for easier and less onerous methods for dispute resolution, especially disputes which relate to technical areas and often require technical knowledge and familiarity with specialised factual scenarios.

Further, quasi-judicial bodies do not have the same procedural restrictions as proper courts, which makes the adjudication of disputes easier. The Information Technology Act of India, which regulates several important aspects of electronic information, including the regulation of private electronic transactions as well as detailing civil and criminal offences relating to computers and electronic information, contemplates a specialised dispute resolution mechanism for disputes relating to the offences detailed under the Act. The Act provides for the establishment of quasi-judicial bodies, namely adjudicating officers under S.46, to hear disputes arising out of Chapter IX of the Act, namely, offences of a civil nature under S.43, 43A, 44 and 45 of the Act, as well as criminal offences described under Chapter XI of the Act. The adjudicating officer has the power to both award compensation as damages in a civil remedy, as well as impose penalties for the contravention of the Act,[1] and therefore has powers of both civil and criminal courts. The first appellate body provided in the Act, i.e. the authority that any party not satisfied by the decision of the adjudicating officer can appeal to, is the Cyber Appellate Tribunal, consisting of a Chairperson and any other members so prescribed by the Central Government.[2] The second appeal, if a party is aggrieved by the decision of the Cyber Appellate Tribunal, may be filed before the High Court having jurisdiction, within 60 days from the date of communication of the order.[3]

Functioning of the Offices of the State Adjudicating Officers and the Cyber Appellate Tribunal

The office of the adjudicating officer is established under S.46 of the IT Act, which provides that the person appointed to such a post must be a government officer of a rank not below that of a Director or an equivalent rank, and must have experience both in the field of Information Technology as well as legal or judicial experience.[4] In most cases, the appointed adjudicating officer is the Principle Secretary to the Department of Information Technology in the state.[5] The decisions of these adjudicating officers determine the scope and meaning of several provisions of the IT Act, and are instrumental in the development of the law in this field and filling a lacuna regarding the interpretation of these important provisions, particularly in areas such as data protection and privacy.[6] However, despite the large number of cyber-crime cases being registered across the country,[7] there is a lack of available judgements on the adjudication of disputes under Sections 43, 43A, 44 and 45 of the Act. Of all the states, only the websites of the Departments of Information Technology in Maharashtra,[8], Tamil Nadu[9], New Delhi[10], and Haryana[11] have reported judgements or orders of the Adjudicating Officers. The adjudicating officer in Maharasthra, Rajesh Aggarwal, has done a particularly commendable job, having disposed of 51 cases under the IT Act, with 20 cases still pending.

The first Cyber Appellate Tribunal set up by the Central Government is located at New Delhi. Although a second branch of the Tribunal was to be set up in Bangalore, no efforts seem to have been made in this regard.[12] Further, the position of the Chairperson of the Appellate Tribunal, has been left vacant since 2011, after the appointed Chairperson attained the age of superannuation and retired. Although judicial and technical members have been appointed at various points, the tribunal cannot hold hearings without a chairperson. A total of 17 judgements have been passed by the Cyber Appellate Tribunal prior to the retirement of the chairperson, while the backlog of cases is continuously growing.[13] Despite a writ petition being filed before the Karnataka High Court and the secretary of the Department of IT coming on record to state that the Chairperson would be appointed within 6 months (of September 2013), no action seems to have been taken in this regard, and the lacunae in the judicial mechanism under the IT Act continues. The proper functioning of adjudicating officers and the Cyber Appellate Tribunal is particularly necessary for the functioning of a just judicial system in light of the provisions of the Act (namely, Section 61) which bar the jurisdiction of ordinary civil courts in claims below the amount of Rs. 5 Crores, where the adjudicating officer or the CAT is empowered.[14]

Analysis of Cases Filed under Section 43A

Section 43A of the Information Technology Act was inserted by the 2008 Amendment, and is the principle provision governing protection of information held by intermediaries under the Act. Section 43A provides that “body corporates” handling “sensitive personal data” must implement reasonable security practices for the protection of this information. If it is negligent in providing or maintaining such reasonable security practices, the body corporate is to be held liable and must pay compensation for the loss occurred.[15] Rule 3 of the Draft Reasonable Security Practices Rules, defines sensitive personal data as including – passwords, user details as provided at the time of registration or thereafter, information related to financial information such as Bank account/ credit card /debit card /other payment instrument details of the users, physiological and mental health conditions, medical records and history, biometric information, information received by body corporate for processing, stored or processed under lawful contract or otherwise and call data records.[16]

All the decisions of appointed adjudicators are available for an analysis of Section 43A are from the adjudicating officer in Maharashtra, Mr. Rajesh Tandon, who despite having no judicial experience, has very cogent analysis and knowledge of legal issues involved in the cases, which is commendable for a quasi-judicial officer.

One class of cases, constituting a major chunk of the claims, is where the complainant is claiming against a bank for the fraudulent transfer of funds from the claimants account to another account. In most of these cases, the adjudicating officer examined the compliance of the bank with “Know Your Customer” norms and guidelines framed by the Reserve Bank of India for prevention of banking fraud and, where such compliance was found to be lacking and information which allowed the bank accounts of the complainant was allowed to be accessed by fraudsters, the presumption is that the bank was negligent in the handling of “sensitive personal information”,[17] by failing to provide for reasonable security practices and consequently was liable for compensation under S.43A, notwithstanding that the complainant also contributed to compromising certain personal information by responding to phishing mails,[18] or divulging information to other third parties.[19] These instances clearly fall within the scope of Section 43A, which protects “information related to financial information such as Bank account/ credit card /debit card /other payment instrument details of the users” as sensitive personal data from negligent handling by body corporates. The decisions of the adjudicating officer must be applauded for placing a higher duty of care on banks to protect informational privacy of its customers, given that they are in a position where they ought to be well equipped to deal with intimate financial information and holding them accountable for lack of proper mechanisms to counter bank fraud using stolen information, which reflects in the compensation which the banks have been liable to pay, not only as indemnification for losses, but also punitive damages.[20]

In Nirmalkumar Bhagerwal v IDBI Bank and Meenal Bhagerwal, the sensitive financial information of the complainant, namely, the bank statement, had been accessed by the complainants wife. In holding the bank to be liable for divulging the same, and that access to personal information by a spouse is also covered under S.43A, the officer seems to have imputed the loss of privacy on account of such negligence as ‘wrongful loss’ which deserves compensation. One anomalous decision of the officer was where the operator of an ATM was held liable for fraudulent credit card transactions in that Machine, due to “reasonable security practices” such as security personnel or CCTV footage, and therefore causing the loss of “sensitive personal data”. However, it is difficult to see how ATM operators can be held liable for failing to protect sensitive information from being divulged, when the case is simply of a person fraudulently using a credit card.

Another class of cases, generally linked with the above cases, is complaints against cell phone providers for divulging information through falsely procured Sim Cards. In such instances, the officer has held that by negligently allowing the issuance of duplicate sim cards, the phone company has led to the access of sensitive personal data and thus caused wrongful loss to the complainant. This interpretation of Section 43A is somewhat confusing. The officer seems to have interpreted the provisions of Section 43A to include carriers of the information which was originally sent through the computer resource of the banking companies. In this way, they are imputed the status of “handlers” of sensitive personal information, and their communications infrastructure through which the information is sent is the “computer resource” which it operates for the purpose of the Act. Therefore, through their negligence, they are abetting the offence under 43A.[21]

For example, in the case of Sanjay Govind Dhandhe v ICICI and Vodafone, the officer remarked that –“A SIM card is a veritable key to person’s sensitive financial and personal information. Realizing this, there are clear guidelines issued by the DOT regarding the issuance of SIM cards. The IT Act also intends to ensure that electronic personal and sensitive data is kept secured and reasonable measures are used to maintain its confidentiality and integrity. It is extremely crucial that Telecom companies actively follow strict security procedures while issuing SIM cards, especially in wake of the fact that mobiles are being increasingly used to undertake financial transactions. In many a case brought before me, financial frauds have been committed by fraudsters using the registered mobile numbers of the banks’ account holders.” Therefore, intermediaries such as telecom companies, which peripherally handle the data, are also liable under the same standards for ensuring its privacy. The adjudicating officer has also held telephone companies liable for itemized phone bills as Call Data Records negligently divulged by them, which again clearly falls under the scope of the Reasonable Security Practices Rules.[22]

Note:

"Credentek v Insolutions (http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_Credentek_Vs_Insolutions-28012014.pdf) . This case holds that banks and the National Payments Corporation of India were liable under S. 43A for divulging information relating to transactions by their customers to a software company which provides services to these banks using the data, without first making them sign non-disclosure agreements. The NCPI was fined a nominal amount of Rs. 10,000."

[1]. Section 46, Information Technology Act, 2000.

[2]. Section 48 and 49 of the Information Technology Act, 2000 (Amended as of 2008).

[3]. Section 62, IT Act. However, The High Court may extend this period if there was sufficient cause for the delay.

[4]. S. 46(3), Information Technology Act, “No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and Legal or Judicial experience as may be prescribed by the Central Government.”

[5]. From whatever data is available, the adjudicating officers in the states of Maharashtra, New Delhi, Haryana, Tamil Nadu and Karnataka are all secretaries to the respective state departments relating to IT.

[6]. See http://cis-india.org/internet-governance/blog/analysis-of-cases-filed-under-sec-48-it-act-for-adjudication-maharashtra; Also see the decision of the Karnataka adjudicating officer which held that body corporates are not persons under S.43 of the IT Act, and thus cannot be liable for compensation or even criminal action for offences under that Section, available at http://www.naavi.org/cl_editorial_13/adjudication_gpl_mnv.pdf.

[7]. Maharashtra Leads in War Against Cyber Crime, The Times of India, available at http://timesofindia.indiatimes.com/city/mumbai/Maharashtra-leads-in-war-against-cyber-crime/articleshow/30579310.cms. (18^th February, 2014).

[8]. https://it.maharashtra.gov.in/1089/IT-Act-Judgements

[9]. http://www.tn.gov.in/documents/atoz/J

[10]. http://www.delhi.gov.in/wps/wcm/connect/DoIT_IT/doit_it/it+home/orders+of+adjudicating+officer

[11]. http://haryanait.gov.in/cyber.htm

[12]. Bangalore Likely to host southern chapter of Cyber Appellate Tribunal, The Hinduk http://www.thehindu.com/news/national/karnataka/bangalore-is-likely-to-host-southern-chapter-of-cyber-appellate-tribunal/article3381091.ece (2^nd May, 2013).

[13]. http://catindia.gov.in/Judgement.aspx

[14]. Section 61 of the IT Act – ‘No court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered by or under this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act. Provided that the court may exercise jurisdiction in cases where the claim for injury or damage suffered by any person exceeds the maximum amount which can be awarded under this Chapter.’

[15]. Section 43A, Information Technology Act, 2000 – ‘Compensation for failure to protect data (Inserted vide ITAA 2006) Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected. (Change vide ITAA 2008)

Explanation: For the purposes of this section (i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities (ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. (iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

[16]. Draft Reasonable Security Practices Rules under Section 43A of the IT Act, available at http://www.huntonfiles.com/files/webupload/PrivacyLaw_Reasonable_Security_Practices_Sensitive_Personal_Information.pdf.

[17]. Ravindra Gunale v Bank of Maharashtra, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RavindraGunale_Vs_BoM&Vodafone_20022013.PDF. Ram Techno Pack v State Bank of India, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RamTechno_Vs_SBI-22022013.pdf.

Srinivas Signs v IDBI, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SreenivasSigns_Vs_IDBI-18022014.PDF.

Raju Dada Raut v ICICI Bank, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RajuDadaRaut_Vs_ICICIBank-13022013.pdf

Pravin Parkhi v SBI Cards, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_PravinParkhi_Vs_SBICardsPayment-30122013.PDF.

[18]. Sourabh Jain v ICICI, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SourabhJain_Vs_ICICI&Idea-22022013.PDF.

[19]. Poona Automobiles v Punjab National Bank, https://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_PoonaAuto_Vs_PNB-22022013.PDF

[20]. Amit Patwardhan v Bank of Baroda, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudicaton_AmitPatwardhan_Vs_BankOfBaroda-30122013.PDF.

[21]. Ravindra Gunale v Bank of Maharashtra, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RavindraGunale_Vs_BoM&Vodafone_20022013; Raju Dada Raut v ICICI Bank, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RajuDadaRaut_Vs_ICICIBank-13022013.pdf.

[22]. Rohit Maheshwari v Vodafone, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RohitMaheshwari_Vs_Vodafone&ors-04022014.PDF.

For more details visit https://cis-india.org/internet-governance/blog/review-of-functioning-of-cyber-appellate-tribunal-and-adjudicatory-officers-under-it-act

Search and Seizure and the Right to Privacy in the Digital Age: A Comparison of US and India

divij — 2014-06-02T06:45:14Z

The development of information technology has transformed the way in which individuals make everyday transactions and communicate with the world around us. These interactions and transactions are recorded and stored – constantly available for access by the individual and the company through which the service was used.

For example, the ubiquitous smartphone, above and beyond a communication device, is a device which can maintain a complete record of the communications data, photos, videos and documents, and a multitude of other deeply personal information, like application data which includes location tracking, or financial data of the user. As computers and phones increasingly allow us to keep massive amounts of personal information accessible at the touch of a button or screen (a standard smartphone can hold anything between 500 MB to 64 GB of data), the increasing reliance on computers as information-silos also exponentially increases the harms associated with the loss of control over such devices and the information they contain. This vulnerability is especially visceral in the backdrop of law enforcement and the use of coercive state power to maintain security, juxtaposed with the individual’s right to secure their privacy.

American Law - The Fourth Amendment Protection against Unreasonable Search and Seizure

The right to conduct a search and seizure of persons or places is an essential part of investigation and the criminal justice system. The societal interest in maintaining security is an overwhelming consideration which gives the state a restricted mandate to do all things necessary to keep law and order, which includes acquiring all possible information for investigation of criminal activities, a restriction which is based on recognizing the perils of state-endorsed coercion and its implication on individual liberty. Digitally stored information, which is increasingly becoming a major site of investigative information, is thus essential in modern day investigation techniques. Further, specific crimes which have emerged out of the changing scenario, namely, crimes related to the internet, require investigation almost exclusively at the level of digital evidence. The role of courts and policy makers, then, is to balance the state’s mandate to procure information with the citizens’ right to protect it.

The scope of this mandate is what is currently being considered before the Supreme Court of the United States, which begun hearing arguments in the cases Riley v. California,[1] and United States v Wurie,[2]on the 29^th of April, 2014. At issue is the question of whether the police should be allowed to search the cell phones of individuals upon arrest, without obtaining a specific warrant for such search. The cases concern instances where the accused was arrested on account of a minor infraction and a warrantless search was conducted, which included the search of cell phones in their possession. The information revealed in the phones ultimately led to the evidence of further crimes and the conviction of the accused of graver crimes. The appeal is for a suppression of the evidence so obtained, on grounds that the search violates the Fourth Amendment of the American Constitution. Although there have been a plethora of conflicting decisions by various lower courts (including the judgements in Wurie and Riley),[3] the Federal Supreme Court will be for the first time deciding upon the issue of whether cell phone searches should require a higher burden under the Fourth Amendment.

At the core of the issue are considerations of individual privacy and the right to limit the state’s interference in private matters. The fourth amendment in the Constitution of the United States expressly grants protection against unreasonable searches and seizure,[4]however, without a clear definition of what is unreasonable, it has been left to the courts to interpret situations in which the right to non-interference would trump the interests of obtaining information in every case, leading to vast and varied jurisprudence on the issue. The jurisprudence stems from the wide fourth amendment protection against unreasonable government interference, where the rule is generally that any warrantless search is unreasonable, unless covered by certain exceptions. The standard for the protection under the Fourth Amendment is a subjective standard, which is determined as per the state of the bind of the individual, rather than any objective qualifiers such as physical location; and extends to all situations where individuals have a reasonable expectation of privacy, i.e., situations where individuals can legitimately expect privacy, which is a subjective test, not purely dependent upon the physical space being searched.[5]

Therefore, the requirement of reasonableness is generally only fulfilled when a search is conducted subsequent to obtaining a warrant from a neutral magistrate, by demonstrating probable cause to believe that evidence of any unlawful activity would be found upon such search. A warrant is, therefore, an important limitation on the search powers of the police. Further, the protection excludes roving or general searches and requires particularity of the items to be searched. The restriction derives its power from the exclusionary rule, which bars evidence obtained through unreasonable search or seizure, obtained directly or through additional warrants based upon such evidence, from being used in subsequent prosecutions. However, there have evolved several exceptions to the general rule, which includes cases where the search takes place upon the lawful arrest of an accused, a practice which is justified by the possibility of hidden weapons upon the accused or of destruction of important evidence.[6]

The appeal, if successful, would provide an exception to the rule that any search upon lawful arrest is always reasonable, by creating a caveat for the search of computer devices like smartphones. If the court does so, it would be an important recognition of the fact that evolving technologies have transmuted the concept of privacy to beyond physical space, and legal rules and standards that applied to privacy even twenty years ago, are now anachronistic in an age where individuals can record their entire lives on an iPhone. Searching a person nowadays would not only lead to the recovery of calling cards or cigarettes, but phones and computers which can be the digital record of a person’s life, something which could not have been contemplated when the laws were drafted. Cell phone and computer searches are the equivalent of searches of thousands of documents, photos and personal records, and the expectation of privacy in such cases is much higher than in regular searches. Courts have already recognized that cell phones and laptop computers are objects in which the user may have a reasonable expectation of privacy by making them analogous to a “closed container” which the police cannot search and hence coming under the protection of the Fourth Amendment.[7]

On the other hand, cell phones and computers also hold data which could be instrumental in investigating criminal activity, and with technologies like remote wipes of computer data available, such data is always at the risk of destruction if delay is occurred upon the investigation. As per the oral arguments, being heard now, the Court seems to be carving out a specific principle applicable to new technologies. The Court is likely to introduce subtleties specific to the technology involved – for example, it may seek to develop different principles for smartphones (at issue in Riley) and the more basic kind of cell-phones (at issue in Wurie), or it may recognize that only certain kinds of information may be accessed,[8]or may even evolve a rule that would allow seizure, but not a search, of the cell phone before a search warrant can be obtained.[9] Recognizing that transformational technology needs to be reflected in technology-specific legal principles is an important step in maintaining a synchronisation between law and technology and the additional recognition of a higher threshold adopted for digital evidence and privacy would go a long way in securing digital privacy in the future.

Search and Seizure in India

Indian jurisprudence on privacy is a wide departure from that in the USA. Though it is difficult to strictly compartmentalize the many facets of the right to privacy, there is no express or implicit mention of such a right in the Indian Constitution. Although courts have also recognized the importance of procedural safeguards in protecting against unreasonable governmental interference, the recognition of the intrinsic right to privacy as non-interference, which may be different from the instrumental rights that criminal procedure seeks to protect (such as misuse of police power), is sorely lacking. The general law providing for the state’s power of search and seizure of evidence is found in the Code of Criminal Procedure, 1973.

Section 93 provides for the general procedure of search. Section 93 allows for a magistrate to issue a warrant for the search of any “document or thing”, including a warrant for general search of an area, where it believes it is required for the purpose of investigation. The particularity of the search warrant is not a requirement under S. 93(2), and hence a warrant may be for general or roving search of a place. Section 100, which further provides for the search of a closed place, includes certain safeguards such as the presence of witnesses and the requirement of a warrant before a police officer may be allowed ingress into the closed place. However, under S. 165 and S. 51 of the code, the requirements of a search warrant are exempted. S. 165 dispenses with the warrant requirement and provides for an officer in charge of a police station, or any other officer duly authorized by him, to conduct the search of any place as long as he has reasonable grounds to believe that such search would be for the purpose of an investigation and a belief that a search warrant cannot be obtained without undue delay. Further, the officer conducting such search must as far as possible note down the reasons for such belief in writing prior to conducting the search. Section 51 provides another express exception to the requirement of search warrants, by allowing the search of a person arrested lawfully provided that the arrested person may not or cannot be admitted to bail, and requires any such seized items to be written in a search memo. As long as these conditions are fulfilled, the police has an unqualified authority to search a person upon arrest. Therefore, where the arrestee can be admitted to bail as per the warrant, or, in cases of warrantless arrest, as per the law, the search and seizure of such person may not be regular, and the evidence so collected would be subject to greater scrutiny by the court. However, besides these minimal protections, there is no additional procedural protection of individual privacy, and the search powers of the police are extremely wide and discretionary. In fact, there is a specific absence of the exclusionary rule as a protection as well, which means that, unlike under the Fourth Amendment, the non-compliance with the procedural requirements of search would not by itself vitiate the proceedings or suppress the evidence so found, but would only amount to an irregularity which must be simply another factor considered in evaluating the evidence.[10]

The extent of the imputation of the Fourth Amendment protection against unreasonable governmental interference in the Indian constitution is also uncertain. A direct imputation of the Fourth Amendment into the Indian Constitution has been disregarded by the Supreme Court.[11]Though the allusions to the Fourth Amendment have mostly been invoked on facts where unreasonable intrusions into the homes of persons were challenged, the indirect imputation of the right to privacy into the right under Article 21 of the Constitution, invoking the right to privacy as a right to non-interference and a right to live with dignity, would suggest that the considerations for privacy under the Constitution are not merely objective, or physical, but depend on the subjective facts of the situation, i.e. its effect on the right to live with dignity (analogous to the reasonable expectation of privacy test laid down in Katz).[12] Further, the court has specifically struck down provisions for search and seizure which confer particularly wide and discretionary powers on the executive without judicial scrutiny, holding that searches must be subject to the doctrine of proportionality, and that a provision probable cause to effect any search.[13] The Fourth Amendment protection against unreasonable interference in private matters by the state is a useful standard to assess privacy, since it imputes a concept of privacy as an intrinsic right as well as an instrumental one, i.e. privacy as non-interference is a good in itself, notwithstanding the rights it helps achieve, like the freedom of movement or speech.

Regarding digital privacy in particular, Indian law and policy has failed to stand up to the challenges that new technologies pose to privacy and has in fact been regressive, by engaging in surveillance of communications and by allowing governmental access to digital records of online communications (including emails, website logs, etc.) without judicial scrutiny and accountability.[14] In an age of transformative technology and of privacy being placed at a much greater risk, laws which were once deemed reasonable are now completely inadequate in guaranteeing freedom and liberty as encapsulated by the right to privacy. The disparity is even more pronounced in cases of investigation of cyber-crimes which rely almost exclusively on digital evidence, such as those substantively enumerated under the Information Technology Act, but investigated under the general procedure laid down in the Code of Criminal Procedure, which is already mentioned. The procedures for investigation of cyber-crimes and the search and seizure of digital evidence require special consideration and must be brought in line with changing norms. Although S.69 and 69B lay down provisions for investigation of certain crimes,[15] which requires search upon an order by competent authority, i.e. the Secretary to the Department of IT in the Government of India, the powers of search and seizure are also present in several other rules, such as rule 3(9) of the Information Technology (Due diligence observed by intermediaries guidelines) Rules, 2011 which allows access to information from intermediaries by a simple written order by any agency or person who are lawfully authorised for investigative, protective, cyber security or intelligence activity; or under rule 6 of the draft Reasonable Security Practices Rules, 2011 framed under Section 43A of the Information Technology Act, where any government agency may, for the prevention, detection, investigation, prosecution, and punishment of offences, obtain any personal data from an intermediate “body corporate” which stores such data. The rules framed for investigation of digital evidence, therefore, do not inspire much confidence where safeguarding privacy is concerned. In the absence of specific guidelines or amendments to the procedures of search and seizure of digital evidence, the inadequacies of applying archaic standards leads to unreasonable intrusions of individual privacy and liberties – an incongruity which requires remedy by the courts and legislature of the country.

[1]. http://www.supremecourt.gov/oral_arguments/argument_transcripts/13-132_h315.pdf

[2]. http://www.supremecourt.gov/oral_arguments/argument_transcripts/13-212_86qd.pdf

[3]. In Wurie, the motion to supress was allowed, while in Riley it was denied. Also see US v Jacob Finley, US v Abel Flores-Lopez where the motion to suppress was denied.

[4]. The Fourth Amendment to the Constitution of the United States of America: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

[5]. Katz v United States, 389 U.S. 347, 352 (1967).

[6]. Stephen Saltzer, American Criminal Procedure

[7]. United States v Chan, 830 F. Supp. 531,534 (N.D. Cal. 1993).

[8]. A factor considered in US v Abel Flores-Lopez, where the court held that the search of call history in a cell phone did not constitute a sufficient infringement of privacy to require the burden of a warrant.

[9]. The decision in Smallwood v. Florida, No. SC11-1130, before the Florida Supreme Court, made such a distinction.

[10]. State Of Maharashtra v. Natwarlal Damodardas Soni, AIR 1980 SC 593; Radhakrishnan v State of UP, 1963 Supp. 1 S.C.R. 408

[11]. M.P. Sharma v Satish Chandra, AIR 1954 SC 300

[12]. Kharak Singh v State of UP, (1964) 1 SCR 332; Gobind v State of Madhya Pradesh, 1975 AIR 1378

[13]. District Registrar and Collector v. Canara Bank, AIR 2005 SC 186, which related to S.73 of the Andhra Pradesh Stamps Act which allowed ‘any person’ to enter into ‘any premises’ for the purpose of conducting a search.

[14]. S. 69 and 69B of the Information Technology (Amendment) Act, 2008.

[15]. Procedures and Safeguards for Monitoring and collecting traffic data or information rules 2009, available at http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009

For more details visit https://cis-india.org/internet-governance/blog/search-and-seizure-and-right-to-privacy-in-digital-age

South African Protection of Personal Information Act, 2013

divij — 2014-05-05T06:59:51Z

As the rapid spread of technology in developing countries allows exponentially increasing availability of and access to personal data through automatic data processing, governments are beginning to recognize the necessity to evolve policies addressing data security and privacy concerns.

The source of pressure for strict legal regulations addressing data protection are both the growing recognition of the importance of privacy rights, as well as the risk of falling behind on international standards on data protection, which would hamper the potential of developing countries as destinations for outsourcing industries which depend largely on processing of information.[1] The Protection of Personal Information Act enacted by South Africa is an example of a policy which enables a comprehensive framework for data security and privacy and is a model for other developing nations which are weighing the costs and benefits of establishing a secure data protection regime.

The South African law traces the right to protection of personal information back to Section 14 of the South African Constitution, which provides for a right against the unlawful collection, retention, dissemination and use of personal information. The law establishes strict restrictions and regulations on the processing of personal information, which includes information including relating to race, gender, sexual orientation, medical information, biometric information and personal opinion. The processing of personal information under the Act must comply with 8 principles, namely - accountability, lawful purpose for processing and processing limitation, purpose specification, information quality, openness and notice of collection, openness, reasonable security safeguards and subject participation, in line with the international standards for fair information practices.[2] The Act also recognizes ‘special personal information’, including religious or political beliefs, race, sexual orientation and trade union membership, as well as any personal information of children below the age of 18, which require stricter safeguards for processing,. Similar to the draft Indian legislation on privacy, the Act contemplates an independent regulatory mechanism, the information regulator, which would have all the necessary powers to effectively monitor compliance under the Act, including the power for punishing offences under the Act.

The Protection of Personal Information Act contains 115 Sections and is meant to be an exhaustive and heavily detailed policy to bring South Africa’s laws in line with EU and international regulations on data protection.[3] Though such progressive policies should be a model for policy changes in other developing nations, one aspect in which the law fails is to address increasing privacy concerns arising from widespread government-enabled surveillance and data retention. The POPI excludes from its application the processing of information related to national security, terrorist related activities and public safety, combating of money laundering, investigation of proof of offences, the prosecution of offenders, execution of sentences or other security measures, subject to adequate safeguards being established by the legislature for protection of personal information. Unfortunately, the ambiguous wording of the exclusions, especially in determining “adequate safeguards”, leaves its interpretation and application open for governments to engage in mass surveillance in the name of public security. Over the past few years, governments have taken to using technology and information, particularly through mass surveillance, to collect comprehensive information on their citizens and violate their liberties and privacy. In India, particularly with programs like the Central Monitoring System being implemented, any policy which purportedly aims at the protection of privacy must not only seek bare minimal compliances with the current international standards for data protection, but should also address the mass, unrestricted surveillance and data retention which is taking place in the name of public security.

Developing nations like South Africa and India face significant challenges in ensuring individual privacy, particularly the lack of sufficient legal safeguards for the protection of privacy. The right to privacy is often dismissed as an elitist or western concept, which does not have value in the context of developing nations, without engaging with the realities and the nuances of the right. Further, the costs of expensive technical safeguards means private and public bodies are required to spend significant resources in maintaining data security and these factors often outweigh privacy considerations in policy debates. The South African Act, hence, serves both as an important model for legislation and as an indication that the right to privacy is valuable to recognize in developing countries as well.

[1]. Article 25 of the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such data (Directive 95/46/EC) prohibits the transfer of data to non-member states which do not comply with adequate data protection norms.

[2]. http://oecdprivacy.org/

[3]. Link to Act: www.gov.za/documents/download.php?f=204368

For more details visit https://cis-india.org/internet-governance/blog/south-african-protection-personal-information-act-2013

European Union Draft Report Admonishes Mass Surveillance, Calls for Stricter Data Protection and Privacy Laws

divij — 2014-09-30T08:52:45Z

Ever since the release of the “Snowden files”, the secret documents evidencing the massive scale of surveillance undertaken by America’s National Security Agency and publically released by whistle-blower Edward Snowden, surveillance in the digital age has come to the fore of the global debate on internet governance and privacy.

The Committee on Civil Liberties, Justice and Home Affairs of the European Parliament in its draft report on global surveillance has issued a scathing indictment of the activities of the NSA and its counterparts in other member nations and is a welcome stance taken by an international body that is crucial to the fight against surveillance.

The "European Parliament Draft Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs" released on the 8^th of January, 2014, comprehensively details and critiques the mass surveillance being undertaken by government agencies in the USA as well as within the EU, from a human rights and privacy perspective. The report examines the extent to which surveillance systems are employed by the USA and EU member-states, and declares these systems in their current avatars to be unlawful and in breach of international obligations and fundamental constitutional rights including "the freedom of expression, of the press, of thought, of conscience, of religion and of association, private life, data protection, as well as the right to an effective remedy, the presumption of innocence and the right to a fair trial and non-discrimination".

Furthermore, the report points to the erosion of trust between the EU and the US as well as amongst member states as an outcome of such secret surveillance, and criticises and calls for a suspension of the data-sharing and transfer agreements like the Terrorist Finance Tracking Program (TFTP), which share personal information about EU citizens with the United States, after examining the inadequacy of the US Safe Harbour Privacy principles in ensuring the security of such information.

After considering the secret and unregulated nature of these programmes, the report points to the need of restricting surveillance systems and criticizes the lack of adequate data protection laws and privacy laws which adhere to basic principles such as necessity, proportionality and legality.. It also questions the underlying motives of these programmes as mere security-tools and points to the possible existence of political and economic motives behind their deployment. Recognizing the pitfalls of surveillance and the terrible potential for misuse, the report "condemns in the strongest possible terms the vast, systemic, blanket collection of the personal data of innocent people, often comprising intimate personal information; emphasises that the systems of mass, indiscriminate surveillance by intelligence services constitute a serious interference with the fundamental rights of citizens; stresses that privacy is not a luxury right, but that it is the foundation stone of a free and democratic society; points out, furthermore, that mass surveillance has potentially severe effects on the freedom of the press, thought and speech, as well as a significant potential for abuse of the information gathered against political adversaries."

Amongst the recommendations in the 51-page report are calls for a prohibition of mass surveillance and bulk data collection, and an overhaul of the existing systems of data-protection across the European Union and in the US to recognize and strengthen the right to privacy of their citizens, as well as the implementation of democratic oversight mechanisms to check security and intelligence agencies. It also calls for a review of data-transfer programmes and ensuring that standards of privacy and other fundamental rights under the European constitution are met. The committee sets out a 7-point plan of action, termed the European Digital Habeus Corpus for Protecting Privacy, including adopting the Data Protection Package, suspending data transfers to the US until a more comprehensive data protection regime is through an Umbrella Agreement, enhancing fundamental freedoms of expression and speech, particularly for whistleblowers, developing a European Strategy for IT independence and developing the EU as a reference player for democratic and neutral governance of the internet.

Though this draft report has no binding legal value as yet, the scathing criticism has assisted in calling to the attention of the global community the complex issues of internet governance and privacy and surveillance, and generated debate and discourse around the need for an overhaul of the current system. The recent decision of the US government to ‘democratize’ the internet by handing control of the DNS root zone to an international body, and thereby relinquishing a large part of its means of controlling the internet, is just one example of the systemic change that this debate is generating.

For more details visit https://cis-india.org/internet-governance/blog/european-union-draft-report-admonishes-mass-surveillance

Net Neutrality and Privacy

divij — 2014-03-20T05:01:58Z

The highly contentious and polarising debate on net-neutrality will have a large impact on shaping the future of the internet and ultimately on the users of the internet. One important issue which needs to be prioritized while debating the necessity or desirability of a legal regime which advocates net-neutrality is its implication on privacy.

The principle behind net-neutrality, simply put, is that the data being transmitted to and from the user should be treated equally, i.e. that data carriage, at the level of ISP’s, should be ‘dumb’. This would mean that internet service providers cannot discriminate between different data based on the content of the data. Without the principle of net-neutrality being followed, ISP’s would become the ‘internet gatekeepers’, choosing what data gets to reach the end-user and how. There are many arguments for favouring or disfavouring net-neutrality, however, advocates of privacy on the internet should be wary of the possible implications of endorsing a non-neutral internet and allowing greater network management by ISP’s. So, how does the net-neutrality debate affect privacy?

It all depends upon what kind of network management ISP’s employ. Deep Packet Inspection (DPI) is a method of data inspection which allows the network manager to scrutinize data at the application level, and in real time. As compared to shallow packet inspection, which identifies based on headers like IP addresses or protocols like TCP and UDP, which are analogous to envelopes on a letter, DPI would be akin to having access to the contents. DPI-based network management can identify the programs, software and applications being used, and what they are being used for in real time. Unlike any ordinary online service provider ISP’s are in the unique position of having comprehensive access to all of their customers’ data. Allowing DPI-based network management for prioritizing certain data or applications, an almost certain outcome if net-neutrality is weakened, would mean that ISP’s would be able to intercept and scrutinize any and all user data, which would reveal substantial information about the user, and would be a serious blow to privacy. While DPI can have several benefits in its application (such as finding and fighting malware or viruses), but where it is used, must be for a targeted and legitimate aim. Even where DPI is not used, if network discrimination is allowed, based on a user-to-user basis it would require inspecting the IP addresses of the user, which can also be a problematic intrusion of privacy, especially since the ISP also has other data like addresses and names of users which it can use to identify them.

Privacy may not necessarily be affected through non-neutral internet systems, but in all probability, with the growth of systems like the DPI and commercial incentives for “gatekeeper ISP’s” who are in a position to profit greatly from an ability to scrutinize and discriminate between data, it is likely that it will. In India, though government ISP’s like MTNL and BSNL deny using DPI,[1] it’s likely that it is still applied by others, and that the government is aware of this (http://www.theinquirer.net/inquirer/news/2161541/indian-isps-block-104-websites). Even as the TRAI advocates and supports net-neutrality, Indian ISP’s seem to be heading the other way.[2] Before the trend becomes the norm, it’s high time for a comprehensive discussion about how policies should be framed for keeping the internet a more neutral, and more private, space.

References

Apar Gupta, TRAI(ing) to keep it neutral, http://www.iltb.net/2010/09/traiing-keep-it-neutral/
For a lay discussion on Deep Packet Inspection and net-neutrality, visit http://arstechnica.com/gadgets/2007/07/deep-packet-inspection-meets-net-neutrality/

For more details visit https://cis-india.org/internet-governance/blog/net-neutrality-and-privacy

New Standard Operating Procedures for Lawful Interception and Monitoring

divij — 2014-03-20T05:13:13Z

Government issues new guidelines to TSP’s to assist Lawful Interception and Monitoring.

Even as the Central Government prepares the Central Monitoring System for the unrestricted monitoring of all personal communication, the Department of Telecom has issued new guidelines for Telecom Service Providers to assist in responding to requests for interception and monitoring of communications from security agencies.

These guidelines do not appear to be publicly accessible, but according to news items, under the “Standard Operating Procedures for Lawful Interception and Monitoring of Telecom Service Providers”, the TSP’s must now provide for lawful interception and monitoring requests for voice calls, Short message Service (SMS), General Packet Radio Service (GPRS) and Value Added Service (VAS) including Multi Message Service (MMS), data and voice in 3G/4G/Long Term Evolution (LTE) including video call or Voice Over Internet protocol (VoIP). This move comes just days after the Home Ministry suggested that the Department of Telecom either change the rules under their Telecom Policies such as the Unified Access Service Licence (UASL) to include VoIP monitoring, or, drastically, block all VoIP services on the internet, which would include several communication applications including Skype and GTalk. (See the article published by Economic Times).

The guidelines will supposedly also provide for some basic safeguards to ensure that non-authorized interception does not take place, such as ensuring that the interception is only to be provided by the Chief Nodal Officer of a TSP and only upon the issue of an order by the Home Secretary at the Central or State Government. Furthermore, these requests must only be in written, in untampered and sealed envelopes with no overwriting, etc. and bearing the order number issued by the concerned Secretary, with the date of the order. However, in exigent circumstances the order may be provided by email, provided that the physical copy is sent within two days of the order, else the interception order must be terminated. Inquiry processes are detailed under the new SOP’s which can verify whether the request was in original and addressed to the Nodal Officer and from which designated security agency it was issued, and can also verify the issue of an acknowledgment of compliance of the order by the TSP within two days of its receipt. The new guidelines also clarify the issue of interception of roaming subscribers by the State Government where the subscriber is registered. According to the guidelines, an order by the government of the state where such a caller has registered is sufficient and does not need vetting by the Home Secretary at the centre.

Notwithstanding the additional “safeguards” against unlawful or unauthorized interception, the message to take away from these guidelines is the Government’s continued efforts to expand its surveillance regime to comprehensively monitor every action and every communication at its whim. These requests for monitoring, undertaken by “security agencies” which include taxation agencies and the SEBI, are flawed not merely because of the possibility of “unauthorized” interception, rather because the legal basis of the interception is vague, broad and widely susceptible to misuse, as the recent “snoopgate” allegations against the Gujarat government have shown. (See the article published by the Hindu).

The current regime, based on a wide interpretation of Section 5(2) of the Indian Telegraph Act and the telecom policies of the Department of Telecom, do not have adequate safeguards for preventing misuse by those in power – such as the requirement of reasonable suspicion or a warrant. Without a sound legal basis for interception, which protects the privacy rights of individuals, any additional safeguards are more or less moot, since the real threat of intrusive surveillance and infringing of basic privacy exists regardless of whether it is done under the seal of the Home Secretary or not.

Resources

For more details visit https://cis-india.org/internet-governance/blog/new-standard-operating-procedures-for-lawful-interception-and-monitoring

Calcutta High Court Strengthens Whistle Blower Protection

divij — 2014-02-24T06:38:44Z

Calcutta High Court has ordered for protection of whistle blower's privacy in its November 20, 2013 order. The court has directed the government to accept RTI applications without the applicant's personal details.

In the absence of any law for the protection of whistle-blowers in the country, exposing the rampant corruption in our public institutions has become a hazardous occupation, with reports of threat and intimidation and even incidents of murder of whistle-blowers commonplace.[1] With the Whistle blower’s Protection Bill in abeyance and without any strict laws protecting the identities of the whistle-blowers who challenge such a corrupt system, even the mechanisms like the Right to Information Act which are meant to safeguard against systemic abuse and ensure transparency are being severely undermined.

For this reason, the Calcutta High Court’s affirmation of whistle-blowers’ privacy and identity protection is an important development. Through its order on the 20th of November, 2013, the Calcutta High Court held that for the purposes of section 6(2), which requires an application to the Public Information Officer to provide contact details of the applicant, it is sufficient in such application to disclose only the post-box number of the applicant. The court directed the Government to accept RTI applications without personal details or detailed whereabouts, when a post-box number or sufficient detail has been provided to establish contact between the whistle-blower and the authority. However if a public authority has any difficulty contacting the applicant through the Post Box No. the applicant may be asked to provide other contact details. The court further directed that personal details of applicants are not to be posted on the authorities’ websites.

The order, which was notified by the Government last week, ensures to some extent the protection of a whistle-blowers identity, and reduces the chances of the RTI being undermined by threats or acts of violence by those who are a part of the corrupt system, against persons exercising their right to information. However, its implementation is liable to be contingent on the authorities’ interpretation of when it would be “difficult” to establish contact between the authority and the applicant. Certain practical difficulties could also undermine the actual impact of the order, such as the fact that many applications are sent through registered or speed post, which cannot be mailed to a post-box number, especially since ordinary post cannot be tracked online like speed or registered post.[2]

Developing a system in which ordinary citizens do not have to fear retaliation for exposing corruption requires a comprehensive legislation protecting whistle-blowers identities and ensuring data security. However, the important message this judgement sends out is that the judiciary is still committed to protecting whistle-blowers, in lieu of the government’s actions. This is a particularly important stance taken by the Court, considering the Supreme Court in the past has refused to frame guidelines for whistle-blower protection, citing the imperative in enacting a whistle-blower legislation to be the Parliament’s.[3]

A full text of the judgement is available here.

[1].Whistleblower shot dead in Bihar, THE HINDU, available at http://www.thehindu.com/news/national/whistleblower-shot-dead-in-bihar/article4542293.ece; Tamil Nadu Whistleblower alleges death threats; Silence from Government, NDTV, available at http://www.ndtv.com/article/india/tamil-nadu-whistleblower-alleges-death-threats-silence-from-govt-410450.

[2]. Indian Postal Tracking Portal, http://www.indiapost.gov.in/tracking.aspx.

[3]. Supreme Court refuses to frame guidelines for protection of whistleblowers, Daily News and Analysis, available at http://www.dnaindia.com/india/report-supreme-court-refuses-to-frame-guideline-for-protection-of-whistleblowers-1525622.

For more details visit https://cis-india.org/internet-governance/blog/calcutta-hc-strengthens-whistle-blower-protection

February 11: The Day We Fight Back Against Mass Surveillance

divij — 2014-02-14T06:00:05Z

The expansive surveillance being perpetuated by governments and corporations is the single biggest threat to individual liberties in the digital age.

The expanding scope and extent of massive data collection and surveillance undertaken by bodies like the USA’s National Security Agency compromises our privacy and stifles our freedom of speech and expression in its most vital public spheres, affecting the civil liberties of citizens of countries all across the world.

The previous year has been a watershed year for reclaiming the internet as a free and open space, primarily through the exposure of the unwarranted systems of surveillance that threaten it, by whistle-blowers like Edward Snowden and WikiLeaks. Despite all these efforts, they have only managed a dent in the surveillance regimes, which continue unbridled, with the protection of the state and the surveillance industry. The future of a free internet depends upon the systematic challenge of these programs by the millions of internet users they affect.

February 11, 2014 is the day we fight back against mass surveillance. Organized by the Electronic Frontier Foundation, and supported by thousand of organizations like Mozilla and the Centre for Internet and Society, on this day of action, citizens around the world will demand an end to these programs that threaten the freedom of the internet. You can support this cause by signing and supporting the 13 Principles (International Principles on the Application of Human Rights to Communications Surveillance), and contacting your local media, petitioning your local legislators and telling your friends and colleagues about the topic. Publicizing the movement and creating a buzz around it will help spread the message to many others across the internet. Do anything that will make the fight more visible and viable, such as organizing or attending public lectures, or creating tools or memes or art to spread information. For more ways in which you can contribute, and more information on the event, visit the website.

The users of the internet deserve a free and open internet and deserve and end to mass surveillance. If we can make enough noise, make enough of an impact, we can greatly bolster the movement for reclaiming the internet.

For more details visit https://cis-india.org/internet-governance/blog/the-day-we-fight-back-against-mass-surveillance

The Criminal Law Amendment Bill 2013 — Penalising 'Peeping Toms' and Other Privacy Issues

divij — 2013-07-12T12:17:06Z

The pending amendments to the Indian Penal Code, if passed in their current format, would be a huge boost for individual physical privacy by criminalising stalking and sexually-tinted voyeurism and removing the ambiguities in Indian law which threaten the privacy and dignity of individuals.

The author, Divij Joshi is a law student at NLS and is interning with CIS for its privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

What is the Criminal Law (Amendment) Bill, 2013? What will it change?
The Criminal Law (Amendment) Bill is a bill which is to be introduced in the Indian Parliament, which will replace the Criminal Law (Amendment) Ordinance, 2013[1] currently in force, and aims at amending the existing provisions in criminal law in order to improve the safety of women. The Bill seeks to make changes to the Indian Penal Code, the Code of Criminal Procedure, and the Indian Evidence Act. The Bill will introduce unprecedented provisions in the Indian Penal Code which would criminalise sexual voyeurism and stalking and would amend legal provisions to protect the privacy of individuals, such as discontinuing the practice of examination of the sexual history of the victim of a sexual assault for evidence. With instances of threats to individual privacy on the rise in India, [2] it is high time that the criminal law expands its scope to deal with offences which violate physical privacy.

What threats to privacy will the Act address?
The Act will address the following violations of physical privacy:

Stalking
Draft provision: The ordinance introduces the offence of stalking under Section 345D of the Indian Penal Code, and makes it punishable by imprisonment of not less than one year, which may extend to three years, and a fine. The provision prescribes that ‘Whoever follows a person and contacts, or attempts to contact such person to foster personal interaction repeatedly, despite a clear indication of disinterest by such person, or whoever monitors the use by a person of the internet, email or any other form of electronic communication, or watches or spies on a person in a manner that results in a fear of violence or serious alarm or distress in the mind of such person, or interferes with the mental peace of such person.’ Hence, under the new law, constant, unwanted interaction of any one person with another, for any reason, can be made punishable, if the actions results in fear of violence or distress in any person, or interferes with their mental peace.

Current law and need for amendment: Stalking is generally characterized by unwanted and obsessive harassment or persecution of one person by another. Stalking can be a physical act such as constantly following a person, or can be done through electronic means — usually the internet (known as cyberstalking). Stalking may or may not be an act which physically threatens the security of an individual; however, it can cause mental trauma and fear to the person being stalked. Stalking is a blatant intrusion into an individual’s privacy, where the stalker attempts to establish relationships with their victim which the victim does not consent to and is not comfortable with. The stalker also intrudes into the victim’s private life by collecting or attempting to collect personal information the victim may not want to disclose, such as phone numbers or addresses, and misusing it. If the stalker is left undeterred to continue such actions, it can even lead to a threat to the safety of the victim. Cyber-stalking is a phenomenon which can prove to be even more invasive and detrimental to privacy, as most cyber-stalkers attempt to gain access to private information of the victims so that they can misuse it. Stalking, in any form, degrades the privacy of the victim by taking away their choice to use their personal information in ways they deem fit. [3] Recognizing stalking as an offence would not only protect the physical privacy rights of the victims, but also nip potentially violent crimes in the bud.

Many nations including Australia, the United States of America and Japan have penal provisions which criminalise stalking. [4] In India however, there is no appropriate response to stalking as an offence — either in its physical or electronic forms. The Information Technology Act, the legislation purported to deal with instances of cyber-crimes, overlooks instances of breach of online privacy and stalking which does not lead to publication of obscene images or other obvious manifestations of physical or mental threat. The general provision under which victims of stalking can file complaints is Section 509 of the Indian Penal Code (IPC), which states that — ‘Whoever, intending to insult the modesty of any woman, utters any word, makes any sound or gesture, or exhibits any object, intending that such word or sound shall be heard, or that such gesture or object shall be seen, by such woman, or intrudes upon the privacy of such woman, shall be punished with simple imprisonment for a term which may extend to one year, or with fine, or with both.’There are several problems with using this section as a response to stalking. Without a particular definition of what comes under the scope of ‘intrusion of privacy’ under this section, there is reluctance both for the victim to approach the police and for the police to file the complaint. Usually the offence is coupled with some other form of harassment or violence, and the breach of privacy and trauma is not considered as a separate offence. For example, if a person is continuously following or trying to contact you without your consent or approval, but does not physically threaten or insult you, there is no protection in law against such a person. Hence, as pointed out, there is a need to recognize the breach of privacy as a separate ground of offence, notwithstanding other physical or mental grounds. Secondly, the provisions of this section require the criminal to have the ‘intent of insulting the modesty of a woman’. Aside from the difficulties in adjudging the ‘modesty’ of a woman, the provision limits the scope of harassment to only that which intends to insult the modesty of a woman and excludes any other intention as criminal behaviour. The present law amends these problems by disregarding the reason or intent for the behaviour, and by clearly defining the elements of the offence and making stalking as a stand-alone, punishable offence.

Sexual Voyeurism

Draft provision: The Act will add Section 345D to the Indian Penal Code, which reads as follows — ‘Whoever watches, or captures the image of, a woman engaging in a private act in circumstances where she would usually have the expectation of not being observed either by the perpetrator or by any other person at the behest of the perpetrator shall be punished on first conviction with imprisonment of either description for a term which shall not be less than one year, but which may extend to three years, and shall also be liable to fine, and be punished on a second or subsequent conviction, with imprisonment of either description for a term which shall not be less than three years, but which may extend to seven years, and shall also be liable to fine.

Explanation 1.–– For the purposes of this section, “private act” includes an act carried out in a place which, in the circumstances, would reasonably be expected to provide privacy, and where the victim's genitals, buttocks or breasts are exposed or covered only in underwear; or the victim is using a lavatory; or the person is doing a sexual act that is not of a kind ordinarily done in public.

Explanation 2.–– Where the victim consents to the capture of images or any act, but not to their dissemination to third persons and where such image or act is disseminated, such dissemination shall be considered an offence under this section.’

The provision seeks to protect victims of voyeurism, who have been watched, or recorded, without their consent and under circumstances where the victim could reasonably expect privacy, and where the victim’s genitals, buttocks or breasts have been exposed. A reasonable expectation of privacy means that in the circumstances, whether in a public or a private place, the victim has a reasonable expectation that she is not being observed engaging in private acts such as disrobing or sexual acts. The test of reasonable expectation of privacy can be derived from similar provisions in voyeurism laws across the world, and also section 66E of the Information Technology Act.[5] It is particularly important because voyeurism does not necessarily take place in private places like the victims home, but also in public spaces where there is generally an expectation that exposed parts of one’s body are not viewed by anyone.

Current law and need for amendment: A ‘voyeur’ is generally defined as "a person who derives sexual gratification from the covert observation of others as they undress or engage in sexual activities." [6] Voyeurism is the act of a person who, usually for sexual gratification, observes, captures or distributes the images of another person without their consent or knowledge. With the development in video and image capturing technologies, observation of individuals engaged in private acts in both public and private places, through surreptitious means, has become both easier and more common. Cameras or viewing holes may be placed in changing rooms or public toilets, which are public spaces where individuals generally expect a reasonable degree of privacy, and where their body may be exposed. Voyeurism is an act which blatantly defies reasonable expectations of privacy that individuals have about their bodies, such as controlling its exposure to others.[7] Voyeurism is an offence to both the privacy as well as the dignity of a person, by infringing upon the right of individuals to control the exposure of their bodies without their consent or knowledge, either through unwarranted observation of the individual, or through distribution of images or videos against the wishes or without the knowledge of the victim.

Voyeurism is a criminal offence in many jurisdictions across the world such as Australia,[8] the United States,[9] Canada,[10] and the UK,[11] which criminalise either the capturing of certain images, or observation of individuals, or both. In India, the capturing, distribution and transferring of images of ‘private areas’ of a person’s body, under circumstances where the person would have a reasonable expectation of privacy that their body would not be exposed to public view, is punishable with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both. However, this does not cover instances where a person observes another in places and situations where they do not consent to being observed. The inclusion of voyeurism as an offence in the IPC would close several loopholes in the voyeurism law and hopefully be a precedent for the state to better work towards securing the bodily privacy of its citizens.

Examination of Sexual History and Privacy
Draft provision: The amendment to Section 53A of the Indian Evidence Act in the Bill reads, “In a prosecution for an offence under section 354, section 354A, section 354B, section 354C, sub-section (1) or sub-section (2) of section 376, section 376A, section 376B, section 376C, section 376D or section 376E of the Indian Penal Code or for attempt to commit any such offence, where the question of consent is in issue, evidence of the character of the victim or of such person’s previous sexual experience with any person shall not be relevant on the issue of such consent or the quality of consent.”

A similar proviso is added to Section 376 of the Indian Evidence Act.

According to the above provision, in a trial for sexual assault or rape the evidence supplied of a victim’s previous sexual experience or her ‘character’ would not be admissible as relevant evidence to determine the fact of the consent or the quality of the consent.

Current law and need for amendment: The Indian Evidence Act is the legislation which governs the admissibility of evidence in the different courts. In cases of rape or sexual assault and related crimes, the evidence of consent often considered is not just that of the consent of the woman in the act at that time itself, but rather her previous sexual experience and “promiscuous character”. Even though it has been widely censured by the highest court,[12] such practices continue to dominate and prejudice the justice of victims of sexual assault and harassment.[13] The examination of the victim’s sexual history in court is an unwarranted intrusion into their privacy through public disclosure of the sexual history and details of her sexual life, which causes potential embarrassment and sexual stereotyping of the victim, especially in a conservative, patriarchal society like in India. With the new amendments, such evidence will not be permitted in a court of law, hence, it will act as a safeguards against defendants attempting to influence the court's decision through disparaging the ‘character’ of the victim, and will protect the disclosure of intimate, personal details like previous sexual encounters of the victim.

Conclusion
Privacy, crime, and safety of women are intricately linked in any legal system. An essential part of the security of citizens is the safety of their privacy and personal information. If any legal system does not protect the privacy — both of body and of information — of its people, there will always be insecurity in such a system. With the recent debates on women’s safety, several crucial privacy and security issues have been raised, such as the criminalization of voyeurism and stalking, which is a huge boost for privacy rights of citizens in India, and it is hopeful that the government will continue the trend of considering privacy issues along when addressing security concerns for the state.

Update to the Criminal Law Amendment Bill 2013 - Penalising Peeping Toms and other privacy issues

The Criminal Law (Amendment) Bill, 2013, was made into law on April 3, 2013. Several provisions under the Act differ from the provisions in the ordinance. Under the Act, unlike in the Ordinance, the terms or watches or spies on a person in a manner that results in a fear of violence or serious alarm or distress in the mind of such person, or interferes with the mental peace of such person are not included as a part of the offence of stalking. Hence, the offence is limited to the physical act of following or contacting a person, provided that there has been a clear sign of disinterest, or to monitoring the use by a woman of the internet, email or any other forms of electronic communication.

Hence, from the confusing language of the provision, it would seem that the offence of stalking related to monitoring of activities of a woman is restricted to the monitoring of online communications, and not physical acts. The caveat of such monitoring having to cause serious alarm, distress or interference with the mental peace of the victim is also removed. The removal of unwaranted intrusion through watching or spying of a person, and indeed, the removal of any subjective test to determine the effect of stalking is a departure from stalking provisions accross the world, and is a setback for individual privacy, because stalking per se is a privacy offence, relating not only to the physical interference but also the mental harassment it causes to the victims.

The provision has also increased the puinishment for the crime in the first offence to upto three years, and subsequently to upto five years. Further, the provisions sought to be included within Section 53A and Section 376 of the Indian Evidence Act are now included in Section 146 of the Act.

Link to the Criminal Law (Amendment) Act, 2013

[1]. Criminal Law (Amendment) Ordinance, 2013, available at http://mha.nic.in/pdfs/criminalLawAmndmt-040213.pdf

[2]. http://bit.ly/10nMSTT

[3]. Anita Gurumurthy and Nivedita Menon, Violence against Women via Cyberspace, Economic and Political Weekly, 44 (40), 19, (October, 2009).

[4]. For example, see laws listed http://bit.ly/126hBpO

[5]. Section 66E, The Information Technology Act, 2000: ‘66E. Punishment for violation of privacy.- Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

Explanation - For the purposes of this section--

(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any means;
(c) “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
(d) “publishes” means reproduction in the printed or electronic form and making it available for public;
(e) “under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that--(i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or
(ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

[6]. Oxford English Dictionary, available at http://bit.ly/YN2ZvI

[7]. Lance Rothenberg, Rethinking Privacy: Peeping Toms, Video Voyeurs, and the failure of criminal law to recognize a reasonable expectation of privacy in the public space, American University Law Review, 49, 1127, (1999).

[8]. Section 91J, Crimes Act, 1910: "A person who, for the purpose of obtaining sexual arousal or sexual gratification, observes a person who is engaged in a private act without the consent of the person being observed to being observed for that purpose, and knowing that the person being observed does not consent to being observed for that purpose, is guilty of an offence."

[9]. Video Voyeurism Protection Act, 2004.

[10]. Section 162, Criminal Code of Canada: " (1) Every one commits an offence who, surreptitiously, observes — including by mechanical or electronic means — or makes a visual recording of a person who is in circumstances that give rise to a reasonable expectation of privacy, if
(a) the person is in a place in which a person can reasonably be expected to be nude, to expose his or her genital organs or anal region or her breasts, or to be engaged in explicit sexual activity;
(b) the person is nude, is exposing his or her genital organs or anal region or her breasts, or is engaged in explicit sexual activity, and the observation or recording is done for the purpose of observing or recording a person in such a state or engaged in such an activity; or
(c) the observation or recording is done for a sexual purpose.

[11]. Section 67, Sexual Offences Act, 2003.

[12]. http://bit.ly/10nNDwg

[13]. http://reut.rs/13CIDXU

For more details visit https://cis-india.org/internet-governance/blog/the-criminal-law-amendment-bill-2013

India's Biometric Identification Programs and Privacy Concerns

divij — 2016-07-21T10:51:42Z

The invasiveness of individual identification coupled with the fallibility of managing big data which biometric identification presents poses a huge risk to individual privacy in India.

Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Introduction

Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election ID’s, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet, the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.

‘Big Data’ and Privacy Issues

Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging everyday,[1] the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.[2] The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial through analysing data trends to target improved services, for example, at the same time it can be problematic in case of a compromise or breach, or if generated information is analyzed to draw new and unintended conclusions about individuals without their consent, and using information for purposes the individuals did not mean for it to be used.

Biometric ID and Theft of Private Data

The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that its potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owners consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because of the fact that it is unique and intrinsic, and hence, once lost cannot be re-issued or reclaimed like traditional identification like a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.

Biometric data and Potential Misuse

Centralised data storage is problematic not only for the issues with data compromise and identity theft, but the problems of potential third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.[4] The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]

A second, growing concern over biometric identification schemes is over the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.[5] Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.[6] With the precise and accurate identification which biometrics offers, it also means that individuals are that much easier to continuously survey and track, for example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.[7]

With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance, and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking, without the individuals knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.[8] Even if such such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime ,where individuals are not notified about the kind of data being collected and for what its being used, would be a huge affront on civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As was noted by the Deputy Prime Minister of the UK, Nick Clegg, in a speech where he denounced the Identity Scheme of the British government, saying that “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]

Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, with lack of any guidelines or specific legal framework covering the implementation and collection of biometric data schemes, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above and these issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.

[1]. http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections.

[2]. http://www.wired.com/threatlevel/2008/03/hackers-publish.

[3].https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions.

[4]. http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001.

[5]. http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece.

[6]. http://news.bbc.co.uk/2/hi/8691753.stm

[7]. Supra note 1.

For more details visit https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns